Пример #1
0
 // Check for illegal input...
 if (!IsSqlTextOkay($_POST)) {
     $error_msg = "Illegal characters in input... Do not use quotes and control chars.";
     goto GenerateHtml;
 }
 $update = false;
 if (!empty($_POST["Password"]) || !empty($_POST["Password2"])) {
     if ($_POST["Password"] != $_POST["Password2"]) {
         $error_msg = "Error: new passwords do not match.";
         goto GenerateHtml;
     }
     $update = true;
 }
 // Check for changes.
 foreach ($data as $key => $value) {
     if (!IsFieldInParamList($key, $param_list)) {
         continue;
     }
     if ($value != GetValueFromParamList($param_list, $key)) {
         $update = true;
         break;
     }
 }
 if ($update === false) {
     $success_msg = "No changes given.";
     goto GenerateHtml;
 }
 // Looks like we are okay to update database!
 $okay = UpdateUser($param_list, $userid);
 if ($okay === true) {
     $success_msg = "Data Updated!";
Пример #2
0
function UpdateUser($param_list, $userid = 0)
{
    global $config;
    $loc = "userlib.php->UpdateUser";
    $pwchanged = false;
    $fields = array(array("LastName", "str"), array("FirstName", "str"), array("PasswordHash", "str"), array("NickName", "str"), array("Title", "str"), array("BadgeID", "str"), array("Email", "str"), array("Tags", "str"), array("Active", "bool"));
    if ($userid != 0) {
        $sql = "SELECT * FROM Users WHERE UserID=" . intval($userid);
        $result = SqlQuery($loc, $sql);
        if ($result->num_rows <= 0) {
            $error_msg = "Unable to update user. UserID=" . intval($userid) . " not found.";
            log_msg($loc, $error_msg);
            return $error_msg;
        }
    } else {
        if (!IsFieldInParamList("UserName", $param_list)) {
            $error_msg = 'Unable to update user. No UserName or UserID Given.';
            log_msg($loc, $error_msg);
            return $error_msg;
        }
        $username = GetValueFromParamList($param_list, "UserName");
        $sql = 'SELECT * FROM Users WHERE UserName="******"';
        $result = SqlQuery($loc, $sql);
        if ($result->num_rows <= 0) {
            $error_msg = 'Unable to update user. UserName="******" not found.';
            log_msg($loc, $error_msg);
            return $error_msg;
        }
        $row = $result->fetch_assoc();
        $userid = intval($row["UserID"]);
    }
    // If the BadgeID is being changed we need to make sure its not a duplicate.
    if (IsFieldInParamList("BadgeID", $param_list)) {
        $badgeid = GetValueFromParamList($param_list, "BadgeID");
        if (!blank($badgeid)) {
            if (!VerifyBadgeFormat($badgeid)) {
                $error_msg = 'Unable to update user. Bad Format for BadgeID. Must be in form of "A000".';
                log_msg($loc, $error_msg);
                return $error_msg;
            }
            $sql = 'SELECT UserID FROM Users WHERE BadgeID="' . $badgeid . '"';
            $result = SqlQuery($loc, $sql);
            while ($row = $result->fetch_assoc()) {
                if ($row["UserID"] != $userid) {
                    $error_msg = 'Unable to update user. BadgeID ' . $badgeid . ' already in use.';
                    log_msg($loc, $error_msg);
                    return $error_msg;
                }
            }
        }
    }
    // At this point, move all values into a seperate array, but treat password special.
    $data = array();
    $c = 0;
    foreach ($param_list as $param_spec) {
        if (!isset($param_spec["FieldName"])) {
            continue;
        }
        if (!isset($param_spec["Value"])) {
            continue;
        }
        if ($param_spec["FieldName"] == "Password") {
            $pw = $param_spec["Value"];
            if (empty($pw)) {
                continue;
            }
            $v = crypt($pw, $config["Salt"]);
            $pwchanged = true;
            $fn = "PasswordHash";
            $data[$fn] = $v;
            $c++;
            continue;
        }
        $fn = $param_spec["FieldName"];
        $v = $param_spec["Value"];
        $data[$fn] = $v;
        $c++;
    }
    if ($c <= 0) {
        $error_msg = "Unable to update user. UserID=" . intval($userid) . ". Nothing to update.";
        log_msg($loc, $error_msg);
        return $error_msg;
    }
    // At this point, we have a userid that we can count on, and the data.
    $sql = 'UPDATE Users SET ';
    $sql .= GenerateSqlSet($data, $fields);
    $sql .= " WHERE UserID=" . intval($userid);
    SqlQuery($loc, $sql);
    $msg = 'Info for User ' . $userid . ' updated by ' . GetUserName() . '. ';
    if ($pwchanged) {
        $msg .= '(Including a password change.)';
    }
    log_msg($loc, $msg);
    return true;
}