function login($email, $password, $remember_me = false) { $email = cleanData($email); if ($userData = $this->checkUser($email, $password)) { $this->loginUser($userData, $remember_me); return true; } return false; }
function updateQuery($table, $data, $where) { $count = 0; foreach ($data as $field => $value) { $count > 0 ? $update .= ', ' : ($update = ''); $update .= $value === 'NOW()' ? $field . "= NOW()" : $field . '="' . cleanData($value) . '"'; $count++; } if (mysql_query('UPDATE ' . $table . ' SET ' . $update . ' WHERE ' . $where . ' LIMIT 1')) { return true; } else { return false; } }
/** * Clean form data * * Strips tags and removes/replaces certain characters from post data * * @param array $p Post data from a form * @return array $p */ function cleanData($p) { $returnArray = array(); foreach ($p as $key => $value) { //if value is an array recursively apply this function if (is_array($value)) { $returnArray[$key] = cleanData($value); } else { //arrays with strings to find and replace $find = array("<?php", "?>"); $replace = array("", ""); //trips possible tags (excluding links, bold, italic, lists, paragraphs) first, then removes certain forbidden strings, then removes backslashes, removes the first pargraph tag, removes the first closing paragraph tag, then converts remaining special characters to htmlentities $returnArray[$key] = htmlspecialchars(preg_replace('~<p>(.*?)</p>~is', '$1', stripslashes(str_replace($find, $replace, strip_tags($value, "<a><i><b><strong><em><li><ul><ol><br><p><iframe>"))), 1), ENT_QUOTES); } } //return the cleaned array return $returnArray; }
} } else { $errors .= $er2; } return $errors; } // When the submit button is pressed Validates and Sanitizes the data if (isset($submit)) { // Checking Date $error = cleanData($date, $dateEr1, $dateEr2); $errors .= $error; // Checking Location $error = cleanData($location, $locationEr1, $locationEr2); $errors .= $error; // Checking Description $error = cleanData($desc, $msgEr, $msgEr); $errors .= $error; // Check to see if there is errors if (!$errors) { //Insert data in mysql database; $sql = "INSERT INTO `blazing`.`vacation` (`id`, `date`, `location`, `desc`) VALUES (NULL, '{$date}', '{$location}', '{$desc}')"; if (!mysql_query($sql)) { echo "<br /> Didn't work"; } else { echo "Saved Results:<br>"; echo $date . " | " . $location . " | " . $desc . "<br><br>"; echo '<h1 style="color:green; margin-left:35%; margin-right:50%;">Vacation SUCCESSFULLY CREATED</h1>'; } echo "You have successfully submitted data!<br><br>"; } else { echo $errors;
<?php require "admin_login.php"; $product = "NailAccessories"; $typenum = '7'; //need to change h2 at line 116 //change num at 89 //change path in 33 //change path at 101 //change num at 102 if (isset($_POST['submit'])) { $name = cleanData($_POST['name']); $code = cleanData($_POST['code']); $price = cleanData($_POST['price']); $description = cleanData($_POST['description']); //print "Data cleaned"; addData($name, $code, $price, $description); } else { printform(); } function cleanData($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); $data = strip_tags($data); return $data; } function checkPicture() { if (isset($_FILES['picture'])) {
echo $errors; } } else { $errors .= $er2; } return $errors; } // When the submit button is pressed Validates and Santizes the data if (isset($submit)) { // Checking User Name $error = cleanData($user_name, $nameEr1, $nameEr2); $errors .= $error; // Checking User Email $error = cleanData($user_email, $emailEr1, $emailEr2); $errors .= $error; // Checking Message $error = cleanData($msg, $msgEr, $msgEr); $errors .= $error; // Check to see if there is erros if (!$errors) { $mail_to = '*****@*****.**'; $header = 'From: ' . $_POST['user_name']; $subject = 'New Mail from Business website Form Submission'; $message = 'From: ' . $_POST['user_name'] . "\n" . 'Email: ' . $_POST['user_email'] . "\n" . 'Message:\\n' . $_POST['msg'] . "\n\n"; mail($mail_to, $subject, $message, $header); //echo $message; echo "Thank you for your email!<br><br>"; } else { echo $errors; } }
public function customAjax($id, $data) { global $dbh; global $SETTINGS; global $TYPES; $return = ['status' => 'success']; if ($data['subAction'] == 'list') { //list subAction $return['options'] = []; if ($data['subType'] == 'preDiscount') { //list all products and services on the order, plus an order line $sth = $dbh->prepare('SELECT CONCAT("P", orderProductID) AS id, name, recurringID, parentRecurringID, date FROM products, orders_products WHERE orderID = 1 AND products.productID = orders_products.productID UNION SELECT CONCAT("S", orderServiceID) AS id, name, recurringID, parentRecurringID, date FROM services, orders_services WHERE orderID = 1 AND services.serviceID = orders_services.serviceID'); $sth->execute([':orderID' => $id]); $return['options'][] = ['value' => 'O', 'text' => 'Order']; while ($row = $sth->fetch()) { if ($row['recurringID'] !== null) { $text = 'Recurring: ' . $row['name']; } elseif ($row['parentRecurringID'] !== null) { $text = formatDate($row['date']) . ': ' . $row['name']; } else { $text = $row['name']; } $return['options'][] = ['value' => $row['id'], 'text' => htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')]; } } else { $discounts = []; if ($data['subType'] == 'discount') { //get the list of discounts applied to the item already so we don't apply the same discount twice to the same item $temp = [substr($data['subID'], 0, 1), substr($data['subID'], 1)]; $sth = $dbh->prepare('SELECT discountID FROM orders_discounts WHERE orderID = :orderID AND appliesToType = :appliesToType AND appliesToID = :appliesToID'); $sth->execute([':orderID' => $id, ':appliesToType' => $temp[0], ':appliesToID' => $temp[1]]); while ($row = $sth->fetch()) { $discounts[] = $row['discountID']; } } $sth = $dbh->prepare('SELECT ' . $TYPES[$data['subType']]['idName'] . ', name FROM ' . $TYPES[$data['subType']]['pluralName'] . ' WHERE active = 1'); $sth->execute(); while ($row = $sth->fetch()) { if ($data['subType'] != 'discount' || !in_array($row[0], $discounts)) { $return['options'][] = ['value' => $row[0], 'text' => htmlspecialchars($row[1], ENT_QUOTES | ENT_HTML5, 'UTF-8')]; } } } } elseif ($data['subAction'] == 'getDefaultPrice') { //getDefaultPrice subAction $sth = $dbh->prepare('SELECT defaultPrice FROM ' . $TYPES[$data['subType']]['pluralName'] . ' WHERE ' . $TYPES[$data['subType']]['idName'] . ' = :subID'); $sth->execute([':subID' => $data['subID']]); $row = $sth->fetch(); $return['defaultPrice'] = formatNumber($row['defaultPrice']); } elseif ($data['subAction'] == 'add') { //add subAction $return['status'] = 'fail'; $subType = $data['subType']; unset($data['subAction']); unset($data['subType']); if ($subType == 'discount') { //for discounts, subID contains a one letter indication of the type of item (O = order, P = product, S = service), and the unique subID $itemType = substr($data['subID'], 0, 1); $uniqueID = substr($data['subID'], 1); if ($itemType == 'O') { $itemTypeFull = 'order'; $subType = 'discountOrder'; } elseif ($itemType == 'P') { $itemTypeFull = 'product'; $subType = 'discountProduct'; } elseif ($itemType == 'S') { $itemTypeFull = 'service'; $subType = 'discountService'; } if ($itemType == 'O') { $data['subID'] = 0; } else { $sth = $dbh->prepare('SELECT ' . $TYPES[$itemTypeFull]['idName'] . ' FROM orders_' . $TYPES[$itemTypeFull]['pluralName'] . ' WHERE order' . $TYPES[$itemTypeFull]['formalName'] . 'ID = :uniqueID'); $sth->execute([':uniqueID' => $uniqueID]); $row = $sth->fetch(); $data['subID'] = $row[0]; } } $data = cleanData('order', $subType, $data); $return = verifyData('order', $subType, $data); if ($return['status'] != 'fail') { if ($subType == 'payment') { $dateTS = DateTime::createFromFormat($SETTINGS['dateFormat'] . '|', $data['date'])->getTimestamp(); $sth = $dbh->prepare('INSERT INTO orderPayments (orderID, date, paymentType, paymentAmount) VALUES(:orderID, :date, :paymentType, :paymentAmount)'); $sth->execute([':orderID' => $id, ':date' => $dateTS, ':paymentType' => $data['paymentType'], ':paymentAmount' => $data['paymentAmount']]); $changeData = ['subType' => 'payment', 'date' => $dateTS, 'paymentType' => $data['paymentType'], 'paymentAmount' => $data['paymentAmount']]; } elseif ($subType == 'product' || $subType == 'service') { $sth = $dbh->prepare('SELECT quantity FROM orders_' . $TYPES[$subType]['pluralName'] . ' WHERE orderID = :orderID AND ' . $TYPES[$subType]['idName'] . ' = :subID AND unitPrice = :unitPrice'); $sth->execute([':orderID' => $id, ':subID' => $data['subID'], ':unitPrice' => $data['unitPrice']]); $result = $sth->fetchAll(); if (count($result) == 1 && $data['recurring'] == 'no') { //if the product or service is already present in the expense AND we aren't doing a recurring item, add the quantity to the existing row $totalQuantity = $data['quantity'] + $result[0]['quantity']; $sth = $dbh->prepare('UPDATE orders_' . $TYPES[$subType]['pluralName'] . ' SET quantity = :quantity WHERE orderID = :orderID AND ' . $TYPES[$subType]['idName'] . ' = :subID AND unitPrice = :unitPrice'); $sth->execute([':quantity' => $totalQuantity, ':orderID' => $id, ':subID' => $data['subID'], ':unitPrice' => $data['unitPrice']]); $changeAction = 'E'; //this is technically an edit, not an add $changeData = ['subType' => $subType, 'subID' => $data['subID'], 'unitPrice' => $data['unitPrice'], 'quantity' => $totalQuantity]; } else { if ($data['recurring'] == 'yes') { $startTS = DateTime::createFromFormat($SETTINGS['dateFormat'] . '|', $data['startDate'])->getTimestamp(); $endTS = DateTime::createFromFormat($SETTINGS['dateFormat'] . '|', $data['endDate'])->getTimestamp(); //add the recurring item $sth = $dbh->prepare('SELECT MAX(recurringID) AS recurringID FROM orders_' . $TYPES[$subType]['pluralName']); $sth->execute(); $result = $sth->fetchAll(); $recurringID = $result[0]['recurringID'] + 1; $sth = $dbh->prepare('INSERT INTO orders_' . $TYPES[$subType]['pluralName'] . ' (orderID, ' . $TYPES[$subType]['idName'] . ', unitPrice, quantity, recurringID, dayOfMonth, startDate, endDate) VALUES(:orderID, :subID, :unitPrice, :quantity, :recurringID, :dayOfMonth, :startDate, :endDate)'); $sth->execute([':orderID' => $id, ':subID' => $data['subID'], ':unitPrice' => $data['unitPrice'], ':quantity' => $data['quantity'], ':recurringID' => $recurringID, ':dayOfMonth' => $data['dayOfMonth'], ':startDate' => $startTS, ':endDate' => $endTS]); //add occasions from start date to now $temp = new DateTime(); $temp->setTimestamp($startTS); $patternStart = new DateTime($data['dayOfMonth'] . '-' . $temp->format('M') . '-' . $temp->format('Y')); $interval = new DateInterval('P1M'); $now = new DateTime(); $period = new DatePeriod($patternStart, $interval, $now); foreach ($period as $date) { $timestamp = $date->getTimestamp(); if ($timestamp >= $startTS && $timestamp <= $endTS) { $sth = $dbh->prepare('INSERT INTO orders_' . $TYPES[$subType]['pluralName'] . ' (orderID, ' . $TYPES[$subType]['idName'] . ', date, unitPrice, quantity, parentRecurringID) VALUES(:orderID, :subID, :date, :unitPrice, :quantity, :parentRecurringID)'); $sth->execute([':orderID' => $id, ':subID' => $data['subID'], ':date' => $timestamp, ':unitPrice' => $data['unitPrice'], ':quantity' => $data['quantity'], ':parentRecurringID' => $recurringID]); } } $changeData = ['subType' => $subType, 'subID' => $data['subID'], 'unitPrice' => $data['unitPrice'], 'quantity' => $data['quantity'], 'recurring' => $data['recurring'], 'interval' => $data['interval'], 'dayOfMonth' => $data['dayOfMonth'], 'startDate' => $startTS, 'endDate' => $endTS]; } else { //get date of order $sth = $dbh->prepare('SELECT date FROM orders WHERE orderID = :orderID'); $sth->execute([':orderID' => $id]); $row = $sth->fetch(); $sth = $dbh->prepare('INSERT INTO orders_' . $TYPES[$subType]['pluralName'] . ' (orderID, ' . $TYPES[$subType]['idName'] . ', date, unitPrice, quantity) VALUES(:orderID, :subID, :date, :unitPrice, :quantity)'); $sth->execute([':orderID' => $id, ':subID' => $data['subID'], ':date' => $row['date'], ':unitPrice' => $data['unitPrice'], ':quantity' => $data['quantity']]); $changeData = ['subType' => $subType, 'subID' => $data['subID'], 'unitPrice' => $data['unitPrice'], 'quantity' => $data['quantity']]; } } } elseif ($subType == 'discountOrder' || $subType == 'discountProduct' || $subType == 'discountService') { //get discountType and discountAmount $sth = $dbh->prepare('SELECT discountType, discountAmount FROM discounts WHERE discountID = :discountID'); $sth->execute([':discountID' => $data['discountID']]); $row = $sth->fetch(); $discountType = $row['discountType']; $discountAmount = $row['discountAmount']; $sth = $dbh->prepare('INSERT INTO orders_discounts (orderID, discountID, appliesToType, appliesToID, discountType, discountAmount) VALUES(:orderID, :discountID, :appliesToType, :appliesToID, :discountType, :discountAmount)'); $sth->execute([':orderID' => $id, ':discountID' => $data['discountID'], ':appliesToType' => $itemType, ':appliesToID' => $uniqueID, ':discountType' => $discountType, ':discountAmount' => $discountAmount]); $changeData = ['subType' => $subType, 'subID' => $data['subID'], 'discountID' => $data['discountID']]; //determine if the appliesTo item is a recurring item, and if so, add a discount to past recurrences if they don't already have this discount //TODO: user could possibly make a decision to apply this to past and future recurrences, or just future if ($itemType != 'O') { $sth = $dbh->prepare('SELECT recurringID FROM orders_' . $TYPES[$itemTypeFull]['pluralName'] . ' WHERE order' . $TYPES[$itemTypeFull]['formalName'] . 'ID = :uniqueID'); $sth->execute([':uniqueID' => $uniqueID]); $row = $sth->fetch(); if ($row['recurringID'] != null) { $recurringID = $row['recurringID']; $sth = $dbh->prepare('SELECT order' . $TYPES[$itemTypeFull]['formalName'] . 'ID AS uniqueID FROM orders_' . $TYPES[$itemTypeFull]['pluralName'] . ' WHERE parentRecurringID = :parentRecurringID AND order' . $TYPES[$itemTypeFull]['formalName'] . 'ID NOT IN( SELECT appliesToID FROM orders_discounts WHERE discountID = :discountID AND appliesToType = :appliesToType )'); $sth->execute([':parentRecurringID' => $recurringID, ':discountID' => $data['discountID'], 'appliesToType' => $itemType]); while ($row = $sth->fetch()) { $sth2 = $dbh->prepare('INSERT INTO orders_discounts (orderID, discountID, appliesToType, appliesToID, discountType, discountAmount) VALUES(:orderID, :discountID, :appliesToType, :appliesToID, :discountType, :discountAmount)'); $sth2->execute([':orderID' => $id, ':discountID' => $data['discountID'], ':appliesToType' => $itemType, ':appliesToID' => $row['uniqueID'], ':discountType' => $discountType, ':discountAmount' => $discountAmount]); } } } } self::updateAmountDue($id); $temp = isset($changeAction) ? $changeAction : 'A'; addChange('order', $id, $_SESSION['employeeID'], $temp, json_encode($changeData)); } } elseif ($data['subAction'] == 'edit') { //edit subAction $subType = $data['subType']; unset($data['subAction']); unset($data['subType']); $sth = $dbh->prepare('SELECT ' . $TYPES[$subType]['idName'] . ' AS id FROM orders_' . $TYPES[$subType]['pluralName'] . ' WHERE order' . $TYPES[$subType]['formalName'] . 'ID = :uniqueID'); $sth->execute([':uniqueID' => $data['subID']]); $row = $sth->fetch(); $uniqueID = $data['subID']; $data['subID'] = $row['id']; $data = cleanData('order', $subType, $data); $return = verifyData('order', $subType, $data); if ($return['status'] != 'fail') { $sth = $dbh->prepare('UPDATE orders_' . $TYPES[$subType]['pluralName'] . ' SET unitPrice = :unitPrice, quantity = :quantity WHERE order' . $TYPES[$subType]['formalName'] . 'ID = :uniqueID'); $sth->execute([':unitPrice' => $data['unitPrice'], ':quantity' => $data['quantity'], ':uniqueID' => $uniqueID]); self::updateAmountDue($id); addChange('order', $id, $_SESSION['employeeID'], 'E', json_encode(['subType' => $subType, 'subID' => $data['subID'], 'unitPrice' => $data['unitPrice'], 'quantity' => $data['quantity']])); } } elseif ($data['subAction'] == 'delete') { //delete subAction if ($data['subType'] == 'payment') { $sth = $dbh->prepare('SELECT date, paymentAmount FROM orderPayments WHERE paymentID = :paymentID'); $sth->execute([':paymentID' => $data['subID']]); $row = $sth->fetch(); $sth = $dbh->prepare('DELETE FROM orderPayments WHERE paymentID = :paymentID'); $sth->execute([':paymentID' => $data['subID']]); $changeData = ['subType' => 'payment', 'date' => $row['date'], 'paymentAmount' => $row['paymentAmount']]; } elseif ($data['subType'] == 'product' || $data['subType'] == 'service') { $appliesToType = $data['subType'] == 'product' ? 'P' : 'S'; $sth = $dbh->prepare('SELECT ' . $TYPES[$data['subType']]['idName'] . ' AS id, recurringID, unitPrice, quantity FROM orders_' . $TYPES[$data['subType']]['pluralName'] . ' WHERE order' . $TYPES[$data['subType']]['formalName'] . 'ID = :uniqueID'); $sth->execute([':uniqueID' => $data['subID']]); $row = $sth->fetch(); $recurring = $row['recurringID'] === null ? 'no' : 'yes'; //delete item discounts and children's discounts (if any) $sth = $dbh->prepare('DELETE FROM orders_discounts WHERE appliesToType = :appliesToType AND (appliesToID IN ( SELECT order' . $TYPES[$data['subType']]['formalName'] . 'ID FROM orders_' . $TYPES[$data['subType']]['pluralName'] . ' WHERE parentRecurringID = :recurringID ) OR appliesToID = :appliesToID)'); $sth->execute([':appliesToType' => $appliesToType, ':recurringID' => $row['recurringID'], ':appliesToID' => $data['subID']]); //delete item and children (if any) $sth = $dbh->prepare('DELETE FROM orders_' . $TYPES[$data['subType']]['pluralName'] . ' WHERE order' . $TYPES[$data['subType']]['formalName'] . 'ID = :uniqueID OR parentRecurringID = :recurringID'); $sth->execute([':uniqueID' => $data['subID'], ':recurringID' => $row['recurringID']]); $changeData = ['subType' => $data['subType'], 'subID' => $row['id'], 'unitPrice' => $row['unitPrice'], 'quantity' => $row['quantity'], 'recurring' => $recurring]; } elseif ($data['subType'] == 'discount') { $sth = $dbh->prepare('SELECT discountID, appliesToType, appliesToID FROM orders_discounts WHERE orderDiscountID = :orderDiscountID'); $sth->execute([':orderDiscountID' => $data['subID']]); $row = $sth->fetch(); if ($row['appliesToType'] == 'O') { $subType = 'discountOrder'; } elseif ($row['appliesToType'] == 'P') { $subType = 'discountProduct'; } elseif ($row['appliesToType'] == 'S') { $subType = 'discountService'; } $sth = $dbh->prepare('DELETE FROM orders_discounts WHERE orderDiscountID = :orderDiscountID'); $sth->execute([':orderDiscountID' => $data['subID']]); $changeData = ['subType' => $subType, 'subID' => $row['appliesToID'], 'discountID' => $row['discountID']]; } self::updateAmountDue($id); addChange('order', $id, $_SESSION['employeeID'], 'D', json_encode($changeData)); } return $return; }
} .error { color: red; } </style> </head> <body> <?php $iderror = $passworderror = ""; if ($_SERVER["REQUEST_METHOD"] == "POST") { // Clean data $id = cleanData($_POST["id"]); $password = cleanData($_POST["password"]); if (empty($id)) { $iderror = "* Student ID is a required field"; } else { if (!is_numeric($id)) { $iderror = "* Student ID is a number"; } } if (empty($password)) { $passworderror = "* Password is a required field"; //return; } // Check for errors if (empty($iderror) && empty($passworderror)) { // Check user data with database // If valid go to next page with sessionID
</a></td> <td width="15%" align="center" height="12" class="menutable"><?php echo strtoupper($msg_showblogs8); ?> </td> <td width="5%" align="center" height="12" class="menutable"><input type="checkbox" name="log" onclick="selectAll();"></td> </tr> </table> <?php $q_blogs = mysql_query("SELECT * FROM " . $database['prefix'] . "blogs \n {$sql_order} \n LIMIT {$limitvalue}, {$SETTINGS->total}\n ") or die(mysql_error()); while ($BLOGS = mysql_fetch_object($q_blogs)) { ?> <table cellpadding="0" cellspacing="1" width="100%" align="center" style="margin-top:3px;border: 1px solid #64798E"> <tr> <td width="50%" align="left" height="15" valign="middle" style="padding-left:5px"><?php echo strlen($BLOGS->title) > 25 ? substr(cleanData($BLOGS->title), 0, 25) . "..." : cleanData($BLOGS->title); ?> </td> <td width="30%" align="left" height="15" valign="middle"><?php echo $BLOGS->rawpostdate; ?> </td> <td width="15%" align="center" height="15" valign="middle" style="padding:5px 3px 5px 0"><a href="index.php?cmd=edit&id=<?php echo $BLOGS->id; ?> " title="<?php echo $msg_showblogs8; ?> "><img style="padding:2px" src="images/edit.gif" alt="<?php echo $msg_showblogs8; ?>
$estampa_large = imagecreatefrompng(FILES_PATH . 'logo_large.png'); $estampa_medium = imagecreatefrompng(FILES_PATH . 'logo_medium.png'); $estampa_thumbs = imagecreatefrompng(FILES_PATH . 'logo_thumbs.png'); $rankImage = 1; // put file in DB, and place file in directory, if uploaded foreach ($file_image["name"] as $key => $name_file) { if ($name_file != "") { // insert the item into [news_images], and return photo_id $sql_fields = "sales_id, image, rank, date_created, date_modified"; $sql_values = "'" . magicAddSlashes($item_id) . "', '', '" . $rankImage . "', NOW(), NOW()"; $photo_id = insertRecord("sale_photos", $sql_fields, $sql_values, TRUE); $rankImage++; // clean up filenames $filename = $name_file; $filename = $item_id . "_" . $photo_id . "_" . $filename; $filename = cleanData($filename); /// include auto cropper, to limit photo filesize include_once $path_to_dynamik . "auto_cropper.inc.php"; // full - save the new (cropped) image to the folder $crop = new autoCropper(imagecreatefromjpeg($file_image["tmp_name"][$key]), FILES_PATH . FILES_SALES_LARGE . $filename, IMG_SALES_LARGE_WIDTH, IMG_SALES_LARGE_HEIGHT, IMG_SALES_LARGE_FIXED, 100, array(255, 255, 255)); $crop->processImage(); // chmod the file @chmod(FILES_PATH . FILES_SALES_LARGE . $filename, 0777); // Watermark large $margen_dcho = 0; $margen_inf = 0; $sx = imagesx($estampa_large); $sy = imagesy($estampa_large); $im = imagecreatefromjpeg(FILES_PATH . FILES_SALES_LARGE . $filename); imagecopy($im, $estampa_large, imagesx($im) - $sx - $margen_dcho, imagesy($im) - $sy - $margen_inf, 0, 0, imagesx($estampa_large), imagesy($estampa_large)); imagejpeg($im, FILES_PATH . FILES_SALES_LARGE . $filename);
mysql_query("DELETE FROM starter WHERE `id`={$id}"); } $form->setError('starter_success', 'Conversation(s) deleted successfully!'); $form->return_msg_to('starters.php'); } else { if (isset($_POST['edit_starter']) && $_POST['edit_starter'] == 'EDIT') { $starter_id = $_POST['starter_id']; if (sizeof($starter_id) <= 0) { $form->setError('starter_error', 'Please select a conversation to edit!'); $form->return_msg_to('starters.php'); } $id = is_array($starter_id) ? $starter_id[0] : $starter_id; if (is_array($starter_id)) { $form->return_msg_to('edit-starter.php?id=' . $id); } else { $starter = cleanData($_POST['starter']); if ($starter == '') { $form->setError('starter_error', 'You cannot create empty conversation!'); $form->return_msg_to('edit-starter.php?id=' . $id); } $result = mysql_query('UPDATE starter SET `starter`="' . $starter . '" WHERE id=' . $id); if (!$result) { $form->setError('starter_error', 'Conversation edit failed! Please try again.'); $form->return_msg_to('edit-starter.php?id=' . $id); } else { $form->setError('starter_success', 'Conversation updated successfully!'); $form->return_msg_to('starters.php'); } } } else { $form->return_msg_to('starters.php');
$Form->setError('error', 'Please write user password'); } // Password if (!isset($_POST['phone']) || empty($_POST['phone'])) { $Form->setError('error', 'Please write user phone number'); } /** * Error Found! * Redirect back to form page */ if ($Form->num_errors > 0) { $Form->return_msg_to('add-a-administrator.php'); } $first_name = cleanData($_POST['first_name']); $last_name = cleanData($_POST['last_name']); $email = cleanData($_POST['email']); $password = cleanData($_POST['password']); $phone = cleanData($_POST['phone']); $receive_email = cleanData($_POST['receive_email']); $userAdd = insertQuery(TBL_USER, array('type' => 'admin', 'first_name' => $first_name, 'last_name' => $last_name, 'email' => $email, 'password' => $password, 'phone_no' => $phone, 'receive_email' => $receive_email, 'create_date' => 'NOW()')); if (!$userAdd) { $Form->setError('error', 'Database error! Please try again.'); $Form->return_msg_to('add-a-administrator.php'); } else { $Form->setError('success', 'New admin added successfully'); $Form->return_msg_to('add-a-administrator.php'); } } else { $Form->setError('error', 'Some error occured!'); $Form->return_msg_to('add-a-administrator.php'); }
if (strlen($value) < $min && !$allowEmpty) { $error = "It is too short."; } else { if ($allowEmpty && strlen($value) > 0 && strlen($value) < $min) { $error = "It is too short."; } else { if (strlen($value) > $max) { $error = "It is too long."; } } } } return $error; } if (!empty($_POST)) { $data = cleanData($_POST); $errors['survey-name'] = checkData($data['survey-name'], 3, 50, 0); $errors['survey-description'] = checkData($data['survey-description'], 3, 250, 0); $errors['choice1'] = checkData($data['choice1'], 2, 50, 0); $errors['choice2'] = checkData($data['choice2'], 2, 50, 0); $errors['choice3'] = checkData($data['choice3'], 2, 50, 1); $errors['choice4'] = checkData($data['choice4'], 2, 50, 1); $errors['choice5'] = checkData($data['choice5'], 2, 50, 1); $req = $pdo->prepare('SELECT id, name FROM surveys WHERE name = :name'); $req->bindvalue(':name', $data['survey-name'], PDO::PARAM_STR); $req->execute(); if ($res = $req->fetch()) { $dataId = $res['id']; $errors['survey-name'] = 'This survey already exists'; $disableForm = 'This survey already exists, <a href="survey-' . $dataId . '.html">please check it.</a>'; }
//================== //================== // Case : RSS Feed //================== case 'rss-feed': $rss_feed = ''; $build_date = date('D, j M Y H:i:s') . ' GMT'; $MW_FEED->path = $SETTINGS->w_path . '/themes/' . THEME; // Open channel.. $rss_feed = $MW_FEED->open_channel(); // Feed info.. $rss_feed .= $MW_FEED->feed_info(str_replace("{website_name}", $SETTINGS->website, $msg_rss), $SETTINGS->modR ? $SETTINGS->w_path . '/index.html' : $SETTINGS->w_path . '/index.php', $build_date, str_replace("{website_name}", $SETTINGS->website, $msg_rss2), $SETTINGS->website); // Get latest posts.. $query = mysql_query("SELECT * FROM " . $database['prefix'] . "blogs \n ORDER BY id DESC \n LIMIT " . $SETTINGS->rssfeeds . "\n ") or die(mysql_error()); while ($RSS = mysql_fetch_object($query)) { $rss_feed .= $MW_FEED->add_item($msg_rss3 . $RSS->title, $SETTINGS->modR ? $SETTINGS->w_path . '/blog/' . $RSS->id . '/' . addTitleToUrl(cleanData($RSS->title)) . '.html' : $SETTINGS->w_path . '/index.php?cmd=blog&post=' . $RSS->id, $RSS->rss_date ? $RSS->rss_date : $build_date, $RSS->comments); } // Close channel.. $rss_feed .= $MW_FEED->close_channel(); // Display RSS feed.. header('Content-Type: text/xml'); echo get_magic_quotes_gpc() ? stripslashes(trim($rss_feed)) : trim($rss_feed); break; //================== // Case : Captcha //================== //================== // Case : Captcha //================== case 'captcha': $MWC = new PhpCaptcha();
<option<?php echo isset($area) && $area == 'comments' ? " selected " : " "; ?> value="comments"><?php echo $msg_search6; ?> </option> </select></td> </tr> <tr> <td class="headbox" align="left"><?php echo $msg_search2; ?> :</td> <td align="left"><input class="formbox" type="text" name="keywords" size="30" maxlength="50" value="<?php echo isset($keywords) ? cleanData($keywords) : ''; ?> "></td> </tr> <tr> <td class="headbox" align="left"><?php echo $msg_search3; ?> :</td> <td valign="top" align="left"><select name="from_day"> <option selected value="0"> - </option> <?php foreach ($days as $s_days) { echo '<option' . (isset($from_day) && $from_day == $s_days ? ' selected ' : ' ') . 'value="' . $s_days . '">' . $s_days . '</option>' . "\n"; } ?>
$email = $_POST['email']; $addressline1 = $_POST['addressline1']; $addressline2 = $_POST['addressline2']; $city = $_POST['city']; $state = $_POST['state']; $zip = $_POST['zip']; cleanData($username); cleanData($userpassword); cleanData($firstname); cleanData($lastname); cleanData($email); cleanData($addressline1); cleanData($addressline2); cleanData($city); cleanData($state); cleanData($zip); $host = "localhost"; $user = "******"; $password = "******"; $dbc = mysql_pconnect($host, $user, $password); $dbname = "X32720502"; mysql_select_db($dbname) or die("Cannot connect to database " . mysql_error()); //construct the query string $query = "UPDATE USERS SET FirstName='" . $firstname . "', LastName='" . $lastname . "', Email='" . $email . "', AddressLine1='" . $addressline1 . "', AddressLine2='" . $addressline2 . "', City='" . $city . "', State='" . $state . "', Zip='" . $zip . "', Password='******' WHERE Username='******';"; if (!mysql_query($query, $dbc)) { die('Error: ' . mysql_error()); } else { echo "<script>alert(\"Your info was updated in the database\")</script>"; } echo "<script>window.location = 'index.php';</script>"; mysql_close();
$humanErr = "Incorrect response to are you a human<br>"; $errString = ""; if ($_SERVER['REQUEST_METHOD'] == 'POST') { $name = cleanData($_POST['name']); if (empty($name) || !preg_match("/^[a-zA-Z ]*\$/", $name)) { $errString .= $nameErr; } $emailAddress = cleanData($_POST['email']); if (empty($emailAddress) || !filter_var($emailAddress, FILTER_VALIDATE_EMAIL)) { $errString .= $emailErr; } $message = cleanData($_POST['message']); if (empty($message)) { $errString .= $msgErr; } $human = cleanData($_POST['human']); if (empty($human) || $human != '9') { $errString .= $humanErr; } if (!empty($errString)) { // Set a 400 (bad request) response code and exit. http_response_code(400); echo "Oops! There was a problem with your submission. Please complete the form and try again."; exit; } else { sendMail($name, $emailAddress, $message); } } else { // Not a POST request, set a 403 (forbidden) response code. http_response_code(403); echo "There was a problem with your submission, please try again.";
<?php /** * Created by N0B0DY. * User: me@suvo.me * Date: 9/15/14 * Time: 1:41 AM */ include '../../core.php'; $session->loginRequired('admin'); $Form = new Form(); if (!isset($_GET['id']) || empty($_GET['id'])) { $Form->setError('error', 'No agency ID found!'); $Form->return_msg_to('user.php'); } $id = cleanData($_GET['id']); $agency_query = mysql_query("SELECT * FROM " . TBL_AGENCY . " WHERE id = '" . $id . "' LIMIT 1"); if (mysql_num_rows($agency_query) < 1) { $Form->setError('error', 'No agency found with given ID!'); $Form->return_msg_to('user.php'); } $agency_data = mysql_fetch_assoc($agency_query); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Life Department - Edit Agency</title> <!-- Bootstrap CSS --> <link rel="stylesheet" href="<?php
//starting the session session_start(); function cleanData($text) { $text = trim($text); $text = stripcslashes($text); $text = htmlspecialchars($text); } //if the user tried to submit their login... if (isset($_POST['submit'])) { //get the variables and clean them $username = $_POST['username']; $userpassword = $_POST['password']; cleanData($username); cleanData($userpassword); //connect to the database $host = "localhost"; $user = "******"; $password = "******"; $dbc = mysql_pconnect($host, $user, $password); $dbname = "X32720502"; mysql_select_db($dbname) or die("Cannot connect to database " . mysql_error()); //construct a query where we look in USERS for a row that has the matching username and passowrd $query = mysql_query("SELECT * FROM USERS WHERE Username='******' AND Password='******';"); //gather the number of rows in the result. //if there is one and only one match, log the user in $rows = mysql_num_rows($query); if ($rows == 1) { //initialize session with the username $_SESSION['login_user'] = $username;
?> "> [<a href="javascript:void(0);" onclick="return overlib('<?php echo $msg_javascript20; ?> ', STICKY, CAPTION,'<?php echo $msg_javascript6; ?> ', CENTER);" onmouseout="nd();"><b>?</b></a>]</td> </tr> <tr> <td class="headbox" align="left"><?php echo $msg_settings51; ?> :</td> <td align="left"><input class="formbox" type="text" name="meta_d" size="30" value="<?php echo cleanData($SETTINGS->meta_d); ?> "> [<a href="javascript:void(0);" onclick="return overlib('<?php echo $msg_javascript21; ?> ', STICKY, CAPTION,'<?php echo $msg_javascript6; ?> ', CENTER);" onmouseout="nd();"><b>?</b></a>]</td> </tr> <tr> <td class="headbox" align="left"><?php echo $msg_settings53; ?> : [<a href="javascript:void(0);" onclick="return overlib('<?php echo $msg_javascript23;
<?php if ($_POST['submit'] == "Submit") { $email = cleanData($_POST['email']); $first = cleanData($_POST['first']); $last = cleanData($_POST['last']); $mobile = cleanData($_POST['mobile']); $image = cleanData($_POST['image']); //print "Data cleaned"; addData($email, $first, $last, $mobile, $image); } else { printForm(); } function claenData($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); $data = strip_tags($data); return $data; } function addData($email, $first, $last, $mobile, $image) { //print "ready to add data"; include "mili.php"; } function printForm() { //displays the html form $pageTitle = "Add a Contact"; include "header.php";
?> "><b><?php echo $msg_addcomments6; ?> </b></a>]</td> </tr> </table> <div id="<?php echo $blogs['id']; ?> " style="display:none"> <table cellpadding="0" cellspacing="1" width="100%" align="center" style="margin-top:3px"> <?php while ($comments = mysql_fetch_array($comcount)) { $find = array('{poster}', '{date}'); $replace = array('<b>' . cleanData($comments['name']) . '</b>', $comments['rawpostdate']); ?> <tr> <td align="left" width="80%" valign="middle"><img src="images/tree.gif" border="0"><?php echo str_replace($find, $replace, $msg_addcomments9); ?> </td> <td align="center" width="10%" valign="middle"><a href="index.php?cmd=editcomments&id=<?php echo $comments['id']; ?> " title="<?php echo $msg_showblogs8; ?> "><img src="images/edit.gif" alt="<?php echo $msg_showblogs8; ?>
//echo md5($_POST['login_password'].$response['salt'])." - ".$response['password'];exit; if ($response['num_users'] > 0 && crypt($cleanedPost['login_password'], $response['password']) == $response['password']) { $_SESSION['loggedin'] = 1; $_SESSION['username'] = $response['username']; $_SESSION['usertype'] = $response['usertype']; header('Location:../admin.php'); exit; } else { $_SESSION['loggedin'] = NULL; header('Location:../admin.php?loginError=1&usernameAttempt=' . $cleanedPost['login_name']); exit; } } else { if ($_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST['create_user_name']) && !empty($_POST['create_user_password']) && !empty($_POST['create_user_usertype'])) { //clean post data $cleanedPost = cleanData($_POST); include_once 'db.inc.php'; //Open a database connection and store it $db = new PDO(DB_INFO, DB_USER, DB_PASS); //PROCESS PASSWORD source:http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/ // A higher "cost" is more secure but consumes more processing power $cost = 10; // Create a random salt $salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.'); // Prefix information about the hash so PHP knows how to verify it later. // "$2a$" Means we're using the Blowfish algorithm. The following two digits are the cost parameter. $salt = sprintf("\$2a\$%02d\$", $cost) . $salt; // Hash the password with the salt $hash = crypt($cleanedPost['create_user_password'], $salt); $sql = "INSERT INTO admin (username, password, usertype) VALUES(?, ?, ?)"; $stmt = $db->prepare($sql);
<tr> <td align="left" style="padding:2px;background-color:#F0F6FF;color:#000000"> <?php $q_latest = mysql_query("SELECT * FROM " . $database['prefix'] . "blogs ORDER BY id DESC LIMIT " . LATEST_BLOGS . "") or die(mysql_error()); while ($BLOGS = mysql_fetch_object($q_latest)) { ?> <table width="100%" cellspacing="0" cellpadding="0" style="margin-top:3px;border:1px solid #64798E"> <tr> <td align="left" width="90%" style="padding:5px;background-color:#FFFFFF"><a href="../index.php?cmd=blog&post=<?php echo $BLOGS->id; ?> " target="_blank" title="<?php echo cleanData($BLOGS->title); ?> "><b><?php echo cleanData($BLOGS->title); ?> </b></a></td> <td align="right" style="padding:5px;background-color:#FFFFFF"><a href="index.php?cmd=edit&id=<?php echo $BLOGS->id; ?> "><img src="images/edit_small.gif" alt="<?php echo $msg_showblogs8; ?> " title="<?php echo $msg_showblogs8; ?> " border="0"></a></td> </tr> </table> <?php
$Form->setError('error', 'Please write user password'); } // Password if (!isset($_POST['phone']) || empty($_POST['phone'])) { $Form->setError('error', 'Please write user phone number'); } // Agency if (!isset($_POST['agency']) || empty($_POST['agency'])) { $Form->setError('error', 'Please select a agency'); } /** * Error Found! * Redirect back to form page */ if ($Form->num_errors > 0) { $Form->return_msg_to('add-a-user.php'); } $first_name = cleanData($_POST['first_name']); $last_name = cleanData($_POST['last_name']); $email = cleanData($_POST['email']); $password = cleanData($_POST['password']); $phone = cleanData($_POST['phone']); $agency = cleanData($_POST['agency']); $userAdd = insertQuery(TBL_USER, array('type' => 'user', 'agency_id' => $agency, 'first_name' => $first_name, 'last_name' => $last_name, 'email' => $email, 'password' => $password, 'phone_no' => $phone, 'create_date' => 'NOW()')); if (!$userAdd) { $Form->setError('error', 'Database error! Please try again.'); $Form->return_msg_to('add-a-user.php'); } else { $Form->setError('success', 'New user added successfully'); $Form->return_msg_to('user.php'); }
$tpl_header->assign('SUBTEXT', $msg_public_header); $tpl_header->assign('FEED_URL', $SETTINGS->modR ? $SETTINGS->w_path . '/rss-feed.html' : $SETTINGS->w_path . '/index.php?cmd=rss-feed'); $tpl_header->assign('H_URL', $SETTINGS->modR ? $SETTINGS->w_path . '/index.html' : $SETTINGS->w_path . '/index.php'); $tpl_header->assign('P_URL', $SETTINGS->modR ? $SETTINGS->w_path . '/profile.html' : $SETTINGS->w_path . '/index.php?cmd=profile'); $tpl_header->assign('C_URL', $SETTINGS->modR ? $SETTINGS->w_path . '/contact.html' : $SETTINGS->w_path . '/index.php?cmd=contact'); $tpl_header->assign('A_URL', $SETTINGS->modR ? $SETTINGS->w_path . '/all-archive.html' : $SETTINGS->w_path . '/index.php?cmd=all-archive'); $tpl_header->assign('SEARCH_URL', $SETTINGS->modR ? $SETTINGS->w_path . '/index.html' : $SETTINGS->w_path . '/index.php?cmd=search'); $tpl_header->assign('H_CURRENT', $cmd == 'home' ? ' id="current"' : ''); $tpl_header->assign('P_CURRENT', $cmd == 'profile' ? ' id="current"' : ''); $tpl_header->assign('C_CURRENT', $cmd == 'contact' ? ' id="current"' : ''); $tpl_header->assign('A_CURRENT', $cmd == 'archive' || $cmd == 'all-archive' ? ' id="current"' : ''); $tpl_header->assign('H_CURRENT_CLASS', $cmd == 'home' ? ' class="selected"' : ''); $tpl_header->assign('P_CURRENT_CLASS', $cmd == 'profile' ? ' class="selected"' : ''); $tpl_header->assign('C_CURRENT_CLASS', $cmd == 'contact' ? ' class="selected"' : ''); $tpl_header->assign('A_CURRENT_CLASS', $cmd == 'archive' || $cmd == 'all-archive' ? ' class="selected"' : ''); $tpl_header->assign('HOME', $msg_public_header2); $tpl_header->assign('PROFILE', $msg_public_header3); $tpl_header->assign('CONTACT', $msg_public_header4); $tpl_header->assign('ARCHIVE', $msg_public_header5); $tpl_header->assign('RSS_FEED', $msg_public_header12); $tpl_header->assign('MENU', $msg_public_header14); $tpl_header->assign('SHOW_ARCHIVE', buildArchive($SETTINGS->totalArchives)); $tpl_header->assign('VIEW_PROFILE', $msg_public_header8); $tpl_header->assign('SEARCH_BLOG', $msg_public_header6); $tpl_header->assign('SEARCH', $msg_public_header7); $tpl_header->assign('KEYWORDS', $msg_public_header9); $tpl_header->assign('IMAGE', $SETTINGS->profileImage ? '<img class="profile_image" src="' . $SETTINGS->w_path . '/uploads/' . $SETTINGS->profileImage . '"' . ($SETTINGS->imageWidth > 0 ? ' width="' . $SETTINGS->imageWidth . '"' : ' ') . ' ' . ($SETTINGS->imageHeight > 0 ? ' height="' . $SETTINGS->imageHeight . '" ' : ' ') . 'title="' . $msg_public_header3 . '" alt="' . $msg_public_header3 . '" /><br />' : ''); $tpl_header->assign('ENTERED_KEYWORDS', isset($_GET['keywords']) ? cleanData($_GET['keywords']) : ''); $tpl_header->assign('FAVOURITE_SITES', loadFavouriteSites()); $tpl_header->assign('ADSENSE_BLOCK', loadAdsense()); $tpl_header->display('themes/' . THEME . '/header.tpl.php');
<?php /* Created on : Sep 15, 2014, 3:40:02 PM Author : me@rafi.pro Name : Mohammad Faozul Azim Rafi */ include '../../core.php'; $session->loginRequired('admin', false); $Form = new Form(); if (!isset($_POST['id'])) { $Form->setError('error', 'You must select a banner to delete!'); $Form->return_msg_to('banner.php'); } $id = cleanData($_POST['id']); $result = mysql_fetch_array(mysql_query('SELECT * FROM ' . TBL_BANNER . ' WHERE id="' . $id . '"')); if ($result == FALSE) { $Form->setError('error', 'Banner id not found!'); $Form->return_msg_to('banner.php'); } $delete_result = mysql_query('DELETE FROM ' . TBL_BANNER . ' WHERE id="' . $id . '"'); if ($delete_result) { if (file_exists(UPLOAD_DIR . $result['file_name'])) { unlink(UPLOAD_DIR . $result['file_name']); } $Form->setError('success', 'Banner delete success!'); $Form->return_msg_to('banner.php'); } $Form->setError('success', 'Banner delete failed!'); $Form->return_msg_to('banner.php');
?> </b>:<br><br> <input class="formbox" type="text" name="email" size="30" maxlength="250" value="<?php echo cleanData($COMMENTS->email); ?> "><br><span class='error'><i>(<?php echo $msg_editcomments8; ?> )</i></td> </tr> <tr> <td align="left"><b><?php echo $msg_add2; ?> </b>:<br><br><textarea style="width:98%" cols="50" rows="12" name="comments"><?php echo cleanData($COMMENTS->comments); ?> </textarea></td> </tr> <tr> <td align="left"><input class="formbutton" type="submit" value="<?php echo $msg_editcomments2; ?> " title="<?php echo $msg_editcomments2; ?> "></td> </tr> </table> </form> <table width="100%" cellspacing="0" cellpadding="0" border="0" style="margin-top:3px;border:1px solid #64798E">
?> </a></td> <td width="15%" align="center" height="17" class="menutable"><?php echo strtoupper($msg_showcomments3); ?> </td> </tr> </table> <?php $q_blogs = mysql_query("SELECT * FROM " . $database['prefix'] . "blogs \n {$sql_order} \n LIMIT {$limitvalue}, {$SETTINGS->total}\n ") or die(mysql_error()); while ($BLOGS = mysql_fetch_object($q_blogs)) { ?> <table cellpadding="0" cellspacing="1" width="100%" align="center" style="margin-top:3px;border: 1px solid #164677;"> <tr> <td width="75%" align="left" height="15" valign="middle" style="padding:5px"><?php echo strlen($BLOGS->title) > 70 ? substr(cleanData($BLOGS->title), 0, 70) . "..." : cleanData($BLOGS->title); ?> </td> <td width="10%" align="center" height="15" valign="middle" style="padding:5px"><b><?php echo number_format($BLOGS->v_count); ?> </b></td> <td width="15%" align="center" height="15" valign="middle" style="padding:5px"><a href="index.php?cmd=addcomments&id=<?php echo $BLOGS->id; ?> " title="<?php echo $msg_showcomments3; ?> "><img style="padding:2px" src="images/add.gif" alt="<?php echo $msg_showcomments3; ?>
} $return['html'] .= '<div class="btnSpacer"><button id="editBtn">Edit</button></div>'; echo json_encode($return); } /* Function: editSave Inputs: Outputs: */ if ($_POST['action'] == 'editSave') { //verify data $data = $_POST; unset($data['action']); unset($data['type']); unset($data['id']); $data = cleanData($_POST['type'], null, $data); $return = verifyData($_POST['type'], null, $data); //manual check for managerID (ONLY for editMany (I think only for editMany because otherwise you can't edit the CEO)) because it's required, but not checked in verifyData if (array_key_exists('managerID', $data) && $data['managerID'] == '' && count(explode(',', $_POST['id'])) > 1) { $return['status'] = 'fail'; $return['managerID'] = 'Required'; } if ($return['status'] != 'fail') { $idArr = explode(',', $_POST['id']); $idArrSafe = []; foreach ($data as $key => $value) { if ($TYPES[$_POST['type']]['fields'][$key]['verifyData'][1] == 'date') { //if this is a date, convert it to a unixTS $temp = DateTime::createFromFormat($SETTINGS['dateFormat'] . '|', $value)->getTimestamp(); $data[$key] = $temp; $value = $temp;