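public function executeInner()
{
    // Stores a visitor comment against the blog entry identified by $this->blogId.
    // Returns SUCCESS whether or not the INSERT worked: the caller re-renders the
    // same page either way and the notice/error list carries the outcome.

    // instantiate db
    $dbManager = new DBManager();

    // make comments safe and nicely formatted
    // TODO: strip tags with exceptions (see examples at http://us2.php.net/manual/en/function.strip-tags.php)
    // allowable tags <b><strong><u><i><a><em> possibly allowable <ul><ol><li>
    // TODO: convert "safe" tags to safe implementations, ex <strong style="foo"></strong> becomes <strong></strong>
    // TODO: sanitize anchor tags, ex <a href="javascript://"> is killed and <a href="foo"> becomes <a href="foo" target="_blank">
    // Until those TODOs are done the stored contents are only SQL-escaped, not
    // HTML-safe: whatever renders them must escape for HTML context.

    // escape strings for insert
    $name = $dbManager->escapeString($this->name);
    $contents = $dbManager->escapeString($this->contents);
    // blogId was interpolated into the statement unescaped; the int cast guarantees
    // only an integer ever reaches the SQL (a non-numeric value becomes 0).
    $blogId = (int) $this->blogId;

    // do query (mysql_* offers no parameter binding; the extension is removed in PHP 7,
    // so a move to PDO prepared statements is the long-term fix)
    $result = mysql_query("INSERT INTO blogcomments SET blogid={$blogId},name='{$name}', message='{$contents}'");

    // check if successful
    if ($result) {
        $this->addNotice("Successfully posted a blog entry from \"" . $this->name . "\".");
        // TODO: determine why trend micro firewall causing this to hang and why email not sending even when not hanging
        //$this->notifyAdmins();
    } else {
        $this->addError("An error occured attempting to add a blog post. " . $dbManager->getLastError());
    }

    // return success regardless since returned to the same place and error displayed
    return GlobalConstants::SUCCESS;
}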
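protected function executeInner()
{
    // Updates the current user's email (and password, when one was supplied) and
    // then refreshes the User object held in the session.
    // Returns USER_INPUT when the UPDATE fails, SUCCESS otherwise.

    // update user in database
    // the id comes from the session user; cast so the WHERE clause can only ever
    // receive an integer
    $userid = (int) $this->getUser()->getUserid();

    // instantiate db
    $dbManager = new DBManager();

    // escape strings for insert
    $email = $dbManager->escapeString($this->email);

    if (!Str::nullOrEmpty($this->password)) {
        // they put something in for password, update it
        // NOTE(review): md5 is not a password hash (unsalted, fast). The login path
        // compares an md5 of the submitted password, so migrating to
        // password_hash()/password_verify() has to change both sides together.
        $password = md5($this->password);
        // NOTE(review): $password is computed but the statement stores the literal
        // '******' — this looks like a redacted/placeholder value; confirm the
        // intended column value before relying on this path.
        $result = mysql_query("UPDATE users SET email='{$email}', password='******' WHERE userid = {$userid}");
    } else {
        // just update email
        $result = mysql_query("UPDATE users SET email='{$email}' WHERE userid = {$userid}");
    }

    // check if successful
    if (!$result) {
        $this->addError("An error occured attempting update user info. " . $dbManager->getLastError());
        return GlobalConstants::USER_INPUT;
    }
    $this->addNotice("Successfully updated user info for \"" . $this->email . "\".");

    // get new user object
    $result = mysql_query("SELECT * FROM users WHERE userid = {$userid}");
    // a failed SELECT would otherwise hand false to mysql_fetch_object (warning, then
    // a non-object stored as the session user); keep the existing session user instead
    if ($result !== false) {
        $user = mysql_fetch_object($result, 'User');
        if ($user) {
            // update user object in session
            $_SESSION[ValidateCredentials::USER_KEY] = $user;
        }
    }

    // the update itself succeeded; the refresh of the session user is best-effort
    return GlobalConstants::SUCCESS;
}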
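public function executeInner()
{
    // Rewrites the title and body of the blog entry identified by $this->blogId.
    // Returns SUCCESS whether or not the UPDATE worked: the caller re-renders the
    // same page either way and the notice/error list carries the outcome.

    // instantiate db
    $dbManager = new DBManager();

    // escape strings for insert
    $title = $dbManager->escapeString($this->postTitle);
    $contents = $dbManager->escapeString($this->contents);
    // blogId was interpolated into the WHERE clause unescaped; the int cast
    // guarantees only an integer ever reaches the SQL (a non-numeric value becomes 0).
    $blogId = (int) $this->blogId;

    // do query (mysql_* offers no parameter binding; the extension is removed in PHP 7)
    $result = mysql_query("UPDATE blog SET title='{$title}', message='{$contents}' WHERE blogid = {$blogId}");

    // check if successful
    if ($result) {
        $this->addNotice("blog.notice.blogUpdated", array('id' => $this->blogId));
    } else {
        $this->addError("blog.error.failedBlogUpdate", array("error" => $dbManager->getLastError()));
    }

    // return success regardless since returned to the same place and error displayed
    return GlobalConstants::SUCCESS;
}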
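protected function executeInner()
{
    // Authenticates the submitted email/password against the users table and, on
    // success, stores the User object in the session under self::USER_KEY.
    // Returns USER_ERROR when the email is unknown or the password does not match;
    // on success it falls off the end (null), as before.
    $dbManager = new DBManager();

    // prepare input for query
    $email = $dbManager->escapeString($this->email);

    // get user info from db
    $result = mysql_query("SELECT * FROM users WHERE email ='" . $email . "'");

    // if does not exist, add error and return user error
    // A failed query (false) takes the same branch as an empty result, so that
    // mysql_num_rows()/mysql_fetch_object() are never handed false; the strict
    // comparison replaces the old `== 0`, which only caught that case via false == 0.
    // NOTE(review): distinct invalidEmail/invalidPassword responses reveal whether an
    // address is registered; a single generic failure message would avoid that.
    if ($result === false || mysql_num_rows($result) === 0) {
        $this->addError("login.error.invalidEmail", array("email" => $this->email), "email");
        return GlobalConstants::USER_ERROR;
    }

    // convert result into user object
    $user = mysql_fetch_object($result, 'User');

    // check md5 of submitted password and what is stored in the db
    if (!$user->validatePassword($this->password)) {
        $this->addError("login.error.invalidPassword", null, "email");
        return GlobalConstants::USER_ERROR;
    }
    $this->addNotice("login.notice.credentialsValid", array("email" => $this->email));

    // privilege level changes here: issue a fresh session id so an id fixed before
    // login cannot be reused afterwards
    session_regenerate_id(true);

    // push user object into session
    $_SESSION[self::USER_KEY] = $user;
}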