Added functionality to update country + gender, and added some XSS sanitization
This commit is contained in:
parent
9a1693fcf1
commit
c6c76ea30d
4 changed files with 65 additions and 19 deletions
@ -3,7 +3,7 @@
|
||||||
function change_info(){
|
function change_info(){
|
||||||
|
|
||||||
try{
|
try{
|
||||||
//if logged in
|
//if logged in
|
||||||
if(WebUsers::isLoggedIn()){
|
if(WebUsers::isLoggedIn()){
|
||||||
|
|
||||||
if(isset($_POST['target_id'])){
|
if(isset($_POST['target_id'])){
|
||||||
|
@ -19,17 +19,24 @@ function change_info(){
|
||||||
$webUser = new WebUsers();
|
$webUser = new WebUsers();
|
||||||
//use current info to check for changes
|
//use current info to check for changes
|
||||||
$current_info = $webUser->getInfo($_POST['target_id']);
|
$current_info = $webUser->getInfo($_POST['target_id']);
|
||||||
|
|
||||||
//TODO: XSS filtering
|
//TODO: XSS filtering
|
||||||
|
$current_info['FirstName'] = filter_var($current_info['FirstName'], FILTER_SANITIZE_STRING);
|
||||||
|
$current_info['LastName'] = filter_var($current_info['LastName'], FILTER_SANITIZE_STRING);
|
||||||
|
$current_info['Country'] = filter_var($current_info['Country'], FILTER_SANITIZE_STRING);
|
||||||
|
$current_info['Gender'] = filter_var($current_info['Gender'], FILTER_SANITIZE_NUMBER_INT);
|
||||||
|
|
||||||
|
|
||||||
//make the query that will update the data.
|
|
||||||
$updated = false;
|
$updated = false;
|
||||||
$values = Array();
|
$values = Array();
|
||||||
$values['user'] = $target_username;
|
$values['user'] = $target_username;
|
||||||
|
|
||||||
|
//make the query that will update the data.
|
||||||
$query = "UPDATE ams_user SET ";
|
$query = "UPDATE ams_user SET ";
|
||||||
if(($_POST['FirstName'] != "") && ($_POST['FirstName'] != $current_info['FirstName'])){
|
if(($_POST['FirstName'] != "") && ($_POST['FirstName'] != $current_info['FirstName'])){
|
||||||
$query = $query . "FirstName = :fName ";
|
$query = $query . "FirstName = :fName ";
|
||||||
$updated = true;
|
$updated = true;
|
||||||
$values['fName'] = $_POST['FirstName'];
|
$values['fName'] = filter_var($_POST['FirstName'], FILTER_SANITIZE_STRING);
|
||||||
}
|
}
|
||||||
if(($_POST['LastName'] != "") && ($_POST['LastName'] != $current_info['LastName'])){
|
if(($_POST['LastName'] != "") && ($_POST['LastName'] != $current_info['LastName'])){
|
||||||
if($updated){
|
if($updated){
|
||||||
|
@ -38,9 +45,27 @@ function change_info(){
|
||||||
$query = $query . "LastName = :lName ";
|
$query = $query . "LastName = :lName ";
|
||||||
}
|
}
|
||||||
$updated = true;
|
$updated = true;
|
||||||
$values['lName'] = $_POST['LastName'];
|
$values['lName'] = filter_var($_POST['LastName'], FILTER_SANITIZE_STRING);
|
||||||
}
|
}
|
||||||
//TODO: add the other fields too
|
if(($_POST['Country'] != "AA") && ($_POST['Country'] != $current_info['Country'])){
|
||||||
|
if($updated){
|
||||||
|
$query = $query . ", Country = :country ";
|
||||||
|
}else{
|
||||||
|
$query = $query . "Country = :country ";
|
||||||
|
}
|
||||||
|
$updated = true;
|
||||||
|
$values['country'] = filter_var($_POST['Country'], FILTER_SANITIZE_STRING);
|
||||||
|
}
|
||||||
|
if($_POST['Gender'] != $current_info['Gender']){
|
||||||
|
if($updated){
|
||||||
|
$query = $query . ", Gender = :gender ";
|
||||||
|
}else{
|
||||||
|
$query = $query . "Gender = :gender ";
|
||||||
|
}
|
||||||
|
$updated = true;
|
||||||
|
$values['gender'] = filter_var($_POST['Gender'], FILTER_SANITIZE_NUMBER_INT);
|
||||||
|
}
|
||||||
|
//finish the query!
|
||||||
$query = $query . "WHERE Login = :user";
|
$query = $query . "WHERE Login = :user";
|
||||||
|
|
||||||
//if some field is update then:
|
//if some field is update then:
|
||||||
|
@ -61,24 +86,25 @@ function change_info(){
|
||||||
$result['username'] = $_SESSION['user'];
|
$result['username'] = $_SESSION['user'];
|
||||||
$result['no_visible_elements'] = 'FALSE';
|
$result['no_visible_elements'] = 'FALSE';
|
||||||
$result['target_id'] = $_POST['target_id'];
|
$result['target_id'] = $_POST['target_id'];
|
||||||
if(isset($_GET['id'])){
|
|
||||||
if(WebUsers::isAdmin() && ($_POST['target_id'] != $_SESSION['id'])){
|
|
||||||
$result['isAdmin'] = "TRUE";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
helpers :: loadtemplate( 'settings', $result);
|
helpers :: loadtemplate( 'settings', $result);
|
||||||
exit;
|
exit;
|
||||||
|
|
||||||
}else{
|
}else{
|
||||||
//ERROR: permission denied!
|
//ERROR: permission denied!
|
||||||
|
$_SESSION['error_code'] = "403";
|
||||||
|
header("Location: index.php?page=error");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
}else{
|
}else{
|
||||||
//ERROR: The form was not filled in correclty
|
//ERROR: The form was not filled in correclty
|
||||||
|
header("Location: index.php?page=settings");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
}else{
|
}else{
|
||||||
//ERROR: user is not logged in
|
//ERROR: user is not logged in
|
||||||
exit;
|
header("Location: index.php");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
}catch (PDOException $e) {
|
}catch (PDOException $e) {
|
||||||
|
|
|
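Review bot: The new Country and Gender branches in the hunk at `@ -38,9 +45,27 @@` read `$_POST['Country']` and `$_POST['Gender']` without the `isset` guard that `target_id` gets, and Gender is only passed through `FILTER_SANITIZE_NUMBER_INT`, which strips non-digits but does not restrict the value to what the form offers, so any integer can be stored (the query is parameterised via `:gender`, so this is a validation gap, not SQL injection). Guard and whitelist before the query builds, e.g. `if(isset($_POST['Gender']) && ctype_digit((string)$_POST['Gender']) && in_array((int)$_POST['Gender'], $allowedGenders, true) && ((int)$_POST['Gender'] !== (int)$current_info['Gender'])){`, where `$allowedGenders` stands for the set of values the form defines. In the hunk at `@ -19,17 +19,24 @@` the database values in `$current_info` are run through `FILTER_SANITIZE_STRING` but then compared with the raw `$_POST` values, so a stored name containing a quote or `<` never compares equal and is rewritten on every submit; the filter also mutates what gets persisted (quotes become entities), whereas HTML encoding belongs at output, `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in the template, and `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1. change_info() starts and ends outside these hunks.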
@ -28,10 +28,10 @@ function change_mail(){
|
||||||
}else{
|
}else{
|
||||||
$result['EMAIL_ERROR'] = 'FALSE';
|
$result['EMAIL_ERROR'] = 'FALSE';
|
||||||
}
|
}
|
||||||
$result['prevNewEmail'] = $_POST["NewEmail"];
|
$result['prevNewEmail'] = filter_var($_POST["NewEmail"], FILTER_SANITIZE_EMAIL);
|
||||||
|
|
||||||
if ($reply== "success"){
|
if ($reply== "success"){
|
||||||
$status = WebUsers::setEmail($target_username, $_POST["NewEmail"] );
|
$status = WebUsers::setEmail($target_username, filter_var($_POST["NewEmail"], FILTER_SANITIZE_EMAIL) );
|
||||||
if($status == 'ok'){
|
if($status == 'ok'){
|
||||||
$result['SUCCESS_MAIL'] = "OK";
|
$result['SUCCESS_MAIL'] = "OK";
|
||||||
}else if($status == 'shardoffline'){
|
}else if($status == 'shardoffline'){
|
||||||
|
@ -66,14 +66,20 @@ function change_mail(){
|
||||||
|
|
||||||
}else{
|
}else{
|
||||||
//ERROR: permission denied!
|
//ERROR: permission denied!
|
||||||
|
$_SESSION['error_code'] = "403";
|
||||||
|
header("Location: index.php?page=error");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
}else{
|
}else{
|
||||||
//ERROR: The form was not filled in correclty
|
//ERROR: The form was not filled in correclty
|
||||||
|
header("Location: index.php?page=settings");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
}else{
|
}else{
|
||||||
//ERROR: user is not logged in
|
//ERROR: user is not logged in
|
||||||
exit;
|
header("Location: index.php");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
}catch (PDOException $e) {
|
}catch (PDOException $e) {
|
||||||
|
|
|
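Review bot: `FILTER_SANITIZE_EMAIL` in the hunk at `@ -28,10 +28,10 @@` only strips characters that are not permitted in an address, it does not validate one, and because `setEmail` now receives the stripped value rather than `$_POST["NewEmail"]`, the address that is stored can differ from the one that produced `$reply == "success"` (that check runs outside the hunk, so this is inferred). Validate once with `$newEmail = filter_var($_POST["NewEmail"], FILTER_VALIDATE_EMAIL);`, treat `false` as a form error, and pass `$newEmail` both to `setEmail` and to `$result['prevNewEmail']` so the checked and stored values are the same string. The 403 redirect added in the second hunk matches change_info and change_password, which keeps the error paths consistent. change_mail() begins and ends outside these hunks.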
@ -42,12 +42,12 @@ function change_password(){
|
||||||
exit;
|
exit;
|
||||||
|
|
||||||
}else{
|
}else{
|
||||||
$result['prevCurrentPass'] = $_POST["CurrentPass"];
|
$result['prevCurrentPass'] = filter_var($_POST["CurrentPass"], FILTER_SANITIZE_STRING);
|
||||||
$result['prevNewPass'] = $_POST["NewPass"];
|
$result['prevNewPass'] = filter_var($_POST["NewPass"], FILTER_SANITIZE_STRING);
|
||||||
$result['prevConfirmNewPass'] = $_POST["ConfirmNewPass"];
|
$result['prevConfirmNewPass'] = filter_var($_POST["ConfirmNewPass"], FILTER_SANITIZE_STRING);
|
||||||
$result['permission'] = $_SESSION['permission'];
|
$result['permission'] = $_SESSION['permission'];
|
||||||
$result['no_visible_elements'] = 'FALSE';
|
$result['no_visible_elements'] = 'FALSE';
|
||||||
$return['username'] = $_SESSION['user'];
|
$result['username'] = $_SESSION['user'];
|
||||||
$result['target_id'] = $_POST['target_id'];
|
$result['target_id'] = $_POST['target_id'];
|
||||||
|
|
||||||
global $SITEBASE;
|
global $SITEBASE;
|
||||||
|
@ -61,14 +61,20 @@ function change_password(){
|
||||||
|
|
||||||
}else{
|
}else{
|
||||||
//ERROR: permission denied!
|
//ERROR: permission denied!
|
||||||
|
$_SESSION['error_code'] = "403";
|
||||||
|
header("Location: index.php?page=error");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
}else{
|
}else{
|
||||||
//ERROR: The form was not filled in correclty
|
//ERROR: The form was not filled in correclty
|
||||||
|
header("Location: index.php?page=settings");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
}else{
|
}else{
|
||||||
//ERROR: user is not logged in
|
//ERROR: user is not logged in
|
||||||
exit;
|
header("Location: index.php");
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
}catch (PDOException $e) {
|
}catch (PDOException $e) {
|
||||||
|
|
|
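Review bot: Passing `$_POST["CurrentPass"]`, `$_POST["NewPass"]` and `$_POST["ConfirmNewPass"]` through `FILTER_SANITIZE_STRING` in the hunk at `@ -42,12 +42,12 @@` silently alters any password containing `<`, `>` or quotes, so the value re-displayed in the form no longer matches what the user typed and will fail or be stored differently on resubmit; it also keeps plaintext passwords in the rendered page. Prefer not to echo passwords back at all, and if the template expects these keys, set them to empty strings, `$result['prevCurrentPass'] = '';` and likewise for the other two; any value that must be displayed should be escaped in the template with `htmlspecialchars`, since `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1. The `$return['username']` to `$result['username']` correction in the same hunk fixes a real bug. change_password() starts and ends outside these hunks.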
@ -21,6 +21,14 @@ function settings(){
|
||||||
$result = WebUsers::getInfo($_SESSION['id']);
|
$result = WebUsers::getInfo($_SESSION['id']);
|
||||||
$result['target_id'] = $_SESSION['id'];
|
$result['target_id'] = $_SESSION['id'];
|
||||||
$result['current_mail'] = WebUsers::getEmail($_SESSION['id']);
|
$result['current_mail'] = WebUsers::getEmail($_SESSION['id']);
|
||||||
|
|
||||||
|
//Sanitize Data
|
||||||
|
$result['current_mail'] = filter_var($result['current_mail'], FILTER_SANITIZE_EMAIL);
|
||||||
|
$result['Login'] = filter_var($result['Login'], FILTER_SANITIZE_STRING);
|
||||||
|
$result['FirstName'] = filter_var($result['FirstName'], FILTER_SANITIZE_STRING);
|
||||||
|
$result['LastName'] = filter_var($result['LastName'], FILTER_SANITIZE_STRING);
|
||||||
|
$result['Country'] = filter_var($result['Country'], FILTER_SANITIZE_STRING);
|
||||||
|
$result['Gender'] = filter_var($result['Gender'], FILTER_SANITIZE_NUMBER_INT);
|
||||||
}
|
}
|
||||||
$result['country_array'] = getCountryArray();
|
$result['country_array'] = getCountryArray();
|
||||||
return $result;
|
return $result;
|
||||||
|
|
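Review bot: The new sanitisation block in the hunk at `@ -21,6 +21,14 @@` applies `FILTER_SANITIZE_STRING` to values read from the database before handing them to the template; by default this strips tags and encodes quotes but leaves `&` untouched, and the filter is deprecated as of PHP 8.1, so it is not a dependable HTML-context escape. The robust place for escaping is the template, `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` per output; if it has to stay here, the four string fields can be handled in one loop, `foreach (['Login', 'FirstName', 'LastName', 'Country'] as $f) { $result[$f] = htmlspecialchars((string) $result[$f], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }`, but first confirm the template does not already escape, or values will be double-encoded. The block sits inside an `if` whose opening is outside the hunk, so whatever `$result` holds on the other branch reaches the template unfiltered; check that path. settings() begins outside the hunk.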