svn commit: r343 - trunk/mapbender/http/php/mod_editFilteredUser.php

uli at osgeo.org uli at osgeo.org
Wed May 24 10:42:38 EDT 2006


Author: uli
Date: 2006-05-24 14:42:38+0000
New Revision: 343

Modified:
   trunk/mapbender/http/php/mod_editFilteredUser.php   (contents, props changed)

Log:
validation of permissions
prepared statements included

Modified: trunk/mapbender/http/php/mod_editFilteredUser.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_editFilteredUser.php?view=diff&rev=343&p1=trunk/mapbender/http/php/mod_editFilteredUser.php&p2=trunk/mapbender/http/php/mod_editFilteredUser.php&r1=342&r2=343
==============================================================================
--- trunk/mapbender/http/php/mod_editFilteredUser.php	(original)
+++ trunk/mapbender/http/php/mod_editFilteredUser.php	2006-05-24 14:42:38+0000
@@ -1,6 +1,7 @@
 <?php
-# $Id: mod_editFilteredUser.php,v 1.16 2006/03/09 11:11:59 uli_rothstein Exp $
-# $Header: /cvsroot/mapbender/mapbender/http/php/mod_editFilteredUser.php,v 1.16 2006/03/09 11:11:59 uli_rothstein Exp $
+# $Id$
+# http://www.mapbender.org/index.php/Administration
+#
 # Copyright (C) 2002 CCGIS 
 #
 # This program is free software; you can redistribute it and/or modify
@@ -17,12 +18,12 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-require_once("../php/mb_validateSession.php");
 import_request_variables("PG");
 require_once("../../conf/mapbender.conf");
 $con = db_connect($DBSERVER,$OWNER,$PW);
 db_select_db(DB,$con);
-$gui_id = $_SESSION["mb_user_gui"];
+require_once("../php/mb_validatePermission.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
 $myUser = true;
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
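Review bot: `$self` is built from `$_REQUEST["guiID"]` and `$_REQUEST["elementID"]` with no encoding and is later echoed verbatim into a single-quoted attribute (`action='" . $self ."'` in the later form hunk), so a crafted query value can close the attribute and inject markup into the page. Encode when building and escape when emitting: `$self = $PHP_SELF . "?".SID."&guiID=".urlencode($_REQUEST["guiID"])."&elementID=".urlencode($_REQUEST["elementID"]);` and at the echo site `htmlspecialchars($self, ENT_QUOTES)`. The commit also swaps `mb_validateSession.php` for `mb_validatePermission.php`; whether the new include still performs the session check cannot be told from this hunk, so a one-line comment stating that it does (or keeping both requires) would help the next reader.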
@@ -95,79 +96,84 @@
 </head>
 <body>
 <?php
-require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-
+function setPassword($password){
+	if($password != ""){
+		if (SYS_DBTYPE=="mysql"){
+			$pw = "password('".$password."')";
+		}else{
+			if (MD5 == 'false'){
+				$pw = $password;
+			}else{
+				$pw = "md5('".$password."')";
+			}
+		}
+		return $pw;
+	}
+	else{
+		return false;	
+	}
+}
 #delete
 if($action == 'delete'){
-   $sql = "DELETE FROM mb_user WHERE mb_user_id = " . $selected_user;
-   $res = db_query($sql);
+   $sql = "DELETE FROM mb_user WHERE mb_user_id = $1";
+   $v = array($selected_user);
+   $t = array('i');
+   $res = db_prep_query($sql,$v,$t);
    $selected_user = 'new';
 }
 
 #save
 if($action == 'save'){
-   $sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = '".$name."' ";
-   $res = db_query($sql);
-   if(db_fetch_row($res)){
-      echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
-   }
-   else{
-     $sql = "Insert INTO mb_user (mb_user_name, mb_user_password,mb_user_owner, mb_user_description, mb_user_email, mb_user_phone, mb_user_department, mb_user_resolution) VALUES ";
-	$sql.= "('".$name."', ";
-	
-	if(SYS_DBTYPE == "mysql") {
-		$sql .= "password('".$password."')";
+	$sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = $1 ";
+	$v = array($name);
+	$t = array('s');
+	$res = db_prep_query($sql,$v,$t);
+	if(db_fetch_row($res)){
+		echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
 	}
-	else {
-		if (MD5 == 'false'){
-			$sql .= "'".$password."'";
-		}else{
-			$sql .= "md5('".$password."')";
-		}
+	else{
+		$sql = "Insert INTO mb_user (mb_user_name, mb_user_password,mb_user_owner, mb_user_description, ";
+		$sql .= "mb_user_email, mb_user_phone, mb_user_department, mb_user_resolution) VALUES ";
+		$sql.= "($1,$2,$3,$4,$5,$6,$7,$8)";	
+		$tmpPW = setPassword($password);
+		$v = array($name,$tmpPW,$owner_id,$description,$email,$phone,$department,$resolution);
+		$t = array('s','s','i','s','s','s','s','i');
+		$res = db_prep_query($sql,$v,$t);
+		$selected_user = db_insert_id($res,"mb_user","mb_user_id");
 	}
-	
-     $sql.= ",".$owner_id.",'".$description."', '".$email."', '".$phone."', '".$department."', ".$resolution.");";
-     $res = db_query($sql);
-     $selected_user = db_insert_id($res,"mb_user","mb_user_id");
-   }
 }
 
 #update
 if($action == 'update'){
-   $sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = '".$name."' AND mb_user_id <> ".$selected_user;
-   $res = db_query($sql);
-   if(db_fetch_row($res)){
-      echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
-   }
-   else{
-     $sql = "UPDATE mb_user SET mb_user_name ='".$name."'";
-     if($password != ""){
-        $sql.=", mb_user_password = ";
-
-	     if (SYS_DBTYPE=="mysql"){
-	     	$sql.= "password('".$password."')";
-	     }else{
-	     	if (MD5 == 'false'){
-				$sql .= "'".$password."'";
-	     	}else{
-	     		$sql.= "md5('".$password."')";
-	     	}
-	     }
+	$sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = $1 AND mb_user_id <> $2";
+	$v = array($name,$selected_user);
+	$t = array('s','i');
+	$res = db_prep_query($sql,$v,$t);
+	if(db_fetch_row($res)){
+		echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
 	}
-     $sql.=", mb_user_description = '".$description."'";
-     $sql.=", mb_user_login_count = '".$login_count."'";
-     $sql.=", mb_user_email = '".$email."'";
-     $sql.=", mb_user_phone = '".$phone."'";
-     $sql.=", mb_user_department = '".$department."'";
-     $sql.=", mb_user_resolution = ".$resolution;
-     $sql.=" where mb_user_id = " . $selected_user;
-     $res = db_query($sql);
-		if($password && $res){
-			echo "<script language='JavaScript'>alert('Password has been updated successfully!');</script>";
+	else{
+		$sql = "UPDATE mb_user SET mb_user_name = $1";			
+		$sql.=", mb_user_description = $2";
+		$sql.=", mb_user_login_count = $3";
+		$sql.=", mb_user_email = $4";
+		$sql.=", mb_user_phone = $5";
+		$sql.=", mb_user_department = $6";
+		$sql.=", mb_user_resolution = $7";
+		$sql.=" where mb_user_id = $8";
+		$v = array($name,$description,$login_count,$email,$phone,$department,$resolution,$selected_user);
+		$t = array('s','s','i','s','s','s','i','i');     
+		$res = db_prep_query($sql,$v,$t);		
+		if($password != ''){
+			$sql = "UPDATE mb_user SET mb_user_password = $1 WHERE mb_user_name = $2";
+			$v = array(setPassword($password), $name);
+			$t = array('s','s');
+			$res = db_prep_query($sql,$v,$t);
+			if($password && $res){
+				echo "<script language='JavaScript'>alert('Password has been updated successfully!');</script>";
+			}	
 		}
-   }
+	}
 }
 if (!isset($name) || $selected_user == 'new'){
   $name = "";
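Review bot: `setPassword()` returns the SQL expression text `password('...')` / `md5('...')`, but at `$v = array($name,$tmpPW,...)` and `$v = array(setPassword($password), $name);` that text is bound as the `'s'` value for `mb_user_password`; if `db_prep_query` binds values as data, as its name suggests, the row will store the literal characters `md5('secret')` rather than a digest and no later login will match. Either hash in PHP, `$pw = md5($password);`, or keep the function in the statement text, `mb_user_password = md5($2)`, and bind the raw password; the MySQL `password()` branch can only be done the second way since it has no PHP equivalent. Both schemes are an unsalted fast hash of the password, which the commit leaves as is. Two smaller points: `if($password && $res)` is redundant inside `if($password != '')`, and the password update keys on `mb_user_name = $2` while the preceding update keys on `mb_user_id = $8`; using `$selected_user` for both avoids depending on the name update having succeeded.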
@@ -185,7 +191,7 @@
 
 /*HTML*****************************************************************************************************/
 
-echo "<form name='form1' action='" . $PHP_SELF . "?".SID."' method='post'>";
+echo "<form name='form1' action='" . $self ."' method='post'>";
 echo "<table border='0'>";
 #User
 echo "<tr>";
@@ -214,8 +220,10 @@
 
 
 if(isset($selected_user) && $selected_user != 0){
-   $sql = "SELECT * FROM mb_user WHERE mb_user_id = ".$selected_user." ORDER BY mb_user_name ";
-   $res = db_query($sql);
+   $sql = "SELECT * FROM mb_user WHERE mb_user_id = $1 ORDER BY mb_user_name ";
+   $v = array($selected_user);
+   $t = array('i');
+   $res = db_prep_query($sql,$v,$t);
    if($row = db_fetch_array($res)){
       $name = $row["mb_user_name"];
       $password = $row["mb_user_password"];
@@ -227,8 +235,10 @@
       $department = $row["mb_user_department"];
       $resolution = $row["mb_user_resolution"];
    }
-   $sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = " . $owner_id;
-   $res = db_query($sql);
+   $sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = $1";
+   $v = array($owner_id);
+   $t = array('i');
+   $res = db_prep_query($sql,$v,$t);
    if($row = db_fetch_array($res)){
       $owner_name = $row["mb_user_name"];
    }
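Review bot: The owner lookup `SELECT mb_user_name FROM mb_user WHERE mb_user_id = $1` runs even when the preceding `db_fetch_array($res)` returned nothing; in that case `$owner_id` was not set from the row (presumably that assignment sits between the two hunks) and, with `import_request_variables("PG")` in effect, holds whatever the request supplied, so the page reveals the user name for any id the caller chooses. Moving the second query inside the `if($row = db_fetch_array($res))` branch, or guarding it with `if (isset($owner_id))` after the row assignment, limits it to the selected user's actual owner. The enclosing `if(isset($selected_user) && $selected_user != 0)` block starts in the previous hunk.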



