svn commit: r344 - trunk/mapbender/http/php/mod_editUser.php

uli at osgeo.org uli at osgeo.org
Wed May 24 10:53:09 EDT 2006


Author: uli
Date: 2006-05-24 14:53:08+0000
New Revision: 344

Modified:
   trunk/mapbender/http/php/mod_editUser.php

Log:
validation of permissions
prepared statements included

Modified: trunk/mapbender/http/php/mod_editUser.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_editUser.php?view=diff&rev=344&p1=trunk/mapbender/http/php/mod_editUser.php&p2=trunk/mapbender/http/php/mod_editUser.php&r1=343&r2=344
==============================================================================
--- trunk/mapbender/http/php/mod_editUser.php	(original)
+++ trunk/mapbender/http/php/mod_editUser.php	2006-05-24 14:53:08+0000
@@ -1,6 +1,7 @@
 <?php
-# $Id: mod_editUser.php,v 1.16 2006/03/09 10:44:20 uli_rothstein Exp $
-# $Header: /cvsroot/mapbender/mapbender/http/php/mod_editUser.php,v 1.16 2006/03/09 10:44:20 uli_rothstein Exp $
+# $Id: mod_editFilteredUser.php 343 2006-05-24 14:42:38Z uli $
+# http://www.mapbender.org/index.php/Administration
+#
 # Copyright (C) 2002 CCGIS 
 #
 # This program is free software; you can redistribute it and/or modify
@@ -17,13 +18,13 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-session_start();
 import_request_variables("PG");
-require_once("../php/mb_validateSession.php");
 require_once("../../conf/mapbender.conf");
 $con = db_connect($DBSERVER,$OWNER,$PW);
 db_select_db(DB,$con);
-$gui_id = $_SESSION["mb_user_gui"];
+require_once("../php/mb_validatePermission.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
+$myUser = false;
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
@@ -31,7 +32,7 @@
 <?php
 echo '<meta http-equiv="Content-Type" content="text/html; charset='.CHARSET.'">';	
 ?>
-<title>Edit User</title>
+<title>Edit Filtered User</title>
 <?php
 include '../include/dyn_css.php';
 $myPW = "**********";
@@ -95,78 +96,84 @@
 </head>
 <body>
 <?php
-require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-
+function setPassword($password){
+	if($password != ""){
+		if (SYS_DBTYPE=="mysql"){
+			$pw = "password('".$password."')";
+		}else{
+			if (MD5 == 'false'){
+				$pw = $password;
+			}else{
+				$pw = "md5('".$password."')";
+			}
+		}
+		return $pw;
+	}
+	else{
+		return false;	
+	}
+}
 #delete
 if($action == 'delete'){
-   $sql = "DELETE FROM mb_user WHERE mb_user_id = " . $selected_user;
-   $res = db_query($sql);
+   $sql = "DELETE FROM mb_user WHERE mb_user_id = $1";
+   $v = array($selected_user);
+   $t = array('i');
+   $res = db_prep_query($sql,$v,$t);
    $selected_user = 'new';
 }
 
 #save
 if($action == 'save'){
-   $sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = '".$name."' ";
-   $res = db_query($sql);
-   if(db_fetch_row($res)){
-      echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
-   }
-   else{
-     $sql = "Insert INTO mb_user (mb_user_name, mb_user_password,mb_user_owner, mb_user_description, mb_user_email, mb_user_phone, mb_user_department, mb_user_resolution) VALUES ";
-     $sql .= "('".$name."', ";
-     
-	if(SYS_DBTYPE == "mysql") {
-		$sql .= "password('".$password."')";
+	$sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = $1 ";
+	$v = array($name);
+	$t = array('s');
+	$res = db_prep_query($sql,$v,$t);
+	if(db_fetch_row($res)){
+		echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
 	}
-	else {
-		if (MD5 == 'false'){
-			$sql .= "'".$password."'";
-		}else{
-			$sql .= "md5('".$password."')";
-		}
+	else{
+		$sql = "Insert INTO mb_user (mb_user_name, mb_user_password,mb_user_owner, mb_user_description, ";
+		$sql .= "mb_user_email, mb_user_phone, mb_user_department, mb_user_resolution) VALUES ";
+		$sql.= "($1,$2,$3,$4,$5,$6,$7,$8)";	
+		$tmpPW = setPassword($password);
+		$v = array($name,$tmpPW,$owner_id,$description,$email,$phone,$department,$resolution);
+		$t = array('s','s','i','s','s','s','s','i');
+		$res = db_prep_query($sql,$v,$t);
+		$selected_user = db_insert_id($res,"mb_user","mb_user_id");
 	}
-	$sql.= ",".$owner_id.",'".$description."', '".$email."', '".$phone."', '".$department."', ".$resolution.");";
-     $res = db_query($sql);
-     $selected_user = db_insert_id($res,"mb_user","mb_user_id");
-   }
 }
 
 #update
 if($action == 'update'){
-   $sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = '".$name."' AND mb_user_id <> ".$selected_user;
-   $res = db_query($sql);
-   if(db_fetch_row($res)){
-      echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
-   }
-   else{
-     $sql = "UPDATE mb_user SET mb_user_name ='".$name."'";
-     if($password != ""){
-        $sql.=", mb_user_password = ";
-
-	     if (SYS_DBTYPE=="mysql"){
-	     	$sql.= "password('".$password."')";
-	     }else{
-			if (MD5 == 'false'){
-				$sql .= "'".$password."'";
-			}else{
-				$sql .= "md5('".$password."')";
-			}
-	     }
+	$sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = $1 AND mb_user_id <> $2";
+	$v = array($name,$selected_user);
+	$t = array('s','i');
+	$res = db_prep_query($sql,$v,$t);
+	if(db_fetch_row($res)){
+		echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
 	}
-     $sql.=", mb_user_description = '".$description."'";
-     $sql.=", mb_user_login_count = '".$login_count."'";
-     $sql.=", mb_user_email = '".$email."'";
-     $sql.=", mb_user_phone = '".$phone."'";
-     $sql.=", mb_user_department = '".$department."'";
-     $sql.=", mb_user_resolution = ".$resolution;
-     $sql.=" where mb_user_id = " . $selected_user;
-     $res = db_query($sql);
-		if($password && $res){
-			echo "<script language='JavaScript'>alert('Password has been updated successfully!');</script>";
+	else{
+		$sql = "UPDATE mb_user SET mb_user_name = $1";			
+		$sql.=", mb_user_description = $2";
+		$sql.=", mb_user_login_count = $3";
+		$sql.=", mb_user_email = $4";
+		$sql.=", mb_user_phone = $5";
+		$sql.=", mb_user_department = $6";
+		$sql.=", mb_user_resolution = $7";
+		$sql.=" where mb_user_id = $8";
+		$v = array($name,$description,$login_count,$email,$phone,$department,$resolution,$selected_user);
+		$t = array('s','s','i','s','s','s','i','i');     
+		$res = db_prep_query($sql,$v,$t);		
+		if($password != ''){
+			$sql = "UPDATE mb_user SET mb_user_password = $1 WHERE mb_user_name = $2 AND mb_user_id = $3";
+			$v = array(setPassword($password), $name, $selected_user);
+			$t = array('s','s','i');
+			$res = db_prep_query($sql,$v,$t);
+			if($password && $res){
+				echo "<script language='JavaScript'>alert('Password has been updated successfully!');</script>";
+			}	
 		}
-   }
+	}
 }
 if (!isset($name) || $selected_user == 'new'){
   $name = "";
@@ -184,7 +191,7 @@
 
 /*HTML*****************************************************************************************************/
 
-echo "<form name='form1' action='" . $PHP_SELF . "?".SID."' method='post'>";
+echo "<form name='form1' action='" . $self ."' method='post'>";
 echo "<table border='0'>";
 #User
 echo "<tr>";
@@ -213,8 +220,10 @@
 
 
 if(isset($selected_user) && $selected_user != 0){
-   $sql = "SELECT * FROM mb_user WHERE mb_user_id = ".$selected_user." ORDER BY mb_user_name ";
-   $res = db_query($sql);
+   $sql = "SELECT * FROM mb_user WHERE mb_user_id = $1 ORDER BY mb_user_name ";
+   $v = array($selected_user);
+   $t = array('i');
+   $res = db_prep_query($sql,$v,$t);
    if($row = db_fetch_array($res)){
       $name = $row["mb_user_name"];
       $password = $row["mb_user_password"];
@@ -226,8 +235,10 @@
       $department = $row["mb_user_department"];
       $resolution = $row["mb_user_resolution"];
    }
-   $sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = " . $owner_id;
-   $res = db_query($sql);
+   $sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = $1";
+   $v = array($owner_id);
+   $t = array('i');
+   $res = db_prep_query($sql,$v,$t);
    if($row = db_fetch_array($res)){
       $owner_name = $row["mb_user_name"];
    }
@@ -248,7 +259,7 @@
       if(isset($selected_user) && $selected_user != 'new'){
          echo $myPW;
       }
-      echo "'>";
+      echo "' >";
    echo "</td>";
 echo "</tr>";
 
@@ -261,6 +272,7 @@
    echo "</td>";
 echo "</tr>";
 
+
 #owner
 echo "<tr>";
    echo "<td>Owner: </td>";




More information about the Mapbender_commits mailing list