-
Notifications
You must be signed in to change notification settings - Fork 0
/
users.php
184 lines (170 loc) · 7.3 KB
/
users.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
<?php
require('includes/application_top.php');
include('includes/classes/class.formvalidation.php');
if (!$user->is_admin) {
header('Location: ./');
exit;
}
$action = $_GET['action'];
switch ($action) {
case 'add_action':
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$userName = $_POST['userName'];
$userID = (int)$_POST['userID'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$my_form = new validator;
if($my_form->checkEmail($_POST['email'])) { // check for good mail
if ($my_form->validate_fields('firstname,lastname,email,userName,password')) { // comma delimited list of the required form fields
if ($password == $password2) {
//check that username does not already exist
$username = $mysqli->real_escape_string(str_replace(' ', '_', $_POST['username']));
$sql = "SELECT userName FROM " . DB_PREFIX . "users WHERE userName='".$userName."';";
$query = $mysqli->query($sql);
if ($query->num_rows == 0) {
//form is valid, perform insert
$salt = substr($crypto->encrypt((uniqid(mt_rand(), true))), 0, 10);
$secure_password = $crypto->encrypt($salt . $crypto->encrypt($password));
$sql = "INSERT INTO " . DB_PREFIX . "users (userName, password, salt, firstname, lastname, email, status)
VALUES ('".$userName."', '".$secure_password."', '".$salt."', '".$firstname."', '".$lastname."', '".$email."', 1);";
$mysqli->query($sql) or die($mysqli->error);
$display = '<div class="responseOk">User ' . $userName . ' Updated</div><br/>';
} else {
$display = '<div class="responseError">User already exists, please try another username.</div><br/>';
}
} else {
$display = '<div class="responseError">Passwords do not match, please try again.</div><br/>';
}
} else {
$display = '<div class="responseError">' . $my_form->error . '</div><br/>';
}
} else {
$display = '<div class="responseError">Invalid email address, please try again.</div><br/>';
}
$action = 'add';
break;
case 'edit_action':
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$userName = $_POST['userName'];
$userID = (int)$_POST['userID'];
$my_form = new validator;
if($my_form->checkEmail($_POST['email'])) { // check for good mail
if ($my_form->validate_fields('firstname,lastname,email,userName')) { // comma delimited list of the required form fields
//form is valid, perform update
$sql = "update " . DB_PREFIX . "users ";
$sql .= "set firstname = '" . $firstname . "', lastname = '" . $lastname . "', email = '" . $email . "', userName = '" . $userName . "' ";
$sql .= "where userID = " . $userID . ";";
$mysqli->query($sql) or die('error updating user');
$display = '<div class="responseOk">User ' . $userName . ' Updated</div><br/>';
/*
if ($_POST['password'] == $_POST['password2']) {
} else {
$display = '<div class="responseError">Passwords do not match, please try again.</div><br/>';
}*/
} else {
$display = '<div class="responseError">' . $my_form->error . '</div><br/>';
}
} else {
$display = '<div class="responseError">Invalid email address, please try again.</div><br/>';
}
$action = 'edit';
break;
case 'delete':
$sql = "delete from " . DB_PREFIX . "users where userID = " . (int)$_GET['id'];
$mysqli->query($sql) or die('error deleting user: ' . $sql);
$sql = "delete from " . DB_PREFIX . "picks where userID = " . (int)$_GET['id'];
$mysqli->query($sql) or die('error deleting user picks: ' . $sql);
$sql = "delete from " . DB_PREFIX . "picksummary where userID = " . (int)$_GET['id'];
$mysqli->query($sql) or die('error deleting user picks summary: ' . $sql);
header('Location: ' . $_SERVER['PHP_SELF']);
exit;
break;
default:
$userID = $_GET['id'];
break;
}
include('includes/header.php');
if ($action == 'add' || $action == 'edit') {
//display add/edit screen
if ($action == 'edit' && sizeof($_POST) == 0) {
$sql = "select * from " . DB_PREFIX . "users where userID = " . $userID;
$query = $mysqli->query($sql);
if ($query->num_rows > 0) {
$row = $query->fetch_assoc();
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$email = $row['email'];
$userName = $row['userName'];
} else {
header('Location: ' . $_SERVER['PHP_SELF']);
exit;
}
}
?>
<h1><?php echo ucfirst($action); ?> User</h1>
<?php
if(isset($display)) {
echo $display;
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>?action=<?php echo $action; ?>_action" method="post" name="addedituser">
<input type="hidden" name="userID" value="<?php echo $userID; ?>" />
<p>First Name:<br />
<input type="text" name="firstname" value="<?php echo $firstname; ?>"></p>
<p>Last Name:<br />
<input type="text" name="lastname" value="<?php echo $lastname; ?>"></p>
<p>Email:<br />
<input type="text" name="email" value="<?php echo $email; ?>" size="30"></p>
<p>User Name:<br />
<input type="text" name="userName" value="<?php echo $userName; ?>"></p>
<?php if ($action == 'add') { ?>
<p>Password:<br />
<input type="password" name="password" value=""></p>
<p>Confirm Password:<br />
<input type="password" name="password2" value=""></p>
<?php } ?>
<p><input type="submit" name="action" value="Submit" class="btn btn-info" /></p>
</form>
<?php
} else {
//display listing
?>
<h1>Update Users</h1>
<p><a href="<?php echo $_SERVER['PHP_SELF']; ?>?action=add&week=<?php echo $week; ?>"><img src="images/icons/add_16x16.png" width="16" height="16" alt="Add Game" /></a> <a href="<?php echo $_SERVER['PHP_SELF']; ?>?action=add">Add User</a></p>
<div class="table-responsive">
<?php
$sql = "select * from " . DB_PREFIX . "users order by lastname, firstname";
$query = $mysqli->query($sql);
if ($query->num_rows > 0) {
echo '<table class="table table-striped">' . "\n";
echo ' <tr><th align="left">Username</th><th align="left">Name</th><th align="left">Email</th><th>Status</th><th> </th></tr>' . "\n";
$i = 0;
while ($row = $query->fetch_assoc()) {
$rowclass = (($i % 2 == 0) ? ' class="altrow"' : '');
echo ' <tr' . $rowclass . '>' . "\n";
echo ' <td>' . $row['userName'] . '</td>' . "\n";
echo ' <td>' . $row['lastname'] . ', ' . $row['firstname'] . '</td>' . "\n";
echo ' <td>' . $row['email'] . '</td>' . "\n";
echo ' <td align="center"><img src="images/icons/' . (($row['status']) ? 'check_16x16.png' : 'cross_16x16.png') . '" width="16" height="16" alt="status" /></td>' . "\n";
echo ' <td><a href="' . $_SERVER['PHP_SELF'] . '?action=edit&id=' . $row['userID'] . '"><img src="images/icons/edit_16x16.png" width="16" height="16" alt="edit" /></a> <a href="javascript:confirmDelete(\'' . $row['userID'] . '\');"><img src="images/icons/delete_16x16.png" width="16" height="16" alt="delete" /></a></td>' . "\n";
echo ' </tr>' . "\n";
$i++;
}
echo '</table>' . "\n";
}
}
?>
<script type="text/javascript">
function confirmDelete(id) {
//confirm delete
if (confirm('Are you sure you want to delete? This action cannot be undone.')) {
location.href = "<?php echo $_SERVER['PHP_SELF']; ?>?action=delete&id=" + id;
}
}
</script>
<?php
include('includes/footer.php');