Enforce POST and validate input for profile forms
parent
f073fb621d
commit
841f1707eb
|
@ -1,132 +1,122 @@
|
||||||
<?php
|
<?php
|
||||||
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `iarstates` (`userID` VARCHAR(36) NOT NULL COLLATE 'utf8_unicode_ci', `filesize` BIGINT(20) NOT NULL DEFAULT '0', `iarfilename` VARCHAR(64) NOT NULL COLLATE 'utf8_unicode_ci', `running` INT(1) NOT NULL DEFAULT '0', PRIMARY KEY (`userID`) USING BTREE) COLLATE='utf8_unicode_ci' ENGINE=InnoDB;");
|
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `iarstates` (`userID` VARCHAR(36) NOT NULL COLLATE 'utf8_unicode_ci', `filesize` BIGINT(20) NOT NULL DEFAULT '0', `iarfilename` VARCHAR(64) NOT NULL COLLATE 'utf8_unicode_ci', `running` INT(1) NOT NULL DEFAULT '0', PRIMARY KEY (`userID`) USING BTREE) COLLATE='utf8_unicode_ci' ENGINE=InnoDB;");
|
||||||
$statement->execute();
|
$statement->execute();
|
||||||
|
|
||||||
|
//Prüfe ob IAR grade erstellt wird.
|
||||||
|
$statementIARCheck = $RUNTIME['PDO']->prepare('SELECT 1 FROM iarstates WHERE userID =:userID');
|
||||||
|
$statementIARCheck->execute(['userID' => $_SESSION['UUID']]);
|
||||||
|
$IARRUNNING = $statementIARCheck->rowCount() != 0;
|
||||||
|
$statementIARCheck->closeCursor();
|
||||||
|
|
||||||
|
if($_SERVER['REQUEST_METHOD'] == 'POST') {
|
||||||
|
include 'app/FormValidator.php';
|
||||||
|
|
||||||
|
if(isset($_POST['createIAR'])) {
|
||||||
|
$validator = new FormValidator(array()); // CSRF validation only
|
||||||
|
if($validator->isValid($_POST) && $IARRUNNING == FALSE) {
|
||||||
|
$iarname = md5(time().$_SESSION['UUID'] . rand()).".iar";
|
||||||
|
|
||||||
|
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", '<div class="alert alert-danger" role="alert">Deine IAR wird jetzt erstellt und der Download Link wird dir per PM zugesendet. '.$APIResult.'</div>');
|
||||||
|
$HTML->ReplaceSeitenInhalt("%%IARBUTTONSTATE%%", 'disabled');
|
||||||
|
|
||||||
|
$statementIARSTART = $RUNTIME['PDO']->prepare('INSERT INTO iarstates (userID, filesize, iarfilename) VALUES (:userID, :filesize, :iarfilename)');
|
||||||
|
$statementIARSTART->execute(['userID' => $_SESSION['UUID'], 'filesize' => 0, 'iarfilename' => $iarname]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if(isset($_POST['saveProfileData'])) {
|
||||||
|
$validator = new FormValidator(array(
|
||||||
|
'formInputFeldVorname' => array('regex' => '/[^\\/<>\s]{1,64}/'),
|
||||||
|
'formInputFeldNachname' => array('regex' => '/[^\\/<>\s]{1,64}/'),
|
||||||
|
'formInputFeldEMail' => array('regex' => '/\S{1,64}@\S{1,250}.\S{2,64}/'),
|
||||||
|
'formInputFeldOfflineIM' => array('regex' => '(|on)'),
|
||||||
|
'formInputFeldPartnerName' => array('regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/')
|
||||||
|
));
|
||||||
|
|
||||||
|
if($validator->isValid($_POST)) {
|
||||||
|
if(isset($_POST['formInputFeldVorname']) && $_POST['formInputFeldVorname'] != "") {
|
||||||
|
$NewFirstName = trim($_POST['formInputFeldVorname']);
|
||||||
|
|
||||||
|
if($NewFirstName != "" && $_SESSION['FIRSTNAME'] != $NewFirstName) {
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE UserAccounts SET FirstName = :FirstName WHERE PrincipalID = :PrincipalID');
|
||||||
|
$statement->execute(['FirstName' => $NewFirstName, 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
$_SESSION['FIRSTNAME'] = $NewFirstName;
|
||||||
|
$_SESSION['USERNAME'] = $_SESSION['FIRSTNAME']." ".$_SESSION['LASTNAME'];
|
||||||
|
$_SESSION['DISPLAYNAME'] = strtoupper($_SESSION['USERNAME']);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(isset($_POST['formInputFeldNachname']) && $_POST['formInputFeldNachname'] != "") {
|
||||||
|
$NewLastName = trim($_POST['formInputFeldNachname']);
|
||||||
|
|
||||||
|
if($NewLastName != "" && $_SESSION['LASTNAME'] != $NewLastName) {
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE UserAccounts SET LastName = :LastName WHERE PrincipalID = :PrincipalID');
|
||||||
|
$statement->execute(['LastName' => $NewLastName, 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
$_SESSION['LASTNAME'] = $NewLastName;
|
||||||
|
$_SESSION['USERNAME'] = $_SESSION['FIRSTNAME']." ".$_SESSION['LASTNAME'];
|
||||||
|
$_SESSION['DISPLAYNAME'] = strtoupper($_SESSION['USERNAME']);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(isset($_POST['formInputFeldEMail']) && $_POST['formInputFeldEMail'] != "") {
|
||||||
|
$NewEMail = trim($_POST['formInputFeldEMail']);
|
||||||
|
|
||||||
|
if($NewEMail != "" && $_SESSION['EMAIL'] != $NewEMail) {
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE UserAccounts SET Email = :Email WHERE PrincipalID = :PrincipalID');
|
||||||
|
$statement->execute(['Email' => $NewEMail, 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE usersettings SET email = :Email WHERE useruuid = :PrincipalID');
|
||||||
|
$statement->execute(['Email' => $NewEMail, 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
|
||||||
|
$_SESSION['EMAIL'] = $NewEMail;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(isset($_POST['formInputFeldOfflineIM']) && $_POST['formInputFeldOfflineIM'] == "on") {
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE usersettings SET imviaemail = :IMState WHERE useruuid = :PrincipalID');
|
||||||
|
$statement->execute(['IMState' => 'true', 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
} else {
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE usersettings SET imviaemail = :IMState WHERE useruuid = :PrincipalID');
|
||||||
|
$statement->execute(['IMState' => 'false', 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
}
|
||||||
|
|
||||||
|
include 'app/OpenSim.php';
|
||||||
|
$opensim = new OpenSim();
|
||||||
|
|
||||||
|
if(isset($_POST['formInputFeldPartnerName']) && $_POST['formInputFeldPartnerName'] != "") {
|
||||||
|
$NewPartner = trim($_POST['formInputFeldPartnerName']);
|
||||||
|
$CurrentPartner = $opensim->getPartner($_SESSION['UUID']);
|
||||||
|
|
||||||
|
if($CurrentPartner != "")$CurrentPartner = $opensim->getUserName($CurrentPartner);
|
||||||
|
|
||||||
|
if($NewPartner != "" && $CurrentPartner != $NewPartner) {
|
||||||
|
$newPartnerUUID = $opensim->getUserUUID($NewPartner);
|
||||||
|
|
||||||
|
if($newPartnerUUID != null) {
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE userprofile SET profilePartner = :profilePartner WHERE useruuid = :PrincipalID');
|
||||||
|
$statement->execute(['profilePartner' => $newPartnerUUID, 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
$statement = $RUNTIME['PDO']->prepare('UPDATE userprofile SET profilePartner = :profilePartner WHERE useruuid = :PrincipalID');
|
||||||
|
$statement->execute(['profilePartner' => '00000000-0000-0000-0000-000000000000', 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if(isset($_POST['savePassword'])) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
header('Location: index.php?page=profile');
|
||||||
|
die();
|
||||||
|
}
|
||||||
|
|
||||||
$HTML->setHTMLTitle("Dein Profile");
|
$HTML->setHTMLTitle("Dein Profile");
|
||||||
$HTML->importSeitenInhalt("profile.html");
|
$HTML->importSeitenInhalt("profile.html");
|
||||||
|
|
||||||
//Prüfe ob IAR grade erstellt wird.
|
if(!$IARRUNNING)
|
||||||
$IARRUNNING = FALSE;
|
|
||||||
|
|
||||||
$statementIARCheck = $RUNTIME['PDO']->prepare('SELECT 1 FROM iarstates WHERE userID =:userID');
|
|
||||||
$statementIARCheck->execute(['userID' => $_SESSION['UUID']]);
|
|
||||||
if($statementIARCheck->rowCount() != 0)
|
|
||||||
{
|
{
|
||||||
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", '<div class="alert alert-danger" role="alert">Aktuell wird eine IAR erstellt.<br>Warte bitte bis du eine PM bekommst.</div>');
|
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", '<div class="alert alert-danger" role="alert">Aktuell wird eine IAR erstellt.<br>Warte bitte bis du eine PM bekommst.</div>');
|
||||||
$HTML->ReplaceSeitenInhalt("%%IARBUTTONSTATE%%", 'disabled');
|
$HTML->ReplaceSeitenInhalt("%%IARBUTTONSTATE%%", 'disabled');
|
||||||
$IARRUNNING = TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(isset($_REQUEST['createIAR']))
|
|
||||||
{
|
|
||||||
if($IARRUNNING == FALSE)
|
|
||||||
{
|
|
||||||
$iarname = md5(time().$_SESSION['UUID'] . rand()).".iar";
|
|
||||||
|
|
||||||
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", '<div class="alert alert-danger" role="alert">Deine IAR wird jetzt erstellt und der Download Link wird dir per PM zugesendet. '.$APIResult.'</div>');
|
|
||||||
$HTML->ReplaceSeitenInhalt("%%IARBUTTONSTATE%%", 'disabled');
|
|
||||||
|
|
||||||
$statementIARSTART = $RUNTIME['PDO']->prepare('INSERT INTO iarstates (userID, filesize, iarfilename) VALUES (:userID, :filesize, :iarfilename)');
|
|
||||||
$statementIARSTART->execute(['userID' => $_SESSION['UUID'], 'filesize' => 0, 'iarfilename' => $iarname]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if(isset($_REQUEST['formInputFeldVorname']) && $_REQUEST['formInputFeldVorname'] != "")
|
|
||||||
{
|
|
||||||
$NewFirstName = trim($_REQUEST['formInputFeldVorname']);
|
|
||||||
|
|
||||||
if($NewFirstName != "")
|
|
||||||
{
|
|
||||||
if($_SESSION['FIRSTNAME'] != $NewFirstName)
|
|
||||||
{
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE UserAccounts SET FirstName = :FirstName WHERE PrincipalID = :PrincipalID');
|
|
||||||
$statement->execute(['FirstName' => $NewFirstName, 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
$_SESSION['FIRSTNAME'] = $NewFirstName;
|
|
||||||
$_SESSION['USERNAME'] = $_SESSION['FIRSTNAME']." ".$_SESSION['LASTNAME'];
|
|
||||||
$_SESSION['DISPLAYNAME'] = strtoupper($_SESSION['USERNAME']);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if(isset($_REQUEST['formInputFeldNachname']) && $_REQUEST['formInputFeldNachname'] != "")
|
|
||||||
{
|
|
||||||
$NewLastName = trim($_REQUEST['formInputFeldNachname']);
|
|
||||||
|
|
||||||
if($NewLastName != "")
|
|
||||||
{
|
|
||||||
if($_SESSION['LASTNAME'] != $NewLastName)
|
|
||||||
{
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE UserAccounts SET LastName = :LastName WHERE PrincipalID = :PrincipalID');
|
|
||||||
$statement->execute(['LastName' => $NewLastName, 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
$_SESSION['LASTNAME'] = $NewLastName;
|
|
||||||
$_SESSION['USERNAME'] = $_SESSION['FIRSTNAME']." ".$_SESSION['LASTNAME'];
|
|
||||||
$_SESSION['DISPLAYNAME'] = strtoupper($_SESSION['USERNAME']);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if(isset($_REQUEST['formInputFeldEMail']) && $_REQUEST['formInputFeldEMail'] != "")
|
|
||||||
{
|
|
||||||
$NewEMail = trim($_REQUEST['formInputFeldEMail']);
|
|
||||||
|
|
||||||
if($NewEMail != "")
|
|
||||||
{
|
|
||||||
if($_SESSION['EMAIL'] != $NewEMail)
|
|
||||||
{
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE UserAccounts SET Email = :Email WHERE PrincipalID = :PrincipalID');
|
|
||||||
$statement->execute(['Email' => $NewEMail, 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE usersettings SET email = :Email WHERE useruuid = :PrincipalID');
|
|
||||||
$statement->execute(['Email' => $NewEMail, 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
|
|
||||||
$_SESSION['EMAIL'] = $NewEMail;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if(isset($_REQUEST['formInputFeldOfflineIM']) && $_REQUEST['formInputFeldOfflineIM'] != "")
|
|
||||||
{
|
|
||||||
$NewOfflineIM = trim($_REQUEST['formInputFeldOfflineIM']);
|
|
||||||
|
|
||||||
if($NewOfflineIM != "")
|
|
||||||
{
|
|
||||||
if($NewOfflineIM == "on" || $NewOfflineIM == "true")
|
|
||||||
{
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE usersettings SET imviaemail = :IMState WHERE useruuid = :PrincipalID');
|
|
||||||
$statement->execute(['IMState' => 'true', 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}else if(!isset($_REQUEST['formInputFeldOfflineIM']) && isset($_REQUEST['saveProfileData'])){
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE usersettings SET imviaemail = :IMState WHERE useruuid = :PrincipalID');
|
|
||||||
$statement->execute(['IMState' => 'false', 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
}
|
|
||||||
|
|
||||||
include 'app/OpenSim.php';
|
|
||||||
$opensim = new OpenSim();
|
|
||||||
|
|
||||||
if(isset($_REQUEST['formInputFeldPartnerName']) && $_REQUEST['formInputFeldPartnerName'] != "")
|
|
||||||
{
|
|
||||||
$NewPartner = trim($_REQUEST['formInputFeldPartnerName']);
|
|
||||||
$CurrentPartner = $opensim->getPartner($_SESSION['UUID']);
|
|
||||||
|
|
||||||
if($CurrentPartner != "")$CurrentPartner = $opensim->getUserName($CurrentPartner);
|
|
||||||
|
|
||||||
if($NewPartner != "")
|
|
||||||
{
|
|
||||||
if($CurrentPartner != $NewPartner)
|
|
||||||
{
|
|
||||||
$newPartnerUUID = $opensim->getUserUUID($NewPartner);
|
|
||||||
|
|
||||||
if($newPartnerUUID != null)
|
|
||||||
{
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE userprofile SET profilePartner = :profilePartner WHERE useruuid = :PrincipalID');
|
|
||||||
$statement->execute(['profilePartner' => $newPartnerUUID, 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}else{
|
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE userprofile SET profilePartner = :profilePartner WHERE useruuid = :PrincipalID');
|
|
||||||
$statement->execute(['profilePartner' => '00000000-0000-0000-0000-000000000000', 'PrincipalID' => $_SESSION['UUID']]);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$statementLocalUsers = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName FROM UserAccounts ORDER BY PrincipalID ASC");
|
$statementLocalUsers = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName FROM UserAccounts ORDER BY PrincipalID ASC");
|
||||||
|
|
Loading…
Reference in New Issue