From: Jon O. <jon...@us...> - 2006-06-17 20:47:46
Update of /cvsroot/mxbb/mx_import_tools/includes In directory sc8-pr-cvs7.sourceforge.net:/tmp/cvs-serv5214/modules/mx_import_tools/includes Modified Files: functions_mod_user.php Log Message: security Index: functions_mod_user.php =================================================================== RCS file: /cvsroot/mxbb/mx_import_tools/includes/functions_mod_user.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** functions_mod_user.php 5 Apr 2006 22:33:30 -0000 1.5 --- functions_mod_user.php 17 Jun 2006 20:47:43 -0000 1.6 *************** *** 8,12 **** * */ ! include_once( $phpbb_root_path . 'includes/functions_validate.' . $phpEx ); include_once( $phpbb_root_path . 'includes/functions_post.' . $phpEx ); --- 8,17 ---- * */ ! ! if( !defined('IN_PORTAL') ) ! { ! die("Hacking attempt"); ! } ! include_once( $phpbb_root_path . 'includes/functions_validate.' . $phpEx ); include_once( $phpbb_root_path . 'includes/functions_post.' . $phpEx ); *************** *** 14,18 **** class user ! { // These are the 3 critical values for any user var $username; --- 19,23 ---- class user ! { // These are the 3 critical values for any user var $username; *************** *** 20,30 **** var $user_email; ! var $user_id; // The remaining userdata fields are stored in an array ! var $user_fields; // This stores details of any usergroups that the user should be in ! var $groups; // The constructor for this class ! // The password must be in MD5 format, but we'll handle escaping any special // characters in any field within the function --- 25,35 ---- var $user_email; ! var $user_id; // The remaining userdata fields are stored in an array ! var $user_fields; // This stores details of any usergroups that the user should be in ! var $groups; // The constructor for this class ! 
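Review bot: The new `if( !defined('IN_PORTAL') ) { die("Hacking attempt"); }` guard carries no comment saying what it defends against, and the log message is only "security"; since the two `include_once( $phpbb_root_path . '...' . $phpEx )` lines directly below it build include paths from globals, the reader should be told that the guard exists to stop this file being requested directly, where those globals are not set by trusted portal code. Suggest adding above the `if`: `// Deny direct requests: outside the portal $phpbb_root_path / $phpEx below are not set by trusted code, so the include_once() paths could be attacker-influenced (e.g. under register_globals)`. The guard only protects this one file; whether the other includes in this directory carry the same check cannot be seen from this diff and is worth verifying. Keeping the `die("Hacking attempt")` wording is fine as it matches the phpBB-style convention the rest of the tree appears to follow.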
// The password must be in MD5 format, but we'll handle escaping any special // characters in any field within the function *************** *** 37,41 **** $this->user_email = $this->sql_escape( $email ); ! $this->user_id = ''; // Now we need to set the remaining fields to some default values // If you wish to integrate with another MOD, you should add any initilization --- 42,46 ---- $this->user_email = $this->sql_escape( $email ); ! $this->user_id = ''; // Now we need to set the remaining fields to some default values // If you wish to integrate with another MOD, you should add any initilization *************** *** 68,76 **** $this->user_fields['user_style'] = $board_config['default_style']; $this->user_fields['user_level'] = USER; ! $this->user_fields['user_posts'] = 0; // addon entries $this->user_fields['user_realname'] = $name; $this->user_fields['user_list_option'] = '0110000000100000000000000000101'; ! } // This function escapes any special characters in a string to allow for safe // use in the SQL query. It is used in the constructor and should be used on --- 73,81 ---- $this->user_fields['user_style'] = $board_config['default_style']; $this->user_fields['user_level'] = USER; ! $this->user_fields['user_posts'] = 0; // addon entries $this->user_fields['user_realname'] = $name; $this->user_fields['user_list_option'] = '0110000000100000000000000000101'; ! } // This function escapes any special characters in a string to allow for safe // use in the SQL query. It is used in the constructor and should be used on *************** *** 79,91 **** { return str_replace( "\'", "''", addslashes( $data ) ); ! } // This function is used to set any of the user fields if you do not want to // use the default values. Any field listed in the array in this function // will have special characters escaped function set_field( $field_name, $data ) ! 
{ // It's not the most efficient, but we escape everything just to be safe $this->user_fields[$field_name] = $this->sql_escape( $data ); ! } // This function allows you to set a specific user_id for this user // You should only call this if you know that the user_id you are specifying --- 84,96 ---- { return str_replace( "\'", "''", addslashes( $data ) ); ! } // This function is used to set any of the user fields if you do not want to // use the default values. Any field listed in the array in this function // will have special characters escaped function set_field( $field_name, $data ) ! { // It's not the most efficient, but we escape everything just to be safe $this->user_fields[$field_name] = $this->sql_escape( $data ); ! } // This function allows you to set a specific user_id for this user // You should only call this if you know that the user_id you are specifying *************** *** 95,99 **** { $this->user_id = intval( $id ); ! } // This function returns the user_id of the user. // It is only really useful after the call to insert_user() --- 100,104 ---- { $this->user_id = intval( $id ); ! } // This function returns the user_id of the user. // It is only really useful after the call to insert_user() *************** *** 101,105 **** { return $this->user_id; ! } // This function is used to set any usergroups the user should be added to // upon registration. --- 106,110 ---- { return $this->user_id; ! } // This function is used to set any usergroups the user should be added to // upon registration. *************** *** 108,124 **** { $this->groups[] = $group_id; ! } // This function validates the userdata to ensure that the user can be inserted // into the database. It checks for duplicate usernames, disallowed usernames, // invalid email addresses and disallowed email addresses ! // Returns true if the user can be inserted, false otherwise function validate_user() { $return_msg = array(); ! 
$return_msg['is_ok'] = true; $return_msg['username_ok'] = true; $return_msg['mail_ok'] = true; ! $name_check = validate_username( stripslashes( str_replace( "''", "\'", $this->username ) ) ); if ( $name_check['error'] ) --- 113,129 ---- { $this->groups[] = $group_id; ! } // This function validates the userdata to ensure that the user can be inserted // into the database. It checks for duplicate usernames, disallowed usernames, // invalid email addresses and disallowed email addresses ! // Returns true if the user can be inserted, false otherwise function validate_user() { $return_msg = array(); ! $return_msg['is_ok'] = true; $return_msg['username_ok'] = true; $return_msg['mail_ok'] = true; ! $name_check = validate_username( stripslashes( str_replace( "''", "\'", $this->username ) ) ); if ( $name_check['error'] ) *************** *** 137,151 **** } return $return_msg; ! } // This is the function which actually inserts the user into the database ! // NB. This function does not validate the user allowing you to register names // and email addresses which might otherwise be disallowed, if you want to // validate the data you should call validate_user() first ! // Returns true on success, false otherwise function insert_user() { ! global $db; // Get the user_id if one has not already been set if ( $this->user_id == '' ) --- 142,156 ---- } return $return_msg; ! } // This is the function which actually inserts the user into the database ! // NB. This function does not validate the user allowing you to register names // and email addresses which might otherwise be disallowed, if you want to // validate the data you should call validate_user() first ! // Returns true on success, false otherwise function insert_user() { ! global $db; // Get the user_id if one has not already been set if ( $this->user_id == '' ) *************** *** 163,182 **** } $this->user_id = $row['total'] + 1; ! } // Build the main SQL query $sql = "INSERT INTO " . USERS_TABLE . 
" (user_id, username, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_sig_bbcode_uid, user_avatar, user_avatar_type, user_viewemail, user_aim, user_yim, user_msnm, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_viewonline, user_notify, user_notify_pm, user_popup_pm, user_timezone, user_dateformat, user_lang, user_style, user_level, user_allow_pm, user_active, user_actkey, user_posts, user_realname) "; ! $sql .= "VALUES (" . $this->user_id . ", '" . $this->username . "', '" . $this->user_fields['user_regdate'] . "', '" . $this->user_password . "', '" . $this->user_email . "', '" . $this->user_fields['user_icq'] . "', '" . $this->user_fields['user_website'] . "', '" . $this->user_fields['user_occ'] . "', '" . $this->user_fields['user_from'] . "', '" . $this->user_fields['user_interests'] . "', '" . $this->user_fields['user_sig'] . "', '" . $this->user_fields['user_sig_bbcode_uid'] . "', '" . $this->user_fields['user_avatar'] . "', '" . $this->user_fields['user_avatar_type'] . "', " . $this->user_fields['user_viewemail'] . ", '" . str_replace( ' ', '+', $this->user_fields['user_aim'] ) . "', '" . $this->user_fields['user_yim'] . "', '" . $this->user_fields['user_msnm'] . "', " . $this->user_fields['user_attachsig'] . ", " . $this->user_fields['user_allowsmile'] . ", " . $this->user_fields['user_allowhtml'] . ", " . $this->user_fields['user_allowbbcode'] . ", " . $this->user_fields['user_allow_viewonline'] . ", " . $this->user_fields['user_notify'] . ", " . $this->user_fields['user_notify_pm'] . ", " . $this->user_fields['user_popup_pm'] . ", " . $this->user_fields['user_timezone'] . ", '" . $this->user_fields['user_dateformat'] . "', '" . $this->user_fields['user_lang'] . "', " . $this->user_fields['user_style'] . ", " . $this->user_fields['user_level'] . ", 1, 1, '', '" . $this->user_fields['user_posts'] . "', '" . $this->user_fields['user_realname'] . "')"; ! 
// Insert the user ! if ( !( $result = $db->sql_query( $sql, BEGIN_TRANSACTION ) ) ) { $error = true; ! } ! // Insert the personal group $sql = "INSERT INTO " . GROUPS_TABLE . " (group_name, group_description, group_single_user, group_moderator) VALUES ('', 'Personal User', 1, 0)"; ! if ( !( $result = $db->sql_query( $sql ) ) ) { --- 168,187 ---- } $this->user_id = $row['total'] + 1; ! } // Build the main SQL query $sql = "INSERT INTO " . USERS_TABLE . " (user_id, username, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_sig_bbcode_uid, user_avatar, user_avatar_type, user_viewemail, user_aim, user_yim, user_msnm, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_viewonline, user_notify, user_notify_pm, user_popup_pm, user_timezone, user_dateformat, user_lang, user_style, user_level, user_allow_pm, user_active, user_actkey, user_posts, user_realname) "; ! $sql .= "VALUES (" . $this->user_id . ", '" . $this->username . "', '" . $this->user_fields['user_regdate'] . "', '" . $this->user_password . "', '" . $this->user_email . "', '" . $this->user_fields['user_icq'] . "', '" . $this->user_fields['user_website'] . "', '" . $this->user_fields['user_occ'] . "', '" . $this->user_fields['user_from'] . "', '" . $this->user_fields['user_interests'] . "', '" . $this->user_fields['user_sig'] . "', '" . $this->user_fields['user_sig_bbcode_uid'] . "', '" . $this->user_fields['user_avatar'] . "', '" . $this->user_fields['user_avatar_type'] . "', " . $this->user_fields['user_viewemail'] . ", '" . str_replace( ' ', '+', $this->user_fields['user_aim'] ) . "', '" . $this->user_fields['user_yim'] . "', '" . $this->user_fields['user_msnm'] . "', " . $this->user_fields['user_attachsig'] . ", " . $this->user_fields['user_allowsmile'] . ", " . $this->user_fields['user_allowhtml'] . ", " . $this->user_fields['user_allowbbcode'] . ", " . $this->user_fields['user_allow_viewonline'] . ", " . 
$this->user_fields['user_notify'] . ", " . $this->user_fields['user_notify_pm'] . ", " . $this->user_fields['user_popup_pm'] . ", " . $this->user_fields['user_timezone'] . ", '" . $this->user_fields['user_dateformat'] . "', '" . $this->user_fields['user_lang'] . "', " . $this->user_fields['user_style'] . ", " . $this->user_fields['user_level'] . ", 1, 1, '', '" . $this->user_fields['user_posts'] . "', '" . $this->user_fields['user_realname'] . "')"; ! // Insert the user ! if ( !( $result = $db->sql_query( $sql, BEGIN_TRANSACTION ) ) ) { $error = true; ! } ! // Insert the personal group $sql = "INSERT INTO " . GROUPS_TABLE . " (group_name, group_description, group_single_user, group_moderator) VALUES ('', 'Personal User', 1, 0)"; ! if ( !( $result = $db->sql_query( $sql ) ) ) { *************** *** 184,190 **** $error = true; } - ! $group_id = $db->sql_nextid(); // Insert the user_group entry --- 189,195 ---- $error = true; } ! ! $group_id = $db->sql_nextid(); // Insert the user_group entry *************** *** 195,199 **** echo('error - couldn\'t insert user group: ' . $this->username ); $error = true; ! } // Add the user to any applicable groups --- 200,204 ---- echo('error - couldn\'t insert user group: ' . $this->username ); $error = true; ! } // Add the user to any applicable groups *************** *** 208,212 **** } } ! return ( $error == true ) ? false : true; } --- 213,217 ---- } } ! return ( $error == true ) ? false : true; } *************** *** 215,219 **** function move_user() { ! global $db; // Get the user_id if one has not already been set if ( $this->user_id == '' ) --- 220,224 ---- function move_user() { ! global $db; // Get the user_id if one has not already been set if ( $this->user_id == '' ) *************** *** 233,237 **** } $this->user_id = $row['user_id']; ! } // Add the user to any applicable groups --- 238,242 ---- } $this->user_id = $row['user_id']; ! 
} // Add the user to any applicable groups *************** *** 244,248 **** $sql = "SELECT * FROM " . USER_GROUP_TABLE . " ! WHERE user_id = '" . $this->user_id . "' AND group_id = '" . $this->groups[$i] . "'" ; --- 249,253 ---- $sql = "SELECT * FROM " . USER_GROUP_TABLE . " ! WHERE user_id = '" . $this->user_id . "' AND group_id = '" . $this->groups[$i] . "'" ; *************** *** 270,274 **** } } ! return ( $error == true ) ? false : true; } --- 275,279 ---- } } ! return ( $error == true ) ? false : true; } *************** *** 277,281 **** function update_user() { ! global $db; // Get the user_id if one has not already been set if ( $this->user_id == '' ) --- 282,286 ---- function update_user() { ! global $db; // Get the user_id if one has not already been set if ( $this->user_id == '' ) *************** *** 295,299 **** } $this->user_id = $row['user_id']; ! } $sql = "UPDATE " . USERS_TABLE . " --- 300,304 ---- } $this->user_id = $row['user_id']; ! } $sql = "UPDATE " . USERS_TABLE . " *************** *** 309,314 **** { $error = true; ! } ! return ( $error == true ) ? false : true; } --- 314,319 ---- { $error = true; ! } ! return ( $error == true ) ? false : true; } |