inc/users.inc.php
changeset 65 ce1c4d5e1576
parent 58 78558a77131e
child 67 2f8c29fc5e2e
64:dab0e9deeb67 65:ce1c4d5e1576
    27  * return values: an array with all users in it.
    27  * return values: an array with all users in it.
    28  */
    28  */
    29 function show_users($id='',$rowstart=0,$rowamount=9999999)
    29 function show_users($id='',$rowstart=0,$rowamount=9999999)
    30 {
    30 {
    31  	global $db;
    31  	global $db;
       
    32 	$add = '';
    32  	if(is_numeric($id))
    33  	if(is_numeric($id))
    33  	{
    34  	{
    34                  //When a user id is given, it is excluded from the userlist returned.
    35                  //When a user id is given, it is excluded from the userlist returned.
    35                  $add = " WHERE users.id!=$id";
    36                  $add = " WHERE users.id!=".$db->quote($id);
    36 	}
    37 	}
    37 
    38 
    38 	// Make a huge query.
    39 	// Make a huge query.
    39 	$sqlq = "SELECT users.id AS id,
    40 	$sqlq = "SELECT users.id AS id,
    40 		users.username AS username,
    41 		users.username AS username,
    52 			users.email,
    53 			users.email,
    53 			users.description,
    54 			users.description,
    54 			users.level,
    55 			users.level,
    55 			users.active
    56 			users.active
    56 		ORDER BY
    57 		ORDER BY
    57 			users.fullname
    58 			users.fullname";
    58 	 	LIMIT $rowamount OFFSET $rowstart";
       
    59 
    59 
    60 	// Execute the huge query.
    60 	// Execute the huge query.
       
    61 	$db->setLimit($rowstart, $rowamount);
    61 	$result = $db->query($sqlq);
    62 	$result = $db->query($sqlq);
    62 	$ret = array();
    63 	$ret = array();
    63 	$retcount = 0;
    64 	$retcount = 0;
    64 	while ($r = $result->fetchRow())
    65 	while ($r = $result->fetchRow())
    65 	{
    66 	{
    85  function is_valid_user($id)
    86  function is_valid_user($id)
    86 {
    87 {
    87 	global $db;
    88 	global $db;
    88 	if(is_numeric($id))
    89 	if(is_numeric($id))
    89 	{
    90 	{
    90 		$result = $db->query("SELECT id FROM users WHERE id=$id");
    91 		$result = $db->query("SELECT id FROM users WHERE id=".$db->quote($id));
    91 		if ($result->numRows() == 1)
    92 		if ($result->numRows() == 1)
    92 		{
    93 		{
    93 			return true;
    94 			return true;
    94 		}
    95 		}
    95 		else
    96 		else
   132  * return values: true if exists, false if not.
   133  * return values: true if exists, false if not.
   133  */
   134  */
   134 function user_exists($user)
   135 function user_exists($user)
   135 {
   136 {
   136 	global $db;
   137 	global $db;
   137 	$result = $db->query("SELECT id FROM users WHERE username='$user'");
   138 	$result = $db->query("SELECT id FROM users WHERE username=".$db->quote($user));
   138 	if ($result->numRows() == 0)
   139 	if ($result->numRows() == 0)
   139 	{
   140 	{
   140                  return false;
   141                  return false;
   141 	}
   142 	}
   142 	elseif($result->numRows() == 1)
   143 	elseif($result->numRows() == 1)
   157 function get_user_info($id)
   158 function get_user_info($id)
   158 {
   159 {
   159 	global $db;
   160 	global $db;
   160 	if (is_numeric($id))
   161 	if (is_numeric($id))
   161 	{
   162 	{
   162 		$result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=$id");
   163 		$result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=".$db->quote($id));
   163 		$r = $result->fetchRow();
   164 		$r = $result->fetchRow();
   164 		return $r;
   165 		return $r;
   165 	}
   166 	}
   166 	else
   167 	else
   167 	{
   168 	{
   181 	{
   182 	{
   182 		error(ERR_LEVEL_10);
   183 		error(ERR_LEVEL_10);
   183 	}
   184 	}
   184 	if (is_numeric($id))
   185 	if (is_numeric($id))
   185 	{
   186 	{
   186         	$db->query("DELETE FROM users WHERE id=$id");
   187         	$db->query("DELETE FROM users WHERE id=".$db->quote($id));
   187         	$db->query("DELETE FROM zones WHERE owner=$id");
   188         	$db->query("DELETE FROM zones WHERE owner=".$db->quote($id));
   188         	return true;
   189         	return true;
   189         	// No need to check the affected rows. If the affected rows would be 0,
   190         	// No need to check the affected rows. If the affected rows would be 0,
   190         	// the user isnt in the dbase, just as we want.
   191         	// the user isnt in the dbase, just as we want.
   191         }
   192         }
   192 	else
   193 	else
   207 	{
   208 	{
   208 		error(ERR_LEVEL_10);
   209 		error(ERR_LEVEL_10);
   209 	}
   210 	}
   210 	if (!user_exists($user))
   211 	if (!user_exists($user))
   211 	{
   212 	{
   212 		// Might have to be changed.
   213 		if (!is_valid_email($email)) 
   213 		// TODO probably.
   214 		{
   214 		$description = mysql_escape_string($description);
   215 			error(ERR_INV_EMAIL);
   215 
   216 		}
   216 		// Clean up the fullname
   217 
   217 		$fullname = mysql_escape_string($fullname);
   218 		$db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES (".$db->quote($user).", '" . md5($password) . "', ".$db->quote($fullname).", ".$db->quote($email).", ".$db->quote($description).", ".$db->quote($level).", ".$db->quote($active).")");
   218 		is_valid_email($email);
       
   219 
       
   220 		$db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES ('$user', '" . md5($password) . "', '$fullname', '$email', '$description', '$level', '$active')");
       
   221 		return true;
   219 		return true;
   222 	}
   220 	}
   223 	else
   221 	else
   224 	{
   222 	{
   225 		error(ERR_USER_EXISTS);
   223 		error(ERR_USER_EXISTS);
   236 	global $db;
   234 	global $db;
   237 	if(!level(10)) {
   235 	if(!level(10)) {
   238 		error(ERR_LEVEL_10);
   236 		error(ERR_LEVEL_10);
   239 	}
   237 	}
   240 
   238 
   241   	// Might have to be changed.
   239 	if (!is_valid_email($email)) 
   242   	// TODO
   240 	{
   243 	$description = mysql_escape_string($description);
   241 		error(ERR_INV_EMAIL);
   244 	$fullname = mysql_escape_string($fullname);
   242 	}
   245 	is_valid_email($email);
   243 
   246 
   244 	$sqlquery = "UPDATE users set username=".$db->quote($user).", fullname=".$db->quote($fullname).", email=".$db->quote($email).", level=".$db->quote($level).", description=".$db->quote($description).", active=".$db->quote($active);
   247 	$sqlquery = "UPDATE users set username='$user', fullname='$fullname', email='$email', level=$level, description='$description', active=$active ";
       
   248 
   245 
   249 	if($password != "")
   246 	if($password != "")
   250 	{
   247 	{
   251 		$sqlquery .= ", password= '" . md5($password) . "' ";
   248 		$sqlquery .= ", password= '" . md5($password) . "' ";
   252 	}
   249 	}
   253 
   250 
   254 	$sqlquery .= "where id=$id" ;
   251 	$sqlquery .= " WHERE id=".$db->quote($id) ;
   255 
   252 
   256   	// Search the username that right now goes with this ID.
   253   	// Search the username that right now goes with this ID.
   257 	$result = $db->query("SELECT username from users where id=$id");
   254 	$result = $db->query("SELECT username from users where id=".$db->quote($id));
   258 	$r = array();
   255 	$r = array();
   259 	$r = $result->fetchRow();
   256 	$r = $result->fetchRow();
   260 
   257 
   261   	// If the found username with this ID is the given username with the command.. execute.
   258   	// If the found username with this ID is the given username with the command.. execute.
   262 
   259 
   266   		return true;
   263   		return true;
   267   	}
   264   	}
   268 
   265 
   269   	// Its not.. so the user wants to change.
   266   	// Its not.. so the user wants to change.
   270   	// Find if there is an id that has the wished username.
   267   	// Find if there is an id that has the wished username.
   271   	$otheruser = $db->query("SELECT id from users where username='$user'");
   268   	$otheruser = $db->query("SELECT id from users where username=".$db->query($user));
   272   	if($otheruser->numRows() > 0)
   269   	if($otheruser->numRows() > 0)
   273   	{
   270   	{
   274   		error(ERR_USER_EXIST);
   271   		error(ERR_USER_EXIST);
   275   	}
   272   	}
   276 
   273 
   297 	{
   294 	{
   298 		error(ERR_USER_MATCH_NEW_PASS);
   295 		error(ERR_USER_MATCH_NEW_PASS);
   299 	}
   296 	}
   300 
   297 
   301 	// Retrieve the users password.
   298 	// Retrieve the users password.
   302 	$result = $db->query("SELECT password, id FROM users WHERE username='". $_SESSION["userlogin"]  ."'");
   299 	$result = $db->query("SELECT password, id FROM users WHERE username=".$db->quote($_SESSION["userlogin"]));
   303 	$rinfo = $result->fetchRow();
   300 	$rinfo = $result->fetchRow();
   304 
   301 
   305 	// Check the current password versus the database password and execute the update.
   302 	// Check the current password versus the database password and execute the update.
   306 	if(md5($currentpass) == $rinfo["password"])
   303 	if(md5($currentpass) == $rinfo["password"])
   307 	{
   304 	{
   325 function get_fullname_from_userid($id)
   322 function get_fullname_from_userid($id)
   326 {
   323 {
   327 	global $db;
   324 	global $db;
   328 	if (is_numeric($id))
   325 	if (is_numeric($id))
   329 	{
   326 	{
   330 		$result = $db->query("SELECT fullname FROM users WHERE id=$id");
   327 		$result = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id));
   331 		$r = $result->fetchRow();
   328 		$r = $result->fetchRow();
   332 		return $r["fullname"];
   329 		return $r["fullname"];
   333 	}
   330 	}
   334 	else
   331 	else
   335 	{
   332 	{
   345 function get_owner_from_id($id)
   342 function get_owner_from_id($id)
   346 {
   343 {
   347 	global $db;
   344 	global $db;
   348 	if (is_numeric($id))
   345 	if (is_numeric($id))
   349 	{
   346 	{
   350 		$result = $db->query("SELECT fullname FROM users WHERE id=$id");
   347 		$result = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id));
   351 		if ($result->numRows() == 1)
   348 		if ($result->numRows() == 1)
   352 		{
   349 		{
   353 			$r = $result->fetchRow();
   350 			$r = $result->fetchRow();
   354 			return $r["fullname"];
   351 			return $r["fullname"];
   355 		}
   352 		}
   371 function get_owners_from_domainid($id) {
   368 function get_owners_from_domainid($id) {
   372       
   369       
   373       global $db;
   370       global $db;
   374       if (is_numeric($id))
   371       if (is_numeric($id))
   375       {
   372       {
   376               $result = $db->query("SELECT users.id, users.fullname FROM users, zones WHERE zones.domain_id=$id AND zones.owner=users.id ORDER by fullname");
   373               $result = $db->query("SELECT users.id, users.fullname FROM users, zones WHERE zones.domain_id=".$db->quote($id)." AND zones.owner=users.id ORDER by fullname");
   377               if ($result->numRows() == 0)
   374               if ($result->numRows() == 0)
   378               {
   375               {
   379 		      return "";
   376 		      return "";
   380               } 
   377               } 
   381 	      else 
   378 	      else
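Review bot: In the user-update hunk, the duplicate-username check on new line 268 calls `$db->query($user)` where every other converted statement uses `$db->quote(...)`. As written, the submitted username is sent to the database as a statement of its own and the returned result object is concatenated into the SELECT, so the check is both broken and unquoted. The line should read `$otheruser = $db->query("SELECT id from users where username=".$db->quote($user));`. Separately, `$db->setLimit($rowstart, $rowamount)` in show_users passes the offset first; if `$db` is a PEAR MDB2 handle, whose setLimit takes the limit first, the arguments look swapped and should be confirmed. Passwords still go through unsalted `md5()` and are compared with `==` (new lines 218, 248 and 303), which this commit leaves unchanged; `password_hash()`/`password_verify()` would be the follow-up, and the function bodies around these hunks start and end outside the visible lines.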