27 * return values: an array with all users in it. |
27 * return values: an array with all users in it. |
28 */ |
28 */ |
29 function show_users($id='',$rowstart=0,$rowamount=9999999) |
29 function show_users($id='',$rowstart=0,$rowamount=9999999) |
30 { |
30 { |
31 global $db; |
31 global $db; |
|
32 $add = ''; |
32 if(is_numeric($id)) |
33 if(is_numeric($id)) |
33 { |
34 { |
34 //When a user id is given, it is excluded from the userlist returned. |
35 //When a user id is given, it is excluded from the userlist returned. |
35 $add = " WHERE users.id!=$id"; |
36 $add = " WHERE users.id!=".$db->quote($id); |
36 } |
37 } |
37 |
38 |
38 // Make a huge query. |
39 // Make a huge query. |
39 $sqlq = "SELECT users.id AS id, |
40 $sqlq = "SELECT users.id AS id, |
40 users.username AS username, |
41 users.username AS username, |
132 * return values: true if exists, false if not. |
133 * return values: true if exists, false if not. |
133 */ |
134 */ |
134 function user_exists($user) |
135 function user_exists($user) |
135 { |
136 { |
136 global $db; |
137 global $db; |
137 $result = $db->query("SELECT id FROM users WHERE username='$user'"); |
138 $result = $db->query("SELECT id FROM users WHERE username=".$db->quote($user)); |
138 if ($result->numRows() == 0) |
139 if ($result->numRows() == 0) |
139 { |
140 { |
140 return false; |
141 return false; |
141 } |
142 } |
142 elseif($result->numRows() == 1) |
143 elseif($result->numRows() == 1) |
157 function get_user_info($id) |
158 function get_user_info($id) |
158 { |
159 { |
159 global $db; |
160 global $db; |
160 if (is_numeric($id)) |
161 if (is_numeric($id)) |
161 { |
162 { |
162 $result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=$id"); |
163 $result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=".$db->quote($id)); |
163 $r = $result->fetchRow(); |
164 $r = $result->fetchRow(); |
164 return $r; |
165 return $r; |
165 } |
166 } |
166 else |
167 else |
167 { |
168 { |
181 { |
182 { |
182 error(ERR_LEVEL_10); |
183 error(ERR_LEVEL_10); |
183 } |
184 } |
184 if (is_numeric($id)) |
185 if (is_numeric($id)) |
185 { |
186 { |
186 $db->query("DELETE FROM users WHERE id=$id"); |
187 $db->query("DELETE FROM users WHERE id=".$db->quote($id)); |
187 $db->query("DELETE FROM zones WHERE owner=$id"); |
188 $db->query("DELETE FROM zones WHERE owner=".$db->quote($id)); |
188 return true; |
189 return true; |
189 // No need to check the affected rows. If the affected rows would be 0, |
190 // No need to check the affected rows. If the affected rows would be 0, |
190 // the user isnt in the dbase, just as we want. |
191 // the user isnt in the dbase, just as we want. |
191 } |
192 } |
192 else |
193 else |
207 { |
208 { |
208 error(ERR_LEVEL_10); |
209 error(ERR_LEVEL_10); |
209 } |
210 } |
210 if (!user_exists($user)) |
211 if (!user_exists($user)) |
211 { |
212 { |
212 // Might have to be changed. |
213 if (!is_valid_email($email)) |
213 // TODO probably. |
214 { |
214 $description = mysql_escape_string($description); |
215 error(ERR_INV_EMAIL); |
215 |
216 } |
216 // Clean up the fullname |
217 |
217 $fullname = mysql_escape_string($fullname); |
218 $db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES (".$db->quote($user).", '" . md5($password) . "', ".$db->quote($fullname).", ".$db->quote($email).", ".$db->quote($description).", ".$db->quote($level).", ".$db->quote($active).")"); |
218 is_valid_email($email); |
|
219 |
|
220 $db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES ('$user', '" . md5($password) . "', '$fullname', '$email', '$description', '$level', '$active')"); |
|
221 return true; |
219 return true; |
222 } |
220 } |
223 else |
221 else |
224 { |
222 { |
225 error(ERR_USER_EXISTS); |
223 error(ERR_USER_EXISTS); |
236 global $db; |
234 global $db; |
237 if(!level(10)) { |
235 if(!level(10)) { |
238 error(ERR_LEVEL_10); |
236 error(ERR_LEVEL_10); |
239 } |
237 } |
240 |
238 |
241 // Might have to be changed. |
239 if (!is_valid_email($email)) |
242 // TODO |
240 { |
243 $description = mysql_escape_string($description); |
241 error(ERR_INV_EMAIL); |
244 $fullname = mysql_escape_string($fullname); |
242 } |
245 is_valid_email($email); |
243 |
246 |
244 $sqlquery = "UPDATE users set username=".$db->quote($user).", fullname=".$db->quote($fullname).", email=".$db->quote($email).", level=".$db->quote($level).", description=".$db->quote($description).", active=".$db->quote($active); |
247 $sqlquery = "UPDATE users set username='$user', fullname='$fullname', email='$email', level=$level, description='$description', active=$active "; |
|
248 |
245 |
249 if($password != "") |
246 if($password != "") |
250 { |
247 { |
251 $sqlquery .= ", password= '" . md5($password) . "' "; |
248 $sqlquery .= ", password= '" . md5($password) . "' "; |
252 } |
249 } |
253 |
250 |
254 $sqlquery .= "where id=$id" ; |
251 $sqlquery .= " WHERE id=".$db->quote($id) ; |
255 |
252 |
256 // Search the username that right now goes with this ID. |
253 // Search the username that right now goes with this ID. |
257 $result = $db->query("SELECT username from users where id=$id"); |
254 $result = $db->query("SELECT username from users where id=".$db->quote($id)); |
258 $r = array(); |
255 $r = array(); |
259 $r = $result->fetchRow(); |
256 $r = $result->fetchRow(); |
260 |
257 |
261 // If the found username with this ID is the given username with the command.. execute. |
258 // If the found username with this ID is the given username with the command.. execute. |
262 |
259 |
266 return true; |
263 return true; |
267 } |
264 } |
268 |
265 |
269 // Its not.. so the user wants to change. |
266 // Its not.. so the user wants to change. |
270 // Find if there is an id that has the wished username. |
267 // Find if there is an id that has the wished username. |
271 $otheruser = $db->query("SELECT id from users where username='$user'"); |
268 $otheruser = $db->query("SELECT id from users where username=".$db->query($user)); |
272 if($otheruser->numRows() > 0) |
269 if($otheruser->numRows() > 0) |
273 { |
270 { |
274 error(ERR_USER_EXIST); |
271 error(ERR_USER_EXIST); |
275 } |
272 } |
276 |
273 |
297 { |
294 { |
298 error(ERR_USER_MATCH_NEW_PASS); |
295 error(ERR_USER_MATCH_NEW_PASS); |
299 } |
296 } |
300 |
297 |
301 // Retrieve the users password. |
298 // Retrieve the users password. |
302 $result = $db->query("SELECT password, id FROM users WHERE username='". $_SESSION["userlogin"] ."'"); |
299 $result = $db->query("SELECT password, id FROM users WHERE username=".$db->quote($_SESSION["userlogin"])); |
303 $rinfo = $result->fetchRow(); |
300 $rinfo = $result->fetchRow(); |
304 |
301 |
305 // Check the current password versus the database password and execute the update. |
302 // Check the current password versus the database password and execute the update. |
306 if(md5($currentpass) == $rinfo["password"]) |
303 if(md5($currentpass) == $rinfo["password"]) |
307 { |
304 { |
345 function get_owner_from_id($id) |
342 function get_owner_from_id($id) |
346 { |
343 { |
347 global $db; |
344 global $db; |
348 if (is_numeric($id)) |
345 if (is_numeric($id)) |
349 { |
346 { |
350 $result = $db->query("SELECT fullname FROM users WHERE id=$id"); |
347 $result = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id)); |
351 if ($result->numRows() == 1) |
348 if ($result->numRows() == 1) |
352 { |
349 { |
353 $r = $result->fetchRow(); |
350 $r = $result->fetchRow(); |
354 return $r["fullname"]; |
351 return $r["fullname"]; |
355 } |
352 } |