converted from the mysql_ API to the PDO library

This commit is contained in:
Ryan Walberg 2012-11-22 04:36:20 +00:00
parent 75aefbd9e3
commit 246232f0a3
31 changed files with 1460 additions and 1217 deletions


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -30,7 +31,7 @@ else {
$userid = $_SESSION["userid"];
}
if (!empty($_GET["message"])) {
$message = strip_tags($_GET["message"]);
$message = $_GET["message"];
}
$action = $_GET["action"];
@ -38,8 +39,6 @@ $action = $_GET["action"];
if ($action == "insert" || $action == "update") {
/* validate the data. */
$category = trim($_GET["category"]);
if (!get_magic_quotes_gpc())
$category = addslashes($category);
$haserror = false;
if ($category == "") {
@ -50,66 +49,73 @@ if ($action == "insert" || $action == "update") {
if ($action == "delete") {
/* first, NULL all category FKs for items that use this category. */
$query = "UPDATE {$OPT["table_prefix"]}items SET category = NULL WHERE category = " . addslashes($_GET["categoryid"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$query = "DELETE FROM {$OPT["table_prefix"]}categories WHERE categoryid = " . addslashes($_GET["categoryid"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET category = NULL WHERE category = ?");
$stmt->bindValue(1, (int) $_GET["categoryid"], PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}categories WHERE categoryid = ?");
$stmt->bindValue(1, (int) $_GET["categoryid"], PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("categories.php?message=Category+deleted."));
exit;
}
else if ($action == "edit") {
$query = "SELECT category FROM {$OPT["table_prefix"]}categories WHERE categoryid = " . addslashes($_GET["categoryid"]);
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$stmt = $smarty->dbh()->prepare("SELECT category FROM {$opt["table_prefix"]}categories WHERE categoryid = ?");
$stmt->bindValue(1, (int) $_GET["categoryid"], PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$category = $row["category"];
}
mysql_free_result($rs);
}
else if ($action == "") {
$category = "";
}
else if ($action == "insert") {
if (!$haserror) {
$query = "INSERT INTO {$OPT["table_prefix"]}categories(categoryid,category) " .
"VALUES(NULL,'$category')";
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}categories(categoryid,category) VALUES(NULL, ?)");
$stmt->bindParam(1, $category, PDO::PARAM_STR);
$stmt->execute();
header("Location: " . getFullPath("categories.php?message=Category+added."));
exit;
}
}
else if ($action == "update") {
if (!$haserror) {
$query = "UPDATE {$OPT["table_prefix"]}categories " .
"SET category = '$category' " .
"WHERE categoryid = " . addslashes($_GET["categoryid"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}categories " .
"SET category = ? " .
"WHERE categoryid = ?");
$stmt->bindParam(1, $category, PDO::PARAM_STR);
$stmt->bindValue(2, (int) $_GET["categoryid"], PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("categories.php?message=Category+updated."));
exit;
}
}
else {
echo "Unknown verb.";
exit;
die("Unknown verb.");
}
$query = "SELECT c.categoryid, c.category, COUNT(itemid) AS itemsin " .
"FROM {$OPT["table_prefix"]}categories c " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}items i ON i.category = c.categoryid " .
$stmt = $smarty->dbh()->prepare("SELECT c.categoryid, c.category, COUNT(itemid) AS itemsin " .
"FROM {$opt["table_prefix"]}categories c " .
"LEFT OUTER JOIN {$opt["table_prefix"]}items i ON i.category = c.categoryid " .
"GROUP BY c.categoryid, category " .
"ORDER BY category";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
"ORDER BY category");
$stmt->execute();
$categories = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$categories[] = $row;
}
mysql_free_result($rs);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('action', $action);
if (isset($action)) {
$smarty->assign('action', $action);
}
$smarty->assign('categories', $categories);
$smarty->assign('categoryid', addslashes($_GET["categoryid"]));
if (isset($_GET["categoryid"])) {
$smarty->assign('categoryid', (int) $_GET["categoryid"]);
}
if (isset($message)) {
$smarty->assign('message', $message);
}
@ -119,6 +125,6 @@ if (isset($category_error)) {
}
$smarty->assign('haserror', $haserror);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->assign('opt', $smarty->opt());
$smarty->display('categories.tpl');
?>
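Review bot: Replacing `strip_tags($_GET["message"])` with the raw `$_GET["message"]` removes the only sanitisation applied to a query-string value that is later handed to the template via `assign('message', $message)`; unless MySmarty (not in this diff) enables Smarty's `escape_html`, this reintroduces a reflected XSS on `categories.php?message=...`. I would keep `$message = strip_tags($_GET["message"]);` or, better, escape for the HTML context with `$message = htmlspecialchars($_GET["message"], ENT_QUOTES, 'UTF-8');`. The delete, insert and update actions also remain driven purely by GET parameters with no CSRF token; that predates this commit, but is worth addressing while the request handling is being reworked.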


@ -1,118 +0,0 @@
<?php
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
global $OPT;
/* The maximum number of days before an event which produces a notification. */
$OPT["event_threshold"] = 60;
/* Whether or not requesting to shop for someone is immediately approved.
0 = auto-approve,
1 = require approval
*/
$OPT["shop_requires_approval"] = 1;
/* Whether or not requesting a new account is immediately approved.
0 = auto-approve,
1 = require administrator approval
*/
$OPT["newuser_requires_approval"] = 1;
/* Whether or not whom an item is reserved/bought by is hidden. */
$OPT["anonymous_purchasing"] = 0;
/* The number of your items that show on each page. */
$OPT["items_per_page"] = 10;
/* The e-mail From: header. */
$OPT["email_from"] = "webmaster@" . $_SERVER['SERVER_NAME'];
/* The e-mail Reply-To: header. */
$OPT["email_reply_to"] = "webmaster@" . $_SERVER['SERVER_NAME'];
/* The e-mail X-Mailer header. */
$OPT["email_xmailer"] = "PHP/" . phpversion();
/* Whether or not to show brief blurbs in certain spots which describe how
features work.
0 = don't help text,
1 = show help text
*/
$OPT["show_helptext"] = 0;
/* Whether or not clicking the Delete Item link requires a JavaScript-based
confirmation.
0 = don't show confirmation,
1 = show confirmation
*/
$OPT["confirm_item_deletes"] = 0;
/* Whether or not to allow multiple quantities of an item. */
$OPT["allow_multiples"] = 1;
/* This is prefixed to all currency values, set it as appropriate for your currency. */
$OPT["currency_symbol"] = "$"; // US or other dollars
//$OPT["currency_symbol"] = "&#163;"; // Pound (£) symbol
//$OPT["currency_symbol"] = "&#165;"; // Yen
//$OPT["currency_symbol"] = "&#8364;"; // Euro
//$OPT["currency_symbol"] = "&euro;"; // Euro alternative
/* If this is set to something other than "" then phpgiftreg will expect that
string to prefix all tables in this installation. Useful for running
multiple phpgiftreg installations in the same MySQL database.
*/
$OPT["table_prefix"] = "";
//$OPT["table_prefix"] = "gift_"; // all tables must be prefixed by `gift_'
/* Whether or not your own events show up on the home page.
0 = don't show my own events,
1 = show my own events
*/
$OPT["show_own_events"] = 1;
/* The length of random generated passwords. */
$OPT["password_length"] = 8;
/* Whether or not to hide the price when it's $0.00.
0 = don't hide it,
1 = hide it
*/
$OPT["hide_zero_price"] = 1;
/* Whether or not to hash passwords. Your version of MySQL may or may not
support it.
"MD5" = use MySQL's MD5() function,
"SHA1" = use MySQL's SHA1() function,
"" = use nothing (store passwords in plaintext).
If you switch this on, you're going to need to do a
UPDATE users SET password = MD5(password)
on your database to convert the passwords. This operation is NON-REVERSIBLE!
*/
$OPT["password_hasher"] = "MD5";
/* Whether or not to allow image uploads. If on, the next option must point to
a valid subdirectory that is writeable by the web server. The setup.php
script will confirm this.
0 = don't allow images,
1 = allow images
*/
$OPT["allow_images"] = 1;
/* The *sub*-directory we we can store item images. If you don't want to
allow images to be attached to items, leave this variable empty ("").
Trailing / is optional.
*/
$OPT["image_subdir"] = "item_images/";
?>


@ -1,18 +0,0 @@
<?php
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
mysql_connect("localhost","root","") or die("Could not connect: " . mysql_error());
mysql_select_db("phpgiftreg");
?>


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -27,28 +28,34 @@ else {
}
if (!empty($_GET["message"])) {
$message = strip_tags($_GET["message"]);
$message = $_GET["message"];
}
if (isset($_GET["eventid"])) {
$eventid = (int) $_GET["eventid"];
$eventid = $_GET["eventid"];
}
// for security, let's make sure that if an eventid was passed in, it belongs
// to $userid (or is a system event and the user is an admin).
// all operations on this page should only be performed by the event's owner.
if (isset($eventid)) {
$query = "SELECT * FROM {$OPT["table_prefix"]}events WHERE eventid = $eventid AND ";
if ($_SESSION["admin"] == 1)
$query .= "(userid = " . $_SESSION["userid"] . " OR userid IS NULL)";
else
$query .= "userid = " . $_SESSION["userid"];
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if (mysql_num_rows($rs) == 0) {
echo "Nice try! (That's not your event.)";
exit;
try {
$query = "SELECT * FROM {$opt["table_prefix"]}events WHERE eventid = ? AND ";
if ($_SESSION["admin"] == 1)
$query .= "(userid = ? OR userid IS NULL)";
else
$query .= "userid = ?";
$stmt = $smarty->dbh()->prepare($query);
$stmt->bindParam(1, $eventid, PDO::PARAM_INT);
$stmt->bindParam(2, $userid, PDO::PARAM_INT);
$stmt->execute();
if (!$stmt->fetch())
die("Nice try! (That's not your event.)");
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
mysql_free_result($rs);
}
$action = isset($_GET["action"]) ? $_GET["action"] : "";
@ -59,9 +66,7 @@ if ($action == "insert" || $action == "update") {
$eventdate = $_GET["eventdate"];
$ts = strtotime($eventdate);
$recurring = (strtoupper($_GET["recurring"]) == "ON" ? 1 : 0);
$systemevent = (strtoupper($_GET["system"]) == "ON" ? 1 : 0);
if (!get_magic_quotes_gpc())
$description = addslashes($description);
$systemevent = (strtoupper($_GET["systemevent"]) == "ON" ? 1 : 0);
$haserror = false;
if ($description == "") {
@ -75,21 +80,36 @@ if ($action == "insert" || $action == "update") {
}
if ($action == "delete") {
$query = "DELETE FROM {$OPT["table_prefix"]}events WHERE eventid = $eventid";
mysql_query($query) or die("Could not query: " . mysql_error());
header("Location: " . getFullPath("event.php?message=Event+deleted."));
exit;
try {
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}events WHERE eventid = ?");
$stmt->bindParam(1, $eventid, PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("event.php?message=Event+deleted."));
exit;
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
}
else if ($action == "edit") {
$query = "SELECT description, eventdate, recurring, userid FROM {$OPT["table_prefix"]}events WHERE eventid = $eventid";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
try {
$stmt = $smarty->dbh()->prepare("SELECT description, eventdate, recurring, userid FROM {$opt["table_prefix"]}events WHERE eventid = ?");
$stmt->bindParam(1, $eventid, PDO::PARAM_INT);
$stmt->execute();
// we know this will work, see above.
$row = $stmt->fetch();
$description = $row["description"];
$eventdate = $row["eventdate"];
$recurring = $row["recurring"];
$systemevent = ($row["userid"] == "");
}
mysql_free_result($rs);
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
}
else if ($action == "") {
$description = "";
@ -99,67 +119,95 @@ else if ($action == "") {
}
else if ($action == "insert") {
if (!$haserror) {
$query = "INSERT INTO {$OPT["table_prefix"]}events(userid,description,eventdate,recurring) " .
"VALUES(" . ($systemevent ? "NULL" : $userid) . ",'$description','" . strftime("%Y-%m-%d", $ts) . "',$recurring)";
mysql_query($query) or die("Could not query: " . mysql_error());
header("Location: " . getFullPath("event.php?message=Event+added."));
exit;
try {
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}events(userid,description,eventdate,recurring) VALUES(?, ?, ?, ?)");
$stmt->bindValue(1, $systemevent ? NULL : $userid, PDO::PARAM_BOOL);
$stmt->bindParam(2, $description, PDO::PARAM_STR);
$stmt->bindValue(3, strftime("%Y-%m-%d", $ts), PDO::PARAM_STR);
$stmt->bindParam(4, $recurring, PDO::PARAM_BOOL);
$stmt->execute();
header("Location: " . getFullPath("event.php?message=Event+added."));
exit;
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
}
}
else if ($action == "update") {
if (!$haserror) {
$query = "UPDATE {$OPT["table_prefix"]}events SET " .
"userid = " . ($systemevent ? "NULL" : $userid) . ", " .
"description = '$description', " .
"eventdate = '" . strftime("%Y-%m-%d", $ts) . "', " .
"recurring = $recurring " .
"WHERE eventid = $eventid";
mysql_query($query) or die("Could not query: " . mysql_error());
header("Location: " . getFullPath("event.php?message=Event+updated."));
exit;
try {
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}events SET " .
"userid = ?, " .
"description = ?, " .
"eventdate = ?, " .
"recurring = ? " .
"WHERE eventid = ?");
$stmt->bindValue(1, $systemevent ? NULL : $userid, PDO::PARAM_BOOL);
$stmt->bindParam(2, $description, PDO::PARAM_STR);
$stmt->bindValue(3, strftime("%Y-%m-%d", $ts), PDO::PARAM_STR);
$stmt->bindParam(4, $recurring, PDO::PARAM_BOOL);
$stmt->bindParam(5, $eventid, PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("event.php?message=Event+updated."));
exit;
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
}
}
else {
echo "Unknown verb.";
exit;
die("Unknown verb.");
}
$query = "SELECT eventid, userid, description, eventdate, recurring " .
"FROM {$OPT["table_prefix"]}events " .
"WHERE userid = $userid";
if ($_SESSION["admin"] == 1)
$query .= " OR userid IS NULL"; // add in system events
$query .= " ORDER BY userid, eventdate";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$events = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$row['eventdate'] = strftime("%m/%d/%Y", strtotime($row['eventdate']));
$events[] = $row;
}
mysql_free_result($events);
try {
$query = "SELECT eventid, userid, description, eventdate, recurring " .
"FROM {$opt["table_prefix"]}events " .
"WHERE userid = ?";
if ($_SESSION["admin"] == 1)
$query .= " OR userid IS NULL"; // add in system events
$query .= " ORDER BY userid, eventdate";
$stmt = $smarty->dbh()->prepare($query);
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
if (isset($message)) {
$smarty->assign('message', $message);
$stmt->execute();
$events = array();
while ($row = $stmt->fetch()) {
$row['eventdate'] = strftime("%m/%d/%Y", strtotime($row['eventdate']));
$events[] = $row;
}
if (isset($message)) {
$smarty->assign('message', $message);
}
$smarty->assign('action', $action);
$smarty->assign('haserror', $haserror);
$smarty->assign('events', $events);
$smarty->assign('eventdate', strftime("%m/%d/%Y", strtotime($eventdate)));
if (isset($eventdate_error)) {
$smarty->assign('eventdate_error', $eventdate_error);
}
$smarty->assign('description', $description);
if (isset($description_error)) {
$smarty->assign('description_error', $description_error);
}
$smarty->assign('recurring', $recurring);
$smarty->assign('systemevent', $systemevent);
if (isset($eventid)) {
$smarty->assign('eventid', $eventid);
}
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION['admin']);
$smarty->assign('opt', $smarty->opt());
$smarty->display('event.tpl');
}
$smarty->assign('action', $action);
$smarty->assign('haserror', $haserror);
$smarty->assign('events', $events);
$smarty->assign('eventdate', strftime("%m/%d/%Y", strtotime($eventdate)));
if (isset($eventdate_error)) {
$smarty->assign('eventdate_error', $eventdate_error);
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
$smarty->assign('description', $description);
if (isset($description_error)) {
$smarty->assign('description_error', $description_error);
}
$smarty->assign('recurring', $recurring);
$smarty->assign('systemevent', $systemevent);
$smarty->assign('eventid', $eventid);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION['admin']);
$smarty->assign('opt', $OPT);
$smarty->display('event.tpl');
?>
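Review bot: `$stmt->bindValue(1, $systemevent ? NULL : $userid, PDO::PARAM_BOOL);` in both the insert and update branches binds the owning userid with the wrong type: as far as I can tell PDO coerces an integer bound as PARAM_BOOL to a boolean, so any non-zero userid is stored as 1, and with pdo_mysql's default emulated prepares a NULL bound as PARAM_BOOL is rendered as 0 rather than SQL NULL, which would make every user's events look owned by userid 1 and break the `userid IS NULL` system-event logic that the ownership query earlier in this file relies on. Bind it as `$stmt->bindValue(1, $systemevent ? NULL : $userid, $systemevent ? PDO::PARAM_NULL : PDO::PARAM_INT);` in both places. Separately, dropping the `(int)` cast when reading `$_GET["eventid"]` means a value like `1abc` is either truncated to 1 by PDO or compared as 1 by MySQL, passes the ownership check, and then reaches the template unescaped through `assign('eventid', $eventid)`; keep `$eventid = (int) $_GET["eventid"];`. The same section also drops `strip_tags()` from `$_GET["message"]`, which is only safe if the MySmarty class (not in this diff) turns on output escaping.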


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -30,16 +31,17 @@ else {
$userid = $_SESSION["userid"];
}
if (!empty($_GET["message"])) {
$message = strip_tags($_GET["message"]);
$message = $_GET["message"];
}
$action = empty($_GET["action"]) ? "" : $_GET["action"];
if (!empty($_GET["familyid"]))
$familyid = (int) $_GET["familyid"];
if ($action == "insert" || $action == "update") {
/* validate the data. */
$familyname = trim($_GET["familyname"]);
if (!get_magic_quotes_gpc())
$familyname = addslashes($familyname);
$haserror = false;
if ($familyname == "") {
@ -49,104 +51,145 @@ if ($action == "insert" || $action == "update") {
}
if ($action == "delete") {
/* first, delete all memberships for this family. */
$query = "DELETE FROM {$OPT["table_prefix"]}memberships WHERE familyid = " . addslashes($_GET["familyid"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$query = "DELETE FROM {$OPT["table_prefix"]}families WHERE familyid = " . addslashes($_GET["familyid"]);
mysql_query($query) or die("Could not query: " . mysql_error());
header("Location: " . getFullPath("families.php?message=Family+deleted."));
exit;
try {
/* first, delete all memberships for this family. */
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}memberships WHERE familyid = ?");
$stmt->bindParam(1, $familyid, PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}families WHERE familyid = ?");
$stmt->bindValue(1, $familyid, PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("families.php?message=Family+deleted."));
exit;
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
}
else if ($action == "edit") {
$query = "SELECT familyname FROM {$OPT["table_prefix"]}families WHERE familyid = " . addslashes($_GET["familyid"]);
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
$familyname = $row["familyname"];
try {
$stmt = $smarty->dbh()->prepare("SELECT familyname FROM {$opt["table_prefix"]}families WHERE familyid = ?");
$stmt->bindValue(1, $familyid, PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$familyname = $row["familyname"];
}
else {
die("family doesn't exist.");
}
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
mysql_free_result($rs);
}
else if ($action == "") {
$familyname = "";
}
else if ($action == "insert") {
if (!$haserror) {
$query = "INSERT INTO {$OPT["table_prefix"]}families(familyid,familyname) " .
"VALUES(NULL,'$familyname')";
mysql_query($query) or die("Could not query: " . mysql_error());
try {
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}families(familyid,familyname) VALUES(NULL, ?)");
$stmt->bindParam(1, $familyname, PDO::PARAM_STR);
$stmt->execute();
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
header("Location: " . getFullPath("families.php?message=Family+added."));
exit;
}
}
else if ($action == "update") {
if (!$haserror) {
$query = "UPDATE {$OPT["table_prefix"]}families " .
"SET familyname = '$familyname' " .
"WHERE familyid = " . addslashes($_GET["familyid"]);
mysql_query($query) or die("Could not query: " . mysql_error());
try {
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}families " .
"SET familyname = ? " .
"WHERE familyid = ?");
$stmt->bindParam(1, $familyname, PDO::PARAM_STR);
$stmt->bindValue(2, $familyid, PDO::PARAM_INT);
$stmt->execute();
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
header("Location: " . getFullPath("families.php?message=Family+updated."));
exit;
}
}
else if ($action == "members") {
$members = $_GET["members"];
/* first, delete all memberships for this family. */
$query = "DELETE FROM {$OPT["table_prefix"]}memberships WHERE familyid = " . addslashes($_GET["familyid"]);
mysql_query($query) or die("Could not query: " . mysql_error());
/* now add them back. */
foreach ($members as $userid) {
$query = "INSERT INTO {$OPT["table_prefix"]}memberships(userid,familyid) VALUES(" . addslashes($userid) . "," . addslashes($_GET["familyid"]) . ")";
mysql_query($query) or die("Could not query: " . mysql_error());
try {
/* first, delete all memberships for this family. */
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}memberships WHERE familyid = ?");
$stmt->bindValue(1, $familyid, PDO::PARAM_INT);
$stmt->execute();
/* now add them back. */
foreach ($members as $userid) {
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}memberships(userid,familyid) VALUES(?, ?)");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindParam(2, $familyid, PDO::PARAM_INT);
$stmt->execute();
}
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
header("Location: " . getFullPath("families.php?message=Members+changed."));
exit;
}
else {
echo "Unknown verb.";
exit;
die("Unknown verb.");
}
$query = "SELECT f.familyid, familyname, COUNT(userid) AS members " .
"FROM {$OPT["table_prefix"]}families f " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}memberships m ON m.familyid = f.familyid " .
try {
$stmt = $smarty->dbh()->prepare("SELECT f.familyid, familyname, COUNT(userid) AS members " .
"FROM {$opt["table_prefix"]}families f " .
"LEFT OUTER JOIN {$opt["table_prefix"]}memberships m ON m.familyid = f.familyid " .
"GROUP BY f.familyid " .
"ORDER BY familyname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$families = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$families[] = $row;
}
mysql_free_result($rs);
if ($action == "edit") {
$query = "SELECT u.userid, u.fullname, m.familyid FROM {$OPT["table_prefix"]}users u " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}memberships m ON m.userid = u.userid AND m.familyid = " . addslashes($_GET["familyid"]) . " " .
"ORDER BY u.fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$nonmembers = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$nonmembers[] = $row;
"ORDER BY familyname");
$stmt->execute();
$families = array();
while ($row = $stmt->fetch()) {
$families[] = $row;
}
mysql_free_result($rs);
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('action', $action);
$smarty->assign('haserror', $haserror);
if (isset($familyname_error)) {
$smarty->assign('familyname_error', $familyname_error);
if ($action == "edit") {
$stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname, m.familyid FROM {$opt["table_prefix"]}users u " .
"LEFT OUTER JOIN {$opt["table_prefix"]}memberships m ON m.userid = u.userid AND m.familyid = ? " .
"ORDER BY u.fullname");
$stmt->bindParam(1, $familyid, PDO::PARAM_INT);
$stmt->execute();
$nonmembers = array();
while ($row = $stmt->fetch()) {
$nonmembers[] = $row;
}
}
$smarty->assign('action', $action);
$smarty->assign('haserror', $haserror);
if (isset($familyname_error)) {
$smarty->assign('familyname_error', $familyname_error);
}
$smarty->assign('families', $families);
$smarty->assign('familyid', $familyid);
$smarty->assign('familyname', $familyname);
if (isset($nonmembers)) {
$smarty->assign('nonmembers', $nonmembers);
}
if (isset($message)) {
$smarty->assign('message', $message);
}
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $smarty->opt());
$smarty->display('families.tpl');
}
$smarty->assign('families', $families);
$smarty->assign('familyid', $_GET["familyid"]);
$smarty->assign('familyname', $familyname);
if (isset($nonmembers)) {
$smarty->assign('nonmembers', $nonmembers);
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
if (isset($message)) {
$smarty->assign('message', $message);
}
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->display('families.tpl');
?>
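Review bot: Every `catch (PDOException $e)` added in this section ends with `die("sql exception: " . $e->getMessage());`, which sends the driver's error text (table and column names, and potentially connection details) straight to the browser; log it server-side and show a generic message instead, e.g. `error_log($e->getMessage()); die("A database error occurred.");`. In the `members` branch, `$members = $_GET["members"]` is iterated with `foreach` without checking it is an array, so submitting the form with nothing selected (or with `members=1`) raises a warning after the memberships have already been deleted rather than cleanly clearing the family; `foreach ((array) $members as $userid)` handles both cases. Note also that the loop reuses `$userid`, the variable that holds the logged-in user's id from `$_SESSION["userid"]`; it is harmless here only because the branch redirects and exits immediately afterwards, so a distinct loop variable such as `$memberid` would be safer.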


@ -1,12 +0,0 @@
<p>
<center>
<table border="0" cellpadding="10">
<tr>
<!-- <td><a target="_blank" href="http://httpd.apache.org"><img src="images/powered-by-apache2.png" border="0" alt="Powered by Apache" title="Powered by Apache"></a></td> -->
<td><a href="http://www.php.net"><img src="images/php-power-white.gif" border="0" alt="Powered by PHP" title="Powered by PHP"></a></td>
<td><a href="http://www.mysql.com"><img src="images/powered-by-mysql-88x31.png" border="0" alt="Powered by MySQL" title="Powered by MySQL"></a></td>
<!-- <td><a href="http://fedora.redhat.com"><img src="images/powered-by-fedora.png" border="0" alt="Powered by Fedora" title="Powered by Fedora"></a></td> -->
</tr>
</table>
</center>
</p>


@ -13,57 +13,59 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
$error = "";
if (isset($_POST["action"]) && $_POST["action"] == "forgot") {
$username = $_POST["username"];
if (isset($_POST["action"])) {
if ($_POST["action"] == "forgot") {
$username = $_POST["username"];
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
}
try {
// make sure that username is valid
$query = "SELECT email FROM {$OPT["table_prefix"]}users WHERE username = '$username'";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if (mysql_num_rows($rs) == 0) {
$error = "The username '" . stripslashes($username) . "' could not be found.";
mysql_free_result($rs);
}
else {
$row = mysql_fetch_array($rs,MYSQL_ASSOC);
$email = $row["email"];
mysql_free_result($rs);
$stmt = $smarty->dbh()->prepare("SELECT email FROM {$opt["table_prefix"]}users WHERE username = ?");
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->execute();
if ($row = $stmt->fetch()) {
$email = $row["email"];
if ($email == "")
$error = "The username '" . stripslashes($username) . "' does not have an e-mail address, so the password could not be sent.";
$error = "The username '" . $username . "' does not have an e-mail address, so the password could not be sent.";
else {
$pwd = generatePassword();
$query = "UPDATE {$OPT["table_prefix"]}users SET password = {$OPT["password_hasher"]}('$pwd') WHERE username = '$username'";
mysql_query($query) or die("Could not query: " . mysql_error());
$pwd = generatePassword($opt);
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET password = {$opt["password_hasher"]}(?) WHERE username = ?");
$stmt->bindParam(1, $pwd, PDO:PARAM_STR);
$stmt->bindParam(2, $username, PDO::PARAM_STR);
$stmt->execute();
mail(
$email,
"Gift Registry password reset",
"Your Gift Registry account information:\r\n" .
"Your username is '" . $username . "' and your new password is '$pwd'.",
"From: {$GLOBALS["OPT"]["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$GLOBALS["OPT"]["email_xmailer"]}\r\n"
) or die("Mail not accepted for $email");
"From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n"
) or die("Mail not accepted for $email");
}
}
else {
$error = "The username '" . $username . "' could not be found.";
}
if (!empty($error)) {
$smarty->assign('error', $error);
}
$smarty->assign('action', $_POST["action"]);
$smarty->assign('username', $username);
$smarty->assign('opt', $smarty->opt());
$smarty->display('forgot.tpl');
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
if (isset($error) && $error != "") {
$smarty->assign('error', $error);
else {
$smarty->assign('opt', $smarty->opt());
$smarty->display('forgot.tpl');
}
$smarty->assign('action', $_POST["action"]);
$smarty->assign('username', $username);
$smarty->assign('opt', $OPT);
$smarty->display('forgot.tpl');
?>
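Review bot: `$stmt->bindParam(1, $pwd, PDO:PARAM_STR);` uses a single colon, which is a PHP parse error, so the whole forgot.php page fails to load rather than just the reset path; it should read `PDO::PARAM_STR`. The two error strings on the new side still distinguish an unknown username from a known one without an e-mail address, which lets anyone enumerate valid accounts through this unauthenticated form; a single neutral message for both cases is safer. Because the UPDATE that overwrites the stored password hash runs before `mail()` is even attempted, anyone who knows a username can lock its owner out at will; mailing a confirmation token first would close that, though the design predates this commit. `$username` is also assigned to the template unescaped, so it depends on the template escaping it.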


@ -1,162 +0,0 @@
<?php
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
/* for some reason, $OPT isn't accessible from here, even when config.php is
explicitly included. however, $GLOBALS["OPT"] works fine. */
function getFullPath($url) {
$fp = $_SERVER["SERVER_PORT"] == "443" ? "https://" : "http://";
$fp .= $_SERVER["HTTP_HOST"];
$dir = dirname($_SERVER["PHP_SELF"]);
if ($dir != "/")
$fp .= $dir;
$fp .= "/" . $url;
return $fp;
}
function jsEscape($s) {
return str_replace("\"","\\u0022",str_replace("'","\\'",str_replace("\r\n","\\r\\n",$s)));
}
function adjustAllocQuantity($itemid, $userid, $bought, $adjust) {
$howmany = getExistingQuantity($itemid,$userid,$bought);
if ($howmany == 0) {
if ($adjust < 0) {
// can't subtract anything from 0.
return 0;
}
else {
$query = "INSERT INTO {$GLOBALS["OPT"]["table_prefix"]}allocs(itemid,userid,bought,quantity) " .
"VALUES($itemid,$userid,$bought,$adjust)";
mysql_query($query) or die("Could not query: " . mysql_error());
return $howmany;
}
}
else {
/* figure out the real amount to adjust by, in case someone claims to have
received 3 of something from a buyer when they only bought 2. */
if ($adjust < 0) {
if (abs($adjust) > $howmany)
$actual = -$howmany;
else
$actual = $adjust;
}
else {
$actual = $adjust;
}
if ($howmany + $actual == 0)
$query = "DELETE FROM {$GLOBALS["OPT"]["table_prefix"]}allocs WHERE itemid = $itemid AND userid = $userid AND bought = $bought";
else
$query = "UPDATE {$GLOBALS["OPT"]["table_prefix"]}allocs " .
"SET quantity = quantity + $actual " . // because "quantity + -5" is okay.
"WHERE itemid = $itemid AND userid = $userid AND bought = $bought";
mysql_query($query) or die("Could not query: " . mysql_error());
return $actual;
}
}
function getExistingQuantity($itemid, $userid, $bought) {
$query = "SELECT quantity FROM {$GLOBALS["OPT"]["table_prefix"]}allocs WHERE bought = $bought AND userid = $userid AND itemid = $itemid";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$row = mysql_fetch_array($rs,MYSQL_ASSOC);
if (!$row)
return 0;
else {
$qty = $row["quantity"];
mysql_free_result($rs);
return $qty;
}
}
function sendMessage($sender, $recipient, $message) {
// assumes $message has already been slashed.
$query = "INSERT INTO {$GLOBALS["OPT"]["table_prefix"]}messages(sender,recipient,message,created) " .
"VALUES($sender,$recipient,'$message','" . strftime("%Y-%m-%d") . "')";
mysql_query($query) or die("Could not query: " . mysql_error());
// determine if e-mail must be sent.
$query = "SELECT ur.email_msgs, ur.email AS remail, us.fullname, us.email AS semail FROM {$GLOBALS["OPT"]["table_prefix"]}users ur " .
"INNER JOIN {$GLOBALS["OPT"]["table_prefix"]}users us ON us.userid = $sender " .
"WHERE ur.userid = $recipient";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$row = mysql_fetch_array($rs,MYSQL_ASSOC);
if (!$row) die("Recipient does not exist.");
if ($row["email_msgs"] == 1) {
mail(
$row["remail"],
"Gift Registry message from " . $row["fullname"],
$row["fullname"] . " <" . $row["semail"] . "> sends:\r\n" . stripslashes($message),
"From: {$GLOBALS["OPT"]["email_from"]}\r\nReply-To: " . $row["semail"] . "\r\nX-Mailer: {$GLOBALS["OPT"]["email_xmailer"]}\r\n"
) or die("Mail not accepted for " . $row["remail"]);
}
mysql_free_result($rs);
}
function generatePassword() {
//* borrowed from hitech-password.php - a PHP Message board script
//* (c) Hitech Scripts 2003
//* For more information, visit http://www.hitech-scripts.com
//* modified for phpgiftreg by Chris Clonch
mt_srand((double) microtime() * 1000000);
$newstring = "";
if ($GLOBALS["OPT"]["password_length"] > 0) {
while(strlen($newstring) < $GLOBALS["OPT"]["password_length"]) {
switch (mt_rand(1,3)) {
case 1: $newstring .= chr(mt_rand(48,57)); break; // 0-9
case 2: $newstring .= chr(mt_rand(65,90)); break; // A-Z
case 3: $newstring .= chr(mt_rand(97,122)); break; // a-z
}
}
}
return $newstring;
}
function formatPrice($price) {
if ($price == 0.0 && $GLOBALS["OPT"]["hide_zero_price"])
return "&nbsp;";
else
return $GLOBALS["OPT"]["currency_symbol"] . number_format($price,2,".",",");
}
function stampUser($userid) {
$query = "UPDATE {$GLOBALS["OPT"]["table_prefix"]}users SET list_stamp = NOW() WHERE userid = $userid";
mysql_query($query) or die("Could not query: " . mysql_error());
}
function deleteImageForItem($itemid) {
$query = "SELECT image_filename FROM {$GLOBALS["OPT"]["table_prefix"]}items WHERE itemid = $itemid";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
if ($row["image_filename"] != "") {
unlink($GLOBALS["OPT"]["image_subdir"] . "/" . $row["image_filename"]);
}
}
mysql_free_result($rs);
$query = "UPDATE {$GLOBALS["OPT"]["table_prefix"]}items SET image_filename = NULL WHERE itemid = $itemid";
mysql_query($query) or die("Could not query: " . mysql_error());
}
function fixForJavaScript($s) {
$s = htmlentities($s);
$s = str_replace("'","\\'",$s);
$s = str_replace("\r\n","<br />",$s);
$s = str_replace("\n","<br />",$s);
return $s;
}
?>

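--- a/src/includes/config.php
+++ b/src/includes/config.php
@@ -0,0 +1,129 @@
+<?php
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 2 of the License, or
+// (at your option) any later version.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+function getGlobalOptions() {
+return array(
+/* The PDO connection string.
+http://www.php.net/manual/en/pdo.connections.php
+*/
+"pdo_connection_string" => "mysql:host=localhost;dbname=giftreg",
+/* The database username and password. */
+"pdo_username" => "dbusername",
+"pdo_password" => "dbpassword",
+/* The maximum number of days before an event which produces a notification. */
+"event_threshold" => "60",
+/* Whether or not requesting to shop for someone is immediately approved.
+0 = auto-approve,
+1 = require approval
+*/
+"shop_requires_approval" => 1,
+/* Whether or not requesting a new account is immediately approved.
+0 = auto-approve,
+1 = require administrator approval
+*/
+"newuser_requires_approval" => 1,
+/* Whether or not whom an item is reserved/bought by is hidden. */
+"anonymous_purchasing" => 0,
+/* The number of your items that show on each page. */
+"items_per_page" => 10,
+/* The e-mail From: header. */
+"email_from" => "webmaster@" . $_SERVER['SERVER_NAME'],
+/* The e-mail Reply-To: header. */
+"email_reply_to" => "your@address.com",
+/* The e-mail X-Mailer header. */
+"email_xmailer" => "PHP/" . phpversion(),
+/* Whether or not to show brief blurbs in certain spots which describe how
+features work.
+0 = don't help text,
+1 = show help text
+*/
+"show_helptext" => 0,
+/* Whether or not clicking the Delete Item link requires a JavaScript-based
+confirmation.
+0 = don't show confirmation,
+1 = show confirmation
+*/
+"confirm_item_deletes" => 0,
+/* Whether or not to allow multiple quantities of an item. */
+"allow_multiples" => 1,
+/* This is prefixed to all currency values, set it as appropriate for your currency. */
+"currency_symbol" => "$", // US or other dollars
+//"currency_symbol" => "&#163;", // Pound (£) symbol
+//"currency_symbol" => "&#165;", // Yen
+//"currency_symbol" => "&#8364;", // Euro
+//"currency_symbol" => "&euro;", // Euro alternative
+/* If this is set to something other than "" then phpgiftreg will expect that
+string to prefix all tables in this installation. Useful for running
+multiple phpgiftreg installations in the same MySQL database.
+*/
+"table_prefix" => "",
+//"table_prefix" => "gift_", // all tables must be prefixed by `gift_'
+/* Whether or not your own events show up on the home page.
+0 = don't show my own events,
+1 = show my own events
+*/
+"show_own_events" => 1,
+/* The length of random generated passwords. */
+"password_length" => 8,
+/* Whether or not to hide the price when it's $0.00.
+0 = don't hide it,
+1 = hide it
+*/
+"hide_zero_price" => 1,
+/* Whether or not to hash passwords. Your version of MySQL may or may not
+support it.
+"MD5" = use MySQL's MD5() function,
+"SHA1" = use MySQL's SHA1() function,
+"" = use nothing (store passwords in plaintext).
+If you switch this on, you're going to need to do a
+UPDATE users SET password = MD5(password)
+on your database to convert the passwords. This operation is NON-REVERSIBLE!
+*/
+"password_hasher" => "SHA1",
+/* Whether or not to allow image uploads. If on, the next option must point to
+a valid subdirectory that is writeable by the web server. The setup.php
+script will confirm this.
+0 = don't allow images,
+1 = allow images
+*/
+"allow_images" => 1,
+/* The *sub*-directory we we can store item images. If you don't want to
+allow images to be attached to items, leave this variable empty ("").
+Trailing / is optional.
+*/
+"image_subdir" => "item_images"
+);
+}
+?>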
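Review bot: The `password_hasher` option at `"password_hasher" => "SHA1",` offers only MySQL's unsalted MD5()/SHA1() or plaintext, and the comment block above it does not say what that means: neither hash is salted or slow, so two users with the same password get the same stored value and a leaked table is cheap to brute-force. A comment such as `/* NOTE: MD5/SHA1 here are unsalted, fast hashes; prefer password_hash()/password_verify() when the login path is next reworked. */` would at least warn the deployer. Separately, `pdo_username`/`pdo_password` now sit in the same array that `$smarty->opt()` hands to templates elsewhere in this commit (`$smarty->assign('opt', $smarty->opt())`), so any template can read the database credentials; consider keeping the connection settings in their own array or documenting here that callers must strip the `pdo_*` keys before exposing the options to a template.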

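--- a/src/includes/funcLib.php
+++ b/src/includes/funcLib.php
@@ -0,0 +1,179 @@
+<?php
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 2 of the License, or
+// (at your option) any later version.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+function getFullPath($url) {
+$fp = $_SERVER["SERVER_PORT"] == "443" ? "https://" : "http://";
+$fp .= $_SERVER["HTTP_HOST"];
+$dir = dirname($_SERVER["PHP_SELF"]);
+if ($dir != "/")
+$fp .= $dir;
+$fp .= "/" . $url;
+return $fp;
+}
+function jsEscape($s) {
+return str_replace("\"","\\u0022",str_replace("'","\\'",str_replace("\r\n","\\r\\n",$s)));
+}
+function adjustAllocQuantity($itemid, $userid, $bought, $adjust, $dbh, $opt) {
+$howmany = getExistingQuantity($itemid, $userid, $bought, $dbh, $opt);
+if ($howmany == 0) {
+if ($adjust < 0) {
+// can't subtract anything from 0.
+return 0;
+}
+else {
+$stmt = $dbh->prepare("INSERT INTO {$opt["table_prefix"]}allocs(itemid,userid,bought,quantity) VALUES(?, ?, ?, ?)");
+$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
+$stmt->bindParam(2, $userid, PDO::PARAM_INT);
+$stmt->bindParam(3, $bought, PDO::PARAM_BOOL);
+$stmt->bindParam(4, $adjust, PDO::PARAM_INT);
+$stmt->execute();
+return $howmany;
+}
+}
+else {
+/* figure out the real amount to adjust by, in case someone claims to have
+received 3 of something from a buyer when they only bought 2. */
+if ($adjust < 0) {
+if (abs($adjust) > $howmany)
+$actual = -$howmany;
+else
+$actual = $adjust;
+}
+else {
+$actual = $adjust;
+}
+if ($howmany + $actual == 0) {
+$stmt = $dbh->prepare("DELETE FROM {$opt["table_prefix"]}allocs WHERE itemid = ? AND userid = ? AND bought = ?");
+$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
+$stmt->bindParam(2, $userid, PDO::PARAM_INT);
+$stmt->bindParam(3, $bought, PDO::PARAM_BOOL);
+$stmt->execute();
+}
+else {
+$stmt = $dbh->prepare("UPDATE {$opt["table_prefix"]}allocs " .
+"SET quantity = quantity + ? " . // because "quantity + -5" is okay.
+"WHERE itemid = ? AND userid = ? AND bought = ?");
+$stmt->bindParam(1, $actual, PDO::PARAM_INT);
+$stmt->bindParam(2, $itemid, PDO::PARAM_INT);
+$stmt->bindParam(3, $userid, PDO::PARAM_INT);
+$stmt->bindParam(4, $bought, PDO::PARAM_BOOL);
+$stmt->execute();
+}
+return $actual;
+}
+}
+function getExistingQuantity($itemid, $userid, $bought, $dbh, $opt) {
+$stmt = $dbh->prepare("SELECT quantity FROM {$opt["table_prefix"]}allocs WHERE bought = ? AND userid = ? AND itemid = ?");
+$stmt->bindParam(1, $bought, PDO::PARAM_BOOL);
+$stmt->bindParam(2, $userid, PDO::PARAM_INT);
+$stmt->bindParam(3, $itemid, PDO::PARAM_INT);
+$stmt->execute();
+if ($row = $stmt->fetch()) {
+return $row["quantity"];
+}
+else {
+return 0;
+}
+}
+function sendMessage($sender, $recipient, $message, $dbh, $opt) {
+$stmt = $dbh->prepare("INSERT INTO {$opt["table_prefix"]}messages(sender,recipient,message,created) VALUES(?, ?, ?, ?)");
+$stmt->bindParam(1, $sender, PDO::PARAM_INT);
+$stmt->bindParam(2, $recipient, PDO::PARAM_INT);
+$stmt->bindParam(3, $message, PDO::PARAM_STR);
+$stmt->bindValue(4, strftime("%Y-%m-%d"), PDO::PARAM_STR);
+$stmt->execute();
+// determine if e-mail must be sent.
+$stmt = $dbh->prepare("SELECT ur.email_msgs, ur.email AS remail, us.fullname, us.email AS semail FROM {$opt["table_prefix"]}users ur " .
+"INNER JOIN {$opt["table_prefix"]}users us ON us.userid = ? " .
+"WHERE ur.userid = ?");
+$stmt->bindParam(1, $sender, PDO::PARAM_INT);
+$stmt->bindParam(2, $recipient, PDO::PARAM_INT);
+$stmt->execute();
+if ($row = $stmt->fetch()) {
+if ($row["email_msgs"] == 1) {
+mail(
+$row["remail"],
+"Gift Registry message from " . $row["fullname"],
+$row["fullname"] . " <" . $row["semail"] . "> sends:\r\n" . $message,
+"From: {$opt["email_from"]}\r\nReply-To: " . $row["semail"] . "\r\nX-Mailer: {$opt["email_xmailer"]}\r\n"
+) or die("Mail not accepted for " . $row["remail"]);
+}
+}
+else {
+die("recipient doesn't exist");
+}
+}
+function generatePassword($opt) {
+//* borrowed from hitech-password.php - a PHP Message board script
+//* (c) Hitech Scripts 2003
+//* For more information, visit http://www.hitech-scripts.com
+//* modified for phpgiftreg by Chris Clonch
+mt_srand((double) microtime() * 1000000);
+$newstring = "";
+if ($opt["password_length"] > 0) {
+while(strlen($newstring) < $opt["password_length"]) {
+switch (mt_rand(1,3)) {
+case 1: $newstring .= chr(mt_rand(48,57)); break; // 0-9
+case 2: $newstring .= chr(mt_rand(65,90)); break; // A-Z
+case 3: $newstring .= chr(mt_rand(97,122)); break; // a-z
+}
+}
+}
+return $newstring;
+}
+function formatPrice($price, $opt) {
+if ($price == 0.0 && $opt["hide_zero_price"])
+return "&nbsp;";
+else
+return $opt["currency_symbol"] . number_format($price,2,".",",");
+}
+function stampUser($userid, $dbh, $opt) {
+$stmt = $dbh->prepare("UPDATE {$opt["table_prefix"]}users SET list_stamp = NOW() WHERE userid = ?");
+$stmt->bindParam(1, $userid, PDO::PARAM_INT);
+$stmt->execute();
+}
+function deleteImageForItem($itemid, $dbh, $opt) {
+$stmt = $dbh->prepare("SELECT image_filename FROM {$opt["table_prefix"]}items WHERE itemid = ?");
+$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
+$stmt->execute();
+if ($row = $stmt->fetch()) {
+if ($row["image_filename"] != "") {
+unlink($opt["image_subdir"] . "/" . $row["image_filename"]);
+}
+$stmt = $dbh->prepare("UPDATE {$opt["table_prefix"]}items SET image_filename = NULL WHERE itemid = ?");
+$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
+$stmt->execute();
+}
+}
+function fixForJavaScript($s) {
+$s = htmlentities($s);
+$s = str_replace("'","\\'",$s);
+$s = str_replace("\r\n","<br />",$s);
+$s = str_replace("\n","<br />",$s);
+return $s;
+}
+?>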
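Review bot: `generatePassword` reseeds the Mersenne Twister at `mt_srand((double) microtime() * 1000000);` and then builds the password from `mt_rand`, so the whole password is determined by a microsecond-resolution seed and is not cryptographically random; since the earlier section of this commit mails this value as the user's new password, it should come from a CSPRNG. Remove the `mt_srand` line and use `chr(random_int(48,57))` (and likewise `random_int(65,90)`, `random_int(97,122)`, and `random_int(1,3)` for the case selector) in place of the `mt_rand` calls, or `openssl_random_pseudo_bytes` where `random_int` is unavailable. A second point: every `$stmt->fetch()` in this file relies on the connection's default fetch mode, and unless `MySmarty::dbh()` sets `PDO::ATTR_DEFAULT_FETCH_MODE` (not visible here) rows come back as `FETCH_BOTH`; `fetch(PDO::FETCH_ASSOC)` would make the `$row["..."]` access independent of that setting. `deleteImageForItem` also passes `$row["image_filename"]` from the database straight to `unlink`; wrapping it in `basename()` keeps the delete inside `$opt["image_subdir"]` even if a malformed name ever reaches the table.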


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -27,7 +28,7 @@ else {
}
if (!empty($_GET["message"])) {
$message = strip_tags($_GET["message"]);
$message = $_GET["message"];
}
/* if we've got `page' on the query string, set the session page indicator. */
@ -45,30 +46,40 @@ else {
if (!empty($_GET["action"])) {
$action = $_GET["action"];
if ($action == "ack") {
$query = "UPDATE {$OPT["table_prefix"]}messages SET isread = 1 WHERE messageid = " . (int) $_GET["messageid"];
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}messages SET isread = 1 WHERE messageid = ?");
$stmt->bindValue(1, (int) $_GET["messageid"], PDO::PARAM_INT);
$stmt->execute();
}
else if ($action == "approve") {
$query = "UPDATE {$OPT["table_prefix"]}shoppers SET pending = 0 WHERE shopper = " . (int) $_GET["shopper"] . " AND mayshopfor = $userid";
mysql_query($query) or die("Could not query: " . mysql_error());
sendMessage($userid,(int) $_GET["shopper"],addslashes($_SESSION["fullname"] . " has approved your request to shop for him/her."));
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}shoppers SET pending = 0 WHERE shopper = ? AND mayshopfor = ?");
$stmt->bindValue(1, (int) $_GET["shopper"], PDO::PARAM_INT);
$stmt->bindParam(2, $userid, PDO::PARAM_INT);
$stmt->execute();
sendMessage($userid,(int) $_GET["shopper"],$_SESSION["fullname"] . " has approved your request to shop for him/her.", $smarty->dbh(), $smarty->opt());
}
else if ($action == "decline") {
$query = "DELETE FROM {$OPT["table_prefix"]}shoppers WHERE shopper = " . (int) $_GET["shopper"] . " AND mayshopfor = $userid";
mysql_query($query) or die("Could not query: " . mysql_error());
sendMessage($userid,(int) $_GET["shopper"],addslashes($_SESSION["fullname"] . " has declined your request to shop for him/her."));
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? AND mayshopfor = ?");
$stmt->bindValue(1, (int) $_GET["shopper"], PDO::PARAM_INT);
$stmt->bindParam(2, $userid, PDO::PARAM_INT);
$stmt->execute();
sendMessage($userid,(int) $_GET["shopper"],$_SESSION["fullname"] . " has declined your request to shop for him/her.", $smarty->dbh(), $smarty->opt());
}
else if ($action == "request") {
$query = "INSERT INTO {$OPT["table_prefix"]}shoppers(shopper,mayshopfor,pending) VALUES($userid," . (int) $_GET["shopfor"] . ",{$OPT["shop_requires_approval"]})";
mysql_query($query) or die("Could not query: " . mysql_error());
if ($OPT["shop_requires_approval"]) {
sendMessage($userid,(int) $_GET["shopfor"],addslashes($_SESSION["fullname"] . " has requested to shop for you. Please approve or decline this request."));
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}shoppers(shopper,mayshopfor,pending) VALUES(?, ?, ?)");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindValue(2, (int) $_GET["shopfor"], PDO::PARAM_INT);
$stmt->bindValue(3, $opt["shop_requires_approval"], PDO::PARAM_BOOL);
$stmt->execute();
if ($opt["shop_requires_approval"]) {
sendMessage($userid,(int) $_GET["shopfor"],$_SESSION["fullname"] . " has requested to shop for you. Please approve or decline this request.", $smarty->dbh(), $smarty->opt());
}
}
else if ($action == "cancel") {
// this works for either cancelling a request or "unshopping" for a user.
$query = "DELETE FROM {$OPT["table_prefix"]}shoppers WHERE shopper = " . $userid . " AND mayshopfor = " . (int) $_GET["shopfor"];
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? AND mayshopfor = ?");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindValue(2, (int) $_GET["shopfor"], PDO::PARAM_INT);
$stmt->execute();
}
}
@ -97,69 +108,75 @@ else {
$sortby = "rankorder DESC, i.description";
}
}
$query = "SELECT itemid, description, c.category, price, url, rendered, comment, image_filename FROM {$OPT["table_prefix"]}items i LEFT OUTER JOIN {$OPT["table_prefix"]}categories c ON c.categoryid = i.category LEFT OUTER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking WHERE userid = " . $userid . " ORDER BY $sortby";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$myitems_count = mysql_num_rows($rs);
$stmt = $smarty->dbh()->prepare("SELECT itemid, description, c.category, price, url, rendered, comment, image_filename FROM {$opt["table_prefix"]}items i LEFT OUTER JOIN {$opt["table_prefix"]}categories c ON c.categoryid = i.category LEFT OUTER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking WHERE userid = ? ORDER BY " . $sortby);
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$myitems_count = 0;
$myitems = array();
for ($i = 0; $i < $offset; $i++) {
$row = mysql_fetch_array($rs, MYSQL_ASSOC);
for ($i = 0; $i < $offset; $i++, ++$myitems_count) {
$row = $stmt->fetch();
}
$i = 0;
while ($i++ < $OPT["items_per_page"] && $row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$row['price'] = formatPrice($row['price']);
while ($i++ < $opt["items_per_page"] && $row = $stmt->fetch()) {
$row['price'] = formatPrice($row['price'], $opt);
$myitems[] = $row;
++$myitems_count;
}
while ($stmt->fetch()) {
++$myitems_count;
}
mysql_free_result($rs);
$query = "SELECT u.userid, u.fullname, u.comment, u.list_stamp, COUNT(i.itemid) AS itemcount " .
"FROM {$OPT["table_prefix"]}shoppers s " .
"INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.mayshopfor " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}items i ON u.userid = i.userid " .
"WHERE s.shopper = " . $userid . " " .
$stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname, u.comment, u.list_stamp, COUNT(i.itemid) AS itemcount " .
"FROM {$opt["table_prefix"]}shoppers s " .
"INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.mayshopfor " .
"LEFT OUTER JOIN {$opt["table_prefix"]}items i ON u.userid = i.userid " .
"WHERE s.shopper = ? " .
"AND pending = 0 " .
"GROUP BY u.userid, u.fullname, u.list_stamp " .
"ORDER BY u.fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
"ORDER BY u.fullname");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$shoppees = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$row['list_stamp'] = ($row['list_stamp == 0'] ? '-' : strftime("%m/%d/%Y", strtotime($row['list_stamp'])));
$shoppees[] = $row;
}
mysql_free_result($rs);
$query = "SELECT DISTINCT u.userid, u.fullname, s.pending " .
"FROM {$OPT["table_prefix"]}memberships mymem " .
"INNER JOIN {$OPT["table_prefix"]}memberships others " .
"ON others.familyid = mymem.familyid AND others.userid <> " . $userid . " " .
"INNER JOIN {$OPT["table_prefix"]}users u " .
$stmt = $smarty->dbh()->prepare("SELECT DISTINCT u.userid, u.fullname, s.pending " .
"FROM {$opt["table_prefix"]}memberships mymem " .
"INNER JOIN {$opt["table_prefix"]}memberships others " .
"ON others.familyid = mymem.familyid AND others.userid <> ? " .
"INNER JOIN {$opt["table_prefix"]}users u " .
"ON u.userid = others.userid " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}shoppers s " .
"ON s.mayshopfor = others.userid AND s.shopper = " . $userid . " " .
"WHERE mymem.userid = " . $userid . " " .
"LEFT OUTER JOIN {$opt["table_prefix"]}shoppers s " .
"ON s.mayshopfor = others.userid AND s.shopper = ? " .
"WHERE mymem.userid = ? " .
"AND (s.pending IS NULL OR s.pending = 1) " .
"AND u.approved = 1 " .
"ORDER BY u.fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
"ORDER BY u.fullname");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindParam(2, $userid, PDO::PARAM_INT);
$stmt->bindParam(3, $userid, PDO::PARAM_INT);
$stmt->execute();
$prospects = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$prospects[] = $row;
}
mysql_free_result($rs);
$query = "SELECT messageid, u.fullname, message, created " .
"FROM {$OPT["table_prefix"]}messages m " .
"INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = m.sender " .
"WHERE m.recipient = " . $userid . " " .
$stmt = $smarty->dbh()->prepare("SELECT messageid, u.fullname, message, created " .
"FROM {$opt["table_prefix"]}messages m " .
"INNER JOIN {$opt["table_prefix"]}users u ON u.userid = m.sender " .
"WHERE m.recipient = ? " .
"AND m.isread = 0 " .
"ORDER BY created DESC";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
"ORDER BY created DESC");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$messages = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$row['created'] = strftime("%a, %b %d", strtotime($row['created']));
while ($row = $stmt->fetch()) {
$row['created'] = strftime("%m/%d/%Y", strtotime($row['created']));
$messages[] = $row;
}
mysql_free_result($rs);
$query = "SELECT CONCAT(YEAR(CURDATE()),'-',MONTH(eventdate),'-',DAYOFMONTH(eventdate)) AS DateThisYear, " .
"TO_DAYS(CONCAT(YEAR(CURDATE()),'-',MONTH(eventdate),'-',DAYOFMONTH(eventdate))) AS ToDaysDateThisYear, " .
"CONCAT(YEAR(CURDATE()) + 1,'-',MONTH(eventdate),'-',DAYOFMONTH(eventdate)) AS DateNextYear, " .
@ -167,28 +184,32 @@ $query = "SELECT CONCAT(YEAR(CURDATE()),'-',MONTH(eventdate),'-',DAYOFMONTH(even
"TO_DAYS(CURDATE()) AS ToDaysToday, " .
"TO_DAYS(eventdate) AS ToDaysEventDate, " .
"e.userid, u.fullname, description, eventdate, recurring, s.pending " .
"FROM {$OPT["table_prefix"]}events e " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}users u ON u.userid = e.userid " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}shoppers s ON s.mayshopfor = e.userid AND s.shopper = $userid ";
if ($OPT["show_own_events"])
"FROM {$opt["table_prefix"]}events e " .
"LEFT OUTER JOIN {$opt["table_prefix"]}users u ON u.userid = e.userid " .
"LEFT OUTER JOIN {$opt["table_prefix"]}shoppers s ON s.mayshopfor = e.userid AND s.shopper = ? ";
if ($opt["show_own_events"])
$query .= "WHERE (pending = 0 OR pending IS NULL)";
else
$query .= "WHERE (e.userid <> $userid OR e.userid IS NULL) AND (pending = 0 OR pending IS NULL)";
$query .= "WHERE (e.userid <> ? OR e.userid IS NULL) AND (pending = 0 OR pending IS NULL)";
$query .= "ORDER BY u.fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare($query);
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
if (!$opt["show_own_events"])
$stmt->bindParam(2, $userid, PDO::PARAM_INT);
$stmt->execute();
$events = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$event_fullname = $row["fullname"];
$days_left = -1;
if (!$row["recurring"] && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) <= $OPT["event_threshold"])) {
if (!$row["recurring"] && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) <= $opt["event_threshold"])) {
$days_left = $row["ToDaysEventDate"] - $row["ToDaysToday"];
$event_date = strtotime($row["eventdate"]);
}
else if ($row["recurring"] && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) <= $OPT["event_threshold"])) {
else if ($row["recurring"] && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) <= $opt["event_threshold"])) {
$days_left = $row["ToDaysDateThisYear"] - $row["ToDaysToday"];
$event_date = strtotime($row["DateThisYear"]);
}
else if ($row["recurring"] && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) <= $OPT["event_threshold"])) {
else if ($row["recurring"] && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) <= $opt["event_threshold"])) {
$days_left = $row["ToDaysDateNextYear"] - $row["ToDaysToday"];
$event_date = strtotime($row["DateNextYear"]);
}
@ -202,7 +223,6 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$events[] = $thisevent;
}
}
mysql_free_result($rs);
function compareEvents($a, $b) {
if ($a[0] == $b[0])
@ -215,38 +235,36 @@ function compareEvents($a, $b) {
// sort() wanted to sort based on the array keys, which were 0..n - 1, so that was useless.
usort($events, "compareEvents");
if ($OPT["shop_requires_approval"]) {
if ($opt["shop_requires_approval"]) {
$query = "SELECT u.userid, u.fullname " .
"FROM {$OPT["table_prefix"]}shoppers s " .
"INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.shopper " .
"WHERE s.mayshopfor = " . $userid . " " .
"FROM {$opt["table_prefix"]}shoppers s " .
"INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.shopper " .
"WHERE s.mayshopfor = ? " .
"AND s.pending = 1 " .
"ORDER BY u.fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare($query);
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$pending = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$pending[] = $row;
}
mysql_free_result($rs);
}
if (($_SESSION["admin"] == 1) && $OPT["newuser_requires_approval"]) {
if (($_SESSION["admin"] == 1) && $opt["newuser_requires_approval"]) {
$query = "SELECT userid, fullname, email, approved, initialfamilyid, familyname " .
"FROM {$OPT["table_prefix"]}users u " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}families f ON f.familyid = u.initialfamilyid " .
"FROM {$opt["table_prefix"]}users u " .
"LEFT OUTER JOIN {$opt["table_prefix"]}families f ON f.familyid = u.initialfamilyid " .
"WHERE approved = 0 " .
"ORDER BY fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare($query);
$stmt->execute();
$approval = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$approval[] = $row;
}
mysql_free_result($rs);
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('fullname', $_SESSION['fullname']);
if (isset($message)) {
$smarty->assign('message', $message);
@ -258,10 +276,14 @@ $smarty->assign('shoppees', $shoppees);
$smarty->assign('prospects', $prospects);
$smarty->assign('messages', $messages);
$smarty->assign('events', $events);
$smarty->assign('pending', $pending);
$smarty->assign('approval', $approval);
if (isset($pending)) {
$smarty->assign('pending', $pending);
}
if (isset($approval)) {
$smarty->assign('approval', $approval);
}
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION['admin']);
$smarty->assign('opt', $OPT);
$smarty->assign('opt', $smarty->opt());
$smarty->display('home.tpl');
?>
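Review bot: `$message = $_GET["message"];` drops the `strip_tags()` the old line applied, and the raw value is later handed to the template via `$smarty->assign('message', $message);`; unless `MySmarty` turns on Smarty's `escape_html` (not visible in this section) this is a reflected XSS where the old code at least removed tags. If the intent is to escape at output rather than mangle input, the template must render it as `{$message|escape}` or `MySmarty` must set `$smarty->escape_html = true`, and a one-line comment at this assignment saying where escaping happens would save the next reader the search. In the `@ -258,10 +276,14 @@` hunk, `$smarty->assign('opt', $smarty->opt());` passes the whole options array to the template, and the new `config.php` in this commit keeps `pdo_username`/`pdo_password` in that same array, so templates can now read the database credentials; assign a copy with the `pdo_*` keys unset instead. In the paging hunk, `for ($i = 0; $i < $offset; $i++, ++$myitems_count)` increments the count even when `$stmt->fetch()` returns false, so `$myitems_count` overstates the total whenever `$offset` exceeds the row count; only counting iterations where a row was returned restores the exact count `mysql_num_rows` used to give.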


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -30,12 +31,18 @@ else {
// to $userid. all operations on this page should only be performed by
// the item's owner.
if (isset($_REQUEST["itemid"]) && $_REQUEST["itemid"] != "") {
$rs = mysql_query("SELECT * FROM {$OPT["table_prefix"]}items WHERE userid = $userid AND itemid = " . (int) $_REQUEST["itemid"]) or die("Could not query: " . mysql_error());
if (mysql_num_rows($rs) == 0) {
echo "Nice try! (That's not your item.)";
exit;
try {
$stmt = $smarty->dbh()->prepare("SELECT * FROM {$opt["table_prefix"]}items WHERE userid = ? AND itemid = ?");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindValue(2, (int) $_REQUEST["itemid"], PDO::PARAM_INT);
$stmt->execute();
if (!$stmt->fetch()) {
die("Nice try! (That's not your item.)");
}
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
mysql_free_result($rs);
}
$action = "";
@ -53,16 +60,6 @@ if (!empty($_REQUEST["action"])) {
$comment = $_REQUEST["comment"];
$quantity = (int) $_REQUEST["quantity"];
if (!get_magic_quotes_gpc()) {
$description = addslashes($description);
$price = addslashes($price);
$source = addslashes($source);
$url = addslashes($url);
$category = addslashes($category);
$ranking = addslashes($ranking);
$comment = addslashes($comment);
}
$haserror = false;
if ($description == "") {
$haserror = true;
@ -92,7 +89,7 @@ if (!empty($_REQUEST["action"])) {
if (!$haserror) {
if ($_REQUEST["image"] == "remove" || $_REQUEST["image"] == "replace") {
deleteImageForItem((int) $_REQUEST["itemid"]);
deleteImageForItem((int) $_REQUEST["itemid"], $smarty->dbh(), $smarty->opt());
}
if ($_REQUEST["image"] == "upload" || $_REQUEST["image"] == "replace") {
/* TODO: verify that it's an image using $_FILES["imagefile"]["type"] */
@ -103,7 +100,7 @@ if (!empty($_REQUEST["action"])) {
$parts = pathinfo($_SERVER["SCRIPT_FILENAME"]);
$upload_dir = $parts['dirname'];
// generate a temporary file in the configured directory.
$temp_name = tempnam($upload_dir . "/" . $OPT["image_subdir"],"");
$temp_name = tempnam($upload_dir . "/" . $opt["image_subdir"],"");
// unlink it, we really want an extension on that.
unlink($temp_name);
// here's the name we really want to use. full path is included.
@ -116,29 +113,44 @@ if (!empty($_REQUEST["action"])) {
}
if ($action == "delete") {
/* find out if this item is bought or reserved. */
$query = "SELECT a.userid, a.quantity, a.bought, i.description FROM {$OPT["table_prefix"]}allocs a INNER JOIN {$OPT["table_prefix"]}items i ON i.itemid = a.itemid WHERE a.itemid = " . (int) $_REQUEST["itemid"];
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
while ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
$buyerid = $row["userid"];
$quantity = $row["quantity"];
$bought = $row["bought"];
sendMessage($userid,
try {
/* find out if this item is bought or reserved. */
$stmt = $smarty->dbh()->prepare("SELECT a.userid, a.quantity, a.bought, i.description FROM {$opt["table_prefix"]}allocs a INNER JOIN {$opt["table_prefix"]}items i ON i.itemid = a.itemid WHERE a.itemid = ?");
$stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT);
$stmt->execute();
while ($row = $stmt->fetch()) {
$buyerid = $row["userid"];
$quantity = $row["quantity"];
$bought = $row["bought"];
sendMessage($userid,
$buyerid,
addslashes("\"" . mysql_escape_string($row["description"]) . "\" that you " . (($bought == 1) ? "bought" : "reserved") . " $quantity of for {$_SESSION["fullname"]} has been deleted. Check your reservation/purchase to ensure it's still needed."));
$row["description"] . " that you " . (($bought == 1) ? "bought" : "reserved") . " $quantity of for {$_SESSION["fullname"]} has been deleted. Check your reservation/purchase to ensure it's still needed.",
$smarty->dbh(),
$smarty->opt());
}
deleteImageForItem((int) $_REQUEST["itemid"], $smarty->dbh(), $smarty->opt());
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE itemid = ?");
$stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT);
$stmt->execute();
// TODO: are we leaking allocs records here?
stampUser($userid, $smarty->dbh(), $smarty->opt());
header("Location: " . getFullPath("index.php?message=Item+deleted."));
exit;
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
mysql_free_result($rs);
deleteImageForItem((int) $_REQUEST["itemid"]);
$query = "DELETE FROM {$OPT["table_prefix"]}items WHERE itemid = " . (int) $_REQUEST["itemid"];
mysql_query($query) or die("Could not query: " . mysql_error());
stampUser($userid);
header("Location: " . getFullPath("index.php?message=Item+deleted."));
exit;
}
else if ($action == "edit") {
$query = "SELECT description, price, source, category, url, ranking, comment, quantity, image_filename FROM {$OPT["table_prefix"]}items WHERE itemid = " . (int) $_REQUEST["itemid"];
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
$stmt = $smarty->dbh()->prepare("SELECT description, price, source, category, url, ranking, comment, quantity, image_filename FROM {$opt["table_prefix"]}items WHERE itemid = ?");
$stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$description = $row["description"];
$price = number_format($row["price"],2,".",",");
$source = $row["source"];
@ -149,7 +161,6 @@ if (!empty($_REQUEST["action"])) {
$quantity = (int) $row["quantity"];
$image_filename = $row["image_filename"];
}
mysql_free_result($rs);
}
else if ($action == "add") {
$description = "";
@ -164,10 +175,24 @@ if (!empty($_REQUEST["action"])) {
}
else if ($action == "insert") {
if (!$haserror) {
$query = "INSERT INTO {$OPT["table_prefix"]}items(userid,description,price,source,category,url,ranking,comment,quantity" . ($image_base_filename != "" ? ",image_filename" : "") . ") " .
"VALUES($userid,'$description',$price,'$source'," . (($category == "") ? "NULL" : "'$category'") . "," . (($url == "") ? "NULL" : "'$url'") . ",$ranking," . (($comment == "") ? "NULL" : "'$comment'") . ",$quantity" . ($image_base_filename != "" ? ",'$image_base_filename'" : "") . ")";
mysql_query($query) or die("Could not query: " . mysql_error());
stampUser($userid);
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}items(userid,description,price,source,category,url,ranking,comment,quantity" . ($image_base_filename != "" ? ",image_filename" : "") . ") " .
"VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?" . ($image_base_filename != "" ? ", ?)" : ")"));
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindParam(2, $description, PDO::PARAM_STR);
$stmt->bindParam(3, $price);
$stmt->bindParam(4, $source, PDO::PARAM_STR);
$stmt->bindParam(5, $category, PDO::PARAM_INT);
$stmt->bindParam(6, $url, PDO::PARAM_STR);
$stmt->bindParam(7, $ranking, PDO::PARAM_INT);
$stmt->bindParam(8, $comment, PDO::PARAM_STR);
$stmt->bindParam(9, $quantity, PDO::PARAM_INT);
if ($image_base_filename != "") {
$stmt->bindParam(10, $image_base_filename);
}
$stmt->execute();
stampUser($userid, $smarty->dbh(), $smarty->opt());
header("Location: " . getFullPath("index.php"));
exit;
}
@ -175,19 +200,37 @@ if (!empty($_REQUEST["action"])) {
else if ($action == "update") {
if (!$haserror) {
// TODO: if the quantity is updated, send a message to everyone who has an allocation for it.
$query = "UPDATE {$OPT["table_prefix"]}items SET " .
"description = '$description', " .
"price = $price, " .
"source = '$source', " .
"category = " . (($category == "") ? "NULL" : "'$category'") . ", " .
"url = " . (($url == "") ? "NULL" : "'$url'") . ", " .
"ranking = $ranking, " .
"comment = " . (($comment == "") ? "NULL" : "'$comment'") . ", " .
"quantity = $quantity " .
($image_base_filename != "" ? ", image_filename = '$image_base_filename' " : "") .
"WHERE itemid = " . (int) $_REQUEST["itemid"];
mysql_query($query) or die("Could not query: " . mysql_error());
stampUser($userid);
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET " .
"description = ?, " .
"price = ?, " .
"source = ?, " .
"category = ?, " .
"url = ?, " .
"ranking = ?, " .
"comment = ?, " .
"quantity = ? " .
($image_base_filename != "" ? ", image_filename = ? " : "") .
"WHERE itemid = ?");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindParam(2, $description, PDO::PARAM_STR);
$stmt->bindParam(3, $price);
$stmt->bindParam(4, $source, PDO::PARAM_STR);
$stmt->bindParam(5, $category, PDO::PARAM_INT);
$stmt->bindParam(6, $url, PDO::PARAM_STR);
$stmt->bindParam(7, $ranking, PDO::PARAM_INT);
$stmt->bindParam(8, $comment, PDO::PARAM_STR);
$stmt->bindParam(9, $quantity, PDO::PARAM_INT);
if ($image_base_filename != "") {
$stmt->bindParam(10, $image_base_filename);
$stmt->bindParam(11, (int) $_REQUEST["itemid"], PDO::PARAM_INT);
}
else {
$stmt->bindParam(10, (int) $_REQUEST["itemid"], PDO::PARAM_INT);
}
$stmt->execute();
stampUser($userid, $smarty->dbh(), $smarty->opt());
header("Location: " . getFullPath("index.php"));
exit;
}
@ -198,23 +241,20 @@ if (!empty($_REQUEST["action"])) {
}
}
$rs = mysql_query("SELECT categoryid, category FROM {$OPT["table_prefix"]}categories ORDER BY category");
$stmt = $smarty->dbh()->prepare("SELECT categoryid, category FROM {$opt["table_prefix"]}categories ORDER BY category");
$stmt->execute();
$categories = array();
while ($row = mysql_fetch_assoc($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$categories[] = $row;
}
mysql_free_result($rs);
$query = "SELECT ranking, title FROM {$OPT["table_prefix"]}ranks ORDER BY rankorder";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("SELECT ranking, title FROM {$opt["table_prefix"]}ranks ORDER BY rankorder");
$stmt->execute();
$ranks = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$ranks[] = $row;
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('userid', $userid);
$smarty->assign('action', $action);
$smarty->assign('haserror', $haserror);
@ -254,6 +294,6 @@ $smarty->assign('comment', $comment);
$smarty->assign('categories', $categories);
$smarty->assign('ranks', $ranks);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->assign('opt', $smarty->opt());
$smarty->display('item.tpl');
?>
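Review bot: The UPDATE prepared at the start of the `$action == "update"` hunk has no userid column, yet `$stmt->bindParam(1, $userid, PDO::PARAM_INT);` is still bound first, so every later value is shifted one placeholder to the right (description receives `$userid`, price receives `$description`, and so on) and the last index has no placeholder, which PDO rejects as an invalid parameter number at execute time. In the same hunk `$stmt->bindParam(11, (int) $_REQUEST["itemid"], PDO::PARAM_INT);` and its else-branch twin pass a cast expression to a by-reference parameter, which PHP does not allow; `bindValue` is what the edit and delete hunks above already use for this id. Removing the userid binding and renumbering gives the block below. Separately, the removed INSERT and UPDATE strings wrote NULL for an empty category, url or comment, while the new bindings send the empty string (and `PDO::PARAM_INT` on an empty category presumably binds 0), which may conflict with the foreign key that the category delete path clears; worth confirming against the schema. The enclosing `else if ($action == "update")` block closes outside the hunk.
```php
// … unchanged: $stmt = $smarty->dbh()->prepare("UPDATE ... WHERE itemid = ?"); …
$stmt->bindParam(1, $description, PDO::PARAM_STR);
$stmt->bindParam(2, $price);
$stmt->bindParam(3, $source, PDO::PARAM_STR);
$stmt->bindParam(4, $category, PDO::PARAM_INT);
$stmt->bindParam(5, $url, PDO::PARAM_STR);
$stmt->bindParam(6, $ranking, PDO::PARAM_INT);
$stmt->bindParam(7, $comment, PDO::PARAM_STR);
$stmt->bindParam(8, $quantity, PDO::PARAM_INT);
$itemid = (int) $_REQUEST["itemid"];
if ($image_base_filename != "") {
    $stmt->bindParam(9, $image_base_filename);
    $stmt->bindValue(10, $itemid, PDO::PARAM_INT);
}
else {
    $stmt->bindValue(9, $itemid, PDO::PARAM_INT);
}
// … unchanged: $stmt->execute(); stampUser(...); header(...); exit; …
```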


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
if (isset($_GET["action"])) {
if ($_GET["action"] == "logout") {
@ -25,30 +26,35 @@ if (isset($_GET["action"])) {
}
if (!empty($_POST["username"])) {
include "db.php";
$username = $_POST["username"];
$password = $_POST["password"];
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
try {
$stmt = $smarty->dbh()->prepare("SELECT userid, fullname, admin FROM {$opt["table_prefix"]}users WHERE username = ? AND password = {$opt["password_hasher"]}(?) AND approved = 1");
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->bindParam(2, $password, PDO::PARAM_STR);
$stmt->execute();
if ($row = $stmt->fetch()) {
session_start();
$_SESSION["userid"] = $row["userid"];
$_SESSION["fullname"] = $row["fullname"];
$_SESSION["admin"] = $row["admin"];
header("Location: " . getFullPath("index.php"));
exit;
}
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
$query = "SELECT userid, fullname, admin FROM {$OPT["table_prefix"]}users WHERE username = '$username' AND password = {$OPT["password_hasher"]}('$password') AND approved = 1";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
session_start();
$_SESSION["userid"] = $row["userid"];
$_SESSION["fullname"] = $row["fullname"];
$_SESSION["admin"] = $row["admin"];
header("Location: " . getFullPath("index.php"));
mysql_free_result($rs);
exit;
}
$smarty->assign('username', $username);
$smarty->assign('opt', $smarty->opt());
$smarty->display('login.tpl');
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('username', $_POST['username']);
$smarty->assign('opt', $OPT);
$smarty->display('login.tpl');
else {
$smarty->assign('opt', $smarty->opt());
$smarty->display('login.tpl');
}
?>
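Review bot: The `catch (PDOException $e)` block at the end of this hunk writes `$e->getMessage()` to the response, and the item, message, mylist and profile sections on this page do the same; PDO messages can carry the SQL text, table names and, on a failed connection, the DSN and database user, so they belong in the server log rather than in the page a visitor sees. A fixed message such as `die("A database error occurred.");` after `error_log($e->getMessage());` keeps the diagnostics without disclosing them. In the success branch, `session_start()` is followed directly by the assignments to `$_SESSION`; calling `session_regenerate_id(true)` in between ensures a session id issued before authentication is not the one that carries the logged-in state.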


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -26,48 +27,42 @@ else {
$userid = $_SESSION["userid"];
}
$action = "";
if (!empty($_GET["action"])) {
$action = $_GET["action"];
if ($action == "send") {
$msg = $_GET["msg"];
if (!get_magic_quotes_gpc())
$msg = addslashes($msg);
$action = empty($_GET["action"]) ? "" : $_GET["action"];
for ($i = 0; $i < count($_GET["recipients"]); $i++)
sendMessage($userid,(int) $_GET["recipients"][$i],$msg);
if ($action == "send") {
$msg = $_GET["msg"];
for ($i = 0; $i < count($_GET["recipients"]); $i++)
sendMessage($userid, (int) $_GET["recipients"][$i], $msg, $smarty->dbh(), $smarty->opt());
header("Location: " . getFullPath("index.php?message=Your+message+has+been+sent+to+" . count($_GET["recipients"]) . "+recipient(s)."));
exit;
}
else {
echo "Unknown verb.";
exit;
}
header("Location: " . getFullPath("index.php?message=Your+message+has+been+sent+to+" . count($_GET["recipients"]) . "+recipient(s)."));
exit;
}
$query = "SELECT u.userid, u.fullname " .
"FROM {$OPT["table_prefix"]}shoppers s " .
"INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.mayshopfor " .
"WHERE s.shopper = " . $userid . " " .
try {
$stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname " .
"FROM {$opt["table_prefix"]}shoppers s " .
"INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.mayshopfor " .
"WHERE s.shopper = ? " .
"AND pending = 0 " .
"ORDER BY u.fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$recipients = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$recipients[] = $row;
}
$rcount = mysql_num_rows($rs);
mysql_free_result($rs);
"ORDER BY u.fullname");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$recipients = array();
$rcount = 0;
while ($row = $stmt->fetch()) {
$recipients[] = $row;
++$rcount;
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('recipients', $recipients);
$smarty->assign('rcount', $rcount);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->display('message.tpl');
$smarty->assign('recipients', $recipients);
$smarty->assign('rcount', $rcount);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $smarty->opt());
$smarty->display('message.tpl');
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
?>
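Review bot: The `send` branch loops over `$_GET["recipients"]` and calls `sendMessage` for each id without checking that the id appears in the shoppers query below (the users this account may shop for); whether `sendMessage` itself enforces that relation is not visible here, so it is worth confirming or filtering the ids against that result set before sending. `count($_GET["recipients"])` is also evaluated with no guard, so a request without the parameter, or with a scalar value, produces a warning or a `TypeError` on newer PHP; `$recipient_ids = isset($_GET["recipients"]) ? (array) $_GET["recipients"] : array();` at the top of the branch gives the loop and the redirect message a safe list to count. The `try` opened before the shoppers SELECT also wraps the Smarty assignments and `display()`, so narrowing it to the prepare/execute/fetch lines would keep the "sql exception" label accurate.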


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -51,36 +52,40 @@ switch($sort) {
$sortby = "rankorder DESC, source, price";
}
$query = "SELECT description, source, price, i.comment, i.quantity, i.quantity * i.price AS total, rendered, c.category " .
"FROM {$OPT["table_prefix"]}items i " .
"INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = i.userid " .
"INNER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}categories c ON c.categoryid = i.category " .
"WHERE u.userid = " . $_SESSION["userid"] . " " .
"ORDER BY $sortby";
$rs = mysql_query($query) or die("Could not query $query: " . mysql_error());
$shoplist = array();
$totalprice = 0;
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$totalprice += $row["total"];
if ($row["quantity"] == 1)
$row["price"] = formatPrice($row["price"]);
else
$row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"]) . " = " . formatPrice($row["total"]);
$shoplist[] = $row;
try {
// not worried about SQL injection since $sortby is calculated above.
$stmt = $smarty->dbh()->prepare("SELECT description, source, price, i.comment, i.quantity, i.quantity * i.price AS total, rendered, c.category " .
"FROM {$opt["table_prefix"]}items i " .
"INNER JOIN {$opt["table_prefix"]}users u ON u.userid = i.userid " .
"INNER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking " .
"LEFT OUTER JOIN {$opt["table_prefix"]}categories c ON c.categoryid = i.category " .
"WHERE u.userid = ? " .
"ORDER BY " . $sortby);
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$shoplist = array();
$totalprice = 0;
$itemcount = 0;
while ($row = $stmt->fetch()) {
$totalprice += $row["total"];
++$itemcount;
if ($row["quantity"] == 1)
$row["price"] = formatPrice($row["price"], $opt);
else
$row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"], $opt) . " = " . formatPrice($row["total"], $opt);
$shoplist[] = $row;
}
$smarty->assign('shoplist', $shoplist);
$smarty->assign('totalprice', formatPrice($totalprice, $opt));
$smarty->assign('itemcount', $itemcount);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $smarty->opt());
$smarty->display('mylist.tpl');
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
$itemcount = mysql_num_rows($rs);
mysql_free_result($rs);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('shoplist', $shoplist);
$smarty->assign('totalprice', formatPrice($totalprice));
$smarty->assign('itemcount', $itemcount);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->display('mylist.tpl');
?>
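Review bot: The comment `// not worried about SQL injection since $sortby is calculated above.` asserts a property the reader cannot check inside this hunk: `$sortby` is concatenated into the ORDER BY, and its safety depends on every branch of the `switch($sort)` above the hunk, including the default, assigning a literal column list. Stating that invariant in the comment, e.g. `// $sortby is one of the literal column lists chosen by the switch above, never request input, so concatenating it is safe.`, tells the next maintainer what must stay true when a branch is added.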


@ -14,9 +14,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -33,55 +34,70 @@ if (!empty($_POST["action"])) {
if ($action == "changepwd") {
$newpwd = $_POST["newpwd"];
if (!get_magic_quotes_gpc())
$newpwd = addslashes($newpwd);
$query = "UPDATE {$OPT["table_prefix"]}users SET password = {$OPT["password_hasher"]}('$newpwd') WHERE userid = $userid";
mysql_query($query) or die("Could run query: " . mysql_error());
header("Location: " . getFullPath("index.php?message=Password+changed."));
exit;
try {
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET password = {$opt["password_hasher"]}(?) WHERE userid = ?");
$stmt->bindParam(1, $newpwd, PDO::PARAM_STR);
$stmt->bindParam(2, $userid, PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("index.php?message=Password+changed."));
exit;
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
}
else if ($action == "save") {
$fullname = $_POST["fullname"];
$email = $_POST["email"];
$comment = $_POST["comment"];
$email_msgs = ($_POST["email_msgs"] == "on" ? 1 : 0);
if (!get_magic_quotes_gpc()) {
$fullname = addslashes($fullname);
$email = addslashes($email);
$comment = addslashes($comment);
try {
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET fullname = ?, email = ?, email_msgs = ?, comment = ? WHERE userid = ?");
$stmt->bindParam(1, $fullname, PDO::PARAM_STR);
$stmt->bindParam(2, $email, PDO::PARAM_STR);
$stmt->bindParam(3, $email_msgs, PDO::PARAM_BOOL);
$stmt->bindParam(4, $comment, PDO::PARAM_STR);
$stmt->bindParam(5, $userid, PDO::PARAM_INT);
$stmt->execute();
$_SESSION["fullname"] = $fullname;
header("Location: " . getFullPath("index.php?message=Profile+updated."));
exit;
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
$query = "UPDATE {$OPT["table_prefix"]}users SET fullname = '$fullname', email = '$email', email_msgs = $email_msgs, comment = " . ($comment == "" ? "NULL" : "'$comment'") . " WHERE userid = $userid";
mysql_query($query) or die("Couldn't run query: " . mysql_error());
$_SESSION["fullname"] = stripslashes($fullname);
header("Location: " . getFullPath("index.php?message=Profile+updated."));
exit;
}
else {
echo "Unknown verb.";
exit;
die("Unknown verb.");
}
}
$query = "SELECT fullname, email, email_msgs, comment FROM {$OPT["table_prefix"]}users WHERE userid = " . $userid;
$rs = mysql_query($query) or die("You don't exist: " . mysql_error());
$row = mysql_fetch_array($rs, MYSQL_ASSOC);
$fullname = $row['fullname'];
$email = $row['email'];
$email_msgs = $row['email_msgs'];
$comment = $row['comment'];
mysql_free_result($rs);
try {
$stmt = $smarty->dbh()->prepare("SELECT fullname, email, email_msgs, comment FROM {$opt["table_prefix"]}users WHERE userid = ?");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('fullname', $fullname);
$smarty->assign('email', $email);
$smarty->assign('email_msgs', $email_msgs);
$smarty->assign('comment', $comment);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->display('profile.tpl');
$stmt->execute();
if ($row = $stmt->fetch()) {
$smarty->assign('fullname', $row["fullname"]);
$smarty->assign('email', $row["email"]);
$smarty->assign('email_msgs', $row["email_msgs"]);
$smarty->assign('comment', $row["comment"]);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $smarty->opt());
$smarty->display('profile.tpl');
}
else {
die("You don't exist.");
}
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
?>
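Review bot: In the `save` branch, `$stmt->bindParam(4, $comment, PDO::PARAM_STR);` always writes the submitted string, whereas the removed query stored NULL when `$comment == ""`; rows that previously distinguished "no comment" from an empty comment now receive an empty string, so any code or constraint that relies on NULL there should be checked. If NULL is the intended value, `$stmt->bindValue(4, $comment === "" ? null : $comment, $comment === "" ? PDO::PARAM_NULL : PDO::PARAM_STR);` restores the old behaviour. `$email_msgs` is already normalised to 0/1 on the line above the `try`, so binding it as `PDO::PARAM_INT` rather than `PDO::PARAM_BOOL` avoids driver-specific handling of boolean parameters. The `changepwd` branch still accepts `$newpwd` without checking that it is non-empty, so an empty POST field silently sets the password to the hash of an empty string; a length check before the prepare, returning to the form with an error, closes that.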


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -30,7 +31,7 @@ else {
$userid = $_SESSION["userid"];
}
if (!empty($_GET["message"])) {
$message = strip_tags($_GET["message"]);
$message = $_GET["message"];
}
$action = $_GET["action"];
@ -39,10 +40,6 @@ if ($action == "insert" || $action == "update") {
/* validate the data. */
$title = trim($_GET["title"]);
$rendered = trim($_GET["rendered"]);
if (!get_magic_quotes_gpc()) {
$title = addslashes($title);
$rendered = addslashes($rendered);
}
$haserror = false;
if ($title == "") {
@ -57,37 +54,49 @@ if ($action == "insert" || $action == "update") {
if ($action == "delete") {
/* first, NULL all ranking FKs for items that use this rank. */
$query = "UPDATE {$OPT["table_prefix"]}items SET ranking = NULL WHERE ranking = " . addslashes($_GET["ranking"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$query = "DELETE FROM {$OPT["table_prefix"]}ranks WHERE ranking = " . addslashes($_GET["ranking"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET ranking = NULL WHERE ranking = ?");
$stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}ranks WHERE ranking = ?");
$stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("ranks.php?message=Rank+deleted."));
exit;
}
else if ($action == "promote") {
$query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE rankorder = " . addslashes($_GET["rankorder"]) . " - 1";
mysql_query($query) or die("Could not query: " . mysql_error());
$query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE ranking = " . addslashes($_GET["ranking"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE rankorder = ? - 1");
$stmt->bindValue(1, (int) $_GET["rankorder"], PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE ranking = ?");
$stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("ranks.php?message=Rank+promoted."));
exit;
}
else if ($action == "demote") {
$query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE rankorder = " . addslashes($_GET["rankorder"]) . " + 1";
mysql_query($query) or die("Could not query: " . mysql_error());
$query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE ranking = " . addslashes($_GET["ranking"]);
mysql_query($query) or die("Could not query: " . mysql_error());
header("Location: " . getFullPath("ranks.php?message=Rank+demoted."));
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE rankorder = ? + 1");
$stmt->bindValue(1, (int) $_GET["rankorder"], PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE ranking = ?");
$stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("ranks.php?message=Rank+demoted."));
exit;
}
else if ($action == "edit") {
$query = "SELECT title, rendered FROM {$OPT["table_prefix"]}ranks WHERE ranking = " . addslashes($_GET["ranking"]);
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
$stmt = $smarty->dbh()->prepare("SELECT title, rendered FROM {$opt["table_prefix"]}ranks WHERE ranking = ?");
$stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$title = $row["title"];
$rendered = $row["rendered"];
}
mysql_free_result($rs);
}
else if ($action == "") {
$title = "";
@ -95,47 +104,49 @@ else if ($action == "") {
}
else if ($action == "insert") {
if (!$haserror) {
/* first determine the highest rankorder and add one. */
$query = "SELECT MAX(rankorder) as maxrankorder FROM {$OPT["table_prefix"]}ranks";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC))
/* we can't assume the DB has a sequence on this so determine the highest rankorder and add one. */
$stmt = $smarty->dbh()->prepare("SELECT MAX(rankorder) as maxrankorder FROM {$opt["table_prefix"]}ranks");
$stmt->execute();
if ($row = $stmt->fetch()) {
$rankorder = $row["maxrankorder"] + 1;
mysql_free_result($rs);
$query = "INSERT INTO {$OPT["table_prefix"]}ranks(title,rendered,rankorder) " .
"VALUES('$title','$rendered',$rankorder)";
mysql_query($query) or die("Could not query: " . mysql_error());
header("Location: " . getFullPath("ranks.php?message=Rank+added."));
exit;
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}ranks(title,rendered,rankorder) VALUES(?, ?, ?)");
$stmt->bindParam(1, $title, PDO::PARAM_STR);
$stmt->bindParam(2, $rendered, PDO::PARAM_STR);
$stmt->bindParam(3, $rankorder, PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("ranks.php?message=Rank+added."));
exit;
}
}
}
else if ($action == "update") {
if (!$haserror) {
$query = "UPDATE {$OPT["table_prefix"]}ranks " .
"SET title = '$title', rendered = '$rendered' " .
"WHERE ranking = " . addslashes($_GET["ranking"]);
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks " .
"SET title = ?, rendered = ? " .
"WHERE ranking = ?");
$stmt->bindParam(1, $title, PDO::PARAM_STR);
$stmt->bindParam(2, $rendered, PDO::PARAM_STR);
$stmt->bindValue(3, (int) $_GET["ranking"], PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("ranks.php?message=Rank+updated."));
exit;
}
}
else {
echo "Unknown verb.";
exit;
die("Unknown verb.");
}
$query = "SELECT ranking, title, rendered, rankorder " .
"FROM {$OPT["table_prefix"]}ranks " .
"ORDER BY rankorder";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("SELECT ranking, title, rendered, rankorder " .
"FROM {$opt["table_prefix"]}ranks " .
"ORDER BY rankorder");
$stmt->execute();
$ranks = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$ranks[] = $row;
}
mysql_free_result($rs);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('action', $action);
$smarty->assign('ranks', $ranks);
if (isset($message)) {
@ -152,6 +163,6 @@ if (isset($rendered_error)) {
$smarty->assign('ranking', $_GET["ranking"]);
$smarty->assign('haserror', $haserror);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->assign('opt', $smarty->opt());
$smarty->display('ranks.tpl');
?>
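Review bot: The `promote` and `demote` branches each issue two dependent UPDATEs (shift the neighbouring rank, then move the chosen one) with no transaction, so a failure of the second statement leaves two ranks sharing a rankorder; the `delete` branch's UPDATE-then-DELETE pair has the same exposure. Now that the handle is PDO, wrapping each pair in `$smarty->dbh()->beginTransaction();` … `$smarty->dbh()->commit();`, with `rollBack()` in a `catch (PDOException $e)`, makes the reorder atomic. Unlike the login and profile sections, nothing in this file is inside a try/catch, so if `dbh()` configures `PDO::ERRMODE_EXCEPTION` (not visible here) a failed statement surfaces as an uncaught exception rather than the fixed error text used elsewhere. The if/else chain that starts at the top of the `@ -57,37 +54,49 @@` hunk continues into the next hunk.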


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -30,72 +31,85 @@ $action = (!empty($_GET["action"]) ? $_GET["action"] : "");
$itemid = (int) $_GET["itemid"];
// get details. is this a single-quantity item?
$query = "SELECT quantity FROM {$OPT["table_prefix"]}items WHERE itemid = $itemid";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$row = mysql_fetch_array($rs,MYSQL_ASSOC);
if (!$row) die("Item does not exist.");
$quantity = $row["quantity"];
mysql_free_result($rs);
stampUser($userid);
if ($quantity == 1) {
/* just delete the alloc and the item and get out.
yes, it's possible the item was RESERVED, not PURCHASED. */
deleteImageForItem($itemid);
$query = "DELETE FROM {$OPT["table_prefix"]}allocs WHERE itemid = $itemid";
mysql_query($query) or die("Could not query: " . mysql_error());
$query = "DELETE FROM {$OPT["table_prefix"]}items WHERE itemid = $itemid";
mysql_query($query) or die("Could not query: " . mysql_error());
header("Location: " . getFullPath("index.php?message=Item+marked+as+received."));
exit;
}
else if ($action == "receive") {
// $actual will be a negative number, so let's flip it.
$actual = -adjustAllocQuantity($itemid,(int) $_GET["buyer"],1,-1 * (int) $_GET["quantity"]);
if ($actual < (int) $_GET["quantity"]) {
// $userid didn't have that many bought, so some might have been reserved.
$actual += -adjustAllocQuantity($itemid,(int) $_GET["buyer"],0,-1 * ((int) $_GET["quantity"] - $actual));
}
if ($actual == $quantity) {
// now they're all gone.
deleteImageForItem($itemid);
$query = "DELETE FROM {$OPT["table_prefix"]}items WHERE itemid = $itemid";
try {
$stmt = $smarty->dbh()->prepare("SELECT quantity FROM {$opt["table_prefix"]}items WHERE itemid = ?");
$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$quantity = $row["quantity"];
}
else {
// decrement the item's desired quantity.
$query = "UPDATE {$OPT["table_prefix"]}items SET quantity = quantity - $actual WHERE itemid = $itemid";
die("Item does not exist.");
}
stampUser($userid, $smarty->dbh(), $smarty->opt());
if ($quantity == 1) {
/* just delete the alloc and the item and get out.
yes, it's possible the item was RESERVED, not PURCHASED. */
deleteImageForItem($itemid, $smarty->dbh(), $smarty->opt());
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}allocs WHERE itemid = ?");
$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE itemid = ?");
$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("index.php?message=Item+marked+as+received."));
exit;
}
else if ($action == "receive") {
// $actual will be a negative number, so let's flip it.
$actual = -adjustAllocQuantity($itemid, (int) $_GET["buyer"], 1, -1 * (int) $_GET["quantity"], $smarty->dbh(), $smarty->opt());
mysql_query($query) or die("Could not query: " . mysql_error());
if ($actual < (int) $_GET["quantity"]) {
// $userid didn't have that many bought, so some might have been reserved.
$actual += -adjustAllocQuantity($itemid,(int) $_GET["buyer"],0,-1 * ((int) $_GET["quantity"] - $actual), $smarty->dbh(), $smarty->opt());
}
if ($actual == $quantity) {
// now they're all gone.
deleteImageForItem($itemid, $smarty->dbh(), $smarty->opt());
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE itemid = ?");
$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
$stmt->execute();
}
else {
// decrement the item's desired quantity.
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET quantity = quantity - ? WHERE itemid = ?");
$stmt->bindParam(1, $actual, PDO::PARAM_INT);
$stmt->bindParam(2, $itemid, PDO::PARAM_INT);
$stmt->execute();
}
header("Location: " . getFullPath("index.php?message=Item+marked+as+received."));
exit;
}
header("Location: " . getFullPath("index.php?message=Item+marked+as+received."));
exit;
}
$query = "SELECT u.userid, u.fullname " .
"FROM {$OPT["table_prefix"]}shoppers s " .
"INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.shopper " .
"WHERE s.mayshopfor = " . $userid . " " .
$stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname " .
"FROM {$opt["table_prefix"]}shoppers s " .
"INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.shopper " .
"WHERE s.mayshopfor = ? " .
"AND pending = 0 " .
"ORDER BY u.fullname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$buyers = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$buyers[] = $row;
}
mysql_free_result($buyers);
"ORDER BY u.fullname");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$buyers = array();
while ($row = $stmt->fetch()) {
$buyers[] = $row;
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('buyers', $buyers);
$smarty->assign('quantity', $quantity);
$smarty->assign('itemid', $itemid);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->display('receive.tpl');
$smarty->assign('buyers', $buyers);
$smarty->assign('quantity', $quantity);
$smarty->assign('itemid', $itemid);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $smarty->opt());
$smarty->display('receive.tpl');
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
?>


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -31,44 +32,54 @@ if (!empty($_GET["action"])) {
$action = $_GET["action"];
$itemid = (int) $_GET["itemid"];
if ($action == "reserve") {
adjustAllocQuantity($itemid,$userid,0,+1);
adjustAllocQuantity($itemid,$userid,0,+1, $smarty->dbh(), $smarty->opt());
}
else if ($action == "purchase") {
// decrement reserved.
adjustAllocQuantity($itemid,$userid,0,-1);
adjustAllocQuantity($itemid,$userid,0,-1, $smarty->dbh(), $smarty->opt());
// increment purchased.
adjustAllocQuantity($itemid,$userid,1,+1);
adjustAllocQuantity($itemid,$userid,1,+1, $smarty->dbh(), $smarty->opt());
}
else if ($action == "return") {
// increment reserved.
adjustAllocQuantity($itemid,$userid,0,+1);
adjustAllocQuantity($itemid,$userid,0,+1, $smarty->dbh(), $smarty->opt());
// decrement purchased.
adjustAllocQuantity($itemid,$userid,1,-1);
adjustAllocQuantity($itemid,$userid,1,-1, $smarty->dbh(), $smarty->opt());
}
else if ($action == "release") {
adjustAllocQuantity($itemid,$userid,0,-1);
adjustAllocQuantity($itemid,$userid,0,-1, $smarty->dbh(), $smarty->opt());
}
else if ($action == "copy") {
/*
can't do this because MySQL 3.x doesn't seem to support it (at least the version i was using).
$query = "INSERT INTO items(userid,description,price,source,url,category) SELECT $userid, description, price, source, url, category FROM items WHERE itemid = " . $_GET["itemid"];
mysql_query($query) or die("Could not query: " . mysql_error());
*/
/* TODO: copy the image too? */
$query = "SELECT userid, description, price, source, url, category, comment FROM {$OPT["table_prefix"]}items WHERE itemid = " . (int) $_GET["itemid"];
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$row = mysql_fetch_array($rs,MYSQL_ASSOC) or die("No item to copy.");
$desc = mysql_escape_string($row["description"]);
$source = mysql_escape_string($row["source"]);
$url = mysql_escape_string($row["url"]);
$comment = mysql_escape_string($row["comment"]);
$price = (float) $row["price"];
$cat = (int) $row["category"];
mysql_free_result($rs);
$query = "INSERT INTO {$OPT["table_prefix"]}items(userid,description,price,source,url,comment,category,ranking,quantity) VALUES($userid,'$desc','$price','$source'," . (($url == "") ? "NULL" : "'$url'") . "," . (($comment == "") ? "NULL" : "'$comment'") . "," . (($cat == "") ? "NULL" : $cat) . ",1,1)";
mysql_query($query) or die("Could not query: $query " . mysql_error());
stampUser($userid);
$message = "Added '" . stripslashes($desc) . "' to your gift list.";
$stmt = $smarty->dbh()->prepare("SELECT userid, description, price, source, url, category, comment FROM {$opt["table_prefix"]}items WHERE itemid = ?");
$stmt->bindParam(1, $itemid, PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$desc = $row["description"];
$source = $row["source"];
$url = $row["url"];
$comment = $row["comment"];
$price = (float) $row["price"];
$cat = (int) $row["category"];
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}items(userid,description,price,source,url,comment,category,ranking,quantity) VALUES(?, ?, ?, ?, ?, ?, ?, 1, 1");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindParam(2, $desc, PDO::PARAM_STR);
$stmt->bindParam(3, $price);
$stmt->bindParam(4, $source, PDO::PARAM_STR);
$stmt->bindParam(5, $url, PDO::PARAM_STR);
$stmt->bindParam(6, $comment, PDO::PARAM_STR);
$stmt->bindParam(7, $cat, PDO::PARAM_INT);
$stmt->execute();
stampUser($userid, $smarty->dbh(), $smarty->opt());
$message = "Added '" . $desc . "' to your gift list.";
}
}
}
@ -77,12 +88,14 @@ if ($shopfor == $userid) {
echo "Nice try! (You can't shop for yourself.)";
exit;
}
$rs = mysql_query("SELECT * FROM {$OPT["table_prefix"]}shoppers WHERE shopper = $userid AND mayshopfor = $shopfor AND pending = 0") or die("Could not query: " . mysql_error());
if (mysql_num_rows($rs) == 0) {
$stmt = $smarty->dbh()->prepare("SELECT * FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? AND mayshopfor = ? AND pending = 0");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindParam(2, $shopfor, PDO::PARAM_INT);
$stmt->execute();
if (!($stmt->fetch())) {
echo "Nice try! (You can't shop for someone who hasn't approved it.)";
exit;
}
mysql_free_result($rs);
if (!isset($_GET["sort"])) {
$sortby = "rankorder DESC, description";
@ -120,46 +133,47 @@ else {
for those items with a quantity of 1. if the item's quantity > 1 we'll query alloc when we
get to that record. the theory is that most items will have quantity = 1 so we'll make the least
number of trips. */
$query = "SELECT i.itemid, description, price, source, c.category, url, image_filename, " .
$stmt = $smarty->dbh()->prepare("SELECT i.itemid, description, price, source, c.category, url, image_filename, " .
"ub.fullname AS bfullname, ub.userid AS boughtid, " .
"ur.fullname AS rfullname, ur.userid AS reservedid, " .
"rendered, i.comment, i.quantity " .
"FROM {$OPT["table_prefix"]}items i " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}categories c ON c.categoryid = i.category " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}allocs a ON a.itemid = i.itemid AND i.quantity = 1 " . // only join allocs for single-quantity items.
"LEFT OUTER JOIN {$OPT["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " .
"FROM {$opt["table_prefix"]}items i " .
"LEFT OUTER JOIN {$opt["table_prefix"]}categories c ON c.categoryid = i.category " .
"LEFT OUTER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking " .
"LEFT OUTER JOIN {$opt["table_prefix"]}allocs a ON a.itemid = i.itemid AND i.quantity = 1 " . // only join allocs for single-quantity items.
"LEFT OUTER JOIN {$opt["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " .
"LEFT OUTER JOIN {$opt["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " .
"WHERE i.userid = $shopfor " .
"ORDER BY $sortby";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
"ORDER BY " . $sortby);
$stmt->bindParam(1, $shopfor, PDO::PARAM_INT);
$stmt->execute();
$shoprows = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$row['price'] = formatPrice($row['price']);
while ($row = $stmt->fetch()) {
$row['price'] = formatPrice($row['price'], $opt);
if ($row['quantity'] > 1) {
// check the allocs table to see what has been allocated.
$avail = $row['quantity'];
$query = "SELECT a.quantity, a.bought, a.userid, " .
$substmt = $smarty->dbh()->prepare("SELECT a.quantity, a.bought, a.userid, " .
"ub.fullname AS bfullname, ub.userid AS boughtid, " .
"ur.fullname AS rfullname, ur.userid AS reservedid " .
"FROM {$OPT["table_prefix"]}allocs a " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " .
"LEFT OUTER JOIN {$OPT["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " .
"WHERE a.itemid = " . $row['itemid'] . " " .
"ORDER BY a.bought, a.quantity";
$allocs = mysql_query($query) or die("Could not query: " . mysql_error());
"FROM {$opt["table_prefix"]}allocs a " .
"LEFT OUTER JOIN {$opt["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " .
"LEFT OUTER JOIN {$opt["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " .
"WHERE a.itemid = ? " .
"ORDER BY a.bought, a.quantity");
$substmt->bindValue(1, $row['itemid'], PDO::PARAM_INT);
$substmt->execute();
$ibought = 0;
$ireserved = 0;
$itemallocs = array();
while ($allocrow = mysql_fetch_array($allocs, MYSQL_ASSOC)) {
while ($allocrow = $substmt->fetch()) {
if ($allocrow['bfullname'] != '') {
if ($allocrow['boughtid'] == $userid) {
$ibought += $allocrow['quantity'];
$itemallocs[] = ($allocrow['quantity'] . " bought by you.");
}
else {
if (!$OPT["anonymous_purchasing"]) {
if (!$opt["anonymous_purchasing"]) {
$itemallocs[] = ($allocrow['quantity'] . " bought by " . $allocrow['bfullname'] . ".");
}
else {
@ -173,7 +187,7 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$itemallocs[] = ($allocrow['quantity'] . " reserved by you.");
}
else {
if (!$OPT["anonymous_purchasing"]) {
if (!$opt["anonymous_purchasing"]) {
$itemallocs[] = ($allocrow['quantity'] . " reserved by " . $allocrow['rfullname'] . ".");
}
else {
@ -183,7 +197,6 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
}
$avail -= $allocrow['quantity'];
}
mysql_free_result($allocs);
$row['allocs'] = $itemallocs;
$row['avail'] = $avail;
$row['ibought'] = $ibought;
@ -191,26 +204,26 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
}
$shoprows[] = $row;
}
mysql_free_result($rs);
/* okay, I *would* retrieve the shoppee's fullname from the items recordset,
except that I wouldn't get it if he had no items, so I *could* LEFT OUTER
JOIN, but then it would complicate the iteration logic, so let's just
hit the DB again. */
$query = "SELECT fullname FROM {$OPT["table_prefix"]}users WHERE userid = $shopfor";
$urs = mysql_query($query) or die("Could not query: " . mysql_error());
$ufullname = mysql_fetch_array($urs, MYSQL_ASSOC);
$ufullname = $ufullname["fullname"];
mysql_free_result($urs);
$stmt = $smarty->dbh()->prepare("SELECT fullname FROM {$opt["table_prefix"]}users WHERE userid = ?");
$stmt->bindParam(1, $shopfor, PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$ufullname = $row["fullname"];
}
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('ufullname', $ufullname);
$smarty->assign('shopfor', $shopfor);
$smarty->assign('shoprows', $shoprows);
$smarty->assign('userid', $userid);
if (isset($message)) {
$smarty->assign('message', $message);
}
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->assign('opt', $smarty->opt());
$smarty->display('shop.tpl');
?>
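Review bot: The items query still interpolates `$shopfor` into the SQL text on the unchanged context line `"WHERE i.userid = $shopfor "` while the new code binds parameter 1 right after `"ORDER BY " . $sortby)`, but the prepared string contains no `?` placeholder, so the bind refers to a parameter that does not exist and execute() should fail with an invalid-parameter error rather than use the bound value. Change that context line to `"WHERE i.userid = ? " .` so the binding is the only path by which `$shopfor` reaches the query; whether `$shopfor` is cast to int before this point lies outside the hunk. In the `copy` branch the new INSERT text ends with `VALUES(?, ?, ?, ?, ?, ?, ?, 1, 1` and is missing the closing `)`, so that prepare will raise before anything is copied. That branch also now binds an empty `url`/`comment` string and an int-cast `category` where the removed code substituted SQL `NULL`, which changes what is stored if those columns are nullable.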


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -50,38 +51,42 @@ switch($sort) {
default:
$sortby = "source, fullname, rankorder DESC";
}
$query = "SELECT description, source, price, i.comment, a.quantity, a.quantity * i.price AS total, rendered, fullname " .
"FROM {$OPT["table_prefix"]}items i " .
"INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = i.userid " .
"INNER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking " .
"INNER JOIN {$OPT["table_prefix"]}allocs a ON a.userid = $userid AND a.itemid = i.itemid AND bought = 0 " .
"ORDER BY $sortby";
$rs = mysql_query($query) or die("Could not query $query: " . mysql_error());
$shoplist = array();
$totalprice = 0;
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
$totalprice += $row["total"];
if ($row["quantity"] == 1) {
$row["price"] = formatPrice($row["price"]);
try {
// not worried about sql injection here since $sortby is a function of $sort, which falls through.
$stmt = $smarty->dbh()->prepare("SELECT description, source, price, i.comment, a.quantity, a.quantity * i.price AS total, rendered, fullname " .
"FROM {$opt["table_prefix"]}items i " .
"INNER JOIN {$opt["table_prefix"]}users u ON u.userid = i.userid " .
"INNER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking " .
"INNER JOIN {$opt["table_prefix"]}allocs a ON a.userid = ? AND a.itemid = i.itemid AND bought = 0 " .
"ORDER BY " . $sortby);
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->execute();
$shoplist = array();
$totalprice = 0;
$itemcount = 0;
while ($row = $stmt->fetch()) {
$totalprice += $row["total"];
++$itemcount;
if ($row["quantity"] == 1) {
$row["price"] = formatPrice($row["price"], $opt);
}
else {
$row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"], $opt) . " = " . formatPrice($row["total"], $opt);
}
$shoplist[] = $row;
}
else {
$row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"]) . " = " . formatPrice($row["total"]);
}
$shoplist[] = $row;
$smarty->assign('shoplist', $shoplist);
$smarty->assign('totalprice', formatPrice($totalprice, $opt));
$smarty->assign('itemcount', $itemcount);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $smarty->opt());
$smarty->display('shoplist.tpl');
}
catch (PDOException $e) {
die("sql exception: " . $e->getMessage());
}
$itemcount = mysql_num_rows($rs);
mysql_free_result($rs);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('shoplist', $shoplist);
$smarty->assign('totalprice', formatPrice($totalprice));
$smarty->assign('itemcount', $itemcount);
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->display('shoplist.tpl');
?>
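Review bot: The new `catch (PDOException $e)` block ends with `die("sql exception: " . $e->getMessage())`, which sends the driver's error text — SQL fragments, table names and possibly connection details — straight to the browser; the try/catch in the preceding file section does the same. Log it server-side and show a neutral message instead: `error_log("shoplist.php: " . $e->getMessage());` followed by `die("A database error occurred.");`. The comment `not worried about sql injection here since $sortby is a function of $sort, which falls through` would be stronger stated as the invariant it relies on: `// $sortby is only ever one of the literal strings assigned in the switch above; never concatenate request input here.` so a later edit to the switch is less likely to break it.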


@ -13,70 +13,67 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
if (isset($_POST["action"])) {
if ($_POST["action"] == "signup") {
$username = $_POST["username"];
$fullname = $_POST["fullname"];
$email = $_POST["email"];
$familyid = $_POST["familyid"];
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$fullname = addslashes($fullname);
$email = addslashes($email);
$familyid = addslashes($familyid);
}
if ($familyid == "")
$familyid = "NULL";
if (isset($_POST["action"]) && $_POST["action"] == "signup") {
$username = $_POST["username"];
$fullname = $_POST["fullname"];
$email = $_POST["email"];
$familyid = $_POST["familyid"];
// make sure that username isn't taken.
$query = "SELECT userid FROM {$OPT["table_prefix"]}users WHERE username = '$username'";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if (mysql_num_rows($rs) > 0) {
$error = "The username '" . stripslashes($username) . "' is already taken. Please choose another.";
mysql_free_result($rs);
// make sure that username isn't taken.
$stmt = $smarty->dbh()->prepare("SELECT userid FROM {$opt["table_prefix"]}users WHERE username = ?");
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->fetch()) {
$error = "The username '" . $username . "' is already taken. Please choose another.";
}
else {
// generate a password and insert the row.
// NOTE: if approval is required, this password will be replaced
// when the account is approved.
$pwd = generatePassword($opt);
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}users(username,fullname,password,email,approved,initialfamilyid) VALUES(?, ?, {$opt["password_hasher"]}(?), ?, ?, ?)");
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->bindParam(2, $fullname, PDO::PARAM_STR);
$stmt->bindParam(3, $pwd, PDO::PARAM_STR);
$stmt->bindParam(4, $email, PDO::PARAM_STR);
$stmt->bindValue(5, !$opt["newuser_requires_approval"], PDO::PARAM_BOOL);
$stmt->bindParam(6, $familyid, PDO::PARAM_INT);
$stmt->execute();
if ($opt["newuser_requires_approval"]) {
// send the e-mails to the administrators.
$stmt = $smarty->dbh()->prepare("SELECT fullname, email FROM {$opt["table_prefix"]}users WHERE admin = 1 AND email IS NOT NULL");
$stmt->execute();
while ($row = $stmt->fetch()) {
mail(
$row["email"],
"Gift Registry approval request for " . $fullname,
$fullname . " <" . $email . "> would like you to approve him/her for access to the Gift Registry.",
"From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n"
) or die("Mail not accepted for " . $row["email"]);
}
}
else {
mysql_free_result($rs);
// generate a password and insert the row.
// NOTE: if approval is required, this password will be replaced
// when the account is approved.
$pwd = generatePassword();
$query = "INSERT INTO {$OPT["table_prefix"]}users(username,fullname,password,email,approved,initialfamilyid) VALUES('$username','$fullname',{$OPT["password_hasher"]}('$pwd'),'$email'," . ($OPT["newuser_requires_approval"] ? "0" : "1") . ",$familyid)";
mysql_query($query) or die("Could not query: " . mysql_error());
if ($OPT["newuser_requires_approval"]) {
// send the e-mails to the administrators.
$query = "SELECT fullname, email FROM {$OPT["table_prefix"]}users WHERE admin = 1 AND email IS NOT NULL";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
while ($row = mysql_fetch_assoc($rs)) {
mail(
$row["email"],
"Gift Registry approval request for " . stripslashes($fullname),
stripslashes($fullname) . " <" . stripslashes($email) . "> would like you to approve him/her for access to the Gift Registry.",
"From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n"
) or die("Mail not accepted for " . $row["email"]);
}
mysql_free_result($rs);
}
else {
// we don't require approval,
// so immediately send them their initial password.
// also, join them up to their initial family (if requested).
if ($familyid != "NULL") {
$query = "SELECT userid FROM {$OPT["table_prefix"]}users WHERE username = '$username'";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$row = mysql_fetch_assoc($rs);
// we don't require approval,
// so immediately send them their initial password.
// also, join them up to their initial family (if requested).
if ($familyid != NULL) {
$stmt = $smarty->dbh()->prepare("SELECT userid FROM {$opt["table_prefix"]}users WHERE username = ?");
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->execute();
if ($row = $stmt->fetch()) {
$userid = $row["userid"];
mysql_free_result($rs);
$query = "INSERT INTO {$OPT["table_prefix"]}memberships(userid,familyid) VALUES($userid,$familyid)";
echo $query;
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}memberships(userid,familyid) VALUES(?, ?)");
$stmt->bindParam(1, $userid, PDO::PARAM_INT);
$stmt->bindParam(2, $familyid, PDO::PARAM_INT);
$stmt->execute();
}
mail(
@ -84,25 +81,20 @@ if (isset($_POST["action"])) {
"Gift Registry account created",
"Your Gift Registry account was created.\r\n" .
"Your username is $username and your password is $pwd.",
"From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n"
"From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n"
) or die("Mail not accepted for $email");
}
}
}
}
$query = "SELECT familyid, familyname FROM {$OPT["table_prefix"]}families ORDER BY familyname";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("SELECT familyid, familyname FROM {$opt["table_prefix"]}families ORDER BY familyname");
$stmt->execute();
$families = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$families[] = $row;
}
mysql_free_result($rs);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('families', $families);
$smarty->assign('username', $username);
$smarty->assign('fullname', $fullname);
@ -113,6 +105,6 @@ if (isset($error)) {
$smarty->assign('error', $error);
}
$smarty->assign('isadmin', $_SESSION['admin']);
$smarty->assign('opt', $OPT);
$smarty->assign('opt', $smarty->opt());
$smarty->display('signup.tpl');
?>
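Review bot: `$familyid` is taken straight from `$_POST["familyid"]` and bound with `PDO::PARAM_INT` in the users INSERT (`$stmt->bindParam(6, $familyid, PDO::PARAM_INT)`), but the removed lines mapped an empty value to SQL `NULL`; an empty string bound as an integer parameter no longer produces NULL in `initialfamilyid`, and the new `if ($familyid != NULL)` compares that raw string against null. Normalise once at the top of the signup branch, `$familyid = ($_POST["familyid"] === "") ? null : (int) $_POST["familyid"];`, bind with `$stmt->bindValue(6, $familyid, $familyid === null ? PDO::PARAM_NULL : PDO::PARAM_INT);`, and test `if ($familyid !== null)` before the memberships INSERT. Whether the column is nullable is not visible in this hunk, so confirm against the schema.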


@ -29,7 +29,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
{if isset($message)}
<div class="row">
<div class="span12">
<div class="alert alert-info">
<div class="alert alert-block">
{$message|escape:'htmlall'}
</div>
</div>


@ -30,7 +30,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
{if isset($message)}
<div class="row">
<div class="span12">
<div class="alert alert-info">{$message|escape:'htmlall'}</div>
<div class="alert alert-block">{$message|escape:'htmlall'}</div>
</div>
</div>
{/if}


@ -151,7 +151,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
<td>
<a href="shop.php?shopfor={$row.userid}">{$row.fullname|escape:'htmlall'}</a>
{if $row.comment != ''}
<img src="images/view.gif" alt="{$row.comment|escape:'htmlall'}" border="0">
<a class="btn btn-small" rel="popover" href="#" data-placement="right" data-original-title="Comment" data-content="{$row.comment|escape:'htmlall'}">...</a>
{/if}
</td>
<td align="right">{$row.list_stamp}</td>
@ -271,62 +271,62 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
</div>
</div>
</div>
{if $opt.shop_requires_approval}
{if $opt.shop_requires_approval || ($isadmin && $opt.newuser_requires_approval)}
<div class="row">
<div class="span6">
<div class="well">
<h3>People who want to shop for me</h3>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th class="colheader">Name</th>
<th>&nbsp;</th>
</tr>
</thead>
<tbody>
{foreach from=$pending item=row}
<tr>
<td>{$row.fullname|escape:'htmlall'}</td>
<td align="right">
<a href="index.php?action=approve&shopper={$row.userid}">Approve</a>&nbsp;/
<a href="index.php?action=decline&shopper={$row.userid}">Decline</a>
</td>
</tr>
{/foreach}
</tbody>
</table>
</div>
</div>
</div>
{/if}
{if $isadmin && $opt.newuser_requires_approval}
<div class="row">
<div class="span6">
<div class="well">
<h3>People waiting for approval</h3>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th class="colheader">Name</th>
<th class="colheader">Family</th>
<th>&nbsp;</th>
</tr>
</thead>
<tbody>
{foreach from=$approval item=row}
<tr>
<td>{$row.fullname|escape:'htmlall'} &lt;<a href="mailto:{$row.email|escape:'htmlall'}">{$row.email|escape:'htmlall'}</a>&gt;</td>
<td>{$row.familyname|escape:'htmlall'}</td>
<td align="right">
<a href="admin.php?action=approve&userid={$row.userid}&familyid={$row.initialfamilyid}">Approve</a>&nbsp;/
<a href="admin.php?action=reject&userid={$row.userid}">Reject</a>
</td>
</tr>
{/foreach}
</tbody>
</table>
{if $opt.shop_requires_approval}
<div class="span6">
<div class="well">
<h3>People who want to shop for me</h3>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th class="colheader">Name</th>
<th>&nbsp;</th>
</tr>
</thead>
<tbody>
{foreach from=$pending item=row}
<tr>
<td>{$row.fullname|escape:'htmlall'}</td>
<td align="right">
<a href="index.php?action=approve&shopper={$row.userid}">Approve</a>&nbsp;/
<a href="index.php?action=decline&shopper={$row.userid}">Decline</a>
</td>
</tr>
{/foreach}
</tbody>
</table>
</div>
</div>
</div>
{/if}
{if $isadmin && $opt.newuser_requires_approval}
<div class="span6">
<div class="well">
<h3>People waiting for approval</h3>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th class="colheader">Name</th>
<th class="colheader">Family</th>
<th>&nbsp;</th>
</tr>
</thead>
<tbody>
{foreach from=$approval item=row}
<tr>
<td>{$row.fullname|escape:'htmlall'} &lt;<a href="mailto:{$row.email|escape:'htmlall'}">{$row.email|escape:'htmlall'}</a>&gt;</td>
<td>{$row.familyname|escape:'htmlall'}</td>
<td align="right">
<a href="admin.php?action=approve&userid={$row.userid}&familyid={$row.initialfamilyid}">Approve</a>&nbsp;/
<a href="admin.php?action=reject&userid={$row.userid}">Reject</a>
</td>
</tr>
{/foreach}
</tbody>
</table>
</div>
</div>
{/if}
</div>
{/if}
</section>


@ -23,12 +23,12 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
<link href="bootstrap/css/bootstrap-responsive.css" rel="stylesheet">
</head>
<body>
<div class="container">
<div class="container" style="padding-top: 30px;">
<div class="row">
<div class="span8 offset2">
<h1>Gift Registry</h1>
<form name="login" method="post" action="login.php" class="well form-horizontal">
<fieldset>
<legend>Gift Registry</legend>
{if isset($username)}
<div class="alert alert-error">Bad login.</div>
{/if}


@ -50,7 +50,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
</div>
<div class="form-actions">
<button type="submit" class="btn btn-primary">Send Message</button>
<button type="button" onClick="document.location.href='index.php';">Cancel</button>
<button type="button" class="btn" onClick="document.location.href='index.php';">Cancel</button>
</div>
</fieldset>
</form>


@ -76,14 +76,14 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
<h5>{$itemcount} item(s), {$totalprice} total.</h5>
</div>
</div>
<div>
</div>
<div class="row">
<div class="span6">
<div class="well">
<a onClick="printPage()" href="#">Send to printer</a>
</div>
</diiv>
</div>
</div>
</div>


@ -49,7 +49,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
{if isset($message)}
<div class="row">
<div class="span12">
<div class="alert alert-success">
<div class="alert alert-block">
{$message|escape:'htmlall'}
</div>
</div>


@ -49,7 +49,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
</script>
</head>
<body>
<div class="container">
<div class="container" style="padding-top: 30px;">
{if isset($error)}
<div class="row">
<div class="span8 offset2">


@ -36,7 +36,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
{if isset($message)}
<div class="row">
<div class="span12">
<div class="alert alert-info">{$message|escape:'htmlall'}</div>
<div class="alert alert-block">{$message|escape:'htmlall'}</div>
</div>
</div>
{/if}


@ -13,9 +13,10 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
include("config.php");
include("db.php");
include("funcLib.php");
require_once(dirname(__FILE__) . "/includes/funcLib.php");
require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
$smarty = new MySmarty();
$opt = $smarty->opt();
session_start();
if (!isset($_SESSION["userid"])) {
@ -32,7 +33,7 @@ if ($_SESSION["admin"] != 1) {
}
if (!empty($_GET["message"])) {
$message = strip_tags($_GET["message"]);
$message = $_GET["message"];
}
if (isset($_GET["action"]))
@ -48,11 +49,6 @@ if ($action == "insert" || $action == "update") {
$email_msgs = (strtoupper($_GET["email_msgs"]) == "ON" ? 1 : 0);
$approved = (strtoupper($_GET["approved"]) == "ON" ? 1 : 0);
$userisadmin = (strtoupper($_GET["admin"]) == "ON" ? 1 : 0);
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$fullname = addslashes($fullname);
$email = addslashes($email);
}
$haserror = false;
if ($username == "") {
@ -75,19 +71,37 @@ if ($action == "delete") {
// work ourselves.
$deluserid = (int) $_GET["userid"];
mysql_query("DELETE FROM {$OPT["table_prefix"]}shoppers WHERE shopper = $deluserid OR mayshopfor = $deluserid") or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? OR mayshopfor = ?");
$stmt->bindParam(1, $deluserid, PDO::PARAM_INT);
$stmt->bindParam(2, $deluserid, PDO::PARAM_INT);
$stmt->execute();
// we can't leave messages with dangling senders, so delete those too.
mysql_query("DELETE FROM {$OPT["table_prefix"]}messages WHERE sender = $deluserid OR recipient = $deluserid") or die("Could not query: " . mysql_error());
mysql_query("DELETE FROM {$OPT["table_prefix"]}events WHERE userid = $deluserid") or die("Could not query: " . mysql_error());
mysql_query("DELETE FROM {$OPT["table_prefix"]}items WHERE userid = $deluserid") or die("Could not query: " . mysql_error());
mysql_query("DELETE FROM {$OPT["table_prefix"]}users WHERE userid = $deluserid") or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}messages WHERE sender = ? OR recipient = ?");
$stmt->bindParam(1, $deluserid, PDO::PARAM_INT);
$stmt->bindParam(2, $deluserid, PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}events WHERE userid = ?");
$stmt->bindParam(1, $deluserid, PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE userid = ?");
$stmt->bindParam(1, $deluserid, PDO::PARAM_INT);
$stmt->execute();
$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}users WHERE userid = ?");
$stmt->bindParam(1, $deluserid, PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("users.php?message=User+deleted."));
exit;
}
else if ($action == "edit") {
$query = "SELECT username, fullname, email, email_msgs, approved, admin FROM {$OPT["table_prefix"]}users WHERE userid = " . (int) $_GET["userid"];
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) {
$stmt = $smarty->dbh()->prepare("SELECT username, fullname, email, email_msgs, approved, admin FROM {$opt["table_prefix"]}users WHERE userid = ?");
$stmt->bindValue(1, (int) $_GET["userid"], PDO::PARAM_INT);
$stmt->execute();
if ($row = $stmt->fetch()) {
$username = $row["username"];
$fullname = $row["fullname"];
$email = $row["email"];
@ -108,16 +122,23 @@ else if ($action == "") {
else if ($action == "insert") {
if (!$haserror) {
// generate a password and insert the row.
$pwd = generatePassword();
$query = "INSERT INTO {$OPT["table_prefix"]}users(username,password,fullname,email,email_msgs,approved,admin) " .
"VALUES('$username',{$OPT["password_hasher"]}('$pwd'),'$fullname'," . ($email == "" ? "NULL" : "'$email'") . ",$email_msgs,$approved,$userisadmin)";
mysql_query($query) or die("Could not query: " . mysql_error());
$pwd = generatePassword($opt);
$stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}users(username,password,fullname,email,email_msgs,approved,admin) VALUES(?, {$opt["password_hasher"]}(?), ?, ?, ?, ?, ?)");
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->bindParam(2, $pwd, PDO::PARAM_STR);
$stmt->bindParam(3, $fullname, PDO::PARAM_STR);
$stmt->bindParam(4, $email, PDO::PARAM_STR);
$stmt->bindParam(5, $email_msgs, PDO::PARAM_BOOL);
$stmt->bindParam(6, $approved, PDO::PARAM_BOOL);
$stmt->bindParam(7, $userisadmin, PDO::PARAM_BOOL);
$stmt->execute();
mail(
$email,
"Gift Registry account created",
"Your Gift Registry account was created.\r\n" .
"Your username is $username and your password is $pwd.",
"From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n"
"From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n"
) or die("Mail not accepted for $email");
header("Location: " . getFullPath("users.php?message=User+added+and+e-mail+sent."));
exit;
@ -125,15 +146,23 @@ else if ($action == "insert") {
}
else if ($action == "update") {
if (!$haserror) {
$query = "UPDATE {$OPT["table_prefix"]}users SET " .
"username = '$username', " .
"fullname = '$fullname', " .
"email = " . ($email == "" ? "NULL" : "'$email'") . ", " .
"email_msgs = $email_msgs, " .
"approved = $approved, " .
"admin = $userisadmin " .
"WHERE userid = " . $_GET["userid"];
mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET " .
"username = ?, " .
"fullname = ?, " .
"email = ?, " .
"email_msgs = ?, " .
"approved = ?, " .
"admin = ? " .
"WHERE userid = ?");
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->bindParam(2, $pwd, PDO::PARAM_STR);
$stmt->bindParam(3, $fullname, PDO::PARAM_STR);
$stmt->bindParam(4, $email, PDO::PARAM_STR);
$stmt->bindParam(5, $email_msgs, PDO::PARAM_BOOL);
$stmt->bindParam(6, $approved, PDO::PARAM_BOOL);
$stmt->bindParam(7, $userisadmin, PDO::PARAM_BOOL);
$stmt->bindValue(8, (int) $_GET["userid"], PDO::PARAM_INT);
$stmt->execute();
header("Location: " . getFullPath("users.php?message=User+updated."));
exit;
}
@ -141,19 +170,18 @@ else if ($action == "update") {
else if ($action == "reset") {
$resetuserid = $_GET["userid"];
$resetemail = $_GET["email"];
if (!get_magic_quotes_gpc()) {
$resetuserid = addslashes($resetuserid);
$resetemail = addslashes($resetemail);
}
// generate a password and insert the row.
$pwd = generatePassword();
$query = "UPDATE {$OPT["table_prefix"]}users SET password = {$OPT["password_hasher"]}('$pwd') WHERE userid = $resetuserid";
mysql_query($query) or die("Could not query: " . mysql_error());
$pwd = generatePassword($opt);
$stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET password = {$opt["password_hasher"]}(?) WHERE userid = ?");
$stmt->bindParam(1, $pwd, PDO::PARAM_STR);
$stmt->bindParam(2, $resetuserid, PDO::PARAM_INT);
$stmt->execute();
mail(
$resetemail,
"Gift Registry password reset",
"Your Gift Registry password was reset to $pwd.",
"From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n"
"From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n"
) or die("Mail not accepted for $email");
header("Location: " . getFullPath("users.php?message=Password+reset."));
exit;
@ -163,17 +191,14 @@ else {
exit;
}
$query = "SELECT userid, username, fullname, email, email_msgs, approved, admin FROM {$OPT["table_prefix"]}users ORDER BY username";
$rs = mysql_query($query) or die("Could not query: " . mysql_error());
$stmt = $smarty->dbh()->prepare("SELECT userid, username, fullname, email, email_msgs, approved, admin FROM {$opt["table_prefix"]}users ORDER BY username");
$stmt->execute();
$users = array();
while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) {
while ($row = $stmt->fetch()) {
$users[] = $row;
}
mysql_free_result($rs);
define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/');
require_once(SMARTY_DIR . 'Smarty.class.php');
$smarty = new Smarty();
$smarty->assign('action', $action);
$smarty->assign('username', $username);
if (isset($username_error)) {
@ -190,13 +215,15 @@ if (isset($email_error)) {
$smarty->assign('email_msgs', $email_msgs);
$smarty->assign('approved', $approved);
$smarty->assign('userisadmin', $userisadmin);
$smarty->assign('haserror', $haserror);
if (isset($haserror)) {
$smarty->assign('haserror', $haserror);
}
$smarty->assign('users', $users);
if (isset($message)) {
$smarty->assign('message', $message);
}
$smarty->assign('userid', $userid);
$smarty->assign('isadmin', $_SESSION["admin"]);
$smarty->assign('opt', $OPT);
$smarty->assign('opt', $smarty->opt());
$smarty->display('users.tpl');
?>
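Review bot: The UPDATE in the `update` branch (hunk `@ -125,15 +146,23 @@`) has seven `?` placeholders but binds eight parameters, and position 2 is bound to `$pwd`, which is never assigned in that branch and is left over from the insert statement, so every following column is shifted by one and execute() either fails with an invalid-parameter-number error or writes the wrong values; drop the `$pwd` line and renumber as below. Two smaller points in the same file: the insert and update hunks bind `$email` as PDO::PARAM_STR where the removed code stored NULL for an empty address (`($email == "" ? "NULL" : "'$email'")`), so such rows now get `''` instead of NULL unless that change is intended; and the `reset` branch binds `$resetuserid` as PDO::PARAM_INT straight from `$_GET["userid"]` while every other branch casts first, so `$stmt->bindValue(2, (int) $_GET["userid"], PDO::PARAM_INT);` would match them and guarantee an integer reaches the driver.
```php
// … unchanged: prepare() of the UPDATE ... WHERE userid = ? statement …
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->bindParam(2, $fullname, PDO::PARAM_STR);
$stmt->bindParam(3, $email, PDO::PARAM_STR);
$stmt->bindParam(4, $email_msgs, PDO::PARAM_BOOL);
$stmt->bindParam(5, $approved, PDO::PARAM_BOOL);
$stmt->bindParam(6, $userisadmin, PDO::PARAM_BOOL);
$stmt->bindValue(7, (int) $_GET["userid"], PDO::PARAM_INT);
$stmt->execute();
// … unchanged: redirect to users.php …
```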