diff --git a/src/categories.php b/src/categories.php index b8fecc5..02c42d9 100644 --- a/src/categories.php +++ b/src/categories.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { @@ -30,7 +31,7 @@ else { $userid = $_SESSION["userid"]; } if (!empty($_GET["message"])) { - $message = strip_tags($_GET["message"]); + $message = $_GET["message"]; } $action = $_GET["action"]; @@ -38,8 +39,6 @@ $action = $_GET["action"]; if ($action == "insert" || $action == "update") { /* validate the data. */ $category = trim($_GET["category"]); - if (!get_magic_quotes_gpc()) - $category = addslashes($category); $haserror = false; if ($category == "") { 
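Review bot: Dropping `strip_tags()` from `$message = $_GET["message"];` in the @@ -30,7 +31,7 @@ hunk hands the raw query-string value straight to `$smarty->assign('message', $message)` and the template, so unless MySmarty enables Smarty's `escape_html` (not visible in this diff) the `message` parameter becomes a reflected value in the rendered page. Keep the original `$message = strip_tags($_GET["message"]);`, or confirm the template escapes `{$message}` and record that beside the assignment with a comment such as `// raw user input: escaped by the template`. The same removal is made in event.php (@@ -27) and families.php (@@ -30), and forgot.php assigns `$username` from POST to the template the same way.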
@@ -50,66 +49,73 @@ if ($action == "insert" || $action == "update") { if ($action == "delete") { /* first, NULL all category FKs for items that use this category. */ - $query = "UPDATE {$OPT["table_prefix"]}items SET category = NULL WHERE category = " . addslashes($_GET["categoryid"]); - mysql_query($query) or die("Could not query: " . mysql_error()); - $query = "DELETE FROM {$OPT["table_prefix"]}categories WHERE categoryid = " . addslashes($_GET["categoryid"]); - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET category = NULL WHERE category = ?"); + $stmt->bindValue(1, (int) $_GET["categoryid"], PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}categories WHERE categoryid = ?"); + $stmt->bindValue(1, (int) $_GET["categoryid"], PDO::PARAM_INT); + $stmt->execute(); + header("Location: " . getFullPath("categories.php?message=Category+deleted.")); exit; } else if ($action == "edit") { - $query = "SELECT category FROM {$OPT["table_prefix"]}categories WHERE categoryid = " . addslashes($_GET["categoryid"]); - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { + $stmt = $smarty->dbh()->prepare("SELECT category FROM {$opt["table_prefix"]}categories WHERE categoryid = ?"); + $stmt->bindValue(1, (int) $_GET["categoryid"], PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { $category = $row["category"]; } - mysql_free_result($rs); } else if ($action == "") { $category = ""; } else if ($action == "insert") { if (!$haserror) { - $query = "INSERT INTO {$OPT["table_prefix"]}categories(categoryid,category) " . - "VALUES(NULL,'$category')"; - mysql_query($query) or die("Could not query: " . 
mysql_error()); + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}categories(categoryid,category) VALUES(NULL, ?)"); + $stmt->bindParam(1, $category, PDO::PARAM_STR); + $stmt->execute(); + header("Location: " . getFullPath("categories.php?message=Category+added.")); exit; } } else if ($action == "update") { if (!$haserror) { - $query = "UPDATE {$OPT["table_prefix"]}categories " . - "SET category = '$category' " . - "WHERE categoryid = " . addslashes($_GET["categoryid"]); - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}categories " . + "SET category = ? " . + "WHERE categoryid = ?"); + $stmt->bindParam(1, $category, PDO::PARAM_STR); + $stmt->bindValue(2, (int) $_GET["categoryid"], PDO::PARAM_INT); + $stmt->execute(); + header("Location: " . getFullPath("categories.php?message=Category+updated.")); exit; } } else { - echo "Unknown verb."; - exit; + die("Unknown verb."); } -$query = "SELECT c.categoryid, c.category, COUNT(itemid) AS itemsin " . - "FROM {$OPT["table_prefix"]}categories c " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}items i ON i.category = c.categoryid " . +$stmt = $smarty->dbh()->prepare("SELECT c.categoryid, c.category, COUNT(itemid) AS itemsin " . + "FROM {$opt["table_prefix"]}categories c " . + "LEFT OUTER JOIN {$opt["table_prefix"]}items i ON i.category = c.categoryid " . "GROUP BY c.categoryid, category " . - "ORDER BY category"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); + "ORDER BY category"); +$stmt->execute(); $categories = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $categories[] = $row; } -mysql_free_result($rs); -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 
'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('action', $action); +if (isset($action)) { + $smarty->assign('action', $action); +} $smarty->assign('categories', $categories); -$smarty->assign('categoryid', addslashes($_GET["categoryid"])); +if (isset($_GET["categoryid"])) { + $smarty->assign('categoryid', (int) $_GET["categoryid"]); +} if (isset($message)) { $smarty->assign('message', $message); } @@ -119,6 +125,6 @@ if (isset($category_error)) { } $smarty->assign('haserror', $haserror); $smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); +$smarty->assign('opt', $smarty->opt()); $smarty->display('categories.tpl'); ?> diff --git a/src/config.php b/src/config.php deleted file mode 100644 index 31f420b..0000000 --- a/src/config.php +++ /dev/null @@ -1,118 +0,0 @@ - diff --git a/src/db.php b/src/db.php deleted file mode 100644 index 1dc5b09..0000000 --- a/src/db.php +++ /dev/null @@ -1,18 +0,0 @@ - diff --git a/src/event.php b/src/event.php index 45886a0..fc51c91 100644 --- a/src/event.php +++ b/src/event.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
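Review bot: categories.php is the one file in this commit whose PDO calls run outside any try/catch (delete, edit, insert, update and the listing query in the @@ -50 hunk), and none of the `$stmt->execute()` return values is checked, so if `MySmarty::dbh()` does not set `PDO::ERRMODE_EXCEPTION` a failed DELETE or UPDATE still redirects to `message=Category+deleted.` / `Category+updated.`, and if it does, the exception escapes as an uncaught fatal. Either mirror the sibling files' `try { ... } catch (PDOException $e)` structure or guard each call, e.g. `$stmt->execute() or die("Could not query.");`. The edit branch also ignores a missing row: `if ($row = $stmt->fetch()) { ... }` leaves `$category` undefined for an unknown categoryid where families.php now dies, so add `else { die("category doesn't exist."); }` for consistency.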
@@ -27,28 +28,34 @@ else { } if (!empty($_GET["message"])) { - $message = strip_tags($_GET["message"]); + $message = $_GET["message"]; } if (isset($_GET["eventid"])) { - $eventid = (int) $_GET["eventid"]; + $eventid = $_GET["eventid"]; } // for security, let's make sure that if an eventid was passed in, it belongs // to $userid (or is a system event and the user is an admin). // all operations on this page should only be performed by the event's owner. if (isset($eventid)) { - $query = "SELECT * FROM {$OPT["table_prefix"]}events WHERE eventid = $eventid AND "; - if ($_SESSION["admin"] == 1) - $query .= "(userid = " . $_SESSION["userid"] . " OR userid IS NULL)"; - else - $query .= "userid = " . $_SESSION["userid"]; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if (mysql_num_rows($rs) == 0) { - echo "Nice try! (That's not your event.)"; - exit; + try { + $query = "SELECT * FROM {$opt["table_prefix"]}events WHERE eventid = ? AND "; + if ($_SESSION["admin"] == 1) + $query .= "(userid = ? OR userid IS NULL)"; + else + $query .= "userid = ?"; + $stmt = $smarty->dbh()->prepare($query); + $stmt->bindParam(1, $eventid, PDO::PARAM_INT); + $stmt->bindParam(2, $userid, PDO::PARAM_INT); + + $stmt->execute(); + if (!$stmt->fetch()) + die("Nice try! (That's not your event.)"); + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } - mysql_free_result($rs); } $action = isset($_GET["action"]) ? $_GET["action"] : ""; @@ -59,9 +66,7 @@ if ($action == "insert" || $action == "update") { $eventdate = $_GET["eventdate"]; $ts = strtotime($eventdate); $recurring = (strtoupper($_GET["recurring"]) == "ON" ? 1 : 0); - $systemevent = (strtoupper($_GET["system"]) == "ON" ? 1 : 0); - if (!get_magic_quotes_gpc()) - $description = addslashes($description); + $systemevent = (strtoupper($_GET["systemevent"]) == "ON" ? 1 : 0); $haserror = false; if ($description == "") { 
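Review bot: `$eventid = $_GET["eventid"];` in the @@ -27 hunk drops the `(int)` cast the old code had; binding with `PDO::PARAM_INT` keeps the query safe, but the uncast string now reaches `$smarty->assign('eventid', $eventid)` in the later hunk and is what `bindParam` re-reads at execute time, so restore `$eventid = (int) $_GET["eventid"];` and let the ownership check and the template both see an integer. The new `catch (PDOException $e) { die("sql exception: " . $e->getMessage()); }` blocks print the driver's error text, which can include table names, the DSN host or the failing SQL, to the browser; log `$e->getMessage()` server-side and die with a fixed string such as `die("Database error.");`. The same catch pattern is repeated in the remaining event.php hunks, in families.php and in forgot.php.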
@@ -75,21 +80,36 @@ if ($action == "insert" || $action == "update") { } if ($action == "delete") { - $query = "DELETE FROM {$OPT["table_prefix"]}events WHERE eventid = $eventid"; - mysql_query($query) or die("Could not query: " . mysql_error()); - header("Location: " . getFullPath("event.php?message=Event+deleted.")); - exit; + try { + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}events WHERE eventid = ?"); + $stmt->bindParam(1, $eventid, PDO::PARAM_INT); + + $stmt->execute(); + + header("Location: " . getFullPath("event.php?message=Event+deleted.")); + exit; + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } } else if ($action == "edit") { - $query = "SELECT description, eventdate, recurring, userid FROM {$OPT["table_prefix"]}events WHERE eventid = $eventid"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { + try { + $stmt = $smarty->dbh()->prepare("SELECT description, eventdate, recurring, userid FROM {$opt["table_prefix"]}events WHERE eventid = ?"); + $stmt->bindParam(1, $eventid, PDO::PARAM_INT); + + $stmt->execute(); + + // we know this will work, see above. + $row = $stmt->fetch(); $description = $row["description"]; $eventdate = $row["eventdate"]; $recurring = $row["recurring"]; $systemevent = ($row["userid"] == ""); } - mysql_free_result($rs); + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } } else if ($action == "") { $description = ""; 
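Review bot: In the @@ -75 hunk the edit branch now does `$row = $stmt->fetch();` and indexes it unconditionally on the strength of `// we know this will work, see above.`, but the ownership check above only runs `if (isset($eventid))`; a request with `action=edit` (or `delete`) and no `eventid` skips that gate, binds an undefined `$eventid`, and the edit branch then reads fields off `false`. Require the id before these branches, e.g. `if (($action == "edit" || $action == "delete") && !isset($eventid)) die("Missing event id.");`, and replace the trust-the-comment fetch with `if (!($row = $stmt->fetch())) die("Nice try! (That's not your event.)");`. The delete branch is otherwise sound — `WHERE eventid = ?` bound to NULL matches nothing — but it still reports `Event+deleted.` in that case.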
@@ -99,67 +119,95 @@ else if ($action == "") { } else if ($action == "insert") { if (!$haserror) { - $query = "INSERT INTO {$OPT["table_prefix"]}events(userid,description,eventdate,recurring) " . - "VALUES(" . ($systemevent ? "NULL" : $userid) . ",'$description','" . strftime("%Y-%m-%d", $ts) . "',$recurring)"; - mysql_query($query) or die("Could not query: " . mysql_error()); - header("Location: " . getFullPath("event.php?message=Event+added.")); - exit; + try { + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}events(userid,description,eventdate,recurring) VALUES(?, ?, ?, ?)"); + $stmt->bindValue(1, $systemevent ? NULL : $userid, PDO::PARAM_BOOL); + $stmt->bindParam(2, $description, PDO::PARAM_STR); + $stmt->bindValue(3, strftime("%Y-%m-%d", $ts), PDO::PARAM_STR); + $stmt->bindParam(4, $recurring, PDO::PARAM_BOOL); + + $stmt->execute(); + + header("Location: " . getFullPath("event.php?message=Event+added.")); + exit; + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } } } else if ($action == "update") { if (!$haserror) { - $query = "UPDATE {$OPT["table_prefix"]}events SET " . - "userid = " . ($systemevent ? "NULL" : $userid) . ", " . - "description = '$description', " . - "eventdate = '" . strftime("%Y-%m-%d", $ts) . "', " . - "recurring = $recurring " . - "WHERE eventid = $eventid"; - mysql_query($query) or die("Could not query: " . mysql_error()); - header("Location: " . getFullPath("event.php?message=Event+updated.")); - exit; + try { + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}events SET " . + "userid = ?, " . + "description = ?, " . + "eventdate = ?, " . + "recurring = ? " . + "WHERE eventid = ?"); + $stmt->bindValue(1, $systemevent ? 
NULL : $userid, PDO::PARAM_BOOL); + $stmt->bindParam(2, $description, PDO::PARAM_STR); + $stmt->bindValue(3, strftime("%Y-%m-%d", $ts), PDO::PARAM_STR); + $stmt->bindParam(4, $recurring, PDO::PARAM_BOOL); + $stmt->bindParam(5, $eventid, PDO::PARAM_INT); + + $stmt->execute(); + + header("Location: " . getFullPath("event.php?message=Event+updated.")); + exit; + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } } } else { - echo "Unknown verb."; - exit; + die("Unknown verb."); } -$query = "SELECT eventid, userid, description, eventdate, recurring " . - "FROM {$OPT["table_prefix"]}events " . - "WHERE userid = $userid"; -if ($_SESSION["admin"] == 1) - $query .= " OR userid IS NULL"; // add in system events -$query .= " ORDER BY userid, eventdate"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); -$events = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $row['eventdate'] = strftime("%m/%d/%Y", strtotime($row['eventdate'])); - $events[] = $row; -} -mysql_free_result($events); +try { + $query = "SELECT eventid, userid, description, eventdate, recurring " . + "FROM {$opt["table_prefix"]}events " . + "WHERE userid = ?"; + if ($_SESSION["admin"] == 1) + $query .= " OR userid IS NULL"; // add in system events + $query .= " ORDER BY userid, eventdate"; + $stmt = $smarty->dbh()->prepare($query); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 
'Smarty.class.php'); -$smarty = new Smarty(); -if (isset($message)) { - $smarty->assign('message', $message); + $stmt->execute(); + + $events = array(); + while ($row = $stmt->fetch()) { + $row['eventdate'] = strftime("%m/%d/%Y", strtotime($row['eventdate'])); + $events[] = $row; + } + + if (isset($message)) { + $smarty->assign('message', $message); + } + $smarty->assign('action', $action); + $smarty->assign('haserror', $haserror); + $smarty->assign('events', $events); + $smarty->assign('eventdate', strftime("%m/%d/%Y", strtotime($eventdate))); + if (isset($eventdate_error)) { + $smarty->assign('eventdate_error', $eventdate_error); + } + $smarty->assign('description', $description); + if (isset($description_error)) { + $smarty->assign('description_error', $description_error); + } + $smarty->assign('recurring', $recurring); + $smarty->assign('systemevent', $systemevent); + if (isset($eventid)) { + $smarty->assign('eventid', $eventid); + } + $smarty->assign('userid', $userid); + $smarty->assign('isadmin', $_SESSION['admin']); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('event.tpl'); } -$smarty->assign('action', $action); -$smarty->assign('haserror', $haserror); -$smarty->assign('events', $events); -$smarty->assign('eventdate', strftime("%m/%d/%Y", strtotime($eventdate))); -if (isset($eventdate_error)) { - $smarty->assign('eventdate_error', $eventdate_error); +catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } -$smarty->assign('description', $description); -if (isset($description_error)) { - $smarty->assign('description_error', $description_error); -} -$smarty->assign('recurring', $recurring); -$smarty->assign('systemevent', $systemevent); -$smarty->assign('eventid', $eventid); -$smarty->assign('userid', $userid); -$smarty->assign('isadmin', $_SESSION['admin']); -$smarty->assign('opt', $OPT); -$smarty->display('event.tpl'); ?> diff --git a/src/families.php b/src/families.php index 6349050..f90e1ba 100644 --- a/src/families.php 
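Review bot: `$stmt->bindValue(1, $systemevent ? NULL : $userid, PDO::PARAM_BOOL);` in both the insert and the update branches of the @@ -99 hunk binds the owning `userid` with the boolean type; when `$userid` is an integer PDO converts a PARAM_BOOL value to true/false before sending it, so any user id other than 0 is stored as 1 and every personal event ends up owned by userid 1 (if `$_SESSION["userid"]` is a string the driver may instead send it quoted — either way the type is wrong). Use `PDO::PARAM_INT` for this parameter; a PHP `NULL` still binds as SQL NULL in pdo_mysql under PARAM_INT, so the system-event case keeps working: `$stmt->bindValue(1, $systemevent ? NULL : $userid, PDO::PARAM_INT);`. `$recurring` is a 0/1 integer from the validation block, so its `PARAM_BOOL` binding is harmless, but `PARAM_INT` would match the column's intent.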
+++ b/src/families.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { @@ -30,16 +31,17 @@ else { $userid = $_SESSION["userid"]; } if (!empty($_GET["message"])) { - $message = strip_tags($_GET["message"]); + $message = $_GET["message"]; } $action = empty($_GET["action"]) ? "" : $_GET["action"]; +if (!empty($_GET["familyid"])) + $familyid = (int) $_GET["familyid"]; + if ($action == "insert" || $action == "update") { /* validate the data. */ $familyname = trim($_GET["familyname"]); - if (!get_magic_quotes_gpc()) - $familyname = addslashes($familyname); $haserror = false; if ($familyname == "") { 
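Review bot: `if (!empty($_GET["familyid"])) $familyid = (int) $_GET["familyid"];` in the @@ -30 hunk only defines `$familyid` when the parameter is present, yet the next hunk binds it in the delete, edit, update and members branches and passes it to `$smarty->assign('familyid', $familyid)` on every request, so the plain listing (no action) raises an undefined-variable notice and `action=delete` without an id binds NULL. Initialise it explicitly, `$familyid = empty($_GET["familyid"]) ? null : (int) $_GET["familyid"];`, and have the id-requiring actions die when it is null. The `(int)` cast here is the right pattern; event.php (@@ -27) removed the equivalent cast on `$eventid`.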
@@ -49,104 +51,145 @@ if ($action == "insert" || $action == "update") { } if ($action == "delete") { - /* first, delete all memberships for this family. */ - $query = "DELETE FROM {$OPT["table_prefix"]}memberships WHERE familyid = " . addslashes($_GET["familyid"]); - mysql_query($query) or die("Could not query: " . mysql_error()); - $query = "DELETE FROM {$OPT["table_prefix"]}families WHERE familyid = " . addslashes($_GET["familyid"]); - mysql_query($query) or die("Could not query: " . mysql_error()); - header("Location: " . getFullPath("families.php?message=Family+deleted.")); - exit; + try { + /* first, delete all memberships for this family. */ + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}memberships WHERE familyid = ?"); + $stmt->bindParam(1, $familyid, PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}families WHERE familyid = ?"); + $stmt->bindValue(1, $familyid, PDO::PARAM_INT); + $stmt->execute(); + + header("Location: " . getFullPath("families.php?message=Family+deleted.")); + exit; + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } } else if ($action == "edit") { - $query = "SELECT familyname FROM {$OPT["table_prefix"]}families WHERE familyid = " . addslashes($_GET["familyid"]); - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { - $familyname = $row["familyname"]; + try { + $stmt = $smarty->dbh()->prepare("SELECT familyname FROM {$opt["table_prefix"]}families WHERE familyid = ?"); + $stmt->bindValue(1, $familyid, PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { + $familyname = $row["familyname"]; + } + else { + die("family doesn't exist."); + } + } + catch (PDOException $e) { + die("sql exception: " . 
$e->getMessage()); } - mysql_free_result($rs); } else if ($action == "") { $familyname = ""; } else if ($action == "insert") { if (!$haserror) { - $query = "INSERT INTO {$OPT["table_prefix"]}families(familyid,familyname) " . - "VALUES(NULL,'$familyname')"; - mysql_query($query) or die("Could not query: " . mysql_error()); + try { + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}families(familyid,familyname) VALUES(NULL, ?)"); + $stmt->bindParam(1, $familyname, PDO::PARAM_STR); + $stmt->execute(); + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } + header("Location: " . getFullPath("families.php?message=Family+added.")); exit; } } else if ($action == "update") { if (!$haserror) { - $query = "UPDATE {$OPT["table_prefix"]}families " . - "SET familyname = '$familyname' " . - "WHERE familyid = " . addslashes($_GET["familyid"]); - mysql_query($query) or die("Could not query: " . mysql_error()); + try { + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}families " . + "SET familyname = ? " . + "WHERE familyid = ?"); + $stmt->bindParam(1, $familyname, PDO::PARAM_STR); + $stmt->bindValue(2, $familyid, PDO::PARAM_INT); + $stmt->execute(); + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } + header("Location: " . getFullPath("families.php?message=Family+updated.")); exit; } } else if ($action == "members") { $members = $_GET["members"]; - /* first, delete all memberships for this family. */ - $query = "DELETE FROM {$OPT["table_prefix"]}memberships WHERE familyid = " . addslashes($_GET["familyid"]); - mysql_query($query) or die("Could not query: " . mysql_error()); - /* now add them back. */ - foreach ($members as $userid) { - $query = "INSERT INTO {$OPT["table_prefix"]}memberships(userid,familyid) VALUES(" . addslashes($userid) . "," . addslashes($_GET["familyid"]) . ")"; - mysql_query($query) or die("Could not query: " . 
mysql_error()); + try { + /* first, delete all memberships for this family. */ + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}memberships WHERE familyid = ?"); + $stmt->bindValue(1, $familyid, PDO::PARAM_INT); + $stmt->execute(); + + /* now add them back. */ + foreach ($members as $userid) { + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}memberships(userid,familyid) VALUES(?, ?)"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindParam(2, $familyid, PDO::PARAM_INT); + $stmt->execute(); + } } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } + header("Location: " . getFullPath("families.php?message=Members+changed.")); exit; } else { - echo "Unknown verb."; - exit; + die("Unknown verb."); } -$query = "SELECT f.familyid, familyname, COUNT(userid) AS members " . - "FROM {$OPT["table_prefix"]}families f " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}memberships m ON m.familyid = f.familyid " . +try { + $stmt = $smarty->dbh()->prepare("SELECT f.familyid, familyname, COUNT(userid) AS members " . + "FROM {$opt["table_prefix"]}families f " . + "LEFT OUTER JOIN {$opt["table_prefix"]}memberships m ON m.familyid = f.familyid " . "GROUP BY f.familyid " . - "ORDER BY familyname"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); -$families = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $families[] = $row; -} -mysql_free_result($rs); - -if ($action == "edit") { - $query = "SELECT u.userid, u.fullname, m.familyid FROM {$OPT["table_prefix"]}users u " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}memberships m ON m.userid = u.userid AND m.familyid = " . addslashes($_GET["familyid"]) . " " . - "ORDER BY u.fullname"; - $rs = mysql_query($query) or die("Could not query: " . 
mysql_error()); - $nonmembers = array(); - while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $nonmembers[] = $row; + "ORDER BY familyname"); + $stmt->execute(); + $families = array(); + while ($row = $stmt->fetch()) { + $families[] = $row; } - mysql_free_result($rs); -} -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('action', $action); -$smarty->assign('haserror', $haserror); -if (isset($familyname_error)) { - $smarty->assign('familyname_error', $familyname_error); + if ($action == "edit") { + $stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname, m.familyid FROM {$opt["table_prefix"]}users u " . + "LEFT OUTER JOIN {$opt["table_prefix"]}memberships m ON m.userid = u.userid AND m.familyid = ? " . + "ORDER BY u.fullname"); + $stmt->bindParam(1, $familyid, PDO::PARAM_INT); + $stmt->execute(); + $nonmembers = array(); + while ($row = $stmt->fetch()) { + $nonmembers[] = $row; + } + } + + $smarty->assign('action', $action); + $smarty->assign('haserror', $haserror); + if (isset($familyname_error)) { + $smarty->assign('familyname_error', $familyname_error); + } + $smarty->assign('families', $families); + $smarty->assign('familyid', $familyid); + $smarty->assign('familyname', $familyname); + if (isset($nonmembers)) { + $smarty->assign('nonmembers', $nonmembers); + } + if (isset($message)) { + $smarty->assign('message', $message); + } + $smarty->assign('isadmin', $_SESSION["admin"]); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('families.tpl'); } -$smarty->assign('families', $families); -$smarty->assign('familyid', $_GET["familyid"]); -$smarty->assign('familyname', $familyname); -if (isset($nonmembers)) { - $smarty->assign('nonmembers', $nonmembers); +catch (PDOException $e) { + die("sql exception: " . 
$e->getMessage()); } -if (isset($message)) { - $smarty->assign('message', $message); -} -$smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); -$smarty->display('families.tpl'); ?> diff --git a/src/footer.php b/src/footer.php deleted file mode 100644 index a83711c..0000000 --- a/src/footer.php +++ /dev/null @@ -1,12 +0,0 @@ -
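Review bot: The `members` branch in the @@ -49 hunk deletes every membership row for the family and re-inserts the posted list with no transaction around the two steps, so a failure part-way through the loop (which the new catch turns into `die()`) leaves the family with some or none of its members; the loop also rebinds each raw `$_GET["members"]` element without an integer cast and reuses `$userid`, clobbering the session user's id for the rest of the script. Wrap the DELETE and INSERTs in `beginTransaction()`/`commit()` (effective only if the tables use a transactional engine such as InnoDB — worth confirming), prepare the INSERT once, and iterate over a differently named variable with a `(int)` cast. An explicit `rollBack()` before `die()` in the catch makes the failure path obvious, although the connection drop at `die()` discards the open transaction anyway.
```php
else if ($action == "members") {
    $members = (isset($_GET["members"]) && is_array($_GET["members"])) ? $_GET["members"] : array();
    try {
        $dbh = $smarty->dbh();
        $dbh->beginTransaction();
        /* first, delete all memberships for this family. */
        $stmt = $dbh->prepare("DELETE FROM {$opt["table_prefix"]}memberships WHERE familyid = ?");
        $stmt->bindValue(1, $familyid, PDO::PARAM_INT);
        $stmt->execute();

        /* now add them back, reusing one prepared statement for the whole list. */
        $stmt = $dbh->prepare("INSERT INTO {$opt["table_prefix"]}memberships(userid,familyid) VALUES(?, ?)");
        foreach ($members as $memberid) {
            $stmt->bindValue(1, (int) $memberid, PDO::PARAM_INT);
            $stmt->bindValue(2, $familyid, PDO::PARAM_INT);
            $stmt->execute();
        }
        $dbh->commit();
    }
    catch (PDOException $e) {
        if (isset($dbh) && $dbh->inTransaction()) $dbh->rollBack();
        // … unchanged: die("sql exception: ...") …
    }
    // … unchanged: redirect to families.php?message=Members+changed. …
```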

-

- - - - - - - -
Powered by PHPPowered by MySQL
-
-

diff --git a/src/forgot.php b/src/forgot.php index 80f32a2..1bebe88 100644 --- a/src/forgot.php +++ b/src/forgot.php 
@@ -13,57 +13,59 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); -$error = ""; +if (isset($_POST["action"]) && $_POST["action"] == "forgot") { + $username = $_POST["username"]; -if (isset($_POST["action"])) { - if ($_POST["action"] == "forgot") { - $username = $_POST["username"]; - if (!get_magic_quotes_gpc()) { - $username = addslashes($username); - } - + try { // make sure that username is valid - $query = "SELECT email FROM {$OPT["table_prefix"]}users WHERE username = '$username'"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if (mysql_num_rows($rs) == 0) { - $error = "The username '" . stripslashes($username) . "' could not be found."; - mysql_free_result($rs); - } - else { - $row = mysql_fetch_array($rs,MYSQL_ASSOC); - $email = $row["email"]; - mysql_free_result($rs); + $stmt = $smarty->dbh()->prepare("SELECT email FROM {$opt["table_prefix"]}users WHERE username = ?"); + $stmt->bindParam(1, $username, PDO::PARAM_STR); + $stmt->execute(); + if ($row = $stmt->fetch()) { + $email = $row["email"]; + if ($email == "") - $error = "The username '" . stripslashes($username) . "' does not have an e-mail address, so the password could not be sent."; + $error = "The username '" . $username . "' does not have an e-mail address, so the password could not be sent."; else { - $pwd = generatePassword(); - $query = "UPDATE {$OPT["table_prefix"]}users SET password = {$OPT["password_hasher"]}('$pwd') WHERE username = '$username'"; - mysql_query($query) or die("Could not query: " . 
mysql_error()); + $pwd = generatePassword($opt); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET password = {$opt["password_hasher"]}(?) WHERE username = ?"); + $stmt->bindParam(1, $pwd, PDO:PARAM_STR); + $stmt->bindParam(2, $username, PDO::PARAM_STR); + + $stmt->execute(); mail( $email, "Gift Registry password reset", "Your Gift Registry account information:\r\n" . "Your username is '" . $username . "' and your new password is '$pwd'.", - "From: {$GLOBALS["OPT"]["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$GLOBALS["OPT"]["email_xmailer"]}\r\n" - ) or die("Mail not accepted for $email"); + "From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n" + ) or die("Mail not accepted for $email"); } } + else { + $error = "The username '" . $username . "' could not be found."; + } + + if (!empty($error)) { + $smarty->assign('error', $error); + } + $smarty->assign('action', $_POST["action"]); + $smarty->assign('username', $username); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('forgot.tpl'); + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } } - -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); -if (isset($error) && $error != "") { - $smarty->assign('error', $error); +else { + $smarty->assign('opt', $smarty->opt()); + $smarty->display('forgot.tpl'); } -$smarty->assign('action', $_POST["action"]); -$smarty->assign('username', $username); -$smarty->assign('opt', $OPT); -$smarty->display('forgot.tpl'); ?> diff --git a/src/funcLib.php b/src/funcLib.php deleted file mode 100644 index bf77d0e..0000000 --- a/src/funcLib.php +++ /dev/null 
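Review bot: `$stmt->bindParam(1, $pwd, PDO:PARAM_STR);` in the password-update branch uses a single colon, which is a parse error, so the whole of forgot.php fails to load after this commit; it must be `$stmt->bindParam(1, $pwd, PDO::PARAM_STR);`. The restructured branch still returns two different messages — `could not be found` versus `does not have an e-mail address` — which tells a caller which usernames exist; one neutral message such as `"If that account exists and has an e-mail address, a new password has been sent."` for both cases avoids that. `$smarty->assign('username', $username)` now carries the raw POST value to the template, so the same escaping question as `$message` in categories.php applies here.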
@@ -1,162 +0,0 @@ - $howmany) - $actual = -$howmany; - else - $actual = $adjust; - } - else { - $actual = $adjust; - } - - if ($howmany + $actual == 0) - $query = "DELETE FROM {$GLOBALS["OPT"]["table_prefix"]}allocs WHERE itemid = $itemid AND userid = $userid AND bought = $bought"; - else - $query = "UPDATE {$GLOBALS["OPT"]["table_prefix"]}allocs " . - "SET quantity = quantity + $actual " . // because "quantity + -5" is okay. - "WHERE itemid = $itemid AND userid = $userid AND bought = $bought"; - - mysql_query($query) or die("Could not query: " . mysql_error()); - return $actual; - } -} - -function getExistingQuantity($itemid, $userid, $bought) { - $query = "SELECT quantity FROM {$GLOBALS["OPT"]["table_prefix"]}allocs WHERE bought = $bought AND userid = $userid AND itemid = $itemid"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - $row = mysql_fetch_array($rs,MYSQL_ASSOC); - if (!$row) - return 0; - else { - $qty = $row["quantity"]; - mysql_free_result($rs); - return $qty; - } -} - -function sendMessage($sender, $recipient, $message) { - // assumes $message has already been slashed. - $query = "INSERT INTO {$GLOBALS["OPT"]["table_prefix"]}messages(sender,recipient,message,created) " . - "VALUES($sender,$recipient,'$message','" . strftime("%Y-%m-%d") . "')"; - mysql_query($query) or die("Could not query: " . mysql_error()); - - // determine if e-mail must be sent. - $query = "SELECT ur.email_msgs, ur.email AS remail, us.fullname, us.email AS semail FROM {$GLOBALS["OPT"]["table_prefix"]}users ur " . - "INNER JOIN {$GLOBALS["OPT"]["table_prefix"]}users us ON us.userid = $sender " . - "WHERE ur.userid = $recipient"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - $row = mysql_fetch_array($rs,MYSQL_ASSOC); - if (!$row) die("Recipient does not exist."); - if ($row["email_msgs"] == 1) { - mail( - $row["remail"], - "Gift Registry message from " . $row["fullname"], - $row["fullname"] . " <" . $row["semail"] . 
"> sends:\r\n" . stripslashes($message), - "From: {$GLOBALS["OPT"]["email_from"]}\r\nReply-To: " . $row["semail"] . "\r\nX-Mailer: {$GLOBALS["OPT"]["email_xmailer"]}\r\n" - ) or die("Mail not accepted for " . $row["remail"]); - } - mysql_free_result($rs); -} - -function generatePassword() { - //* borrowed from hitech-password.php - a PHP Message board script - //* (c) Hitech Scripts 2003 - //* For more information, visit http://www.hitech-scripts.com - //* modified for phpgiftreg by Chris Clonch - mt_srand((double) microtime() * 1000000); - $newstring = ""; - if ($GLOBALS["OPT"]["password_length"] > 0) { - while(strlen($newstring) < $GLOBALS["OPT"]["password_length"]) { - switch (mt_rand(1,3)) { - case 1: $newstring .= chr(mt_rand(48,57)); break; // 0-9 - case 2: $newstring .= chr(mt_rand(65,90)); break; // A-Z - case 3: $newstring .= chr(mt_rand(97,122)); break; // a-z - } - } - } - return $newstring; -} - -function formatPrice($price) { - if ($price == 0.0 && $GLOBALS["OPT"]["hide_zero_price"]) - return " "; - else - return $GLOBALS["OPT"]["currency_symbol"] . number_format($price,2,".",","); -} - -function stampUser($userid) { - $query = "UPDATE {$GLOBALS["OPT"]["table_prefix"]}users SET list_stamp = NOW() WHERE userid = $userid"; - mysql_query($query) or die("Could not query: " . mysql_error()); -} - -function deleteImageForItem($itemid) { - $query = "SELECT image_filename FROM {$GLOBALS["OPT"]["table_prefix"]}items WHERE itemid = $itemid"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { - if ($row["image_filename"] != "") { - unlink($GLOBALS["OPT"]["image_subdir"] . "/" . $row["image_filename"]); - } - } - mysql_free_result($rs); - $query = "UPDATE {$GLOBALS["OPT"]["table_prefix"]}items SET image_filename = NULL WHERE itemid = $itemid"; - mysql_query($query) or die("Could not query: " . 
mysql_error()); -} - -function fixForJavaScript($s) { - $s = htmlentities($s); - $s = str_replace("'","\\'",$s); - $s = str_replace("\r\n","
",$s); - $s = str_replace("\n","
",$s); - return $s; -} -?> diff --git a/src/includes/config.php b/src/includes/config.php new file mode 100644 index 0000000..429716f --- /dev/null +++ b/src/includes/config.php @@ -0,0 +1,129 @@ + "mysql:host=localhost;dbname=giftreg", + + /* The database username and password. */ + "pdo_username" => "dbusername", + "pdo_password" => "dbpassword", + + /* The maximum number of days before an event which produces a notification. */ + "event_threshold" => "60", + + /* Whether or not requesting to shop for someone is immediately approved. + 0 = auto-approve, + 1 = require approval + */ + "shop_requires_approval" => 1, + + /* Whether or not requesting a new account is immediately approved. + 0 = auto-approve, + 1 = require administrator approval + */ + "newuser_requires_approval" => 1, + + /* Whether or not whom an item is reserved/bought by is hidden. */ + "anonymous_purchasing" => 0, + + /* The number of your items that show on each page. */ + "items_per_page" => 10, + + /* The e-mail 
From: header. */ + "email_from" => "webmaster@" . $_SERVER['SERVER_NAME'], + + /* The e-mail Reply-To: header. */ + "email_reply_to" => "your@address.com", + + /* The e-mail X-Mailer header. */ + "email_xmailer" => "PHP/" . phpversion(), + + /* Whether or not to show brief blurbs in certain spots which describe how + features work. + 0 = don't help text, + 1 = show help text + */ + "show_helptext" => 0, + + /* Whether or not clicking the Delete Item link requires a JavaScript-based + confirmation. + 0 = don't show confirmation, + 1 = show confirmation + */ + "confirm_item_deletes" => 0, + + /* Whether or not to allow multiple quantities of an item. */ + "allow_multiples" => 1, + + /* This is prefixed to all currency values, set it as appropriate for your currency. */ + "currency_symbol" => "$", // US or other dollars + //"currency_symbol" => "£", // Pound (£) symbol + //"currency_symbol" => "¥", // Yen + //"currency_symbol" => "€", // Euro + //"currency_symbol" => "€", // Euro alternative + + /* If this is set to something other than "" then phpgiftreg will expect that + string to prefix all tables in this installation. Useful for running + multiple phpgiftreg installations in the same MySQL database. + */ + "table_prefix" => "", + //"table_prefix" => "gift_", // all tables must be prefixed by `gift_' + + /* Whether or not your own events show up on the home page. + 0 = don't show my own events, + 1 = show my own events + */ + "show_own_events" => 1, + + /* The length of random generated passwords. */ + "password_length" => 8, + + /* Whether or not to hide the price when it's $0.00. + 0 = don't hide it, + 1 = hide it + */ + "hide_zero_price" => 1, + + /* Whether or not to hash passwords. Your version of MySQL may or may not + support it. + "MD5" = use MySQL's MD5() function, + "SHA1" = use MySQL's SHA1() function, + "" = use nothing (store passwords in plaintext). 
+ If you switch this on, you're going to need to do a + UPDATE users SET password = MD5(password) + on your database to convert the passwords. This operation is NON-REVERSIBLE! + */ + "password_hasher" => "SHA1", + + /* Whether or not to allow image uploads. If on, the next option must point to + a valid subdirectory that is writeable by the web server. The setup.php + script will confirm this. + 0 = don't allow images, + 1 = allow images + */ + "allow_images" => 1, + + /* The *sub*-directory we we can store item images. If you don't want to + allow images to be attached to items, leave this variable empty (""). + Trailing / is optional. + */ + "image_subdir" => "item_images" + ); +} +?> diff --git a/src/includes/funcLib.php b/src/includes/funcLib.php new file mode 100644 index 0000000..4ce13ae --- /dev/null +++ b/src/includes/funcLib.php 
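Review bot: The `password_hasher` comment in the new src/includes/config.php documents `""` (plaintext) as a normal option and presents MD5() and SHA1() as interchangeable without saying that both are unsalted, fast hashes; since the file ships `"SHA1"` as the default, the comment should state that `""` is for test installs only and that MD5 is kept for existing databases rather than new ones. `"email_from" => "webmaster@" . $_SERVER['SERVER_NAME']` takes its domain from a value that, depending on the web server's canonical-name setting, may echo the request's Host header, so a comment recommending a fixed `email_from` on production installs would help.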
@@ -0,0 +1,179 @@ +prepare("INSERT INTO {$opt["table_prefix"]}allocs(itemid,userid,bought,quantity) VALUES(?, ?, ?, ?)"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->bindParam(2, $userid, PDO::PARAM_INT); + $stmt->bindParam(3, $bought, PDO::PARAM_BOOL); + $stmt->bindParam(4, $adjust, PDO::PARAM_INT); + $stmt->execute(); + return $howmany; + } + } + else { + /* figure out the real amount to adjust by, in case someone claims to have + received 3 of something from a buyer when they only bought 2. */ + if ($adjust < 0) { + if (abs($adjust) > $howmany) + $actual = -$howmany; + else + $actual = $adjust; + } + else { + $actual = $adjust; + } + + if ($howmany + $actual == 0) { + $stmt = $dbh->prepare("DELETE FROM {$opt["table_prefix"]}allocs WHERE itemid = ? AND userid = ? AND bought = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->bindParam(2, $userid, PDO::PARAM_INT); + $stmt->bindParam(3, $bought, PDO::PARAM_BOOL); + $stmt->execute(); + } + else { + $stmt = $dbh->prepare("UPDATE {$opt["table_prefix"]}allocs " . + "SET quantity = quantity + ? " . // because "quantity + -5" is okay. + "WHERE itemid = ? AND userid = ? AND bought = ?"); + $stmt->bindParam(1, $actual, PDO::PARAM_INT); + $stmt->bindParam(2, $itemid, PDO::PARAM_INT); + $stmt->bindParam(3, $userid, PDO::PARAM_INT); + $stmt->bindParam(4, $bought, PDO::PARAM_BOOL); + $stmt->execute(); + } + return $actual; + } +} + +function getExistingQuantity($itemid, $userid, $bought, $dbh, $opt) { + $stmt = $dbh->prepare("SELECT quantity FROM {$opt["table_prefix"]}allocs WHERE bought = ? AND userid = ? 
AND itemid = ?"); + $stmt->bindParam(1, $bought, PDO::PARAM_BOOL); + $stmt->bindParam(2, $userid, PDO::PARAM_INT); + $stmt->bindParam(3, $itemid, PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { + return $row["quantity"]; + } + else { + return 0; + } +} + +function sendMessage($sender, $recipient, $message, $dbh, $opt) { + $stmt = $dbh->prepare("INSERT INTO {$opt["table_prefix"]}messages(sender,recipient,message,created) VALUES(?, ?, ?, ?)"); + $stmt->bindParam(1, $sender, PDO::PARAM_INT); + $stmt->bindParam(2, $recipient, PDO::PARAM_INT); + $stmt->bindParam(3, $message, PDO::PARAM_STR); + $stmt->bindValue(4, strftime("%Y-%m-%d"), PDO::PARAM_STR); + $stmt->execute(); + + // determine if e-mail must be sent. + $stmt = $dbh->prepare("SELECT ur.email_msgs, ur.email AS remail, us.fullname, us.email AS semail FROM {$opt["table_prefix"]}users ur " . + "INNER JOIN {$opt["table_prefix"]}users us ON us.userid = ? " . + "WHERE ur.userid = ?"); + $stmt->bindParam(1, $sender, PDO::PARAM_INT); + $stmt->bindParam(2, $recipient, PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { + if ($row["email_msgs"] == 1) { + mail( + $row["remail"], + "Gift Registry message from " . $row["fullname"], + $row["fullname"] . " <" . $row["semail"] . "> sends:\r\n" . $message, + "From: {$opt["email_from"]}\r\nReply-To: " . $row["semail"] . "\r\nX-Mailer: {$opt["email_xmailer"]}\r\n" + ) or die("Mail not accepted for " . 
$row["remail"]); + } + } + else { + die("recipient doesn't exist"); + } +} + +function generatePassword($opt) { + //* borrowed from hitech-password.php - a PHP Message board script + //* (c) Hitech Scripts 2003 + //* For more information, visit http://www.hitech-scripts.com + //* modified for phpgiftreg by Chris Clonch + mt_srand((double) microtime() * 1000000); + $newstring = ""; + if ($opt["password_length"] > 0) { + while(strlen($newstring) < $opt["password_length"]) { + switch (mt_rand(1,3)) { + case 1: $newstring .= chr(mt_rand(48,57)); break; // 0-9 + case 2: $newstring .= chr(mt_rand(65,90)); break; // A-Z + case 3: $newstring .= chr(mt_rand(97,122)); break; // a-z + } + } + } + return $newstring; +} + +function formatPrice($price, $opt) { + if ($price == 0.0 && $opt["hide_zero_price"]) + return " "; + else + return $opt["currency_symbol"] . number_format($price,2,".",","); +} + +function stampUser($userid, $dbh, $opt) { + $stmt = $dbh->prepare("UPDATE {$opt["table_prefix"]}users SET list_stamp = NOW() WHERE userid = ?"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->execute(); +} + +function deleteImageForItem($itemid, $dbh, $opt) { + $stmt = $dbh->prepare("SELECT image_filename FROM {$opt["table_prefix"]}items WHERE itemid = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { + if ($row["image_filename"] != "") { + unlink($opt["image_subdir"] . "/" . $row["image_filename"]); + } + + $stmt = $dbh->prepare("UPDATE {$opt["table_prefix"]}items SET image_filename = NULL WHERE itemid = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->execute(); + } +} + +function fixForJavaScript($s) { + $s = htmlentities($s); + $s = str_replace("'","\\'",$s); + $s = str_replace("\r\n","
",$s); + $s = str_replace("\n","
",$s); + return $s; +} +?> diff --git a/src/index.php b/src/index.php index c9fb880..ce5b432 100644 --- a/src/index.php +++ b/src/index.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { @@ -27,7 +28,7 @@ else { } if (!empty($_GET["message"])) { - $message = strip_tags($_GET["message"]); + $message = $_GET["message"]; } /* if we've got `page' on the query string, set the session page indicator. */ 
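Review bot: generatePassword() draws every character from mt_rand(), seeded with `mt_srand((double) microtime() * 1000000)`, which is a non-cryptographic generator with a guessable seed, so generated passwords are predictable; on PHP 7+ the `random_int()` CSPRNG should be used and the explicit seeding dropped. The rewrite below keeps the same alphabet and length contract. A secondary point in sendMessage(): `$row["semail"]` is placed straight into the `Reply-To:` mail header, so unless the address is validated at registration (not visible here) a value containing CR/LF would inject further headers; a `filter_var($row["semail"], FILTER_VALIDATE_EMAIL)` guard before the `mail()` call would close that. The rendered hunk is missing its opening lines (it begins mid-statement at `prepare(`), so the first function's signature is outside this view.
```php
function generatePassword($opt) {
    //* borrowed from hitech-password.php - a PHP Message board script
    //* (c) Hitech Scripts 2003
    //* For more information, visit http://www.hitech-scripts.com
    //* modified for phpgiftreg by Chris Clonch
    $newstring = "";
    if ($opt["password_length"] > 0) {
        while (strlen($newstring) < $opt["password_length"]) {
            // random_int() uses the OS CSPRNG; mt_rand() seeded from microtime() is predictable.
            switch (random_int(1, 3)) {
                case 1: $newstring .= chr(random_int(48, 57)); break;  // 0-9
                case 2: $newstring .= chr(random_int(65, 90)); break;  // A-Z
                case 3: $newstring .= chr(random_int(97, 122)); break; // a-z
            }
        }
    }
    return $newstring;
}
```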
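Review bot: `$message = $_GET["message"];` drops the previous `strip_tags()` call and hands the raw query-string value to the template via `$smarty->assign('message', $message)`, so unless MySmarty turns on Smarty's `escape_html` (not visible in this diff) the home page reflects attacker-controlled markup. Either keep escaping at the boundary, `$message = htmlspecialchars($_GET["message"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, or confirm that MySmarty sets `$this->escape_html = true` and add a comment here saying the template layer escapes it. The same removal appears in the other page scripts touched by this commit.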
@@ -45,30 +46,40 @@ else { if (!empty($_GET["action"])) { $action = $_GET["action"]; if ($action == "ack") { - $query = "UPDATE {$OPT["table_prefix"]}messages SET isread = 1 WHERE messageid = " . (int) $_GET["messageid"]; - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}messages SET isread = 1 WHERE messageid = ?"); + $stmt->bindValue(1, (int) $_GET["messageid"], PDO::PARAM_INT); + $stmt->execute(); } else if ($action == "approve") { - $query = "UPDATE {$OPT["table_prefix"]}shoppers SET pending = 0 WHERE shopper = " . (int) $_GET["shopper"] . " AND mayshopfor = $userid"; - mysql_query($query) or die("Could not query: " . mysql_error()); - sendMessage($userid,(int) $_GET["shopper"],addslashes($_SESSION["fullname"] . " has approved your request to shop for him/her.")); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}shoppers SET pending = 0 WHERE shopper = ? AND mayshopfor = ?"); + $stmt->bindValue(1, (int) $_GET["shopper"], PDO::PARAM_INT); + $stmt->bindParam(2, $userid, PDO::PARAM_INT); + $stmt->execute(); + sendMessage($userid,(int) $_GET["shopper"],$_SESSION["fullname"] . " has approved your request to shop for him/her.", $smarty->dbh(), $smarty->opt()); } else if ($action == "decline") { - $query = "DELETE FROM {$OPT["table_prefix"]}shoppers WHERE shopper = " . (int) $_GET["shopper"] . " AND mayshopfor = $userid"; - mysql_query($query) or die("Could not query: " . mysql_error()); - sendMessage($userid,(int) $_GET["shopper"],addslashes($_SESSION["fullname"] . " has declined your request to shop for him/her.")); + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? AND mayshopfor = ?"); + $stmt->bindValue(1, (int) $_GET["shopper"], PDO::PARAM_INT); + $stmt->bindParam(2, $userid, PDO::PARAM_INT); + $stmt->execute(); + sendMessage($userid,(int) $_GET["shopper"],$_SESSION["fullname"] . 
" has declined your request to shop for him/her.", $smarty->dbh(), $smarty->opt()); } else if ($action == "request") { - $query = "INSERT INTO {$OPT["table_prefix"]}shoppers(shopper,mayshopfor,pending) VALUES($userid," . (int) $_GET["shopfor"] . ",{$OPT["shop_requires_approval"]})"; - mysql_query($query) or die("Could not query: " . mysql_error()); - if ($OPT["shop_requires_approval"]) { - sendMessage($userid,(int) $_GET["shopfor"],addslashes($_SESSION["fullname"] . " has requested to shop for you. Please approve or decline this request.")); + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}shoppers(shopper,mayshopfor,pending) VALUES(?, ?, ?)"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindValue(2, (int) $_GET["shopfor"], PDO::PARAM_INT); + $stmt->bindValue(3, $opt["shop_requires_approval"], PDO::PARAM_BOOL); + $stmt->execute(); + if ($opt["shop_requires_approval"]) { + sendMessage($userid,(int) $_GET["shopfor"],$_SESSION["fullname"] . " has requested to shop for you. Please approve or decline this request.", $smarty->dbh(), $smarty->opt()); } } else if ($action == "cancel") { // this works for either cancelling a request or "unshopping" for a user. - $query = "DELETE FROM {$OPT["table_prefix"]}shoppers WHERE shopper = " . $userid . " AND mayshopfor = " . (int) $_GET["shopfor"]; - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? AND mayshopfor = ?"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindValue(2, (int) $_GET["shopfor"], PDO::PARAM_INT); + $stmt->execute(); } } 
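Review bot: None of the new `$stmt->execute()` calls in this hunk check their return value and there is no `try`/`catch`, whereas item.php and login.php in the same commit wrap their PDO work in `catch (PDOException $e)`; if MySmarty::dbh() does not set `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` a failed UPDATE/DELETE here is silent and the follow-up `sendMessage()` still tells the other user the request was approved or declined. The old code at least died on `mysql_error()`. Either confirm the error mode in MySmarty and note it in a comment at the top of the file, or guard the notification with `if ($stmt->rowCount() > 0)`. The same applies to the later query hunks in index.php.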
@@ -97,69 +108,75 @@ else { $sortby = "rankorder DESC, i.description"; } } -$query = "SELECT itemid, description, c.category, price, url, rendered, comment, image_filename FROM {$OPT["table_prefix"]}items i LEFT OUTER JOIN {$OPT["table_prefix"]}categories c ON c.categoryid = i.category LEFT OUTER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking WHERE userid = " . $userid . " ORDER BY $sortby"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); -$myitems_count = mysql_num_rows($rs); +$stmt = $smarty->dbh()->prepare("SELECT itemid, description, c.category, price, url, rendered, comment, image_filename FROM {$opt["table_prefix"]}items i LEFT OUTER JOIN {$opt["table_prefix"]}categories c ON c.categoryid = i.category LEFT OUTER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking WHERE userid = ? ORDER BY " . $sortby); +$stmt->bindParam(1, $userid, PDO::PARAM_INT); +$stmt->execute(); +$myitems_count = 0; $myitems = array(); -for ($i = 0; $i < $offset; $i++) { - $row = mysql_fetch_array($rs, MYSQL_ASSOC); +for ($i = 0; $i < $offset; $i++, ++$myitems_count) { + $row = $stmt->fetch(); } $i = 0; -while ($i++ < $OPT["items_per_page"] && $row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $row['price'] = formatPrice($row['price']); +while ($i++ < $opt["items_per_page"] && $row = $stmt->fetch()) { + $row['price'] = formatPrice($row['price'], $opt); $myitems[] = $row; + ++$myitems_count; +} +while ($stmt->fetch()) { + ++$myitems_count; } -mysql_free_result($rs); -$query = "SELECT u.userid, u.fullname, u.comment, u.list_stamp, COUNT(i.itemid) AS itemcount " . - "FROM {$OPT["table_prefix"]}shoppers s " . - "INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.mayshopfor " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}items i ON u.userid = i.userid " . - "WHERE s.shopper = " . $userid . " " . +$stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname, u.comment, u.list_stamp, COUNT(i.itemid) AS itemcount " . 
+ "FROM {$opt["table_prefix"]}shoppers s " . + "INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.mayshopfor " . + "LEFT OUTER JOIN {$opt["table_prefix"]}items i ON u.userid = i.userid " . + "WHERE s.shopper = ? " . "AND pending = 0 " . "GROUP BY u.userid, u.fullname, u.list_stamp " . - "ORDER BY u.fullname"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); + "ORDER BY u.fullname"); +$stmt->bindParam(1, $userid, PDO::PARAM_INT); +$stmt->execute(); $shoppees = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $row['list_stamp'] = ($row['list_stamp == 0'] ? '-' : strftime("%m/%d/%Y", strtotime($row['list_stamp']))); $shoppees[] = $row; } -mysql_free_result($rs); -$query = "SELECT DISTINCT u.userid, u.fullname, s.pending " . - "FROM {$OPT["table_prefix"]}memberships mymem " . - "INNER JOIN {$OPT["table_prefix"]}memberships others " . - "ON others.familyid = mymem.familyid AND others.userid <> " . $userid . " " . - "INNER JOIN {$OPT["table_prefix"]}users u " . +$stmt = $smarty->dbh()->prepare("SELECT DISTINCT u.userid, u.fullname, s.pending " . + "FROM {$opt["table_prefix"]}memberships mymem " . + "INNER JOIN {$opt["table_prefix"]}memberships others " . + "ON others.familyid = mymem.familyid AND others.userid <> ? " . + "INNER JOIN {$opt["table_prefix"]}users u " . "ON u.userid = others.userid " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}shoppers s " . - "ON s.mayshopfor = others.userid AND s.shopper = " . $userid . " " . - "WHERE mymem.userid = " . $userid . " " . + "LEFT OUTER JOIN {$opt["table_prefix"]}shoppers s " . + "ON s.mayshopfor = others.userid AND s.shopper = ? " . + "WHERE mymem.userid = ? " . "AND (s.pending IS NULL OR s.pending = 1) " . "AND u.approved = 1 " . - "ORDER BY u.fullname"; -$rs = mysql_query($query) or die("Could not query: " . 
mysql_error()); + "ORDER BY u.fullname"); +$stmt->bindParam(1, $userid, PDO::PARAM_INT); +$stmt->bindParam(2, $userid, PDO::PARAM_INT); +$stmt->bindParam(3, $userid, PDO::PARAM_INT); +$stmt->execute(); $prospects = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $prospects[] = $row; } -mysql_free_result($rs); -$query = "SELECT messageid, u.fullname, message, created " . - "FROM {$OPT["table_prefix"]}messages m " . - "INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = m.sender " . - "WHERE m.recipient = " . $userid . " " . +$stmt = $smarty->dbh()->prepare("SELECT messageid, u.fullname, message, created " . + "FROM {$opt["table_prefix"]}messages m " . + "INNER JOIN {$opt["table_prefix"]}users u ON u.userid = m.sender " . + "WHERE m.recipient = ? " . "AND m.isread = 0 " . - "ORDER BY created DESC"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); + "ORDER BY created DESC"); +$stmt->bindParam(1, $userid, PDO::PARAM_INT); +$stmt->execute(); $messages = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $row['created'] = strftime("%a, %b %d", strtotime($row['created'])); +while ($row = $stmt->fetch()) { + $row['created'] = strftime("%m/%d/%Y", strtotime($row['created'])); $messages[] = $row; } -mysql_free_result($rs); - + $query = "SELECT CONCAT(YEAR(CURDATE()),'-',MONTH(eventdate),'-',DAYOFMONTH(eventdate)) AS DateThisYear, " . "TO_DAYS(CONCAT(YEAR(CURDATE()),'-',MONTH(eventdate),'-',DAYOFMONTH(eventdate))) AS ToDaysDateThisYear, " . "CONCAT(YEAR(CURDATE()) + 1,'-',MONTH(eventdate),'-',DAYOFMONTH(eventdate)) AS DateNextYear, " . 
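Review bot: `for ($i = 0; $i < $offset; $i++, ++$myitems_count)` increments the count on every iteration even when `$stmt->fetch()` already returned false, so an `$offset` past the end of the result set overstates `$myitems_count` (it was `mysql_num_rows()` before). Counting only real rows fixes it: `for ($i = 0; $i < $offset && $stmt->fetch(); $i++) { ++$myitems_count; }`. On the unchanged line below, `$row['list_stamp == 0']` looks up a key literally named `list_stamp == 0`, which never exists, so the `'-'` branch is dead; it was presumably meant as `$row['list_stamp'] == 0`. `$sortby` is concatenated into the ORDER BY clause; it is built above this hunk, so it needs to be confirmed there that it only ever holds fixed strings.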
@@ -167,28 +184,32 @@ $query = "SELECT CONCAT(YEAR(CURDATE()),'-',MONTH(eventdate),'-',DAYOFMONTH(even "TO_DAYS(CURDATE()) AS ToDaysToday, " . "TO_DAYS(eventdate) AS ToDaysEventDate, " . "e.userid, u.fullname, description, eventdate, recurring, s.pending " . - "FROM {$OPT["table_prefix"]}events e " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}users u ON u.userid = e.userid " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}shoppers s ON s.mayshopfor = e.userid AND s.shopper = $userid "; -if ($OPT["show_own_events"]) + "FROM {$opt["table_prefix"]}events e " . + "LEFT OUTER JOIN {$opt["table_prefix"]}users u ON u.userid = e.userid " . + "LEFT OUTER JOIN {$opt["table_prefix"]}shoppers s ON s.mayshopfor = e.userid AND s.shopper = ? "; +if ($opt["show_own_events"]) $query .= "WHERE (pending = 0 OR pending IS NULL)"; else - $query .= "WHERE (e.userid <> $userid OR e.userid IS NULL) AND (pending = 0 OR pending IS NULL)"; + $query .= "WHERE (e.userid <> ? OR e.userid IS NULL) AND (pending = 0 OR pending IS NULL)"; $query .= "ORDER BY u.fullname"; -$rs = mysql_query($query) or die("Could not query: " . 
mysql_error()); +$stmt = $smarty->dbh()->prepare($query); +$stmt->bindParam(1, $userid, PDO::PARAM_INT); +if (!$opt["show_own_events"]) + $stmt->bindParam(2, $userid, PDO::PARAM_INT); +$stmt->execute(); $events = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $event_fullname = $row["fullname"]; $days_left = -1; - if (!$row["recurring"] && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) <= $OPT["event_threshold"])) { + if (!$row["recurring"] && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysEventDate"] - $row["ToDaysToday"]) <= $opt["event_threshold"])) { $days_left = $row["ToDaysEventDate"] - $row["ToDaysToday"]; $event_date = strtotime($row["eventdate"]); } - else if ($row["recurring"] && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) <= $OPT["event_threshold"])) { + else if ($row["recurring"] && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateThisYear"] - $row["ToDaysToday"]) <= $opt["event_threshold"])) { $days_left = $row["ToDaysDateThisYear"] - $row["ToDaysToday"]; $event_date = strtotime($row["DateThisYear"]); } - else if ($row["recurring"] && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) <= $OPT["event_threshold"])) { + else if ($row["recurring"] && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) >= 0) && (($row["ToDaysDateNextYear"] - $row["ToDaysToday"]) <= $opt["event_threshold"])) { $days_left = $row["ToDaysDateNextYear"] - $row["ToDaysToday"]; $event_date = strtotime($row["DateNextYear"]); } @@ -202,7 +223,6 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { $events[] = $thisevent; } } -mysql_free_result($rs); function compareEvents($a, $b) { if ($a[0] == $b[0]) 
@@ -215,38 +235,36 @@ function compareEvents($a, $b) { // sort() wanted to sort based on the array keys, which were 0..n - 1, so that was useless. usort($events, "compareEvents"); -if ($OPT["shop_requires_approval"]) { +if ($opt["shop_requires_approval"]) { $query = "SELECT u.userid, u.fullname " . - "FROM {$OPT["table_prefix"]}shoppers s " . - "INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.shopper " . - "WHERE s.mayshopfor = " . $userid . " " . + "FROM {$opt["table_prefix"]}shoppers s " . + "INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.shopper " . + "WHERE s.mayshopfor = ? " . "AND s.pending = 1 " . "ORDER BY u.fullname"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare($query); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->execute(); $pending = array(); - while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { + while ($row = $stmt->fetch()) { $pending[] = $row; } - mysql_free_result($rs); } -if (($_SESSION["admin"] == 1) && $OPT["newuser_requires_approval"]) { +if (($_SESSION["admin"] == 1) && $opt["newuser_requires_approval"]) { $query = "SELECT userid, fullname, email, approved, initialfamilyid, familyname " . - "FROM {$OPT["table_prefix"]}users u " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}families f ON f.familyid = u.initialfamilyid " . + "FROM {$opt["table_prefix"]}users u " . + "LEFT OUTER JOIN {$opt["table_prefix"]}families f ON f.familyid = u.initialfamilyid " . "WHERE approved = 0 " . "ORDER BY fullname"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare($query); + $stmt->execute(); $approval = array(); - while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { + while ($row = $stmt->fetch()) { $approval[] = $row; } - mysql_free_result($rs); } -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 
'Smarty.class.php'); -$smarty = new Smarty(); $smarty->assign('fullname', $_SESSION['fullname']); if (isset($message)) { $smarty->assign('message', $message); @@ -258,10 +276,14 @@ $smarty->assign('shoppees', $shoppees); $smarty->assign('prospects', $prospects); $smarty->assign('messages', $messages); $smarty->assign('events', $events); -$smarty->assign('pending', $pending); -$smarty->assign('approval', $approval); +if (isset($pending)) { + $smarty->assign('pending', $pending); +} +if (isset($approval)) { + $smarty->assign('approval', $approval); +} $smarty->assign('userid', $userid); $smarty->assign('isadmin', $_SESSION['admin']); -$smarty->assign('opt', $OPT); +$smarty->assign('opt', $smarty->opt()); $smarty->display('home.tpl'); ?> diff --git a/src/item.php b/src/item.php index b5d65d0..4e4cee8 100644 --- a/src/item.php +++ b/src/item.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
@@ -30,12 +31,18 @@ else { // to $userid. all operations on this page should only be performed by // the item's owner. if (isset($_REQUEST["itemid"]) && $_REQUEST["itemid"] != "") { - $rs = mysql_query("SELECT * FROM {$OPT["table_prefix"]}items WHERE userid = $userid AND itemid = " . (int) $_REQUEST["itemid"]) or die("Could not query: " . mysql_error()); - if (mysql_num_rows($rs) == 0) { - echo "Nice try! (That's not your item.)"; - exit; + try { + $stmt = $smarty->dbh()->prepare("SELECT * FROM {$opt["table_prefix"]}items WHERE userid = ? AND itemid = ?"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindValue(2, (int) $_REQUEST["itemid"], PDO::PARAM_INT); + $stmt->execute(); + if (!$stmt->fetch()) { + die("Nice try! (That's not your item.)"); + } + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } - mysql_free_result($rs); } $action = ""; @@ -53,16 +60,6 @@ if (!empty($_REQUEST["action"])) { $comment = $_REQUEST["comment"]; $quantity = (int) $_REQUEST["quantity"]; - if (!get_magic_quotes_gpc()) { - $description = addslashes($description); - $price = addslashes($price); - $source = addslashes($source); - $url = addslashes($url); - $category = addslashes($category); - $ranking = addslashes($ranking); - $comment = addslashes($comment); - } - $haserror = false; if ($description == "") { $haserror = true; @@ -92,7 +89,7 @@ if (!empty($_REQUEST["action"])) { if (!$haserror) { if ($_REQUEST["image"] == "remove" || $_REQUEST["image"] == "replace") { - deleteImageForItem((int) $_REQUEST["itemid"]); + deleteImageForItem((int) $_REQUEST["itemid"], $smarty->dbh(), $smarty->opt()); } if ($_REQUEST["image"] == "upload" || $_REQUEST["image"] == "replace") { /* TODO: verify that it's an image using $_FILES["imagefile"]["type"] */ 
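Review bot: `die("sql exception: " . $e->getMessage());` in the new `catch (PDOException $e)` block sends the driver's error text, including table names with the configured prefix and fragments of the failing statement, to the browser. Log it server-side and show a generic message instead: `error_log("item.php: " . $e->getMessage()); die("Database error.");`. The same pattern is repeated in the delete block of item.php and in login.php.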
@@ -103,7 +100,7 @@ if (!empty($_REQUEST["action"])) { $parts = pathinfo($_SERVER["SCRIPT_FILENAME"]); $upload_dir = $parts['dirname']; // generate a temporary file in the configured directory. - $temp_name = tempnam($upload_dir . "/" . $OPT["image_subdir"],""); + $temp_name = tempnam($upload_dir . "/" . $opt["image_subdir"],""); // unlink it, we really want an extension on that. unlink($temp_name); // here's the name we really want to use. full path is included. 
@@ -116,29 +113,44 @@ if (!empty($_REQUEST["action"])) { } if ($action == "delete") { - /* find out if this item is bought or reserved. */ - $query = "SELECT a.userid, a.quantity, a.bought, i.description FROM {$OPT["table_prefix"]}allocs a INNER JOIN {$OPT["table_prefix"]}items i ON i.itemid = a.itemid WHERE a.itemid = " . (int) $_REQUEST["itemid"]; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - while ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { - $buyerid = $row["userid"]; - $quantity = $row["quantity"]; - $bought = $row["bought"]; - sendMessage($userid, + try { + /* find out if this item is bought or reserved. */ + $stmt = $smarty->dbh()->prepare("SELECT a.userid, a.quantity, a.bought, i.description FROM {$opt["table_prefix"]}allocs a INNER JOIN {$opt["table_prefix"]}items i ON i.itemid = a.itemid WHERE a.itemid = ?"); + $stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT); + $stmt->execute(); + while ($row = $stmt->fetch()) { + $buyerid = $row["userid"]; + $quantity = $row["quantity"]; + $bought = $row["bought"]; + sendMessage($userid, $buyerid, - addslashes("\"" . mysql_escape_string($row["description"]) . "\" that you " . (($bought == 1) ? "bought" : "reserved") . " $quantity of for {$_SESSION["fullname"]} has been deleted. Check your reservation/purchase to ensure it's still needed.")); + $row["description"] . " that you " . (($bought == 1) ? "bought" : "reserved") . " $quantity of for {$_SESSION["fullname"]} has been deleted. Check your reservation/purchase to ensure it's still needed.", + $smarty->dbh(), + $smarty->opt()); + } + + deleteImageForItem((int) $_REQUEST["itemid"], $smarty->dbh(), $smarty->opt()); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE itemid = ?"); + $stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT); + $stmt->execute(); + + // TODO: are we leaking allocs records here? + + stampUser($userid, $smarty->dbh(), $smarty->opt()); + header("Location: " . 
getFullPath("index.php?message=Item+deleted.")); + exit; + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } - mysql_free_result($rs); - deleteImageForItem((int) $_REQUEST["itemid"]); - $query = "DELETE FROM {$OPT["table_prefix"]}items WHERE itemid = " . (int) $_REQUEST["itemid"]; - mysql_query($query) or die("Could not query: " . mysql_error()); - stampUser($userid); - header("Location: " . getFullPath("index.php?message=Item+deleted.")); - exit; } else if ($action == "edit") { - $query = "SELECT description, price, source, category, url, ranking, comment, quantity, image_filename FROM {$OPT["table_prefix"]}items WHERE itemid = " . (int) $_REQUEST["itemid"]; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { + $stmt = $smarty->dbh()->prepare("SELECT description, price, source, category, url, ranking, comment, quantity, image_filename FROM {$opt["table_prefix"]}items WHERE itemid = ?"); + $stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT); + $stmt->execute(); + + if ($row = $stmt->fetch()) { $description = $row["description"]; $price = number_format($row["price"],2,".",","); $source = $row["source"]; @@ -149,7 +161,6 @@ if (!empty($_REQUEST["action"])) { $quantity = (int) $row["quantity"]; $image_filename = $row["image_filename"]; } - mysql_free_result($rs); } else if ($action == "add") { $description = ""; 
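Review bot: The new `// TODO: are we leaking allocs records here?` is answered by the code above it: the SELECT reads every allocs row for the item to notify buyers, but only the items row is deleted, so those allocs rows are orphaned unless the schema has an ON DELETE CASCADE (not visible here). Adding the cleanup inside the same try block, before the items DELETE, resolves it: `$stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}allocs WHERE itemid = ?"); $stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT); $stmt->execute();`. Note the delete still relies on the ownership check at the top of the file, which only runs when `$_REQUEST["itemid"]` is non-empty, so it may be worth a comment here stating that precondition.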
@@ -164,10 +175,24 @@ if (!empty($_REQUEST["action"])) { } else if ($action == "insert") { if (!$haserror) { - $query = "INSERT INTO {$OPT["table_prefix"]}items(userid,description,price,source,category,url,ranking,comment,quantity" . ($image_base_filename != "" ? ",image_filename" : "") . ") " . - "VALUES($userid,'$description',$price,'$source'," . (($category == "") ? "NULL" : "'$category'") . "," . (($url == "") ? "NULL" : "'$url'") . ",$ranking," . (($comment == "") ? "NULL" : "'$comment'") . ",$quantity" . ($image_base_filename != "" ? ",'$image_base_filename'" : "") . ")"; - mysql_query($query) or die("Could not query: " . mysql_error()); - stampUser($userid); + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}items(userid,description,price,source,category,url,ranking,comment,quantity" . ($image_base_filename != "" ? ",image_filename" : "") . ") " . + "VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?" . ($image_base_filename != "" ? ", ?)" : ")")); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindParam(2, $description, PDO::PARAM_STR); + $stmt->bindParam(3, $price); + $stmt->bindParam(4, $source, PDO::PARAM_STR); + $stmt->bindParam(5, $category, PDO::PARAM_INT); + $stmt->bindParam(6, $url, PDO::PARAM_STR); + $stmt->bindParam(7, $ranking, PDO::PARAM_INT); + $stmt->bindParam(8, $comment, PDO::PARAM_STR); + $stmt->bindParam(9, $quantity, PDO::PARAM_INT); + if ($image_base_filename != "") { + $stmt->bindParam(10, $image_base_filename); + } + $stmt->execute(); + + stampUser($userid, $smarty->dbh(), $smarty->opt()); + header("Location: " . getFullPath("index.php")); exit; } 
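Review bot: The old INSERT stored `category`, `url` and `comment` as NULL when the form left them empty (`(($category == "") ? "NULL" : ...)`), but the new bindings send the empty string, and `bindParam(5, $category, PDO::PARAM_INT)` with `""` will be coerced to 0 or rejected under strict SQL mode rather than stored as NULL. Bind the nullable columns explicitly, e.g. `$stmt->bindValue(5, $category === "" ? null : (int) $category, $category === "" ? PDO::PARAM_NULL : PDO::PARAM_INT);` and the equivalent `PDO::PARAM_NULL`/`PDO::PARAM_STR` form for `url` (6) and `comment` (8). The update hunk below has the same regression. How `$category` is populated from the request is outside this hunk.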
@@ -175,19 +200,37 @@ if (!empty($_REQUEST["action"])) { else if ($action == "update") { if (!$haserror) { // TODO: if the quantity is updated, send a message to everyone who has an allocation for it. - $query = "UPDATE {$OPT["table_prefix"]}items SET " . - "description = '$description', " . - "price = $price, " . - "source = '$source', " . - "category = " . (($category == "") ? "NULL" : "'$category'") . ", " . - "url = " . (($url == "") ? "NULL" : "'$url'") . ", " . - "ranking = $ranking, " . - "comment = " . (($comment == "") ? "NULL" : "'$comment'") . ", " . - "quantity = $quantity " . - ($image_base_filename != "" ? ", image_filename = '$image_base_filename' " : "") . - "WHERE itemid = " . (int) $_REQUEST["itemid"]; - mysql_query($query) or die("Could not query: " . mysql_error()); - stampUser($userid); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET " . + "description = ?, " . + "price = ?, " . + "source = ?, " . + "category = ?, " . + "url = ?, " . + "ranking = ?, " . + "comment = ?, " . + "quantity = ? " . + ($image_base_filename != "" ? ", image_filename = ? " : "") . + "WHERE itemid = ?"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindParam(2, $description, PDO::PARAM_STR); + $stmt->bindParam(3, $price); + $stmt->bindParam(4, $source, PDO::PARAM_STR); + $stmt->bindParam(5, $category, PDO::PARAM_INT); + $stmt->bindParam(6, $url, PDO::PARAM_STR); + $stmt->bindParam(7, $ranking, PDO::PARAM_INT); + $stmt->bindParam(8, $comment, PDO::PARAM_STR); + $stmt->bindParam(9, $quantity, PDO::PARAM_INT); + if ($image_base_filename != "") { + $stmt->bindParam(10, $image_base_filename); + $stmt->bindParam(11, (int) $_REQUEST["itemid"], PDO::PARAM_INT); + } + else { + $stmt->bindParam(10, (int) $_REQUEST["itemid"], PDO::PARAM_INT); + } + $stmt->execute(); + + stampUser($userid, $smarty->dbh(), $smarty->opt()); + header("Location: " . getFullPath("index.php")); exit; } 
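Review bot: The UPDATE bindings are shifted by one: the statement has no userid placeholder, yet `$stmt->bindParam(1, $userid, ...)` is bound first, so `description` receives `$userid`, `price` receives the description, and so on, and the final parameter (10 or 11) has no placeholder at all, which makes `execute()` fail. In addition `$stmt->bindParam(11, (int) $_REQUEST["itemid"], ...)` (and the `bindParam(10, ...)` in the else branch) passes a cast expression where bindParam requires a variable reference; `bindValue()` is the right call there, as the insert hunk already uses. The rewritten binding block below numbers the parameters from the SET list and computes the itemid position.
```php
// … unchanged: prepare() of the UPDATE statement …
$stmt->bindParam(1, $description, PDO::PARAM_STR);
$stmt->bindParam(2, $price);
$stmt->bindParam(3, $source, PDO::PARAM_STR);
$stmt->bindParam(4, $category, PDO::PARAM_INT);
$stmt->bindParam(5, $url, PDO::PARAM_STR);
$stmt->bindParam(6, $ranking, PDO::PARAM_INT);
$stmt->bindParam(7, $comment, PDO::PARAM_STR);
$stmt->bindParam(8, $quantity, PDO::PARAM_INT);
$next = 9;
if ($image_base_filename != "") {
    $stmt->bindParam($next++, $image_base_filename);
}
// bindValue: bindParam needs a variable reference, a cast expression is not one.
$stmt->bindValue($next, (int) $_REQUEST["itemid"], PDO::PARAM_INT);
$stmt->execute();
// … unchanged: stampUser() and redirect …
```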
@@ -198,23 +241,20 @@ if (!empty($_REQUEST["action"])) { } } -$rs = mysql_query("SELECT categoryid, category FROM {$OPT["table_prefix"]}categories ORDER BY category"); +$stmt = $smarty->dbh()->prepare("SELECT categoryid, category FROM {$opt["table_prefix"]}categories ORDER BY category"); +$stmt->execute(); $categories = array(); -while ($row = mysql_fetch_assoc($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $categories[] = $row; } -mysql_free_result($rs); -$query = "SELECT ranking, title FROM {$OPT["table_prefix"]}ranks ORDER BY rankorder"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); +$stmt = $smarty->dbh()->prepare("SELECT ranking, title FROM {$opt["table_prefix"]}ranks ORDER BY rankorder"); +$stmt->execute(); $ranks = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $ranks[] = $row; } -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); $smarty->assign('userid', $userid); $smarty->assign('action', $action); $smarty->assign('haserror', $haserror); @@ -254,6 +294,6 @@ $smarty->assign('comment', $comment); $smarty->assign('categories', $categories); $smarty->assign('ranks', $ranks); $smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); +$smarty->assign('opt', $smarty->opt()); $smarty->display('item.tpl'); ?> diff --git a/src/login.php b/src/login.php index a3d5e76..99cad38 100644 --- a/src/login.php +++ b/src/login.php 
@@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); if (isset($_GET["action"])) { if ($_GET["action"] == "logout") { 
@@ -25,30 +26,35 @@ if (isset($_GET["action"])) { } if (!empty($_POST["username"])) { - include "db.php"; $username = $_POST["username"]; $password = $_POST["password"]; - if (!get_magic_quotes_gpc()) { - $username = addslashes($username); - $password = addslashes($password); + + try { + $stmt = $smarty->dbh()->prepare("SELECT userid, fullname, admin FROM {$opt["table_prefix"]}users WHERE username = ? AND password = {$opt["password_hasher"]}(?) AND approved = 1"); + $stmt->bindParam(1, $username, PDO::PARAM_STR); + $stmt->bindParam(2, $password, PDO::PARAM_STR); + + $stmt->execute(); + if ($row = $stmt->fetch()) { + session_start(); + $_SESSION["userid"] = $row["userid"]; + $_SESSION["fullname"] = $row["fullname"]; + $_SESSION["admin"] = $row["admin"]; + + header("Location: " . getFullPath("index.php")); + exit; + } + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } - $query = "SELECT userid, fullname, admin FROM {$OPT["table_prefix"]}users WHERE username = '$username' AND password = {$OPT["password_hasher"]}('$password') AND approved = 1"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { - session_start(); - $_SESSION["userid"] = $row["userid"]; - $_SESSION["fullname"] = $row["fullname"]; - $_SESSION["admin"] = $row["admin"]; - header("Location: " . getFullPath("index.php")); - mysql_free_result($rs); - exit; - } + $smarty->assign('username', $username); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('login.tpl'); } - -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('username', $_POST['username']); -$smarty->assign('opt', $OPT); -$smarty->display('login.tpl'); +else { + $smarty->assign('opt', $smarty->opt()); + $smarty->display('login.tpl'); +} +?> diff --git a/src/message.php b/src/message.php index 2e1a44b..18c9d12 100644 
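Review bot: After a successful credential check the new code calls `session_start()` and writes the user into `$_SESSION` without rotating the session id; add `session_regenerate_id(true);` right after `session_start()` inside the `if ($row = $stmt->fetch())` branch so an id that existed before login is not carried into the authenticated session. The `catch (PDOException $e)` branch prints `$e->getMessage()` to the browser, which exposes driver error text and SQL fragments to the user; log the exception and `die()` with a generic message instead — the same `die("sql exception: " . $e->getMessage())` appears in the message.php, mylist.php, profile.php and receive.php hunks. Credentials are still compared inside SQL through the configured `{$opt["password_hasher"]}(?)` function; if that is an unsalted MySQL hash, the longer-term fix is to select the stored hash by username and verify it in PHP with `password_verify()`.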
--- a/src/message.php +++ b/src/message.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
@@ -26,48 +27,42 @@ else { $userid = $_SESSION["userid"]; } -$action = ""; -if (!empty($_GET["action"])) { - $action = $_GET["action"]; - - if ($action == "send") { - $msg = $_GET["msg"]; - if (!get_magic_quotes_gpc()) - $msg = addslashes($msg); +$action = empty($_GET["action"]) ? "" : $_GET["action"]; - for ($i = 0; $i < count($_GET["recipients"]); $i++) - sendMessage($userid,(int) $_GET["recipients"][$i],$msg); +if ($action == "send") { + $msg = $_GET["msg"]; + + for ($i = 0; $i < count($_GET["recipients"]); $i++) + sendMessage($userid, (int) $_GET["recipients"][$i], $msg, $smarty->dbh(), $smarty->opt()); - header("Location: " . getFullPath("index.php?message=Your+message+has+been+sent+to+" . count($_GET["recipients"]) . "+recipient(s).")); - exit; - } - else { - echo "Unknown verb."; - exit; - } + header("Location: " . getFullPath("index.php?message=Your+message+has+been+sent+to+" . count($_GET["recipients"]) . "+recipient(s).")); + exit; } -$query = "SELECT u.userid, u.fullname " . - "FROM {$OPT["table_prefix"]}shoppers s " . - "INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.mayshopfor " . - "WHERE s.shopper = " . $userid . " " . +try { + $stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname " . + "FROM {$opt["table_prefix"]}shoppers s " . + "INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.mayshopfor " . + "WHERE s.shopper = ? " . "AND pending = 0 " . - "ORDER BY u.fullname"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); -$recipients = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $recipients[] = $row; -} -$rcount = mysql_num_rows($rs); -mysql_free_result($rs); + "ORDER BY u.fullname"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->execute(); + $recipients = array(); + $rcount = 0; + while ($row = $stmt->fetch()) { + $recipients[] = $row; + ++$rcount; + } -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 
'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('recipients', $recipients); -$smarty->assign('rcount', $rcount); -$smarty->assign('userid', $userid); -$smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); -$smarty->display('message.tpl'); + $smarty->assign('recipients', $recipients); + $smarty->assign('rcount', $rcount); + $smarty->assign('userid', $userid); + $smarty->assign('isadmin', $_SESSION["admin"]); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('message.tpl'); +} +catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); +} ?> diff --git a/src/mylist.php b/src/mylist.php index e099bc9..99dd7fc 100644 --- a/src/mylist.php +++ b/src/mylist.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
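Review bot: `count($_GET["recipients"])` in the `send` branch is evaluated without checking that the parameter exists and is an array; a request without it emits a warning on PHP 7.2+ and throws a `TypeError` on PHP 8, so normalise it first, e.g. `$recipients = (isset($_GET["recipients"]) && is_array($_GET["recipients"])) ? $_GET["recipients"] : [];` and loop over that. The recipient ids are passed straight to `sendMessage()` without being checked against the approved-shopper list that the `SELECT u.userid, u.fullname ...` query below builds; fetching that list first and filtering each id against it would keep messages within the approved relationships. Dropping the old `else { echo "Unknown verb."; exit; }` branch means an unrecognised action now silently renders the form; if intended, a short comment on `$action = empty($_GET["action"]) ? "" : $_GET["action"];` saying so would save the next reader a trip through the history.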
@@ -51,36 +52,40 @@ switch($sort) { $sortby = "rankorder DESC, source, price"; } -$query = "SELECT description, source, price, i.comment, i.quantity, i.quantity * i.price AS total, rendered, c.category " . - "FROM {$OPT["table_prefix"]}items i " . - "INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = i.userid " . - "INNER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}categories c ON c.categoryid = i.category " . - "WHERE u.userid = " . $_SESSION["userid"] . " " . - "ORDER BY $sortby"; -$rs = mysql_query($query) or die("Could not query $query: " . mysql_error()); -$shoplist = array(); -$totalprice = 0; -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $totalprice += $row["total"]; - if ($row["quantity"] == 1) - $row["price"] = formatPrice($row["price"]); - else - $row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"]) . " = " . formatPrice($row["total"]); - $shoplist[] = $row; +try { + // not worried about SQL injection since $sortby is calculated above. + $stmt = $smarty->dbh()->prepare("SELECT description, source, price, i.comment, i.quantity, i.quantity * i.price AS total, rendered, c.category " . + "FROM {$opt["table_prefix"]}items i " . + "INNER JOIN {$opt["table_prefix"]}users u ON u.userid = i.userid " . + "INNER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking " . + "LEFT OUTER JOIN {$opt["table_prefix"]}categories c ON c.categoryid = i.category " . + "WHERE u.userid = ? " . + "ORDER BY " . $sortby); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + + $stmt->execute(); + $shoplist = array(); + $totalprice = 0; + $itemcount = 0; + while ($row = $stmt->fetch()) { + $totalprice += $row["total"]; + ++$itemcount; + if ($row["quantity"] == 1) + $row["price"] = formatPrice($row["price"], $opt); + else + $row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"], $opt) . " = " . 
formatPrice($row["total"], $opt); + $shoplist[] = $row; + } + + $smarty->assign('shoplist', $shoplist); + $smarty->assign('totalprice', formatPrice($totalprice, $opt)); + $smarty->assign('itemcount', $itemcount); + $smarty->assign('userid', $userid); + $smarty->assign('isadmin', $_SESSION["admin"]); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('mylist.tpl'); +} +catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } -$itemcount = mysql_num_rows($rs); -mysql_free_result($rs); - -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('shoplist', $shoplist); -$smarty->assign('totalprice', formatPrice($totalprice)); -$smarty->assign('itemcount', $itemcount); -$smarty->assign('userid', $userid); -$smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); -$smarty->display('mylist.tpl'); ?> - diff --git a/src/profile.php b/src/profile.php index bae1b31..9652030 100644 --- a/src/profile.php +++ b/src/profile.php @@ -14,9 +14,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
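Review bot: The comment `// not worried about SQL injection since $sortby is calculated above.` states a conclusion but not the invariant it rests on; since `$sortby` is the one value concatenated into the statement rather than bound, make it say why that is safe, e.g. `// $sortby is concatenated, not bound: it is only ever one of the literal strings assigned in the switch above and never carries request data.`, so a later edit to that switch (which starts outside this hunk) is less likely to break the assumption. `if ($row["quantity"] == 1)` on the new side keeps a loose comparison against a fetched column; `(int) $row["quantity"] === 1` makes the intent explicit.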
@@ -33,55 +34,70 @@ if (!empty($_POST["action"])) { if ($action == "changepwd") { $newpwd = $_POST["newpwd"]; - if (!get_magic_quotes_gpc()) - $newpwd = addslashes($newpwd); - $query = "UPDATE {$OPT["table_prefix"]}users SET password = {$OPT["password_hasher"]}('$newpwd') WHERE userid = $userid"; - mysql_query($query) or die("Could run query: " . mysql_error()); - header("Location: " . getFullPath("index.php?message=Password+changed.")); - exit; + try { + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET password = {$opt["password_hasher"]}(?) WHERE userid = ?"); + $stmt->bindParam(1, $newpwd, PDO::PARAM_STR); + $stmt->bindParam(2, $userid, PDO::PARAM_INT); + + $stmt->execute(); + + header("Location: " . getFullPath("index.php?message=Password+changed.")); + exit; + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); + } } else if ($action == "save") { $fullname = $_POST["fullname"]; $email = $_POST["email"]; $comment = $_POST["comment"]; $email_msgs = ($_POST["email_msgs"] == "on" ? 1 : 0); - if (!get_magic_quotes_gpc()) { - $fullname = addslashes($fullname); - $email = addslashes($email); - $comment = addslashes($comment); + + try { + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET fullname = ?, email = ?, email_msgs = ?, comment = ? WHERE userid = ?"); + $stmt->bindParam(1, $fullname, PDO::PARAM_STR); + $stmt->bindParam(2, $email, PDO::PARAM_STR); + $stmt->bindParam(3, $email_msgs, PDO::PARAM_BOOL); + $stmt->bindParam(4, $comment, PDO::PARAM_STR); + $stmt->bindParam(5, $userid, PDO::PARAM_INT); + + $stmt->execute(); + + $_SESSION["fullname"] = $fullname; + + header("Location: " . getFullPath("index.php?message=Profile+updated.")); + exit; + } + catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } - - $query = "UPDATE {$OPT["table_prefix"]}users SET fullname = '$fullname', email = '$email', email_msgs = $email_msgs, comment = " . ($comment == "" ? "NULL" : "'$comment'") . 
" WHERE userid = $userid"; - mysql_query($query) or die("Couldn't run query: " . mysql_error()); - $_SESSION["fullname"] = stripslashes($fullname); - - header("Location: " . getFullPath("index.php?message=Profile+updated.")); - exit; } else { - echo "Unknown verb."; - exit; + die("Unknown verb."); } } -$query = "SELECT fullname, email, email_msgs, comment FROM {$OPT["table_prefix"]}users WHERE userid = " . $userid; -$rs = mysql_query($query) or die("You don't exist: " . mysql_error()); -$row = mysql_fetch_array($rs, MYSQL_ASSOC); -$fullname = $row['fullname']; -$email = $row['email']; -$email_msgs = $row['email_msgs']; -$comment = $row['comment']; -mysql_free_result($rs); +try { + $stmt = $smarty->dbh()->prepare("SELECT fullname, email, email_msgs, comment FROM {$opt["table_prefix"]}users WHERE userid = ?"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('fullname', $fullname); -$smarty->assign('email', $email); -$smarty->assign('email_msgs', $email_msgs); -$smarty->assign('comment', $comment); -$smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); -$smarty->display('profile.tpl'); + $stmt->execute(); + if ($row = $stmt->fetch()) { + $smarty->assign('fullname', $row["fullname"]); + $smarty->assign('email', $row["email"]); + $smarty->assign('email_msgs', $row["email_msgs"]); + $smarty->assign('comment', $row["comment"]); + $smarty->assign('isadmin', $_SESSION["admin"]); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('profile.tpl'); + } + else { + die("You don't exist."); + } +} +catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); +} ?> diff --git a/src/ranks.php b/src/ranks.php index 6852cff..0a50321 100644 --- a/src/ranks.php +++ b/src/ranks.php 
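Review bot: The `changepwd` branch binds `$newpwd` straight from `$_POST` with no check that it is non-empty, so an empty submission stores the hasher's result for an empty string as the password; reject it before preparing the statement, e.g. `if (!isset($_POST["newpwd"]) || $_POST["newpwd"] === "") { die("Password cannot be empty."); }`. In the `save` branch the removed query wrote `NULL` when `$comment` was empty (`($comment == "" ? "NULL" : "'$comment'")`), while the new `bindParam(4, $comment, PDO::PARAM_STR)` stores an empty string; if the template or other queries test for `NULL`, use `bindValue(4, $comment === "" ? null : $comment, $comment === "" ? PDO::PARAM_NULL : PDO::PARAM_STR)` to keep the old semantics. Both branches change account state from a plain POST with no request token, which the commit inherits rather than introduces but is worth tracking alongside this rewrite.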
@@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { @@ -30,7 +31,7 @@ else { $userid = $_SESSION["userid"]; } if (!empty($_GET["message"])) { - $message = strip_tags($_GET["message"]); + $message = $_GET["message"]; } $action = $_GET["action"]; @@ -39,10 +40,6 @@ if ($action == "insert" || $action == "update") { /* validate the data. */ $title = trim($_GET["title"]); $rendered = trim($_GET["rendered"]); - if (!get_magic_quotes_gpc()) { - $title = addslashes($title); - $rendered = addslashes($rendered); - } $haserror = false; if ($title == "") { 
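Review bot: In the `@@ -30,7 +31,7 @@` hunk, `$message = $_GET["message"];` drops the `strip_tags()` call, so the request-supplied message now reaches `ranks.tpl` unfiltered; this is only safe if `MySmarty` turns on Smarty's default HTML escaping or the template applies `|escape` to `$message`, neither of which is visible here — confirm one of them holds, or keep an escape at the boundary with `$message = htmlspecialchars($_GET["message"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. `$action = $_GET["action"];` on the following context line reads the key unguarded, whereas receive.php in this same diff uses `$action = (!empty($_GET["action"]) ? $_GET["action"] : "");`; the same form here avoids a notice on a bare request.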
@@ -57,37 +54,49 @@ if ($action == "insert" || $action == "update") { if ($action == "delete") { /* first, NULL all ranking FKs for items that use this rank. */ - $query = "UPDATE {$OPT["table_prefix"]}items SET ranking = NULL WHERE ranking = " . addslashes($_GET["ranking"]); - mysql_query($query) or die("Could not query: " . mysql_error()); - $query = "DELETE FROM {$OPT["table_prefix"]}ranks WHERE ranking = " . addslashes($_GET["ranking"]); - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET ranking = NULL WHERE ranking = ?"); + $stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}ranks WHERE ranking = ?"); + $stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT); + $stmt->execute(); + header("Location: " . getFullPath("ranks.php?message=Rank+deleted.")); exit; } else if ($action == "promote") { - $query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE rankorder = " . addslashes($_GET["rankorder"]) . " - 1"; - mysql_query($query) or die("Could not query: " . mysql_error()); - $query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE ranking = " . addslashes($_GET["ranking"]); - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE rankorder = ? - 1"); + $stmt->bindValue(1, (int) $_GET["rankorder"], PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE ranking = ?"); + $stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT); + $stmt->execute(); + header("Location: " . 
getFullPath("ranks.php?message=Rank+promoted.")); exit; } else if ($action == "demote") { - $query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE rankorder = " . addslashes($_GET["rankorder"]) . " + 1"; - mysql_query($query) or die("Could not query: " . mysql_error()); - $query = "UPDATE {$OPT["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE ranking = " . addslashes($_GET["ranking"]); - mysql_query($query) or die("Could not query: " . mysql_error()); - header("Location: " . getFullPath("ranks.php?message=Rank+demoted.")); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder - 1 WHERE rankorder = ? + 1"); + $stmt->bindValue(1, (int) $_GET["rankorder"], PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks SET rankorder = rankorder + 1 WHERE ranking = ?"); + $stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT); + $stmt->execute(); + + header("Location: " . getFullPath("ranks.php?message=Rank+demoted.")); exit; } else if ($action == "edit") { - $query = "SELECT title, rendered FROM {$OPT["table_prefix"]}ranks WHERE ranking = " . addslashes($_GET["ranking"]); - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { + $stmt = $smarty->dbh()->prepare("SELECT title, rendered FROM {$opt["table_prefix"]}ranks WHERE ranking = ?"); + $stmt->bindValue(1, (int) $_GET["ranking"], PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { $title = $row["title"]; $rendered = $row["rendered"]; } - mysql_free_result($rs); } else if ($action == "") { $title = ""; 
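Review bot: The `promote` and `demote` branches each run two dependent UPDATEs on the `ranks` table with no transaction, so a failure or a concurrent request between them leaves two rows sharing a `rankorder`; wrap each pair in `$smarty->dbh()->beginTransaction();` and `$smarty->dbh()->commit();` (the `delete` branch's UPDATE/DELETE pair has the same shape). The swap also trusts `(int) $_GET["rankorder"]` from the request instead of reading the current `rankorder` for the given `ranking` from the database, so a stale or mismatched value reorders the wrong neighbour; selecting it by `ranking` inside the same transaction removes that dependency on the client.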
@@ -95,47 +104,49 @@ else if ($action == "") { } else if ($action == "insert") { if (!$haserror) { - /* first determine the highest rankorder and add one. */ - $query = "SELECT MAX(rankorder) as maxrankorder FROM {$OPT["table_prefix"]}ranks"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) + /* we can't assume the DB has a sequence on this so determine the highest rankorder and add one. */ + $stmt = $smarty->dbh()->prepare("SELECT MAX(rankorder) as maxrankorder FROM {$opt["table_prefix"]}ranks"); + $stmt->execute(); + if ($row = $stmt->fetch()) { $rankorder = $row["maxrankorder"] + 1; - mysql_free_result($rs); - $query = "INSERT INTO {$OPT["table_prefix"]}ranks(title,rendered,rankorder) " . - "VALUES('$title','$rendered',$rankorder)"; - mysql_query($query) or die("Could not query: " . mysql_error()); - header("Location: " . getFullPath("ranks.php?message=Rank+added.")); - exit; + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}ranks(title,rendered,rankorder) VALUES(?, ?, ?)"); + $stmt->bindParam(1, $title, PDO::PARAM_STR); + $stmt->bindParam(2, $rendered, PDO::PARAM_STR); + $stmt->bindParam(3, $rankorder, PDO::PARAM_INT); + $stmt->execute(); + + header("Location: " . getFullPath("ranks.php?message=Rank+added.")); + exit; + } } } else if ($action == "update") { if (!$haserror) { - $query = "UPDATE {$OPT["table_prefix"]}ranks " . - "SET title = '$title', rendered = '$rendered' " . - "WHERE ranking = " . addslashes($_GET["ranking"]); - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}ranks " . + "SET title = ?, rendered = ? " . + "WHERE ranking = ?"); + $stmt->bindParam(1, $title, PDO::PARAM_STR); + $stmt->bindParam(2, $rendered, PDO::PARAM_STR); + $stmt->bindValue(3, (int) $_GET["ranking"], PDO::PARAM_INT); + $stmt->execute(); + header("Location: " . 
getFullPath("ranks.php?message=Rank+updated.")); exit; } } else { - echo "Unknown verb."; - exit; + die("Unknown verb."); } -$query = "SELECT ranking, title, rendered, rankorder " . - "FROM {$OPT["table_prefix"]}ranks " . - "ORDER BY rankorder"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); +$stmt = $smarty->dbh()->prepare("SELECT ranking, title, rendered, rankorder " . + "FROM {$opt["table_prefix"]}ranks " . + "ORDER BY rankorder"); +$stmt->execute(); $ranks = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $ranks[] = $row; } -mysql_free_result($rs); -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); $smarty->assign('action', $action); $smarty->assign('ranks', $ranks); if (isset($message)) { @@ -152,6 +163,6 @@ if (isset($rendered_error)) { $smarty->assign('ranking', $_GET["ranking"]); $smarty->assign('haserror', $haserror); $smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); +$smarty->assign('opt', $smarty->opt()); $smarty->display('ranks.tpl'); ?> diff --git a/src/receive.php b/src/receive.php index fca69de..13b86a9 100644 --- a/src/receive.php +++ b/src/receive.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
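Review bot: In the `insert` branch the new `rankorder` is computed from a `SELECT MAX(rankorder)` and then written by a separate INSERT, so two concurrent inserts can read the same maximum and both receive the same `rankorder`; the comment `/* we can't assume the DB has a sequence on this ... */` explains the motivation, but the read and the INSERT should at least share a transaction, or the value can be computed in the INSERT itself (`INSERT INTO ...ranks(title,rendered,rankorder) SELECT ?, ?, COALESCE(MAX(rankorder), 0) + 1 FROM ...ranks`). `$rankorder = $row["maxrankorder"] + 1;` also relies on `null + 1` evaluating to `1` for an empty table; `(int) $row["maxrankorder"] + 1` makes that explicit before it is bound with `PDO::PARAM_INT`.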
@@ -30,72 +31,85 @@ $action = (!empty($_GET["action"]) ? $_GET["action"] : ""); $itemid = (int) $_GET["itemid"]; // get details. is this a single-quantity item? -$query = "SELECT quantity FROM {$OPT["table_prefix"]}items WHERE itemid = $itemid"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); -$row = mysql_fetch_array($rs,MYSQL_ASSOC); -if (!$row) die("Item does not exist."); -$quantity = $row["quantity"]; -mysql_free_result($rs); - -stampUser($userid); - -if ($quantity == 1) { - /* just delete the alloc and the item and get out. - yes, it's possible the item was RESERVED, not PURCHASED. */ - deleteImageForItem($itemid); - $query = "DELETE FROM {$OPT["table_prefix"]}allocs WHERE itemid = $itemid"; - mysql_query($query) or die("Could not query: " . mysql_error()); - $query = "DELETE FROM {$OPT["table_prefix"]}items WHERE itemid = $itemid"; - mysql_query($query) or die("Could not query: " . mysql_error()); - header("Location: " . getFullPath("index.php?message=Item+marked+as+received.")); - exit; -} -else if ($action == "receive") { - // $actual will be a negative number, so let's flip it. - $actual = -adjustAllocQuantity($itemid,(int) $_GET["buyer"],1,-1 * (int) $_GET["quantity"]); - - if ($actual < (int) $_GET["quantity"]) { - // $userid didn't have that many bought, so some might have been reserved. - $actual += -adjustAllocQuantity($itemid,(int) $_GET["buyer"],0,-1 * ((int) $_GET["quantity"] - $actual)); - } - - if ($actual == $quantity) { - // now they're all gone. - deleteImageForItem($itemid); - $query = "DELETE FROM {$OPT["table_prefix"]}items WHERE itemid = $itemid"; +try { + $stmt = $smarty->dbh()->prepare("SELECT quantity FROM {$opt["table_prefix"]}items WHERE itemid = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { + $quantity = $row["quantity"]; } else { - // decrement the item's desired quantity. 
- $query = "UPDATE {$OPT["table_prefix"]}items SET quantity = quantity - $actual WHERE itemid = $itemid"; + die("Item does not exist."); } + + stampUser($userid, $smarty->dbh(), $smarty->opt()); + + if ($quantity == 1) { + /* just delete the alloc and the item and get out. + yes, it's possible the item was RESERVED, not PURCHASED. */ + deleteImageForItem($itemid, $smarty->dbh(), $smarty->opt()); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}allocs WHERE itemid = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE itemid = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->execute(); + + header("Location: " . getFullPath("index.php?message=Item+marked+as+received.")); + exit; + } + else if ($action == "receive") { + // $actual will be a negative number, so let's flip it. + $actual = -adjustAllocQuantity($itemid, (int) $_GET["buyer"], 1, -1 * (int) $_GET["quantity"], $smarty->dbh(), $smarty->opt()); - mysql_query($query) or die("Could not query: " . mysql_error()); + if ($actual < (int) $_GET["quantity"]) { + // $userid didn't have that many bought, so some might have been reserved. + $actual += -adjustAllocQuantity($itemid,(int) $_GET["buyer"],0,-1 * ((int) $_GET["quantity"] - $actual), $smarty->dbh(), $smarty->opt()); + } + + if ($actual == $quantity) { + // now they're all gone. + deleteImageForItem($itemid, $smarty->dbh(), $smarty->opt()); + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE itemid = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->execute(); + } + else { + // decrement the item's desired quantity. + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET quantity = quantity - ? WHERE itemid = ?"); + $stmt->bindParam(1, $actual, PDO::PARAM_INT); + $stmt->bindParam(2, $itemid, PDO::PARAM_INT); + $stmt->execute(); + } + + header("Location: " . 
getFullPath("index.php?message=Item+marked+as+received.")); + exit; + } - header("Location: " . getFullPath("index.php?message=Item+marked+as+received.")); - exit; -} - -$query = "SELECT u.userid, u.fullname " . - "FROM {$OPT["table_prefix"]}shoppers s " . - "INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = s.shopper " . - "WHERE s.mayshopfor = " . $userid . " " . + $stmt = $smarty->dbh()->prepare("SELECT u.userid, u.fullname " . + "FROM {$opt["table_prefix"]}shoppers s " . + "INNER JOIN {$opt["table_prefix"]}users u ON u.userid = s.shopper " . + "WHERE s.mayshopfor = ? " . "AND pending = 0 " . - "ORDER BY u.fullname"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); -$buyers = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $buyers[] = $row; -} -mysql_free_result($buyers); + "ORDER BY u.fullname"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->execute(); + $buyers = array(); + while ($row = $stmt->fetch()) { + $buyers[] = $row; + } -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('buyers', $buyers); -$smarty->assign('quantity', $quantity); -$smarty->assign('itemid', $itemid); -$smarty->assign('userid', $userid); -$smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); -$smarty->display('receive.tpl'); + $smarty->assign('buyers', $buyers); + $smarty->assign('quantity', $quantity); + $smarty->assign('itemid', $itemid); + $smarty->assign('userid', $userid); + $smarty->assign('isadmin', $_SESSION["admin"]); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('receive.tpl'); +} +catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); +} ?> diff --git a/src/shop.php b/src/shop.php index ea8b9ce..cc30dc6 100644 --- a/src/shop.php +++ b/src/shop.php 
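Review bot: `$itemid` comes from `$_GET["itemid"]` and every statement in this hunk (`SELECT quantity ... WHERE itemid = ?`, both `DELETE`s and the `UPDATE`) is scoped by `itemid` alone, never by the session user, so nothing visible here stops the page from deleting or decrementing an item that does not belong to `$userid`; add `AND userid = ?` bound to `$userid` on the initial SELECT (the `items` table carries a `userid` column, as the mylist.php join shows) and let the existing `die("Item does not exist.")` branch handle the miss, so the later statements only ever run for the caller's own item. The `quantity == 1` path and the `receive` path each run several dependent statements without a transaction; a `beginTransaction()`/`commit()` pair around each keeps `allocs` and `items` consistent if one statement fails. `deleteImageForItem`, `stampUser` and `adjustAllocQuantity` are defined elsewhere, so whatever checks they perform cannot be confirmed from here.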
@@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
@@ -31,44 +32,54 @@ if (!empty($_GET["action"])) { $action = $_GET["action"]; $itemid = (int) $_GET["itemid"]; if ($action == "reserve") { - adjustAllocQuantity($itemid,$userid,0,+1); + adjustAllocQuantity($itemid,$userid,0,+1, $smarty->dbh(), $smarty->opt()); } else if ($action == "purchase") { // decrement reserved. - adjustAllocQuantity($itemid,$userid,0,-1); + adjustAllocQuantity($itemid,$userid,0,-1, $smarty->dbh(), $smarty->opt()); // increment purchased. - adjustAllocQuantity($itemid,$userid,1,+1); + adjustAllocQuantity($itemid,$userid,1,+1, $smarty->dbh(), $smarty->opt()); } else if ($action == "return") { // increment reserved. - adjustAllocQuantity($itemid,$userid,0,+1); + adjustAllocQuantity($itemid,$userid,0,+1, $smarty->dbh(), $smarty->opt()); // decrement purchased. - adjustAllocQuantity($itemid,$userid,1,-1); + adjustAllocQuantity($itemid,$userid,1,-1, $smarty->dbh(), $smarty->opt()); } else if ($action == "release") { - adjustAllocQuantity($itemid,$userid,0,-1); + adjustAllocQuantity($itemid,$userid,0,-1, $smarty->dbh(), $smarty->opt()); } else if ($action == "copy") { /* can't do this because MySQL 3.x doesn't seem to support it (at least the version i was using). $query = "INSERT INTO items(userid,description,price,source,url,category) SELECT $userid, description, price, source, url, category FROM items WHERE itemid = " . $_GET["itemid"]; - mysql_query($query) or die("Could not query: " . mysql_error()); */ /* TODO: copy the image too? */ - $query = "SELECT userid, description, price, source, url, category, comment FROM {$OPT["table_prefix"]}items WHERE itemid = " . (int) $_GET["itemid"]; - $rs = mysql_query($query) or die("Could not query: " . 
mysql_error()); - $row = mysql_fetch_array($rs,MYSQL_ASSOC) or die("No item to copy."); - $desc = mysql_escape_string($row["description"]); - $source = mysql_escape_string($row["source"]); - $url = mysql_escape_string($row["url"]); - $comment = mysql_escape_string($row["comment"]); - $price = (float) $row["price"]; - $cat = (int) $row["category"]; - mysql_free_result($rs); - $query = "INSERT INTO {$OPT["table_prefix"]}items(userid,description,price,source,url,comment,category,ranking,quantity) VALUES($userid,'$desc','$price','$source'," . (($url == "") ? "NULL" : "'$url'") . "," . (($comment == "") ? "NULL" : "'$comment'") . "," . (($cat == "") ? "NULL" : $cat) . ",1,1)"; - mysql_query($query) or die("Could not query: $query " . mysql_error()); - stampUser($userid); - $message = "Added '" . stripslashes($desc) . "' to your gift list."; + $stmt = $smarty->dbh()->prepare("SELECT userid, description, price, source, url, category, comment FROM {$opt["table_prefix"]}items WHERE itemid = ?"); + $stmt->bindParam(1, $itemid, PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { + $desc = $row["description"]; + $source = $row["source"]; + $url = $row["url"]; + $comment = $row["comment"]; + $price = (float) $row["price"]; + $cat = (int) $row["category"]; + + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}items(userid,description,price,source,url,comment,category,ranking,quantity) VALUES(?, ?, ?, ?, ?, ?, ?, 1, 1"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindParam(2, $desc, PDO::PARAM_STR); + $stmt->bindParam(3, $price); + $stmt->bindParam(4, $source, PDO::PARAM_STR); + $stmt->bindParam(5, $url, PDO::PARAM_STR); + $stmt->bindParam(6, $comment, PDO::PARAM_STR); + $stmt->bindParam(7, $cat, PDO::PARAM_INT); + $stmt->execute(); + + stampUser($userid, $smarty->dbh(), $smarty->opt()); + + $message = "Added '" . $desc . "' to your gift list."; + } } } 
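Review bot: The INSERT in the `copy` branch is missing its closing parenthesis — `VALUES(?, ?, ?, ?, ?, ?, ?, 1, 1"` — so the statement fails with a SQL syntax error on every copy; the line should end `VALUES(?, ?, ?, ?, ?, ?, ?, 1, 1)");`. The rewrite also changes what is stored for empty values: the removed query wrote `NULL` for an empty `url`, `comment` or `category`, whereas `bindParam(5, $url, PDO::PARAM_STR)`, `bindParam(6, $comment, PDO::PARAM_STR)` and `$cat = (int) $row["category"]` now store `''` and `0`; since `category` is the join key to `categories` elsewhere in this diff, a `0` there may mis-join or break a constraint, so bind `null` with `PDO::PARAM_NULL` when `$cat === 0` and likewise for the two empty strings. `bindParam(3, $price)` is bound without a type and is sent as a string; that is tolerated by MySQL, but a short comment saying so would stop a reader from "fixing" it.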
@@ -77,12 +88,14 @@ if ($shopfor == $userid) { echo "Nice try! (You can't shop for yourself.)"; exit; } -$rs = mysql_query("SELECT * FROM {$OPT["table_prefix"]}shoppers WHERE shopper = $userid AND mayshopfor = $shopfor AND pending = 0") or die("Could not query: " . mysql_error()); -if (mysql_num_rows($rs) == 0) { +$stmt = $smarty->dbh()->prepare("SELECT * FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? AND mayshopfor = ? AND pending = 0"); +$stmt->bindParam(1, $userid, PDO::PARAM_INT); +$stmt->bindParam(2, $shopfor, PDO::PARAM_INT); +$stmt->execute(); +if (!($stmt->fetch())) { echo "Nice try! (You can't shop for someone who hasn't approved it.)"; exit; } -mysql_free_result($rs); if (!isset($_GET["sort"])) { $sortby = "rankorder DESC, description"; 
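Review bot: The approval check in this hunk (`SELECT * FROM ...shoppers WHERE shopper = ? AND mayshopfor = ? AND pending = 0`) runs after the `reserve`/`purchase`/`return`/`release`/`copy` actions in the preceding hunk have already written to the database, so the `Nice try!` guards do not protect those writes; move the `$shopfor` checks ahead of the `if (!empty($_GET["action"]))` block, or verify there that `$itemid` belongs to a user the caller is approved to shop for. `SELECT *` is more than an existence test needs; `SELECT 1` states the intent. In the next hunk of this file, which runs past the end of this view, `"WHERE i.userid = $shopfor " .` keeps the interpolation while `$stmt->bindParam(1, $shopfor, PDO::PARAM_INT);` binds a placeholder the query no longer contains; the clause should read `"WHERE i.userid = ? " .` so the bind has a target and PDO does not reject the parameter count.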
@@ -120,46 +133,47 @@ else { for those items with a quantity of 1. if the item's quantity > 1 we'll query alloc when we get to that record. the theory is that most items will have quantity = 1 so we'll make the least number of trips. */ -$query = "SELECT i.itemid, description, price, source, c.category, url, image_filename, " . +$stmt = $smarty->dbh()->prepare("SELECT i.itemid, description, price, source, c.category, url, image_filename, " . "ub.fullname AS bfullname, ub.userid AS boughtid, " . "ur.fullname AS rfullname, ur.userid AS reservedid, " . "rendered, i.comment, i.quantity " . - "FROM {$OPT["table_prefix"]}items i " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}categories c ON c.categoryid = i.category " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}allocs a ON a.itemid = i.itemid AND i.quantity = 1 " . // only join allocs for single-quantity items. - "LEFT OUTER JOIN {$OPT["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " . + "FROM {$opt["table_prefix"]}items i " . + "LEFT OUTER JOIN {$opt["table_prefix"]}categories c ON c.categoryid = i.category " . + "LEFT OUTER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking " . + "LEFT OUTER JOIN {$opt["table_prefix"]}allocs a ON a.itemid = i.itemid AND i.quantity = 1 " . // only join allocs for single-quantity items. + "LEFT OUTER JOIN {$opt["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " . + "LEFT OUTER JOIN {$opt["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " . "WHERE i.userid = $shopfor " . - "ORDER BY $sortby"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); - + "ORDER BY " . 
$sortby); +$stmt->bindParam(1, $shopfor, PDO::PARAM_INT); +$stmt->execute(); $shoprows = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $row['price'] = formatPrice($row['price']); +while ($row = $stmt->fetch()) { + $row['price'] = formatPrice($row['price'], $opt); if ($row['quantity'] > 1) { // check the allocs table to see what has been allocated. $avail = $row['quantity']; - $query = "SELECT a.quantity, a.bought, a.userid, " . + $substmt = $smarty->dbh()->prepare("SELECT a.quantity, a.bought, a.userid, " . "ub.fullname AS bfullname, ub.userid AS boughtid, " . "ur.fullname AS rfullname, ur.userid AS reservedid " . - "FROM {$OPT["table_prefix"]}allocs a " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " . - "LEFT OUTER JOIN {$OPT["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " . - "WHERE a.itemid = " . $row['itemid'] . " " . - "ORDER BY a.bought, a.quantity"; - $allocs = mysql_query($query) or die("Could not query: " . mysql_error()); + "FROM {$opt["table_prefix"]}allocs a " . + "LEFT OUTER JOIN {$opt["table_prefix"]}users ub ON ub.userid = a.userid AND a.bought = 1 " . + "LEFT OUTER JOIN {$opt["table_prefix"]}users ur ON ur.userid = a.userid AND a.bought = 0 " . + "WHERE a.itemid = ? " . + "ORDER BY a.bought, a.quantity"); + $substmt->bindValue(1, $row['itemid'], PDO::PARAM_INT); + $substmt->execute(); $ibought = 0; $ireserved = 0; $itemallocs = array(); - while ($allocrow = mysql_fetch_array($allocs, MYSQL_ASSOC)) { + while ($allocrow = $substmt->fetch()) { if ($allocrow['bfullname'] != '') { if ($allocrow['boughtid'] == $userid) { $ibought += $allocrow['quantity']; $itemallocs[] = ($allocrow['quantity'] . " bought by you."); } else { - if (!$OPT["anonymous_purchasing"]) { + if (!$opt["anonymous_purchasing"]) { $itemallocs[] = ($allocrow['quantity'] . " bought by " . $allocrow['bfullname'] . "."); } else { 
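Review bot: The outer item query still interpolates the value in `"WHERE i.userid = $shopfor "` while `$stmt->bindParam(1, $shopfor, PDO::PARAM_INT);` binds a parameter the statement has no `?` for, so the value is not actually parameterised and execute() is likely to fail with a parameter-count mismatch; change the fragment to `"WHERE i.userid = ? "`. `$sortby` remains concatenated into ORDER BY, which is only safe if it is always set from a fixed switch as shoplist.php does — the code that sets it is outside this hunk, so a comment stating that constraint at the prepare() call would help the next reader. The copy-item INSERT in the preceding hunk of this file has a related execute-time failure: its VALUES list ends `?, 1, 1"` without the closing parenthesis.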
@@ -173,7 +187,7 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { $itemallocs[] = ($allocrow['quantity'] . " reserved by you."); } else { - if (!$OPT["anonymous_purchasing"]) { + if (!$opt["anonymous_purchasing"]) { $itemallocs[] = ($allocrow['quantity'] . " reserved by " . $allocrow['rfullname'] . "."); } else { @@ -183,7 +197,6 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { } $avail -= $allocrow['quantity']; } - mysql_free_result($allocs); $row['allocs'] = $itemallocs; $row['avail'] = $avail; $row['ibought'] = $ibought; @@ -191,26 +204,26 @@ while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { } $shoprows[] = $row; } -mysql_free_result($rs); /* okay, I *would* retrieve the shoppee's fullname from the items recordset, except that I wouldn't get it if he had no items, so I *could* LEFT OUTER JOIN, but then it would complicate the iteration logic, so let's just hit the DB again. */ -$query = "SELECT fullname FROM {$OPT["table_prefix"]}users WHERE userid = $shopfor"; -$urs = mysql_query($query) or die("Could not query: " . mysql_error()); -$ufullname = mysql_fetch_array($urs, MYSQL_ASSOC); -$ufullname = $ufullname["fullname"]; -mysql_free_result($urs); +$stmt = $smarty->dbh()->prepare("SELECT fullname FROM {$opt["table_prefix"]}users WHERE userid = ?"); +$stmt->bindParam(1, $shopfor, PDO::PARAM_INT); +$stmt->execute(); +if ($row = $stmt->fetch()) { + $ufullname = $row["fullname"]; +} -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); $smarty->assign('ufullname', $ufullname); $smarty->assign('shopfor', $shopfor); $smarty->assign('shoprows', $shoprows); $smarty->assign('userid', $userid); +if (isset($message)) { + $smarty->assign('message', $message); +} $smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); +$smarty->assign('opt', $smarty->opt()); $smarty->display('shop.tpl'); ?> 
diff --git a/src/shoplist.php b/src/shoplist.php index 3b2caa6..b0d9ef6 100644 --- a/src/shoplist.php +++ b/src/shoplist.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { 
@@ -50,38 +51,42 @@ switch($sort) { default: $sortby = "source, fullname, rankorder DESC"; } - -$query = "SELECT description, source, price, i.comment, a.quantity, a.quantity * i.price AS total, rendered, fullname " . - "FROM {$OPT["table_prefix"]}items i " . - "INNER JOIN {$OPT["table_prefix"]}users u ON u.userid = i.userid " . - "INNER JOIN {$OPT["table_prefix"]}ranks r ON r.ranking = i.ranking " . - "INNER JOIN {$OPT["table_prefix"]}allocs a ON a.userid = $userid AND a.itemid = i.itemid AND bought = 0 " . - "ORDER BY $sortby"; -$rs = mysql_query($query) or die("Could not query $query: " . mysql_error()); -$shoplist = array(); -$totalprice = 0; -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { - $totalprice += $row["total"]; - if ($row["quantity"] == 1) { - $row["price"] = formatPrice($row["price"]); +try { + // not worried about sql injection here since $sortby is a function of $sort, which falls through. + $stmt = $smarty->dbh()->prepare("SELECT description, source, price, i.comment, a.quantity, a.quantity * i.price AS total, rendered, fullname " . + "FROM {$opt["table_prefix"]}items i " . + "INNER JOIN {$opt["table_prefix"]}users u ON u.userid = i.userid " . + "INNER JOIN {$opt["table_prefix"]}ranks r ON r.ranking = i.ranking " . + "INNER JOIN {$opt["table_prefix"]}allocs a ON a.userid = ? AND a.itemid = i.itemid AND bought = 0 " . + "ORDER BY " . $sortby); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + + $stmt->execute(); + $shoplist = array(); + $totalprice = 0; + $itemcount = 0; + while ($row = $stmt->fetch()) { + $totalprice += $row["total"]; + ++$itemcount; + if ($row["quantity"] == 1) { + $row["price"] = formatPrice($row["price"], $opt); + } + else { + $row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"], $opt) . " = " . formatPrice($row["total"], $opt); + } + $shoplist[] = $row; } - else { - $row["price"] = $row["quantity"] . " @ " . formatPrice($row["price"]) . " = " . 
formatPrice($row["total"]); - } - $shoplist[] = $row; + + $smarty->assign('shoplist', $shoplist); + $smarty->assign('totalprice', formatPrice($totalprice, $opt)); + $smarty->assign('itemcount', $itemcount); + $smarty->assign('userid', $userid); + $smarty->assign('isadmin', $_SESSION["admin"]); + $smarty->assign('opt', $smarty->opt()); + $smarty->display('shoplist.tpl'); +} +catch (PDOException $e) { + die("sql exception: " . $e->getMessage()); } -$itemcount = mysql_num_rows($rs); -mysql_free_result($rs); - -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); -$smarty->assign('shoplist', $shoplist); -$smarty->assign('totalprice', formatPrice($totalprice)); -$smarty->assign('itemcount', $itemcount); -$smarty->assign('userid', $userid); -$smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); -$smarty->display('shoplist.tpl'); ?> diff --git a/src/signup.php b/src/signup.php index 5aa9537..78f7474 100644 --- a/src/signup.php +++ b/src/signup.php 
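Review bot: `die("sql exception: " . $e->getMessage())` in the new catch block sends driver error text (SQL fragments, table names) to the browser; log it and show a generic message instead, e.g. `error_log("shoplist.php: " . $e->getMessage()); die("A database error occurred.");`. The other converted scripts in this change have no catch at all, so whether an exception reaches this block depends on how MySmarty sets PDO::ATTR_ERRMODE, which is not visible in the diff. The try block also wraps the Smarty assign/display calls, which are not PDO operations and would read more clearly outside it.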
@@ -13,70 +13,67 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); -if (isset($_POST["action"])) { - if ($_POST["action"] == "signup") { - $username = $_POST["username"]; - $fullname = $_POST["fullname"]; - $email = $_POST["email"]; - $familyid = $_POST["familyid"]; - if (!get_magic_quotes_gpc()) { - $username = addslashes($username); - $fullname = addslashes($fullname); - $email = addslashes($email); - $familyid = addslashes($familyid); - } - if ($familyid == "") - $familyid = "NULL"; +if (isset($_POST["action"]) && $_POST["action"] == "signup") { + $username = $_POST["username"]; + $fullname = $_POST["fullname"]; + $email = $_POST["email"]; + $familyid = $_POST["familyid"]; - // make sure that username isn't taken. - $query = "SELECT userid FROM {$OPT["table_prefix"]}users WHERE username = '$username'"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if (mysql_num_rows($rs) > 0) { - $error = "The username '" . stripslashes($username) . "' is already taken. Please choose another."; - mysql_free_result($rs); + // make sure that username isn't taken. + $stmt = $smarty->dbh()->prepare("SELECT userid FROM {$opt["table_prefix"]}users WHERE username = ?"); + $stmt->bindParam(1, $username, PDO::PARAM_STR); + $stmt->execute(); + if ($stmt->fetch()) { + $error = "The username '" . $username . "' is already taken. Please choose another."; + } + else { + // generate a password and insert the row. + // NOTE: if approval is required, this password will be replaced + // when the account is approved. 
+ $pwd = generatePassword($opt); + + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}users(username,fullname,password,email,approved,initialfamilyid) VALUES(?, ?, {$opt["password_hasher"]}(?), ?, ?, ?)"); + $stmt->bindParam(1, $username, PDO::PARAM_STR); + $stmt->bindParam(2, $fullname, PDO::PARAM_STR); + $stmt->bindParam(3, $pwd, PDO::PARAM_STR); + $stmt->bindParam(4, $email, PDO::PARAM_STR); + $stmt->bindValue(5, !$opt["newuser_requires_approval"], PDO::PARAM_BOOL); + $stmt->bindParam(6, $familyid, PDO::PARAM_INT); + $stmt->execute(); + + if ($opt["newuser_requires_approval"]) { + // send the e-mails to the administrators. + $stmt = $smarty->dbh()->prepare("SELECT fullname, email FROM {$opt["table_prefix"]}users WHERE admin = 1 AND email IS NOT NULL"); + $stmt->execute(); + while ($row = $stmt->fetch()) { + mail( + $row["email"], + "Gift Registry approval request for " . $fullname, + $fullname . " <" . $email . "> would like you to approve him/her for access to the Gift Registry.", + "From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n" + ) or die("Mail not accepted for " . $row["email"]); + } } else { - mysql_free_result($rs); - - // generate a password and insert the row. - // NOTE: if approval is required, this password will be replaced - // when the account is approved. - $pwd = generatePassword(); - $query = "INSERT INTO {$OPT["table_prefix"]}users(username,fullname,password,email,approved,initialfamilyid) VALUES('$username','$fullname',{$OPT["password_hasher"]}('$pwd'),'$email'," . ($OPT["newuser_requires_approval"] ? "0" : "1") . ",$familyid)"; - mysql_query($query) or die("Could not query: " . mysql_error()); - - if ($OPT["newuser_requires_approval"]) { - // send the e-mails to the administrators. - $query = "SELECT fullname, email FROM {$OPT["table_prefix"]}users WHERE admin = 1 AND email IS NOT NULL"; - $rs = mysql_query($query) or die("Could not query: " . 
mysql_error()); - while ($row = mysql_fetch_assoc($rs)) { - mail( - $row["email"], - "Gift Registry approval request for " . stripslashes($fullname), - stripslashes($fullname) . " <" . stripslashes($email) . "> would like you to approve him/her for access to the Gift Registry.", - "From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n" - ) or die("Mail not accepted for " . $row["email"]); - } - mysql_free_result($rs); - } - else { - // we don't require approval, - // so immediately send them their initial password. - // also, join them up to their initial family (if requested). - if ($familyid != "NULL") { - $query = "SELECT userid FROM {$OPT["table_prefix"]}users WHERE username = '$username'"; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - $row = mysql_fetch_assoc($rs); + // we don't require approval, + // so immediately send them their initial password. + // also, join them up to their initial family (if requested). + if ($familyid != NULL) { + $stmt = $smarty->dbh()->prepare("SELECT userid FROM {$opt["table_prefix"]}users WHERE username = ?"); + $stmt->bindParam(1, $username, PDO::PARAM_STR); + $stmt->execute(); + if ($row = $stmt->fetch()) { $userid = $row["userid"]; - mysql_free_result($rs); - $query = "INSERT INTO {$OPT["table_prefix"]}memberships(userid,familyid) VALUES($userid,$familyid)"; - echo $query; - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}memberships(userid,familyid) VALUES(?, ?)"); + $stmt->bindParam(1, $userid, PDO::PARAM_INT); + $stmt->bindParam(2, $familyid, PDO::PARAM_INT); + $stmt->execute(); } mail( 
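Review bot: `$familyid = $_POST["familyid"];` is bound with `bindParam(6, $familyid, PDO::PARAM_INT)` even when the form sends an empty string, whereas the removed code stored NULL in that case, so an empty choice is now likely to be written as 0 (driver-dependent); normalise it first, e.g. `$familyid = ($_POST["familyid"] === "") ? null : (int) $_POST["familyid"];` and bind with `PDO::PARAM_NULL` when it is null. The later `if ($familyid != NULL)` check still behaves correctly with that normalisation. Separately, `$fullname` is placed unfiltered into the mail() subject on the admin-notification path; stripping CR/LF first, e.g. `str_replace(["\r", "\n"], " ", $fullname)`, keeps header injection out of the picture regardless of what mail() itself rejects.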
@@ -84,25 +81,20 @@ if (isset($_POST["action"])) { "Gift Registry account created", "Your Gift Registry account was created.\r\n" . "Your username is $username and your password is $pwd.", - "From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n" + "From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n" ) or die("Mail not accepted for $email"); } } - } } - -$query = "SELECT familyid, familyname FROM {$OPT["table_prefix"]}families ORDER BY familyname"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); + +$stmt = $smarty->dbh()->prepare("SELECT familyid, familyname FROM {$opt["table_prefix"]}families ORDER BY familyname"); +$stmt->execute(); $families = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $families[] = $row; } -mysql_free_result($rs); -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); $smarty->assign('families', $families); $smarty->assign('username', $username); $smarty->assign('fullname', $fullname); @@ -113,6 +105,6 @@ if (isset($error)) { $smarty->assign('error', $error); } $smarty->assign('isadmin', $_SESSION['admin']); -$smarty->assign('opt', $OPT); +$smarty->assign('opt', $smarty->opt()); $smarty->display('signup.tpl'); ?> diff --git a/src/templates/event.tpl b/src/templates/event.tpl index 9935cfa..16dbce2 100644 --- a/src/templates/event.tpl +++ b/src/templates/event.tpl @@ -29,7 +29,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA {if isset($message)}
-
+
{$message|escape:'htmlall'}
diff --git a/src/templates/families.tpl b/src/templates/families.tpl index f3ceb67..995e676 100644 --- a/src/templates/families.tpl +++ b/src/templates/families.tpl @@ -30,7 +30,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA {if isset($message)}
-
{$message|escape:'htmlall'}
+
{$message|escape:'htmlall'}
{/if} diff --git a/src/templates/home.tpl b/src/templates/home.tpl index 17c79ca..5b79e31 100644 --- a/src/templates/home.tpl +++ b/src/templates/home.tpl @@ -151,7 +151,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA {$row.fullname|escape:'htmlall'} {if $row.comment != ''} - {$row.comment|escape:'htmlall'} + ... {/if} {$row.list_stamp} @@ -271,62 +271,62 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- {if $opt.shop_requires_approval} + {if $opt.shop_requires_approval || ($isadmin && $opt.newuser_requires_approval)}
-
-
-

People who want to shop for me

- - - - - - - - - {foreach from=$pending item=row} - - - - - {/foreach} - -
Name 
{$row.fullname|escape:'htmlall'} - Approve / - Decline -
-
-
-
- {/if} - {if $isadmin && $opt.newuser_requires_approval} -
-
-
-

People waiting for approval

- - - - - - - - - - {foreach from=$approval item=row} - - - - - - {/foreach} - -
NameFamily 
{$row.fullname|escape:'htmlall'} <{$row.email|escape:'htmlall'}>{$row.familyname|escape:'htmlall'} - Approve / - Reject -
+ {if $opt.shop_requires_approval} +
+
+

People who want to shop for me

+ + + + + + + + + {foreach from=$pending item=row} + + + + + {/foreach} + +
Name 
{$row.fullname|escape:'htmlall'} + Approve / + Decline +
+
-
+ {/if} + {if $isadmin && $opt.newuser_requires_approval} +
+
+

People waiting for approval

+ + + + + + + + + + {foreach from=$approval item=row} + + + + + + {/foreach} + +
NameFamily 
{$row.fullname|escape:'htmlall'} <{$row.email|escape:'htmlall'}>{$row.familyname|escape:'htmlall'} + Approve / + Reject +
+
+
+ {/if}
{/if} diff --git a/src/templates/login.tpl b/src/templates/login.tpl index dcd9a2a..9d9177e 100644 --- a/src/templates/login.tpl +++ b/src/templates/login.tpl @@ -23,12 +23,12 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -
+
+

Gift Registry

- Gift Registry {if isset($username)}
Bad login.
{/if} diff --git a/src/templates/message.tpl b/src/templates/message.tpl index c4f87ef..64cffa4 100644 --- a/src/templates/message.tpl +++ b/src/templates/message.tpl @@ -50,7 +50,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- +
diff --git a/src/templates/mylist.tpl b/src/templates/mylist.tpl index e111e79..602bfb4 100644 --- a/src/templates/mylist.tpl +++ b/src/templates/mylist.tpl @@ -76,14 +76,14 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
{$itemcount} item(s), {$totalprice} total.
-
+
diff --git a/src/templates/shop.tpl b/src/templates/shop.tpl index e46566b..148843d 100644 --- a/src/templates/shop.tpl +++ b/src/templates/shop.tpl @@ -49,7 +49,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA {if isset($message)}
-
+
{$message|escape:'htmlall'}
diff --git a/src/templates/signup.tpl b/src/templates/signup.tpl index 60b74b0..7d95fcc 100644 --- a/src/templates/signup.tpl +++ b/src/templates/signup.tpl @@ -49,7 +49,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -
+
{if isset($error)}
diff --git a/src/templates/users.tpl b/src/templates/users.tpl index c9c6a41..cc50045 100644 --- a/src/templates/users.tpl +++ b/src/templates/users.tpl @@ -36,7 +36,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA {if isset($message)}
-
{$message|escape:'htmlall'}
+
{$message|escape:'htmlall'}
{/if} diff --git a/src/users.php b/src/users.php index cc97aa8..f28446a 100644 --- a/src/users.php +++ b/src/users.php @@ -13,9 +13,10 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -include("config.php"); -include("db.php"); -include("funcLib.php"); +require_once(dirname(__FILE__) . "/includes/funcLib.php"); +require_once(dirname(__FILE__) . "/includes/MySmarty.class.php"); +$smarty = new MySmarty(); +$opt = $smarty->opt(); session_start(); if (!isset($_SESSION["userid"])) { @@ -32,7 +33,7 @@ if ($_SESSION["admin"] != 1) { } if (!empty($_GET["message"])) { - $message = strip_tags($_GET["message"]); + $message = $_GET["message"]; } if (isset($_GET["action"])) @@ -48,11 +49,6 @@ if ($action == "insert" || $action == "update") { $email_msgs = (strtoupper($_GET["email_msgs"]) == "ON" ? 1 : 0); $approved = (strtoupper($_GET["approved"]) == "ON" ? 1 : 0); $userisadmin = (strtoupper($_GET["admin"]) == "ON" ? 1 : 0); - if (!get_magic_quotes_gpc()) { - $username = addslashes($username); - $fullname = addslashes($fullname); - $email = addslashes($email); - } $haserror = false; if ($username == "") { 
@@ -75,19 +71,37 @@ if ($action == "delete") { // work ourselves. $deluserid = (int) $_GET["userid"]; - mysql_query("DELETE FROM {$OPT["table_prefix"]}shoppers WHERE shopper = $deluserid OR mayshopfor = $deluserid") or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}shoppers WHERE shopper = ? OR mayshopfor = ?"); + $stmt->bindParam(1, $deluserid, PDO::PARAM_INT); + $stmt->bindParam(2, $deluserid, PDO::PARAM_INT); + $stmt->execute(); + // we can't leave messages with dangling senders, so delete those too. - mysql_query("DELETE FROM {$OPT["table_prefix"]}messages WHERE sender = $deluserid OR recipient = $deluserid") or die("Could not query: " . mysql_error()); - mysql_query("DELETE FROM {$OPT["table_prefix"]}events WHERE userid = $deluserid") or die("Could not query: " . mysql_error()); - mysql_query("DELETE FROM {$OPT["table_prefix"]}items WHERE userid = $deluserid") or die("Could not query: " . mysql_error()); - mysql_query("DELETE FROM {$OPT["table_prefix"]}users WHERE userid = $deluserid") or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}messages WHERE sender = ? OR recipient = ?"); + $stmt->bindParam(1, $deluserid, PDO::PARAM_INT); + $stmt->bindParam(2, $deluserid, PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}events WHERE userid = ?"); + $stmt->bindParam(1, $deluserid, PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE userid = ?"); + $stmt->bindParam(1, $deluserid, PDO::PARAM_INT); + $stmt->execute(); + + $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}users WHERE userid = ?"); + $stmt->bindParam(1, $deluserid, PDO::PARAM_INT); + $stmt->execute(); + header("Location: " . 
getFullPath("users.php?message=User+deleted.")); exit; } else if ($action == "edit") { - $query = "SELECT username, fullname, email, email_msgs, approved, admin FROM {$OPT["table_prefix"]}users WHERE userid = " . (int) $_GET["userid"]; - $rs = mysql_query($query) or die("Could not query: " . mysql_error()); - if ($row = mysql_fetch_array($rs,MYSQL_ASSOC)) { + $stmt = $smarty->dbh()->prepare("SELECT username, fullname, email, email_msgs, approved, admin FROM {$opt["table_prefix"]}users WHERE userid = ?"); + $stmt->bindValue(1, (int) $_GET["userid"], PDO::PARAM_INT); + $stmt->execute(); + if ($row = $stmt->fetch()) { $username = $row["username"]; $fullname = $row["fullname"]; $email = $row["email"]; 
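Review bot: The five DELETE statements run without a transaction and none of the execute() results are checked, so a failure partway leaves a partially deleted user with exactly the dangling rows the comment above wants to avoid; take `$dbh = $smarty->dbh(); $dbh->beginTransaction();` before the first prepare and `$dbh->commit();` after the last execute, rolling back on exception. Whether the connection is in exception mode is not visible here, so the rollback path depends on MySmarty's PDO configuration. Rows in allocs or memberships that reference the deleted user or items are not touched by this block either — worth confirming against the schema.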
@@ -108,16 +122,23 @@ else if ($action == "") { else if ($action == "insert") { if (!$haserror) { // generate a password and insert the row. - $pwd = generatePassword(); - $query = "INSERT INTO {$OPT["table_prefix"]}users(username,password,fullname,email,email_msgs,approved,admin) " . - "VALUES('$username',{$OPT["password_hasher"]}('$pwd'),'$fullname'," . ($email == "" ? "NULL" : "'$email'") . ",$email_msgs,$approved,$userisadmin)"; - mysql_query($query) or die("Could not query: " . mysql_error()); + $pwd = generatePassword($opt); + $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}users(username,password,fullname,email,email_msgs,approved,admin) VALUES(?, {$opt["password_hasher"]}(?), ?, ?, ?, ?, ?)"); + $stmt->bindParam(1, $username, PDO::PARAM_STR); + $stmt->bindParam(2, $pwd, PDO::PARAM_STR); + $stmt->bindParam(3, $fullname, PDO::PARAM_STR); + $stmt->bindParam(4, $email, PDO::PARAM_STR); + $stmt->bindParam(5, $email_msgs, PDO::PARAM_BOOL); + $stmt->bindParam(6, $approved, PDO::PARAM_BOOL); + $stmt->bindParam(7, $userisadmin, PDO::PARAM_BOOL); + $stmt->execute(); + mail( $email, "Gift Registry account created", "Your Gift Registry account was created.\r\n" . "Your username is $username and your password is $pwd.", - "From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n" + "From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n" ) or die("Mail not accepted for $email"); header("Location: " . getFullPath("users.php?message=User+added+and+e-mail+sent.")); exit; 
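Review bot: `$stmt->bindParam(4, $email, PDO::PARAM_STR);` stores an empty string where the removed code stored NULL (`($email == "" ? "NULL" : "'$email'")`), which defeats the `email IS NOT NULL` filter used when mailing administrators in signup.php; bind NULL explicitly, e.g. `$stmt->bindValue(4, $email === "" ? null : $email, $email === "" ? PDO::PARAM_NULL : PDO::PARAM_STR);`. The update branch in the next hunk of this file has the same regression for its email column.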
@@ -125,15 +146,23 @@ else if ($action == "insert") { } else if ($action == "update") { if (!$haserror) { - $query = "UPDATE {$OPT["table_prefix"]}users SET " . - "username = '$username', " . - "fullname = '$fullname', " . - "email = " . ($email == "" ? "NULL" : "'$email'") . ", " . - "email_msgs = $email_msgs, " . - "approved = $approved, " . - "admin = $userisadmin " . - "WHERE userid = " . $_GET["userid"]; - mysql_query($query) or die("Could not query: " . mysql_error()); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET " . + "username = ?, " . + "fullname = ?, " . + "email = ?, " . + "email_msgs = ?, " . + "approved = ?, " . + "admin = ? " . + "WHERE userid = ?"); + $stmt->bindParam(1, $username, PDO::PARAM_STR); + $stmt->bindParam(2, $pwd, PDO::PARAM_STR); + $stmt->bindParam(3, $fullname, PDO::PARAM_STR); + $stmt->bindParam(4, $email, PDO::PARAM_STR); + $stmt->bindParam(5, $email_msgs, PDO::PARAM_BOOL); + $stmt->bindParam(6, $approved, PDO::PARAM_BOOL); + $stmt->bindParam(7, $userisadmin, PDO::PARAM_BOOL); + $stmt->bindValue(8, (int) $_GET["userid"], PDO::PARAM_INT); + $stmt->execute(); header("Location: " . getFullPath("users.php?message=User+updated.")); exit; } 
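Review bot: The UPDATE has seven `?` placeholders but eight bindings, because `$stmt->bindParam(2, $pwd, PDO::PARAM_STR);` was carried over from the INSERT branch; as written fullname would receive $pwd (unset in this branch), every later column is shifted by one, and the eighth binding has no placeholder, so execute() is likely to fail with a parameter-count error. Drop the $pwd binding and renumber the remaining ones so the positions match the SET list.
```php
        // … unchanged: prepare() of the UPDATE statement …
        $stmt->bindParam(1, $username, PDO::PARAM_STR);
        $stmt->bindParam(2, $fullname, PDO::PARAM_STR);
        $stmt->bindParam(3, $email, PDO::PARAM_STR);
        $stmt->bindParam(4, $email_msgs, PDO::PARAM_BOOL);
        $stmt->bindParam(5, $approved, PDO::PARAM_BOOL);
        $stmt->bindParam(6, $userisadmin, PDO::PARAM_BOOL);
        $stmt->bindValue(7, (int) $_GET["userid"], PDO::PARAM_INT);
        $stmt->execute();
```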
@@ -141,19 +170,18 @@ else if ($action == "update") { else if ($action == "reset") { $resetuserid = $_GET["userid"]; $resetemail = $_GET["email"]; - if (!get_magic_quotes_gpc()) { - $resetuserid = addslashes($resetuserid); - $resetemail = addslashes($resetemail); - } + // generate a password and insert the row. - $pwd = generatePassword(); - $query = "UPDATE {$OPT["table_prefix"]}users SET password = {$OPT["password_hasher"]}('$pwd') WHERE userid = $resetuserid"; - mysql_query($query) or die("Could not query: " . mysql_error()); + $pwd = generatePassword($opt); + $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}users SET password = {$opt["password_hasher"]}(?) WHERE userid = ?"); + $stmt->bindParam(1, $pwd, PDO::PARAM_STR); + $stmt->bindParam(2, $resetuserid, PDO::PARAM_INT); + $stmt->execute(); mail( $resetemail, "Gift Registry password reset", "Your Gift Registry password was reset to $pwd.", - "From: {$OPT["email_from"]}\r\nReply-To: {$OPT["email_reply_to"]}\r\nX-Mailer: {$OPT["email_xmailer"]}\r\n" + "From: {$opt["email_from"]}\r\nReply-To: {$opt["email_reply_to"]}\r\nX-Mailer: {$opt["email_xmailer"]}\r\n" ) or die("Mail not accepted for $email"); header("Location: " . getFullPath("users.php?message=Password+reset.")); exit; 
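Review bot: `$resetuserid = $_GET["userid"];` is bound with PDO::PARAM_INT without the `(int)` cast that the edit branch of this file uses (`bindValue(1, (int) $_GET["userid"], PDO::PARAM_INT)`); cast it the same way for consistency and so a non-numeric value never reaches the driver. The comment `// generate a password and insert the row.` above this UPDATE should read `// generate a password and store its hash.` The new password is mailed to `$resetemail`, taken from the request rather than the user's stored address, and the failure message references `$email`, which is not set in this branch — both predate the change but are worth fixing while the block is being rewritten.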
@@ -163,17 +191,14 @@ else { exit; } -$query = "SELECT userid, username, fullname, email, email_msgs, approved, admin FROM {$OPT["table_prefix"]}users ORDER BY username"; -$rs = mysql_query($query) or die("Could not query: " . mysql_error()); +$stmt = $smarty->dbh()->prepare("SELECT userid, username, fullname, email, email_msgs, approved, admin FROM {$opt["table_prefix"]}users ORDER BY username"); +$stmt->execute(); $users = array(); -while ($row = mysql_fetch_array($rs, MYSQL_ASSOC)) { +while ($row = $stmt->fetch()) { $users[] = $row; } mysql_free_result($rs); -define('SMARTY_DIR',str_replace("\\","/",getcwd()).'/includes/Smarty-3.1.12/libs/'); -require_once(SMARTY_DIR . 'Smarty.class.php'); -$smarty = new Smarty(); $smarty->assign('action', $action); $smarty->assign('username', $username); if (isset($username_error)) { @@ -190,13 +215,15 @@ if (isset($email_error)) { $smarty->assign('email_msgs', $email_msgs); $smarty->assign('approved', $approved); $smarty->assign('userisadmin', $userisadmin); -$smarty->assign('haserror', $haserror); +if (isset($haserror)) { + $smarty->assign('haserror', $haserror); +} $smarty->assign('users', $users); if (isset($message)) { $smarty->assign('message', $message); } $smarty->assign('userid', $userid); $smarty->assign('isadmin', $_SESSION["admin"]); -$smarty->assign('opt', $OPT); +$smarty->assign('opt', $smarty->opt()); $smarty->display('users.tpl'); ?>
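Review bot: `mysql_free_result($rs);` survives after the user-list loop although `$rs` is no longer assigned anywhere in this file, and on PHP 7+ the call itself is an undefined function, so the page would fail right before rendering; delete that line. A PDO statement consumed by `$stmt->fetch()` needs no explicit free here, as the other converted loops in this change already assume.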