Skip to content
Snippets Groups Projects
Commit 5b2702ac authored by Henoch Einbier's avatar Henoch Einbier
Browse files

Update userprofil.php 

-secured PDO queries with bindParam
parent 9e5caba2
Branches
Tags
2 merge requests!46Release 3.0,!26Update userprofil.php
Hide whitespace changes
Inline Side-by-side
content/konto/userprofil.php
+ 72
25
View file @ 5b2702ac
......@@ -14,20 +14,37 @@ if (!isset($mailstatus)) $mailstatus = "";
if (!isset($delchange)) $delchange = "";
if ($_POST['acc_del'] == 'Jetzt löschen!' && $_POST['del_passwort']) {
$schnittstelle = mysql_fetch_array(db_query("SELECT `passwort` FROM " . _VMS_ . "_kontodaten LIMIT 1")) or die("Userinfo");
$sql = sql::$db->query("SELECT `passwort` FROM " . _VMS_ . "_kontodaten LIMIT 1") or die("Userinfo");
$schnittstelle = $sql->fetch();
if ($schnittstelle['passwort'] != md5($_GET['del_passwort'])) {
echo 'Passwort falsch';
} else {
$sperrzeit = time() + (86400 * 30);
db_query("DELETE FROM " . _VMS_ . "_kontodaten WHERE uid=" . $_SESSION['uid'] . "");
db_query("DELETE FROM " . _VMS_ . "_emaildaten WHERE uid=" . $_SESSION['uid'] . "");
db_query("DELETE FROM " . _VMS_ . "_userdaten WHERE uid=" . $_SESSION['uid'] . "");
db_query("DELETE FROM " . _VMS_ . "_werberdaten WHERE uid=" . $_SESSION['uid'] . "");
db_query("UPDATE " . _VMS_ . "_werberdaten SET werber = 0 WHERE werber=" . $_SESSION['uid'] . "");
db_query ('DELETE FROM ' . _VMS_ . '_admin_abuse WHERE uid = ' . $_SESSION['uid']);
db_query ('DELETE FROM vms_buchungen WHERE uid = ' . $_SESSION['uid']);
db_query ('DELETE FROM vms_reloads WHERE uid = ' . $_SESSION['uid']);
db_query ('DELETE FROM vms_schnittstelle_anfragen WHERE uid = ' . $_SESSION['uid']);
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_kontodaten WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_emaildaten WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_userdaten WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_werberdaten WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_werberdaten SET werber = 0 WHERE werber=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
//db_query ('DELETE FROM ' . _VMS_ . '_admin_abuse WHERE uid = ' . $_SESSION['uid']); //tabelle existiert nicht
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_buchungen WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_reloads WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_schnittstelle_anfragen WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">';
}
}
......@@ -37,7 +54,10 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
if ($_POST['pwd'] && $_POST['pwd2']) {
if ($_POST['pwd'] == $_POST['pwd2']) {
if (strlen($_POST['pwd']) >= 8) {
db_query("UPDATE " . _VMS_ . "_kontodaten SET passwort = '" . md5($_POST['pwd']) . "' WHERE uid=" . $_SESSION['uid'] . "");
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_kontodaten SET passwort = :pass WHERE uid = :session_uid");
$sql -> bindParam(':pass', md5($_POST['pwd']), PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">';
// $change .= 'Das Passwort wurde geändert!<br><b><font color="#FF0000">Bitte logge Dich jetzt aus und wieder neu ein!</font></b><br>';
} else {
......@@ -51,15 +71,24 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
// Nickname ändern beginn !
if ($_POST['aendern'] == 'Jetzt ändern!') {
if (isset ($_POST['nickname'])) {
$nickname = mysql_real_escape_string(ucfirst($_POST['nickname']));
$nickname_check = db_query ("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname='" . $nickname . "'");
$nickname_check2 = db_query ("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname='" . $nickname . "'AND uid=" . $_SESSION['uid'] . "");
if (mysql_num_rows($nickname_check))
if (mysql_num_rows($nickname_check2)) {
$nickname = ucfirst($_POST['nickname']);
$nickname_check = sql::$db->prepare("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname = :nickname");
$nickname_check -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
$nickname_check -> execute();
$nickname_check2 = sql::$db->prepare("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname = :nickname AND uid = :session_uid");
$nickname_check2 -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
$nickname_check2 -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_STR);
$nickname_check2 -> execute();
if ($nickname_check->rowCount() )
if ($nickname_check2->rowCount() ) {
} else {
$change = 'Dieser Nickname ist schon vergeben!<br>';
} else {
db_query("UPDATE " . _VMS_ . "_userdaten SET nickname = '" . $nickname . "' WHERE uid=" . $_SESSION['uid'] . "");
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_userdaten SET nickname = :nickname WHERE uid = :session_uid");
$sql -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_STR);
$sql -> execute();
}
}
}
......@@ -71,13 +100,23 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
if ($_POST['newsletter'] == 0 and $_POST['paidmails'] == 1) $mailstatus = 2;
if ($_POST['newsletter'] == 1 and $_POST['paidmails'] == 1) $mailstatus = 3;
$_POST['max_forced'] = (int)$_POST['max_forced'];
db_query("UPDATE " . _VMS_ . "_emaildaten SET freigabe_fuer = " . $mailstatus . ", emailadresse = '" . $_POST['emailadresse'] . "' WHERE uid=" . $_SESSION['uid'] . "");
db_query("UPDATE " . _VMS_ . "_userdaten SET max_forced = '" . $_POST['max_forced'] . "' WHERE uid=" . $_SESSION['uid'] . "");
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_emaildaten SET freigabe_fuer = :mailstatus, emailadresse = :emailadresse WHERE uid = :session_uid");
$sql -> bindParam(':mailstatus', $mailstatus, PDO::PARAM_INT);
$sql -> bindParam(':emailadresse', $_POST['emailadresse'], PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_userdaten SET max_forced = :max_forced WHERE uid = :session_uid");
$sql -> bindParam(':max_forced', $_POST['max_forced'], PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$change .= 'Deine Daten wurden aktualisiert!<br>';
}
}
$sql = sql::$db->query("SELECT u.*,e.emailadresse,e.freigabe_fuer FROM " . _VMS_ . "_userdaten AS u LEFT JOIN " . _VMS_ . "_emaildaten AS e ON e.uid=u.uid WHERE u.uid=" . $_SESSION['uid'] . " LIMIT 1");
$sql = sql::$db->prepare("SELECT u.*,e.emailadresse,e.freigabe_fuer FROM " . _VMS_ . "_userdaten AS u LEFT JOIN " . _VMS_ . "_emaildaten AS e ON e.uid=u.uid WHERE u.uid = :session_uid LIMIT 1");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$info = $sql->fetch();
if ($info['freigabe_fuer'] == 0) {
......@@ -184,7 +223,10 @@ die Paidmails wenn Du keine haben möchtest!<br>
head("Externe Konten");
if (isset($_POST['veri'])) {
$schnittstelle = mysql_fetch_array(db_query("SELECT * FROM " . _VMS_ . "_schnittstelle WHERE schnittstelle='" . $_POST['schnittstelle'] . "' AND aktiv > 0 LIMIT 1"));
$sql = sql::$db->prepare("SELECT * FROM " . _VMS_ . "_schnittstelle WHERE schnittstelle = :schnittstelle AND aktiv > 0 LIMIT 1");
$sql -> bindParam(':schnittstelle', $_POST['schnittstelle'], PDO::PARAM_STR);
$sql -> execute();
$schnittstelle = $sql->fetch();
// User beim Betreiber prüfen
$sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_schnittstelle_anfragen (zeit,uid) VALUES (?,?)");
$sql->execute(array( $tag, $_SESSION['uid'] ));
......@@ -193,12 +235,14 @@ die Paidmails wenn Du keine haben möchtest!<br>
$error = $trans_ausgabe;
print_r($error);
if (!$error) {
$sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_multi_konten (uid, kontoid, waehrung) VALUES(?,?,?) ON DUPLICATE KEY UPDATE kontoid='" . $_POST['veri_id'] . "'");
$sql->execute(array( $_SESSION['uid'], $_POST['veri_id'], $_POST['schnittstelle'] ));
$sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_multi_konten (uid, kontoid, waehrung) VALUES(?,?,?) ON DUPLICATE KEY UPDATE kontoid=?");
$sql->execute(array( $_SESSION['uid'], $_POST['veri_id'], $_POST['schnittstelle'], $_POST['veri_id'] ));
}
}
$moeglichkeiten_q = sql::$db->query('SELECT schnittstelle FROM ' . _VMS_ . '_schnittstelle WHERE aktiv > 0 AND schnittstelle NOT IN (SELECT waehrung AS schnittstelle FROM vms_multi_konten WHERE uid=' . $_SESSION['uid'] . ')');
$moeglichkeiten_q = sql::$db->prepare('SELECT schnittstelle FROM ' . _VMS_ . '_schnittstelle WHERE aktiv > 0 AND schnittstelle NOT IN (SELECT waehrung AS schnittstelle FROM vms_multi_konten WHERE uid = :session_uid)');
$moeglichkeiten_q -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$moeglichkeiten_q -> execute();
?>
<form action="" method="post">
......@@ -230,7 +274,10 @@ die Paidmails wenn Du keine haben möchtest!<br>
Bereits&nbsp;verifiziert:<br />
<table>
<?php
$veri = sql::$db->query('SELECT * FROM vms_multi_konten WHERE uid=' . $_SESSION['uid'] . '');
$veri = sql::$db->prepare('SELECT * FROM vms_multi_konten WHERE uid=:session_uid');
$veri -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$veri -> execute();
while ($verid = $veri->fetch() ) { ?>
<tr>
<td><?php echo $verid['waehrung']; ?>:</td>
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment