Commit 5b2702ac authored by Henoch Einbier's avatar Henoch Einbier

Update userprofil.php

-secured PDO queries with bindParam
parent 9e5caba2
2 merge requests!46Release 3.0,!26Update userprofil.php
...@@ -14,20 +14,37 @@ if (!isset($mailstatus)) $mailstatus = ""; ...@@ -14,20 +14,37 @@ if (!isset($mailstatus)) $mailstatus = "";
if (!isset($delchange)) $delchange = ""; if (!isset($delchange)) $delchange = "";
if ($_POST['acc_del'] == 'Jetzt löschen!' && $_POST['del_passwort']) { if ($_POST['acc_del'] == 'Jetzt löschen!' && $_POST['del_passwort']) {
$schnittstelle = mysql_fetch_array(db_query("SELECT `passwort` FROM " . _VMS_ . "_kontodaten LIMIT 1")) or die("Userinfo"); $sql = sql::$db->query("SELECT `passwort` FROM " . _VMS_ . "_kontodaten LIMIT 1") or die("Userinfo");
$schnittstelle = $sql->fetch();
if ($schnittstelle['passwort'] != md5($_GET['del_passwort'])) { if ($schnittstelle['passwort'] != md5($_GET['del_passwort'])) {
echo 'Passwort falsch'; echo 'Passwort falsch';
} else { } else {
$sperrzeit = time() + (86400 * 30); $sperrzeit = time() + (86400 * 30);
db_query("DELETE FROM " . _VMS_ . "_kontodaten WHERE uid=" . $_SESSION['uid'] . ""); $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_kontodaten WHERE uid=:session_uid");
db_query("DELETE FROM " . _VMS_ . "_emaildaten WHERE uid=" . $_SESSION['uid'] . ""); $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
db_query("DELETE FROM " . _VMS_ . "_userdaten WHERE uid=" . $_SESSION['uid'] . ""); $sql -> execute();
db_query("DELETE FROM " . _VMS_ . "_werberdaten WHERE uid=" . $_SESSION['uid'] . ""); $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_emaildaten WHERE uid=:session_uid");
db_query("UPDATE " . _VMS_ . "_werberdaten SET werber = 0 WHERE werber=" . $_SESSION['uid'] . ""); $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
db_query ('DELETE FROM ' . _VMS_ . '_admin_abuse WHERE uid = ' . $_SESSION['uid']); $sql -> execute();
db_query ('DELETE FROM vms_buchungen WHERE uid = ' . $_SESSION['uid']); $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_userdaten WHERE uid=:session_uid");
db_query ('DELETE FROM vms_reloads WHERE uid = ' . $_SESSION['uid']); $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
db_query ('DELETE FROM vms_schnittstelle_anfragen WHERE uid = ' . $_SESSION['uid']); $sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_werberdaten WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_werberdaten SET werber = 0 WHERE werber=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
//db_query ('DELETE FROM ' . _VMS_ . '_admin_abuse WHERE uid = ' . $_SESSION['uid']); //tabelle existiert nicht
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_buchungen WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_reloads WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_schnittstelle_anfragen WHERE uid=:session_uid");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">'; echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">';
} }
} }
...@@ -37,7 +54,10 @@ if ($_POST['aendern'] == 'Jetzt ändern!') { ...@@ -37,7 +54,10 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
if ($_POST['pwd'] && $_POST['pwd2']) { if ($_POST['pwd'] && $_POST['pwd2']) {
if ($_POST['pwd'] == $_POST['pwd2']) { if ($_POST['pwd'] == $_POST['pwd2']) {
if (strlen($_POST['pwd']) >= 8) { if (strlen($_POST['pwd']) >= 8) {
db_query("UPDATE " . _VMS_ . "_kontodaten SET passwort = '" . md5($_POST['pwd']) . "' WHERE uid=" . $_SESSION['uid'] . ""); $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_kontodaten SET passwort = :pass WHERE uid = :session_uid");
$sql -> bindParam(':pass', md5($_POST['pwd']), PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">'; echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">';
// $change .= 'Das Passwort wurde geändert!<br><b><font color="#FF0000">Bitte logge Dich jetzt aus und wieder neu ein!</font></b><br>'; // $change .= 'Das Passwort wurde geändert!<br><b><font color="#FF0000">Bitte logge Dich jetzt aus und wieder neu ein!</font></b><br>';
} else { } else {
...@@ -51,15 +71,24 @@ if ($_POST['aendern'] == 'Jetzt ändern!') { ...@@ -51,15 +71,24 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
// Nickname ändern beginn ! // Nickname ändern beginn !
if ($_POST['aendern'] == 'Jetzt ändern!') { if ($_POST['aendern'] == 'Jetzt ändern!') {
if (isset ($_POST['nickname'])) { if (isset ($_POST['nickname'])) {
$nickname = mysql_real_escape_string(ucfirst($_POST['nickname'])); $nickname = ucfirst($_POST['nickname']);
$nickname_check = db_query ("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname='" . $nickname . "'"); $nickname_check = sql::$db->prepare("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname = :nickname");
$nickname_check2 = db_query ("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname='" . $nickname . "'AND uid=" . $_SESSION['uid'] . ""); $nickname_check -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
if (mysql_num_rows($nickname_check)) $nickname_check -> execute();
if (mysql_num_rows($nickname_check2)) { $nickname_check2 = sql::$db->prepare("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname = :nickname AND uid = :session_uid");
$nickname_check2 -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
$nickname_check2 -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_STR);
$nickname_check2 -> execute();
if ($nickname_check->rowCount() )
if ($nickname_check2->rowCount() ) {
} else { } else {
$change = 'Dieser Nickname ist schon vergeben!<br>'; $change = 'Dieser Nickname ist schon vergeben!<br>';
} else { } else {
db_query("UPDATE " . _VMS_ . "_userdaten SET nickname = '" . $nickname . "' WHERE uid=" . $_SESSION['uid'] . ""); $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_userdaten SET nickname = :nickname WHERE uid = :session_uid");
$sql -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_STR);
$sql -> execute();
} }
} }
} }
...@@ -71,13 +100,23 @@ if ($_POST['aendern'] == 'Jetzt ändern!') { ...@@ -71,13 +100,23 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
if ($_POST['newsletter'] == 0 and $_POST['paidmails'] == 1) $mailstatus = 2; if ($_POST['newsletter'] == 0 and $_POST['paidmails'] == 1) $mailstatus = 2;
if ($_POST['newsletter'] == 1 and $_POST['paidmails'] == 1) $mailstatus = 3; if ($_POST['newsletter'] == 1 and $_POST['paidmails'] == 1) $mailstatus = 3;
$_POST['max_forced'] = (int)$_POST['max_forced']; $_POST['max_forced'] = (int)$_POST['max_forced'];
db_query("UPDATE " . _VMS_ . "_emaildaten SET freigabe_fuer = " . $mailstatus . ", emailadresse = '" . $_POST['emailadresse'] . "' WHERE uid=" . $_SESSION['uid'] . ""); $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_emaildaten SET freigabe_fuer = :mailstatus, emailadresse = :emailadresse WHERE uid = :session_uid");
db_query("UPDATE " . _VMS_ . "_userdaten SET max_forced = '" . $_POST['max_forced'] . "' WHERE uid=" . $_SESSION['uid'] . ""); $sql -> bindParam(':mailstatus', $mailstatus, PDO::PARAM_INT);
$sql -> bindParam(':emailadresse', $_POST['emailadresse'], PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_userdaten SET max_forced = :max_forced WHERE uid = :session_uid");
$sql -> bindParam(':max_forced', $_POST['max_forced'], PDO::PARAM_STR);
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$change .= 'Deine Daten wurden aktualisiert!<br>'; $change .= 'Deine Daten wurden aktualisiert!<br>';
} }
} }
$sql = sql::$db->query("SELECT u.*,e.emailadresse,e.freigabe_fuer FROM " . _VMS_ . "_userdaten AS u LEFT JOIN " . _VMS_ . "_emaildaten AS e ON e.uid=u.uid WHERE u.uid=" . $_SESSION['uid'] . " LIMIT 1"); $sql = sql::$db->prepare("SELECT u.*,e.emailadresse,e.freigabe_fuer FROM " . _VMS_ . "_userdaten AS u LEFT JOIN " . _VMS_ . "_emaildaten AS e ON e.uid=u.uid WHERE u.uid = :session_uid LIMIT 1");
$sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql -> execute();
$info = $sql->fetch(); $info = $sql->fetch();
if ($info['freigabe_fuer'] == 0) { if ($info['freigabe_fuer'] == 0) {
...@@ -184,7 +223,10 @@ die Paidmails wenn Du keine haben möchtest!<br> ...@@ -184,7 +223,10 @@ die Paidmails wenn Du keine haben möchtest!<br>
head("Externe Konten"); head("Externe Konten");
if (isset($_POST['veri'])) { if (isset($_POST['veri'])) {
$schnittstelle = mysql_fetch_array(db_query("SELECT * FROM " . _VMS_ . "_schnittstelle WHERE schnittstelle='" . $_POST['schnittstelle'] . "' AND aktiv > 0 LIMIT 1")); $sql = sql::$db->prepare("SELECT * FROM " . _VMS_ . "_schnittstelle WHERE schnittstelle = :schnittstelle AND aktiv > 0 LIMIT 1");
$sql -> bindParam(':schnittstelle', $_POST['schnittstelle'], PDO::PARAM_STR);
$sql -> execute();
$schnittstelle = $sql->fetch();
// User beim Betreiber prüfen // User beim Betreiber prüfen
$sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_schnittstelle_anfragen (zeit,uid) VALUES (?,?)"); $sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_schnittstelle_anfragen (zeit,uid) VALUES (?,?)");
$sql->execute(array( $tag, $_SESSION['uid'] )); $sql->execute(array( $tag, $_SESSION['uid'] ));
...@@ -193,12 +235,14 @@ die Paidmails wenn Du keine haben möchtest!<br> ...@@ -193,12 +235,14 @@ die Paidmails wenn Du keine haben möchtest!<br>
$error = $trans_ausgabe; $error = $trans_ausgabe;
print_r($error); print_r($error);
if (!$error) { if (!$error) {
$sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_multi_konten (uid, kontoid, waehrung) VALUES(?,?,?) ON DUPLICATE KEY UPDATE kontoid='" . $_POST['veri_id'] . "'"); $sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_multi_konten (uid, kontoid, waehrung) VALUES(?,?,?) ON DUPLICATE KEY UPDATE kontoid=?");
$sql->execute(array( $_SESSION['uid'], $_POST['veri_id'], $_POST['schnittstelle'] )); $sql->execute(array( $_SESSION['uid'], $_POST['veri_id'], $_POST['schnittstelle'], $_POST['veri_id'] ));
} }
} }
$moeglichkeiten_q = sql::$db->query('SELECT schnittstelle FROM ' . _VMS_ . '_schnittstelle WHERE aktiv > 0 AND schnittstelle NOT IN (SELECT waehrung AS schnittstelle FROM vms_multi_konten WHERE uid=' . $_SESSION['uid'] . ')'); $moeglichkeiten_q = sql::$db->prepare('SELECT schnittstelle FROM ' . _VMS_ . '_schnittstelle WHERE aktiv > 0 AND schnittstelle NOT IN (SELECT waehrung AS schnittstelle FROM vms_multi_konten WHERE uid = :session_uid)');
$moeglichkeiten_q -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$moeglichkeiten_q -> execute();
?> ?>
<form action="" method="post"> <form action="" method="post">
...@@ -230,7 +274,10 @@ die Paidmails wenn Du keine haben möchtest!<br> ...@@ -230,7 +274,10 @@ die Paidmails wenn Du keine haben möchtest!<br>
Bereits&nbsp;verifiziert:<br /> Bereits&nbsp;verifiziert:<br />
<table> <table>
<?php <?php
$veri = sql::$db->query('SELECT * FROM vms_multi_konten WHERE uid=' . $_SESSION['uid'] . ''); $veri = sql::$db->prepare('SELECT * FROM vms_multi_konten WHERE uid=:session_uid');
$veri -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$veri -> execute();
while ($verid = $veri->fetch() ) { ?> while ($verid = $veri->fetch() ) { ?>
<tr> <tr>
<td><?php echo $verid['waehrung']; ?>:</td> <td><?php echo $verid['waehrung']; ?>:</td>
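Review bot: In the first hunk the account-deletion password check still runs `SELECT passwort FROM ..._kontodaten LIMIT 1` with no `WHERE uid` clause and compares the result against `$_GET['del_passwort']`, while the enclosing condition reads `$_POST['del_passwort']`; the PDO rewrite keeps both, so the submitted password is checked against the first account's hash rather than the current user's and, unless the form also sends the value in the query string, against an empty input. The SELECT should be prepared with `uid = :session_uid` like the DELETE statements below it, the comparison should read `$_POST`, a missing row should count as a failed check, and the loose `!=` between two hash strings should become `hash_equals()` (or at least `!==`), since PHP compares numeric-looking strings numerically. Separately, `$sql -> bindParam(':pass', md5($_POST['pwd']), PDO::PARAM_STR);` in the second hunk passes a function result to a by-reference parameter, which PHP reports with a notice; `bindValue` is the right call there (the `:mailstatus` and `:max_forced` bindings only work because they are variables). The nickname hunk binds `:session_uid` with `PDO::PARAM_STR` where every other hunk uses `PDO::PARAM_INT`, and it decides on `rowCount()` of a SELECT, which PDO does not guarantee for every driver; fetching a row or selecting `COUNT(*)` would be more reliable.
```php
$sql = sql::$db->prepare("SELECT `passwort` FROM " . _VMS_ . "_kontodaten WHERE uid = :session_uid LIMIT 1");
$sql->bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
$sql->execute();
$schnittstelle = $sql->fetch();
if (!$schnittstelle || !hash_equals((string) $schnittstelle['passwort'], md5($_POST['del_passwort']))) {
    echo 'Passwort falsch';
} else {
    // … unchanged: $sperrzeit and the DELETE/UPDATE statements …
}
```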