From c6c76ea30d68a338434d21f32978f1b22c104d1f Mon Sep 17 00:00:00 2001
From: Quitta
Date: Fri, 5 Jul 2013 00:37:48 +0200
Subject: [PATCH] Added functionality to update country + gender + added some xss security
---
 .../ryzom_ams/www/html/func/change_info.php | 48 ++++++++++++++-----
 .../ryzom_ams/www/html/func/change_mail.php | 12 +++-
 .../www/html/func/change_password.php | 16 +++++-
 .../ryzom_ams/www/html/inc/settings.php | 8 ++++
 4 files changed, 65 insertions(+), 19 deletions(-)
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_info.php b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_info.php
index 4bbe9ea24..860b207ea 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_info.php
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_info.php
@@ -3,7 +3,7 @@ function change_info(){
 try{
- //if logged in
+ //if logged in
 if(WebUsers::isLoggedIn()){
 if(isset($_POST['target_id'])){
@@ -19,17 +19,24 @@ function change_info(){
 $webUser = new WebUsers();
 //use current info to check for changes
 $current_info = $webUser->getInfo($_POST['target_id']);
+ //TODO: XSS filtering
+ $current_info['FirstName'] = filter_var($current_info['FirstName'], FILTER_SANITIZE_STRING);
+ $current_info['LastName'] = filter_var($current_info['LastName'], FILTER_SANITIZE_STRING);
+ $current_info['Country'] = filter_var($current_info['Country'], FILTER_SANITIZE_STRING);
+ $current_info['Gender'] = filter_var($current_info['Gender'], FILTER_SANITIZE_NUMBER_INT);
+
- //make the query that will update the data.
 $updated = false;
 $values = Array();
 $values['user'] = $target_username;
+
+ //make the query that will update the data.
 $query = "UPDATE ams_user SET ";
 if(($_POST['FirstName'] != "") && ($_POST['FirstName'] != $current_info['FirstName'])){
 $query = $query . "FirstName = :fName ";
 $updated = true;
- $values['fName'] = $_POST['FirstName'];
+ $values['fName'] = filter_var($_POST['FirstName'], FILTER_SANITIZE_STRING);
 }
 if(($_POST['LastName'] != "") && ($_POST['LastName'] != $current_info['LastName'])){
 if($updated){
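Review bot: The change detection now compares a sanitized stored value against the raw posted one: `$current_info['FirstName']` has been passed through FILTER_SANITIZE_STRING (tags stripped, quotes turned into entities) while the `if(($_POST['FirstName'] != "") && ($_POST['FirstName'] != $current_info['FirstName']))` test a few lines below uses `$_POST['FirstName']` untouched, so a stored name such as O'Brien is reported as changed on every submit and rewritten. Sanitize once into a local and use it on both sides: `$newFirst = filter_var($_POST['FirstName'], FILTER_SANITIZE_STRING);` then `if(($newFirst != "") && ($newFirst != $current_info['FirstName'])){` and `$values['fName'] = $newFirst;` (the LastName branch in the next hunk has the same shape). More generally, rewriting names through a lossy sanitizer before storage alters user data; the parameterised UPDATE already protects the database, so this layer should validate (length, allowed characters) and HTML escaping should happen where the value is rendered. `$_POST['FirstName']` and `$_POST['LastName']` are also read without an `isset()` guard, which raises a notice when a field is missing from the request. change_info() starts and ends outside this hunk.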
@@ -38,9 +45,27 @@ function change_info(){
 $query = $query . "LastName = :lName ";
 }
 $updated = true;
- $values['lName'] = $_POST['LastName'];
+ $values['lName'] = filter_var($_POST['LastName'], FILTER_SANITIZE_STRING);
 }
- //TODO: add the other fields too
+ if(($_POST['Country'] != "AA") && ($_POST['Country'] != $current_info['Country'])){
+ if($updated){
+ $query = $query . ", Country = :country ";
+ }else{
+ $query = $query . "Country = :country ";
+ }
+ $updated = true;
+ $values['country'] = filter_var($_POST['Country'], FILTER_SANITIZE_STRING);
+ }
+ if($_POST['Gender'] != $current_info['Gender']){
+ if($updated){
+ $query = $query . ", Gender = :gender ";
+ }else{
+ $query = $query . "Gender = :gender ";
+ }
+ $updated = true;
+ $values['gender'] = filter_var($_POST['Gender'], FILTER_SANITIZE_NUMBER_INT);
+ }
+ //finish the query!
 $query = $query . "WHERE Login = :user";
 //if some field is update then:
@@ -61,24 +86,25 @@ function change_info(){
 $result['username'] = $_SESSION['user'];
 $result['no_visible_elements'] = 'FALSE';
 $result['target_id'] = $_POST['target_id'];
- if(isset($_GET['id'])){
- if(WebUsers::isAdmin() && ($_POST['target_id'] != $_SESSION['id'])){
- $result['isAdmin'] = "TRUE";
- }
- }
 helpers :: loadtemplate( 'settings', $result);
 exit;
 }else{
 //ERROR: permission denied!
+ $_SESSION['error_code'] = "403";
+ header("Location: index.php?page=error");
+ exit;
 }
 }else{
 //ERROR: The form was not filled in correclty
+ header("Location: index.php?page=settings");
+ exit;
 }
 }else{
 //ERROR: user is not logged in
- exit;
+ header("Location: index.php");
+ exit;
 }
 }catch (PDOException $e) {
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_mail.php b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_mail.php
index dafcd6975..6905febae 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_mail.php
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_mail.php
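Review bot: The new Country and Gender branches sanitize the posted values but never validate them against what the application accepts: `$_POST['Country']` is persisted as long as it differs from "AA" (presumably the placeholder option of the select — verify) and from the stored value, and `$_POST['Gender']` only has non-digit characters removed, so any string and any integer end up in the UPDATE and are later rendered back to the user. Check the country code against the list `getCountryArray()` returns (its shape, key or value, is not visible here — confirm) and validate gender with `$gender = filter_var($_POST['Gender'], FILTER_VALIDATE_INT);`, accepting only the values the form offers and skipping the update otherwise. Both keys are also read without `isset()`, and `$_POST['Gender'] != $current_info['Gender']` is a loose string/int comparison; compare the validated integer with `!==` after an explicit `(int)` cast of the stored value. The enclosing function change_info() continues outside this hunk.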
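Review bot: `$result['target_id'] = $_POST['target_id'];` still forwards the raw request value to the template while every other value this commit places in `$result` is sanitized; since the earlier hunk passes it to `getInfo()` as an id, validate it once as an integer, `$result['target_id'] = filter_var($_POST['target_id'], FILTER_VALIDATE_INT);`, and treat `false` like the "form not filled in" case. That branch now redirects to `index.php?page=settings` without recording why, unlike the 403 branch which sets `$_SESSION['error_code']`; a similar session flag would let the settings page explain the failure. The same redirect pattern is repeated in the change_mail.php and change_password.php hunks below. change_info() begins outside this hunk.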
@@ -28,10 +28,10 @@ function change_mail(){
 }else{
 $result['EMAIL_ERROR'] = 'FALSE';
 }
- $result['prevNewEmail'] = $_POST["NewEmail"];
+ $result['prevNewEmail'] = filter_var($_POST["NewEmail"], FILTER_SANITIZE_EMAIL);
 if ($reply== "success"){
- $status = WebUsers::setEmail($target_username, $_POST["NewEmail"] );
+ $status = WebUsers::setEmail($target_username, filter_var($_POST["NewEmail"], FILTER_SANITIZE_EMAIL) );
 if($status == 'ok'){
 $result['SUCCESS_MAIL'] = "OK";
 }else if($status == 'shardoffline'){
@@ -66,14 +66,20 @@ function change_mail(){
 }else{
 //ERROR: permission denied!
+ $_SESSION['error_code'] = "403";
+ header("Location: index.php?page=error");
+ exit;
 }
 }else{
 //ERROR: The form was not filled in correclty
+ header("Location: index.php?page=settings");
+ exit;
 }
 }else{
 //ERROR: user is not logged in
- exit;
+ header("Location: index.php");
+ exit;
 }
 }catch (PDOException $e) {
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php
index 3008849b1..e13e859c3 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php
@@ -42,12 +42,12 @@ function change_password(){
 exit;
 }else{
- $result['prevCurrentPass'] = $_POST["CurrentPass"];
- $result['prevNewPass'] = $_POST["NewPass"];
- $result['prevConfirmNewPass'] = $_POST["ConfirmNewPass"];
+ $result['prevCurrentPass'] = filter_var($_POST["CurrentPass"], FILTER_SANITIZE_STRING);
+ $result['prevNewPass'] = filter_var($_POST["NewPass"], FILTER_SANITIZE_STRING);
+ $result['prevConfirmNewPass'] = filter_var($_POST["ConfirmNewPass"], FILTER_SANITIZE_STRING);
 $result['permission'] = $_SESSION['permission'];
 $result['no_visible_elements'] = 'FALSE';
- $return['username'] = $_SESSION['user'];
+ $result['username'] = $_SESSION['user'];
 $result['target_id'] = $_POST['target_id'];
 global $SITEBASE;
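Review bot: FILTER_SANITIZE_EMAIL silently removes characters instead of rejecting the input, so the address handed to `WebUsers::setEmail` on the `$status =` line can differ both from what the user typed and from the value `$reply` was computed against (that validation sits above the hunk and is not visible here). Validate rather than sanitize, and use a single variable for the echo-back and the update: `$newEmail = filter_var($_POST["NewEmail"], FILTER_VALIDATE_EMAIL);`, treat `$newEmail === false` as the EMAIL_ERROR case, then call `WebUsers::setEmail($target_username, $newEmail)`. As written the same filter is also evaluated twice on one input. change_mail() starts and ends outside this hunk.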
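Review bot: The three `prev*Pass` assignments reflect the submitted passwords back into the rendered form, and FILTER_SANITIZE_STRING makes that worse by altering any password containing `<`, `>` or quotes, so the prefilled value no longer matches what was typed. Passwords should not be round-tripped through the response at all (they end up in page source, browser caches and autofill); remove these three lines or set the keys to `''` and require re-entry after a failed attempt. If echoing is kept for some reason, the values would still need proper HTML escaping at output rather than a lossy sanitizer. change_password() begins and ends outside this hunk.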
@@ -61,14 +61,20 @@ function change_password(){
 }else{
 //ERROR: permission denied!
+ $_SESSION['error_code'] = "403";
+ header("Location: index.php?page=error");
+ exit;
 }
 }else{
 //ERROR: The form was not filled in correclty
+ header("Location: index.php?page=settings");
+ exit;
 }
 }else{
 //ERROR: user is not logged in
- exit;
+ header("Location: index.php");
+ exit;
 }
 }catch (PDOException $e) {
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php b/code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php
index 259ce258f..52c7b445d 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php
@@ -21,6 +21,14 @@ function settings(){
 $result = WebUsers::getInfo($_SESSION['id']);
 $result['target_id'] = $_SESSION['id'];
 $result['current_mail'] = WebUsers::getEmail($_SESSION['id']);
+
+ //Sanitize Data
+ $result['current_mail'] = filter_var($result['current_mail'], FILTER_SANITIZE_EMAIL);
+ $result['Login'] = filter_var($result['Login'], FILTER_SANITIZE_STRING);
+ $result['FirstName'] = filter_var($result['FirstName'], FILTER_SANITIZE_STRING);
+ $result['LastName'] = filter_var($result['LastName'], FILTER_SANITIZE_STRING);
+ $result['Country'] = filter_var($result['Country'], FILTER_SANITIZE_STRING);
+ $result['Gender'] = filter_var($result['Gender'], FILTER_SANITIZE_NUMBER_INT);
 }
 $result['country_array'] = getCountryArray();
 return $result;
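Review bot: The "Sanitize Data" block relies on FILTER_SANITIZE_STRING as output escaping, which it is not: it strips tags and encodes quotes but leaves `&` untouched, it is wrong for attribute and JavaScript contexts, and it is deprecated as of PHP 8.1. Unless `helpers::loadtemplate` escapes on its own (not visible in this patch — confirm), escape each value for the HTML context, e.g. `$result['FirstName'] = htmlspecialchars($result['FirstName'], ENT_QUOTES, 'UTF-8');` and the same for Login, LastName, Country and current_mail, or better move escaping into the template layer so every view gets it consistently. Note that `FILTER_SANITIZE_NUMBER_INT` turns a null or non-numeric Gender into an empty string, which the template must tolerate. The enclosing function settings() begins outside this hunk.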