www/adiumxtras.com 33:4425cadd2860: 'Burninate user' option to A...
Fri Dec 2 18:16:31 UTC 2011
details: http://hg.adium.im/www/adiumxtras.com/rev/4425cadd2860
revision: 33:4425cadd2860
branch: adiumxtras.com
author: Zachary West <zacw at adium.im>
date: Fri Dec 02 13:16:25 2011 -0500
'Burninate user' option to Admins and more database sanitization.
Seriously I should not have been allowed near a database 6 years ago.
diffs (291 lines):
diff -r 63b6b90cbe26 -r 4425cadd2860 include.php
--- a/include.php Fri Dec 02 12:50:51 2011 -0500
+++ b/include.php Fri Dec 02 13:16:25 2011 -0500
@@ -106,7 +106,7 @@
// We return the user_id to make life simpler.
function validUser($userName, $password) {
global $sql;
- $sql->query("SELECT user_id FROM users WHERE username='%s' AND password='%s' AND status='Active'", $userName, $password);
+ $sql->query("SELECT user_id FROM users WHERE username='%s' AND password='%s' AND status='Active'", mysql_escape_string($userName), mysql_escape_string($password));
return ($sql->num_rows() > 0) ? $sql->fetch_row_single() : FALSE;
}
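Review bot: `mysql_escape_string()` on the added line is the charset-unaware variant; it was deprecated in PHP 5.3 in favour of `mysql_real_escape_string()`, which escapes according to the open connection's character set, and the whole ext/mysql family is removed in PHP 7. The more durable fix is to quote once inside `$sql->query()` for every `%s` argument (or move to prepared statements) rather than wrapping each call site, since the rest of this commit shows how easy it is to miss one (`$_FILES['archive']['type']` in manage.php, for instance). `$password` is inserted exactly as received; whether the caller hashes it first is not visible in this hunk.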
diff -r 63b6b90cbe26 -r 4425cadd2860 manage.php
--- a/manage.php Fri Dec 02 12:50:51 2011 -0500
+++ b/manage.php Fri Dec 02 13:16:25 2011 -0500
@@ -188,7 +188,7 @@
case "save":
$_POST['xtra_id'] = intval($_POST['xtra_id']);
- $sql->query("SELECT user_id, binary_name, status FROM xtras WHERE xtra_id='%d'", $_POST['xtra_id']);
+ $sql->query("SELECT user_id, binary_name, status FROM xtras WHERE xtra_id='%d'", intval($_POST['xtra_id']));
list ($xtraOwner, $binaryName, $status) = $sql->fetch_row();
// Does the user have sufficient access to edit?
// Admin/Moderator or *this Xtra's* contributor ONLY
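Review bot: `$_POST['xtra_id']` is already overwritten with `intval(...)` on the line above, so the `intval()` wrapped around it on the added line — and again at the later queries in the `save` case (category update, binary update, thumbnail, preview images, image deletion) — is a no-op. Harmless, but it obscures the fact that the value was sanitised once at the top; either drop the repeats or, clearer still, take a local `$xtraId = intval($_POST['xtra_id']);` here and use it throughout. The `save` case continues outside this hunk.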
@@ -218,9 +218,9 @@
// Update the static text fields.
// This is, truly, the easy part.
- $sql->query("UPDATE xtras SET title='%s', description='%s', changes='%s', credits='%s', version='%s' WHERE xtra_id='%d'", $_POST['title'], $_POST['description'], $_POST['changes'], $_POST['credits'], $_POST['version'], $_POST['xtra_id']);
+ $sql->query("UPDATE xtras SET title='%s', description='%s', changes='%s', credits='%s', version='%s' WHERE xtra_id='%d'", mysql_escape_string($_POST['title']), mysql_escape_string($_POST['description']), mysql_escape_string($_POST['changes']), mysql_escape_string($_POST['credits']), mysql_escape_string($_POST['version']), mysql_escape_string($_POST['xtra_id']));
// Change the category.
- $sql->query("UPDATE assoc SET cat_id='%d' WHERE xtra_id='%d'", $_POST['category'], $_POST['xtra_id']);
+ $sql->query("UPDATE assoc SET cat_id='%d' WHERE xtra_id='%d'", intval($_POST['category']), intval($_POST['xtra_id']));
$mime_exts['application/zip'] = 'zip';
$mime_exts['application/x-gzip'] = 'tgz';
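Review bot: On the first added line the `xtra_id` argument for the `%d` placeholder is passed through `mysql_escape_string()` whereas every other id in this commit uses `intval()`; `%d` coerces to an integer anyway so this is not a hole, but `intval($_POST['xtra_id'])` states the intent and matches the rest. The five text fields are escaped for SQL but not passed through `strip_tags()` the way `name` and `comment` are elsewhere in this commit; whether the templates escape `description`/`changes`/`credits` on output is not visible here, so that is worth checking before relying on it.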
@@ -252,9 +252,9 @@
chmod($binaryName, 0644);
if ($status == 'Approved')
- $sql->query("UPDATE xtras SET binary_name='%s', bin_mime='%s', filesize='%s', bin_updated=NOW(), status='Pending' WHERE xtra_id='%d'", basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), $_POST['xtra_id']);
+ $sql->query("UPDATE xtras SET binary_name='%s', bin_mime='%s', filesize='%s', bin_updated=NOW(), status='Pending' WHERE xtra_id='%d'", basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), intval($_POST['xtra_id']));
else
- $sql->query("UPDATE xtras SET binary_name='%s', bin_mime='%s', filesize='%s', bin_updated=NOW() WHERE xtra_id='%d'", basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), $_POST['xtra_id']);
+ $sql->query("UPDATE xtras SET binary_name='%s', bin_mime='%s', filesize='%s', bin_updated=NOW() WHERE xtra_id='%d'", basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), intval($_POST['xtra_id']));
}
} else if ($_FILES['archive']['error'] == UPLOAD_ERR_INI_SIZE) {
$error[] = "The archive was too large vs. the PHP .ini file. Please try again.";
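Review bot: `$_FILES['archive']['type']` still reaches the `bin_mime='%s'` slot on both added lines without escaping or validation, although it comes straight from the client's multipart Content-Type and is as untrusted as the `$_POST` values this commit escapes. Since `$mime_exts` already whitelists the accepted types, look the type up first and store only a known key, e.g. `$mime = isset($mime_exts[$_FILES['archive']['type']]) ? $_FILES['archive']['type'] : FALSE;`, reject the upload when it is `FALSE`, and pass `$mime` to both queries. `dlSize()` is not visible; I have assumed it returns a formatted string rather than echoing request data.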
@@ -268,7 +268,7 @@
if (!preg_match("/jpe?g|png|gif/", $_FILES['thumbnail']['type'])) {
$error[] = "The thumbnail you provided was not png, gif or jpeg format. Please try again.";
} else {
- $sql->query("SELECT thumbnail FROM xtras WHERE xtra_id='%d'", $_POST['xtra_id']);
+ $sql->query("SELECT thumbnail FROM xtras WHERE xtra_id='%d'", intval($_POST['xtra_id']));
$thumbnail = $sql->fetch_row_single();
if ($thumbnail)
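Review bot: The MIME check on `$_FILES['thumbnail']['type']` just above the changed line is an unanchored substring match against a client-declared value, so `text/html;gif` passes and the declared type need not match the file's bytes; the same pattern guards the preview images two hunks further down. Server-side detection is cheap here: `$info = getimagesize($_FILES['thumbnail']['tmp_name']);` followed by `if (!$info || !in_array($info[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG), true))` rejects anything that is not actually an image, and the detected type rather than the declared one should drive the stored extension.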
@@ -283,7 +283,7 @@
if ($imgwidth > 50 || $imgheight > 50)
system(sprintf("/usr/bin/convert -size 50x50 %s -resize 50x50 %s", $thumbName, $thumbName), $thumb_error);
- $sql->query("UPDATE xtras SET thumbnail='%s' WHERE xtra_id='%d'", basename($thumbName), $_POST['xtra_id']);
+ $sql->query("UPDATE xtras SET thumbnail='%s' WHERE xtra_id='%d'", basename($thumbName), intval($_POST['xtra_id']));
}
}
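Review bot: `$thumbName` is interpolated unquoted into the `system()` command two lines above the changed query; where it is built is outside this hunk, but if any part of it (the extension taken from `$mime_exts[...]`, or the base name) derives from request data, a space or shell metacharacter breaks the command or worse. Quote it regardless: `system(sprintf("/usr/bin/convert -size 50x50 %s -resize 50x50 %s", escapeshellarg($thumbName), escapeshellarg($thumbName)), $thumb_error);`, and check `$thumb_error` before recording the thumbnail in the database.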
@@ -296,7 +296,7 @@
} elseif (!preg_match("/jpe?g|png|gif/", $_FILES['previewImage']['type'][$key])) {
$error[] = sprintf("The preview image (%s) you provided was not png, gif or jpeg format. Please try again.", $_FILES['previewImage']['name'][$key]);
} else {
- $sql->query("INSERT INTO images SET xtra_id='%d'", $_POST['xtra_id']);
+ $sql->query("INSERT INTO images SET xtra_id='%d'", intval($_POST['xtra_id']));
$newImageID = $sql->insert_id();
$imageName = sprintf("%s%s_image_%s.%s", $picturesLocation, $baseFileName, $newImageID, $mime_exts[$_FILES['previewImage']['type'][$key]]);
@@ -316,12 +316,12 @@
}
if ($_POST['delete']) {
- $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d' AND image_id IN (%s)", $_POST['xtra_id'], implode(",", $_POST['delete']));
+ $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d' AND image_id IN (%s)", $_POST['xtra_id'], implode(",", mysql_escape_string($_POST['delete'])));
while (list($imgfile, $thumbfile) = $sql->fetch_row()) {
checkAndDelete(sprintf("%s%s", "/home/adiumx/public_html/images/pictures/", $imgfile));
checkAndDelete(sprintf("%s%s", "/home/adiumx/public_html/images/pictures/", $thumbfile));
}
- $sql->query("DELETE FROM images WHERE xtra_id='%d' AND image_id IN (%s)", $_POST['xtra_id'], implode(",", $_POST['delete']));
+ $sql->query("DELETE FROM images WHERE xtra_id='%d' AND image_id IN (%s)", intval($_POST['xtra_id']), implode(",", mysql_escape_string($_POST['delete'])));
}
$smarty->assign("title", "Xtra Saved");
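Review bot: `mysql_escape_string($_POST['delete'])` on both changed lines is applied to an array — `delete` is a list of image ids, as the surrounding `implode(",", ...)` shows — and `mysql_escape_string()` expects a string, so under PHP 5 it emits a warning and returns NULL; `implode()` then produces nothing and the `IN (%s)` clause becomes `IN ()`, a MySQL syntax error, so deleting images no longer works. Ids in an IN list need casting, not quoting: `$imageIds = implode(",", array_map('intval', (array) $_POST['delete']));` and pass `$imageIds` to both queries. The SELECT also still passes the raw `$_POST['xtra_id']` while the DELETE uses `intval()`; use the same value for both.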
@@ -333,7 +333,7 @@
case "create_xtra":
if ($_POST['name'] && $_POST['category']) {
// Yeehaw, let's create it and redirect them.
- $sql->query("INSERT INTO xtras (user_id, title, status, date_added) VALUES ('%d', '%s', 'Build', NOW())", $currentUserID, strip_tags($_POST['name']));
+ $sql->query("INSERT INTO xtras (user_id, title, status, date_added) VALUES ('%d', '%s', 'Build', NOW())", $currentUserID, mysql_escape_string(strip_tags($_POST['name'])));
$newID = $sql->insert_id();
$sql->query("INSERT INTO assoc (xtra_id, cat_id) VALUES ('%d', '%d')", $newID, intval($_POST['category']));
header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", $newID));
diff -r 63b6b90cbe26 -r 4425cadd2860 templates/loginForm.tpl
--- a/templates/loginForm.tpl Fri Dec 02 12:50:51 2011 -0500
+++ b/templates/loginForm.tpl Fri Dec 02 13:16:25 2011 -0500
@@ -22,10 +22,7 @@
</tr>
<tr>
<td colspan="2">
- <labelset>
- <input type="checkbox" name="remember" value="Y" />
- Remember me
- </labelset> <small>(Only recommended on <span style="color: red; font-weight: bold;">secure</span> computers.)</small>
+ <label><input type="checkbox" name="remember" value="Y" /> Keep me logged in</label>
</td>
</tr>
<tr>
diff -r 63b6b90cbe26 -r 4425cadd2860 templates/profile.tpl
--- a/templates/profile.tpl Fri Dec 02 12:50:51 2011 -0500
+++ b/templates/profile.tpl Fri Dec 02 13:16:25 2011 -0500
@@ -8,6 +8,14 @@
<h2>Profile: {if $user.lname || $user.fname}{$user.fname} {$user.lname} ({/if}{$user.username}{if $user.lname || $user.fname}){/if}</h2>
+{if $burninate}
+<form method="post" action="/index.php?a=users&do=burninate">
+ <input type="hidden" name="del_user_id" value="{$user.user_id}" />
+ <label><input type="checkbox" name="confirm" value="1" /> Confirm</label>
+ <input type="submit" value="Burninate">
+</form>
+{/if}
+
<table border="0" cellspacing="2" cellpadding="2">
{if $user.privs ne 'Contributor'}
<tr>
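Review bot: The burninate form carries nothing that binds the request to the admin's session — only `del_user_id` and `confirm` — so any page an admin visits while logged in can submit it and delete a contributor, because the handler in users.php checks only the admin's privilege level and the `confirm` flag. Add a per-session token as a hidden field, e.g. `<input type="hidden" name="token" value="{$csrf_token}" />` (name illustrative), generated in the profile handler and compared with the session value in the `burninate` case before anything is deleted. `{$burninate}` being display-only is right; the enforcement on the users.php side is what matters.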
diff -r 63b6b90cbe26 -r 4425cadd2860 templates/registerForm.tpl
--- a/templates/registerForm.tpl Fri Dec 02 12:50:51 2011 -0500
+++ b/templates/registerForm.tpl Fri Dec 02 13:16:25 2011 -0500
@@ -6,6 +6,7 @@
<form method="post" action="index.php">
<input type="hidden" name="a" value="users" />
<input type="hidden" name="do" value="create_account" />
+<input type="hidden" name="username" value="" />
<table border="0" cellspacing="2" cellpadding="2">
<tr>
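Review bot: The hidden, empty `username` field added here, together with the visible field being renamed to `banana` in the next hunk and `create_account` now reading `$_POST['banana']`, reads like a bot trap, but nothing in the template says so and the next maintainer will "fix" the odd name. A Smarty comment on the added line documents it: `{* Bot trap: the real username field is "banana"; automated submitters fill this hidden "username" instead *}`. The trap only helps if the server rejects submissions where the hidden `username` is non-empty; the visible part of `create_account` does not check it, though that may happen outside the hunk.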
@@ -13,7 +14,7 @@
</tr>
<tr>
<td style="text-align: right;"><strong>Username:</strong></td>
- <td><input type="text" name="username" value="{$username}" /></td>
+ <td><input type="text" name="banana" value="{$username}" /></td>
</tr>
<tr>
diff -r 63b6b90cbe26 -r 4425cadd2860 users.php
--- a/users.php Fri Dec 02 12:50:51 2011 -0500
+++ b/users.php Fri Dec 02 13:16:25 2011 -0500
@@ -16,14 +16,14 @@
break;
case "reset_password":
- $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", $_POST['vcode']);
+ $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", mysql_escape_string($_POST['vcode']));
if ($sql->num_rows() == 0) {
$smarty->assign("title", "Error Resetting Password");
$smarty->assign("message", "The verification code you have provided is incorrect. Please try copy-and-pasting the address again.");
$smarty->display('error.tpl');
} else {
if ($_POST['password1'] == $_POST['password2'] && $_POST['password1'] != "") {
- $sql->query("UPDATE users SET password='%s', vcode='' WHERE vcode='%s'", md5($_POST['password1']), $_POST['vcode']);
+ $sql->query("UPDATE users SET password='%s', vcode='' WHERE vcode='%s'", md5($_POST['password1']), mysql_escape_string($_POST['vcode']));
$smarty->assign("title", "Password Reset");
$smarty->assign("message", "Your password has been successfully reset. Please login.");
$smarty->display('loginForm.tpl');
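Review bot: `md5($_POST['password1'])` on the second added line stores an unsalted MD5 digest, which is not a password hash — identical passwords produce identical rows and precomputed tables recover most of them once the table leaks; the same call appears in `create_account` and in the profile update further down. `crypt()` with a Blowfish salt built from `openssl_random_pseudo_bytes()` is available on PHP 5.3, and `validUser()` in include.php would then fetch the stored hash by username and compare with `crypt($password, $storedHash) === $storedHash` instead of matching the digest in SQL. Clearing `vcode` on success is good; it keeps the reset link single-use.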
@@ -61,11 +61,11 @@
} else {
if (strpos($_POST['username'], "@")) {
// They've provided an email.
- $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE email LIKE '%s'", $_POST['username']);
+ $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE email LIKE '%s'", mysql_escape_string($_POST['username']));
$userInfo = $sql->fetch_assoc();
} else {
// Just a normal username.
- $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE username LIKE '%s'", $_POST['username']);
+ $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE username LIKE '%s'", mysql_escape_string($_POST['username']));
$userInfo = $sql->fetch_assoc();
}
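Review bot: Both changed lines look up the account with `LIKE '%s'`, and `mysql_escape_string()` does not touch the LIKE wildcards `%` and `_`, so a submitted `%` matches whichever row comes first and a lookup meant to be exact can hit other accounts. An exact comparison is what the code wants: `WHERE email = '%s'` and `WHERE username = '%s'` (with the usual `_ci` collations this stays case-insensitive like LIKE). The `strpos($_POST['username'], "@")` test above also treats a leading `@` as "not an email" because position 0 is falsy; `strpos(...) !== false` is the usual form.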
@@ -165,10 +165,10 @@
break;
case "create_account":
- $username = trim(strip_tags($_POST['username']));
+ $username = mysql_escape_string(trim(strip_tags($_POST['banana'])));
$password1 = strip_tags($_POST['password1']);
$password2 = strip_tags($_POST['password2']);
- $email = strip_tags($_POST['email']);
+ $email = mysql_escape_string(strip_tags($_POST['email']));
$error = "";
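Review bot: The two added lines apply `mysql_escape_string()` at assignment time, so `$username` and `$email` hold SQL-escaped text for the rest of the case: `$email` is then handed to `mail()` as the recipient and `$username` is written into the confirmation message in the next hunk, so an address or name containing an apostrophe — legal in both — is mangled with a backslash outside the database, and the same escaped value is what `{$username}` would redisplay in the form. Keep the raw values here, `$username = trim(strip_tags($_POST['banana']));` and `$email = strip_tags($_POST['email']);`, and escape only in the INSERT arguments, `mysql_escape_string($username), ..., mysql_escape_string($email)`. `strip_tags()` also leaves newlines in `$email`; `filter_var($email, FILTER_VALIDATE_EMAIL)` before `mail()` rejects those along with other malformed addresses. The `create_account` case continues outside this hunk.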
@@ -201,7 +201,7 @@
// This is utterly long and difficult to read.
$sql->query("INSERT INTO users (username, password, vcode, email, show_email, reg_date, reg_ip)
VALUES ('%s', '%s', '%s', '%s', '%s', NOW(), '%s')",
- $username, md5($password1), $verificationCode, $email, $_POST['show_email'], $_SERVER['REMOTE_ADDR']);
+ $username, md5($password1), $verificationCode, $email, intval($_POST['show_email']), $_SERVER['REMOTE_ADDR']);
$message = sprintf("%s,\n\nThis message confirms your registration at the Adium Xtras website.\n\nYour account will not be activated until you confirm your email address. To do so, go to:\n\nhttp://www.adiumxtras.com/index.php?a=users&do=validate&vc=%s\n\nThanks for registering!", $username, $verificationCode);
mail ($email, "Adium Xtras Registration: Verification Required", $message, "From: xtras at adiumxtras.com");
$smarty->assign("title", "Registration");
@@ -280,14 +280,14 @@
} else {
$user_id = currentUID();
if ($_POST['password1'] == $_POST['password2'] && $_POST['password1'] != "")
- $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s', password='%s' WHERE user_id='%d'", $_POST['show_email'], $fname, $lname, $email, $website, md5($_POST['password1']), $user_id);
+ $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s', password='%s' WHERE user_id='%d'", intval($_POST['show_email']), mysql_escape_string($fname), mysql_escape_string($lname), mysql_escape_string($email), mysql_escape_string($website), md5($_POST['password1']), intval($user_id));
else
- $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s' WHERE user_id='%d'", $_POST['show_email'], $fname, $lname, $email, $website, $user_id);
+ $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s' WHERE user_id='%d'", intval($_POST['show_email']), mysql_escape_string($fname), mysql_escape_string($lname), mysql_escape_string($email), mysql_escape_string($website), intval($user_id));
$sql->query("DELETE FROM contactinfo WHERE user_id='%d'", $user_id);
if ($_POST['service'])
foreach ($_POST['service'] as $key => $value)
if ($_POST['serviceName'][$key])
- $sql->query("INSERT INTO contactinfo (user_id, service, name) VALUES ('%d', '%s', '%s')", $user_id, $value, $_POST['serviceName'][$key]);
+ $sql->query("INSERT INTO contactinfo (user_id, service, name) VALUES ('%d', '%s', '%s')", intval($user_id), mysql_escape_string($value), mysql_escape_string($_POST['serviceName'][$key]));
header(sprintf("Location: index.php?a=users&do=profile&user_id=%d", $user_id));
}
} else {
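Review bot: The profile update changes the password (first added line) and the email address without asking for the current password, so a forged or hijacked submission of this form is enough to take the account over; whether the form carries a session-bound token is not visible here. Require a `current_password` field and check it with the same lookup `validUser()` performs before either `UPDATE`, and confirm a new address by email before switching `email`. The `$fname`/`$lname`/`$email`/`$website` values are escaped at query time here, which is the pattern the `create_account` case should follow as well.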
@@ -298,6 +298,39 @@
}
break;
+ case "burninate":
+ if (userLevel(currentUID()) != "Admin") {
+ $smarty->assign("title", "Burninate not available to non-admins");
+ $smarty->assign("message", "You cannot burninate a user!");
+ $smarty->display('error.tpl');
+ exit();
+ }
+
+ if($_POST['confirm']) {
+ $user_to_delete = intval($_POST['del_user_id']);
+
+ $sql->query("SELECT privs FROM users WHERE user_id='%d'", $user_to_delete);
+ if(!$sql->num_rows() || $sql->fetch_row_single() != "Contributor") {
+ $smarty->assign("title", "Can't burninate them");
+ $smarty->assign("message", "You cannot burninate a privileged user!");
+ $smarty->display('error.tpl');
+ exit();
+ }
+
+ // Oh, for want of a relational database with cascade and wonderfulness
+ $sql->query("DELETE FROM users WHERE user_id='%d'", $user_to_delete);
+ $sql->query("DELETE FROM comments WHERE user_id='%d'", $user_to_delete);
+ $sql->query("DELETE FROM xtras WHERE user_id='%d'", $user_to_delete);
+
+ $smarty->assign("title", "User burninated");
+ $smarty->assign("message", "They shouldn't be causing you any trouble anymore.");
+ $smarty->display('message.tpl');
+ } else {
+ header(sprintf("Location: %s", $_SERVER['HTTP_REFERER']));
+ }
+
+ break;
+
// General user operations.
case "profile":
$sql->query("SELECT * FROM users WHERE user_id='%d'", intval($_GET['user_id']));
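Review bot: The three `DELETE`s in the new `burninate` case leave the rest of the user's footprint behind: `assoc` rows for each deleted xtra, `images` rows and the picture/thumbnail files on disk, `contactinfo` rows, and the xtra archives themselves — all tables and paths that other hunks in this commit read, so the orphans will surface as broken listings. Select the user's `xtra_id`s first and delete from `assoc` and `images` (removing the files as the image-deletion path in manage.php does) and from `contactinfo` before dropping the `users` row. The `else` branch redirects to `$_SERVER['HTTP_REFERER']` verbatim, a client-supplied header that may be absent or point off-site; redirect to the known page instead, `header(sprintf("Location: index.php?a=users&do=profile&user_id=%d", intval($_POST['del_user_id'])));`, followed by `exit();` as the error paths do. The request is also not tied to the admin's session by a token, so the privilege check alone does not stop a forged cross-site POST.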
@@ -315,6 +348,7 @@
$smarty->assign("xtraCount", $sql->fetch_row_single());
$smarty->assign("title", sprintf("User Profile: %s", $user['username']));
+ $smarty->assign("burninate", userLevel(currentUID()) == "Admin");
$smarty->assign("accounts", $accounts);
$smarty->assign("user", $user);
$smarty->display("profile.tpl");
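Review bot: `userLevel(currentUID()) == "Admin"` on the added line duplicates the gate in the `burninate` case, and both use loose `==`; a small helper in include.php, `function isAdmin() { return userLevel(currentUID()) === "Admin"; }`, keeps the two in step when privilege names change. The flag only controls whether the form is rendered while the handler still enforces it, which is the right split.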
diff -r 63b6b90cbe26 -r 4425cadd2860 xtras.php
--- a/xtras.php Fri Dec 02 12:50:51 2011 -0500
+++ b/xtras.php Fri Dec 02 13:16:25 2011 -0500
@@ -5,11 +5,11 @@
case "add_comment":
if ($_POST['comment'] && $_POST['xtra_id']) {
if (currentUID()) {
- $sql->query("INSERT INTO comments (xtra_id, parent_id, comment, user_id, posted) VALUES ('%d', '%d', '%s', '%d', NOW())", intval($_POST['xtra_id']), intval($_POST['parent_id']), strip_tags($_POST['comment']), currentUID());
+ $sql->query("INSERT INTO comments (xtra_id, parent_id, comment, user_id, posted) VALUES ('%d', '%d', '%s', '%d', NOW())", intval($_POST['xtra_id']), intval($_POST['parent_id']), mysql_escape_string(strip_tags($_POST['comment'])), currentUID());
$newCommentID = $sql->insert_id();
// Email the author about the new comment.
- $sql->query("SELECT xtras.title, users.username, users.email FROM xtras, users WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", $_POST['xtra_id']);
+ $sql->query("SELECT xtras.title, users.username, users.email FROM xtras, users WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_POST['xtra_id']));
$emailInfo = $sql->fetch_assoc();
$message = sprintf("%s\n\nA new comment has been added to one of your xtras.\n\n", $emailInfo['username']);
$message .= sprintf("*******************\n%s\n<http://adiumxtras.com/index.php?a=xtras&xtra_id=%d#c%d>\n*******************\n\n", $emailInfo['title'], $_POST['xtra_id'], $newCommentID);