From abbaafbd5877385e831b2f1eea1c12471a52512b Mon Sep 17 00:00:00 2001 From: Robert Anderson <randerson@lbsd.net> Date: Thu, 16 Apr 2009 12:21:24 +0000 Subject: [PATCH] Fixed up syntax Improved security Improved readability --- webui/group-add.php | 8 +-- webui/group-attribute-add.php | 8 +-- webui/group-attribute-change.php | 9 +-- webui/group-attribute-delete.php | 43 ++++++++++----- webui/group-attributes.php | 84 +++++++++++++++++++--------- webui/group-delete.php | 94 +++++++++++++++----------------- webui/group-main.php | 33 ++++++----- webui/group-users.php | 69 +++++++++++------------ webui/index.php | 18 +++--- webui/user-add.php | 30 +++++++++- webui/user-attribute-add.php | 34 ++++++++++-- webui/user-attribute-change.php | 62 ++++++++++++++------- webui/user-attribute-delete.php | 48 +++++++++++----- webui/user-attributes.php | 25 +++------ webui/user-delete.php | 23 ++++---- webui/user-groups-add.php | 18 +++--- webui/user-groups-delete.php | 59 ++++++++++++++------ webui/user-groups.php | 30 +++++----- webui/user-logs.php | 9 +-- webui/user-main.php | 4 ++ webui/wisp-multiuser-add.php | 9 +-- webui/wisp-user-delete.php | 8 +-- webui/wisp-user-edit.php | 13 ++--- webui/wisp-user-list.php | 20 +++---- webui/wisp-user-logs.php | 3 +- 25 files changed, 447 insertions(+), 314 deletions(-) diff --git a/webui/group-add.php b/webui/group-add.php index afc37d02..e55ccf07 100644 --- a/webui/group-add.php +++ b/webui/group-add.php @@ -34,16 +34,14 @@ printHeader(array( )); -if ($_POST['frmaction'] == "add") { +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") { ?> <p class="pageheader">Add Group</p> <form method="post" action="group-add.php"> - <div> - <input type="hidden" name="frmaction" value="add2" /> - </div> + <input type="hidden" name="frmaction" value="add2" /> <table class="entry"> <tr> <td class="entrytitle">Name</td> 
@@ -76,7 +74,7 @@ if ($_POST['frmaction'] == "add") { <?php # Check we have all params -} elseif ($_POST['frmaction'] == "add2") { +} elseif (isset($_POST['frmaction'] && $_POST['frmaction'] == "add2") { ?> diff --git a/webui/group-attribute-add.php b/webui/group-attribute-add.php index 33a331b1..b6247f39 100644 --- a/webui/group-attribute-add.php +++ b/webui/group-attribute-add.php @@ -35,13 +35,13 @@ printHeader(array( if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") { + ?> + <p class="pageheader">Add attribute</p> <form method="post" action="group-attribute-add.php"> - <div> - <input type="hidden" name="frmaction" value="add2" /> - </div> + <input type="hidden" name="frmaction" value="add2" /> <table class="entry"> <tr> <td class="entrytitle">Attribute Name</td> @@ -83,7 +83,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") { <?php # Check we have all params -} elseif ($_POST['frmaction'] == "add2") { +} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") { ?> diff --git a/webui/group-attribute-change.php b/webui/group-attribute-change.php index 359927f5..6c50ffa2 100644 --- a/webui/group-attribute-change.php +++ b/webui/group-attribute-change.php @@ -40,8 +40,7 @@ if (isset($_POST['frmaction'] && $_POST['frmaction'] == "change") { # Check an attribute was selected if (isset($_POST['attr_id'])) { # Prepare statement - $temp = $_POST['attr_id']; - $sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = '$temp'"; + $sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = ".$db->quote($_POST['attr_id']); $res = $db->query($sql); $row = $res->fetchObject(); 
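Review bot: The new `elseif` condition in group-add.php does not parse: `isset($_POST['frmaction'] && $_POST['frmaction'] == "add2")` never closes the `isset(` call, so PHP rejects the whole file and the add-group page stops loading. It should read `} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") {`, matching the first branch in the previous hunk. The same malformed `isset(` is in the added `delete2` branch of user-attribute-delete.php and in the unchanged context lines of group-attribute-change.php and group-attribute-delete.php. Running `php -l` over webui/ before committing would catch all of them.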
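Review bot: The `attr_id` lookup in group-attribute-change.php would be safer as a prepared statement than as a string concatenated with `$db->quote()`, because quoting depends on the driver and connection character set and sends the ID as a string where the column is presumably numeric. group-users.php and user-add.php in this same patch already use the bound form, e.g. `$stmt = $db->prepare("SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = ?"); $stmt->execute(array($_POST['attr_id']));`. The result also needs a check before use: `$db->query()` can return false and `fetchObject()` returns false when no row matches, and the form that follows (outside this hunk) presumably reads `$row`. The other `$db->quote()` concatenations in this patch (group-attribute-delete.php, group-attributes.php, group-delete.php, user-attribute-change.php, user-delete.php, user-groups-delete.php, user-groups.php) have the same shape.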
@@ -50,10 +49,8 @@ if (isset($_POST['frmaction'] && $_POST['frmaction'] == "change") { <p class="pageheader">Update Group Attribute</p> <form action="group-attribute-change.php" method="post"> - <div> - <input type="hidden" name="frmaction" value="change2" /> - <input type="hidden" name="attr_id" value="<?php echo $_POST['attr_id']; ?>" /> - </div> + <input type="hidden" name="frmaction" value="change2" /> + <input type="hidden" name="attr_id" value="<?php echo $_POST['attr_id']; ?>" /> <table class="entry" style="width: 75%;"> <tr> <td></td> diff --git a/webui/group-attribute-delete.php b/webui/group-attribute-delete.php index a4bedf25..0cc3650b 100644 --- a/webui/group-attribute-delete.php +++ b/webui/group-attribute-delete.php @@ -35,12 +35,13 @@ printHeader(array( )); - # Display delete confirm screen if (isset($_POST['frmaction'] && $_POST['frmaction'] == "delete") { # Check a user was selected if (isset($_POST['attr_id'])) { + ?> + <p class="pageheader">Delete Attribute</p> <form action="group-attribute-delete.php" method="post"> 
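Review bot: The hidden `attr_id` field in group-attribute-change.php echoes request data straight into an HTML attribute, so a value containing a quote or markup is rendered as part of the page rather than as data. Escape it at output: `<input type="hidden" name="attr_id" value="<?php echo htmlspecialchars($_POST['attr_id'], ENT_QUOTES); ?>" />`. The same unescaped output of `$_POST` values is in the hidden fields of group-delete.php and user-delete.php and in the "deleted" notices of group-attribute-delete.php, user-attribute-delete.php and user-groups-delete.php.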
@@ -54,51 +55,67 @@ if (isset($_POST['frmaction'] && $_POST['frmaction'] == "delete") { <input type="submit" name="confirm" value="no" /> </div> </form> + <?php + } else { + ?> + <div class="warning">No attribute selected</div> -<?php - } +<?php + } # SQL Updates } elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") { + ?> + <p class="pageheader">Attribute Delete Results</p> -<?php - if (isset($_POST['attr_id'])) { +<?php - if ($_POST['confirm'] == "yes") { - $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = ".$_POST['attr_id']); + if (isset($_POST['attr_id'])) { + if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") { + $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = ".$db->quote($_POST['attr_id'])); if ($res !== FALSE) { + ?> + <div class="notice">Attribute with ID: <?php print_r($_POST['attr_id']);?> deleted</div> + <?php + } else { + ?> + <div class="warning">Error deleting attribute</div> <div class="warning"><?php print_r($db->errorInfo()) ?></div> -<?php - } -?> <?php + + } # Warn } else { + ?> + <div class="warning">Delete attribute aborted</div> + <?php + } -?> -<?php } else { + ?> + <div class="warning">Invocation error, no attribute ID selected</div> + <?php - } + } } printFooter(); diff --git a/webui/group-attributes.php b/webui/group-attributes.php index f4daa02d..9a8a2501 100644 --- a/webui/group-attributes.php +++ b/webui/group-attributes.php @@ -34,6 +34,7 @@ printHeader(array( )); ?> + <p class="pageheader">Attribute List</p> <form id="main_form" action="group-attributes.php" method="post"> @@ -63,7 +64,7 @@ printHeader(array( </select> </div> -<p /> + <p /> <table class="results" style="width: 75%;"> <tr class="resultstitle"> 
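Review bot: The failure branch in group-attribute-delete.php prints `print_r($db->errorInfo())` into the page, which hands driver error text (SQLSTATE, driver message, possibly table names) to whoever triggered the error. Log it on the server and keep only the generic warning in the response, e.g. `error_log(print_r($db->errorInfo(), true));` next to the existing "Error deleting attribute" line. The same output is kept in group-delete.php, user-add.php, user-attribute-add.php, user-attribute-change.php, user-attribute-delete.php, user-delete.php and user-groups-delete.php.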
@@ -73,44 +74,73 @@ printHeader(array( <td class="textcenter">Value</td> <td class="textcenter">Disabled</td> </tr> + <?php - $_SESSION['attr_group_id'] = $_POST['group_id']; - if (isset($_POST['group_id'])) { + + $_SESSION['attr_group_id'] = $_POST['group_id']; + if (isset($_POST['group_id'])) { - $temp = $_SESSION['attr_group_id']; - $sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}group_attributes WHERE GroupID = $temp ORDER BY ID"; - $res = $db->query($sql); + $sql = "SELECT + ID, + Name, + Operator, + Value, + Disabled + FROM + ${DB_TABLE_PREFIX}group_attributes + WHERE + GroupID = ".$db->quote($_POST['group_id'])." + ORDER BY + ID + "; + + $res = $db->query($sql); + + while ($row = $res->fetchObject()) { - while ($row = $res->fetchObject()) { ?> - <tr class="resultsitem"> - <td><input type="radio" name="attr_id" value="<?php echo $row->id ?>"/><?php echo $row->id ?></td> - <td><?php echo $row->name ?></td> - <td><?php echo $row->operator ?></td> - <td><?php echo $row->value ?></td> - <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td> - </tr> + + <tr class="resultsitem"> + <td><input type="radio" name="attr_id" value="<?php echo $row->id; ?>"/><?php echo $row->id; ?></td> + <td><?php echo $row->name; ?></td> + <td><?php echo $row->operator; ?></td> + <td><?php echo $row->value; ?></td> + <td class="textcenter"><?php echo $row->disabled ? 
'yes' : 'no'; ?></td> + </tr> + <?php - } - $res->closeCursor(); - if ($res->rowCount() == 0) { + + } + $res->closeCursor(); + if ($res->rowCount() == 0) { + ?> - <p /> - <tr> - <td colspan="5" class="textcenter">Group attribute list is empty</td> - </tr> + + <p /> + <tr> + <td colspan="5" class="textcenter">Group attribute list is empty</td> + </tr> + <?php - } - } else { + + } + } else { + ?> - <tr class="resultitem"> - <td colspan="5" class="textcenter">No Group ID selected</td> - </tr> + + <tr class="resultitem"> + <td colspan="5" class="textcenter">No Group ID selected</td> + </tr> + <?php - } + + } + ?> + </table> </form> + <?php printFooter(); diff --git a/webui/group-delete.php b/webui/group-delete.php index f9313364..5f9b3927 100644 --- a/webui/group-delete.php +++ b/webui/group-delete.php 
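Review bot: The result rows in group-attributes.php are written into the table without HTML escaping (`echo $row->name;`, `echo $row->operator;`, `echo $row->value;`), so an attribute stored with markup in it is rendered as markup for every admin who opens the list. Wrap each field at output, e.g. `<?php echo htmlspecialchars($row->value, ENT_QUOTES); ?>`. Separately, `$_SESSION['attr_group_id'] = $_POST['group_id'];` runs before the `isset($_POST['group_id'])` test and raises an undefined-index notice on a plain GET; moving the assignment inside the `if` fixes that. The row output in group-main.php, group-users.php, user-attribute-change.php, user-attributes.php, user-groups-add.php and user-groups.php needs the same escaping.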
@@ -36,109 +36,101 @@ printHeader(array( # Display delete confirm screen -if ($_POST['frmaction'] == "delete") { - +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") { # Check a policy group was selected if (isset($_POST['group_id'])) { + ?> + <p class="pageheader">Delete Group</p> <form action="group-delete.php" method="post"> - <div> - <input type="hidden" name="frmaction" value="delete2" /> - <input type="hidden" name="group_id" value="<?php echo $_POST['group_id']; ?>" /> - </div> - + <input type="hidden" name="frmaction" value="delete2" /> + <input type="hidden" name="group_id" value="<?php echo $_POST['group_id']; ?>" /> <div class="textcenter"> Are you very sure? <br /> <input type="submit" name="confirm" value="yes" /> <input type="submit" name="confirm" value="no" /> </div> </form> + <?php + } else { + ?> - <div class="warning">No group selected</div> -<?php - } + <div class="warning">No group selected</div> +<?php + } # SQL Updates -} elseif ($_POST['frmaction'] == "delete2") { +} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") { + ?> + <p class="pageheader">Group Delete Results</p> + <?php + if (isset($_POST['group_id'])) { + if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") { - if ($_POST['confirm'] == "yes") { $db->beginTransaction(); - $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ".$db->quote($_POST['group_id'])); - if ($res !== FALSE) { -?> - <div class="notice">Users removed</div> -<?php - } else { -?> - <div class="warning">Error removing users</div> - <div class="warning"><?php print_r($db->errorInfo()) ?></div> -<?php - $db->rollback(); - } + $resultRemoveMembers = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ".$db->quote($_POST['group_id'])); + $resultRemoveAttributes = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE GroupID = ".$db->quote($_POST['group_id'])); + $resultRemoveGroup = $db->exec("DELETE FROM 
${DB_TABLE_PREFIX}groups WHERE ID = ".$db->quote($_POST['group_id'])); + + if ($resultRemoveMembers && $resultRemoveAttributes && $resultRemoveGroup) { - $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE GroupID = ".$db->quote($_POST['group_id'])); - if ($res !== FALSE) { ?> - <div class="notice">Attributes removed</div> + + <div class="notice">Group deleted</div> + <?php + + $db->commit(); } else { + ?> - <div class="warning">Error removing attributes</div> + + <div class="warning">Error deleting group</div> <div class="warning"><?php print_r($db->errorInfo()) ?></div> -<?php - $db->rollback(); - } - if ($res !== FALSE) { - $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}groups WHERE ID = ".$db->quote($_POST['group_id'])); - if ($res) { -?> - <div class="notice">Group deleted</div> <?php - } else { -?> - <div class="warning">Error deleting group!</div> - <div class="warning"><?php print_r($db->errorInfo()) ?></div> -<?php - $db->rollback(); - } - } - if ($res) { - $db->commit(); + $db->rollback(); } } else { + ?> + <div class="notice">Group not deleted, aborted by user</div> + <?php - } + } # Warn } else { + ?> - <div class="warning">Invocation error, no group ID</div> -<?php - } + <div class="warning">Invocation error, no group ID</div> +<?php + } } else { + ?> + <div class="warning">Invalid invocation</div> + <?php -} +} printFooter(); diff --git a/webui/group-main.php b/webui/group-main.php index 103aff07..b54db367 100644 --- a/webui/group-main.php +++ b/webui/group-main.php @@ -32,6 +32,7 @@ printHeader(array( )); ?> + <p class="pageheader">User Groups</p> <form id="main_form" action="group-main.php" method="post"> 
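Review bot: `if ($resultRemoveMembers && $resultRemoveAttributes && $resultRemoveGroup)` in group-delete.php treats a DELETE that matched zero rows as a failure, because `exec()` on what appears to be a PDO handle returns the affected-row count and `0` is falsy. A group with no members or no attributes therefore always rolls back and cannot be deleted, and `errorInfo()` will show no error to explain why. Compare the two dependent-table results against false and require a row only for the group itself: `if ($resultRemoveMembers !== FALSE && $resultRemoveAttributes !== FALSE && $resultRemoveGroup) {`. The removed code used `!== FALSE` for those two statements.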
@@ -76,40 +77,46 @@ printHeader(array( <td class="textcenter">Disabled</td> <td class="textcenter">Comment</td> </tr> + <?php + $sql = "SELECT ID, Name, Priority, Disabled, Comment FROM ${DB_TABLE_PREFIX}groups ORDER BY ID"; $res = $db->query($sql); $rownums = 0; while ($row = $res->fetchObject()) { - if ($row->id != NULL) { - $rownums = $rownums + 1; - } else { - $rownums = $rownums - 1; - } + ?> <tr class="resultsitem"> - <td><input type="radio" name="group_id" value="<?php echo $row->id ?>" /></td> - <td><?php echo $row->name ?></td> - <td><?php echo $row->priority ?></td> - <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td> - <td><?php echo $row->comment ?></td> + <td><input type="radio" name="group_id" value="<?php echo $row->id; ?>" /></td> + <td><?php echo $row->name; ?></td> + <td><?php echo $row->priority; ?></td> + <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td> + <td><?php echo $row->comment; ?></td> </tr> + <?php + } - $res->closeCursor(); - if ($rownums <= 0) { + if ($res->rowCount() == 0) { + ?> + <p /> <tr> <td colspan="5" class="textcenter">Group list is empty</td> </tr> + <?php + } - unset($rownums); + $res->closeCursor(); + ?> + </table> </form> + <?php printFooter(); diff --git a/webui/group-users.php b/webui/group-users.php index a7d66568..efc05ef3 100644 --- a/webui/group-users.php +++ b/webui/group-users.php 
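Review bot: `if ($res->rowCount() == 0)` in group-main.php replaces the hand-rolled counter, but for a SELECT `PDOStatement::rowCount()` is not guaranteed to return the number of rows on every driver, so the "Group list is empty" row can be shown or suppressed incorrectly depending on the database behind `$db`. Counting in the loop is portable and simpler than the removed code: `$rowCount = 0;` before the `while`, `$rowCount++;` inside it, and `if ($rowCount == 0) {` afterwards. group-attributes.php, group-users.php, user-attributes.php and user-groups.php make the same switch, and group-attributes.php additionally calls `rowCount()` after `closeCursor()`.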
@@ -50,67 +50,60 @@ if (isset($_POST['group_id'])) { ?> - <table class="results" style="width: 75%;"> - <tr class="resultstitle"> - <td class="textcenter">ID</td> - <td class="textcenter">Member</td> - <td class="textcenter">Disabled</td> - </tr> + <table class="results" style="width: 75%;"> + <tr class="resultstitle"> + <td class="textcenter">ID</td> + <td class="textcenter">Member</td> + <td class="textcenter">Disabled</td> + </tr> <?php - # Get list of members belonging to this group - $stmt = $db->prepare("SELECT UserID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ?"); - $res = $stmt->execute(array($_REQUEST['group_id'])); + # Get list of members belonging to this group + $stmt = $db->prepare("SELECT UserID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ?"); + $stmtResult = $stmt->execute(array($_REQUEST['group_id'])); - $rownums = 0; - # Loop with rows - while ($row = $stmt->fetchObject()) { - if ($row->userid != NULL) { - $rownums = $rownums + 1; - } else { - $rownums = $rownums - 1; - } + # Loop with rows + while ($row = $stmt->fetchObject()) { - $sql = "SELECT ID, Username, Disabled FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$row->userid; - $res = $db->query($sql); + $sql = "SELECT ID, Username, Disabled FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$db->quote($row->userid); + $res = $db->query($sql); - # List users - while ($row = $res->fetchObject()) { + # List users + while ($row = $res->fetchObject()) { ?> - <tr class="resultsitem"> - <td><?php echo $row->id ?></td> - <td><?php echo $row->username ?></td> - <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td> - </tr> + <tr class="resultsitem"> + <td><?php echo $row->id; ?></td> + <td><?php echo $row->username; ?></td> + <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td> + </tr> <?php - } - $res->closeCursor(); } - $stmt->closeCursor(); + $res->closeCursor(); + } - # Did we get any results? - if ($rownums <= 0) { + # Did we get any results? 
+ if ($stmt->rowCount() == 0) { ?> - <p /> - <tr> - <td colspan="3" class="textcenter">Group has no users</td> - </tr> + <p /> + <tr> + <td colspan="3" class="textcenter">Group has no users</td> + </tr> <?php - } - unset($rownums); + } + $stmt->closeCursor(); ?> - </table> + </table> <?php diff --git a/webui/index.php b/webui/index.php index c6c05491..0a3b538f 100644 --- a/webui/index.php +++ b/webui/index.php @@ -25,14 +25,18 @@ printHeader(); ?> <p class="pageheader">Features Supported</p> <ul> - - <li>Users & Groups - <a title="Help on policies and groups" href="http://www.policyd.org/tiki-index.php?page=Policies%20%26%20Groups&structure=Documentation" class="help"> - <img src="images/help.gif" alt="Help" /> - </a> + <li>Users + <ul> + <li>Add, remove and edit users</li> + <li>Add, remove and edit user attributes</li> + <li>Add groups, remove groups and edit group attributes</li> + </ul> + </li> + <li>Groups <ul> - <li>Define policy groups made up of various combinations of tags.</li> - <li>Define and manage policies comprising of ACL's which can include groups.</li> + <li>Add and remove groups</li> + <li>Add, remove and edit group attributes</li> + <li>Assign users to groups</li> </ul> </li> </ul> diff --git a/webui/user-add.php b/webui/user-add.php index 104888a0..6f346c1c 100644 --- a/webui/user-add.php +++ b/webui/user-add.php @@ -29,9 +29,10 @@ printHeader(array( ), )); +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") { -if ($_POST['frmaction'] == "add") { ?> + <p class="pageheader">Add user</p> <form method="post" action="user-add.php"> <div> 
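Review bot: `$stmtResult = $stmt->execute(array($_REQUEST['group_id']));` in group-users.php stores the result but nothing in the hunk reads it, so a failed query falls through to the "Group has no users" row instead of reporting an error. Test it before the loop, e.g. `if ($stmtResult === FALSE) {` followed by a warning and no table rows. The guard shown in the hunk header checks `$_POST['group_id']` while the query binds `$_REQUEST['group_id']`; using `$_POST['group_id']` in both places keeps the checked value and the used value the same. The per-row `$db->query()` inside the loop could also be folded into the prepared statement with a JOIN between users_to_groups and users, which removes the second string-built query.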
@@ -49,23 +50,36 @@ if ($_POST['frmaction'] == "add") { </tr> </table> </form> + <?php # Check we have all params -} elseif ($_POST['frmaction'] == "add2") { +} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") { + ?> + <p class="pageheader">User Add Results</p> + <?php + # Check name if (empty($_POST['user_name'])) { + ?> + <div class="warning">Username cannot be empty</div> + <?php + } else if (!preg_match('/^[a-z0-9]+$/i', $_POST['user_name'])) { + ?> + <div class="warning">Username invalid: must be alphanumeric</div> + <?php + # Add to database } else { $stmt = $db->prepare("INSERT INTO ${DB_TABLE_PREFIX}users (Username) VALUES (?)"); @@ -74,20 +88,32 @@ if ($_POST['frmaction'] == "add") { )); # Was it successful? if ($res) { + ?> + <div class="notice">User added</div> + <?php + } else { + ?> + <div class="warning">Failed to add user</div> <div class="warning"><?php print_r($stmt->errorInfo()) ?></div> + <?php + } } } else { + ?> + <div class="warning">Invalid invocation</div> + <?php + } printFooter(); diff --git a/webui/user-attribute-add.php b/webui/user-attribute-add.php index 4f626f4f..66c8d6d4 100644 --- a/webui/user-attribute-add.php +++ b/webui/user-attribute-add.php @@ -37,8 +37,10 @@ printHeader(array( -if ($_POST['frmaction'] == "add") { +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") { + ?> + <p class="pageheader">Add attribute</p> <form method="post" action="attribute-add.php"> @@ -59,10 +61,10 @@ if ($_POST['frmaction'] == "add") { <option value=":=">:=</option> <option value="+=">+=</option> <option value="!=">!=</option> - <option value=">">></option> - <option value="<"><</option> - <option value=">=">>=</option> - <option value="<="><=</option> + <option value=">">></option> + <option value="<"><</option> + <option value=">=">>=</option> + <option value="<="><=</option> <option value="=~">=~</option> <option value="!~">!~</option> <option value="=*">=*</option> 
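Review bot: The username check in user-add.php, `preg_match('/^[a-z0-9]+$/i', $_POST['user_name'])`, accepts a value that ends in a newline, because `$` without the `D` modifier also matches just before a trailing "\n". Anchor the end absolutely: `} else if (!preg_match('/^[a-z0-9]+\z/i', $_POST['user_name'])) {`. The INSERT that follows is a prepared statement, so this is about keeping stored usernames to the documented alphabet rather than about injection.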
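Review bot: The form in user-attribute-add.php still posts to `attribute-add.php`, while the `add2` branch that handles the submission lives in this file; unless a file of that name exists outside this patch (the diffstat lists none), the submit will not reach this handler. If that is the case the line should be `<form method="post" action="user-attribute-add.php">`. user-attribute-change.php (`attribute-change.php`) and user-attribute-delete.php (`attribute-delete.php`) show the same mismatch in their context lines.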
@@ -83,19 +85,27 @@ if ($_POST['frmaction'] == "add") { </tr> </table> </form> + <?php # Check we have all params -} elseif ($_POST['frmaction'] == "add2") { +} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") { + ?> + <p class="pageheader">Attribute Add Results</p> <?php + # Check for empty values if (empty($_POST['attr_name']) || empty($_POST['attr_operator']) || empty($_POST['attr_value'])) { + ?> + <div class="warning">Submission cannot have empty value</div> + <?php + } else { $stmt = $db->prepare("INSERT INTO ${DB_TABLE_PREFIX}user_attributes (UserID,Name,Operator,Value) VALUES (?,?,?,?)"); # Which user am I working with? @@ -108,22 +118,34 @@ if ($_POST['frmaction'] == "add") { $_POST['attr_value'], )); if ($res) { + ?> + <div class="notice">Attribute added</div> + <?php + session_destroy(); } else { + ?> + <div class="warning">Failed to add attribute</div> <div class="warning"><?php print_r($stmt->errorInfo()) ?></div> + <?php + } } } else { + ?> + <div class="warning">Invalid invocation</div> + <?php + } printFooter(); diff --git a/webui/user-attribute-change.php b/webui/user-attribute-change.php index a37f3543..1de70c89 100644 --- a/webui/user-attribute-change.php +++ b/webui/user-attribute-change.php @@ -37,15 +37,16 @@ printHeader(array( # Display change screen -if ($_POST['frmaction'] == "change") { +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "change") { # Check an attribute was selected if (isset($_POST['attr_id'])) { # Prepare statement - $temp = $_POST['attr_id']; - $sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = $temp"; + $sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = ".$db->quote($_POST['attr_id']); $res = $db->query($sql); $row = $res->fetchObject(); + ?> + <p class="pageheader">Update User</p> <form action="attribute-change.php" method="post"> 
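Review bot: `session_destroy();` after a successful insert in user-attribute-add.php discards the whole session just to forget which user was being edited; anything else kept in the session goes with it, which may include login state if the UI stores that there (not visible in this hunk). Clearing only the key this flow uses is enough, presumably `unset($_SESSION['attr_user_id']);`, the key set in user-attributes.php. user-groups-delete.php does the same after removing a group assignment and could use `unset($_SESSION['groups_user_id']);` instead.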
@@ -64,14 +65,14 @@ if ($_POST['frmaction'] == "change") { Name <?php tooltip('user_attributes_name'); ?> </td> - <td class="oldval texttop"><?php echo $row->name ?></td> + <td class="oldval texttop"><?php echo $row->name; ?></td> <td><textarea name="user_attributes_name" cols="40" rows="1"></textarea></td> </tr> <tr> <td class="entrytitle texttop"> Operator </td> - <td class="oldval texttop"><?php echo $row->operator ?></td> + <td class="oldval texttop"><?php echo $row->operator; ?></td> <td> <select name="user_attributes_operator"> <option value="=">=</option> @@ -79,10 +80,10 @@ if ($_POST['frmaction'] == "change") { <option value=":=">:=</option> <option value="+=">+=</option> <option value="!=">!=</option> - <option value=">">></option> - <option value="<"><</option> - <option value=">=">>=</option> - <option value="<="><=</option> + <option value=">">></option> + <option value="<"><</option> + <option value=">=">>=</option> + <option value="<="><=</option> <option value="=~">=~</option> <option value="!~">!~</option> <option value="=*">=*</option> @@ -94,12 +95,12 @@ if ($_POST['frmaction'] == "change") { </tr> <tr> <td class="entrytitle texttop">Value</td> - <td class="oldval texttop"><?php echo $row->value ?></td> + <td class="oldval texttop"><?php echo $row->value; ?></td> <td><textarea name="user_attributes_value" cols="40" rows="5"></textarea></td> </tr> <tr> <td class="entrytitle">Disabled</td> - <td class="oldval"><?php echo $row->disabled ? 'yes' : 'no' ?></td> + <td class="oldval"><?php echo $row->disabled ? 'yes' : 'no'; ?></td> <td> <select name="user_attributes_disabled"> <option value="">--</option> 
@@ -116,21 +117,28 @@ if ($_POST['frmaction'] == "change") { <input type="submit" /> </div> </form> + <?php + $res->closeCursor(); } else { + ?> - <div class="warning">No attribute selected</div> -<?php - } + <div class="warning">No attribute selected</div> +<?php + } # SQL Updates -} elseif ($_POST['frmaction'] == "change2") { +} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "change2") { + ?> + <p class="pageheader">Attribute Update Results</p> + <?php + # Check an attribute was selected if (isset($_POST['attr_id'])) { @@ -155,35 +163,51 @@ if ($_POST['frmaction'] == "change") { $res = $db->exec("UPDATE ${DB_TABLE_PREFIX}user_attributes SET $updateStr WHERE ID = ".$db->quote($_POST['attr_id'])); if ($res) { + ?> + <div class="notice">Attribute updated</div> + <?php + } else { + ?> + <div class="warning">Error updating attribute</div> <div class="warning"><?php print_r($db->errorInfo()) ?></div> + <?php - } + } # Warn } else { + ?> + <div class="warning">No attribute updates</div> + <?php - } + } # Warn } else { + ?> + <div class="error">No attribute data available</div> -<?php - } +<?php + } } else { + ?> + <div class="warning">Invalid invocation</div> + <?php + } diff --git a/webui/user-attribute-delete.php b/webui/user-attribute-delete.php index 5dd55ae5..6e31f45c 100644 --- a/webui/user-attribute-delete.php +++ b/webui/user-attribute-delete.php @@ -37,10 +37,12 @@ printHeader(array( # Display delete confirm screen -if ($_POST['frmaction'] == "delete") { +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") { # Check a user was selected if (isset($_POST['attr_id'])) { + ?> + <p class="pageheader">Delete Attribute</p> <form action="attribute-delete.php" method="post"> 
@@ -54,51 +56,67 @@ if ($_POST['frmaction'] == "delete") { <input type="submit" name="confirm" value="no" /> </div> </form> + <?php + } else { + ?> + <div class="warning">No attribute selected</div> -<?php - } +<?php + } # SQL Updates -} elseif ($_POST['frmaction'] == "delete2") { +} elseif (isset($_POST['frmaction'] && $_POST['frmaction'] == "delete2") { + ?> + <p class="pageheader">Attribute Delete Results</p> + <?php - if (isset($_POST['attr_id'])) { + if (isset($_POST['attr_id'])) { + if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") { + $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = ".$db->quote($_POST['attr_id'])); + if ($res) { - if ($_POST['confirm'] == "yes") { - $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = ".$_POST['attr_id']); - if ($res !== FALSE) { ?> - <div class="notice">Attribute with ID: <?php print_r($_POST['attr_id']);?> deleted</div> + + <div class="notice">Attribute with ID: <?php echo $_POST['attr_id']; ?> deleted</div> + <?php + } else { + ?> + <div class="warning">Error deleting attribute</div> <div class="warning"><?php print_r($db->errorInfo()) ?></div> -<?php - } -?> <?php + + } # Warn } else { + ?> + <div class="warning">Delete attribute aborted</div> + <?php + } -?> -<?php } else { + ?> + <div class="warning">Invocation error, no attribute ID selected</div> + <?php - } + } } printFooter(); diff --git a/webui/user-attributes.php b/webui/user-attributes.php index cf604adb..cc0f0d80 100644 --- a/webui/user-attributes.php +++ b/webui/user-attributes.php 
@@ -80,32 +80,25 @@ printHeader(array( $_SESSION['attr_user_id'] = $_POST['user_id']; if (isset($_POST['user_id'])) { - $temp = $_SESSION['attr_user_id']; - $sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = $temp ORDER BY ID"; + $sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = ".$db->quote($_POST['user_id'])." ORDER BY ID"; $res = $db->query($sql); - $rownums = 0; while ($row = $res->fetchObject()) { - if ($row->id != NULL) { - $rownums = $rownums + 1; - } else { - $rownums = $rownums - 1; - } ?> + <tr class="resultsitem"> - <td><input type="radio" name="attr_id" value="<?php echo $row->id ?>"/><?php echo $row->id ?></td> - <td><?php echo $row->name ?></td> - <td><?php echo $row->operator ?></td> - <td><?php echo $row->value ?></td> - <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td> + <td><input type="radio" name="attr_id" value="<?php echo $row->id; ?>"/><?php echo $row->id; ?></td> + <td><?php echo $row->name; ?></td> + <td><?php echo $row->operator; ?></td> + <td><?php echo $row->value; ?></td> + <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td> </tr> <?php } - $res->closeCursor(); - if ($rownums <= 0) { + if ($res->rowCount() == 0) { ?> @@ -117,7 +110,7 @@ printHeader(array( <?php } - unset($rownums); + $res->closeCursor(); } else { ?> diff --git a/webui/user-delete.php b/webui/user-delete.php index 46cb39fd..0a23eec1 100644 --- a/webui/user-delete.php +++ b/webui/user-delete.php @@ -37,7 +37,7 @@ printHeader(array( # Display delete confirm screen -if ($_POST['frmaction'] == "delete") { +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") { # Check a user was selected if (isset($_POST['user_id'])) { 
@@ -46,10 +46,8 @@ if ($_POST['frmaction'] == "delete") { <p class="pageheader">Delete User</p> <form action="user-delete.php" method="post"> - <div> - <input type="hidden" name="frmaction" value="delete2" /> - <input type="hidden" name="user_id" value="<?php echo $_POST['user_id']; ?>" /> - </div> + <input type="hidden" name="frmaction" value="delete2" /> + <input type="hidden" name="user_id" value="<?php echo $_POST['user_id']; ?>" /> <div class="textcenter"> Are you very sure? <br /> <input type="submit" name="confirm" value="yes" /> @@ -69,7 +67,7 @@ if ($_POST['frmaction'] == "delete") { } # SQL Updates -} elseif ($_POST['frmaction'] == "delete2") { +} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") { ?> @@ -79,17 +77,16 @@ if ($_POST['frmaction'] == "delete") { if (isset($_POST['user_id'])) { # Check to see if user's attributes are empty - $userID = $_POST['user_id']; - $sql = "SELECT * FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = $userID"; + $sql = "SELECT * FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = ".$db->quote($_POST['user_id']); $res = $db->query($sql); - if ($_POST['confirm'] == "yes") { - $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$_POST['user_id']); - if ($res !== FALSE) { + if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") { + $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$db->quote($_POST['user_id']); + if ($res) { ?> - <div class="notice">User with ID: <?php print_r($_POST['user_id']);?> deleted</div> + <div class="notice">User with ID: <?php echo $_POST['user_id']; ?> deleted</div> <?php @@ -98,7 +95,7 @@ if ($_POST['frmaction'] == "delete") { ?> <div class="warning">Error deleting user</div> - <div class="warning"><?php print_r($db->errorInfo()) ?></div> + <div class="warning"><?php print_r($db->errorInfo()); ?></div> <?php diff --git a/webui/user-groups-add.php b/webui/user-groups-add.php index 56c03415..16abc187 100644 
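Review bot: The new DELETE line in user-delete.php is missing a closing parenthesis, so the file fails to parse: the statement closes `quote(` but not `exec(`. It should be `$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$db->quote($_POST['user_id']));`. The `SELECT * FROM ${DB_TABLE_PREFIX}user_attributes` just above it is also dead in the visible lines: its result in `$res` is overwritten by the `exec()` call without being read, so either act on it (refuse the delete or remove the attributes when rows exist) or drop the query.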
--- a/webui/user-groups-add.php +++ b/webui/user-groups-add.php @@ -33,7 +33,7 @@ printHeader(array( if (isset($_SESSION['groups_user_id'])) { - if ($_POST['frmaction'] == "add") { + if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") { ?> <p class="pageheader">Available Groups</p> @@ -83,11 +83,11 @@ if (isset($_SESSION['groups_user_id'])) { ?> <tr class="resultsitem"> - <td><input type="radio" name="group_id" value="<?php echo $row->id ?>" /></td> - <td><?php echo $row->name ?></td> - <td><?php echo $row->priority ?></td> - <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td> - <td><?php echo $row->comment ?></td> + <td><input type="radio" name="group_id" value="<?php echo $row->id; ?>" /></td> + <td><?php echo $row->name; ?></td> + <td><?php echo $row->priority; ?></td> + <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td> + <td><?php echo $row->comment; ?></td> </tr> <?php @@ -102,7 +102,7 @@ if (isset($_SESSION['groups_user_id'])) { <?php - } elseif ($_POST['frmaction'] == "add2") { + } elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") { ?> @@ -112,11 +112,9 @@ if (isset($_SESSION['groups_user_id'])) { if (isset($_POST['group_id']) && !empty($_POST['users_to_groups_comment'])) { $stmt = $db->prepare("INSERT INTO ${DB_TABLE_PREFIX}users_to_groups (UserID,GroupID,Comment,Disabled) VALUES (?,?,?,?)"); - # Which user am I working with? - $groups_user_id = $_SESSION['groups_user_id']; $res = $stmt->execute(array( - $groups_user_id, + $_SESSION['groups_user_id'], $_POST['group_id'], $_POST['users_group_comment'], $_POST['users_group_disabled'], diff --git a/webui/user-groups-delete.php b/webui/user-groups-delete.php index 004e15c8..e0e99abb 100644 --- a/webui/user-groups-delete.php +++ b/webui/user-groups-delete.php 
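Review bot: The guard and the insert in the `add2` branch of user-groups-add.php disagree on field names: the `if` tests `$_POST['users_to_groups_comment']` while `execute()` binds `$_POST['users_group_comment']` and `$_POST['users_group_disabled']`. Whichever name the form (outside this hunk) actually posts, one side reads an unset key, so either the branch never runs or the comment is stored empty. Use one name throughout, e.g. `if (isset($_POST['group_id']) && !empty($_POST['users_group_comment'])) {` if that is what the form sends. `$_POST['users_group_disabled']` is also bound without an `isset` check.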
@@ -36,12 +36,13 @@ printHeader(array( )); - # Display delete confirm screen -if ($_POST['frmaction'] == "delete") { +if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") { # Check a user was selected if (isset($_POST['group_id'])) { + ?> + <p class="pageheader">Remove Group Assignment</p> <form action="user-groups-delete.php" method="post"> 
@@ -55,50 +56,76 @@ if ($_POST['frmaction'] == "delete") { <input type="submit" name="confirm" value="no" /> </div> </form> + <?php + } else { + ?> + <div class="warning">No group assignment selected</div> -<?php - } +<?php + } # SQL Updates -} elseif ($_POST['frmaction'] == "delete2") { +} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") { + ?> + <p class="pageheader">Group Assignment Removal Results</p> + <?php - if (isset($_POST['group_id'])) { - if ($_POST['confirm'] == "yes") { - $res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users_to_groups WHERE UserID = ".$_SESSION['groups_user_id']." AND GroupID = ".$_POST['group_id']); - if ($res !== FALSE) { + + if (isset($_POST['group_id']) && isset($_SESSION['groups_user_id'])) { + if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") { + $res = $db->exec(" + DELETE FROM + ${DB_TABLE_PREFIX}users_to_groups + WHERE + UserID = ".$db->quote($_SESSION['groups_user_id'])." + AND + GroupID = ".$db->quote($_POST['group_id']) + ); + + if ($res) { + ?> + <div class="notice">Group with ID: <?php print_r($_POST['group_id']);?> deleted from user with ID: <?php print_r($_SESSION['groups_user_id']);?></div> + <?php + session_destroy(); } else { + ?> + <div class="warning">Error removing group assignment</div> - <div class="warning"><?php print_r($db->errorInfo()) ?></div> -<?php - } -?> + <div class="warning"><?php print_r($db->errorInfo()); ?></div> <?php + + } # Warn } else { + ?> + <div class="warning">Remove Group Assignment aborted</div> + <?php + } -?> -<?php } else { + ?> + <div class="warning">Invocation error, no group ID selected</div> + <?php - } + } } printFooter(); diff --git a/webui/user-groups.php b/webui/user-groups.php index 74a94750..3b67642f 100644 --- a/webui/user-groups.php +++ b/webui/user-groups.php 
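Review bot: The new success notice writes `$_POST['group_id']` and `$_SESSION['groups_user_id']` into the page with `print_r()` and no escaping, so whatever was posted is reflected into the HTML; the session value is itself copied from `$_POST['user_id']` in user-groups.php. Escape both on output, e.g. `<?php echo htmlspecialchars($_POST['group_id'], ENT_QUOTES); ?>`, and preferably reject non-numeric IDs before the query runs. The error branch still prints `$db->errorInfo()` to the browser, which exposes driver and schema detail to the requester; logging it server-side and keeping only the generic warning would be safer. `session_destroy()` on success discards the whole session rather than the one key; if login state lives in the same session (not visible here), `unset($_SESSION['groups_user_id']);` is the narrower call.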
@@ -76,17 +76,15 @@ printHeader(array( <?php if (isset($_POST['user_id'])) { - $sql = "SELECT GroupID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE UserID = ".$_POST['user_id']; + + # Store user_id for later use + $_SESSION['groups_user_id'] = $_POST['user_id']; + + $sql = "SELECT GroupID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE UserID = ".$db->quote($_POST['user_id']); $res = $db->query($sql); - $rownums = 0; while ($row = $res->fetchObject()) { - if ($row->groupid != NULL) { - $rownums = $rownums + 1; - } else { - $rownums = $rownums - 1; - } - $sql = "SELECT ID, Name, Priority, Disabled, Comment FROM ${DB_TABLE_PREFIX}groups WHERE ID = ".$row->groupid; + $sql = "SELECT ID, Name, Priority, Disabled, Comment FROM ${DB_TABLE_PREFIX}groups WHERE ID = ".$db->quote($row->groupid); $result = $db->query($sql); while ($row = $result->fetchObject()) { @@ -94,11 +92,11 @@ printHeader(array( ?> <tr class="resultsitem"> - <td><input type="radio" name="group_id" value="<?php echo $row->id ?>"/></td> - <td><?php echo $row->name ?></td> - <td><?php echo $row->priority ?></td> - <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td> - <td><?php echo $row->comment ?></td> + <td><input type="radio" name="group_id" value="<?php echo $row->id; ?>"/></td> + <td><?php echo $row->name; ?></td> + <td><?php echo $row->priority; ?></td> + <td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td> + <td><?php echo $row->comment; ?></td> </tr> <?php @@ -107,8 +105,7 @@ printHeader(array( $result->closeCursor(); } - $res->closeCursor(); - if ($rownums <= 0) { + if ($res->rowCount() == 0) { ?> @@ -120,7 +117,7 @@ printHeader(array( <?php } - unset($rownums); + $res->closeCursor(); } else { ?> @@ -138,7 +135,6 @@ printHeader(array( <?php -$_SESSION['groups_user_id'] = $_POST['user_id']; printFooter(); diff --git a/webui/user-logs.php b/webui/user-logs.php index 32f72fc9..cb9d5d91 100644 --- a/webui/user-logs.php +++ b/webui/user-logs.php 
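Review bot: `$_SESSION['groups_user_id'] = $_POST['user_id'];` stores the posted value before anything has checked it, and user-groups-add.php and user-groups-delete.php later treat that session key as the user being edited. Validating once at this point keeps every later use clean, for example `if (is_string($_POST['user_id']) && ctype_digit($_POST['user_id'])) {` around the assignment and query. Separately, the inner `while ($row = $result->fetchObject())` reuses `$row` from the outer loop; as far as the hunk shows the outer value is not read afterwards, but a distinct name such as `$group` would make that safe by construction. The enclosing block continues outside the hunk.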
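Review bot: `$res->rowCount() == 0` in the `@@ -107,8` hunk counts the rows of a SELECT, which PDO documents as undefined and driver-dependent for statements that return a result set. If `$db` is a PDO handle, as the `quote()`/`exec()`/`errorInfo()` calls suggest, the "no groups" row may be shown or hidden incorrectly on another database backend. Counting inside the fetch loop (`$found++;` then `if ($found == 0)`) or issuing a `SELECT COUNT(*)` is portable. The same substitution is made in both wisp-multiuser-add.php hunks (`@@ -116,10` and `@@ -130,15`), where the removed `fetchObject()` test was the portable form.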
@@ -150,7 +150,7 @@ if (isset($_POST['user_id'])) { FROM ${DB_TABLE_PREFIX}accounting WHERE - Username = '$getuser' + Username = ".$db->quote($getuser)." $extraSQL ORDER BY EventTimestamp @@ -269,7 +269,7 @@ if (isset($_POST['user_id'])) { } $res->closeCursor(); ?> - </table> + </table> <?php } else { @@ -280,11 +280,6 @@ if (isset($_POST['user_id'])) { } -?> - - -<?php - printFooter(); diff --git a/webui/user-main.php b/webui/user-main.php index 066302c4..f8b031a7 100644 --- a/webui/user-main.php +++ b/webui/user-main.php @@ -73,13 +73,17 @@ if (!isset($_POST['frmaction'])) <td class="textcenter">Username</td> <td class="textcenter">Disabled</td> </tr> + <?php + $sql = "SELECT ID, Username, Disabled FROM ${DB_TABLE_PREFIX}users ORDER BY ID ASC"; $res = $db->query($sql); # List users while ($row = $res->fetchObject()) { + ?> + <tr class="resultsitem"> <td><input type="radio" name="user_id" value="<?php echo $row->id; ?>"/><?php echo $row->id; ?></td> <td><?php echo $row->username; ?></td> diff --git a/webui/wisp-multiuser-add.php b/webui/wisp-multiuser-add.php index 00b74a79..08526f3a 100644 --- a/webui/wisp-multiuser-add.php +++ b/webui/wisp-multiuser-add.php @@ -84,7 +84,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "insert") { <p class="pageheader">Add WiSP Users</p> <?php - + #FIXME # Perform checks on input if (isset($_POST['num_users']) && isset($_POST['session_timeout']) && isset($_POST['data_limit']) && isset($_POST['time_limit'])) { $db->beginTransaction(); @@ -116,10 +116,9 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "insert") { $userName = $randomString; $lookForUser = $db->query("SELECT ID FROM ${DB_TABLE_PREFIX}users WHERE Username LIKE '%$userName%'"); - $lookForUserRow = $lookForUser->fetchObject(); # If the user was found - if ($lookForUserRow) { + if ($lookForUser->rowCount() > 0) { $checkUsernameDuplicates = 1; } else { $checkUsernameDuplicates = 0; 
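Review bot: `$extraSQL` is still concatenated into the statement on the line after the newly quoted `Username` in the user-logs.php `@@ -150,7` hunk, so the query is only as safe as whatever built that fragment. It is assembled outside this hunk; if it is composed from posted filter fields, each value in it needs the same `$db->quote()` treatment or a bound placeholder.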
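Review bot: The duplicate lookup `WHERE Username LIKE '%$userName%'` in wisp-multiuser-add.php is left with `$userName` interpolated into the SQL, both in the `@@ -116,10` hunk and in `@@ -130,15` where it is built from `$loginNamePrefix`; if that prefix comes from the form (its origin is outside both hunks), this is a query the quoting pass missed. A substring `LIKE` is also a poor uniqueness test, since it reports a clash whenever the candidate appears anywhere inside an existing name. An exact, quoted comparison covers both points: `"... WHERE Username = ".$db->quote($userName)`.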
@@ -130,15 +129,13 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "insert") { $userName = $loginNamePrefix."_".$randomString; $lookForUser = $db->query("SELECT ID FROM ${DB_TABLE_PREFIX}users WHERE Username LIKE '%$userName%'"); - $lookForUserRow = $lookForUser->fetchObject(); # If the user was found - if ($lookForUserRow) { + if ($lookForUser->rowCount() > 0) { $checkUsernameDuplicates = 1; } else { $checkUsernameDuplicates = 0; } - } } while ($checkUsernameDuplicates > 0); diff --git a/webui/wisp-user-delete.php b/webui/wisp-user-delete.php index 75ac1b4c..2c23734a 100644 --- a/webui/wisp-user-delete.php +++ b/webui/wisp-user-delete.php @@ -77,14 +77,14 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") { <?php if (isset($_POST['user_id'])) { - if ($_POST['confirm'] == "yes") { + if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") { $db->beginTransaction(); # Delete user data - $userDataDeleteResult = $db->exec("DELETE FROM userdata WHERE UserID = ".$_POST['user_id']); + $userDataDeleteResult = $db->exec("DELETE FROM userdata WHERE UserID = ".$db->quote($_POST['user_id'])); # Delete user attributes - $attrDeleteResult = $db->exec("DELETE FROM user_attributes WHERE UserID = ".$_POST['user_id']); + $attrDeleteResult = $db->exec("DELETE FROM user_attributes WHERE UserID = ".$db->quote($_POST['user_id'])); # Delete from users - $userDeleteResult = $db->exec("DELETE FROM users WHERE ID = ".$_POST['user_id']); + $userDeleteResult = $db->exec("DELETE FROM users WHERE ID = ".$db->quote($_POST['user_id'])); if ($userDataDeleteResult && $attrDeleteResult && $userDeleteResult) { ?> diff --git a/webui/wisp-user-edit.php b/webui/wisp-user-edit.php index b2447176..1f641acb 100644 --- a/webui/wisp-user-edit.php +++ b/webui/wisp-user-edit.php 
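Review bot: `if ($userDataDeleteResult && $attrDeleteResult && $userDeleteResult)` in the wisp-user-delete.php hunk treats each `exec()` result as a boolean, but `exec()` returns the number of affected rows, so a user with no `userdata` or no `user_attributes` rows yields 0 and takes the failure path although no statement failed. Compare against failure explicitly: `if ($userDataDeleteResult !== false && $attrDeleteResult !== false && $userDeleteResult !== false)`. The three statements also name `userdata`, `user_attributes` and `users` without the `${DB_TABLE_PREFIX}` used in the other files of this commit, which would miss the tables on a prefixed install. What the else branch does (presumably a rollback) lies outside the hunk.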
@@ -35,7 +35,6 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "edit") { # Check a user was selected if (isset($_POST['user_id'])) { - # Prepare statements $userID = $_POST['user_id']; $sql = "SELECT FirstName, @@ -46,7 +45,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "edit") { FROM userdata WHERE - UserID = '$userID' + UserID = ".$db->quote($userID)." "; $userDataResult = $db->query($sql); @@ -57,7 +56,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "edit") { FROM user_attributes WHERE - UserID = '$userID' + UserID = ".$db->quote($userID)." AND Name = 'Framed-IP-Address' "; @@ -70,7 +69,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "edit") { FROM user_attributes WHERE - UserID = '$userID' + UserID = ".$db->quote($userID)." AND Name = 'Calling-Station-Id' "; @@ -84,7 +83,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "edit") { FROM user_attributes WHERE - UserID = '$userID' + UserID = ".$db->quote($userID)." AND Name = 'User-Password' "; @@ -98,7 +97,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "edit") { FROM user_attributes WHERE - UserID = '$userID' + UserID = ".$db->quote($userID)." AND Name = 'SMRadius-Capping-Traffic-Limit' "; @@ -112,7 +111,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "edit") { FROM user_attributes WHERE - UserID = '$userID' + UserID = ".$db->quote($userID)." AND Name = 'SMRadius-Capping-Time-Limit' "; diff --git a/webui/wisp-user-list.php b/webui/wisp-user-list.php index 10d1f792..735bcf4f 100644 --- a/webui/wisp-user-list.php +++ b/webui/wisp-user-list.php 
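Review bot: The same `".$db->quote($userID)."` splice is repeated in six queries across this file's hunks (`@@ -46,7` through `@@ -112,7`), five of which differ only in the attribute `Name` literal. user-groups-add.php in this commit already uses `$db->prepare()` with `?` placeholders; preparing the `user_attributes` lookup once with `UserID = ? AND Name = ?` and executing it per attribute would remove the string building and keep the two styles from drifting apart. `$userID` is taken from `$_POST['user_id']` after only an `isset()` check, so a numeric check before the first query is worth adding as well. The SELECT lists and the fetch code are outside the hunks.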
@@ -233,16 +233,16 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "dofilter") { ?> <tr class="resultsitem"> - <td><input type="radio" name="user_id" value="<?php echo $row->id ?>"/><?php echo $row->id ?></td> - <td><?php echo $row->username ?></td> - <td><?php echo $row->firstname ?></td> - <td><?php echo $row->lastname ?></td> - <td><?php echo $row->email ?></td> - <td><?php echo $row->phone ?></td> - <td><?php echo $row->location ?></td> - <td><?php echo $dataCap ?> MB</td> - <td><?php echo $timeCap ?> Min</td> - <td><?php echo $userIP ?></td> + <td><input type="radio" name="user_id" value="<?php echo $row->id; ?>"/><?php echo $row->id; ?></td> + <td><?php echo $row->username; ?></td> + <td><?php echo $row->firstname; ?></td> + <td><?php echo $row->lastname; ?></td> + <td><?php echo $row->email; ?></td> + <td><?php echo $row->phone; ?></td> + <td><?php echo $row->location; ?></td> + <td><?php echo $dataCap; ?> MB</td> + <td><?php echo $timeCap; ?> Min</td> + <td><?php echo $userIP; ?></td> </tr> <?php diff --git a/webui/wisp-user-logs.php b/webui/wisp-user-logs.php index 39e9b75b..f3ef623b 100644 --- a/webui/wisp-user-logs.php +++ b/webui/wisp-user-logs.php @@ -33,7 +33,6 @@ printHeader(array( )); - ?> <p class="pageheader">WiSP User Log</p> @@ -233,7 +232,7 @@ if (isset($_POST['user_id'])) { ?> <tr> - <td colspan="23" class="textcenter">No logs found for user: <?php echo $getuser ?></td> + <td colspan="23" class="textcenter">No logs found for user: <?php echo $getuser; ?></td> </tr> <?php -- GitLab