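<?php
defined('_INDM') or die('POSSIBLE HACK ATTEMPT!');
/*===========================================================================
Admin user moderation: find, create and delete users.

Expects the including script to provide $user, $action, $default_url,
$admin_dir, $db_table_prefix and $lan, plus an open mysql_* connection.
Sets $page / $warning_message when a message box should be shown and
$main with the user editing template otherwise.

NOTE(review): the mysql_* extension used here has no prepared statements
(and was removed in PHP 7); every query below is built from escaped strings
and should move to mysqli/PDO prepared statements together with the
connection setup, which lives outside this file.
===========================================================================*/
require VALIDATE;

// Check user privileges. The exit is essential: a redirect header alone
// does not stop execution, so without it a non-admin request would still
// run the save/delete actions below before the browser follows the redirect.
if ($user !== 'ADMIN') {
    header('Location: ' . $default_url . 'index.php');
    exit;
}

switch ($action) {
    case 'find_user':
        // Popup listing the user names that contain the search term.
        $raw_find = isset($_GET['find_name']) ? stripslashes($_GET['find_name']) : '';
        // Escape LIKE wildcards first so the term is matched literally, then
        // escape for the SQL string literal (connection-charset aware).
        $find_name = mysql_real_escape_string(addcslashes($raw_find, '%_'));

        $popup = '<body onBlur="window.close()">';
        $popup .= $lan['matching_user_names'] . '<br><hr>';

        $sql_query = mysql_query("SELECT `user_name`, `user_level` FROM `" . $db_table_prefix . "core_users` WHERE `user_name` LIKE '%" . $find_name . "%'");
        if ($sql_query !== false) {
            while ($sql_result = mysql_fetch_assoc($sql_query)) {
                // Names and levels come from the database and are rendered
                // into HTML, so escape them for that context.
                $level = htmlspecialchars($sql_result['user_level'], ENT_QUOTES);
                $name  = htmlspecialchars($sql_result['user_name'], ENT_QUOTES);
                $popup .= '<span style="float:right">[' . $level . ']</span>'
                    . '<a href="' . $admin_dir . 'index.php?action=user_mod" onClick="window.close(); formSubmit()" target="main_window">' . $name . '</a><br>';
            }
        }
        $popup .= '</body>';
        echo $popup;
        exit;

    case 'save_user':
        // Get data from the form. Values are SQL-escaped here because the
        // queries below interpolate them directly.
        $user_name  = isset($_REQUEST['user_name'])  ? mysql_real_escape_string(stripslashes($_REQUEST['user_name']))  : '';
        $user_level = isset($_REQUEST['user_level']) ? mysql_real_escape_string(stripslashes($_REQUEST['user_level'])) : '';
        $password_1 = isset($_REQUEST['password_1']) ? mysql_real_escape_string(stripslashes($_REQUEST['password_1'])) : '';
        $password_2 = isset($_REQUEST['password_2']) ? mysql_real_escape_string(stripslashes($_REQUEST['password_2'])) : '';

        // An empty name would create an unusable account; show the form again.
        if ($user_name === '') {
            break;
        }

        // Check if the user already exists. This must query the same table
        // the INSERT writes to (`<prefix>core_users`); the previous
        // `<prefix>_users` name made the check fail open and allowed
        // duplicate accounts.
        $sql_result = mysql_query("SELECT `user_name` FROM `" . $db_table_prefix . "core_users` WHERE `user_name` = '" . $user_name . "' LIMIT 1");
        $user_exists = ($sql_result !== false && mysql_num_rows($sql_result) > 0);

        // Only create the user when a password is present and matches its
        // confirmation. Strict comparison: loose == treats numeric-looking
        // strings such as "1e1" and "10" as equal.
        if (!$user_exists && $password_1 !== '' && $password_1 === $password_2) {
            // NOTE(review): md5 is not a password hash; migrating to
            // password_hash()/password_verify() requires a matching change in
            // the login check (VALIDATE), which this file does not contain.
            // The hash is computed over the SQL-escaped string, as before —
            // confirm that the login check escapes the same way.
            $password_md5 = md5($password_1);
            // $user_level is stored as submitted; no value list is known here.
            mysql_query("INSERT INTO `" . $db_table_prefix . "core_users` VALUES('$user_name',
'$password_md5',
'',
'$user_level',
'',
'',
'',
'',
(now()),
(now()),
'',
'')") or die("<b>A fatal MySQL error occured</b>.\n<br />\nError: (" . mysql_errno() . ") " . mysql_error());
            $page = 'messagebox';
            // $user_name is SQL-escaped only; the message box template is
            // assumed to HTML-escape it — confirm before relying on this.
            $warning_message = $lan['user_added'] . '"' . $user_name . '"';
        }
        // Existing user, or missing/mismatched password: nothing is saved and
        // no message is set, so the edit form below is shown again.
        break;

    case 'delete_user':
        // Delete a user from the database.
        $user_name = isset($_REQUEST['user_name']) ? mysql_real_escape_string(stripslashes($_REQUEST['user_name'])) : '';

        // An empty name would report a deletion that never happened.
        if ($user_name === '') {
            break;
        }

        // The built-in 'Admin' account cannot be deleted. The previous test
        // `!$user_name == 'Admin'` negated the string before comparing it and
        // so had no effect; only the name check below was ever meaningful.
        if ($user_name === 'Admin') {
            $page = 'messagebox';
            $warning_message = $lan['cannot_delete_user'] . '"' . $user_name . '"';
        } else {
            mysql_query("DELETE FROM `" . $db_table_prefix . "core_users` WHERE `user_name` = '" . $user_name . "'")
                or die("<b>A fatal MySQL error occured</b>.\n<br />\nError: (" . mysql_errno() . ") " . mysql_error());
            $page = 'messagebox';
            $warning_message = $lan['user_deleted'] . '"' . $user_name . '"';
        }
        break;
}

// Display the user moderation page when there is no message to show.
$main = read_file("templates/edit_users.tpl");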