backend_myalliance.php

/backend/backend_myalliance.php

https://gitlab.com/Toldierone/ReClop · PHP · 246 lines · 245 code · 0 blank · 1 comment · 55 complexity · 569a022036d8a9c1b75eb9bb773c4e67 MD5 · raw file

<?php
include("allfunctions.php");
$sql=<<<EOSQL
SELECT alliance_id
FROM users
WHERE user_id = '{$_SESSION['user_id']}'
EOSQL;
$rs = onelinequery($sql);
if (!$rs['alliance_id']) {
    header("Location: overview.php");
    exit;
} else {
	$allianceid = $rs['alliance_id'];
}
foreach ($_POST as $key => $value) {
    $mysql[$key] = $GLOBALS['mysqli']->real_escape_string($value);
    $display[$key] = htmlentities($value);
}
$sql=<<<EOSQL
SELECT a.*, u.donator
FROM alliances a
LEFT JOIN users u ON a.owner_id = u.user_id
WHERE a.alliance_id = '{$rs['alliance_id']}'
EOSQL;
$allianceinfo = onelinequery($sql);
$displayeditpubdescription = htmlentities($allianceinfo['public_description'], ENT_SUBSTITUTE, "UTF-8");
$displayeditdescription = htmlentities($allianceinfo['description'], ENT_SUBSTITUTE, "UTF-8");
if ($allianceinfo['donator']) {
    $displaydescription = nl2br($allianceinfo['description']);
} else {
    $displaydescription = nl2br(htmlentities($allianceinfo['description'], ENT_SUBSTITUTE, "UTF-8"));
}
if ($_POST && (($_POST['token_myalliance'] == "") || ($_POST['token_myalliance'] != $_SESSION['token_myalliance']))) {
    $errors[] = "Try again.";
}
if ($_POST || ($_SESSION['token_myalliance'] == "")) {
    $_SESSION['token_myalliance'] = sha1(rand() . $_SESSION['token_myalliance']);
}
if ($_SESSION['user_id'] == $allianceinfo['owner_id']) {
    $owner = true;
}
if (!$errors) {
    if ($owner) {
    if ($_POST['updatedescription']) {
        $sql=<<<EOSQL
    UPDATE alliances SET description = '{$mysql['alliancedescription']}' WHERE alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
        $displayeditdescription = htmlentities($_POST['alliancedescription'], ENT_SUBSTITUTE, "UTF-8");
        if ($allianceinfo['donator']) {
            $displaydescription = nl2br($_POST['alliancedescription']);
        } else {
            $displaydescription = nl2br(htmlentities($_POST['alliancedescription'], ENT_SUBSTITUTE, "UTF-8"));
        }
    }
    if ($_POST['updatepubdescription']) {
        $sql=<<<EOSQL
    UPDATE alliances SET public_description = '{$mysql['alliancepubdescription']}' WHERE alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
        $displayeditpubdescription = htmlentities($_POST['alliancepubdescription']);
    }
    if ($_POST['action'] == "Accept User") {
        $sql=<<<EOSQL
    SELECT * FROM alliance_requests WHERE user_id = '{$mysql['user_id']}' AND alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $rs = onelinequery($sql);
        if ($rs) {
            $sql=<<<EOSQL
    DELETE FROM alliance_requests WHERE user_id = '{$mysql['user_id']}'
EOSQL;
            $GLOBALS['mysqli']->query($sql);
            $sql=<<<EOSQL
    UPDATE users SET alliance_id = {$allianceinfo['alliance_id']} WHERE user_id = '{$mysql['user_id']}'
EOSQL;
            $GLOBALS['mysqli']->query($sql);
            $message = $GLOBALS['mysqli']->real_escape_string("Your application to {$allianceinfo['name']} was accepted.");
            $sql=<<<EOSQL
    INSERT INTO messages (fromuser, touser, fromdeleted, message, sent) VALUES (0, {$mysql['user_id']}, 1, '{$message}', NOW())
EOSQL;
            $GLOBALS['mysqli']->query($sql);
        } else {
            $errors[] = "The user disappeared before you could accept!";
        }
    }
    if ($_POST['action'] == "Reject User") {
        $sql=<<<EOSQL
    SELECT * FROM alliance_requests WHERE user_id = '{$mysql['user_id']}' AND alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
        if ($rs) {
            $sql=<<<EOSQL
    DELETE FROM alliance_requests WHERE user_id = '{$mysql['user_id']}' AND alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
            $GLOBALS['mysqli']->query($sql);
            $message = $GLOBALS['mysqli']->real_escape_string("Your application to {$allianceinfo['name']} was rejected.");
            $sql=<<<EOSQL
    INSERT INTO messages (fromuser, touser, fromdeleted, message, sent) VALUES (0, {$mysql['user_id']}, 1, '{$message}', NOW())
EOSQL;
            $GLOBALS['mysqli']->query($sql);
        } else {
            $errors[] = "The member disappeared before you could reject!";
        }
    }
    if ($_POST['action'] == "Eject User") {
        $sql=<<<EOSQL
    UPDATE users SET alliance_id = 0 WHERE user_id = '{$mysql['user_id']}' AND alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
        $message = $GLOBALS['mysqli']->real_escape_string("You were thrown out of {$allianceinfo['name']}!");
        $sql=<<<EOSQL
    INSERT INTO messages (fromuser, touser, fromdeleted, message, sent) VALUES (0, {$mysql['user_id']}, 1, '{$message}', NOW())
EOSQL;
        $GLOBALS['mysqli']->query($sql);
    }
    if ($_POST['givealliance']) {
        $sql = "SELECT user_id, alliance_id FROM users WHERE username = '{$mysql['giveto']}'";
        $rs = onelinequery($sql);
        if (!$rs) {
            $errors[] = "User not found.";
        } else if ($rs['alliance_id'] != $allianceinfo['alliance_id']) {
            $errors[] = "That user is not in your alliance!";
        } else if ($rs['user_id'] == $_SESSION['user_id']) {
            $errors[] = "Silly.";
        } else if ($rs) {
            $givetoid = $rs['user_id'];
            $sql=<<<EOSQL
UPDATE alliances SET owner_id = '{$rs['user_id']}' WHERE alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
            $GLOBALS['mysqli']->query($sql);
            $owner = false;
        }
    }
    if ($_POST['action'] == "Disband Alliance") {
        $sql=<<<EOSQL
    UPDATE users SET alliance_id = 0 WHERE alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
        $sql=<<<EOSQL
    DELETE FROM alliance_requests WHERE alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
        $sql=<<<EOSQL
    DELETE FROM alliances WHERE alliance_id = '{$allianceinfo['alliance_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
	//if alliance is older than a week (604 800 seconds)
	if ((time() - strtotime($allianceinfo['creationdate'])) > 604800) {
	$rawmessage = "The ".$allianceinfo['name']." Alliance has been disbanded!";
	$message = $GLOBALS['mysqli']->real_escape_string($rawmessage);
	$sql = "INSERT INTO news VALUES ('', '".$message."', NOW())";
	$GLOBALS['mysqli']->query($sql);
	}
    header("Location: overview.php");
    exit;
    }
    if ($_POST['bulkdelete']) {
	if (!ctype_digit($_POST['deletedays']) || $_POST['deletedays'] === "") {
        $errors[] = "Enter a number of days.";
    }
	if (!$errors) {
	$mysql['deletedays'] = (int)$_POST['deletedays'];
    $sql=<<<EOSQL
DELETE FROM alliance_messages WHERE alliance_id = '{$allianceinfo['alliance_id']}' AND posted < DATE_SUB(NOW(), INTERVAL {$mysql['deletedays']} DAY)
EOSQL;
	$GLOBALS['mysqli']->query($sql);
   }
   }
   }
if ($_POST['action'] == "Leave Alliance") {
    $sql=<<<EOSQL
    UPDATE users SET alliance_id = 0, alliance_lastread = '0' WHERE user_id = '{$_SESSION['user_id']}'
EOSQL;
    $GLOBALS['mysqli']->query($sql);
    header("Location: overview.php");
    exit;
}
if ($_POST['sendmessage']) {
    $sql=<<<EOSQL
    INSERT INTO alliance_messages SET alliance_id = '{$allianceinfo['alliance_id']}', user_id = '{$_SESSION['user_id']}', posted = NOW(), message = '{$mysql['message']}'
EOSQL;
    $GLOBALS['mysqli']->query($sql);
}
if ($_POST['deletemessage']) {
    if ($owner) {
        $sql=<<<EOSQL
        SELECT user_id FROM alliance_messages WHERE alliance_id = '{$allianceinfo['alliance_id']}' AND message_id = '{$mysql['message_id']}'
EOSQL;
    } else {
        $sql=<<<EOSQL
        SELECT user_id FROM alliance_messages WHERE user_id = '{$_SESSION['user_id']}' AND alliance_id = '{$allianceinfo['alliance_id']}' AND message_id = '{$mysql['message_id']}'
EOSQL;
    }
    $rs = onelinequery($sql);
    if ($rs['user_id']) {
        $sql=<<<EOSQL
        DELETE FROM alliance_messages WHERE message_id = '{$mysql['message_id']}'
EOSQL;
        $GLOBALS['mysqli']->query($sql);
    } else {
        $errors[] = "You can't delete that message.";
    }
}
}
$alliancemembers = array();
$requestingmembers = array();
$sql=<<<EOSQL
SELECT username, user_id, stasismode FROM users WHERE alliance_id = '{$allianceinfo['alliance_id']}' ORDER BY username
EOSQL;
$sth = $GLOBALS['mysqli']->query($sql);
while ($rs = mysqli_fetch_array($sth)) {
    $alliancemembers[] = $rs;
    $sql=<<<EOSQL
	SELECT nation_id, name FROM nations WHERE user_id = {$rs['user_id']} ORDER BY name
EOSQL;
	$sth2 = $GLOBALS['mysqli']->query($sql);
	while ($rs2 = mysqli_fetch_array($sth2)) {
		$nations[$rs['user_id']][] = $rs2;
	}
}
$sql=<<<EOSQL
SELECT u.username, u.user_id FROM alliance_requests ar INNER JOIN users u ON ar.user_id = u.user_id WHERE ar.alliance_id = '{$allianceinfo['alliance_id']}' ORDER BY u.username
EOSQL;
$sth = $GLOBALS['mysqli']->query($sql);
if ($sth) {
    while ($rs = mysqli_fetch_array($sth)) {
        $requestingmembers[] = $rs;
    }
}
$sql=<<<EOSQL
SELECT u.username, u.user_id, am.message, am.posted, am.message_id FROM alliance_messages am INNER JOIN users u ON am.user_id = u.user_id WHERE am.alliance_id = '{$allianceinfo['alliance_id']}'
ORDER BY am.posted DESC
EOSQL;
$sth = $GLOBALS['mysqli']->query($sql);
if ($sth) {
    while ($rs = mysqli_fetch_array($sth)) {
        $rs['displaymessage'] = nl2br(htmlentities($rs['message'], ENT_SUBSTITUTE, "UTF-8"));
        $messages[] = $rs;
    }
}
$sql = <<<EOSQL
UPDATE users SET alliance_lastread = (SELECT MAX(message_id) FROM alliance_messages WHERE alliance_id = '{$allianceid}') WHERE user_id = '{$_SESSION['user_id']}'
EOSQL;
$GLOBALS['mysqli']->query($sql) or die($mysqli->error);

?>
Alerts (24)

'include(' Dynamic include detected; use static paths (e.g., include '/path/file.php') to prevent code injection
2
Complexity hotspot; line 33 (total complexity: 5)
33
'$_POST[' Unbounded request input detected; limit size (e.g., check Content-Length or use max input vars) to prevent memory exhaustion
33 44 49 51 53 56 61 63 86 105 116 134 157 158 162 170 178 184
'sha1(' Weak hashing detected; use password_hash() with PASSWORD_DEFAULT for secure password storage
37
'SELECT * FROM' Avoid SELECT *; specify columns for better performance and maintainability
65 88
'die(' Abrupt termination detected; use try-catch or custom error handlers for better control
244