Context Navigation

myaccount.php

Revision 704, 5.4 KB (checked in by brieb, 2 years ago)
Fixed several SQL injection vulnerabilities Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI Fixed severa path disclosure errors

Line
1	<?php
2	/*
3	$Rev: 186 $ \| $LastChangedBy: brieb $
4	$LastChangedDate: 2007-02-16 11:59:50 -0700 (Fri, 16 Feb 2007) $
5	+-------------------------------------------------------------------------+
6	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
7	\| All rights reserved. \|
8	+-------------------------------------------------------------------------+
9	\| \|
10	\| Redistribution and use in source and binary forms, with or without \|
11	\| modification, are permitted provided that the following conditions are \|
12	\| met: \|
13	\| \|
14	\| - Redistributions of source code must retain the above copyright \|
15	\| notice, this list of conditions and the following disclaimer. \|
16	\| \|
17	\| - Redistributions in binary form must reproduce the above copyright \|
18	\| notice, this list of conditions and the following disclaimer in the \|
19	\| documentation and/or other materials provided with the distribution. \|
20	\| \|
21	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
22	\| be used to endorse or promote products derived from this software \|
23	\| without specific prior written permission. \|
24	\| \|
25	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
26	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
27	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
28	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
29	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
30	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
31	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
32	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
33	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
34	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
35	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
36	\| \|
37	+-------------------------------------------------------------------------+
38	*/
39
40	require_once("../../include/session.php");
41
42	require_once("../../include/fields.php");
43	require_once("include/myaccount.php");
44
45	$user = new myAccount($db, $_SESSION["userinfo"]["uuid"]);
46
47	if(isset($_POST["command"])){
48
49	switch($_POST["command"]){
50
51	case "Change Password":
52
53	if($_POST["newPass"] === $_POST["confirmPass"])
54	$statusmessage = $user->changePassword($_POST["curPass"], $_POST["newPass"]);
55	else
56	$statusmessage = "New password not confirmed";
57	break;
58
59	case "Update Contact":
60
61	$statusmessage = $user->update($_POST);
62	break;
63
64	}//endswitch
65
66	}//endif
67
68	$pageTitle="My Account";
69
70	$phpbms->cssIncludes[] = "pages/myaccount.css";
71	$phpbms->jsIncludes[] = "modules/base/javascript/myaccount.js";
72
73	//Form Elements
74	//==============================================================
75	$theform = new phpbmsForm();
76
77	$theinput = new inputField("email",$_SESSION["userinfo"]["email"],"e-mail address",false,"email",32,64);
78	$theform->addField($theinput);
79
80	$theinput = new inputField("phone",$_SESSION["userinfo"]["phone"],"phone/extension",false,"phone",32,64);
81	$theform->addField($theinput);
82
83	$theform->jsMerge();
84	//==============================================================
85	//End Form Elements
86
87	include("header.php");
88	?><div class="bodyline">
89	<form action="<?php echo htmlentities($_SERVER["PHP_SELF"])?>" method="post" name="record" id="record" onsubmit="return false">
90	<input type="hidden" id="command" name="command" value=""/>
91
92	<h1><span><?php echo $pageTitle ?></span></h1>
93
94	<fieldset>
95	<legend>Name</legend>
96	<p id="nameP"><?php echo htmlQuotes($_SESSION["userinfo"]["firstname"]." ".$_SESSION["userinfo"]["lastname"])?></p>
97	</fieldset>
98
99	<fieldset>
100	<legend>Change Password</legend>
101	<p>
102	<label for="curPass">current password</label><br />
103	<input type="password" id="curPass" name="curPass" maxlength="32"/>
104	</p>
105
106	<p>
107	<label for="newPass">new password</label><br />
108	<input type="password" id="newPass" name="newPass" maxlength="32"/>
109	</p>
110	<p>
111	<label for="confirmPass">re-type new password</label><br />
112	<input type="password" id="confirmPass" name="confirmPass" maxlength="32"/>
113	</p>
114	</fieldset>
115	<p>
116	<button type="button" class="Buttons" onclick="changePass()">Change Password</button>
117	</p>
118
119	<fieldset>
120	<legend>Contact Information</legend>
121
122	<p><?php $theform->showField("email")?></p>
123
124	<p><?php $theform->showField("phone")?></p>
125
126	</fieldset>
127	<p><button type="button" class="Buttons" onclick="changeContact()">Update Contact Information</button></p>
128
129	<fieldset>
130	<legend>Access / Assigned Roles</legend>
131	<ul>
132	<?php
133	if($_SESSION["userinfo"]["admin"]) {?><li><strong>Administrator</strong></li><?php }
134	$user->displayRoles();
135	?></ul>
136	</fieldset>
137	</form>
138	</div>
139
140	<?php include("footer.php"); ?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/base/myaccount.php

Download in other formats: