/var/www/enzatesting.onesolution.hk/01_20240711_full_backup/master_useredit_modify.php


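<?php
// master_useredit_modify.php
//
// Handles the POST from master_useredit_modifyform.php: a logged-in user changes
// the username (and optionally the password) of their own master_user row.
// Flow: validate confirm/old password -> verify the request targets the session's
// own record -> UPDATE -> destroy the session so the user logs in again.
$formid = "NoPermission";
require_once "inc/configure.php";

// NOTE: FILTER_SANITIZE_STRING is deprecated since PHP 8.1; kept because the
// rest of the application relies on its tag-stripping behaviour.
$refid  = (int) filter_var($_REQUEST['refid'] ?? '', FILTER_SANITIZE_STRING);
$userid = (string) filter_var($_REQUEST['userid'] ?? '', FILTER_SANITIZE_STRING);

if (($_POST['action'] ?? '') === "master_useredit_modifyform" && !empty($refid)) {

    $username = filter_var($_REQUEST['username'] ?? '', FILTER_SANITIZE_STRING);
    $lastupby = filter_var($_SESSION['user'] ?? '', FILTER_SANITIZE_STRING);

    // Password fields are deliberately NOT passed through filter_var: the stored
    // digest must be computed from exactly what the user typed. Non-string input
    // (e.g. an array parameter) is treated as empty rather than crashing md5salt().
    $userpwd        = is_string($_REQUEST['userpwd'] ?? null) ? $_REQUEST['userpwd'] : '';
    $userpwdConfirm = is_string($_REQUEST['userpwd_confirm'] ?? null) ? $_REQUEST['userpwd_confirm'] : '';
    $oldpwd         = is_string($_REQUEST['oldpwd'] ?? null) ? $_REQUEST['oldpwd'] : '';

    // New password and its confirmation must agree (both empty = keep current).
    // Error text is URL-encoded so it cannot break the Location header or smuggle
    // extra query parameters.
    if ($userpwd !== $userpwdConfirm) {
        $msg = "Passwords do not match";
        header("Location: master_useredit_modifyform.php?refid=$refid&error=" . rawurlencode($msg));
        exit;
    }

    // A user may only modify their own record: the submitted ids must match the
    // session, and the session must actually identify a user (an empty session
    // would otherwise "match" an empty submitted userid).
    $sessionRefid = (int) ($_SESSION['refid'] ?? 0);
    $sessionUser  = (string) ($_SESSION['user'] ?? '');
    if ($sessionUser === '' || $refid !== $sessionRefid || $userid !== $sessionUser) {
        myerror("Invalid Request");
        exit;
    }

    // Verify the current password before allowing any change.
    // NOTE(review): passwords are stored as md5salt() digests (project helper).
    // That is a weak scheme; moving to password_hash()/password_verify() needs a
    // coordinated change to the login path and the stored column, so it is only
    // flagged here, not changed.
    $sql = "SELECT count(*) as counter
            FROM master_user
            WHERE refid=:refid and userid=:userid and userpwd=:oldpwd";
    $sth = $dbh->prepare($sql);
    $q   = $sth->execute([
        ':refid'  => $_SESSION['refid'],
        ':userid' => $_SESSION['user'],
        ':oldpwd' => md5salt($oldpwd),
    ]);
    pdo_showerror($sth, $q);

    $row     = $sth->fetch();
    $counter = is_array($row) ? (int) $row['counter'] : 0;   // fetch() returns false on no row
    if ($counter !== 1) {
        $msg = "Incorrect Password";
        header("Location: master_useredit_modifyform.php?refid=$refid&error=" . rawurlencode($msg));
        exit;
    }

    $sql_param = [
        ':refid'    => $_SESSION['refid'],
        ':userid'   => $_SESSION['user'],
        ':username' => $username,
        ':oldpwd'   => md5salt($oldpwd),
        ':lastupby' => $lastupby,
    ];

    // Only touch the password column when a new password was supplied. The
    // fragment is initialised to '' so the UPDATE below is well-formed either way
    // (it was previously undefined when no password was given). `!== ''` is used
    // instead of empty() so a password of "0" is not silently ignored. The
    // fragment is a constant string, never user input, so interpolating it into
    // the SQL is safe; all values still go through bound parameters.
    $sql_PPu_field = "";
    if ($userpwd !== '') {
        $sql_PPu_field         = "userpwd = :userpwd,";
        $sql_param[':userpwd'] = md5salt($userpwd);
    }

    // The WHERE clause re-checks the old password so a concurrent change between
    // the SELECT above and this UPDATE cannot overwrite the row.
    $sql = "UPDATE master_user SET
                username = :username,
                $sql_PPu_field
                lastupby = :lastupby,
                lastupdate = getdate()
            WHERE refid=:refid and userid=:userid and userpwd=:oldpwd";
    $sth = $dbh->prepare($sql);
    $q   = $sth->execute($sql_param);
    pdo_showerror($sth, $q);

    if (!$sth->rowCount()) {
        $msg = "Fail to modify User";
        header("Location: master_useredit_modifyform.php?error=" . rawurlencode($msg));
        exit;
    }

    // Credentials changed: end the session (and expire its cookie) so the user
    // must log in again. Mirrors the normal logout steps.
    $_SESSION = [];
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params["path"],
            $params["domain"],
            $params["secure"],
            $params["httponly"]
        );
    }
    session_destroy();

    print 'Saved. Please Login again
    <br/><br/>
    <form><input type="button" name="' . CLOSE . '" value="' . CLOSE . '" onclick="javascript:top.location.reload();"></form>';
    exit;
}
myerror("Invalid Request");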