changeset 646:2eeca16e9c96
Improve attendee adding/updating data validation.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Mon, 03 Nov 2014 03:13:40 +0200 |
parents | cb06f048ec34 |
children | 60b51ab059da |
files | admajax.php msite.inc.php pages/register.inc.php |
diffstat | 3 files changed, 42 insertions(+), 18 deletions(-) [+] |
--- a/admajax.php Mon Nov 03 02:15:36 2014 +0200
+++ b/admajax.php Mon Nov 03 03:13:40 2014 +0200
@@ -1448,7 +1448,7 @@
stExecSQLCond($sql, "OK, compo added.");
}
else
- if ($type == "attendees" && stValidateRequestUserData(TRUE))
+ if ($type == "attendees" && stValidateRequestUserData(TRUE, FALSE))
{
$sql = stPrepareSQL(
"INSERT INTO attendees (regtime,name,groups,oneliner,email) VALUES (%d,%S,%S,%S,%S)",
@@ -1492,7 +1492,7 @@
stDBCommitTransaction();
}
else
- if ($type == "attendees" && stValidateRequestUserData(TRUE))
+ if ($type == "attendees" && stValidateRequestUserData(TRUE, $id))
{
$sql = stPrepareSQLUpdate("attendees", "WHERE id=".$id,
--- a/msite.inc.php Mon Nov 03 02:15:36 2014 +0200
+++ b/msite.inc.php Mon Nov 03 03:13:40 2014 +0200
@@ -291,41 +291,65 @@
}
-function stValidateRequestUserData($admin)
+function stValidateRequestUserData($admin, $id = FALSE)
{
- if (!stChkRequestItem("name", $fake,
- array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
- array(CHK_LTEQ, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters.")
- )) return FALSE;
+ $res = TRUE;
+ $chk = 0;
- if (!stChkRequestItem("groups", $fake,
- array(CHK_LTEQ, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters.")
- )) return FALSE;
+ if (stChkRequestItem("name", $name,
+ array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
+ array(CHK_LTEQ, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters.")))
+ $chk++;
+ else
+ $res = FALSE;
- if (!stChkRequestItem("oneliner", $fake,
- array(CHK_LTEQ, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters.")
- )) return FALSE;
+ if (stChkRequestItem("groups", $groups,
+ array(CHK_LTEQ, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters.")))
+ $chk++;
+ else
+ $res = FALSE;
+
+ if (!stChkRequestItem("oneliner", $oneliner,
+ array(CHK_LTEQ, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters.")))
+ $res = FALSE;
$email = stGetRequestItem("email");
if (!$admin && stGetSetting("requireEMail") && strlen($email) < 4)
{
stError("E-mail address not given, or it is too short.");
- return FALSE;
+ $res = FALSE;
}
if (strlen($email) > 0 && preg_match("/^[a-z0-9][a-z0-9\+\-\.\%_]*@[a-z0-9.-]+\.[a-z]{2,4}$/i", $email) != 1)
{
stError("E-mail address not in proper format.");
- return FALSE;
+ $res = FALSE;
}
if (strlen($email) > SET_LEN_EMAIL)
{
stError("E-mail address too long, max ".SET_LEN_EMAIL." characters.");
- return FALSE;
+ $res = FALSE;
+ }
+
+ // Check if another user already exists
+ if ($chk >= 2)
+ {
+ if ($id !== false)
+ // By another ID, if we are updating an entry
+ $sql = stPrepareSQL("SELECT * FROM attendees WHERE id<>%d name=%s AND groups=%s", $id, $name, $groups);
+ else
+ // Or just exists, if adding
+ $sql = stPrepareSQL("SELECT * FROM attendees WHERE name=%s AND groups=%s", $name, $groups);
+
+ if (($res = stFetchSQL($sql)) !== false)
+ {
+ stError("Someone with the same name and groups is already registered.");
+ $res = FALSE;
+ }
}
- return TRUE;
+ return $res;
}
--- a/pages/register.inc.php Mon Nov 03 02:15:36 2014 +0200 +++ b/pages/register.inc.php Mon Nov 03 03:13:40 2014 +0200 @@ -160,7 +160,7 @@ stChkRequestItem("hash", $hash, array(CHK_GTEQ, VT_STR, 0, "Invalid data.")); - stValidateRequestUserData(FALSE); + stValidateRequestUserData(FALSE, FALSE); $answer = stGetRequestItem("botcheck"); if (hashToAnswer($hash) != intval($answer))