diff options
| -rw-r--r-- | web/html/account.php | 44 | ||||
| -rw-r--r-- | web/lib/acctfuncs.inc.php | 39 |
2 files changed, 49 insertions, 34 deletions
diff --git a/web/html/account.php b/web/html/account.php index 63c3ada..2a96845 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -44,17 +44,10 @@ if (isset($_COOKIE["AURSID"])) { } elseif ($action == "DisplayAccount") { # the user has clicked 'edit', display the account details in a form # - $q = "SELECT Users.*, AccountTypes.AccountType "; - $q.= "FROM Users, AccountTypes "; - $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Users.ID = ".intval(in_request("ID")); - $result = db_query($q, $dbh); - if (!mysql_num_rows($result)) { + $row = account_details(in_request("ID"), in_request("U")); + if (empty($row)) { print __("Could not retrieve information for the specified user."); - } else { - $row = mysql_fetch_assoc($result); - # double check to make sure logged in user can edit this account # if ($atype == "User" || ($atype == "Trusted User" && $row["AccountType"] == "Developer")) { @@ -71,24 +64,15 @@ if (isset($_COOKIE["AURSID"])) { } elseif ($action == "AccountInfo") { # no editing, just looking up user info # - $q = "SELECT Users.*, AccountTypes.AccountType "; - $q.= "FROM Users, AccountTypes "; - $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; - if (isset($_REQUEST["ID"])) { - $q.= "AND Users.ID = ".intval(in_request("ID")); - } else { - $q.= "AND Users.Username = '".db_escape_string(in_request("U")) . "'"; - } - $result = db_query($q, $dbh); - if (!mysql_num_rows($result)) { + $row = account_details(in_request("ID"), in_request("U")); + if (empty($row)) { print __("Could not retrieve information for the specified user."); } else { - $row = mysql_fetch_assoc($result); - display_account_info($row["Username"], - $row["AccountType"], $row["Email"], $row["RealName"], - $row["IRCNick"], $row["PGPKey"], $row["LastVoted"]); + display_account_info($row["Username"], + $row["AccountType"], $row["Email"], $row["RealName"], + $row["IRCNick"], $row["PGPKey"], $row["LastVoted"]); } - + } elseif ($action == "UpdateAccount") { # user is submitting their modifications to an existing account # @@ -110,18 +94,10 @@ if (isset($_COOKIE["AURSID"])) { # A normal user, give them the ability to edit # their own account # - $q = "SELECT Users.*, AccountTypes.AccountType "; - $q.= "FROM Users, AccountTypes, Sessions "; - $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '"; - $q.= db_escape_string($_COOKIE["AURSID"])."'"; - $result = db_query($q, $dbh); - if (!mysql_num_rows($result)) { + $row = own_account_details($_COOKIE["AURSID"]); + if (empty($row)) { print __("Could not retrieve information for the specified user."); - } else { - $row = mysql_fetch_assoc($result); # don't need to check if they have permissions, this is a # normal user editing themselves. # diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 31c43db..7ea423e 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -740,3 +740,42 @@ function clear_expired_sessions($dbh=NULL) { return; } +function account_details($uid, $username, $dbh=NULL) { + if(!$dbh) { + $dbh = db_connect(); + } + $q = "SELECT Users.*, AccountTypes.AccountType "; + $q.= "FROM Users, AccountTypes "; + $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; + if (!empty($uid)) { + $q.= "AND Users.ID = ".intval($uid); + } else { + $q.= "AND Users.Username = '".db_escape_string($username) . "'"; + } + $result = db_query($q, $dbh); + + if ($result) { + $row = mysql_fetch_assoc($result); + } + + return $row; +} + +function own_account_details($sid, $dbh=NULL) { + if(!$dbh) { + $dbh = db_connect(); + } + $q = "SELECT Users.*, AccountTypes.AccountType "; + $q.= "FROM Users, AccountTypes, Sessions "; + $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; + $q.= "AND Users.ID = Sessions.UsersID "; + $q.= "AND Sessions.SessionID = '"; + $q.= db_escape_string($sid)."'"; + $result = db_query($q, $dbh); + + if ($result) { + $row = mysql_fetch_assoc($result); + } + + return $row; +} |