banananetwork
/
postfixadmin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

create_admin() cleanup

Browse Source 
functions.inc.php:
- create_admin(): use db_insert instead of INSERT queries
  (this includes automatic escaping of all values)

create-admin.php:
- use safepost instead of isset($_POST[...])
- don't escape_string post values - it's done inside create_admin now
- remove superfluous emptying of empty $tDomains for GET
- allow htmlentities-escaping for pAdminCreate_admin_username_text
- some whitespace / linebreak changes

setup.php:
- load config.inc.php only once (loading it twice will break if custom
  hook functions exist in config.*.php - "can't redefine function ...")
- use safepost instead of isset($_POST[...])
- don't escape_string post values - it's done inside create_admin now
- escape $tUsername with htmlentities() instead of escape_string



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1190 a1433add-5e2c-0410-b055-b7f2511e0802
pull/2/head
Christian Boltz 13 years ago
parent dc54de1657
commit 9f2a0db106
3 changed files with 25 additions and 27 deletions
Show Stats Download Patch File Download Diff File

27
create-admin.php
Unescape Escape View File

@ -38,34 +38,25 @@ $tDomains = array();
$pAdminCreate_admin_username_text_error = ""; $pAdminCreate_admin_username_text_error = "";
$pAdminCreate_admin_password_text_error = ""; $pAdminCreate_admin_password_text_error = "";
if ($_SERVER['REQUEST_METHOD'] == "GET") if ($_SERVER['REQUEST_METHOD'] == "POST") {
{ $fUsername = safepost('fUsername');
$tDomains = array (); $fPassword = safepost('fPassword');
} $fPassword2 = safepost('fPassword2');
$fDomains = safepost('fDomains', array());
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']);
if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);
if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']);
$fDomains = array();
if (!empty ($_POST['fDomains'])) $fDomains = escape_string($_POST['fDomains']);
# TODO: work with non-escaped values here and do the escaping in create_admin()
list ($error, $infoMessage, $pAdminCreate_admin_username_text_error, $pAdminCreate_admin_password_text_error) = create_admin($fUsername, $fPassword, $fPassword2, $fDomains); list ($error, $infoMessage, $pAdminCreate_admin_username_text_error, $pAdminCreate_admin_password_text_error) = create_admin($fUsername, $fPassword, $fPassword2, $fDomains);
if ($error != 0) { if ($error != 0) {
if (isset ($_POST['fUsername'])) $tUsername = escape_string ($_POST['fUsername']); $tUsername = $fUsername;
if (isset ($_POST['fDomains'])) $tDomains = $_POST['fDomains']; $tDomains = $fDomains;
} }
if(!empty($infoMessage)) if(!empty($infoMessage)) flash_info($infoMessage);
flash_info($infoMessage);
} }
$smarty->assign ('mode', 'create'); $smarty->assign ('mode', 'create');
$smarty->assign ('tUsername', $tUsername); $smarty->assign ('tUsername', $tUsername);
$smarty->assign ('pAdminCreate_admin_username_text', $PALANG['pAdminCreate_admin_username_text'], false); $smarty->assign ('pAdminCreate_admin_username_text', $PALANG['pAdminCreate_admin_username_text']);
$smarty->assign ('pAdminCreate_admin_username_text_error', $pAdminCreate_admin_username_text_error, false); $smarty->assign ('pAdminCreate_admin_username_text_error', $pAdminCreate_admin_username_text_error, false);
$smarty->assign ('admin_password_text_error', $pAdminCreate_admin_password_text_error, false); $smarty->assign ('admin_password_text_error', $pAdminCreate_admin_password_text_error, false);
$smarty->assign ('select_options', select_options ($list_domains, $tDomains), false); $smarty->assign ('select_options', select_options ($list_domains, $tDomains), false);

14
functions.inc.php
Unescape Escape View File

@ -2264,14 +2264,22 @@ function create_admin($fUsername, $fPassword, $fPassword2, $fDomains, $no_genera
$password = pacrypt($fPassword); $password = pacrypt($fPassword);
// $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text']; // $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text'];
$result = db_query ("INSERT INTO " . table_by_key('admin') . " (username,password,created,modified) VALUES ('$fUsername','$password',NOW(),NOW())"); $db_values = array(
if ($result['rows'] != 1) { 'username' => $fUsername,
'password' => $password,
);
$result = db_insert('admin', $db_values);
if ($result != 1) {
$pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_error'] . "<br />($fUsername)<br />"; $pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_error'] . "<br />($fUsername)<br />";
} else { } else {
if (!empty ($fDomains[0])) { if (!empty ($fDomains[0])) {
for ($i = 0; $i < sizeof ($fDomains); $i++) { for ($i = 0; $i < sizeof ($fDomains); $i++) {
$domain = $fDomains[$i]; $domain = $fDomains[$i];
$result = db_query ("INSERT INTO " . table_by_key ('domain_admins') . " (username,domain,created) VALUES ('$fUsername','$domain',NOW())"); $db_values = array(
'username' => $fUsername,
'domain' => $domain,
);
$result = db_insert('domain_admins', $db_values, array('created'));
} }
} }
$pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_success'] . "<br />($fUsername"; $pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_success'] . "<br />($fUsername";

9
setup.php
Unescape Escape View File

@ -123,7 +123,6 @@ if ($file_config == 1)
require_once($incpath.'/config.inc.php'); require_once($incpath.'/config.inc.php');
$config_loaded = 1; $config_loaded = 1;
require($incpath.'/config.inc.php');
if(isset($CONF['configured'])) { if(isset($CONF['configured'])) {
if($CONF['configured'] === TRUE) { if($CONF['configured'] === TRUE) {
print "<li>Checking \$CONF['configured'] - OK\n"; print "<li>Checking \$CONF['configured'] - OK\n";
@ -341,9 +340,9 @@ else
} }
if($error == 0 && $pw_check_result == 'pass_OK') { if($error == 0 && $pw_check_result == 'pass_OK') {
if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']); $fUsername = safepost('fUsername');
if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); $fPassword = safepost('fPassword');
if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); $fPassword2 = safepost('fPassword2');
// XXX need to ensure domains table includes an 'ALL' entry. // XXX need to ensure domains table includes an 'ALL' entry.
$table_domain = table_by_key('domain'); $table_domain = table_by_key('domain');
@ -354,7 +353,7 @@ else
list ($error, $setupMessage, $pAdminCreate_admin_username_text, $pAdminCreate_admin_password_text) = create_admin($fUsername, $fPassword, $fPassword2, array('ALL'), TRUE); list ($error, $setupMessage, $pAdminCreate_admin_username_text, $pAdminCreate_admin_password_text) = create_admin($fUsername, $fPassword, $fPassword2, array('ALL'), TRUE);
if ($error != 0) { if ($error != 0) {
if (isset ($_POST['fUsername'])) $tUsername = escape_string ($_POST['fUsername']); $tUsername = htmlentities($fUsername);
} }
} }
} }

Write Preview
Loading…
Cancel
Save