create_admin() cleanup

functions.inc.php:
- create_admin(): use db_insert instead of INSERT queries
  (this includes automatic escaping of all values)

create-admin.php:
- use safepost instead of isset($_POST[...])
- don't escape_string post values - it's done inside create_admin now
- remove superfluous emptying of empty $tDomains for GET
- allow htmlentities-escaping for pAdminCreate_admin_username_text
- some whitespace / linebreak changes

setup.php:
- load config.inc.php only once (loading it twice will break if custom
  hook functions exist in config.*.php - "can't redefine function ...")
- use safepost instead of isset($_POST[...])
- don't escape_string post values - it's done inside create_admin now
- escape $tUsername with htmlentities() instead of escape_string



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1190 a1433add-5e2c-0410-b055-b7f2511e0802

create-admin.php

@@ -38,34 +38,25 @@ $tDomains = array();
 $pAdminCreate_admin_username_text_error = "";
 $pAdminCreate_admin_password_text_error = "";
 
-if ($_SERVER['REQUEST_METHOD'] == "GET")
-{
-   $tDomains = array ();
-}
+if ($_SERVER['REQUEST_METHOD'] == "POST") {
+   $fUsername  = safepost('fUsername');
+   $fPassword  = safepost('fPassword');
+   $fPassword2 = safepost('fPassword2');
+   $fDomains   = safepost('fDomains', array());
 
-if ($_SERVER['REQUEST_METHOD'] == "POST")
-{
-   if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']);
-   if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);
-   if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']);
-   $fDomains = array();
-   if (!empty ($_POST['fDomains'])) $fDomains = escape_string($_POST['fDomains']);
-# TODO: work with non-escaped values here and do the escaping in create_admin()
    list ($error, $infoMessage, $pAdminCreate_admin_username_text_error, $pAdminCreate_admin_password_text_error) = create_admin($fUsername, $fPassword, $fPassword2, $fDomains);
 
    if ($error != 0) {
-      if (isset ($_POST['fUsername'])) $tUsername = escape_string ($_POST['fUsername']);
-      if (isset ($_POST['fDomains'])) $tDomains = $_POST['fDomains'];
+      $tUsername = $fUsername;
+      $tDomains = $fDomains;
    }
-   
-   if(!empty($infoMessage))
-	flash_info($infoMessage);
-   
+
+   if(!empty($infoMessage)) flash_info($infoMessage);
 }
 
 $smarty->assign ('mode', 'create');
 $smarty->assign ('tUsername', $tUsername);
-$smarty->assign ('pAdminCreate_admin_username_text', $PALANG['pAdminCreate_admin_username_text'], false);
+$smarty->assign ('pAdminCreate_admin_username_text', $PALANG['pAdminCreate_admin_username_text']);
 $smarty->assign ('pAdminCreate_admin_username_text_error', $pAdminCreate_admin_username_text_error, false);
 $smarty->assign ('admin_password_text_error', $pAdminCreate_admin_password_text_error, false);
 $smarty->assign ('select_options', select_options ($list_domains, $tDomains), false);

functions.inc.php

@@ -2264,14 +2264,22 @@ function create_admin($fUsername, $fPassword, $fPassword2, $fDomains, $no_genera
         $password = pacrypt($fPassword);
         // $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text'];
 
-        $result = db_query ("INSERT INTO " . table_by_key('admin') . " (username,password,created,modified) VALUES ('$fUsername','$password',NOW(),NOW())");
-        if ($result['rows'] != 1) {
+        $db_values = array(
+            'username'  => $fUsername,
+            'password'  => $password,
+        );
+        $result = db_insert('admin', $db_values);
+        if ($result != 1) {
             $pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_error'] . "<br />($fUsername)<br />";
         } else {
             if (!empty ($fDomains[0])) {
                 for ($i = 0; $i < sizeof ($fDomains); $i++) {
                     $domain = $fDomains[$i];
-                    $result = db_query ("INSERT INTO " . table_by_key ('domain_admins') . " (username,domain,created) VALUES ('$fUsername','$domain',NOW())");
+                    $db_values = array(
+                        'username'  => $fUsername,
+                        'domain'    => $domain,
+                    );
+                    $result = db_insert('domain_admins', $db_values, array('created'));
                 }
             }
             $pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_success'] . "<br />($fUsername";

setup.php

@@ -123,7 +123,6 @@ if ($file_config == 1)
     require_once($incpath.'/config.inc.php');
     $config_loaded = 1;
 
-    require($incpath.'/config.inc.php');
     if(isset($CONF['configured'])) {
         if($CONF['configured'] === TRUE) {
             print "<li>Checking \$CONF['configured'] - OK\n";
@@ -341,9 +340,9 @@ else
         }
 
         if($error == 0 && $pw_check_result == 'pass_OK') {
-            if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']);
-            if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);
-            if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']);
+            $fUsername  = safepost('fUsername');
+            $fPassword  = safepost('fPassword');
+            $fPassword2 = safepost('fPassword2');
 
             // XXX need to ensure domains table includes an 'ALL' entry.
             $table_domain = table_by_key('domain');
@@ -354,7 +353,7 @@ else
 
             list ($error, $setupMessage, $pAdminCreate_admin_username_text, $pAdminCreate_admin_password_text) = create_admin($fUsername, $fPassword, $fPassword2, array('ALL'), TRUE);
             if ($error != 0) {
-                if (isset ($_POST['fUsername'])) $tUsername = escape_string ($_POST['fUsername']);
+                $tUsername = htmlentities($fUsername);
             }
         }
     }