Index: admin/paneladmina.php
===================================================================
--- admin/paneladmina.php (revision 1055)
+++ admin/paneladmina.php (working copy)
@@ -31,141 +31,164 @@ define('INSIDE' , true); define('INSTALL' , false); define('IN_ADMIN', true); + require_once dirname(dirname(__FILE__)) .'/common.php'; - if ($user['authlevel'] >= "1") { - includeLang('admin/adminpanel'); +if ($user['authlevel'] >= "1") { - $PanelMainTPL = gettemplate('admin/admin_panel_main'); + includeLang('admin/adminpanel'); - $parse = $lang; - $parse['adm_sub_form1'] = ""; - $parse['adm_sub_form2'] = ""; - $parse['adm_sub_form3'] = ""; + $PanelMainTPL = gettemplate('admin/admin_panel_main'); - // Afficher les templates - if (isset($_GET['result'])) { - switch ($_GET['result']){ - case 'usr_search': - $Pattern = $_GET['player']; - $SelUser = doquery("SELECT * FROM {{table}} WHERE `username` LIKE '%". $Pattern ."%' LIMIT 1;", 'users', true); - $UsrMain = doquery("SELECT `name` FROM {{table}} WHERE `id` = '". $SelUser['id_planet'] ."';", 'planets', true); + $parse = $lang; + $parse['adm_sub_form1'] = ""; + $parse['adm_sub_form2'] = ""; + $parse['adm_sub_form3'] = ""; - $bloc = $lang; - $bloc['answer1'] = $SelUser['id']; - $bloc['answer2'] = $SelUser['username']; - $bloc['answer3'] = $SelUser['user_lastip']; - $bloc['answer4'] = $SelUser['email']; - $bloc['answer5'] = $lang['adm_usr_level'][ $SelUser['authlevel'] ]; - $bloc['answer6'] = $lang['adm_usr_genre'][ $SelUser['sex'] ]; - $bloc['answer7'] = "[".$SelUser['id_planet']."] ".$UsrMain['name']; - $bloc['answer8'] = "[".$SelUser['galaxy'].":".$SelUser['system'].":".$SelUser['planet']."] "; - $SubPanelTPL = gettemplate('admin/admin_panel_asw1'); - $parse['adm_sub_form2'] = parsetemplate( $SubPanelTPL, $bloc ); - break; + // Afficher les templates + if (isset($_GET['result'])) { - case 'usr_data': - $Pattern = $_GET['player']; - $SelUser = doquery("SELECT * FROM {{table}} WHERE `username` LIKE '%". $Pattern ."%' LIMIT 1;", 'users', true); - $UsrMain = doquery("SELECT `name` FROM {{table}} WHERE `id` = '". 
$SelUser['id_planet'] ."';", 'planets', true); + switch ($_GET['result']){ + case 'usr_search': + $pattern = mysql_real_escape_string($_GET['player']); + $SelUser = doquery("SELECT * FROM {{table}} WHERE `username` LIKE '%". $pattern ."%' LIMIT 1;", 'users', true); + $UsrMain = doquery("SELECT `name` FROM {{table}} WHERE `id` = '". $SelUser['id_planet'] ."';", 'planets', true); - $bloc = $lang; - $bloc['answer1'] = $SelUser['id']; - $bloc['answer2'] = $SelUser['username']; - $bloc['answer3'] = $SelUser['user_lastip']; - $bloc['answer4'] = $SelUser['email']; - $bloc['answer5'] = $lang['adm_usr_level'][ $SelUser['authlevel'] ]; - $bloc['answer6'] = $lang['adm_usr_genre'][ $SelUser['sex'] ]; - $bloc['answer7'] = "[".$SelUser['id_planet']."] ".$UsrMain['name']; - $bloc['answer8'] = "[".$SelUser['galaxy'].":".$SelUser['system'].":".$SelUser['planet']."] "; - $SubPanelTPL = gettemplate('admin/admin_panel_asw1'); - $parse['adm_sub_form1'] = parsetemplate( $SubPanelTPL, $bloc ); + $bloc = $lang; + $bloc['answer1'] = $SelUser['id']; + $bloc['answer2'] = $SelUser['username']; + $bloc['answer3'] = $SelUser['user_lastip']; + $bloc['answer4'] = $SelUser['email']; + $bloc['answer5'] = $lang['adm_usr_level'][ $SelUser['authlevel'] ]; + $bloc['answer6'] = $lang['adm_usr_genre'][ $SelUser['sex'] ]; + $bloc['answer7'] = "[".$SelUser['id_planet']."] ".$UsrMain['name']; + $bloc['answer8'] = "[".$SelUser['galaxy'].":".$SelUser['system'].":".$SelUser['planet']."] "; + $SubPanelTPL = gettemplate('admin/admin_panel_asw1'); + $parse['adm_sub_form2'] = parsetemplate( $SubPanelTPL, $bloc ); + break; - $parse['adm_sub_form2'] = ""; - $parse['adm_sub_form2'] .= ""; - $UsrColo = doquery("SELECT * FROM {{table}} WHERE `id_owner` = '". $SelUser['id'] ." 
ORDER BY `galaxy` ASC, `planet` ASC, `system` ASC, `planet_type` ASC';", 'planets'); - while ( $Colo = mysql_fetch_assoc($UsrColo) ) { - if ($Colo['id'] != $SelUser['id_planet']) { - $parse['adm_sub_form2'] .= ""; - $parse['adm_sub_form2'] .= ""; - $parse['adm_sub_form2'] .= ""; - $parse['adm_sub_form2'] .= ""; - } - } - $parse['adm_sub_form2'] .= "
".$lang['adm_colony']."
".$Colo['id']."". (($Colo['planet_type'] == 1) ? $lang['adm_planet'] : $lang['adm_moon'] ) ."[".$Colo['galaxy'].":".$Colo['system'].":".$Colo['planet']."]".$Colo['name']."
"; + case 'usr_data': + $pattern = mysql_real_escape_string($_GET['player']); + $SelUser = doquery("SELECT * FROM {{table}} WHERE `username` LIKE '%". $pattern ."%' LIMIT 1;", 'users', true); + $UsrMain = doquery("SELECT `name` FROM {{table}} WHERE `id` = '". $SelUser['id_planet'] ."';", 'planets', true); - $parse['adm_sub_form3'] = ""; - $parse['adm_sub_form3'] .= ""; - for ($Item = 100; $Item <= 199; $Item++) { - if ($resource[$Item] != "") { - $parse['adm_sub_form3'] .= ""; - $parse['adm_sub_form3'] .= ""; - } - } - $parse['adm_sub_form3'] .= "
".$lang['adm_technos']."
".$lang['tech'][$Item]."".$SelUser[$resource[$Item]]."
"; - break; + $bloc = $lang; + $bloc['answer1'] = $SelUser['id']; + $bloc['answer2'] = $SelUser['username']; + $bloc['answer3'] = $SelUser['user_lastip']; + $bloc['answer4'] = $SelUser['email']; + $bloc['answer5'] = $lang['adm_usr_level'][ $SelUser['authlevel'] ]; + $bloc['answer6'] = $lang['adm_usr_genre'][ $SelUser['sex'] ]; + $bloc['answer7'] = "[".$SelUser['id_planet']."] ".$UsrMain['name']; + $bloc['answer8'] = "[".$SelUser['galaxy'].":".$SelUser['system'].":".$SelUser['planet']."] "; + $SubPanelTPL = gettemplate('admin/admin_panel_asw1'); + $parse['adm_sub_form1'] = parsetemplate( $SubPanelTPL, $bloc ); - case 'usr_level': - $Player = $_GET['player']; - $NewLvl = $_GET['authlvl']; + $parse['adm_sub_form2'] = ""; + $parse['adm_sub_form2'] .= ""; + $UsrColo = doquery("SELECT * FROM {{table}} WHERE `id_owner` = '". $SelUser['id'] ." ORDER BY `galaxy` ASC, `planet` ASC, `system` ASC, `planet_type` ASC';", 'planets'); + while ( $Colo = mysql_fetch_assoc($UsrColo) ) { + if ($Colo['id'] != $SelUser['id_planet']) { + $parse['adm_sub_form2'] .= ""; + $parse['adm_sub_form2'] .= ""; + $parse['adm_sub_form2'] .= ""; + $parse['adm_sub_form2'] .= ""; + } + } + $parse['adm_sub_form2'] .= "
".$lang['adm_colony']."
".$Colo['id']."". (($Colo['planet_type'] == 1) ? $lang['adm_planet'] : $lang['adm_moon'] ) ."[".$Colo['galaxy'].":".$Colo['system'].":".$Colo['planet']."]".$Colo['name']."
"; - $QryUpdate = doquery("UPDATE {{table}} SET `authlevel` = '".$NewLvl."' WHERE `username` = '".$Player."';", 'users'); - $Message = $lang['adm_mess_lvl1']. " ". $Player ." ".$lang['adm_mess_lvl2']; - $Message .= "".$lang['adm_usr_level'][ $NewLvl ]."!"; + $parse['adm_sub_form3'] = ""; + $parse['adm_sub_form3'] .= ""; + for ($Item = 100; $Item <= 199; $Item++) { + if ($resource[$Item] != "") { + $parse['adm_sub_form3'] .= ""; + $parse['adm_sub_form3'] .= ""; + } + } + $parse['adm_sub_form3'] .= "
".$lang['adm_technos']."
".$lang['tech'][$Item]."".$SelUser[$resource[$Item]]."
"; + break; - AdminMessage ( $Message, $lang['adm_mod_level'] ); - break; + case 'usr_level': + if (!isset($_GET['s']) || !isset($_SESSION['CSRF']) || $_GET['s'] !== $_SESSION['CSRF']) { + AdminMessage( + 'One have tried to overcome administration privilleges.', + 'Hacking attempt'); + break; + } - case 'ip_search': - $Pattern = $_GET['ip']; - $SelUser = doquery("SELECT * FROM {{table}} WHERE `user_lastip` = '". $ip ."' LIMIT 10;", 'users'); - $bloc = $lang; - $bloc['adm_this_ip'] = $Pattern; - while ( $Usr = mysql_fetch_assoc($SelUser) ) { - $UsrMain = doquery("SELECT `name` FROM {{table}} WHERE `id` = '". $Usr['id_planet'] ."';", 'planets', true); - $bloc['adm_plyer_lst'] .= "".$Usr['username']."[".$Usr['galaxy'].":".$Usr['system'].":".$Usr['planet']."] ".$UsrMain['name'].""; - } - $SubPanelTPL = gettemplate('admin/admin_panel_asw2'); - $parse['adm_sub_form2'] = parsetemplate( $SubPanelTPL, $bloc ); - break; - default: - break; - } - } + $player = isset($_GET['player']) ? mysql_real_escape_string($_GET['player']) : ''; + $level = isset($_GET['authlvl']) ? 
mysql_real_escape_string($_GET['authlvl']) : ''; - // Traiter les reponses aux formulaires - if (isset($_GET['action'])) { - $bloc = $lang; - switch ($_GET['action']){ - case 'usr_search': - $SubPanelTPL = gettemplate('admin/admin_panel_frm1'); - break; + if ($level >= $user['authlevel'] && $user['authlevel'] < 3) { + AdminMessage('Not enough privilleges to promote user.', $lang['adm_mod_level']); + break; + } - case 'usr_data': - $SubPanelTPL = gettemplate('admin/admin_panel_frm4'); - break; + $userData = doquery("SELECT id FROM {{table}} WHERE `username` = '".$player."';", 'users', true); + if (empty($user)) { + AdminMessage('No such user.', $lang['adm_mod_level']); + break; + } - case 'usr_level': - for ($Lvl = 0; $Lvl < 4; $Lvl++) { - $bloc['adm_level_lst'] .= ""; - } - $SubPanelTPL = gettemplate('admin/admin_panel_frm3'); - break; + doquery("UPDATE {{table}} SET `authlevel` = '{$level}' WHERE id={$userData['id']}", 'users'); + $message = $lang['adm_mess_lvl1']. " ". $player ." ".$lang['adm_mess_lvl2']; + $message .= "".$lang['adm_usr_level'][$level]."!"; - case 'ip_search': - $SubPanelTPL = gettemplate('admin/admin_panel_frm2'); - break; + AdminMessage($message, $lang['adm_mod_level']); + break; - default: - break; - } - $parse['adm_sub_form2'] = parsetemplate( $SubPanelTPL, $bloc ); - } + case 'ip_search': + $pattern = isset($_GET['ip']) ? mysql_real_escape_string($_GET['ip']) : ''; + $SelUser = doquery("SELECT * FROM {{table}} WHERE `user_lastip` = '". $pattern ."' LIMIT 10;", 'users'); + $bloc = $lang; + $bloc['adm_this_ip'] = $pattern; + while ( $Usr = mysql_fetch_assoc($SelUser) ) { + $UsrMain = doquery("SELECT `name` FROM {{table}} WHERE `id` = '". 
$Usr['id_planet'] ."';", 'planets', true); + $bloc['adm_plyer_lst'] .= "".$Usr['username']."[".$Usr['galaxy'].":".$Usr['system'].":".$Usr['planet']."] ".$UsrMain['name'].""; + } + $SubPanelTPL = gettemplate('admin/admin_panel_asw2'); + $parse['adm_sub_form2'] = parsetemplate( $SubPanelTPL, $bloc ); + break; + default: + break; + } + } - $page = parsetemplate( $PanelMainTPL, $parse ); - display( $page, $lang['panel_mainttl'], false, '', true ); - } else { - message( $lang['sys_noalloaw'], $lang['sys_noaccess'] ); - } + // Traiter les reponses aux formulaires + if (isset($_GET['action'])) { + $bloc = $lang; -?> \ No newline at end of file + $_SESSION['CSRF'] = sha1(uniqid(null, true)); + $bloc['csrf_hack'] = $_SESSION['CSRF']; + + switch ($_GET['action']){ + case 'usr_search': + $SubPanelTPL = gettemplate('admin/admin_panel_frm1'); + break; + + case 'usr_data': + $SubPanelTPL = gettemplate('admin/admin_panel_frm4'); + break; + + case 'usr_level': + for ($Lvl = 0; $Lvl < 4; $Lvl++) { + $bloc['adm_level_lst'] .= ""; + } + $SubPanelTPL = gettemplate('admin/admin_panel_frm3'); + break; + + case 'ip_search': + $SubPanelTPL = gettemplate('admin/admin_panel_frm2'); + break; + + default: + break; + } + $parse['adm_sub_form2'] = parsetemplate( $SubPanelTPL, $bloc ); + } + + $page = parsetemplate( $PanelMainTPL, $parse ); + display( $page, $lang['panel_mainttl'], false, '', true ); +} else { + message( $lang['sys_noalloaw'], $lang['sys_noaccess'] ); +} Index: templates/OpenGame/admin/admin_panel_frm3.tpl =================================================================== --- templates/OpenGame/admin/admin_panel_frm3.tpl (revision 1055) +++ templates/OpenGame/admin/admin_panel_frm3.tpl (working copy) @@ -2,6 +2,7 @@
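Review bot: The "No such user." guard in the new `usr_level` branch tests `empty($user)`, which is the logged-in admin's own record and is never empty at this point, so a failed lookup falls through to `doquery("UPDATE ... WHERE id=...")` with an empty id; it should read `if (empty($userData))`. In the same branch `$level` stays a raw (escaped) string, so `$level >= $user['authlevel']` and the `$lang['adm_usr_level'][$level]` lookup operate on unvalidated input — cast it with `(int)` instead, which also removes the need to escape it. The privilege check compares only the requested level against the caller's, never the target account's current `authlevel`, so a level-1 or level-2 panel user can demote a higher-ranked account; select `authlevel` alongside `id` and refuse when the target ranks at or above the caller. The CSRF token is `sha1(uniqid(null, true))`, which is time-derived rather than drawn from a CSPRNG; if the runtime permits, prefer `bin2hex(random_bytes(16))` (or `openssl_random_pseudo_bytes`) and compare it with `hash_equals`.
```php
case 'usr_level':
    // … unchanged: CSRF token check …
    $player = isset($_GET['player']) ? mysql_real_escape_string($_GET['player']) : '';
    // Levels are small integers (the form loop offers 0..3); an int cast rejects junk and needs no escaping.
    $level = isset($_GET['authlvl']) ? (int) $_GET['authlvl'] : 0;

    if ($level >= $user['authlevel'] && $user['authlevel'] < 3) {
        AdminMessage('Not enough privilleges to promote user.', $lang['adm_mod_level']);
        break;
    }

    $userData = doquery("SELECT id, authlevel FROM {{table}} WHERE `username` = '".$player."';", 'users', true);
    if (empty($userData)) { // was empty($user): that is the caller's own row, so the branch never fired
        AdminMessage('No such user.', $lang['adm_mod_level']);
        break;
    }
    // A non-top-level admin must not modify an account ranked at or above their own.
    if ($userData['authlevel'] >= $user['authlevel'] && $user['authlevel'] < 3) {
        AdminMessage('Not enough privilleges to promote user.', $lang['adm_mod_level']);
        break;
    }

    doquery("UPDATE {{table}} SET `authlevel` = '{$level}' WHERE id={$userData['id']}", 'users');
    // … unchanged: success message and AdminMessage call …
```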
+
{adm_mod_level}