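<?php
// modules/adduser.php -- "add user" module of the Athena admin area.
//
// Assumes (as the original did) an already-open mysql_* connection, because
// mysql_query()/mysql_real_escape_string() are called without a link argument,
// $_SESSION["userGROUPID"] populated by the login code, and these files relative
// to the working directory: ../includes/verify_no_special_chars.inc.php (defines
// verifyCHARS()), ../objects/adduserFORM.php, ../objects/userADDEDconfirm.php.
//
// Security properties of this version:
//  * Authorization is derived from the server-side session only; nothing in the
//    request can grant the "add users" right.
//  * Every value that reaches SQL is either cast to int or passed through
//    mysql_real_escape_string() (charset-aware, unlike addslashes()), and the
//    existence query runs only AFTER input validation has passed.
//  * The echoed username is HTML-escaped (it was previously reflected raw).
//
// Open points that need changes outside this file (left as NOTE(review)):
//  * No CSRF token: an authenticated user holding addUSERS can be made to create
//    an account via a cross-site POST. Add a per-session token to adduserFORM.php
//    and verify it here before doing anything.
//  * $_POST["group"] is not restricted, so anyone allowed to add users may put
//    the new account into ANY group, including a more privileged one. The
//    commented-out "canaddtogroup" lines suggest this was planned; validate
//    $groupID against the groups the acting user may assign.
//  * Passwords are hashed with MySQL PASSWORD(), which is unsalted and removed
//    in MySQL 8. Switching to password_hash()/password_verify() needs the
//    matching change in the login module, so it is not done here.
//  * verifyCHARS() also rejects special characters in the PASSWORD. With proper
//    escaping and hashing that restriction is unnecessary and only lowers
//    password entropy; consider dropping it for the password field.

//BEGIN - CHECK IF THE USER IS ALLOWED TO DO THIS IN CASE OF A $_GET HACK
//THIS ENSURES THAT THE USER DOES NOT ATTEMPT ON SLIPPING VARIABLES IN THE URL
//IN ORDER TO OBTAIN ACCESS TO ADMIN PRIVILIDGES
//
// A missing/odd session value means "not logged in" and is denied outright,
// rather than being turned into a (possibly valid) group id such as 0.
$canADDusers = false;
if (isset($_SESSION["userGROUPID"]) && is_scalar($_SESSION["userGROUPID"])) {
	$thisUSERGROUP = (int)$_SESSION["userGROUPID"]; // ath_groups_id is compared unquoted, i.e. numeric

	$getUSERperm = mysql_query("SELECT * FROM ath_groups WHERE " . //obtain permission values
	                           "ath_groups_id=" . $thisUSERGROUP);

	$checkUSER = $getUSERperm ? mysql_fetch_array($getUSERperm) : false;

	// The flag must be exactly 1; the driver may hand it back as the string "1",
	// hence the cast. Anything else (no row, NULL, other values) denies.
	$canADDusers = is_array($checkUSER)
	            && isset($checkUSER["ath_groups_addUSERS"])
	            && (int)$checkUSER["ath_groups_addUSERS"] === 1;
}
//END - CHECK FOR $_GET HACK

if (!$canADDusers) {
	echo("<p class=\"red\">You do not have permission to add new users!</p>");
}
elseif (!(isset($_POST["adduser"]) && $_POST["adduser"] === "Add User")) { //FORM NOT SUBMITTED YET: ENTER DATA
	include("../objects/adduserFORM.php");
}
else { //IF FORM SUBMITTED
	// Read every field exactly once, as a string. Absent or non-scalar fields
	// (e.g. username[]=x) become "" instead of raising notices or becoming "Array".
	$in = array();
	foreach (array("username", "password", "passwordconfirm", "name", "email",
	               "studentnum", "address", "phone", "group", "activate") as $field) {
		$in[$field] = (isset($_POST[$field]) && is_scalar($_POST[$field])) ? (string)$_POST[$field] : "";
	}
	$username = $in["username"]; // raw value, as before, in case an included object re-populates the form

	//THIS FILE CONTAINS A FUNCTION FOR VERIFYING THAT NO SPECIAL CHARS ARE USED.
	// require_once so a second inclusion of this module cannot redeclare verifyCHARS().
	require_once("../includes/verify_no_special_chars.inc.php");

	// All purely local validation happens BEFORE the database is touched, so no
	// unvalidated value is ever interpolated into SQL (the original ran the
	// existence query on the raw POST value first). The blank/mismatch checks
	// are therefore evaluated ahead of the "already exists" check.
	$error = "";
	if (!verifyCHARS($in["username"])) { //VERIFY NO SPECIAL CHARS
		$error = "<p class=\"red\">Please remove special characters like: ' @ # \$ etc. from the username.</p>";
	}
	elseif (!verifyCHARS($in["password"])) { //VERIFY NO SPECIAL CHARS
		$error = "<p class=\"red\">Please remove special characters like: ' @ # \$ etc. from the password.</p>";
	}
	elseif ($in["username"] === "") {
		$error = "<p class=\"red\">Username cannot be left blank.</p>";
	}
	elseif ($in["password"] !== $in["passwordconfirm"]) {
		$error = "<p class=\"red\">Password and Password Confirmation do not match.</p>";
	}

	$count = 0;
	if ($error === "") {
		// Existence check against the value that would actually be stored
		// (strip_tags'd), escaped for SQL even though verifyCHARS() already
		// rejects quotes -- the query must not depend on what that helper filters.
		$storedUSERNAME = strip_tags($in["username"]);
		$checkUSERNAMEexists = mysql_query("SELECT count(*) from ath_users WHERE " .
		                                   "ath_users_username='" . mysql_real_escape_string($storedUSERNAME) . "'");

		if (!$checkUSERNAMEexists) { //REPORT QUERY FAILURE
			echo("checkUSERNAMEexists failed in modules/adduser.php");
			echo(mysql_error()); // NOTE(review): discloses DB details to the browser; log it instead in production
			exit();
		}

		$count = (int)mysql_result($checkUSERNAMEexists, 0, 0);
		if ($count > 0) {
			// HTML-escape the reflected value; charset should match the page's encoding.
			$error = "<p class=\"red\">Username '" . htmlspecialchars($storedUSERNAME, ENT_QUOTES) . "' already exists.</p>";
		}
	}

	if ($error !== "") {
		echo($error);
		include("../objects/adduserFORM.php");
	}
	else {
		//ADD TO DATABASE
		// mysql_real_escape_string() replaces addslashes(): it honours the
		// connection charset and also escapes NUL and \x1a.
		$username    = mysql_real_escape_string(strip_tags($in["username"]));
		$password    = mysql_real_escape_string(strip_tags($in["password"]));
		$datecreated = date("Y-m-d");
		$groupID     = (int)$in["group"]; // numeric, like ath_groups_id in the permission query above
		$realname    = mysql_real_escape_string(strip_tags($in["name"]));
		$email       = mysql_real_escape_string(strip_tags($in["email"]));
		$studentNUM  = mysql_real_escape_string(strip_tags($in["studentnum"]));
		$address     = mysql_real_escape_string(strip_tags($in["address"]));
		$phone       = mysql_real_escape_string(strip_tags($in["phone"]));
		$loginsNUM   = 0;
		// The form's value format for "activate" is not visible here, so it is
		// kept as submitted and only escaped (previously it was interpolated raw).
		$active      = mysql_real_escape_string($in["activate"]);
		//$addtoGROUP = $_POST["canaddtogroup"];
		$locked      = 0;

		$INSERTuser = mysql_query("INSERT INTO ath_users SET " .
		                          "ath_users_username='$username', " .
		                          "ath_users_password=PASSWORD('$password'), " .
		                          "ath_users_datecreated='$datecreated', " .
		                          "ath_users_groupID='$groupID', " .
		                          "ath_users_realname='$realname', " .
		                          "ath_users_email='$email', " .
		                          "ath_users_studentNUM='$studentNUM', " .
		                          "ath_users_address='$address', " .
		                          "ath_users_phone='$phone', " .
		                          "ath_users_loginsNUM='$loginsNUM', " .
		                          "ath_users_active='$active', " .
		                          //"ath_users_addtoGROUP='$addtoGROUP', " .
		                          "ath_users_LOCKED='$locked'");

		if (!$INSERTuser) {
			echo("<p class=\"red\">INSTERTuser failed in adduser.php</p>");
			echo(mysql_error()); // NOTE(review): as above, should go to a log rather than the response
			exit();
		}

		include("../objects/userADDEDconfirm.php");
	}
}
?>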
