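<?php
// -------------------------------------------------------------
//
// FILENAME : adminpages.php
// COPYRIGHT : © 2003, 2004, 2005, 2006 Espen Andersson
// WWW : http://ebascripts.com/
//
// -------------------------------------------------------------
//
// Administration of the public "webpages": delete pages, create a new
// page, edit a page's title/content and set or change its password.
// Every page is a DB row (WEBPAGES_TABLE) plus a file
// public/webpages/<filename>.php whose content is edited here.
define('ADMIN_DIR', './');
include_once ADMIN_DIR . 'includes/page_start.php';
include_once ADMIN_DIR . 'includes/top.php';

/*
Build the filesystem path of a webpage file from its stored name.
Returns false when the name could leave the webpages directory
(empty, NUL byte, path separators or ".."), so callers must check
the result before touching the filesystem.
*/
function adminpages_webpage_path($filename)
{
    if (!is_string($filename) || $filename === ''
        || strpos($filename, "\0") !== false
        || strpos($filename, '/') !== false
        || strpos($filename, '\\') !== false
        || strpos($filename, '..') !== false
        || $filename !== basename($filename)) {
        return false;
    }
    return ADMIN_DIR . 'public/webpages/' . $filename . '.php';
}

// Level 3 or higher required; a missing session level counts as 0,
// so an unauthenticated request is refused as well.
$user_level = isset($_SESSION['sess_user_level']) ? (int) $_SESSION['sess_user_level'] : 0;
if ($user_level < 3) {
    $auth->not_authorized();
}
$id = isset($_GET['id']) ? number_input($_GET['id']) : 0;
$expectedVars->check_get(array('id', 'sort', 'act', 'page'));
$expectedVars->check_post(array('submit'));

/*
Delete webpages
*/
if (isset($_POST['delete']) && is_array($_POST['delete']) && sizeof($_POST['delete']) > 0) {
    // Ids are cast to int before they reach the query: the raw POST
    // values were previously concatenated into SQL unescaped.
    $delete_ids = array();
    foreach ($_POST['delete'] as $delete_id) {
        $delete_id = (int) $delete_id;
        $delete_ids[] = $delete_id;
        $filename = $sql_db->result($sql_db->query('SELECT `filename`
            FROM `' . WEBPAGES_TABLE . '`
            WHERE `id` = \'' . $delete_id . '\'', __FILE__, __LINE__));
        $path = adminpages_webpage_path($filename);
        if ($path !== false && is_file($path)) {
            unlink($path);
        }
    }
    $sql_db->query('DELETE FROM `' . WEBPAGES_TABLE . '`
        WHERE `id` IN (' . implode(', ', $delete_ids) . ')', __FILE__, __LINE__);
    $hits = $sql_db->result($sql_db->query('SELECT COUNT(`id`) AS `hits`
        FROM `' . WEBPAGES_TABLE . '`', __FILE__, __LINE__));
    // Table empty again: truncate so auto_increment restarts at 0.
    if ((int) $hits === 0) {
        $sql_db->truncate(WEBPAGES_TABLE);
    }
    redirect('adminpages.php');
}

/*
Update webpage password
*/
if (isset($_GET['act']) && $_GET['act'] === 'update') {
    /*
    Get current info
    */
    $result = $sql_db->query('SELECT `password`, `password_salt`
        FROM `' . WEBPAGES_TABLE . '`
        WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);
    $row = $sql_db->fetch_object($result);
    $current_pwd = (isset($_POST['current_pwd']) && is_string($_POST['current_pwd']))
        ? $_POST['current_pwd'] : null;
    $check = false;
    if ($row) {
        $has_password = ($row->password !== null && $row->password !== '');
        if ($has_password && $current_pwd !== null) {
            /*
            Recreate the stored hash with the saved salt and compare it
            in constant time; no input validation is needed because
            sha1() only ever yields a-f and 0-9.
            */
            $post_current_password = sha1($row->password_salt . sha1($current_pwd . $row->password_salt));
            $check = hash_equals((string) $row->password, $post_current_password);
        } elseif (!$has_password && $current_pwd === '') {
            /*
            No password stored yet and an empty current password was
            submitted: the user is requesting a password for the first time.
            */
            $check = true;
        }
    }
    /*
    Only one of the valid cases updates the password and salt fields.
    An empty new password removes the protection (both fields set to NULL).
    */
    if ($check) {
        $salt = $password = 'NULL';
        if (isset($_POST['new_pwd']) && is_string($_POST['new_pwd']) && strlen($_POST['new_pwd']) > 0) {
            $salt = gen_salt();
            $password = '\'' . sha1($salt . sha1($_POST['new_pwd'] . $salt)) . '\'';
            $salt = '\'' . $salt . '\'';
        }
        $sql_db->query('UPDATE `' . WEBPAGES_TABLE . '`
            SET `password` = ' . $password . '
            WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);
        $sql_db->query('UPDATE `' . WEBPAGES_TABLE . '`
            SET `password_salt` = ' . $salt . '
            WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);
    }
}

$header = GenImage(ADMIN_DIR . 'templates/images/lang_' . LANGUAGE . '/top_administrate_webpages.gif', lang('a_header_admin_webpages'));
echo '<div class="top"><div id="img">' . $header . '</div></div>';

/*
Create webpage
*/
if (isset($_GET['act']) && $_GET['act'] === 'create') {
    $new_title = (isset($_POST['webpage_title']) && is_string($_POST['webpage_title']))
        ? $_POST['webpage_title'] : '';
    $new_filename = (isset($_POST['webpage_filename']) && is_string($_POST['webpage_filename']))
        ? $_POST['webpage_filename'] : '';
    // New names are restricted to plain characters: no separators or dots
    // (no traversal) and nothing sql_input() would alter, so the name in
    // the DB and the name on disk stay identical.
    $new_path = (preg_match('/^[A-Za-z0-9_-]+$/', $new_filename) === 1)
        ? adminpages_webpage_path($new_filename) : false;
    if ($new_title !== '' && $new_path !== false) {
        $webpage_title = '\'' . sql_input($new_title) . '\'';
        $webpage_filename = '\'' . sql_input($new_filename) . '\'';
        $webpage_html = isset($_POST['webpage_html']) ? 1 : 0;
        $password = $salt = 'NULL';
        if (isset($_POST['webpage_password']) && is_string($_POST['webpage_password'])
            && strlen($_POST['webpage_password']) > 0) {
            $salt = gen_salt();
            $password = '\'' . sha1($salt . sha1($_POST['webpage_password'] . $salt)) . '\'';
            $salt = '\'' . $salt . '\'';
        }
        // Create the (empty) page file; the handle was previously never
        // closed. The DB row is only inserted when the file exists.
        $handle = fopen($new_path, 'w');
        if ($handle !== false) {
            fclose($handle);
            chmod($new_path, 0744); // attempt to chmod
            $sql_db->query('INSERT INTO `' . WEBPAGES_TABLE . '`
                (`title`, `filename`, `html`, `password`, `password_salt`)
                VALUES(' . $webpage_title . ', ' . $webpage_filename . ', \'' . $webpage_html . '\',
                ' . $password . ', ' . $salt . ')', __FILE__, __LINE__);
        }
    }
    redirect('adminpages.php');
}

$start = $page_number = 1;
$order_by = 'id';
$numrows = 0;
if ($id > 0) {
    /*
    Edit a single webpage
    */
    if (isset($_GET['act']) && $_GET['act'] === 'update') {
        $webpage_title = (isset($_POST['webpage_title']) && is_string($_POST['webpage_title']))
            ? '\'' . sql_input($_POST['webpage_title']) . '\'' : 'NULL';
        $webpage_content = (isset($_POST['text']) && is_string($_POST['text'])) ? $_POST['text'] : '';
        $webpage_html = isset($_POST['webpage_html']) ? 1 : 0;
        /*
        Title and content are both required, so a reload or an outdated
        session cannot clear an existing file.
        */
        if ($webpage_title !== 'NULL' && strlen($webpage_content) > 0) {
            $sql_db->query('UPDATE `' . WEBPAGES_TABLE . '`
                SET `title` = ' . $webpage_title . ',
                `html` = \'' . $webpage_html . '\'
                WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);
            $result = $sql_db->query('SELECT *
                FROM `' . WEBPAGES_TABLE . '`
                WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);
            $row = $sql_db->fetch_object($result);
            $path = $row ? adminpages_webpage_path($row->filename) : false;
            if ($path === false) {
                redirect('adminpages.php');
            }
            // The submitted text is written verbatim: it is the page source
            // and is entered by an administrator (level >= 3).
            $file = fopen($path, 'w');
            if ($file !== false) {
                fwrite($file, $webpage_content);
                fclose($file);
            }
        } else {
            redirect('adminpages.php?id=' . $id);
        }
    } else {
        $result = $sql_db->query('SELECT *
            FROM `' . WEBPAGES_TABLE . '`
            WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);
        $row = $sql_db->fetch_object($result);
    }
    // Unknown id or unsafe stored filename: back to the overview instead
    // of rendering with a missing row.
    $path = $row ? adminpages_webpage_path($row->filename) : false;
    if ($path === false) {
        redirect('adminpages.php');
    }
    $content = is_file($path) ? file_get_contents($path) : '';
    if ($content === false) {
        $content = '';
    }
    $page = new Page(ADMIN_DIR . 'templates/webpages_admin.tpl');
    $page->replace_tags(array(
        'INPUT_TEXT' => print_input_field($content),
        'INPUT_TITLE' => $row->title,
        'INPUT_HTML' => ($row->html == 0) ? '' : 'checked="checked"',
        'MESSAGE' => '',
        'ROW->id' => $row->id
    ));
    $page->output_page();
} else {
    /*
    Overview: paging values
    */
    $numrows = $sql_db->result($sql_db->query('SELECT COUNT(`id`)
        AS `count`
        FROM `' . WEBPAGES_TABLE . '`', __FILE__, __LINE__));
    if ((int) $numrows === 0) {
        echo GenInfoBox('admininfo', lang('empty_table'));
    } else {
        $page_number = ceil($numrows / ROWS_PER_PAGE);
        $page_no = isset($_GET['page']) ? number_input($_GET['page'], 1) : 1;
        $start = ($page_no * ROWS_PER_PAGE) - ROWS_PER_PAGE;
    }
}
// Only the numeric page value goes back into the template (the raw
// $_GET['page'] string was previously echoed unescaped).
$page_url = isset($_GET['page']) ? '&page=' . number_input($_GET['page'], 1) : '';

if ($id == 0 && $numrows > 0) {
    $page = new Page(ADMIN_DIR . 'templates/webpages_top.tpl');
    $page->replace_tags(array('PAGE' => $page_url));
    $page->output_page();
    $result = $sql_db->query('SELECT *
        FROM `' . WEBPAGES_TABLE . '`
        ORDER BY ' . $order_by . '
        DESC', __FILE__, __LINE__);
    while ($row = $sql_db->fetch_object($result)) {
        $page = new Page(ADMIN_DIR . 'templates/webpages_middle.tpl');
        $page->replace_tags(array(
            'ROW->id' => $row->id,
            'ROW->title' => $row->title,
            'ROW->filename' => $row->filename
        ));
        $page->output_page();
    }
    $page = new Page(ADMIN_DIR . 'templates/webpages_bottom.tpl');
    $page->output_page();
}

if ($id == 0) {
    $page = new Page(ADMIN_DIR . 'templates/webpages_create.tpl');
    $page->output_page();
}
include_once ADMIN_DIR . 'includes/bottom.php';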