<?php

// -------------------------------------------------------------
//
// FILENAME		: adminpages.php
// COPYRIGHT	: © 2003, 2004, 2005, 2006 Espen Andersson
// WWW				: http://ebascripts.com/
//
// -------------------------------------------------------------

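define('ADMIN_DIR', './');

include_once ADMIN_DIR . 'includes/page_start.php';
include_once ADMIN_DIR . 'includes/top.php';

/*
	Webpage administration needs user level 3 or higher. A missing session
	key counts as "not logged in" and is denied without raising a notice;
	not_authorized() is expected to end the request (it comes from the
	includes above - confirm).
*/

if (!isset($_SESSION['sess_user_level']) || $_SESSION['sess_user_level'] < 3) {
	$auth->not_authorized();
}

// Page id from the query string, normalised by number_input(); 0 selects listing mode.
$id = isset($_GET['id']) ? number_input($_GET['id']) : 0;

// Declare the request parameters this page expects ($expectedVars comes from the includes).
$expectedVars->check_get(array('id', 'sort', 'act', 'page'));
$expectedVars->check_post(array('submit'));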

/*
	Delete webpages
*/

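if (isset($_POST['delete']) && is_array($_POST['delete']) && sizeof($_POST['delete']) > 0) {
	/*
		Normalise the submitted ids to positive integers before they reach
		the query; the raw POST values used to be interpolated into the SQL
		unchanged. A separate loop variable keeps the page-level $id (from
		the query string) intact.
	*/

	$delete_ids = array();

	foreach ($_POST['delete'] as $posted_id) {
		$delete_id = is_scalar($posted_id) ? (int) $posted_id : 0;

		if ($delete_id > 0) {
			$delete_ids[$delete_id] = $delete_id;
		}
	}

	if (sizeof($delete_ids) > 0) {
		foreach ($delete_ids as $delete_id) {
			$filename = $sql_db->result($sql_db->query('SELECT `filename`
			  FROM `' . WEBPAGES_TABLE . '`
			  WHERE `id` = \'' . $delete_id . '\'', __FILE__, __LINE__));

			/*
				The stored filename becomes part of a filesystem path, so the
				file is only removed when the name is plain: no directory
				separators and no NUL byte. Rows with an unusable name are
				still deleted from the table; their file, if any, is left for
				manual cleanup.
			*/

			if (is_string($filename) && $filename !== ''
			  && strpos($filename, '/') === false
			  && strpos($filename, '\\') === false
			  && strpos($filename, "\0") === false) {
				$path = ADMIN_DIR . 'public/webpages/' . $filename . '.php';

				if (is_file($path)) {
					unlink($path);
				}
			}
		}

		$sql_db->query('DELETE FROM `' . WEBPAGES_TABLE . '`
		  WHERE `id` IN (' . implode(', ', $delete_ids) . ')', __FILE__, __LINE__);

		$hits = $sql_db->result($sql_db->query('SELECT COUNT(`id`) AS `hits`
		  FROM `' . WEBPAGES_TABLE . '`', __FILE__, __LINE__));

		// Reset the table (and its auto_increment) once it is empty.
		if ($hits == 0) {
			$sql_db->truncate(WEBPAGES_TABLE);
		}
	}

	redirect('adminpages.php');
}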

/*
	Update webpage password
*/

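if (isset($_GET['act']) && $_GET['act'] == 'update'
  && isset($_POST['current_pwd']) && is_string($_POST['current_pwd'])) {
	/*
		Only the password form posts `current_pwd`; the page-content form
		(handled further down for the same `act`) does not, so it is skipped
		here instead of being hashed as an empty string.
	*/

	$current_pwd = $_POST['current_pwd'];

	/*
		Get current info. fetch_object() yields no object for an unknown id,
		in which case there is nothing to verify or update.
	*/

	$result = $sql_db->query('SELECT `password`, `password_salt`
	  FROM `' . WEBPAGES_TABLE . '`
	  WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);

	$row = $sql_db->fetch_object($result);

	if (is_object($row)) {
		/*
			Recompute the stored scheme, sha1(salt . sha1(password . salt)), with
			the saved salt so the entered password can be compared to the hash.
			sha1() yields only a-f and 0-9, so the POST value needs no escaping
			here. The scheme is kept for compatibility with existing rows;
			password_hash() would be the modern replacement.
		*/

		$post_current_password = sha1($row->password_salt . sha1($current_pwd . $row->password_salt));

		/*
			Valid when the entered password matches the stored hash, or when
			the page has no password yet and the entered one is empty (the
			first-time request). "No password" means NULL or '' in the column,
			spelled out explicitly instead of a loose == NULL comparison.
		*/

		$check = ($row->password === $post_current_password)
		  || ($current_pwd === '' && ($row->password === NULL || $row->password === ''));

		if ($check) {
			/*
				A non-empty `new_pwd` sets a fresh salt and hash; an empty one
				clears both (NULL), i.e. removes the password.
			*/

			$salt = $password = 'NULL';

			if (isset($_POST['new_pwd']) && is_string($_POST['new_pwd']) && strlen($_POST['new_pwd']) > 0) {
				$salt = gen_salt(); // interpolated unescaped, as elsewhere in this file - confirm it yields SQL-safe characters
				$password = '\'' . sha1($salt . sha1($_POST['new_pwd'] . $salt)) . '\'';
				$salt = '\'' . $salt . '\'';
			}

			// Hash and salt belong together; one statement keeps them consistent.
			$sql_db->query('UPDATE `' . WEBPAGES_TABLE . '`
			  SET `password` = ' . $password . ',
			  `password_salt` = ' . $salt . '
			  WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);
		}
	}
}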

// Localised header image for the webpages section, wrapped in the top-bar markup.
$header = GenImage(
  ADMIN_DIR . 'templates/images/lang_' . LANGUAGE . '/top_administrate_webpages.gif',
  lang('a_header_admin_webpages')
);

printf('<div class="top"><div id="img">%s</div></div>', $header);

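if (isset($_GET['act']) && $_GET['act'] == 'create') {
	$posted_title = (isset($_POST['webpage_title']) && is_string($_POST['webpage_title'])) ? $_POST['webpage_title'] : '';
	$posted_filename = (isset($_POST['webpage_filename']) && is_string($_POST['webpage_filename'])) ? $_POST['webpage_filename'] : '';

	/*
		The filename names a file created under public/webpages/ as well as a
		table column, so it must be a plain name: no directory separators and
		no NUL byte. sql_input() presumably escapes for SQL only; it does not
		make a value safe as a path.
	*/

	$filename_is_plain = strpos($posted_filename, '/') === false
	  && strpos($posted_filename, '\\') === false
	  && strpos($posted_filename, "\0") === false;

	if (!empty($posted_title) && !empty($posted_filename) && $filename_is_plain) {
		$webpage_title = '\'' . sql_input($posted_title) . '\'';
		$webpage_filename = '\'' . sql_input($posted_filename) . '\'';
		$webpage_html = isset($_POST['webpage_html']) ? 1 : 0;

		$password = $salt = 'NULL';

		if (isset($_POST['webpage_password']) && is_string($_POST['webpage_password']) && strlen($_POST['webpage_password']) > 0) {
			$salt = gen_salt();

			$password = '\'' . sha1($salt . sha1($_POST['webpage_password'] . $salt)) . '\'';
			$salt = '\'' . $salt . '\'';
		}

		/*
			Create webpage: an empty file whose body is written by the update
			action. The path uses the raw name so it matches `filename` as it
			is read back from the table later (the SQL-escaped form differs
			when the name contains quotes or backslashes). An existing file is
			never truncated, and the row is only inserted once the file exists
			so the table and the directory stay in step.
		*/

		$path = ADMIN_DIR . 'public/webpages/' . $posted_filename . '.php';

		if (!file_exists($path)) {
			$handle = fopen($path, 'w');

			if ($handle !== false) {
				fclose($handle);
				chmod($path, 0744); // attempt to chmod

				/*
					Insert to DB
				*/

				$sql_db->query('INSERT INTO `' . WEBPAGES_TABLE . '`
				  (`title`, `filename`, `html`, `password`, `password_salt`)
				  VALUES(' . $webpage_title . ', ' . $webpage_filename . ', \'' . $webpage_html . '\',
				  ' . $password . ', ' . $salt . ')', __FILE__, __LINE__);
			}
		}
	}

	redirect('adminpages.php');
}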

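$start = $page_number = 1;
$order_by = 'id';

if ($id > 0) {
	/*
		Edit mode for a single page. The body lives on disk as
		public/webpages/<filename>.php and is written verbatim from the form,
		so it is PHP authored by level-3+ users (gated at the top of this
		script); `title` and `html` live in the table.
	*/

	$pending_content = NULL;

	if (isset($_GET['act']) && $_GET['act'] == 'update') {
		$webpage_title = (isset($_POST['webpage_title']) && is_string($_POST['webpage_title'])) ? '\'' . sql_input($_POST['webpage_title']) . '\'' : 'NULL';
		$webpage_content = (isset($_POST['text']) && is_string($_POST['text'])) ? $_POST['text'] : '';
		$webpage_html = isset($_POST['webpage_html']) ? 1 : 0;

		/*
			To prevent reload/outdated sessions problems causing files to be cleared
		*/

		if ($webpage_title != 'NULL' && strlen($webpage_content) > 0) {
			$sql_db->query('UPDATE `' . WEBPAGES_TABLE . '`
			  SET `title` = ' . $webpage_title . ',
			  `html` = \'' . $webpage_html . '\'
			  WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);

			$pending_content = $webpage_content;
		} else {
			redirect('adminpages.php?id=' . $id);
		}
	}

	$result = $sql_db->query('SELECT *
	  FROM `' . WEBPAGES_TABLE . '`
	  WHERE `id` = \'' . $id . '\'', __FILE__, __LINE__);

	$row = $sql_db->fetch_object($result);

	/*
		The stored filename is spliced into a path, so the file is only touched
		when the row exists and the name is plain (no directory separators, no
		NUL byte).
	*/

	$row_filename_is_plain = is_object($row) && is_string($row->filename)
	  && strpos($row->filename, '/') === false
	  && strpos($row->filename, '\\') === false
	  && strpos($row->filename, "\0") === false;

	if (!$row_filename_is_plain) {
		// Unknown id or unusable stored filename: nothing to edit.
		redirect('adminpages.php');
	} else {
		$path = ADMIN_DIR . 'public/webpages/' . $row->filename . '.php';

		if ($pending_content !== NULL) {
			$file = fopen($path, 'w');

			if ($file !== false) {
				fwrite($file, $pending_content);
				fclose($file);
			}
		}

		// A missing file renders as an empty editor instead of passing false on.
		$content = file_get_contents($path);

		if ($content === false) {
			$content = '';
		}

		$page = new Page(ADMIN_DIR . 'templates/webpages_admin.tpl');

		$page->replace_tags(array(
		  'INPUT_TEXT' => print_input_field($content),
		  'INPUT_TITLE' => $row->title,
		  'INPUT_HTML' => ($row->html == 0) ? '' : 'checked="checked"',
		  'MESSAGE' => '',
		  'ROW->id' => $row->id
		));

		$page->output_page();
	}
} else {
	$numrows = $sql_db->result($sql_db->query('SELECT COUNT(`id`) 
	  AS `count`
	  FROM `' . WEBPAGES_TABLE . '`', __FILE__, __LINE__));

	if ($numrows == 0) {
		echo GenInfoBox('admininfo', lang('empty_table'));
	} else {
		// Paging state for the listing; $page_url carries the normalised page number, not the raw GET value.
		$page_number = ceil($numrows / ROWS_PER_PAGE);
		$page = isset($_GET['page']) ? number_input($_GET['page'], 1) : 1;
		$start = ($page * ROWS_PER_PAGE) - ROWS_PER_PAGE;

		$page_url = isset($_GET['page']) ? '&amp;page=' . $page : '';
	}
}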

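/*
	$page_url is built by the listing branch above from the normalised page
	number, in exactly the case where it is used below. Default it otherwise
	instead of rebuilding it from the raw $_GET['page'], which would reach
	the template without escaping.
*/

if (!isset($page_url)) {
	$page_url = '';
}

if ($id == 0 && $numrows > 0) {
	$page = new Page(ADMIN_DIR . 'templates/webpages_top.tpl');
	$page->replace_tags(array('PAGE' => $page_url));
	$page->output_page();

	// $order_by is the fixed column set earlier in this file, so ORDER BY is not user-controlled.
	$result = $sql_db->query('SELECT *
	  FROM `' . WEBPAGES_TABLE . '`
	  ORDER BY ' . $order_by . '
	  DESC', __FILE__, __LINE__);

	// Row values are passed through as-is; whether replace_tags() escapes them is not visible here - confirm.
	while ($row = $sql_db->fetch_object($result)) {
		$page = new Page(ADMIN_DIR . 'templates/webpages_middle.tpl');

		$page->replace_tags(array(
		  'ROW->id' => $row->id,
		  'ROW->title' => $row->title,
		  'ROW->filename' => $row->filename
		));

		$page->output_page();
	}

	$page = new Page(ADMIN_DIR . 'templates/webpages_bottom.tpl');
	$page->output_page();
}

if ($id == 0) {
	$page = new Page(ADMIN_DIR . 'templates/webpages_create.tpl');
	$page->output_page();
}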

include_once ADMIN_DIR . 'includes/bottom.php';

?>