<?php
/*
+--------------------------------------------------------------------------
|  NovaBoard
|  ========================================
|  By The NovaBoard team
|  Released under the Artistic License 2.0
|  http://www.novaboard.net
|  ========================================
|+--------------------------------------------------------------------------
|   members.php - edit members
 
*/

// Direct-request guard: this page is only meant to run when included by the
// front controller, which defines NOVA_RUN.
if (!defined('NOVA_RUN')){
	echo "<h1>ACCESS DENIED</h1>You cannot access this file directly.";
	exit();
}

// Some links pass the member under 'idemail'; fold it into the generic 'id'
// parameter so the rest of the page only has one name to check.
if (isset($_GET['idemail'])){
	$_GET['id'] = $_GET['idemail'];
}

template_hook("pages/admin/members.template.php", "start");

// Moderator permission lookups for the current member. $my_id, $db_prefix,
// $Cache, $lang and the nova_* / escape_string / strip_slashes helpers are not
// defined in this file; they come from the including script.
// NOTE(review): $my_id is interpolated straight into the query text --
// presumably an integer taken from the session; confirm where it is set.
$query2 = "select CAN_EDIT_MEMBERS from {$db_prefix}moderators WHERE MEMBER_ID='$my_id' AND CAN_EDIT_MEMBERS='1'" ;
$result2 = mysql_query($query2) or die("preview.php - Error in query: $query2") ;
$can_edit_members_count=mysql_num_rows($result2);

$query2 = "select CAN_BAN_MEMBERS from {$db_prefix}moderators WHERE MEMBER_ID='$my_id' AND CAN_BAN_MEMBERS='1'" ;
$result2 = mysql_query($query2) or die("preview.php - Error in query: $query2") ;
$can_ban_members_count=mysql_num_rows($result2);


// Both flags are only ever set to "1" here; nothing in this file initialises
// them to "0". NOTE(review): if the including script does not pre-set
// $can_edit_members, the check below compares an unset variable with '0',
// which is not a loose-equal match, so the redirect would be skipped -- verify
// that an earlier include always defines it.
if ($can_edit_members_count!='0'){
$can_edit_members="1";
}

// NOTE(review): $can_ban_members is computed but never consulted in this file
// (the 'ban' branch below is gated only by the edit permission).
if ($can_ban_members_count!='0'){
$can_ban_members="1";
}

if ($can_edit_members=='0'){

	nova_redirect("index.php?page=error&error=18","error/18");

}

else{

// --- Delete a member (POST: id, token_id, CSRF token) ---
if($_GET['func']=='delete'){

	$del_id		= (int) $_POST['id'];
	$token_id	= escape_string($_POST['token_id']);
	// The token name combines the member id with the client-supplied token_id;
	// the matching session entry is written by the 'edit' branch further down.
	$token_name	= 'token_members_' . $del_id . $token_id;

	if (isset($_POST[$token_name]) && isset($_SESSION[$token_name]) && $_SESSION[$token_name] == $_POST[$token_name])
	{
		$query2121 = "select ROLE from {$db_prefix}members WHERE ID='$del_id'" ;
		$result2121 = mysql_query($query2121) or die("delete.php - Error in query: $query2121") ;
		
		$their_role = mysql_result($result2121, 0);
		
		// Members with role '1' are never deleted (presumably the admin role --
		// the meaning of the value is not defined in this file).
		if ($their_role!='1')
		{
			mysql_query("DELETE FROM {$db_prefix}members WHERE id='$del_id'")or die (mysql_error());
			
			// Refresh the "newest member" board statistic from the highest
			// remaining ID. If the table is empty the loop never runs and
			// $new_id / $new_name stay unset.
			$sql="SELECT ID, NAME FROM {$db_prefix}members ORDER BY ID desc LIMIT 1";
			$sql_result = mysql_query($sql) or die ("download.php - Error in query: $sql");
			
			while($row = mysql_fetch_array($sql_result))
			{
				$new_name = strip_slashes($row['NAME']);
				$new_id = $row['ID'];
			}
			
			// Also decrements the cached member count.
			mysql_query("UPDATE {$db_prefix}settings SET stats_member_id='$new_id', stats_member_name='$new_name', stats_members=stats_members-1");
			
			# Remove settings cache
			$Cache->delete('settings');
		}
		
		// perform auto-cache
		include "scripts/php/auto_cache.php";	
		
		template_hook("pages/admin/members.template.php", "form_1");
		
		nova_redirect("index.php?page=admin&act=members","admin/members");
	}
	else
	{
		// Missing or mismatched CSRF token.
		nova_redirect('index.php?page=error&error=28', 'error/28');
	}
}
// --- Toggle the banned flag (POST: id, token_id, CSRF token) ---
elseif($_GET['func']=='ban'){

	$member_id	= (int) $_POST['id'];
	$token_id	= escape_string($_POST['token_id']);
	$token_name	= 'token_members_' . $member_id . $token_id;

	if (isset($_POST[$token_name]) && isset($_SESSION[$token_name]) && $_SESSION[$token_name] == $_POST[$token_name])
	{
		// check if they have been banned already...
		// $banned / $banned_role stay unset when no row matches $member_id.
		$query2121 = "select BANNED, ROLE from {$db_prefix}members WHERE ID='$member_id'" ;
		$result2121 = mysql_query($query2121) or die("delete.php - Error in query: $query2121") ;
		while ($results2121 = mysql_fetch_array($result2121))
		{
			$banned = $results2121['BANNED'];
			$banned_role = $results2121['ROLE'];
		}
		
		// Ban only an unbanned member whose role is not '1'; every other case
		// (already banned, role '1', or no row found) writes banned='0'.
		if ($banned=='0' && $banned_role!='1')
		{
			mysql_query("UPDATE {$db_prefix}members SET banned='1' WHERE id='$member_id'");
		}
		else
		{
			mysql_query("UPDATE {$db_prefix}members SET banned='0' WHERE id='$member_id'");
		}

		template_hook("pages/admin/members.template.php", "form_2");

		nova_redirect(
			'index.php?page=admin&act=members&func=edit&id=' . $member_id,
			'admin/members/edit/' . $member_id
		);
	}
	else
	{
		nova_redirect('index.php?page=error&error=28', 'error/28');
	}
}
// --- Save the edit form (POST: post_edit plus the profile fields) ---
elseif ($_POST['post_edit']!=''){

// Unlike the delete/ban branches, $id is escaped rather than cast to int here.
$id = escape_string($_POST['id']);

$token_id = escape_string($_POST['token_id']);

$token_name = "token_members_$id$token_id";

 if (isset($_POST[$token_name]) && isset($_SESSION[$token_name]) && $_SESSION[$token_name] == $_POST[$token_name]){

if ($_POST['suspend']!=''){

// convert days to time...
// The escaped POST value is used directly in the arithmetic below.
$suspend_until  = escape_string($_POST['suspend']);
$suspend_until  = time() + ($suspend_until * 24 * 60 * 60);

mysql_query("UPDATE {$db_prefix}members SET suspend_date='$suspend_until' WHERE id='$id'");
}

$name		= escape_string($_POST['name']);
$role		= escape_string($_POST['role']);
$location	= escape_string($_POST['location']);
$nationality= escape_string($_POST['nationality']);
$email		= escape_string($_POST['email']);
$msn		= escape_string($_POST['msn']);
$aol		= escape_string($_POST['aol']);
$yahoo		= escape_string($_POST['yahoo']);
$skype		= escape_string($_POST['skype']);
$usertitle	= escape_string($_POST['usertitle']);
$xbox		= escape_string($_POST['xbox']);
$wii		= escape_string($_POST['wii']);
$ps3		= escape_string($_POST['ps3']);
$verify		= escape_string($_POST['verify']);
$moderate	= escape_string($_POST['moderate']);
$never_spam	= escape_string($_POST['never_spam']);

// Username uniqueness: reject the new name when another member already has it.
$query2 = "select NAME from {$db_prefix}members WHERE NAME='$name'" ;
$result2 = mysql_query($query2) or die("username.php - Error in query: $query2") ;
$count_names = mysql_num_rows($result2);

$query2 = "select NAME from {$db_prefix}members WHERE ID='$id'" ;
$result2 = mysql_query($query2) or die("username.php - Error in query: $query2") ;
$current_name = mysql_result($result2, 0);

// NOTE(review): nothing here stops execution after the redirect; if
// nova_redirect() returns instead of exiting, the UPDATEs below still run.
if ($count_names!='0' && $current_name!=$name){

	nova_redirect("index.php?page=error&error=37","error/37");

}

if ($_POST['change_password']!=''){

$password=escape_string($_POST['password']);


// Generate salt...
$salt = substr(md5(uniqid(rand(), true)), 0, 9);

// Salt the password
$password= md5($password . $salt);

$new_password_time=time();

// $show_gamer_tags is not defined in this file. The gamer-tag columns are only
// skipped in this branch; the no-password UPDATE further down always writes them.
if ($show_gamer_tags=='1'){

mysql_query("UPDATE {$db_prefix}members SET name='$name', role='$role', password='$password', pass_salt='$salt', password_time='$new_password_time', location='$location', nationality='$nationality', email='$email', msn='$msn', aol='$aol', yahoo='$yahoo', skype='$skype', usertitle='$usertitle', xbox='$xbox', wii='$wii', ps3='$ps3', verified='$verify', moderate='$moderate', never_spam='$never_spam' WHERE id='$id'");

}
else{

mysql_query("UPDATE {$db_prefix}members SET name='$name', role='$role', password='$password', pass_salt='$salt', password_time='$new_password_time', location='$location', nationality='$nationality', email='$email', msn='$msn', aol='$aol', yahoo='$yahoo', skype='$skype', usertitle='$usertitle', verified='$verify', moderate='$moderate', never_spam='$never_spam' WHERE id='$id'");

}

	// NOTE(review): these two lines rewrite the new-post notification strings
	// and reference $subscriber_name, which is not set in this file; nothing
	// below uses them, so they look like leftovers from another page -- verify.
	$lang['email_newpost_title'] = str_replace("<%forumname>", $forum_name, $lang['email_newpost_title']);
	
	$lang['email_newpost_content'] = str_replace("<%subscriber>", $subscriber_name, $lang['email_newpost_content']);

// Let the user know their password has been changed...

	$lang['email_members_pass_title'] = str_replace("<%sitename>", $site_name, $lang['email_members_pass_title']);
	
	$lang['email_members_pass_content'] = str_replace("<%subscriber>", $_POST['name'], $lang['email_members_pass_content']);
	$lang['email_members_pass_content'] = str_replace("<%sitename>", $site_name, $lang['email_members_pass_content']);
	// NOTE(review): the plaintext password from the form is placed in the
	// e-mail body, and the recipient below is the unvalidated $_POST['email']
	// from the same request rather than the address stored for the member.
	$lang['email_members_pass_content'] = str_replace("<%password>", $_POST['password'], $lang['email_members_pass_content']);
	$lang['email_members_pass_content'] = str_replace("<%site>", $nova_domain, $lang['email_members_pass_content']);
	
$message=$lang['email_members_pass_content'];

$outgoing=$_POST['email'];
$from="From: $site_name <$board_email>\r\n";
$subject=$lang['email_members_pass_title'];


mail($outgoing, $subject, $message, $from);

}
else{

// No password change: same profile update without the password columns.
mysql_query("UPDATE {$db_prefix}members SET name='$name', role='$role', location='$location', nationality='$nationality', email='$email', msn='$msn', aol='$aol', yahoo='$yahoo', skype='$skype', usertitle='$usertitle', xbox='$xbox', wii='$wii', ps3='$ps3', verified='$verify', moderate='$moderate', never_spam='$never_spam' WHERE id='$id'");
}

// Avatar removal: delete the member's post-less attachment rows and the files
// (plus "t_" thumbnails) they name, then clear the avatar columns.
if ($_POST['remove_avatar']==''){
}
else{

$query2121 = "select FILENAME from {$db_prefix}attachments WHERE POSTID='0' AND MEMBER='$id'" ;
$result2121 = mysql_query($query2121) or die("delete.php - Error in query: $query2121") ;
while ($results2121 = mysql_fetch_array($result2121)){
// $filename comes from the database row and is used as-is in the glob path.
$filename = strip_slashes($results2121['FILENAME']);

foreach (glob("uploads/avatar/$filename") as $filename_original) {
   unlink($filename_original);
}

foreach (glob("uploads/avatar/t_$filename") as $filename_thumb) {
   unlink($filename_thumb);
}


mysql_query("DELETE FROM {$db_prefix}attachments WHERE filename ='$filename'");

}

mysql_query("UPDATE {$db_prefix}members SET avatar='', remote_avatar='1' WHERE id='$id'");
}

if ($_POST['remove_signature']=='1'){
mysql_query("UPDATE {$db_prefix}members SET signature='' WHERE id='$id'");
}

// If the username has changed, email them to let them know...
// The placeholders are substituted unconditionally; only the mail() call is
// guarded. The "old" name is the one the form submitted in original_name, not
// $current_name fetched from the database above.

	$lang['email_members_name_title'] = str_replace("<%sitename>", $site_name, $lang['email_members_name_title']);

	$lang['email_members_name_content'] = str_replace("<%oldname>", $_POST['original_name'], $lang['email_members_name_content']);	
	$lang['email_members_name_content'] = str_replace("<%subscriber>", $_POST['name'], $lang['email_members_name_content']);
	$lang['email_members_name_content'] = str_replace("<%sitename>", $site_name, $lang['email_members_name_content']);
	$lang['email_members_name_content'] = str_replace("<%site>", $nova_domain, $lang['email_members_name_content']);

if ($_POST['original_name']!=$_POST['name']){

$message=$lang['email_members_name_content'];
$outgoing=$_POST['email'];
$from="From: $site_name <$board_email>\r\n";
$subject=$lang['email_members_name_title'];
mail($outgoing, $subject, $message, $from);
}

// if the group has been changed, PM them to let them know...
// The comparison is between two form-submitted values (original_role vs role).
if($_POST['original_role']!=$_POST['role']){

// Next PM topic id = highest existing TOPIC_ID + 1; $topic_id stays unset
// when the messages table is empty.
$query2167 = "select TOPIC_ID from {$db_prefix}messages ORDER BY TOPIC_ID desc LIMIT 1" ;
$result2167 = mysql_query($query2167) or die("members.php - Error in query: $query2167") ;
while ($results2167 = mysql_fetch_array($result2167)){
$topic_id = $results2167['TOPIC_ID'];
$topic_id=$topic_id+1;
}

$time=time();


$query21 = "select GROUP_NAME from {$db_prefix}groups WHERE GROUP_ID='$role'" ;
$result21 = mysql_query($query21) or die("members.php - Error in query: $query21");
$group_name = strip_slashes(mysql_result($result21, 0));

$message_name=escape_string($_POST['name']);

	$lang['email_members_group_content'] = str_replace("<%subscriber>", $message_name, $lang['email_members_group_content']);
	$lang['email_members_group_content'] = str_replace("<%group>", $group_name, $lang['email_members_group_content']);

$title=$lang['email_members_group_title'];
$member_to_from=escape_string($_POST['id']);

// $title / $content are taken from $lang and not passed through escape_string.
$content=$lang['email_members_group_content'];
$time=time();
mysql_query("INSERT INTO {$db_prefix}messages (topic_id, member_from, member_to, title, content, sent_time, last_post_time, hidden_from) VALUES ('$topic_id', '$my_id', '$member_to_from', '$title', '$content' ,'$time', '0', '1')");

}

// update custom profile fields...

// custom field update
// For every defined custom field, the submitted value arrives as POST
// "custom<ID>": insert it when the member has no row yet, delete the row when
// the value is empty, otherwise update the existing row.

$query4321 = "select ID from {$db_prefix}custom_fields ORDER BY ID desc";
$result4321 = mysql_query($query4321) or die("custom.php - Error in query: $query4321") ;
while ($results4321 = mysql_fetch_array($result4321)){
$field_id_field = $results4321['ID'];

$query432 = "select FIELD_ID from {$db_prefix}custom_members WHERE MEMBER_ID='$id' AND FIELD_ID='$field_id_field'";
$result432 = mysql_query($query432) or die("information.php - Error in query: $query432") ;

$number_of_fields=mysql_num_rows($result432);

$field_content_id="custom"."$field_id_field";

$field_content_field=escape_string($_POST[$field_content_id]);

if ($number_of_fields=='0' && $field_content_field!=''){
mysql_query("INSERT INTO {$db_prefix}custom_members (field_id, content, member_id) VALUES ('$field_id_field', '$field_content_field', '$id')");
}

elseif($number_of_fields!='0' && $field_content_field==''){

mysql_query("DELETE FROM {$db_prefix}custom_members WHERE MEMBER_ID='$id' AND FIELD_ID='$field_id_field'");

}

elseif($number_of_fields!='0' && $field_content_field!=''){

// One UPDATE per matching row; $field_id is read but the UPDATE filters on
// $field_id_field instead, so every iteration issues the same statement.
while ($results432 = mysql_fetch_array($result432)){
$field_id = $results432['FIELD_ID'];


mysql_query("UPDATE {$db_prefix}custom_members SET content='$field_content_field' WHERE MEMBER_ID='$id' AND FIELD_ID='$field_id_field'");

}

}
}

	template_hook("pages/admin/members.template.php", "form_3");

	nova_redirect("index.php?page=admin&act=members","admin/members");

}
else{

	nova_redirect("index.php?page=error&error=28","error/28");

}
}

// --- Show the edit form for one member (GET: idemail, id or inputname) ---
elseif ($_GET['func']=='edit'){


// Fresh CSRF pair for this form: token_id is echoed back by the form and names
// the session slot, token is the secret compared on submit.
$token_id = md5(microtime());
$token = md5(uniqid(rand(),true));

// $id may be a numeric ID or a username; both are accepted by the lookups below.
if (isset($_GET['idemail'])){
$id = escape_string($_GET['idemail']);
}
elseif(isset($_GET['id'])){
$id = escape_string($_GET['id']);
}
elseif (isset($_GET['inputname'])){
$id = escape_string($_GET['inputname']);
};

// check they exist, if not return an error...
$query2167 = "select NAME from {$db_prefix}members WHERE ID='$id' OR NAME='$id'" ;
$result2167 = mysql_query($query2167) or die("messages.php - Error in query: $query2167") ;
$members_result = mysql_num_rows($result2167);

// Exactly one match is required; zero or several matches both redirect.
if ($members_result!='1'){

	nova_redirect("index.php?page=error&error=31","error/31");

}

$token_name = "token_members_$id$token_id";

$_SESSION[$token_name] = $token;

$query2 = "select ID, NAME, EMAIL, ROLE, PASSWORD, AVATAR, SIGNATURE, USERTITLE, LOCATION, NATIONALITY, MSN, AOL, YAHOO, SKYPE, XBOX, WII, PS3, BANNED, VERIFIED, MODERATE, NEVER_SPAM from {$db_prefix}members WHERE ID='$id' OR NAME='$id'" ;
$result2 = mysql_query($query2) or die("members.php - Error in query: $query2") ;
while ($results2 = mysql_fetch_array($result2)){
// From here on $id is the numeric ID from the row, even if a name was given.
$id = $results2['ID'];
$name = strip_slashes($results2['NAME']);
$email = strip_slashes($results2['EMAIL']);
$their_role = $results2['ROLE'];
$password = $results2['PASSWORD'];
$avatar = strip_slashes($results2['AVATAR']);
$signature = strip_slashes($results2['SIGNATURE']);
$location = strip_slashes($results2['LOCATION']);
$nationality = strip_slashes($results2['NATIONALITY']);
$msn = strip_slashes($results2['MSN']);
$aol = strip_slashes($results2['AOL']);
$yahoo = strip_slashes($results2['YAHOO']);
$skype = strip_slashes($results2['SKYPE']);
$xbox = strip_slashes($results2['XBOX']);
$wii = strip_slashes($results2['WII']);
$ps3 = strip_slashes($results2['PS3']);
$usertitle = strip_slashes($results2['USERTITLE']);
$banned = $results2['BANNED'];
$verify_member = $results2['VERIFIED'];
$moderate = $results2['MODERATE'];
$never_spam = $results2['NEVER_SPAM'];

// The template hooks below render from the globals set above.
template_hook("pages/admin/members.template.php", "3");

// Group selector (group 4 is excluded; its meaning is not defined here).
$query3 = "select GROUP_ID, GROUP_NAME from {$db_prefix}groups WHERE GROUP_ID!='4' ORDER BY GROUP_NAME" ;
$result3 = mysql_query($query3) or die("members.php - Error in query: $query3") ;
while ($results3 = mysql_fetch_array($result3)){
$group_id = $results3['GROUP_ID'];
$group_name = strip_slashes($results3['GROUP_NAME']);

// Don't allow mods to demote admins or upgrade themselves to admin!
// NOTE(review): no such check is visible in this file (nor in the post_edit
// branch, which writes $_POST['role'] as-is); it may live in template hook "4"
// -- confirm it is enforced server-side.

template_hook("pages/admin/members.template.php", "4");

}

template_hook("pages/admin/members.template.php", "5");

// Nationality selector.
$query21 = "select NATION_NAME, NATION_SHORT from {$db_prefix}nations ORDER BY NATION_NAME asc" ;
$result21 = mysql_query($query21) or die("members.php - Error in query: $query21") ;
while ($results21 = mysql_fetch_array($result21)){
$nationname = $results21['NATION_NAME'];
$nationshort = $results21['NATION_SHORT'];

template_hook("pages/admin/members.template.php", "6");

}

template_hook("pages/admin/members.template.php", "7");

// Custom profile fields with the member's current value for each.
$query432 = "select ID, NAME, DESCRIPTION, ORDER_FIELD from {$db_prefix}custom_fields ORDER BY ID desc";
$result432 = mysql_query($query432) or die("custom.php - Error in query: $query432") ;
while ($results432 = mysql_fetch_array($result432)){
$field_id = $results432['ID'];
$field_name = strip_slashes($results432['NAME']);
$field_description = strip_slashes($results432['DESCRIPTION']);
$order_field = $results432['ORDER_FIELD'];

// mysql_result() on row 0 of an empty result set yields no value (and a
// warning) when the member has no entry for this field.
$query433 = "select CONTENT from {$db_prefix}custom_members WHERE MEMBER_ID='$id' AND FIELD_ID='$field_id'";
$result433 = mysql_query($query433) or die("custom.php - Error in query: $query433") ;
$field_content = strip_slashes(mysql_result($result433, 0));

template_hook("pages/admin/members.template.php", "8");

}

template_hook("pages/admin/members.template.php", "9");


}


}
// No recognised func and no form post: render the default view.
else{

template_hook("pages/admin/members.template.php", "10");

}
}

template_hook("pages/admin/members.template.php", "end");
?>