<?php
/* PHP Link Directory Copyright 2011 Robert Rook */
require('dblogon.php');
require('userhead.php');

/* Only access level 9 may manage administrator accounts; anyone lower is
   redirected to admin.php before any output is produced.  $userinf is
   presumably populated by userhead.php from the current session — confirm. */
if ($userinf['badmin'] < 9) {
	header("Location: {$site_url}/admin.php?cmd=lowaccess");
	exit;
}

require('lib/validstr.php');
require('tpl/boxes.php');

/* Result and error lists, accumulated as <li> fragments by the commands below. */
$msg = '';
$err = '';

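/* Delete an existing account.
   The target id is posted by the confirmation form rendered further down
   (cmd=delete).  It is validated as an integer before use, so the value that
   reaches the query is never free text; the badmin<... clause restricts the
   deletion to accounts below the caller's own access level. */
if(isset($_POST['delete_user'])) {
	$delete_id = filter_var($_POST['delete_user'], FILTER_VALIDATE_INT);
	if($delete_id !== false) {
		/* NOTE(review): the confirmation form carries no anti-CSRF token; the
		   session cookie is the only thing tying this POST to the operator. */
		$res = mysql_query("DELETE FROM {$prefix}users WHERE userid={$delete_id} AND badmin<".(int)$userinf['badmin'], $db);
		/* mysql_affected_rows() is given the link explicitly; the implicit
		   "last opened link" is not necessarily $db. */
		if($res && mysql_affected_rows($db)) {
			$msg.= "<li>The requested account has been removed.</li>\n";
		} else {
			$err.= "<li>There was an error attempting to remove the selected account.</li>\n";
		}
	}
}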

/* Floating help-box script and page title; presumably consumed by admin_l.php
   when it renders the page head — confirm against that template. */
$header_code = "<script language=\"Javascript\" type=\"text/Javascript\" src=\"{$site_url}/js/floatbox.js\"></script>\n";
$page_title = "Administrator Accounts";
require('admin_l.php');

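/* Escape a value for insertion into HTML text or a double-quoted attribute. */
function admin_user_html($value) {
	return htmlspecialchars((string)$value, ENT_QUOTES);
}

/* Return a request value as the user typed it, without the backslashes that
   magic_quotes_gpc adds when that php.ini option is on. */
function admin_user_unquote($value) {
	$value = (string)$value;
	if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
		return stripslashes($value);
	}
	return $value;
}

/* Escape a request value exactly once for use inside '...' in a query on $db. */
function admin_user_sql_string($value, $db) {
	return mysql_real_escape_string(admin_user_unquote($value), $db);
}

/* Request parameters shared by the commands below.  $cmd is always a string,
   $userid is an int or false, and $mylevel is the caller's own access level;
   every query is restricted to accounts whose badmin is below $mylevel. */
$cmd = (isset($_GET['cmd']) && is_string($_GET['cmd'])) ? $_GET['cmd'] : "";
$userid = isset($_GET['userid']) ? filter_var($_GET['userid'], FILTER_VALIDATE_INT) : false;
$mylevel = (int)$userinf['badmin'];

/* Create a new account / edit an existing account */
if($cmd==="new" || ($cmd==="edit" && $userid!==false)) {
	$show_form = true;
	
	if($cmd==="new") {
		show_header("Create Account", "Use this form to create a new Administrator account.  Administrators will be able to assist in management of the directory; what they will be able to do depends on the access you give them.");
		/* Suggested initial password: 8 hex characters from a CSPRNG where one
		   exists.  The previous md5(time()) value was predictable from the
		   approximate creation time. */
		if(function_exists('random_bytes')) {
			$suggested = bin2hex(random_bytes(4));
		} else if(function_exists('openssl_random_pseudo_bytes')) {
			$suggested = bin2hex(openssl_random_pseudo_bytes(4));
		} else {
			$suggested = substr(md5(uniqid(mt_rand(), true)), 0, 8);
		}
		$u = array("username"=>"", "password"=>$suggested, "fullname"=>"", "email"=>"", "badmin"=>0, "bstatus"=>0, "bverified"=>0, "pquestion"=>"", "panswer"=>"");
	} else {
		show_header("Edit Account", "Update the details for the selected account as you wish to, and click \"Save Changes\" when you are ready to put the modifications in to effect.");
		$res = mysql_query("SELECT * FROM {$prefix}users WHERE userid={$userid} AND badmin<{$mylevel}", $db);
		if(!$res || !mysql_num_rows($res)) {
			$show_form = false;
			show_error("Cannot edit account", "The selected account cannot be modified as it either does not exist or has too high access.\n<ul><li><a href=\"admin_user.php\">Return to account list</a></li></ul>");
		} else {
			$u = mysql_fetch_array($res);
		}
	}
	
	/* Create or update a user account */
	if($show_form && isset($_POST['username'])) {
		/* Missing or non-string fields (e.g. field[]=x) collapse to "" so the
		   checks below never see an undefined index or an array. */
		$in = array();
		foreach(array("username", "password", "email", "fullname", "pquestion", "panswer") as $field) {
			$in[$field] = (isset($_POST[$field]) && is_string($_POST[$field])) ? $_POST[$field] : "";
		}
		$username = preg_replace('/[^a-zA-Z\-_\s0-9]/', "", $in['username']);
		$password = preg_replace('/[^a-zA-Z\-_\s0-9]/', "", $in['password']);
		if(!validate_email($in['email'])) {
			$err.= "<li>Please provide a valid email address for the account.</li>\n";
		}
		if($username!==$in['username'] || strlen($username)<5 || strlen($username)>30) {
			$err.= "<li>A username must be between 5 and 30 characters and ";
			$err.= "include only numbers, letters, dashes, underscores or blank spaces.</li>\n";
		}
		if($password!==$in['password'] || strlen($password)<5 || strlen($password)>30) {
			$err.= "<li>A password must be between 5 and 30 characters and ";
			$err.= "include only numbers, letters, dashes, underscores or blank spaces.</li>\n";
		}
		if(htmlspecialchars($in['fullname'])!==$in['fullname']) {
			$err.= "<li>The Full name should not contain any special characters.</li>\n";
		}
		if(strip_tags($in['pquestion'])!==$in['pquestion'] || strlen($in['pquestion'])<5 || strlen($in['pquestion'])>100) {
			$err.= "<li>The special question should be between 5 and 100 characters ";
			$err.= "and should not contain any special characters.</li>\n";
		}
		if(strip_tags($in['panswer'])!==$in['panswer'] || strlen($in['panswer'])<5 || strlen($in['panswer'])>200) {
			$err.= "<li>The special answer should be between 5 and 200 characters ";
			$err.= "and should not contain any special characters.</li>\n";
		}
		$bstatus = (empty($_POST['bstatus'])?0:1);
		$bverified = (empty($_POST['bverified'])?0:1);
		/* Strict match against the three offered levels; the loose != used
		   before accepted any leading-numeric string on PHP < 8.  A level at or
		   above the caller's own would produce an account the caller could no
		   longer edit, so it is refused as well. */
		$badmin = (isset($_POST['badmin']) && in_array($_POST['badmin'], array("0", "3", "6"), true)) ? (int)$_POST['badmin'] : -1;
		if($badmin<0 || $badmin>=$mylevel) {
			$err.= "<li>Please select an access level for this user.</li>\n";
		}
		
		if(!strlen($err)) {
			/* Check if the username or email are already in use */
			$exclude = ($cmd==="edit"?" AND userid!={$userid}":"");
			$res = mysql_query("SELECT userid FROM {$prefix}users WHERE email='".admin_user_sql_string($in['email'], $db)."'".$exclude, $db);
			if($res && mysql_num_rows($res)) {
				$err.= "<li>The email address you have provided is in use by another ";
				$err.= "account.  Please provide another.</li>\n";
			}
			
			$res = mysql_query("SELECT userid FROM {$prefix}users WHERE username='".admin_user_sql_string($in['username'], $db)."'".$exclude, $db);
			if($res && mysql_num_rows($res)) {
				$err.= "<li>The username you have provided is in use by another ";
				$err.= "account.  Please provide another.</li>\n";
			}
		}
		
		if(!strlen($err)) {
			/* Every text column is escaped for the query; the numeric ones were
			   reduced to known integers above. */
			$esc = array();
			foreach($in as $field => $value) {
				$esc[$field] = admin_user_sql_string($value, $db);
			}
			/* NOTE(review): the password column holds the clear-text password
			   (the view command prints it back).  Hashing it here would also
			   require the login code in the included files to verify hashes. */
			if($cmd==="new") {
				$ok = mysql_query("INSERT INTO {$prefix}users(username, password, email, fullname, bstatus, badmin, bverified, pquestion, panswer) VALUES ('{$esc['username']}', '{$esc['password']}', '{$esc['email']}', '{$esc['fullname']}', '{$bstatus}', '{$badmin}', '{$bverified}', '{$esc['pquestion']}', '{$esc['panswer']}')", $db);
				if($ok) {
					show_result("Account created", "The requested account has been successfully created.\n<ul><li><a href=\"admin_user.php\">Return to account list.</a></li></ul>");
					$show_form = false;
				}
			} else {
				/* The badmin<... clause is repeated so a row that changed level
				   between the SELECT above and this UPDATE is still protected. */
				$ok = mysql_query("UPDATE {$prefix}users SET username='{$esc['username']}', password='{$esc['password']}', email='{$esc['email']}', fullname='{$esc['fullname']}', bstatus='{$bstatus}', badmin='{$badmin}', bverified='{$bverified}', pquestion='{$esc['pquestion']}', panswer='{$esc['panswer']}' WHERE userid={$userid} AND badmin<{$mylevel}", $db);
				if($ok) {
					show_result("Account updated", "The requested changes to this user account have been applied.\n<ul><li><a href=\"admin_user.php\">Return to account list.</a></li></ul>");
					$show_form = false;
				}
			}
			/* A failed query used to be reported as success; keep the form up. */
			if(!$ok) {
				$err.= "<li>The account could not be saved.  Please try again.</li>\n";
			}
		}
		
		if($show_form) {
			/* Re-display what was submitted instead of the stored values so a
			   validation error does not discard the operator's input. */
			foreach($in as $field => $value) {
				$u[$field] = admin_user_unquote($value);
			}
			$u['bstatus'] = $bstatus;
			$u['bverified'] = $bverified;
			$u['badmin'] = $badmin;
		}
	}
	
	if($show_form) {
		/* The heredoc below cannot call functions, so every interpolated value
		   is HTML-escaped into $h first.  The form action is rebuilt from the
		   validated command instead of echoing the raw query string. */
		$h = array();
		foreach(array("username", "password", "fullname", "email", "pquestion", "panswer") as $field) {
			$h[$field] = admin_user_html(isset($u[$field]) ? $u[$field] : "");
		}
		$htmaction = ($cmd==="new" ? "cmd=new" : "cmd=edit&amp;userid={$userid}");
		$htmbactive = (empty($u['bstatus'])?"":" selected=\"selected\"");
		$htmbverified = (empty($u['bverified'])?"":" selected=\"selected\"");
		$level = (isset($u['badmin']) ? (int)$u['badmin'] : 0);
echo <<<ENDHTML
	<form method="post" action="admin_user.php?{$htmaction}">
	<table border="0" cellpadding="2px" cellspacing="0" width="100%" class="adminform">
	<tr><td>Username &nbsp; <a href="{$site_url}/js/help_users.html#username" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_username" onmouseover='FB_Show("id_help_username", "<h2>Username</h2><p>The Username with which this account will be logged in to, and which will personally identify this account.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><input type="text" class="stdinput" name="username" value="{$h['username']}" maxlength="30"></td></tr>
	<tr><td>Password &nbsp; <a href="{$site_url}/js/help_users.html#password" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_password" onmouseover='FB_Show("id_help_password", "<h2>Password</h2><p>The Password for the user account.  Used in tandem with the Username to allow an Administrator access to the Administration area.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><input type="text" class="stdinput" name="password" value="{$h['password']}" maxlength="30"></td></tr>
	<tr><td>Full name &nbsp; <a href="{$site_url}/js/help_users.html#fullname" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_fullname" onmouseover='FB_Show("id_help_fullname", "<h2>Full Name</h2><p>The name by which the user will be addressed when accessing the Administration area, or receiving emails from the website.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><input type="text" class="stdinput" name="fullname" value="{$h['fullname']}" maxlength="100"></td></tr>
	<tr><td>Email address &nbsp; <a href="{$site_url}/js/help_users.html#email" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_email" onmouseover='FB_Show("id_help_email", "<h2>Email Address</h2><p>The contact Email address for the user.  This should be a valid email address as it may be required to reset the accounts password, should it be lost.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><input type="text" class="stdinput" name="email" value="{$h['email']}" maxlength="250"></td></tr>
	<tr><td>Secret Question &nbsp; <a href="{$site_url}/js/help_users.html#pquestion" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_pquestion" onmouseover='FB_Show("id_help_pquestion", "<h2>Secret Question</h2><p>A question to which only the account holder should know the answer, and others should not be able to guess.  Used to reset the accounts password if it is lost.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><input type="text" class="stdinput" name="pquestion" value="{$h['pquestion']}" maxlength="100"></td></tr>
	<tr><td>Secret Answer &nbsp; <a href="{$site_url}/js/help_users.html#panswer" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_panswer" onmouseover='FB_Show("id_help_panswer", "<h2>Secret Answer</h2><p>Used in tandem with the Secret Question for resetting a forgotten password.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><input type="text" class="stdinput" name="panswer" value="{$h['panswer']}" maxlength="200"></td></tr>
	<tr><td>Access Level &nbsp; <a href="{$site_url}/js/help_users.html#badmin" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_badmin" onmouseover='FB_Show("id_help_badmin", "<h2>Access Level</h2><p>Specifies what areas of this website the account holder can modify and manage.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><select class="stdinput" name="badmin">
ENDHTML;
			echo "<option value=\"0\">No Access</option>\n";
			echo "<option value=\"3\"".($level===3?" selected=\"selected\"":"").">Link Management</option>\n";
			echo "<option value=\"6\"".($level===6?" selected=\"selected\"":"").">Category &amp; Links Management</option>\n";
echo <<<ENDHTML
			</select></td></tr>
	<tr><td>Account status &nbsp; <a href="{$site_url}/js/help_users.html#bstatus" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_bstatus" onmouseover='FB_Show("id_help_bstatus", "<h2>Account Status</h2><p>Whether or not this account is active and can be accessed by the account owner.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><select class="stdinput" name="bstatus">
			<option value="0">Inactivate</option>
			<option value="1"{$htmbactive}>Active</option>
			</select></td></tr>
	<tr><td>Email verified &nbsp; <a href="{$site_url}/js/help_users.html#bverified" target="_new">
	<img src="imgs/ico_help.gif" width="12px" height="12px" alt="Help" border="0" id="id_help_bverified" onmouseover='FB_Show("id_help_bverified", "<h2>Email Verified</h2><p>Used as a marker to determine whether or not the email address is correct and belongs to the account holder.</p>");' onmouseout='FB_Hide();'>
	</a></td>
		<td align="right"><select class="stdinput" name="bverified">
			<option value="0">Not verified</option>
			<option value="1"{$htmbverified}>Verified</option>
			</select></td></tr>
	<tr><td>&nbsp;</td>
		<td align="right"><input type="submit" class="stdbutton" value="Save Changes"></td></tr>
	</table>
	</form>
ENDHTML;
	}
}
/* View account details */
else if($cmd==="view" && $userid!==false) {
	show_header("View Account", "If found, the details for the selected account will be displayed below.\n<ul><li><a href=\"admin_user.php?cmd=edit&userid={$userid}\">Edit the account details</a></li></ul>");
	
	$res = mysql_query("SELECT * FROM {$prefix}users WHERE userid={$userid} AND badmin<{$mylevel}", $db);
	if(!$res || !mysql_num_rows($res)) {
		show_error("Cannot view account", "The requested account either does not exist, or has too high access for you to be able to view its details.\n<ul><li><a href=\"admin_user.php\">Return to user account list</a></li></ul>");
	} else {
		$u = mysql_fetch_array($res);
		/* Escape the stored text columns once; the derived labels below are
		   fixed strings and are added afterwards. */
		$h = array();
		foreach(array("username", "password", "email", "fullname", "pquestion", "panswer", "lip") as $field) {
			$h[$field] = admin_user_html(isset($u[$field]) ? $u[$field] : "");
		}
		$h['bverified'] = (empty($u['bverified'])?"No":"Yes");
		$h['bstatus'] = (empty($u['bstatus'])?"Disabled":"Active");
		$h['ltime'] = ((isset($u['ltime']) && $u['ltime']>0)?date('d/m/Y h:i:sa', (int)$u['ltime']):"Never");
		$level = (isset($u['badmin']) ? (int)$u['badmin'] : 0);
		if($level>=9) { $h['badmin'] = "Site Owner"; }
		else if($level>=6) { $h['badmin'] = "Category &amp; Link manager"; }
		else if($level>=3) { $h['badmin'] = "Link Manager"; }
		else { $h['badmin'] = "No Access"; }

echo <<<ENDHTML
	<table border="0" cellpadding="2px" cellspacing="0" width="100%" class="adminform">
	<tr><td class="titlecell">Username</td>
		<td align="right">{$h['username']}</td></tr>
	<tr><td class="titlecell">Password</td>
		<td align="right">{$h['password']}</td></tr>
	<tr><td class="titlecell">Email address</td>
		<td align="right">{$h['email']}</td></tr>
	<tr><td class="titlecell">Email verified?</td>
		<td align="right">{$h['bverified']}</td></tr>
	<tr><td class="titlecell">Full name</td>
		<td align="right">{$h['fullname']}</td></tr>
	<tr><td class="titlecell">Secret Question</td>
		<td align="right">{$h['pquestion']}</td></tr>
	<tr><td class="titlecell">Secret Answer</td>
		<td align="right">{$h['panswer']}</td></tr>
	<tr><td class="titlecell">Account status</td>
		<td align="right">{$h['bstatus']}</td></tr>
	<tr><td class="titlecell">Access level</td>
		<td align="right">{$h['badmin']}</td></tr>
	<tr><td class="titlecell">Last login</td>
		<td align="right">{$h['ltime']}</td></tr>
	<tr><td class="titlecell">Last IP address</td>
		<td align="right">{$h['lip']}</td></tr>
	</table>
ENDHTML;
	}
}
/* Delete a user account */
else if($cmd==="delete" && $userid!==false) {
	show_header("Delete account", "The requested account will be permanently removed from the Administrative account list.  Click the \"Delete Account\" button if you are sure you wish to continue.");
	$show_form = true;
	$res = mysql_query("SELECT * FROM {$prefix}users WHERE userid={$userid} AND badmin<{$mylevel}", $db);
	if(!$res || !mysql_num_rows($res)) {
		show_error("Account not found", "The account you have requested to remove either does not exist or has too high access for you to remove.\n<ul><li><a href=\"admin_user.php\">Return to accounts list</a></li></ul>");
		$show_form = false;
	} else {
		$u = mysql_fetch_array($res);
	}
	
	if($show_form) {
		/* Escaped copies for the confirmation form; the id is cast to int
		   because it is echoed into a hidden field and posted straight back. */
		$h = array();
		foreach(array("username", "email", "fullname") as $field) {
			$h[$field] = admin_user_html(isset($u[$field]) ? $u[$field] : "");
		}
		$h['userid'] = (int)$u['userid'];
echo <<<ENDHTML
	<form method="post" action="admin_user.php">
	<input type="hidden" name="delete_user" value="{$h['userid']}">
	<table border="0" cellpadding="2px" cellspacing="0" width="100%" class="adminform">
	<tr><td class="titlecell">Username</td>
		<td align="right">{$h['username']}</td></tr>
	<tr><td class="titlecell">Email address</td>
		<td align="right">{$h['email']}</td></tr>
	<tr><td class="titlecell">Full name</td>
		<td align="right">{$h['fullname']}</td></tr>
	<tr><td><a href="admin_user.php">Cancel deletion</a></td>
		<td align="right"><input type="submit" value="Delete Account" class="stdbutton"></td></tr>
	</table>
	</form>
ENDHTML;
	}
}
/* View all user accounts of a lower level */
else {
	show_header("Manage Accounts", "You can manage the accounts of administrators for this directory via the list below.  Your own account will not be shown in this list.\n<ul><li><a href=\"admin_user.php?cmd=new\">Create a new User Account</a></li></ul>");
	
	$sql = "";
	$validfields = array("username"=>"Username", "email"=>"Email address", "fullname"=>"Full name");
	/* The column name comes from the whitelist keys, never from the request.
	   $rawsearch keeps any magic-quotes slashes so it is escaped exactly once. */
	$sb = (isset($_GET['searchby']) && is_string($_GET['searchby']) && isset($validfields[$_GET['searchby']])) ? $_GET['searchby'] : "";
	$rawsearch = (isset($_GET['search']) && is_string($_GET['search'])) ? $_GET['search'] : "";
	if($sb!=="" && strlen($rawsearch)) {
		/* "*" is the user-facing wildcard.  The earlier urldecode() was a second
		   decode of an already-decoded $_GET value and has been dropped. */
		$sql.= " AND {$sb} LIKE '".str_replace("*", "%", admin_user_sql_string($rawsearch, $db))."'";
	}
	$res = mysql_query("SELECT username, email, bstatus, userid FROM {$prefix}users WHERE badmin<{$mylevel}{$sql} ORDER BY username ASC", $db);
	
	if(!$res || !mysql_num_rows($res)) {
		echo "<center>(No user accounts found)</center>\n";
	} else {
		/* Redisplay the search term as typed (previously the slash-escaped
		   copy was shown). */
		$htmsearch = admin_user_html(admin_user_unquote($rawsearch));
		
echo <<<ENDHTML
	<form method="get" action="admin_user.php">
	<table border="0" cellpadding="2px" cellspacing="0" width="100%" class="adminsearch">
	<tr><td>Search for accounts where </td>
		<td><select class="stdinput" name="searchby">
			<option value="0">Please select</option>
ENDHTML;
		echo "<option value=\"username\"".($sb==="username"?" selected=\"selected\"":"").">Username</option>\n";
		echo "<option value=\"email\"".($sb==="email"?" selected=\"selected\"":"").">Email address</option>\n";
		echo "<option value=\"fullname\"".($sb==="fullname"?" selected=\"selected\"":"").">Full name</option>\n";
echo <<<ENDHTML
		</select></td>
		<td> is </td>
		<td><input type="text" maxlength="250" class="stdinput" name="search" value="{$htmsearch}"></td>
		<td align="right"><input type="submit" class="stdbutton" value="Search"></td></tr>
	</table>
	</form>
	
	<table border="0" cellpadding="2px" cellspacing="0" width="100%" class="adminform">
	<tr><th>#</th>
		<th>Username</th>
		<th>Email</th>
		<th>&nbsp;</th>
		<th>&nbsp;</th></tr>
ENDHTML;
		while($row = mysql_fetch_array($res)) {
			$rowid = (int)$row['userid'];
			$htmuser = admin_user_html($row['username']);
			$htmemail = admin_user_html($row['email']);
			echo "<tr".(empty($row['bstatus'])?" class=\"inactive_user\"":"");
			echo "><td>{$rowid}</td>";
			/* The view link around the username was never closed before. */
			echo "<td><a href=\"admin_user.php?cmd=view&userid={$rowid}\">{$htmuser}</a></td>";
			echo "<td>{$htmemail}</td>\n";
			echo "<td><a href=\"admin_user.php?cmd=edit&userid={$rowid}\">";
			echo "<img src=\"imgs/ico_edit.gif\" width=\"20px\" height=\"20px\" border=\"0\" alt=\"Edit\">";
			echo "</a></td>\n<td><a href=\"admin_user.php?cmd=delete&userid={$rowid}\">";
			echo "<img src=\"imgs/ico_delete.gif\" width=\"20px\" height=\"20px\" border=\"0\" alt=\"Delete\">";
			echo "</a></td></tr>\n";
		}
echo <<<ENDHTML
	</table>
ENDHTML;
	}
}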

/* Page footer / closing layout template. */
require 'admin_r.php';
?>