Spellmate/admin.php at master · steveims/Spellmate · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
<?php

session_start();

require_once ('private/utils.inc');
require_once ('private/User.inc');

$user = new User();
$link = getDbConnection();

if(!$_SESSION['adminuser']) {
  $action = "login";
} else if(isset($_POST['action'])) {
  $action = $_POST['action'];
} else if(isset($_GET['action'])) {
  $action = $_GET['action'];
} else {
  $action = "login";
}

switch ($action) {
 case 'login' :
   if (!isset($_POST['password'])) {
     // If credentials not supplied, then return login form.
     require('private/adminLogin.inc');

   } else if ($_POST['password'] != 'un2Him') {
     $message = 'Invalid password.';
     require('private/adminLogin.inc');

   } else {
     $_SESSION['adminuser'] = true;
     require('private/adminHome.inc');
   }

   break;

 case 'logout' :
   session_destroy();

   require('private/adminLogin.inc');

   break;

 case 'adduser' :
   if (($_POST['username'] == '') || ($_POST['password'] == '')) {
     $message = "Username and Password are required.";

   } else {
     $iQuery = sprintf("INSERT INTO users (User, Password) VALUES ( '%s', '%s' )", mysql_real_escape_string($_POST['username']), mysql_real_escape_string($_POST['password']));
     $result = mysql_query($iQuery, $link);
     if (!$result) {
       $message = "Username must be unique (" . mysql_error() . ")";
     } else {
       $message = "Added user " . $_POST['username'];
     }
   }

   require('private/adminHome.inc');

   break;

 case 'setPassword' :
   if ($_POST['password'] == '') {
     $message = "Password cannot be blank.";

   } else {
     $iQuery = sprintf("UPDATE users SET Password='%s' WHERE User='%s'", mysql_real_escape_string($_POST['password']), mysql_real_escape_string($_POST['username']));
     $result = mysql_query($iQuery, $link);
     if (!$result) {
       $message = "Failed to set password (" . mysql_error() . ")";
     } else {
       $message = "Password updated for " . $_POST['username'];
     }
   }

   require('private/adminHome.inc');

   break;

 default :
   echo "Unknown action: " . $action;
 }
?>