fix some security issues + change username min length to 3

This commit is contained in:
xiaomlove
2022-12-08 20:43:33 +08:00
parent a0fb2c61d0
commit a39067021c
14 changed files with 83 additions and 50 deletions
+25 -14
@@ -19,23 +19,34 @@ if (empty($_POST["usernw"]) && empty($_POST["desact"]) && empty($_POST["delete"]
if (!empty($_POST["usernw"]))
{
$msg = sqlesc("Your Warning Has Been Removed By: " . $CURUSER['username'] . ".");
$added = sqlesc(date("Y-m-d H:i:s"));
$userid = implode(", ", $_POST['usernw']);
//sql_query("INSERT INTO messages (sender, receiver, msg, added) VALUES (0, $userid, $msg, $added)") or sqlerr(__FILE__, __LINE__);
//$msg = sqlesc("Your Warning Has Been Removed By: " . $CURUSER['username'] . ".");
//$added = sqlesc(date("Y-m-d H:i:s"));
//$userid = implode(", ", $_POST['usernw']);
////sql_query("INSERT INTO messages (sender, receiver, msg, added) VALUES (0, $userid, $msg, $added)") or sqlerr(__FILE__, __LINE__);
//
//$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST['usernw']) . ")")or sqlerr(__FILE__, __LINE__);
//$user = mysql_fetch_array($r);
//$exmodcomment = $user["modcomment"];
//$modcomment = date("Y-m-d") . " - Warning Removed By " . $CURUSER['username'] . ".\n". $modcomment . $exmodcomment;
//sql_query("UPDATE users SET modcomment=" . sqlesc($modcomment) . " WHERE id IN (" . implode(", ", $_POST['usernw']) . ")") or sqlerr(__FILE__, __LINE__);
//
//$do="UPDATE users SET warned='no', warneduntil=null WHERE id IN (" . implode(", ", $_POST['usernw']) . ")";
//$res=sql_query($do);
$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST['usernw']) . ")")or sqlerr(__FILE__, __LINE__);
$user = mysql_fetch_array($r);
$exmodcomment = $user["modcomment"];
$modcomment = date("Y-m-d") . " - Warning Removed By " . $CURUSER['username'] . ".\n". $modcomment . $exmodcomment;
sql_query("UPDATE users SET modcomment=" . sqlesc($modcomment) . " WHERE id IN (" . implode(", ", $_POST['usernw']) . ")") or sqlerr(__FILE__, __LINE__);
$do="UPDATE users SET warned='no', warneduntil=null WHERE id IN (" . implode(", ", $_POST['usernw']) . ")";
$res=sql_query($do);}
$modcomment = date("Y-m-d") . " - Warning Removed By " . $CURUSER['username'];
\App\Models\User::query()->whereIn('id', $_POST['usernw'])
->update([
'warned' => 'no',
'warneduntil' => null,
'modcomment' => \Nexus\Database\NexusDB::raw("if(modcomment = '', '$modcomment', concat_ws('\n', '$modcomment', modcomment))")
]);
}
if (!empty($_POST["desact"])){
$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['desact']) . ")";
$res=sql_query($do);}
//$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['desact']) . ")";
//$res=sql_query($do);
\App\Models\User::query()->whereIn('id', $_POST['desact'])->update(['enabled' => 'no']);
}
}
}
header("Refresh: 0; url=warned.php");