/[LeafOK_CVS]/fenglin/bbs/reg_user_service.php

Diff of /fenglin/bbs/reg_user_service.php

Parent Directory | Revision Log | View Patch Patch

- Revision 1.1 by sysadm,
 Mon Mar 31 14:13:22 2025 UTC
+ Revision 1.7 by sysadm,
 Wed Apr 23 05:13:56 2025 UTC
  Line 1
- <?
+ <?php
          require_once "../lib/common.inc.php";
          require_once "../lib/str_process.inc.php";
          require_once "../lib/vn_gif.inc.php";
  Line 10
          $data = json_decode(file_get_contents("php://input"), true);
-         $username = (isset($data["username"]) ? $data["username"] : "");
+         $username = (isset($data["username"]) ? trim($data["username"]) : "");
-         $nickname = (isset($data["nickname"]) ? $data["nickname"] : "");
+         $nickname = (isset($data["nickname"]) ? trim($data["nickname"]) : "");
          $realname = (isset($data["realname"]) ? trim($data["realname"]) : "");
          $gender = (isset($data["gender"]) ? $data["gender"] : "");
          $gender_public = (isset($data["gender_public"]) && $data["gender_public"] == "1" ? 1 : 0);
-         $email = (isset($data["email"]) ? $data["email"] : "");
+         $email = (isset($data["email"]) ? trim($data["email"]) : "");
          $year = (isset($data["year"]) ? intval($data["year"]) : 0);
          $month = (isset($data["month"]) ? intval($data["month"]) : 0);
          $day = (isset($data["day"]) ? intval($data["day"]) : 0);
-         $qq = (isset($data["qq"]) ? $data["qq"] : "");
+         $qq = (isset($data["qq"]) ? trim($data["qq"]) : "");
          $agreement = (isset($data["agreement"]) && $data["agreement"] == "1");
-         $vn_str = (isset($data["vn_str"]) ? $data["vn_str"] : "");
+         $vn_str = (isset($data["vn_str"]) ? trim($data["vn_str"]) : "");
          $result_set = array(
                  "return" => array(
  Line 130
                  ));
          }
-         if ((!isset($_SESSION["BBS_reg_vn_str"])) || $_SESSION["BBS_reg_vn_str"] == "" || VN_check($_SESSION["BBS_reg_vn_str"], $vn_str) != 0)
+         if ((!isset($_SESSION["BBS_vn_str"])) || $_SESSION["BBS_vn_str"] == "" || strcasecmp($_SESSION["BBS_vn_str"], $vn_str) != 0)
          {
                  $result_set["return"]["code"] = -1;
                  array_push($result_set["return"]["errorFields"], array(
  Line 145
                  exit(json_encode($result_set));
          }
+         // Secure SQL statement
+         $nickname = mysqli_real_escape_string($db_conn, $nickname);
+         $realname = mysqli_real_escape_string($db_conn, $realname);
          // Begin transaction
          $rs = mysqli_query($db_conn, "SET autocommit=0");
          if ($rs == false)
- Line 167
+ Line 171
          }
          // Check availability of username and nickname
-         $sql = "SELECT UID FROM user_list WHERE username = '" .
+         $sql = "SELECT UID FROM user_list WHERE username = '$username' FOR UPDATE";
-                         mysqli_real_escape_string($db_conn, $username) . "'";
          $rs = mysqli_query($db_conn, $sql);
          if ($rs == false)
- Line 190
+ Line 193
          }
          mysqli_free_result($rs);
-         $sql = "SELECT UID FROM user_nickname WHERE nickname = '" .
+         $sql = "SELECT UID FROM user_nickname WHERE nickname = '$nickname' FOR UPDATE";
-                         mysqli_real_escape_string($db_conn, $nickname) . "'";
          $rs = mysqli_query($db_conn, $sql);
          if ($rs == false)
- Line 213
+ Line 215
          }
          mysqli_free_result($rs);
-         $sql = "SELECT UID FROM user_pubinfo WHERE email = '" .
+         $sql = "SELECT UID FROM user_pubinfo WHERE email = '$email' FOR UPDATE";
-                         mysqli_real_escape_string($db_conn, $email) . "'";
          $rs = mysqli_query($db_conn, $sql);
          if ($rs == false)
- Line 259
+ Line 260
          $uid = mysqli_insert_id($db_conn);
-         $sql = "INSERT INTO user_reginfo(UID, name, birthday, signup_dt, signup_ip) VALUES($uid, '" .
+         $sql = "INSERT INTO user_reginfo(UID, name, birthday, signup_dt, signup_ip)
-                         mysqli_real_escape_string($db_conn, $realname) . "', '$year-$month-$day', NOW(), '".
+                         VALUES($uid, '$realname', '$year-$month-$day', NOW(), '".
                          client_addr() . "')";
          $rs = mysqli_query($db_conn, $sql);
- Line 273
+ Line 274
                  exit(json_encode($result_set));
          }
-         $sql = "INSERT INTO user_pubinfo(UID, nickname, email, gender, gender_pub, qq, last_login_dt) VALUES($uid, '" .
+         $sql = "INSERT INTO user_pubinfo(UID, nickname, email, gender, gender_pub, qq, last_login_dt)
-                         mysqli_real_escape_string($db_conn, $nickname) . "', '$email', '$gender', $gender_public, '$qq', NOW())";
+                         VALUES($uid, '$nickname', '$email', '$gender', $gender_public, '$qq', NOW())";
          $rs = mysqli_query($db_conn, $sql);
          if ($rs == false)
- Line 286
+ Line 287
                  exit(json_encode($result_set));
          }
-         $sql = "INSERT INTO user_nickname(UID, nickname, begin_dt, begin_reason) VALUES($uid, '" .
+         $sql = "INSERT INTO user_nickname(UID, nickname, begin_dt, begin_reason)
-                         mysqli_real_escape_string($db_conn, $nickname) . "', NOW(), 'R')";
+                         VALUES($uid, '$nickname', NOW(), 'R')";
          $rs = mysqli_query($db_conn, $sql);
          if ($rs == false)
- Line 333
+ Line 334
                  exit(json_encode($result_set));
          }
-         $_SESSION["BBS_reg_vn_str"] == "";
+         $_SESSION["BBS_vn_str"] = "";
          mysqli_close($db_conn);
          exit(json_encode($result_set));

  Legend:

 
 
 Removed lines/characters
  
 
 
 Changed lines/characters
 
 
  
 Added lines/characters
 Legend:

 
 
 Removed lines/characters
  
 
 
 Changed lines/characters
 
 
  
 Added lines/characters
-Removed lines/characters
+Added lines/characters

webmaster@leafok.com	ViewVC Help
Powered by ViewVC 1.3.0-beta1