--- fenglin/bbs/update_profile_service.php 2025/04/01 02:44:30 1.2
+++ fenglin/bbs/update_profile_service.php 2025/04/01 12:18:40 1.4
@@ -14,6 +14,7 @@
 $realname = (isset($data["realname"]) ? trim($data["realname"]) : "");
 $gender = (isset($data["gender"]) ? $data["gender"] : "");
 $gender_public = (isset($data["gender_public"]) && $data["gender_public"] == "1" ? 1 : 0);
+ $email = (isset($data["email"]) ? $data["email"] : "");
 $year = (isset($data["year"]) ? intval($data["year"]) : 0);
 $month = (isset($data["month"]) ? intval($data["month"]) : 0);
 $day = (isset($data["day"]) ? intval($data["day"]) : 0);
@@ -48,6 +49,15 @@
 ));
 }
+ if (!preg_match("/^[A-Za-z0-9_.-]+@([A-Za-z0-9-]+[.])+[A-Za-z0-9-]+$/", $email))
+ {
+ $result_set["return"]["code"] = -1;
+ array_push($result_set["return"]["errorFields"], array(
+ "id" => "email",
+ "errMsg" => "不符合格式要求",
+ ));
+ }
+
 if (!checkdate($month, $day, $year))
 {
 $result_set["return"]["code"] = -1;
@@ -80,6 +90,9 @@
 exit(json_encode($result_set));
 }
+ // Secure SQL statement
+ $realname = mysqli_real_escape_string($db_conn, $realname);
+
 // Begin transaction
 $rs = mysqli_query($db_conn, "SET autocommit=0");
 if ($rs == false)
@@ -115,7 +128,7 @@
 if($row = mysqli_fetch_array($rs))
 {
- $email = $row["email"];
+ $old_email = $row["email"];
 }
 else
 {
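Review bot: The address pattern in the -48 hunk anchors with `$`, which in PCRE also matches just before a final line feed, so a value that ends in a newline passes this check and then reaches the SQL literal and the `$to` argument of `send_mail()` in the -128 hunk unchanged; anchor with `\z` or add the `D` modifier, e.g. `if (!preg_match("/^[A-Za-z0-9_.-]+@([A-Za-z0-9-]+[.])+[A-Za-z0-9-]+$/D", $email))`. Whether a trailing line break can affect mail headers depends on how `send_mail()` is implemented, which is not visible here, but this regex is the only filter the value gets before it is interpolated, so it should be exact. The check also makes an email mandatory (an empty string cannot match), which may be intended but deserves its own message instead of reusing 不符合格式要求. The `-1` code is set without exiting, so the `exit(json_encode($result_set))` visible in the -80 hunk is presumably what keeps an invalid address out of the transaction; worth confirming since the email SQL depends on it.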
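Review bot: The escape block added in the -80 hunk reassigns `$realname` itself, so every later use of the variable now sees the escaped form, not just the UPDATE that previously called `mysqli_real_escape_string()` inline; if `$realname` is echoed back in the JSON result or a mail body further down the file (not visible here) it would carry backslashes. A separate SQL-only variable keeps the old behaviour: `$realname_sql = mysqli_real_escape_string($db_conn, $realname);` with the UPDATE in the -128 hunk reading `name = '$realname_sql'`. This block is also where `$email` should be escaped, since the -128 hunk interpolates it into a SELECT and an INSERT with no escaping at all: `$email_sql = mysqli_real_escape_string($db_conn, $email);`. The transaction this block precedes continues outside the hunk.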
@@ -128,8 +141,75 @@
 mysqli_free_result($rs);
- $sql = "UPDATE user_reginfo SET name = '" . mysqli_real_escape_string($db_conn, $realname) .
- "', birthday = '$year-$month-$day', signup_ip='" . client_addr() .
+ // Update email
+ if ($old_email != $email)
+ {
+ $sql = "SELECT UID FROM user_pubinfo WHERE email = '$email'";
+
+ $rs = mysqli_query($db_conn, $sql);
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Query user email error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+
+ if (mysqli_num_rows($rs) >= $BBS_max_user_per_email)
+ {
+ $result_set["return"]["code"] = -1;
+ array_push($result_set["return"]["errorFields"], array(
+ "id" => "email",
+ "errMsg" => "该邮箱的使用次数已超过限制",
+ ));
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+ mysqli_free_result($rs);
+
+ // Generate verify code
+ $verify_code = gen_passwd(10);
+
+ $sql = "INSERT INTO user_modify_email_verify (UID, email, verify_code, dt, ip) VALUES(" .
+ $_SESSION["BBS_uid"] . ", '$email', '$verify_code', NOW(), '" . client_addr() . "')";
+
+ $rs = mysqli_query($db_conn, $sql);
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Update email error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+
+ //Send mail
+ $from = "";
+ $fromname = $BBS_name;
+ $to = $email;
+ $toname = $_SESSION["BBS_username"];
+ $subject = $BBS_name . "修改邮件地址确认";
+ $body = $_SESSION["BBS_username"] . ":\n 您好!\n" .
+ " 请访问以下链接确认更改注册邮件地址:\n" .
+ "https://$BBS_host_name/bbs/modify_email_verify.php?code=$verify_code\n\n" .
+ " 感谢您的大力支持!\n\n" .
+ $BBS_name . "\n" . date("Y年m月d日") . "\n";
+
+ $ret = send_mail($from, $fromname, $to, $toname, $subject, $body, $db_conn);
+ if ($ret == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Add email error: " .
mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+ }
+
+ $sql = "UPDATE user_reginfo SET name = '$realname',
+ birthday = '$year-$month-$day', signup_ip='" . client_addr() .
 "' WHERE UID = " . $_SESSION["BBS_uid"];
 $rs = mysqli_query($db_conn, $sql);
@@ -171,12 +251,12 @@
 //Send mail
 $from = "";
 $fromname = $BBS_name;
- $to = $email;
+ $to = $old_email;
 $toname = $_SESSION["BBS_username"];
 $subject = $BBS_name . "用户资料更改通知";
 $body = $_SESSION["BBS_username"] . ":\n 您好!\n" .
 " 您在本站的注册资料已经于" . date("Y年m月d日 H:i:s") . "更改。\n" .
- " 为了您的个人资料的安全,如果此情况与事实不符,请与我们联系。\n\n" .
+ " 为了您的个人资料的安全,如果此情况与事实不符,请立即与我们联系。\n\n" .
 $BBS_name . "\n" . date("Y年m月d日") . "\n";
 $ret = send_mail($from, $fromname, $to, $toname, $subject, $body, $db_conn);
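Review bot: `$email` is interpolated raw into both `SELECT UID FROM user_pubinfo WHERE email = '$email'` and the `INSERT INTO user_modify_email_verify` statement in the -128 hunk, while `$realname` in the same file goes through `mysqli_real_escape_string()`; the only thing keeping quote characters out of these literals is the format regex in the -48 hunk, so any later relaxation of that pattern (RFC 5322 permits `'` in a local part) turns this into SQL injection. Bind the value with `mysqli_prepare()`/`mysqli_stmt_bind_param()` as below (needs mysqlnd for `mysqli_stmt_get_result()`), or at minimum add `$email = mysqli_real_escape_string($db_conn, $email);` before the comparison. The verification token comes from `gen_passwd(10)`, whose implementation is not visible; since this value alone authorises the address change, confirm it is drawn from `random_int()`/`random_bytes()` rather than `rand()`/`mt_rand()` and that `user_modify_email_verify` rows are expired. The `$old_email != $email` comparison should be `!==`, and the `if ($ret == false)` branch reports `Add email error`, which reads like a copy of the earlier message and should say the confirmation mail could not be sent. The transaction these statements run in is opened outside the hunk.
```php
// … unchanged: if ($old_email != $email) { …
$stmt = mysqli_prepare($db_conn, "SELECT UID FROM user_pubinfo WHERE email = ?");
if ($stmt == false || !mysqli_stmt_bind_param($stmt, "s", $email) || !mysqli_stmt_execute($stmt))
{
    // … unchanged: -2 "Query user email error" exit path …
}
$rs = mysqli_stmt_get_result($stmt);
// … unchanged: per-email user limit, verify code generation …
$ip = client_addr();
$stmt = mysqli_prepare($db_conn,
    "INSERT INTO user_modify_email_verify (UID, email, verify_code, dt, ip) VALUES(?, ?, ?, NOW(), ?)");
if ($stmt == false || !mysqli_stmt_bind_param($stmt, "isss", $_SESSION["BBS_uid"], $email, $verify_code, $ip) || !mysqli_stmt_execute($stmt))
{
    // … unchanged: -2 "Update email error" exit path …
}
// … unchanged: confirmation mail …
```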