--- fenglin/bbs/update_profile_service.php 2025/03/31 14:15:24 1.1 +++ fenglin/bbs/update_profile_service.php 2025/04/23 04:51:55 1.8 @@ -1,23 +1,26 @@ - array( @@ -30,6 +33,23 @@ header("Content-Type:application/json; charset=utf-8"); // Validate input data + if ($nickname == "" || preg_match("/[[:space:]]/", $nickname) || str_length($nickname) > 20) + { + $result_set["return"]["code"] = -1; + array_push($result_set["return"]["errorFields"], array( + "id" => "nickname", + "errMsg" => "不符合格式要求", + )); + } + else if (!check_str($nickname) && !$_SESSION["BBS_priv"]->checklevel(P_ADMIN_M | P_ADMIN_S)) + { + $result_set["return"]["code"] = -1; + array_push($result_set["return"]["errorFields"], array( + "id" => "nickname", + "errMsg" => "昵称不可用", + )); + } + if ($realname == "" || preg_match("/[\t\r\n]/", $realname) || str_length($realname) > 10) { $result_set["return"]["code"] = -1; @@ -48,6 +68,15 @@ )); } + if (!preg_match("/^[A-Za-z0-9_.-]+@([A-Za-z0-9-]+[.])+[A-Za-z0-9-]+$/", $email)) + { + $result_set["return"]["code"] = -1; + array_push($result_set["return"]["errorFields"], array( + "id" => "email", + "errMsg" => "不符合格式要求", + )); + } + if (!checkdate($month, $day, $year)) { $result_set["return"]["code"] = -1; @@ -80,6 +109,10 @@ exit(json_encode($result_set)); } + // Secure SQL statement + $nickname = mysqli_real_escape_string($db_conn, $nickname); + $realname = mysqli_real_escape_string($db_conn, $realname); + // Begin transaction $rs = mysqli_query($db_conn, "SET autocommit=0"); if ($rs == false) @@ -101,7 +134,8 @@ exit(json_encode($result_set)); } - $sql = "SELECT email FROM user_pubinfo WHERE UID = " . $_SESSION["BBS_uid"]; + $sql = "SELECT nickname, email FROM user_pubinfo WHERE UID = " . $_SESSION["BBS_uid"] . + " FOR UPDATE"; $rs = mysqli_query($db_conn, $sql); if ($rs == false) 
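Review bot: The whitespace check on the new nickname branch, `preg_match("/[[:space:]]/", $nickname)`, rejects blanks but lets other control bytes (NUL, ESC, backspace) through into a value that the later hunk stores in `user_nickname` and `user_pubinfo`; widening it to `preg_match("/[[:space:][:cntrl:]]/", $nickname)` closes that gap without changing the intended rule. The empty test `$nickname == ""` should be `$nickname === ''` so the comparison is strict. The `else if` branch lets admins bypass `check_str` entirely, which looks intentional but deserves a comment such as `// Admins may set nicknames that check_str would reject`. `str_length` appears to be a project helper, so whether its limit of 20 counts bytes or characters is not visible here.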
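Review bot: The e-mail pattern ends in `$` without the `D` modifier, and in PCRE a bare `$` also matches just before a trailing newline, so an otherwise valid address followed by "\n" passes this check and is then interpolated into SQL and used as the verify-mail recipient in the later hunk. Anchoring with `\z` or adding `D`, `"/^[A-Za-z0-9_.-]+@([A-Za-z0-9-]+[.])+[A-Za-z0-9-]+$/D"`, makes the check exact. This regex is also the only thing keeping `$email` safe inside the string-built queries further down, since it is never passed through `mysqli_real_escape_string`; the character class happens to exclude quotes and backslashes, which is worth a comment so a future relaxation of the pattern does not silently open an injection path.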
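Review bot: Escaping `$nickname` in place here means the later comparison `$old_nickname != $nickname` (hunk at -128) compares the escaped input against the raw stored value, so if `check_str` admits `'` or `\` a nickname that did not change is still reported as changed and the nickname-change path rewrites the history rows. Keep the raw value for the comparison and use the escaped copy only in SQL, e.g. `$nickname_sql = mysqli_real_escape_string($db_conn, $nickname);`. `$realname` is only used in the UPDATE, so escaping it here is harmless; `$email` is not escaped at all and relies solely on the format regex from the earlier hunk, so either add `$email = mysqli_real_escape_string($db_conn, $email);` alongside these two or, better, move the queries to prepared statements, which removes this ordering concern entirely.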
@@ -113,9 +147,10 @@ exit(json_encode($result_set)); } - if($row = mysqli_fetch_array($rs)) + if ($row = mysqli_fetch_array($rs)) { - $email = $row["email"]; + $old_nickname = $row["nickname"]; + $old_email = $row["email"]; } else { 
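Review bot: `$old_nickname` and `$old_email` are read via `mysqli_fetch_array`, which builds both numeric and associative keys; since only the associative keys are used, `mysqli_fetch_assoc($rs)` states the intent. If `nickname` can be NULL in `user_pubinfo`, `$old_nickname` is null and the later `$old_nickname != $nickname` comparison treats any non-empty input as a change, which may be what is wanted but deserves a comment. The `else` branch that opens at the end of this hunk continues outside it.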
@@ -128,8 +163,175 @@ mysqli_free_result($rs); - $sql = "UPDATE user_reginfo SET name = '" . mysqli_real_escape_string($db_conn, $realname) . - "', birthday = '$year-$month-$day', signup_ip='" . client_addr() . + // Update nickname + if ($old_nickname != $nickname) + { + $sql = "SELECT DISTINCT UID FROM user_nickname WHERE nickname = '$nickname'"; + + $rs = mysqli_query($db_conn, $sql); + if ($rs == false) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Query nickname error: " . mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + + $free_change = false; + if ($row = mysqli_fetch_array($rs)) + { + if ($row["UID"] == $_SESSION["BBS_uid"]) // Re-use old nickname + { + $free_change = true; + } + else // Unavailable nickname + { + $result_set["return"]["code"] = -1; + array_push($result_set["return"]["errorFields"], array( + "id" => "nickname", + "errMsg" => "昵称已存在", + )); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + } + mysqli_free_result($rs); + + if (!$free_change) + { + $ret = score_change($_SESSION["BBS_uid"], -abs($BBS_nickname_change_fee), "更改昵称", $db_conn); + if ($ret < 0) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Query score error: " . mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + else if ($ret > 0) + { + $result_set["return"]["code"] = -1; + array_push($result_set["return"]["errorFields"], array( + "id" => "nickname", + "errMsg" => "积分不足", + )); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + } + + $sql = "UPDATE user_nickname SET end_dt = NOW(), end_reason = 'C' + WHERE UID = " . $_SESSION["BBS_uid"] . " AND end_dt IS NULL"; + + $rs = mysqli_query($db_conn, $sql); + if ($rs == false) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Update old nickname error: " . 
mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + + $sql = "INSERT INTO user_nickname(UID, nickname, begin_dt, begin_reason) + VALUES(" . $_SESSION["BBS_uid"] . ", '$nickname', NOW(), 'C')"; + + $rs = mysqli_query($db_conn, $sql); + if ($rs == false) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Insert new nickname error: " . mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + + $sql = "UPDATE user_pubinfo SET nickname = '$nickname' WHERE UID = " . + $_SESSION["BBS_uid"]; + + $rs = mysqli_query($db_conn, $sql); + if ($rs == false) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Update nickname error: " . mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + } + + // Update email + if ($old_email != $email) + { + $sql = "SELECT UID FROM user_pubinfo WHERE email = '$email' FOR SHARE"; + + $rs = mysqli_query($db_conn, $sql); + if ($rs == false) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Query user email error: " . mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + + if (mysqli_num_rows($rs) >= $BBS_max_user_per_email) + { + $result_set["return"]["code"] = -1; + array_push($result_set["return"]["errorFields"], array( + "id" => "email", + "errMsg" => "该邮箱的使用次数已超过限制", + )); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + mysqli_free_result($rs); + + // Generate verify code + $verify_code = gen_passwd(10); + + $sql = "INSERT INTO user_modify_email_verify (UID, email, verify_code, dt, ip) VALUES(" . + $_SESSION["BBS_uid"] . ", '$email', '$verify_code', NOW(), '" . client_addr() . "')"; + + $rs = mysqli_query($db_conn, $sql); + if ($rs == false) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Update email error: " . 
mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + + //Send mail + $from = ""; + $fromname = $BBS_name; + $to = $email; + $toname = $_SESSION["BBS_username"]; + $subject = $BBS_name . "修改邮件地址确认"; + $body = $_SESSION["BBS_username"] . ":\n 您好!\n" . + " 请访问以下链接确认更改注册邮件地址:\n" . + "https://$BBS_host_name/bbs/modify_email_verify.php?code=$verify_code\n\n" . + " 感谢您的大力支持!\n\n" . + $BBS_name . "\n" . date("Y年m月d日") . "\n"; + + $ret = send_mail($from, $fromname, $to, $toname, $subject, $body, $db_conn); + if ($ret == false) + { + $result_set["return"]["code"] = -2; + $result_set["return"]["message"] = "Add email error: " . mysqli_error($db_conn); + + mysqli_close($db_conn); + exit(json_encode($result_set)); + } + } + + $sql = "UPDATE user_reginfo SET name = '$realname', + birthday = '$year-$month-$day', signup_ip='" . client_addr() . "' WHERE UID = " . $_SESSION["BBS_uid"]; $rs = mysqli_query($db_conn, $sql); @@ -171,12 +373,12 @@ //Send mail $from = ""; $fromname = $BBS_name; - $to = $email; + $to = $old_email; $toname = $_SESSION["BBS_username"]; $subject = $BBS_name . "用户资料更改通知"; - $body = $_SESSION["BBS_username"] . ":\n 您好!\n". - " 您在本站的注册资料已经于" . date("Y年m月d日 H:i:s") . "更改。\n". - " 为了您的个人资料的安全,如果此情况与事实不符,请与我们联系。\n\n". + $body = $_SESSION["BBS_username"] . ":\n 您好!\n" . + " 您在本站的注册资料已经于" . date("Y年m月d日 H:i:s") . "更改。\n" . + " 为了您的个人资料的安全,如果此情况与事实不符,请立即与我们联系。\n\n" . $BBS_name . "\n" . date("Y年m月d日") . "\n"; $ret = send_mail($from, $fromname, $to, $toname, $subject, $body, $db_conn);
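Review bot: The availability check on the new nickname reads only the first row of `SELECT DISTINCT UID FROM user_nickname WHERE nickname = '$nickname'`; when that row belongs to the current user, `$free_change` is set and any further rows for other UIDs are never examined, so a nickname another user also holds (the query does not filter on `end_dt`, so historical and current holders both count) can be re-claimed for free and inserted alongside theirs. Changing `if ($row = mysqli_fetch_array($rs))` to `while ($row = mysqli_fetch_array($rs))` makes the existing branch body reject on any foreign UID; without an ORDER BY the row order is unspecified, so the current behaviour is order-dependent rather than guaranteed. The `FOR UPDATE` taken earlier locks only this user's `user_pubinfo` row, so two users choosing the same new nickname concurrently are not serialised by it; a uniqueness guarantee at the database level on the active nickname, or `FOR UPDATE` on this SELECT, would make the check authoritative. `$verify_code = gen_passwd(10)` is the sole proof of mailbox ownership for the e-mail change, so it should come from a CSPRNG (`random_int`/`random_bytes`) — confirm what gen_passwd uses.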
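Review bot: Sending the change notification to `$old_email` rather than the submitted address is the right choice, since it reaches the mailbox the account owner still controls. The body is generic, though: when the request also changes the e-mail address, the notice to the old mailbox does not say so, which is the one case where the owner most needs to react, so consider appending a sentence stating that a change of the registered e-mail address was requested when `$old_email != $email`. `$from = ""` is repeated here and in the verify mail above; a single shared value would keep the sender consistent.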