/[LeafOK_CVS]/fenglin/bbs/user_service_update_pref.php

Annotation of /fenglin/bbs/user_service_update_pref.php



Revision 1.6 - (hide annotations)
Thu Nov 6 03:19:46 2025 UTC (4 months, 1 week ago) by sysadm
Branch: MAIN
Changes since 1.5: +36 -42 lines
Refine validation of input data

<?php
// Endpoint: update the logged-in user's public profile preferences (timezone, photo,
// introduction, signatures) from a POST request and answer with a JSON result set.
// Include order is kept as-is: the later includes appear to depend on the earlier ones.
require_once "../lib/db_open.inc.php";     // NOTE(review): presumably opens $db_conn used below — confirm
require_once "../lib/lml.inc.php";         // LML(), used by check_input_data()
require_once "../lib/str_process.inc.php"; // presumably check_badwords() / split_line() — confirm
require_once "./session_init.inc.php";     // $_SESSION["BBS_uid"] / ["BBS_user_tz"] are read and written below
require_once "./check_sub.inc.php";

// Rejects unauthenticated requests; presumably redirects or exits — confirm in the included files.
force_login();
9    
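/**
 * Validate one free-text preference field, recording any problem in $result_set.
 *
 * Checks, in order:
 *   1. check_badwords() must leave the text unchanged. If it filtered anything, the
 *      filtered text is sent back as "updateValue" so the form can show it.
 *   2. After LML() rendering at width 80, split_line() with a 256-character line
 *      limit and $max_line_cnt lines must also leave the text unchanged, i.e. the
 *      content is within the length limits.
 *
 * On failure "return.code" is set to -1 and an entry {id, errMsg, updateValue} is
 * appended to "return.errorFields"; nothing else in $result_set is touched.
 * check_badwords(), LML() and split_line() are assumed to return strings (the
 * original loose comparison already relied on that).
 *
 * @param string $input_str    Text as submitted (CRLF already normalised by the caller).
 * @param string $id_str       Form field id echoed back in the errorFields entry.
 * @param array  $result_set   Response structure, updated in place on failure.
 * @param int    $max_line_cnt Maximum number of rendered lines allowed.
 * @return bool true when both checks pass.
 */
function check_input_data(string $input_str, string $id_str, array &$result_set, int $max_line_cnt) : bool
{
    $filtered_str = check_badwords($input_str, "****");
    // Strict comparison: "!=" treats numeric-looking strings as equal by value.
    if ($filtered_str !== $input_str) {
        // "[]=" creates errorFields when the caller passed a bare array, where array_push() would throw.
        $result_set["return"]["code"] = -1;
        $result_set["return"]["errorFields"][] = [
            "id" => $id_str,
            "errMsg" => "非法内容已被过滤",
            "updateValue" => $filtered_str,
        ];

        return false;
    }

    $rendered_str = LML($input_str, 80);
    if (split_line($rendered_str, "", 256, $max_line_cnt) !== $rendered_str) {
        $result_set["return"]["code"] = -1;
        $result_set["return"]["errorFields"][] = [
            "id" => $id_str,
            "errMsg" => "内容超过长度限制",
            "updateValue" => $input_str,
        ];

        return false;
    }

    return true;
}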
40    
// Read the submitted preferences. Absent fields fall back to "" (or 0 for the photo id);
// CRLF line endings in the free-text fields are normalised to LF before validation.
// NOTE(review): a field submitted as an array (name[]) is passed through unchanged here — confirm callers.
$user_tz = $_POST["user_tz"] ?? "";
$photo = intval($_POST["photo"] ?? 0);
$introduction = str_replace("\r\n", "\n", $_POST["introduction"] ?? "");
$sign_1 = str_replace("\r\n", "\n", $_POST["sign_1"] ?? "");
$sign_2 = str_replace("\r\n", "\n", $_POST["sign_2"] ?? "");
$sign_3 = str_replace("\r\n", "\n", $_POST["sign_3"] ?? "");
47    
// JSON response skeleton. In this file "code" is 0 on success, -1 for a validation
// failure (details in "errorFields") and -2 for a server-side error (text in "message").
$result_set = [
    "return" => [
        "code" => 0,
        "message" => "",
        "errorFields" => [],
    ],
];

header("Content-Type:application/json; charset=utf-8");
57    
// Validate input data: the timezone must be a name PHP itself knows, because it is
// stored as-is and later handed to new DateTimeZone().
$known_timezones = DateTimeZone::listIdentifiers();
$tz_is_known = in_array($user_tz, $known_timezones, true);
if (!$tz_is_known) {
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = [
        "id" => "user_tz",
        "errMsg" => "不存在的时区",
    ];
}
68    
// Run every free-text field through the same checks; each failure appends its own
// errorFields entry, so the client sees all problems at once.
$text_fields = [
    "introduction" => $introduction,
    "sign_1" => $sign_1,
    "sign_2" => $sign_2,
    "sign_3" => $sign_3,
];
foreach ($text_fields as $field_id => $field_text) {
    check_input_data($field_text, $field_id, $result_set, 10);
}

// Stop before touching the upload or the database if anything was rejected.
if ($result_set["return"]["code"] !== 0) {
    mysqli_close($db_conn);
    exit(json_encode($result_set));
}
80    
// Validate photo file: at most one may be sent. $_FILES['photo_file'] is expected in the
// multi-file (array) form, so 'error' holds one entry per file.
// NOTE(review): if the form ever submits a plain (non-array) photo_file, count() receives
// an int and throws on PHP 8 — confirm the form always uses photo_file[].
$photo_file_count = 0;
if (isset($_FILES['photo_file']['error'])) {
    $photo_file_count = count($_FILES['photo_file']['error']);
}

if ($photo_file_count > 1) {
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = [
        "id" => "photo_file",
        "errMsg" => "只能上传单个文件",
    ];

    mysqli_close($db_conn);
    exit(json_encode($result_set));
}
94    
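// Store photo file (at most one; enforced above). Every rejection answers immediately with
// code -1 and an errorFields entry; only a failed move_uploaded_file() is a server error (-2).
// Limits: 16 KiB on disk and 120x120 pixels; the bytes must sniff as an allowed image type.
$max_photo_bytes = 1024 * 16;
$max_photo_side = 120;
// Client-supplied extensions accepted as a first, cheap filter.
$allowed_extensions = ["bmp", "gif", "jpg", "jpeg", "png", "tif", "tiff"];
// Detected MIME type -> canonical extension used for the stored file and for photo_ext.
$mime_to_ext = [
    'bmp' => 'image/x-ms-bmp',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'tif' => 'image/tiff',
];

// Record a validation failure for the photo field, close the DB and end the request.
$reject_photo = function (string $err_msg) use (&$result_set, $db_conn) {
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = [
        "id" => "photo_file",
        "errMsg" => $err_msg,
    ];

    mysqli_close($db_conn);
    exit(json_encode($result_set));
};

for ($i = 0; $i < $photo_file_count; $i++) {
    if (!isset($_FILES['photo_file']['error'][$i]) || $_FILES['photo_file']['error'][$i] !== UPLOAD_ERR_OK) {
        $reject_photo("上传文件错误");
    }

    $filesize = $_FILES['photo_file']['size'][$i];
    $filename = $_FILES['photo_file']['name'][$i];
    $tmp_path = $_FILES['photo_file']['tmp_name'][$i];

    // An empty upload (no file chosen) is skipped; $ext stays unset in that case.
    if ($filesize <= 0) {
        continue;
    }

    if ($filesize > $max_photo_bytes) {
        $reject_photo("文件大小超过限制");
    }

    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_extensions, true)) {
        $reject_photo("不支持的文件扩展名");
    }

    // The authoritative check is on the content, not the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime_type = $finfo->file($tmp_path);
    $real_ext = array_search($mime_type, $mime_to_ext, true);
    if ($real_ext === false) {
        $reject_photo("不支持的文件格式");
    }
    // Name the stored file (and photo_ext, written by the UPDATE below) after the detected
    // type rather than the client's filename, so the extension on disk always matches the
    // bytes; this also folds "jpeg"/"tiff" into "jpg"/"tif".
    $ext = $real_ext;

    // getimagesize() returns false when the data cannot be parsed as an image.
    $size = getimagesize($tmp_path);
    if ($size === false) {
        $reject_photo("分析文件出错");
    }

    if ($size[0] > $max_photo_side || $size[1] > $max_photo_side) {
        $reject_photo("图片尺寸超过限制");
    }

    // One file per user; a new upload overwrites the previous one.
    $file_path = "images/face/upload_photo/face_" . $_SESSION["BBS_uid"] . "." . $ext;

    if (!move_uploaded_file($tmp_path, $file_path)) {
        $result_set["return"]["code"] = -2;
        $result_set["return"]["message"] = "Copy file error";

        mysqli_close($db_conn);
        exit(json_encode($result_set));
    }
}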
209    
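// Persist the preferences with a prepared statement. Values are bound, not interpolated, so
// the text fields are no longer passed through mysqli_real_escape_string() (escaping AND
// binding would store the escape backslashes literally). $user_tz was validated against
// DateTimeZone::listIdentifiers() and $ext comes from the fixed allowlist above, but binding
// them as well costs nothing.
$set_clause = "user_timezone = ?, introduction = ?, sign_1 = ?, sign_2 = ?, sign_3 = ?, ";
$bind_types = "sssss";
$bind_values = [$user_tz, $introduction, $sign_1, $sign_2, $sign_3];

// A photo was only stored when the upload loop reached move_uploaded_file(), which is also
// where $ext gets set; an empty upload is skipped there and must not mark a photo as present.
if ($photo_file_count > 0 && isset($ext)) {
    $set_clause .= "photo = 999, photo_enable = 0, photo_ext = ?";
    $bind_types .= "s";
    $bind_values[] = $ext;
} else {
    $set_clause .= "photo = ?";
    $bind_types .= "i";
    $bind_values[] = $photo;
}

// BBS_uid was compared unquoted against UID before, so it is the numeric user id.
$bind_types .= "i";
$bind_values[] = (int) $_SESSION["BBS_uid"];

$sql = "UPDATE user_pubinfo SET " . $set_clause . " WHERE UID = ?";

// With mysqli's strict report mode (the default on recent PHP versions) these calls throw
// instead of returning false; that exception is not caught here, as before.
$stmt = mysqli_prepare($db_conn, $sql);
$update_ok = $stmt !== false
    && mysqli_stmt_bind_param($stmt, $bind_types, ...$bind_values)
    && mysqli_stmt_execute($stmt);
if (!$update_ok) {
    $db_error = ($stmt === false) ? mysqli_error($db_conn) : mysqli_stmt_error($stmt);
    $result_set["return"]["code"] = -2;
    $result_set["return"]["message"] = "Update data error: " . $db_error;

    mysqli_close($db_conn);
    exit(json_encode($result_set));
}
mysqli_stmt_close($stmt);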
230    
// Update user_tz in session data so later requests use the timezone just stored.
$session_tz = new DateTimeZone($user_tz);
$_SESSION["BBS_user_tz"] = $session_tz;

// Success response: code 0, no errorFields.
$response_body = json_encode($result_set);
mysqli_close($db_conn);
exit($response_body);
