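$j){ $_POST[$i] = urldecode($j); } }
// (The fragment above is the tail of a loop whose head lies before this
// listing; it is kept verbatim.)

// Front controller: every handler reads its input straight from $_GET/$_POST
// and writes its reply ("&key=value&" pairs, or XML) to the output.
// NOTE(review): no handler in this file performs an authentication or
// authorisation check, so any caller can load, modify or reset the customer
// id it names; if a session/auth layer exists, it is not visible here.
// Requires PHP 7+ (null-coalescing operator). Unknown actions are ignored
// silently, as before.
$action = $_GET['action'] ?? '';
switch ($action) {
    case "loadCustomer":
        // the query uses %d anyway; the cast only avoids an undefined-index
        // notice when id is missing
        loadCustomer((int) ($_GET['id'] ?? 0));
        break;
    case "loadOrders":
        loadOrders((int) ($_GET['id'] ?? 0));
        break;
    case "login":
        login();
        break;
    case "register":
        register();
        break;
    case "registerLoose":
        registerLoose();
        break;
    case "save":
        update();
        break;
    case "changePassword":
        changePassword();
        break;
    case "lockEmail":
        lockEmail();
        break;
    case "retrieveAccessData":
        retrieveAccessData();
        break;
    case "checkRegistration":
        checkRegistration();
        break;
}

/** loads customer data
 * @param id customer id */
############################################
function loadCustomer($id){
############################################
    // %d casts the id to an integer, so it is safe to interpolate
    $query = sprintf("SELECT * FROM bruckm_ticketcustomer WHERE id = %d", $id);
    // presumably returns a mysqli result (mysqli_fetch_array is used on it)
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // NOTE(review): the XML payload strings are empty in this copy of the
    // file (the element markup was probably lost when the listing was
    // extracted) and $line is never used below — verify against the source.
    $xml = '';
    $xml .= '';
    header('Content-Type: text/xml');
    echo $xml;
}

/** loads all orders of the customer
 * @param id customer id */
############################################
function loadOrders($id){
############################################
    $query = sprintf("SELECT id, orderDate, dateId FROM bruckm_ticketorder WHERE customerId = %d ORDER BY orderDate DESC", $id);
    $result = dbQuery($query);
    // NOTE(review): as in loadCustomer, the XML markup strings are empty in
    // this copy and each fetched $line is unused — verify against the source.
    $xml = '';
    $xml .= '';
    while ($line = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
        $xml .= '';
    }
    $xml .= '';
    header('Content-Type: text/xml');
    echo $xml;
}

/** login
 * Reads id and password from $_POST and answers with one of
 * &result=ok&, &result=locked&, &result=invalidPassword&, &result=invalidId& */
############################################
function login(){
############################################
    $id = $_POST['id'] ?? '';
    $password = $_POST['password'] ?? '';
    $query = sprintf("SELECT id,password,locked FROM bruckm_ticketcustomer WHERE id = %d AND loose = 'false'", sqlnum($id));
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    if (!$line) {
        echo "&result=invalidId&";
        return;
    }
    if ($line['locked'] === "true") {
        echo "&result=locked&";
        return;
    }
    // Strict, constant-time comparison. The original `==` on two hex digests
    // is subject to PHP's numeric-string juggling (digests of the form
    // "0e..." compare equal to each other).
    // Stored hashes are unsalted MD5 (written by register/changePassword/
    // retrieveAccessData); moving to password_hash()/password_verify() needs a
    // coordinated change of all writers and of the stored data.
    if (hash_equals((string) $line['password'], md5($password))) {
        echo "&result=ok&";
        return;
    }
    echo "&result=invalidPassword&";
}

/** registers a new user */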
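############################################
function register(){
############################################
    checkMagicQuotes();
    // check if e-mail is locked
    $query = sprintf("SELECT * FROM bruckm_ticketlocked WHERE email = %s", sqlstring($_POST['email']));
    $result = dbQuery($query);
    // mysqli_num_rows replaces mysql_num_rows (ext/mysql, removed in PHP 7);
    // $result is a mysqli result, as the mysqli_fetch_array calls in this file show
    if (mysqli_num_rows($result) > 0) {
        echo "&result=locked&";
        return;
    }
    // check if customer exists
    $query = sprintf("SELECT id FROM bruckm_ticketcustomer WHERE email = %s AND surname = %s AND firstname = %s AND loose = 'false' LIMIT 1",
        sqlstring($_POST['email']), sqlstring($_POST['surname']), sqlstring($_POST['firstname']));
    $result = dbQuery($query);
    if (mysqli_num_rows($result) > 0) {
        echo "&result=exists&";
        return;
    }
    // register new customer
    // NOTE(review): the `info` column receives $_POST['newsletter'] a second
    // time (update() does the same); this looks like a copy-paste slip —
    // confirm which request field is meant before changing it.
    // The password is stored as unsalted MD5 because login() compares against
    // that; switching to password_hash() needs all writers changed together.
    $query = sprintf("INSERT INTO bruckm_ticketcustomer (email, surname, firstname, address, zip, city, country, phone, acad, gender, newsletter, info, password, creationDate, changeDate) VALUES (%s, %s, %s, %s, %d, %s, %s, %s, %s, %s, %s, %s, %s, NOW(), NOW())",
        sqlstring($_POST['email']), sqlstring($_POST['surname']), sqlstring($_POST['firstname']), sqlstring($_POST['address']),
        sqlnum($_POST['zip']), sqlstring($_POST['city']), sqlstring($_POST['country']), sqlstring($_POST['phone']),
        sqlstring($_POST['acad']), sqlstring($_POST['gender']), sqlstring($_POST['newsletter']), sqlstring($_POST['newsletter']),
        sqlstring(md5($_POST['password'])));
    dbQuery($query);
    // NOTE(review): mysql_insert_id() belongs to the removed ext/mysql; its
    // mysqli counterpart needs the connection handle, which dbQuery() does not
    // expose here — confirm how the handle is obtained before replacing it.
    $id = mysql_insert_id();
    // send registration mail
    $to = ticketMailRecipient($_POST['email']);
    $subject = "Registrierung: Ticketbestellung Bruckmühle";
    $from = "FROM: kulturhaus@bruckmuehle.at";
    $message = ticketMailSalutation($_POST['gender'], $_POST['firstname'], $_POST['surname']);
    $message .= "um Ihre Registrierung für die Ticketbestellung Kulturhaus Bruckmühle zu bestätigen, ";
    $message .= "klicken Sie bitte auf folgenden Link (oder in den Browser kopieren):\n\n";
    // NOTE(review): the confirmation link carries only the sequential id and
    // the e-mail address, no random token; confirm that the confirm action in
    // register.php cannot be completed without access to that mailbox.
    $message .= "http://www.bruckmuehle.at/tickets/register.php?action=confirm&email=" . urlencode($_POST['email']) . "&id=" . sprintf("%08d", $id) . "\n";
    $message .= "(Sollte Ihr E-Mail Programm einen Zeilenumbruch in der URL gemacht haben, fügen Sie bitte beide Teile in der Adressleiste Ihres Browsers zusammen!)\n\n";
    $message .= "In Zukunft können Sie sich mit Ihrer Kundennummer " . sprintf("%08d", $id) . " und dem von Ihnen gewählten Passwort einloggen und die Bestellung bequem vornehmen: \n\n";
    $message .= "Sie können Ihre Daten jederzeit unter der URL http://www.bruckmuehle.at/tickets/edit.php ändern!\n\n";
    $message .= ticketMailSignature();
    // @ kept deliberately: a mail() warning would be printed into the
    // "&result=...&" response body that the client parses
    @mail($to, $subject, $message, $from);
    echo "&result=ok&id=$id&";
}

/** registers a loose user (saves to database, but user cannot login himself - only for internal use) */
############################################
function registerLoose(){
############################################
    checkMagicQuotes();
    // build where clause from the given fields: surname and firstname are
    // always matched, the other fields only narrow the match when non-empty
    $where = "surname = " . sqlstring($_POST['surname']) . " ";
    $where .= "AND firstname = " . sqlstring($_POST['firstname']) . " ";
    if (!empty($_POST['email'])) {
        $where .= "AND email = " . sqlstring($_POST['email']) . " ";
    }
    if (!empty($_POST['address'])) {
        $where .= "AND address = " . sqlstring($_POST['address']) . " ";
    }
    if (!empty($_POST['city'])) {
        $where .= "AND city = " . sqlstring($_POST['city']) . " ";
    }
    if (!empty($_POST['zip'])) {
        $where .= "AND zip = " . sqlnum($_POST['zip']) . " ";
    }
    // check if customer exists
    $query = "SELECT id FROM bruckm_ticketcustomer WHERE " . $where . "LIMIT 1";
    $result = dbQuery($query);
    if ($line = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
        echo "&result=ok&id=" . $line['id'] . "&";
        return;
    }
    // register new customer
    $query = sprintf("INSERT INTO bruckm_ticketcustomer (email, surname, firstname, address, zip, city, country, phone, acad, gender, newsletter, creationDate, loose, locked) VALUES (%s, %s, %s, %s, %d, %s, %s, %s, %s, %s, %s, NOW(), 'true', 'false')",
        sqlstring($_POST['email']), sqlstring($_POST['surname']), sqlstring($_POST['firstname']), sqlstring($_POST['address']),
        sqlnum($_POST['zip']), sqlstring($_POST['city']), sqlstring($_POST['country']), sqlstring($_POST['phone']),
        sqlstring($_POST['acad']), sqlstring($_POST['gender']), sqlstring($_POST['newsletter']));
    dbQuery($query);
    // see the note on mysql_insert_id() in register()
    $id = mysql_insert_id();
    echo "&result=ok&id=$id&";
}

/** checks if the customer has confirmed his registration */
############################################
function checkRegistration(){
############################################
    // check if customer exists
    $query = sprintf("SELECT locked FROM bruckm_ticketcustomer WHERE id = %d", sqlnum($_POST['id']));
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // an unknown id yields no row and, as before, falls through to "ok";
    // the guard only avoids indexing a non-array
    if ($line && $line['locked'] === "true") {
        echo "&result=locked&";
        return;
    }
    echo "&result=ok&";
}

/** saves changes */
############################################
function update(){
############################################
    checkMagicQuotes();
    // NOTE(review): `locked` is taken straight from the request, so the caller
    // decides its own lock state, and `info` again receives $_POST['newsletter']
    // (see register()). The id placeholder is now %d, matching every other
    // query in this file that is built with sqlnum() (it was %s).
    $query = sprintf("UPDATE bruckm_ticketcustomer SET email = %s, surname = %s, firstname = %s, address = %s, zip = %d, city = %s, country = %s, phone = %s, acad = %s, gender = %s, newsletter = %s, info = %s, locked = %s, changeDate = NOW() WHERE id = %d",
        sqlstring($_POST['email']), sqlstring($_POST['surname']), sqlstring($_POST['firstname']), sqlstring($_POST['address']),
        sqlnum($_POST['zip']), sqlstring($_POST['city']), sqlstring($_POST['country']), sqlstring($_POST['phone']),
        sqlstring($_POST['acad']), sqlstring($_POST['gender']), sqlstring($_POST['newsletter']), sqlstring($_POST['newsletter']),
        sqlstring($_POST['locked']), sqlnum($_POST['id']));
    dbQuery($query);
    echo "&result=ok";
}

/** changes the customer's password */
############################################
function changePassword(){
############################################
    // NOTE(review): neither the current password nor any proof of identity is
    // required here; the target id comes from the request and no
    // authorisation check is visible in this file.
    $query = sprintf("UPDATE bruckm_ticketcustomer SET password = %s WHERE id = %d", sqlstring(md5($_POST['password'])), sqlnum($_POST['id']));
    dbQuery($query);
    echo "&result=ok&";
}

/** locks the customer's email address */
############################################
function lockEmail(){
############################################
    $query = sprintf("SELECT * FROM bruckm_ticketlocked WHERE email = %s", sqlstring($_POST['email']));
    $result = dbQuery($query);
    // already locked: nothing to do, but report ok as before
    if (mysqli_num_rows($result) > 0) {
        echo "&result=ok&";
        return;
    }
    $query = sprintf("INSERT INTO bruckm_ticketlocked (email) VALUES (%s)", sqlstring($_POST['email']));
    dbQuery($query);
    echo "&result=ok";
}

/** sends the access data to the customer's email when he has forgotton id or password */
############################################
function retrieveAccessData(){
############################################
    checkMagicQuotes();
    // search for customer
    $query = sprintf("SELECT id,gender FROM bruckm_ticketcustomer WHERE email = %s AND surname = %s AND firstname = %s AND loose = 'false'",
        sqlstring($_POST['email']), sqlstring($_POST['surname']), sqlstring($_POST['firstname']));
    $result = dbQuery($query);
    if (mysqli_num_rows($result) === 0) {
        echo "&result=notFound&";
        return;
    }
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // create new password: still 6-10 hex characters, but from the CSPRNG
    // instead of substr(md5(time()), rand(), rand()), whose value was
    // predictable from the time of the request.
    // NOTE(review): the stored password is replaced before the mail goes out,
    // so anyone who knows a customer's e-mail and name can invalidate that
    // customer's password; a token-based reset flow would avoid the lockout.
    $password = ticketTemporaryPassword();
    $query = sprintf("UPDATE bruckm_ticketcustomer SET password = %s WHERE id = %d", sqlstring(md5($password)), sqlnum($line['id']));
    dbQuery($query);
    // send mail with access data
    $to = ticketMailRecipient($_POST['email']);
    $subject = "Zugangsdaten | Ticketbestellung Bruckmühle";
    // was the bare address "tickets@bruckmuehle.at": mail()'s fourth argument
    // is a raw header block, so it needs the "From:" header name
    $from = "From: tickets@bruckmuehle.at";
    $message = ticketMailSalutation($line['gender'], $_POST['firstname'], $_POST['surname']);
    $message .= "untenstehend finden Sie die von Ihnen angeforderten Zugangsdaten für die Ticketbestellung im Kulturhaus Bruckmühle Pregarten. ";
    $message .= "Es wurde ein neues Passwort für Sie generiert.\n\n";
    $message .= "Kundennr.: " . sprintf("%08d", $line['id']) . "\n";
    $message .= "Passwort: " . $password . "\n\n";
    $message .= "Bitte vergeben Sie nach dem Login ein neues Passwort!\n\n";
    $message .= ticketMailSignature();
    // @ kept deliberately: a mail() warning would corrupt the response body
    @mail($to, $subject, $message, $from);
    echo "&result=ok";
}

/** builds the German salutation line used in the customer mails
 * @param gender "f" (Frau), "m" (Herr); anything else gives the neutral form
 * @param firstname customer's first name
 * @param surname customer's surname
 * @return string salutation including the trailing ", \n\n" */
############################################
function ticketMailSalutation($gender, $firstname, $surname){
############################################
    if ($gender === "f") {
        return "Sehr geehrte Frau " . $firstname . " " . $surname . ", \n\n";
    }
    if ($gender === "m") {
        return "Sehr geehrter Herr " . $firstname . " " . $surname . ", \n\n";
    }
    return "Sehr geehrte(r) " . $firstname . " " . $surname . ", \n\n";
}

/** closing lines and company signature shared by the customer mails
 * @return string */
############################################
function ticketMailSignature(){
############################################
    return "Mit freundlichen Grüßen,\n"
        . "Ihr Bruckmühle Team\n\n"
        . "__________________________________________\n\n"
        . "Kulturhaus Pregarten Bruckmühle\n"
        . "Bahnhofstraße 12\n"
        . "4230 Pregarten\n"
        . "E-mail: kulturhaus@bruckmuehle.at\n"
        . "http://www.kulturhaus-bruckmuehle.at\n\n"
        . "UID: ATU 49258501\n"
        . "FB: FN 190621a\n"
        . "DVR: 0550868\n"
        . "__________________________________________";
}

/** prepares a request-supplied address for mail(): CR/LF are removed so the
 * value cannot terminate the header it is placed in
 * @param email address as received from the client
 * @return string */
############################################
function ticketMailRecipient($email){
############################################
    return str_replace(["\r", "\n"], '', (string) $email);
}

/** generates a temporary password of 6-10 lowercase hex characters
 * (random_int/random_bytes, PHP 7+)
 * @return string */
############################################
function ticketTemporaryPassword(){
############################################
    $length = random_int(6, 10);
    // 5 random bytes give exactly 10 hex characters, the maximum length
    return substr(bin2hex(random_bytes(5)), 0, $length);
}

/** checks for magic quotes and strips slashes, if magic quotes are on */
##########################################
function checkMagicQuotes(){
##########################################
    // get_magic_quotes_gpc() was removed in PHP 8.0 (magic quotes themselves
    // went away in 5.4); the function_exists guard keeps this file loadable
    // there and turns the call into a no-op
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        foreach ($_POST as $key => $value) {
            $_POST[$key] = stripslashes($value);
        }
    }
}
?>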