<?php
/** loads and saves customer data
 *
 * @version 2.0.0
 * @since 2008-02-13
 * @author Martin Lenzelbauer
 */

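define("ROOT", "../");
require_once(ROOT."include/config.inc.php");
require_once(ROOT."include/db.inc.php");
require_once(ROOT."include/xml.inc.php");

// DEBUG convenience: mirror the query string into $_POST so that the POST-only
// actions below can be exercised from a browser address bar. PHP has already
// URL-decoded $_GET, so urldecode() here decodes a second time (a literal "%25"
// in a value arrives as "%"); kept as-is because existing debug links rely on it.
// This must stay off outside development: with DEBUG enabled every
// state-changing action (save, changePassword, lockEmail, ...) is reachable
// through a plain GET link, which defeats any POST-only assumption of the client.
if (DEBUG) {
    foreach ($_GET as $i => $j) {
        $_POST[$i] = urldecode($j);
    }
}

// Dispatch on the requested action. Each handler writes its own response
// (XML for the load* actions, "&key=value&" pairs for the others) and returns.
// None of the handlers performs server-side authentication or authorisation:
// the customer id that selects a record is taken verbatim from the request.
// A missing or unknown action deliberately produces no output, as before.
$action = isset($_GET['action']) ? $_GET['action'] : '';

switch ($action) {
    case "loadCustomer":
        // the id is cast with %d inside the handler, so a missing value reads as 0
        loadCustomer(isset($_GET['id']) ? $_GET['id'] : 0);
        break;
    case "loadOrders":
        loadOrders(isset($_GET['id']) ? $_GET['id'] : 0);
        break;
    case "login":
        login();
        break;
    case "register":
        register();
        break;
    case "registerLoose":
        registerLoose();
        break;
    case "save":
        update();
        break;
    case "changePassword":
        changePassword();
        break;
    case "lockEmail":
        lockEmail();
        break;
    case "retrieveAccessData":
        retrieveAccessData();
        break;
    case "checkRegistration":
        checkRegistration();
        break;
    default:
        break;
}
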
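/** loads customer data
 *
 * Emits an XML document holding one <customer .../> element whose attributes
 * mirror the columns of bruckm_ticketcustomer. When no row matches the id an
 * empty <customer /> element is written instead of attributes filled from an
 * undefined row. Every attribute value, including the flag columns, is passed
 * through xmlstring() because the table is written with client-supplied data
 * by update() and the register* actions.
 *
 * @param id customer id (cast to an integer by %d, so it is safe in the query)
 */
############################################
function loadCustomer($id){
############################################

    $query = sprintf("SELECT * FROM bruckm_ticketcustomer WHERE id = %d", $id);
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);

    $xml = '<?xml version="1.0" encoding="utf-8"?>';

    if (!$line) {
        // unknown id: still a well-formed document so the client can parse it
        $xml .= '<customer />';
    } else {
        // attribute order is kept exactly as the client has always received it
        $columns = ['id', 'firstname', 'surname', 'email', 'address', 'zip', 'city',
                    'phone', 'country', 'gender', 'acad', 'locked', 'newsletter', 'loose'];
        $xml .= '<customer';
        foreach ($columns as $col) {
            // NULL columns become "" just as string concatenation did before
            $value = isset($line[$col]) ? $line[$col] : '';
            $xml .= ' ' . $col . '="' . xmlstring($value) . '"';
        }
        $xml .= ' />';
    }

    header('Content-Type: text/xml');
    echo $xml;
}
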
/** loads all orders of the customer
 *
 * Emits <orders> with one <order id dateid timestamp /> child per row of
 * bruckm_ticketorder, newest orderDate first. timestamp is orderDate run
 * through strtotime(), so a date strtotime() cannot parse yields an empty
 * attribute.
 *
 * @param id customer id (cast to an integer by %d)
 */
############################################
function loadOrders($id){
############################################

    $sql = sprintf(
        "SELECT id, orderDate, dateId FROM bruckm_ticketorder WHERE customerId = %d ORDER BY orderDate DESC",
        $id
    );
    $rows = dbQuery($sql);

    // collect one element per row, then glue them together once
    $orders = [];
    while ($row = mysqli_fetch_assoc($rows)) {
        $orders[] = sprintf(
            '<order id="%s" dateid="%s" timestamp="%s" />',
            $row['id'],
            $row['dateId'],
            strtotime($row['orderDate'])
        );
    }

    $document = '<?xml version="1.0" encoding="utf-8"?>'
        . '<orders>' . implode('', $orders) . '</orders>';

    header('Content-Type: text/xml');
    echo $document;
}

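/** login
 *
 * Reads id and password from $_POST and answers with exactly one of
 * "&result=ok&", "&result=locked&", "&result=invalidPassword&" or
 * "&result=invalidId&". Only regular accounts (loose = 'false') can log in.
 *
 * Stored passwords are unsalted MD5 digests (written by register(),
 * changePassword() and retrieveAccessData()). The digest comparison uses
 * hash_equals() instead of "==": PHP's loose comparison treats two hex
 * strings of the form "0e<digits>" as equal numbers, and hash_equals() is
 * constant-time. No session is established here; the other actions trust
 * the id they are sent, so only the client enforces that a login happened.
 * The distinct invalidId / invalidPassword answers are part of the client
 * protocol, but they also let a caller tell existing ids from unused ones.
 */
############################################
function login(){
############################################

    $id = isset($_POST['id']) ? $_POST['id'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    $query = sprintf("SELECT id,password,locked FROM bruckm_ticketcustomer WHERE id = %d AND loose = 'false'", sqlnum($id));
    $result = dbQuery($query);

    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    if (!$line) {
        echo "&result=invalidId&";
        return;
    }

    if ($line['locked'] == "true") {
        echo "&result=locked&";
        return;
    }

    // (string) guards against a NULL password column, which hash_equals() rejects
    if (hash_equals((string) $line['password'], md5($password))) {
        echo "&result=ok&";
        return;
    }

    echo "&result=invalidPassword&";
}
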
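/** registers a new user
 *
 * Expects email, surname, firstname, address, zip, city, country, phone, acad,
 * gender, newsletter and password in $_POST. Answers "&result=locked&" for an
 * address listed in bruckm_ticketlocked, "&result=exists&" when a regular
 * account with the same e-mail and name exists, otherwise inserts the customer,
 * mails a confirmation link and answers "&result=ok&id=<id>&".
 *
 * A syntactically invalid e-mail address is rejected with
 * "&result=invalidEmail&" before anything is written; besides keeping junk
 * out of the table this keeps CR/LF out of the mail() recipient.
 *
 * Notes for maintainers:
 * - The password is stored as an unsalted MD5 digest because login() and
 *   retrieveAccessData() expect that format; moving to password_hash() must
 *   change all of them together.
 * - The confirmation link carries only the e-mail address and the sequential
 *   customer number, no random token, so it does not by itself prove mailbox
 *   ownership; register.php's confirm action is outside this file.
 * - mysqli_num_rows() replaces mysql_num_rows(): the result set is produced by
 *   the mysqli extension (it is read with mysqli_fetch_array() elsewhere), and
 *   the legacy function could not inspect it, so the locked/exists checks never
 *   fired. The new id is read with LAST_INSERT_ID(), which is per connection
 *   and independent of the extension db.inc.php uses, instead of
 *   mysql_insert_id().
 */
############################################
function register(){
############################################

    checkMagicQuotes();

    // read every field once; a missing field behaves like an empty string
    $p = [];
    foreach (['email', 'surname', 'firstname', 'address', 'zip', 'city', 'country',
              'phone', 'acad', 'gender', 'newsletter', 'password'] as $key) {
        $p[$key] = isset($_POST[$key]) ? $_POST[$key] : '';
    }

    if (filter_var($p['email'], FILTER_VALIDATE_EMAIL) === false) {
        echo "&result=invalidEmail&";
        return;
    }

    // check if e-mail is locked
    $query = sprintf("SELECT * FROM bruckm_ticketlocked WHERE email = %s", sqlstring($p['email']));
    $result = dbQuery($query);
    if (mysqli_num_rows($result) > 0) {
        echo "&result=locked&";
        return;
    }

    // check if customer exists
    $query = sprintf("SELECT id FROM bruckm_ticketcustomer WHERE email = %s AND surname = %s AND firstname = %s AND loose = 'false' LIMIT 1",
        sqlstring($p['email']),
        sqlstring($p['surname']),
        sqlstring($p['firstname']));
    $result = dbQuery($query);
    if (mysqli_num_rows($result) > 0) {
        echo "&result=exists&";
        return;
    }

    // register new customer
    // NOTE(review): the `info` column receives the newsletter flag (the newsletter
    // value was always passed twice); kept so the stored data does not change,
    // but confirm whether the form is meant to send a separate `info` field.
    $query = sprintf("INSERT INTO bruckm_ticketcustomer
        (email, surname, firstname, address, zip, city, country, phone, acad, gender, newsletter, info, password, creationDate, changeDate)
        VALUES (%s, %s, %s, %s, %d, %s, %s, %s, %s, %s, %s, %s, %s, NOW(), NOW())",
        sqlstring($p['email']),
        sqlstring($p['surname']),
        sqlstring($p['firstname']),
        sqlstring($p['address']),
        sqlnum($p['zip']),
        sqlstring($p['city']),
        sqlstring($p['country']),
        sqlstring($p['phone']),
        sqlstring($p['acad']),
        sqlstring($p['gender']),
        sqlstring($p['newsletter']),
        sqlstring($p['newsletter']),
        sqlstring(md5($p['password'])));
    dbQuery($query);

    $idRow = mysqli_fetch_row(dbQuery("SELECT LAST_INSERT_ID()"));
    $id = $idRow ? (int) $idRow[0] : 0;
    $customerNo = sprintf("%08d", $id);

    // send registration mail
    $to = $p['email'];
    $subject = "Registrierung: Ticketbestellung Bruckmühle";
    $from = "FROM: kulturhaus@bruckmuehle.at";

    $fullName = $p['firstname'] . " " . $p['surname'];
    if ($p['gender'] == "f") {
        $message = "Sehr geehrte Frau " . $fullName . ", \n\n";
    } elseif ($p['gender'] == "m") {
        $message = "Sehr geehrter Herr " . $fullName . ", \n\n";
    } else {
        $message = "Sehr geehrte(r) " . $fullName . ", \n\n";
    }
    $message .= "um Ihre Registrierung für die Ticketbestellung Kulturhaus Bruckmühle zu bestätigen, ";
    $message .= "klicken Sie bitte auf folgenden Link (oder in den Browser kopieren):\n\n";
    $message .= "http://www.bruckmuehle.at/tickets/register.php?action=confirm&email=" . urlencode($p['email']) . "&id=" . $customerNo . "\n";
    $message .= "(Sollte Ihr E-Mail Programm einen Zeilenumbruch in der URL gemacht haben, fügen Sie bitte beide Teile in der Adressleiste Ihres Browsers zusammen!)\n\n";
    $message .= "In Zukunft können Sie sich mit Ihrer Kundennummer " . $customerNo . " und dem von Ihnen gewählten Passwort einloggen und die Bestellung bequem vornehmen: \n\n";
    $message .= "Sie können Ihre Daten jederzeit unter der URL http://www.bruckmuehle.at/tickets/edit.php ändern!\n\n";
    $message .= "Mit freundlichen Grüßen,\n";
    $message .= "Ihr Bruckmühle Team\n\n";

    $message .= "__________________________________________\n\n";
    $message .= "Kulturhaus Pregarten Bruckmühle\n";
    $message .= "Bahnhofstraße 12\n";
    $message .= "4230 Pregarten\n";
    $message .= "E-mail: kulturhaus@bruckmuehle.at\n";
    $message .= "http://www.kulturhaus-bruckmuehle.at\n\n";
    $message .= "UID: ATU 49258501\n";
    $message .= "FB: FN 190621a\n";
    $message .= "DVR: 0550868\n";
    $message .= "__________________________________________";

    // the warning suppression is deliberate: a warning from the mail transport
    // would otherwise be printed into the "&result=...&" response body
    @mail($to, $subject, $message, $from);

    echo "&result=ok&id=$id&";
}
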
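/** registers a loose user (saves to database, but user cannot login himself - only for internal use)
 *
 * Looks for an existing customer by surname and firstname plus whichever of
 * email, address, city and zip were posted non-empty; answers
 * "&result=ok&id=<id>&" with the existing id, otherwise inserts a row with
 * loose = 'true' (no password) and answers the same way with the new id.
 *
 * "Only for internal use" is not enforced here: the script does not check who
 * is calling, so anyone who can reach it can create loose records. The new
 * id is read with LAST_INSERT_ID() (per connection, independent of the
 * extension db.inc.php uses) instead of the legacy mysql_insert_id().
 */
############################################
function registerLoose(){
############################################

    checkMagicQuotes();

    // read every field once; a missing field behaves like an empty string
    $p = [];
    foreach (['email', 'surname', 'firstname', 'address', 'zip', 'city', 'country',
              'phone', 'acad', 'gender', 'newsletter'] as $key) {
        $p[$key] = isset($_POST[$key]) ? $_POST[$key] : '';
    }

    // build where clause from the given fields (column names are literals
    // from the list below, only the values come from the request)
    $where = "surname = " . sqlstring($p['surname']) . " ";
    $where .= "AND firstname = " . sqlstring($p['firstname']) . " ";
    foreach (['email', 'address', 'city'] as $column) {
        if (!empty($p[$column])) {
            $where .= "AND " . $column . " = " . sqlstring($p[$column]) . " ";
        }
    }
    if (!empty($p['zip'])) {
        $where .= "AND zip = " . sqlnum($p['zip']) . " ";
    }

    // check if customer exists
    $query = "SELECT id FROM bruckm_ticketcustomer WHERE " . $where . "LIMIT 1";
    $result = dbQuery($query);
    if ($line = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
        echo "&result=ok&id=" . $line['id'] . "&";
        return;
    }

    // register new customer
    $query = sprintf("INSERT INTO bruckm_ticketcustomer
        (email, surname, firstname, address, zip, city, country, phone, acad, gender, newsletter, creationDate, loose, locked)
        VALUES (%s, %s, %s, %s, %d, %s, %s, %s, %s, %s, %s, NOW(), 'true', 'false')",
        sqlstring($p['email']),
        sqlstring($p['surname']),
        sqlstring($p['firstname']),
        sqlstring($p['address']),
        sqlnum($p['zip']),
        sqlstring($p['city']),
        sqlstring($p['country']),
        sqlstring($p['phone']),
        sqlstring($p['acad']),
        sqlstring($p['gender']),
        sqlstring($p['newsletter']));
    dbQuery($query);

    $idRow = mysqli_fetch_row(dbQuery("SELECT LAST_INSERT_ID()"));
    $id = $idRow ? (int) $idRow[0] : 0;
    echo "&result=ok&id=$id&";
}
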
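/** checks if the customer has confirmed his registration
 *
 * Only the `locked` column of the row selected by $_POST['id'] is inspected:
 * "&result=locked&" when it is "true", "&result=ok&" otherwise. An id with
 * no row used to fall through to "ok" (reading a field of a missing row);
 * it now answers "&result=notFound&", the same token retrieveAccessData()
 * uses for an unknown customer.
 */
############################################
function checkRegistration(){
############################################

    $id = isset($_POST['id']) ? $_POST['id'] : '';

    // check if customer exists
    $query = sprintf("SELECT locked FROM bruckm_ticketcustomer WHERE id = %d", sqlnum($id));
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);

    if (!$line) {
        echo "&result=notFound&";
        return;
    }
    if ($line['locked'] == "true") {
        echo "&result=locked&";
        return;
    }
    echo "&result=ok&";
}
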
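/** saves changes
 *
 * Overwrites the editable columns of the customer row selected by
 * $_POST['id'] with the posted values and answers "&result=ok" (this action
 * has never sent the trailing "&" the other actions send; left unchanged so
 * the client sees the same bytes).
 *
 * Notes for maintainers:
 * - The request carries no proof that the caller owns the record; any id can
 *   be updated by anyone who can reach this script. A server-side session
 *   check (an id stored at login()) is the missing piece; it is not added
 *   here because login() does not start a session yet.
 * - The `locked` flag is taken from the client as well, so the client can set
 *   or clear it; the confirmation flow in register.php appears to rely on
 *   that (outside this file) — confirm before restricting it.
 * - `info` receives the newsletter flag, as it always has; confirm whether a
 *   separate `info` field is intended.
 * - The id is bound with %d (it was %s), matching the other queries.
 */
############################################
function update(){
############################################

    checkMagicQuotes();

    // read every field once; a missing field behaves like an empty string
    $p = [];
    foreach (['email', 'surname', 'firstname', 'address', 'zip', 'city', 'country',
              'phone', 'acad', 'gender', 'newsletter', 'locked', 'id'] as $key) {
        $p[$key] = isset($_POST[$key]) ? $_POST[$key] : '';
    }

    $query = sprintf("UPDATE bruckm_ticketcustomer SET email = %s, surname = %s, firstname = %s, address = %s, zip = %d, city = %s,
        country = %s, phone = %s, acad = %s, gender = %s, newsletter = %s, info = %s, locked = %s, changeDate = NOW()
        WHERE id = %d",
        sqlstring($p['email']),
        sqlstring($p['surname']),
        sqlstring($p['firstname']),
        sqlstring($p['address']),
        sqlnum($p['zip']),
        sqlstring($p['city']),
        sqlstring($p['country']),
        sqlstring($p['phone']),
        sqlstring($p['acad']),
        sqlstring($p['gender']),
        sqlstring($p['newsletter']),
        sqlstring($p['newsletter']),
        sqlstring($p['locked']),
        sqlnum($p['id']));
    dbQuery($query);

    echo "&result=ok";
}
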
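/** changes the customer's password
 *
 * Replaces the password of the row selected by $_POST['id'] with the MD5
 * digest of $_POST['password'] and answers "&result=ok&".
 *
 * Notes for maintainers: nothing here verifies that the caller is the owner
 * of the id (no session, no current-password check), so any customer's
 * password can be replaced by anyone who can reach this script; a
 * server-side session established by login() is the missing piece. The
 * unsalted MD5 storage is kept because login() compares against exactly
 * that; moving to password_hash()/password_verify() must change login(),
 * register(), retrieveAccessData() and this function together.
 */
############################################
function changePassword(){
############################################

    $id = isset($_POST['id']) ? $_POST['id'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    $query = sprintf("UPDATE bruckm_ticketcustomer SET password = %s WHERE id = %d",
        sqlstring(md5($password)),
        sqlnum($id));
    dbQuery($query);

    echo "&result=ok&";
}
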
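/** locks the customer's email address
 *
 * Adds $_POST['email'] to bruckm_ticketlocked unless it is already listed
 * and answers "&result=ok&" (already listed) or "&result=ok" (newly added;
 * the differing trailing "&" is kept so the client sees the same bytes).
 * register() refuses addresses in that table.
 *
 * mysqli_num_rows() replaces mysql_num_rows(): the result set comes from the
 * mysqli extension, and the legacy function could not inspect it, so the
 * duplicate check never fired and every call inserted another row.
 *
 * Note for maintainers: nothing checks who is calling, so any address can be
 * locked by anyone who can reach this script, which blocks registration for
 * that address until the row is removed. This action needs a server-side
 * authorisation check.
 */
############################################
function lockEmail(){
############################################

    $email = isset($_POST['email']) ? $_POST['email'] : '';

    $query = sprintf("SELECT * FROM bruckm_ticketlocked WHERE email = %s", sqlstring($email));
    $result = dbQuery($query);
    if (mysqli_num_rows($result) > 0) {
        echo "&result=ok&";
        return;
    }

    $query = sprintf("INSERT INTO bruckm_ticketlocked (email) VALUES (%s)", sqlstring($email));
    dbQuery($query);

    echo "&result=ok";
}
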
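/** sends the access data to the customer's email when he has forgotten id or password
 *
 * Looks up the regular account matching email, surname and firstname, stores
 * a freshly generated password, mails customer number and password to the
 * posted address and answers "&result=ok"; "&result=notFound&" when nothing
 * matches or the address is not a syntactically valid e-mail address (the
 * check also keeps CR/LF out of the mail() recipient, and it runs before the
 * password is replaced so an unsendable reset does not lock the customer out).
 *
 * Notes for maintainers:
 * - The new password is 10 hex characters from random_bytes(). The previous
 *   derivation, substr(md5(time()), rand(0,23), rand(6,10)), depended only on
 *   the request second and a non-cryptographic RNG, so it was guessable by
 *   anyone who could trigger a reset.
 * - A reset can be triggered by anyone who knows a customer's e-mail address
 *   and name; the current password is overwritten immediately even though
 *   only the mailbox owner receives the new one. A confirmation link before
 *   replacing the password would avoid that lockout.
 * - The password is stored as an unsalted MD5 digest because login() expects
 *   that format.
 * - mysqli_num_rows() replaces mysql_num_rows() (the result set comes from
 *   mysqli), and the From header now carries the "From:" field name; a bare
 *   address is not a valid header line for mail()'s additional_headers.
 */
############################################
function retrieveAccessData(){
############################################

    checkMagicQuotes();

    $p = [];
    foreach (['email', 'surname', 'firstname'] as $key) {
        $p[$key] = isset($_POST[$key]) ? $_POST[$key] : '';
    }

    // search for customer
    $query = sprintf("SELECT id,gender FROM bruckm_ticketcustomer WHERE email = %s AND surname = %s AND firstname = %s AND loose = 'false'",
        sqlstring($p['email']),
        sqlstring($p['surname']),
        sqlstring($p['firstname']));
    $result = dbQuery($query);
    if (mysqli_num_rows($result) == 0) {
        echo "&result=notFound&";
        return;
    }
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);

    $to = $p['email'];
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        echo "&result=notFound&";
        return;
    }

    // create new password
    $password = bin2hex(random_bytes(5));

    $query = sprintf("UPDATE bruckm_ticketcustomer SET password = %s WHERE id = %d",
        sqlstring(md5($password)),
        sqlnum($line['id']));
    dbQuery($query);

    // send mail with access data
    $subject = "Zugangsdaten | Ticketbestellung Bruckmühle";
    $from = "From: tickets@bruckmuehle.at";

    $fullName = $p['firstname'] . " " . $p['surname'];
    if ($line['gender'] == "m") {
        $message = "Sehr geehrter Herr " . $fullName . ", \n\n";
    } elseif ($line['gender'] == "f") {
        $message = "Sehr geehrte Frau " . $fullName . ", \n\n";
    } else {
        $message = "Sehr geehrte(r) " . $fullName . ", \n\n";
    }
    $message .= "untenstehend finden Sie die von Ihnen angeforderten Zugangsdaten für die Ticketbestellung im Kulturhaus Bruckmühle Pregarten. ";
    $message .= "Es wurde ein neues Passwort für Sie generiert.\n\n";
    $message .= "Kundennr.: " . sprintf("%08d", $line['id']) . "\n";
    $message .= "Passwort: " . $password . "\n\n";
    $message .= "Bitte vergeben Sie nach dem Login ein neues Passwort!\n\n";
    $message .= "Mit freundlichen Grüßen,\n";
    $message .= "Ihr Bruckmühle Team\n\n";

    $message .= "__________________________________________\n\n";
    $message .= "Kulturhaus Pregarten Bruckmühle\n";
    $message .= "Bahnhofstraße 12\n";
    $message .= "4230 Pregarten\n";
    $message .= "E-mail: kulturhaus@bruckmuehle.at\n";
    $message .= "http://www.kulturhaus-bruckmuehle.at\n\n";
    $message .= "UID: ATU 49258501\n";
    $message .= "FB: FN 190621a\n";
    $message .= "DVR: 0550868\n";
    $message .= "__________________________________________";

    // the warning suppression is deliberate: a warning from the mail transport
    // would otherwise be printed into the "&result=...&" response body
    @mail($to, $subject, $message, $from);

    echo "&result=ok";
}
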
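/** checks for magic quotes and strips slashes, if magic quotes are on
 *
 * magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself
 * no longer exists in PHP 8, so the lookup is guarded with function_exists()
 * to keep the script loadable; on any PHP still in use this is a no-op.
 * Only string values are unslashed: stripslashes() applied to a nested array
 * would replace it with null.
 */
##########################################
function checkMagicQuotes(){
##########################################

    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return;
    }
    foreach ($_POST as $i => $j) {
        if (is_string($j)) {
            $_POST[$i] = stripslashes($j);
        }
    }
}
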
?>