bm/public_html/public/tickets/customer.php
2025-09-24 13:26:28 +02:00


<?php
/** loads and saves customer data
*
* @version 2.0.0
* @since 2008-02-13
* @author Martin Lenzelbauer
*/
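define("ROOT", "../");
require_once(ROOT."include/config.inc.php");
require_once(ROOT."include/db.inc.php");
require_once(ROOT."include/xml.inc.php");
// DEBUG only: mirror the query string into $_POST so every action can be
// driven from a browser address bar. If DEBUG is ever left on in production,
// any GET link (an <img> on a foreign page is enough) can trigger the
// state-changing actions below, so keep it off outside development.
if (DEBUG) {
    foreach ($_GET as $key => $value) {
        $_POST[$key] = urldecode($value);
    }
}
// Dispatch on ?action=...; a missing or unknown action produces no output
// (previously a missing action raised an undefined-index notice first).
// None of the handlers authenticates the caller — the customer id is taken
// from the request as-is; see the individual function comments.
$action = isset($_GET['action']) ? $_GET['action'] : '';
$customerId = isset($_GET['id']) ? $_GET['id'] : null;
switch ($action) {
    case "loadCustomer":
        loadCustomer($customerId);
        break;
    case "loadOrders":
        loadOrders($customerId);
        break;
    case "login":
        login();
        break;
    case "register":
        register();
        break;
    case "registerLoose":
        registerLoose();
        break;
    case "save":
        update();
        break;
    case "changePassword":
        changePassword();
        break;
    case "lockEmail":
        lockEmail();
        break;
    case "retrieveAccessData":
        retrieveAccessData();
        break;
    case "checkRegistration":
        checkRegistration();
        break;
    default:
        // unknown action: nothing to do
        break;
}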
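/** loads customer data and answers with a single XML <customer .../> element
 *
 * No login, session or ownership check is made: the record is selected by
 * whatever id arrives in the query string, so any caller can read any
 * customer's contact data by walking the (sequential) ids. Tying this to the
 * authenticated customer is the open security item for this endpoint.
 *
 * @param id customer id; interpolated with %d, so only an integer reaches the query
 */
############################################
function loadCustomer($id){
############################################
    $query = sprintf("SELECT * FROM bruckm_ticketcustomer WHERE id = %d", $id);
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    header('Content-Type: text/xml');
    $xml = '<?xml version="1.0" encoding="utf-8"?>';
    if (!$line) {
        // unknown id: answer with an empty element instead of one whose
        // attributes are all "" (built from undefined-index notices)
        echo $xml . '<customer />';
        return;
    }
    // Every column goes through xmlstring(). gender, acad, locked, newsletter
    // and loose are written straight from POST input (see register()/update()),
    // so a quote in them would otherwise break the document or inject attributes.
    // NOTE(review): assumes xmlstring() leaves plain digits unchanged — confirm in xml.inc.php.
    $attributes = array(
        'id' => $line['id'],
        'firstname' => $line['firstname'],
        'surname' => $line['surname'],
        'email' => $line['email'],
        'address' => $line['address'],
        'zip' => $line['zip'],
        'city' => $line['city'],
        'phone' => $line['phone'],
        'country' => $line['country'],
        'gender' => $line['gender'],
        'acad' => $line['acad'],
        'locked' => $line['locked'],
        'newsletter' => $line['newsletter'],
        'loose' => $line['loose'],
    );
    $xml .= '<customer';
    foreach ($attributes as $name => $value) {
        $xml .= ' ' . $name . '="' . xmlstring($value) . '"';
    }
    $xml .= ' />';
    echo $xml;
}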
/** loads all orders of the customer as an XML <orders> list
 *
 * Like loadCustomer() this trusts the id from the query string without any
 * ownership check, so the order history of any customer is readable.
 * NOTE(review): id and dateId are emitted unescaped — presumably numeric
 * columns; verify before relying on that.
 *
 * @param id customer id; interpolated with %d, so only an integer reaches the query
 */
############################################
function loadOrders($id){
############################################
    $query = sprintf("SELECT id, orderDate, dateId FROM bruckm_ticketorder WHERE customerId = %d ORDER BY orderDate DESC", $id);
    $result = dbQuery($query);
    $orders = array();
    while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
        // orderDate comes back as a DB date string; the client wants a unix timestamp
        $orders[] = sprintf('<order id="%s" dateid="%s" timestamp="%s" />',
            $row['id'], $row['dateId'], strtotime($row['orderDate']));
    }
    header('Content-Type: text/xml');
    echo '<?xml version="1.0" encoding="utf-8"?>' . '<orders>' . implode('', $orders) . '</orders>';
}
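/** login: validates the posted customer id + password
 *
 * Answers &result=ok&, &result=locked&, &result=invalidPassword& or
 * &result=invalidId&. Loose (internal-only) records cannot log in.
 *
 * Passwords are stored as unsalted MD5 (see register()/changePassword()/
 * retrieveAccessData()), which offline guessing breaks quickly; moving to
 * password_hash()/password_verify() needs all writers and this check changed
 * together. There is also no attempt limit or delay, so online guessing is
 * unthrottled.
 */
############################################
function login(){
############################################
    $query = sprintf("SELECT id,password,locked FROM bruckm_ticketcustomer WHERE id = %d AND loose = 'false'", sqlnum($_POST['id']));
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    if (!$line) {
        echo "&result=invalidId&";
        return;
    }
    if ($line['locked'] === "true") {
        echo "&result=locked&";
        return;
    }
    // md5(null) is deprecated from PHP 8.1; an absent field hashes like ""
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    // hash_equals(): strict and constant-time. The previous `==` compared two
    // numeric-looking strings numerically, so a stored hash of the form "0e..."
    // matched any password whose MD5 also starts with "0e" (PHP type juggling).
    if (hash_equals((string)$line['password'], md5($password))) {
        echo "&result=ok&";
        return;
    }
    echo "&result=invalidPassword&";
}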
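/** registers a new user
 *
 * Rejects addresses listed in bruckm_ticketlocked and name+email combinations
 * that already exist, inserts the customer and mails a confirmation link.
 * Answers &result=locked&, &result=exists& or &result=ok&id=N&.
 *
 * Security notes:
 *  - the confirmation link carries only the email and the sequential id, no
 *    secret token, so it can be reconstructed without access to the mailbox
 *    (register.php?action=confirm lives outside this file);
 *  - the password is stored as unsalted MD5 and login() must keep matching that;
 *  - the posted recipient is refused if it contains CR/LF so it cannot inject
 *    additional mail headers.
 */
############################################
function register(){
############################################
    checkMagicQuotes();
    // check if e-mail is locked
    $query = sprintf("SELECT * FROM bruckm_ticketlocked WHERE email = %s", sqlstring($_POST['email']));
    $result = dbQuery($query);
    // mysqli_num_rows(): results here are mysqli results (they are read with
    // mysqli_fetch_array elsewhere in this file); mysql_num_rows() belongs to
    // the removed ext/mysql and is an undefined function on PHP 7+
    if (mysqli_num_rows($result) > 0) {
        echo "&result=locked&";
        return;
    }
    // check if customer exists
    $query = sprintf("SELECT id FROM bruckm_ticketcustomer WHERE email = %s AND surname = %s AND firstname = %s AND loose = 'false' LIMIT 1",
        sqlstring($_POST['email']),
        sqlstring($_POST['surname']),
        sqlstring($_POST['firstname']));
    $result = dbQuery($query);
    if (mysqli_num_rows($result) > 0) {
        echo "&result=exists&";
        return;
    }
    // register new customer
    // NOTE(review): the `info` column receives $_POST['newsletter'] a second
    // time (update() does the same); if that is a copy/paste slip it should be
    // $_POST['info'] — confirm against the client form before changing it.
    $query = sprintf("INSERT INTO bruckm_ticketcustomer
(email, surname, firstname, address, zip, city, country, phone, acad, gender, newsletter, info, password, creationDate, changeDate)
VALUES (%s, %s, %s, %s, %d, %s, %s, %s, %s, %s, %s, %s, %s, NOW(), NOW())",
        sqlstring($_POST['email']),
        sqlstring($_POST['surname']),
        sqlstring($_POST['firstname']),
        sqlstring($_POST['address']),
        sqlnum($_POST['zip']),
        sqlstring($_POST['city']),
        sqlstring($_POST['country']),
        sqlstring($_POST['phone']),
        sqlstring($_POST['acad']),
        sqlstring($_POST['gender']),
        sqlstring($_POST['newsletter']),
        sqlstring($_POST['newsletter']),
        sqlstring(md5($_POST['password'])));
    dbQuery($query);
    // NOTE(review): mysql_insert_id() is ext/mysql as well; the mysqli
    // equivalent needs the connection handle opened in db.inc.php — switch
    // once that handle's name is confirmed.
    $id = mysql_insert_id();
    // send registration mail
    $to = isset($_POST['email']) ? $_POST['email'] : '';
    $subject = "Registrierung: Ticketbestellung Bruckmühle";
    $from = "FROM: kulturhaus@bruckmuehle.at";
    $gender = isset($_POST['gender']) ? $_POST['gender'] : '';
    $message = "";
    if ($gender === "f") {
        $message = "Sehr geehrte Frau " . $_POST['firstname'] . " " . $_POST['surname'] . ", \n\n";
    } elseif ($gender === "m") {
        $message = "Sehr geehrter Herr " . $_POST['firstname'] . " " . $_POST['surname'] . ", \n\n";
    } else {
        $message = "Sehr geehrte(r) " . $_POST['firstname'] . " " . $_POST['surname'] . ", \n\n";
    }
    $message .= "um Ihre Registrierung für die Ticketbestellung Kulturhaus Bruckmühle zu bestätigen, ";
    $message .= "klicken Sie bitte auf folgenden Link (oder in den Browser kopieren):\n\n";
    $message .= "http://www.bruckmuehle.at/tickets/register.php?action=confirm&email=" . urlencode($_POST['email']) . "&id=" . sprintf("%08d", $id) . "\n";
    $message .= "(Sollte Ihr E-Mail Programm einen Zeilenumbruch in der URL gemacht haben, fügen Sie bitte beide Teile in der Adressleiste Ihres Browsers zusammen!)\n\n";
    $message .= "In Zukunft können Sie sich mit Ihrer Kundennummer " . sprintf("%08d", $id) . " und dem von Ihnen gewählten Passwort einloggen und die Bestellung bequem vornehmen: \n\n";
    $message .= "Sie können Ihre Daten jederzeit unter der URL http://www.bruckmuehle.at/tickets/edit.php ändern!\n\n";
    $message .= "Mit freundlichen Grüßen,\n";
    $message .= "Ihr Bruckmühle Team\n\n";
    $message .= "__________________________________________\n\n";
    $message .= "Kulturhaus Pregarten Bruckmühle\n";
    $message .= "Bahnhofstraße 12\n";
    $message .= "4230 Pregarten\n";
    $message .= "E-mail: kulturhaus@bruckmuehle.at\n";
    $message .= "http://www.kulturhaus-bruckmuehle.at\n\n";
    $message .= "UID: ATU 49258501\n";
    $message .= "FB: FN 190621a\n";
    $message .= "DVR: 0550868\n";
    $message .= "__________________________________________";
    // Sending stays best-effort (the record already exists), but the outcome
    // is logged instead of being dropped. A recipient containing a line break
    // is never handed to mail(), since it could smuggle extra headers. The @
    // is kept deliberately: a mailer warning must not leak into the response
    // body the client parses.
    if ($to === '' || preg_match('/[\r\n]/', $to)) {
        error_log("register: confirmation mail not sent, unusable recipient for customer id " . $id);
    } elseif (!@mail($to, $subject, $message, $from)) {
        error_log("register: mail() failed for customer id " . $id);
    }
    echo "&result=ok&id=$id&";
}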
/** registers a loose user (saves to database, but user cannot login himself - only for internal use)
 *
 * Looks for an existing customer matching the posted name plus whichever of
 * email, address, city and zip were supplied; reuses that id if found,
 * otherwise inserts a new record flagged loose='true'. Answers &result=ok&id=N&.
 *
 * NOTE(review): "only for internal use" is not enforced anywhere visible — the
 * dispatcher exposes this action without authentication, so anybody can create
 * customer records through it. mysql_insert_id() is ext/mysql (undefined on
 * PHP 7+); its mysqli replacement needs the connection handle from db.inc.php.
 */
############################################
function registerLoose(){
############################################
    checkMagicQuotes();
    // build the WHERE clause from the fields that were actually posted;
    // empty() also skips "0", as the original does
    $conditions = array(
        "surname = " . sqlstring($_POST['surname']),
        "firstname = " . sqlstring($_POST['firstname']),
    );
    foreach (array('email', 'address', 'city') as $field) {
        if (!empty($_POST[$field])) {
            $conditions[] = $field . " = " . sqlstring($_POST[$field]);
        }
    }
    if (!empty($_POST['zip'])) {
        $conditions[] = "zip = " . sqlnum($_POST['zip']);
    }
    $where = implode(" AND ", $conditions) . " ";
    // check if customer exists
    $query = "SELECT id FROM bruckm_ticketcustomer WHERE " . $where . "LIMIT 1";
    $result = dbQuery($query);
    $existing = mysqli_fetch_array($result, MYSQLI_ASSOC);
    if ($existing) {
        echo "&result=ok&id=" . $existing['id'] . "&";
        return;
    }
    // register new customer
    $query = sprintf("INSERT INTO bruckm_ticketcustomer
(email, surname, firstname, address, zip, city, country, phone, acad, gender, newsletter, creationDate, loose, locked)
VALUES (%s, %s, %s, %s, %d, %s, %s, %s, %s, %s, %s, NOW(), 'true', 'false')",
        sqlstring($_POST['email']),
        sqlstring($_POST['surname']),
        sqlstring($_POST['firstname']),
        sqlstring($_POST['address']),
        sqlnum($_POST['zip']),
        sqlstring($_POST['city']),
        sqlstring($_POST['country']),
        sqlstring($_POST['phone']),
        sqlstring($_POST['acad']),
        sqlstring($_POST['gender']),
        sqlstring($_POST['newsletter']));
    dbQuery($query);
    $id = mysql_insert_id();
    echo "&result=ok&id=$id&";
}
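/** checks if the customer has confirmed his registration
 *
 * Answers &result=locked& while the record is still locked (registration not
 * confirmed), &result=ok& once it is, and &result=invalidId& for an unknown
 * id — previously an unknown id fell through to "ok" because 'locked' was
 * read from a non-row. The id is taken from the request unauthenticated, but
 * only the confirmation state is disclosed.
 */
############################################
function checkRegistration(){
############################################
    // check if customer exists
    $query = sprintf("SELECT locked FROM bruckm_ticketcustomer WHERE id = %d", sqlnum($_POST['id']));
    $result = dbQuery($query);
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    if (!$line) {
        echo "&result=invalidId&";
        return;
    }
    if ($line['locked'] === "true") {
        echo "&result=locked&";
        return;
    }
    echo "&result=ok&";
}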
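/** saves changes posted for an existing customer record
 *
 * Answers "&result=ok" regardless of whether a row matched.
 *
 * Security notes (the fix needs a login/session concept this file does not
 * have, so only documented here):
 *  - the record is chosen by the posted id with no ownership check, so any
 *    caller can overwrite any customer's data;
 *  - `locked` is taken from the client as well, i.e. the flag that gates
 *    login() and checkRegistration() can be flipped by anyone.
 * NOTE(review): the `info` column receives $_POST['newsletter'] a second time
 * (register() does the same); if that is a copy/paste slip it should be
 * $_POST['info'] — confirm against the client form before changing it.
 */
############################################
function update(){
############################################
    checkMagicQuotes();
    // id uses %d like every other id in this file (it was %s), so only an
    // integer can ever reach the WHERE clause
    $query = sprintf("UPDATE bruckm_ticketcustomer SET email = %s, surname = %s, firstname = %s, address = %s, zip = %d, city = %s,
country = %s, phone = %s, acad = %s, gender = %s, newsletter = %s, info = %s, locked = %s, changeDate = NOW()
WHERE id = %d",
        sqlstring($_POST['email']),
        sqlstring($_POST['surname']),
        sqlstring($_POST['firstname']),
        sqlstring($_POST['address']),
        sqlnum($_POST['zip']),
        sqlstring($_POST['city']),
        sqlstring($_POST['country']),
        sqlstring($_POST['phone']),
        sqlstring($_POST['acad']),
        sqlstring($_POST['gender']),
        sqlstring($_POST['newsletter']),
        sqlstring($_POST['newsletter']),
        sqlstring($_POST['locked']),
        sqlnum($_POST['id']));
    dbQuery($query);
    echo "&result=ok";
}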
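/** changes the customer's password
 *
 * Id and new password both come from the client and nothing proves the caller
 * owns that id — the current password is not required and there is no
 * session — so this endpoint lets anybody set any customer's password. It
 * should at least demand the current password (as login() checks it) or a
 * prior login. Hashes stay unsalted MD5 for compatibility with login();
 * moving to password_hash() means changing every writer and login() together.
 */
############################################
function changePassword(){
############################################
    // md5(null) is deprecated from PHP 8.1; an absent field hashes like ""
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $query = sprintf("UPDATE bruckm_ticketcustomer SET password = %s WHERE id = %d",
        sqlstring(md5($password)),
        sqlnum($_POST['id']));
    dbQuery($query);
    echo "&result=ok&";
}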
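/** locks the customer's email address: adds it to bruckm_ticketlocked so register() refuses it
 *
 * Idempotent — an address already present is reported as ok. Like the other
 * actions it is reachable without authentication, so any caller can block any
 * address from registering; the posted value is SQL-escaped but not validated
 * as an address.
 */
############################################
function lockEmail(){
############################################
    $query = sprintf("SELECT * FROM bruckm_ticketlocked WHERE email = %s", sqlstring($_POST['email']));
    $result = dbQuery($query);
    // mysqli_num_rows(): the result is a mysqli result (this file reads them
    // with mysqli_fetch_array); mysql_num_rows() belongs to the removed
    // ext/mysql and is an undefined function on PHP 7+
    if (mysqli_num_rows($result) > 0) {
        echo "&result=ok&";
        return;
    }
    $query = sprintf("INSERT INTO bruckm_ticketlocked (email) VALUES (%s)", sqlstring($_POST['email']));
    dbQuery($query);
    echo "&result=ok";
}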
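/** sends the access data to the customer's email when he has forgotten id or password
 *
 * Flow: look the customer up by email + surname + firstname (loose records
 * excluded), store a freshly generated password for that record and mail the
 * customer number plus the new password to the address on file.
 * Answers &result=notFound& or &result=ok.
 *
 * Security notes:
 *  - the lookup key (name + email) is not secret, so anyone who knows it can
 *    reset somebody else's password; a one-time reset link mailed to the
 *    address on file is the recommended replacement;
 *  - the password is overwritten before the mail is sent, so a failed mail
 *    leaves the customer locked out — the failure is now at least logged;
 *  - the password is now drawn from the CSPRNG (PHP >= 7.0); the previous
 *    substr(md5(time()), rand(), rand()) was predictable from the request time.
 */
############################################
function retrieveAccessData(){
############################################
    checkMagicQuotes();
    // search for customer
    $query = sprintf("SELECT id,gender FROM bruckm_ticketcustomer WHERE email = %s AND surname = %s AND firstname = %s AND loose = 'false'",
        sqlstring($_POST['email']),
        sqlstring($_POST['surname']),
        sqlstring($_POST['firstname']));
    $result = dbQuery($query);
    // mysqli_num_rows(): the result is a mysqli result (read with
    // mysqli_fetch_array below); mysql_num_rows() belongs to the removed ext/mysql
    if (mysqli_num_rows($result) === 0) {
        echo "&result=notFound&";
        return;
    }
    $line = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // create new password: 6-10 hex characters, the same alphabet and length
    // range as before, but from random_bytes()/random_int()
    $password = substr(bin2hex(random_bytes(5)), 0, random_int(6, 10));
    $query = sprintf("UPDATE bruckm_ticketcustomer SET password = %s WHERE id = %d",
        sqlstring(md5($password)),
        sqlnum($line['id']));
    dbQuery($query);
    // send mail with access data
    $to = isset($_POST['email']) ? $_POST['email'] : '';
    $subject = "Zugangsdaten | Ticketbestellung Bruckmühle";
    // the additional header needs its field name (register() has it); a bare
    // address is a malformed header line
    $from = "From: tickets@bruckmuehle.at";
    $message = "";
    if ($line['gender'] === "m") {
        $message .= "Sehr geehrter Herr " . $_POST['firstname'] . " " . $_POST['surname'] . ", \n\n";
    } elseif ($line['gender'] === "f") {
        $message .= "Sehr geehrte Frau " . $_POST['firstname'] . " " . $_POST['surname'] . ", \n\n";
    } else {
        $message .= "Sehr geehrte(r) " . $_POST['firstname'] . " " . $_POST['surname'] . ", \n\n";
    }
    $message .= "untenstehend finden Sie die von Ihnen angeforderten Zugangsdaten für die Ticketbestellung im Kulturhaus Bruckmühle Pregarten. ";
    $message .= "Es wurde ein neues Passwort für Sie generiert.\n\n";
    $message .= "Kundennr.: " . sprintf("%08d", $line['id']) . "\n";
    $message .= "Passwort: " . $password . "\n\n";
    $message .= "Bitte vergeben Sie nach dem Login ein neues Passwort!\n\n";
    $message .= "Mit freundlichen Grüßen,\n";
    $message .= "Ihr Bruckmühle Team\n\n";
    $message .= "__________________________________________\n\n";
    $message .= "Kulturhaus Pregarten Bruckmühle\n";
    $message .= "Bahnhofstraße 12\n";
    $message .= "4230 Pregarten\n";
    $message .= "E-mail: kulturhaus@bruckmuehle.at\n";
    $message .= "http://www.kulturhaus-bruckmuehle.at\n\n";
    $message .= "UID: ATU 49258501\n";
    $message .= "FB: FN 190621a\n";
    $message .= "DVR: 0550868\n";
    $message .= "__________________________________________";
    // A recipient containing a line break is never handed to mail(), since it
    // could smuggle extra headers. The @ is kept deliberately: a mailer warning
    // must not leak into the response body the client parses; the outcome is
    // logged instead of being dropped.
    if ($to === '' || preg_match('/[\r\n]/', $to)) {
        error_log("retrieveAccessData: access-data mail not sent, unusable recipient for customer id " . $line['id']);
    } elseif (!@mail($to, $subject, $message, $from)) {
        error_log("retrieveAccessData: mail() failed for customer id " . $line['id']);
    }
    echo "&result=ok";
}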
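/** checks for magic quotes and strips slashes, if magic quotes are on
 *
 * magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself in
 * PHP 8.0, where calling it is a fatal "undefined function" error that takes
 * every POST action in this file down. The call is therefore only made on PHP
 * versions where magic quotes could actually be on; everywhere else this is a
 * no-op and $_POST is left untouched.
 */
##########################################
function checkMagicQuotes(){
##########################################
    if (PHP_VERSION_ID >= 50400 || !function_exists('get_magic_quotes_gpc')) {
        return;
    }
    if (get_magic_quotes_gpc()) {
        foreach ($_POST as $key => $value) {
            $_POST[$key] = stripslashes($value);
        }
    }
}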
?>