be accessed by normal users (not administrators).
* Move a few elements in the CSS file from the body tag. Suggestion by Gary McKinney
* Update FAQ about using php with no sql support.
* Allow the user to select between viewing FAQ,HOWTO or README in the help page.
* Use $_SERVER instead of $HTTP_SERVER_VARS
+Ver 1.75:
+* A LOT of security related fixes. Now dialupadmin should hopefully be secure enough to
+ be accessed by normal users (not administrators).
+* Move a few elements in the CSS file from the body tag. Suggestion by Gary McKinney
+* Update FAQ about using php with no sql support.
+* Allow the user to select between viewing FAQ,HOWTO or README in the help page.
+* Use $_SERVER instead of $HTTP_SERVER_VARS
Ver 1.72:
* Move the xlat function to a separate file in lib/xlat.php3
* Add a lib/sql/nas_list.php3 to also get the nas list from sql (naslist.conf still works)
* Set general_restrict_nasadmin_access to no by default. It causes confusion.
* Set the general_username_mappings_file variable
* Fix a small error in lib/sql/find.php3. This closes bug #103
+* Add a small note in the FAQ about checking for sql/ldap driver availability in PHP if the user get's
+ a blank white page back.
Ver 1.70:
* Add the /bin postgresql compatibility patch from Guy Fraser
* Add ldap_userdn as a configuration directive. If set we use that for
# If using sessions set use_session to 1 to also cache the config file
#
$use_session = 0;
+unset($config);
+unset($nas_list);
if ($use_session){
// Start session
@session_start();
+ if (isset($_SESSION['config']))
+ $config = $_SESSION['config'];
+ if (isset($_SESSION['nas_list']))
+ $nas_list = $_SESSION['nas_list'];
}
if (!isset($config)){
- unset($nas_list);
$ARR=file("../conf/admin.conf");
$EXTRA_ARR = array();
foreach($ARR as $val) {
if ($use_session == 0 && $config[general_use_session] == 'yes'){
// Start session
@session_start();
+ if (isset($nas_list))
+ session_register('nas_list');
}
//Make sure we are only passed allowed strings in username
if ($login != '')
- $login = preg_replace("/[^\w\s\.\/\@\:]\-i\=/",'',$login);
+ $login = preg_replace("/[^\w\s\.\/\@\:]/",'',$login);
if ($login != '' && $config[general_strip_realms] == 'yes'){
$realm_del = ($config[general_realm_delimiter] != '') ? $config[general_realm_delimiter] : '@';
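Review bot: The corrected pattern on L51 silently rewrites `$login` instead of rejecting it, so a request carrying disallowed characters is processed under a different, sanitized username rather than failing; for an identity value refusal is the safer default, e.g. `if ($login != '' && preg_match("/[^\w\s\.\/\@\:]/", $login)) die("Invalid username.");` in place of the `preg_replace`. The allowlist also still admits whitespace via `\s`, which later lands inside quoted `username = '$login'` predicates (see the UPDATE at L743) — harmless for quoting, but worth narrowing if usernames never contain spaces. Where `$login` is populated from is outside this hunk.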
if (count($new) == 2)
$login = ($realm_for == 'suffix') ? $new[0] : $new[1];
}
+unset($mappings);
+if (isset($_SESSION['mappings']))
+ $mappings = $_SESSION['mappings'];
if (!isset($mappings) && $config[general_username_mappings_file] != ''){
$ARR = file($config[general_username_mappings_file]);
foreach($ARR as $val){
If you are using sessions then remember to use the 'Clear Cache' page after making any changes
+>
+> When i try to access a dynamic web page it only shows a blank white page
+>
+
+You may have not enabled support for the corresponding sql driver in PHP. If you are also using ldap, check for
+php ldap support.
+
>
> It is still not working
>
<title>About page</title>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
$fields = @da_sql_list_fields($config[sql_accounting_table],$link,$config);
$no_fields = @da_sql_num_fields($fields,$config);
+unset($items);
+
for($i=0;$i<$no_fields;$i++){
$key = strtolower(@da_sql_field_name($fields,$i,$config));
$val = $sql_attrs[$key][desc];
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<?php
if(!$queryflag) {
$order = ($order_by != '') ? "$order_by" : 'username';
+if (preg_match("/[\s;]/",$order))
+ die("ORDER BY pattern is illegal. Exiting abnornally.");
+
+if (!is_numeric($maxresults))
+ die("Max Results is not in numeric form. Exiting abnormally.");
+
+unset($query_view);
foreach ($accounting_show_attrs as $val)
$query_view .= $val . ',';
$query_view = ereg_replace(',$','',$query_view);
-$sql_extra_query = '';
+unset($sql_extra_query);
if ($config[sql_accounting_extra_query] != '')
$sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = da_sql_escape_string($sql_extra_query);
$query="SELECT $query_view FROM $config[sql_accounting_table] $where $sql_extra_query ORDER BY $order LIMIT $maxresults;";
echo <<<EOM
<head>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<br>
<table border=0 width=940 cellpadding=1 cellspacing=1>
<tr valign=top>
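Review bot: The `ORDER BY` guard added at L105-L106 is a blocklist (whitespace and `;`) around a value interpolated verbatim at L120, and a blocklist leaves other SQL syntax untouched; validate positively instead, since `$accounting_show_attrs` (L112) already names the permitted columns: `if (!preg_match('/^\w+$/', $order) || !in_array($order, $accounting_show_attrs)) die("ORDER BY pattern is illegal. Exiting abnormally.");`. `is_numeric($maxresults)` at L108 likewise admits floats and exponent forms that are not valid `LIMIT` arguments and sets no ceiling, unlike the caps added at L563 and L795; `$maxresults = (int)$maxresults;` plus an upper bound would match those. Finally, L119 runs `da_sql_escape_string()` over the whole `$sql_extra_query` fragment after `xlat()` has expanded it (the same pattern appears at L188, L240, L526 and L574); if the configured fragment contains its own quoted literals, escaping it corrupts that quoting rather than neutralising the substituted values, so the escaping belongs on the values `xlat()` substitutes (the `%u`-style replacements at L824-L829). The message on L106 also misspells "abnormally".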
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
$row = @da_sql_fetch_array($search,$config);
if ($row[id] == $row_id){
$admin = "$row[Admin]";
- if (($admin != '-' && $HTTP_SERVER_VARS["PHP_AUTH_USER"] == $admin) || $admin == '-'){
+ if (($admin != '-' && $_SERVER["PHP_AUTH_USER"] == $admin) || $admin == '-'){
$sql_servers = array();
if ($config[sql_extra_servers] != '')
$sql_servers = explode(' ',$config[sql_extra_servers]);
</tr>
<?php
-$auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+$auth_user = $_SERVER["PHP_AUTH_USER"];
if ($config[general_restrict_badusers_access] == 'yes'){
$auth_user = da_sql_escape_string($auth_user);
$extra_query = "AND Admin == '$auth_user'";
<?php
-$auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+$auth_user = $_SERVER["PHP_AUTH_USER"];
if ($auth_user){
if (is_file("../html/buttons/$auth_user/buttons.html.php3"))
include("../html/buttons/$auth_user/buttons.html.php3");
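Review bot: `$auth_user` assigned on L163 feeds the `include()` path on L165-L166, so the file loaded depends on the username the client sent in its `Authorization` header; whether the web server has already authenticated that name for this path is not visible here. A cheap guard is to require a plain identifier before touching the filesystem, e.g. `if (!preg_match('/^[\w.-]+$/', $auth_user)) $auth_user = '';` right after L163, which keeps path separators and `..` out of the include path regardless of how the front-end auth is configured.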
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
$open_sessions = 0;
$sql_extra_query = '';
-if ($config[sql_accounting_extra_query] != '')
+if ($config[sql_accounting_extra_query] != ''){
$sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = da_sql_escape_string($sql_extra_query);
+}
print <<<EOM
</table>
<html>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center><img src="images/title2.gif">
<br><font size=+1><br>
<b>A web based administration interface for the freeradius radius server</b>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
}
$now = time();
-if ($last == 0)
+if (!isset($last))
$last = ($config[general_most_recent_fl]) ? $config[general_most_recent_fl] : 5;
+if (!is_numeric($last))
+ $last = 5;
$start = $now - ($last*60);
$now_str = date($config[sql_full_date_format],$now);
$prev_str = date($config[sql_full_date_format],$start);
$server_str = "AND nasipaddress = '$server'";
}
+unset($da_name_cache);
+if (isset($_SESSION['da_name_cache']))
+ $da_name_cache = $_SESSION['da_name_cache'];
+
?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
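Review bot: `$server` is interpolated unescaped into `$server_str` at L216 while the hunk validates `$last` a few lines earlier; if `$server` comes from the request as `$last` does (its origin is outside the hunk), it needs the same treatment, e.g. `$server = da_sql_escape_string($server);` before L216 or an IP-format check. Separately, `is_numeric($last)` at L211 accepts floats and exponent notation, so `$start` on L213 may be derived from a non-integer minute count; `$last = (int)$last;` after the check pins it.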
if ($acct_attrs['fl'][7] != '') echo "<th>" . $acct_attrs['fl'][7] . "</th>\n";
if ($acct_attrs['fl'][8] != '') echo "<th>" . $acct_attrs['fl'][8] . "</th>\n";
if ($acct_attrs['fl'][9] != '') echo "<th>" . $acct_attrs['fl'][9] . "</th>\n";
-$sql_extra_query = '';
-if ($config[sql_accounting_extra_query] != '')
+unset($sql_extra_query);
+if ($config[sql_accounting_extra_query] != ''){
$sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = da_sql_escape_string($sql_extra_query);
+}
?>
</tr>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<?php
if ($find_user == 1){
+ unset($found_users);
if (is_file("../lib/$config[general_lib_type]/find.php3"))
include("../lib/$config[general_lib_type]/find.php3");
if (isset($found_users)){
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>This page is only available if you are using sql as general library type</b>
</body>
exit();
}
+unset($group_members);
if (is_file("../lib/$config[general_lib_type]/group_info.php3")){
include("../lib/$config[general_lib_type]/group_info.php3");
if ($group_exists == 'no'){
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<form action="group_admin.php3" method=get>
<b>Group Name </b>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>This page is only available if you are using sql as general library type</b>
</body>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
<br>
-<pre>
-
-<b>For now we just include the README file</b><br>
+<b>Please choose which file you wish to read:</b><br><br>
+<form name="readhelp" method=post>
+<select name=help_file>
<?php
-readfile('../../README');
+$selected[$help_file] = 'selected';
+
+echo <<<EOM
+<option $selected[readme] value="readme">README File
+<option $selected[howto] value="howto">HOWTO File
+<option $selected[faq] value="faq">FAQ File
+EOM;
?>
+</select>
+<br><br>
+<input type=submit class=button value="Read File">
+</form>
+<pre>
+<?php
+$in_file = '';
+if ($help_file == 'readme')
+ $in_file = '../../README';
+else if ($help_file == 'howto')
+ $in_file = '../../doc/HOWTO';
+else if ($help_file == 'faq')
+ $in_file = '../../doc/FAQ';
+if ($in_file != '')
+ readfile("$in_file");
+?>
</pre>
<br>
</td></tr>
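Review bot: `$selected[$help_file] = 'selected'` at L315 indexes with the raw request value before L330-L335 establish that it is one of the three known names, and when `$help_file` is absent the page now renders an empty `<pre>` where the README used to appear. Defaulting first preserves the old behaviour and makes the index a known key: `if ($help_file != 'howto' && $help_file != 'faq') $help_file = 'readme';` placed before L315. The `readfile()` on L337 itself is fine, since `$in_file` can only take the three literal paths assigned on L331-L335.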
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<?php
function check_day($day){
<title>NAS Administration Page</title>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
exit();
}
if ($config[general_restrict_nasadmin_access] == 'yes'){
- $auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+ $auth_user = $_SERVER["PHP_AUTH_USER"];
if ($auth_user == '' || $mappings[$auth_user][nasadmin] != 'yes'){
echo <<<EOM
<title>NAS Administration Page</title>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Access is not allowed to this username.</b>
</body>
if ($nasname == '' || $nassecret == '' || $nasshortname == '')
$msg = "<b>Error. Required fields are not set</b><br>\n";
else{
+ $nasshortname = da_sql_escape_string($nasshortname);
+ $nastype = da_sql_escape_string($nastype);
+ $nasportnum = da_sql_escape_string($nasportnum);
+ $nassecret = da_sql_escape_string($nassecret);
+ $nascommunity = da_sql_escape_string($nascommunity);
+ $nasdescription = da_sql_escape_string($nasdescription);
+ $nasname = da_sql_escape_string($nasname);
+
$res = @da_sql_query($link,$config,
"INSERT INTO $config[sql_nas_table]
(nasname,shortname,type,ports,secret,community,description)
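Review bot: Every NAS field is escaped for quoting at L375-L381, but `$nasportnum`, bound to the `ports` column on L385, is never checked to be numeric, so if `ports` is an integer column (as the name suggests) a non-numeric value is either rejected by the database or coerced silently depending on the driver; add `if (!is_numeric($nasportnum)) $nasportnum = 0;` (or an error like the one on L373) before the escaping. The same applies to the UPDATE branch at L389-L399. The `da_sql_query()` call continues past the end of the hunk, so the full column/value list is not visible here.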
if ($nassecret == '' || $nasshortname == '')
$msg = "<b>Error. Required fields are not set</b><br>\n";
else{
+ $nasshortname = da_sql_escape_string($nasshortname);
+ $nastype = da_sql_escape_string($nastype);
+ $nasportnum = da_sql_escape_string($nasportnum);
+ $nassecret = da_sql_escape_string($nassecret);
+ $nascommunity = da_sql_escape_string($nascommunity);
+ $nasdescription = da_sql_escape_string($nasdescription);
+ $nasname = da_sql_escape_string($nasname);
+
$res = @da_sql_query($link,$config,
"UPDATE $config[sql_nas_table] SET
shortname = '$nasshortname',
<title>NAS Administration Page</title>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<title>Session Cache Destroy Page</title>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Session Cache Destroyed</b>
</body>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<?php
scrollbar-highlight-color:#fffff0;
scrollbar-3dlight-color:#000000;
scrollbar-darkshadow-color:#000000;
+ bgcolor:#80a040;
+ background-image: url(images/greenlines1.gif);
+}
+a:link {
+ color: #000000;
+}
+a:visited {
+ color:#000000;
+}
+a:hover {
+ color:#000000;
+}
+a:active {
+ color:#000000;
}
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
$now_str = da_sql_escape_string($now_str);
$prev_str = da_sql_escape_string($prev_str);
+unset($da_name_cache);
+if (isset($_SESSION['da_name_cache']))
+ $da_name_cache = $_SESSION['da_name_cache'];
+
echo <<<EOM
<head>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<form action="user_admin.php3" method=get>
<b>User Name </b>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
include_once("../lib/sql/drivers/$config[sql_type]/functions.php3");
else{
echo <<<EOM
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
$date = strftime('%A, %e %B %Y, %T %Z');
$sql_extra_query = '';
-if ($config[sql_accounting_extra_query] != '')
+if ($config[sql_accounting_extra_query] != ''){
$sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = da_sql_escape_string($sql_extra_query);
+}
$link = @da_sql_pconnect($config);
$link2 = connect2db($config);
}
?>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<title>Personal information page</title>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $config[general_charset]?>">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<?php
include("password_generator.jsc");
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<b>Could not include SQL library functions. Aborting</b>
</body>
$pagesize = ($pagesize) ? $pagesize : 10;
if (!is_numeric($pagesize))
$pagezise = 10;
-$limit = ($pagesize == 'all') ? '' : "LIMIT $pagesize";
+if ($pagesize > 100)
+ $pagesize = 100;
+$limit = ($pagesize == 'all') ? 'LIMIT 100' : "LIMIT $pagesize";
$selected[$pagesize] = 'selected';
$order = ($order) ? $order : $config[general_accounting_info_order];
if ($order != 'desc' && $order != 'asc')
$selected[$sortby] = 'selected';
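Review bot: The `is_numeric` guard on L560 has no effect because its body assigns the misspelled `$pagezise` (L561), so a `$pagesize` that is neither numeric nor `'all'` still reaches `"LIMIT $pagesize"` on L565; the new cap at L563-L564 does not close this, since comparing an arbitrary string against `100` does not make it numeric. Fix the typo and exempt the one legitimate keyword: `if ($pagesize != 'all' && !is_numeric($pagesize)) $pagesize = 10;`. Note too that `'all' > 100` on L563 relies on PHP's string/int comparison rules, which changed in PHP 8; writing `if ($pagesize != 'all' && $pagesize > 100)` avoids depending on them.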
$sql_extra_query = '';
-if ($config[sql_accounting_extra_query] != '')
+if ($config[sql_accounting_extra_query] != ''){
$sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = da_sql_escape_string($sql_extra_query);
+}
+
+unset($da_name_cache);
+if (isset($_SESSION['da_name_cache']))
+ $da_name_cache = $_SESSION['da_name_cache'];
?>
<title>User Statistics</title>
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
<link rel="stylesheet" href="style.css">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<center>
<table border=0 width=550 cellpadding=0 cellspacing=0>
<tr valign=top>
}
</script>
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<form action="user_admin.php3" method=get target="content">
<table border=0 width=100 cellpadding=1 cellspacing=1>
<tr><td align=center>
<img src="images/logo2.gif" vspace=2>
</td></tr>
<?php
-if ($HTTP_SERVER_VARS["PHP_AUTH_USER"])
- echo "<tr valign=top><td align=center><b>Logged in as " . $HTTP_SERVER_VARS["PHP_AUTH_USER"] . "...</b><br><br></td></tr>\n";
+if ($_SERVER["PHP_AUTH_USER"])
+ echo "<tr valign=top><td align=center><b>Logged in as " . $_SERVER["PHP_AUTH_USER"] . "...</b><br><br></td></tr>\n";
?>
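Review bot: The rewritten echo at L611 still places `$_SERVER["PHP_AUTH_USER"]` into the page body without encoding, and that value is whatever the client sent in its `Authorization` header; it reflects only to the same user, but encoding it is cheap and in keeping with the commit's intent: `htmlspecialchars($_SERVER["PHP_AUTH_USER"])` in place of the bare variable. Since the value is read twice on L610-L611, assigning it once to a local first would also remove the duplication.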
<tr bgcolor="black" valign=top><td>
<table border=0 width=100% cellpadding=2 cellspacing=0>
<title>user information for $cn</title>
<meta http-equiv="Content-Type" content="text/html; charset=$config[general_charset]">
</head>
-<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<body>
<link rel="stylesheet" href="style.css">
EOM;
if ($logged_now)
<?php
#Read sql attribute map
+unset($sql_attrs);
+if (isset($_SESSION['sql_attrs']))
+ $sql_attrs = $_SESSION["sql_attrs"];
if (!isset($sql_attrs)){
$ARR = file($config[general_sql_attrs_file]);
foreach($ARR as $val){
$lockmsg_name = $attrmap['Dialup-Lock-Msg'] . '0';
$msg = $$lockmsg_name;
$admin = '-';
-if ($HTTP_SERVER_VARS["PHP_AUTH_USER"] != '')
- $admin = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+if ($_SERVER["PHP_AUTH_USER"] != '')
+ $admin = $_SERVER["PHP_AUTH_USER"];
if ($msg == '')
echo "<b>Lock Message should not be empty</b><br>\n";
else{
<?php
include_once('../lib/xlat.php3');
#Read user_edit attribute map
+unset($show_attrs);
+if (isset($_SESSION['show_attrs']))
+ $show_attrs = $_SESSION['show_attrs'];
if (!isset($show_attrs)){
$infile = xlat($config[general_user_edit_attrs_file],$login,$config);
$ARR = file($infile);
if ($config[general_use_session] == 'yes')
session_register('show_attrs');
}
+unset($acct_attrs);
+if (isset($_SESSION['acct_attrs']))
+ $acct_attrs = $_SESSION['acct_attrs'];
if (!isset($acct_attrs) && isset($config[general_accounting_attrs_file])){
$infile = xlat($config[general_accounting_attrs_file],$login,$config);
$ARR = file($infile);
<?php
+unset($text_default_vals);
+unset($default_vals);
+if (isset($_SESSION['text_default_vals']))
+ $text_default_vals = $_SESSION['text_default_vals'];
if (!isset($text_default_vals)){
$ARR=file("$config[general_default_file]");
foreach($ARR as $val) {
<?php
#Read ldap attribute map
+unset($attrmap);
+if (isset($_SESSION['attrmap']))
+ $attrmap = $_SESSION['attrmap'];
if (!isset($attrmap)){
$ARR = file("$config[general_ldap_attrmap]");
foreach($ARR as $val){
{
if ($ds){
if ($config[ldap_use_http_credentials] == 'yes'){
- global $HTTP_SERVER_VARS;
- $din = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
- $pass = $HTTP_SERVER_VARS["PHP_AUTH_PW"];
+ $din = $_SERVER["PHP_AUTH_USER"];
+ $pass = $_SERVER["PHP_AUTH_PW"];
if ($config[ldap_map_to_directory_manager] != '' &&
$din == $config[ldap_map_to_directory_manager] &&
$config[ldap_directory_manager] != '')
$mobile = '-';
$mail = '-';
$mailalt = '-';
+$dn = '';
+$user_exists = 'no';
+unset($item_vals);
if ($config[general_decode_normal_attributes] == 'yes')
$decode_normal = 1;
else{
$user_exists = 'yes';
$user_info = 1;
- unset($item_vals);
$k = init_decoder();
$cn = ($info[0]['cn'][0]) ? $info[0]['cn'][0] : '-';
if ($decode_normal)
<?php
#Read sql attribute map
+unset($attrmap);
+unset($rev_attrmap);
+unset($attr_type);
+if (isset($_SESSION['attrmap'])){
+ #If attrmap is set then the rest will also be set
+ $attrmap = $_SESSION['attrmap'];
+ $rev_attrmap =$_SESSION['rev_attrmap'];
+ $attr_type = $_SESSION['attr_type'];
+}
$ARR = file("$config[general_sql_attrmap]");
foreach($ARR as $val){
$val=chop($val);
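Review bot: The values restored from `$_SESSION` at L706-L711 are never consulted before L712 re-reads the attribute map file, so unless a guard such as `if (!isset($attrmap))` exists outside the hunk the cache is rebuilt on every request and the restore is dead code; the sibling blocks at L628 and L647 do wrap their file read in exactly that guard. The comment on L707 would be clearer as `# rev_attrmap and attr_type are always stored alongside attrmap`, and L709 has a stray space before `$_SESSION`.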
$attrmap["$key"]=$v;
$rev_attrmap["$v"] = $key;
$attr_type["$key"]=$type;
+ if ($config[general_use_session] == 'yes'){
+ session_register('attrmap');
+ session_register('rev_attrmap');
+ session_register('attr_type');
+ }
}
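Review bot: The `session_register()` calls at L718-L722 sit inside the `foreach` over the map file, so they run once per line of the file; hoisting the `if` block to just after the loop's closing brace does the same work once. The code also mixes `session_register()` writes with `$_SESSION` reads (L706-L710 here, L34 and L46 in the config file); the PHP manual advises against combining the two, and `$_SESSION['attrmap'] = $attrmap;` (likewise for `rev_attrmap` and `attr_type`) is the form that works whether or not `register_globals` is enabled. The enclosing loop starts before this hunk.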
echo "<b>Invalid operator ($op_val) for attribute $key</b><br>\n";
continue;
}
- $op_val1 = "'$op_val'";
$op_val2 = ",'$op_val'";
}
}
+ $op_val = da_sql_escape_string($op_val);
+ $sql_attr = da_sql_escape_string($sql_attr);
+ $val = da_sql_escape_string($val);
+ $op_val2 = da_sql_escape_string($op_val2);
// if we have operators, the operator has changed and the corresponding value exists then update
if ($use_ops && isset($item_vals["$key"][operator][$j]) &&
$op_val != $item_vals["$key"][operator][$j] ){
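Review bot: L734 escapes `$op_val2`, which L728 has already built as the quoted fragment `,'$op_val'`; if `da_sql_escape_string()` backslash-escapes quotes, the fragment's own delimiters get escaped and the statement that appends `$op_val2` will no longer parse. Escape the value rather than the fragment: move `$op_val = da_sql_escape_string($op_val);` (L731) above L728 and drop L734. As written, L731 also runs after the operator check that reports on L724, so the escaped `$op_val` is what gets compared against the stored raw operator on L737 — harmless for the operator set, but the ordering should be deliberate. The enclosing loop begins before this hunk.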
else{
if (isset($item_vals["$key"][$j])){
$old_val = $item_vals["$key"][$j];
+ $old_val = da_sql_escape_string($old_val);
$res = @da_sql_query($link,$config,
"UPDATE $table SET value = '$val' WHERE $query_key = '$login' AND
attribute = '$sql_attr' AND value = '$old_val';");
if (is_file("../lib/crypt/$config[general_encryption_method].php3")){
include("../lib/crypt/$config[general_encryption_method].php3");
$passwd = da_encrypt($passwd);
+ $passwd = da_sql_escape_string($passwd);
$res = @da_sql_query($link,$config,
"SELECT value FROM $config[sql_check_table] WHERE username = '$login'
AND attribute = '$config[sql_password_attribute]';");
$passwd_op = ",':='";
}
$da_abort=0;
+$op_val2 = '';
$link = @da_sql_pconnect($config);
if ($link){
$Members = preg_split("/[\n\s]+/",$members,-1,PREG_SPLIT_NO_EMPTY);
$op_name = $attrmap["$key"] . '_op';
$op_val = $$op_name;
if ($op_val != ''){
+ $op_val = da_sql_escape_string($op_val);
if (check_operator($op_val,$type) == -1){
echo "<b>Invalid operator ($op_val) for attribute $key</b><br>\n";
coninue;
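Review bot: `coninue;` on L765 (and L785 in the sibling file) is a misspelling of `continue` that PHP accepts as a bare constant expression, so an operator that `check_operator()` rejects is reported but the loop body still proceeds with it; the new escaping at L762 does not change that. Replace it with `continue;`. Escaping `$op_val` before `check_operator()` is redundant if that helper matches against a fixed operator list (not visible here) — either order works, but the check must be the gate.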
$passwd_op = ",':='";
}
$da_abort=0;
+$op_val2 = '';
$link = @da_sql_pconnect($config);
if ($link){
if (is_file("../lib/crypt/$config[general_encryption_method].php3")){
include("../lib/crypt/$config[general_encryption_method].php3");
$passwd = da_encrypt($passwd);
+ $passwd = da_sql_escape_string($passwd);
$res = @da_sql_query($link,$config,
"INSERT INTO $config[sql_check_table] (attribute,value,username $text)
VALUES ('$config[sql_password_attribute]','$passwd','$login' $passwd_op);");
$op_name = $attrmap["$key"] . '_op';
$op_val = $$op_name;
if ($op_val != ''){
+ $op_val = da_sql_escape_string($op_val);
if (check_operator($op_val,$type) == -1){
echo "<b>Invalid operator ($op_val) for attribute $key</b><br>\n";
coninue;
exit();
}
+unset($found_users);
+
$link = @da_sql_pconnect($config);
if ($link){
$search = da_sql_escape_string($search);
if (!is_numeric($max_results))
$max_results = 10;
+ if ($max_results > 500)
+ $max_results = 10;
if (($search_IN == 'name' || $search_IN == 'department' || $search_IN == 'username') &&
$config[sql_use_user_info_table] == 'true'){
$res = @da_sql_query($link,$config,
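Review bot: The cap at L795-L796 keeps `$max_results` at most 500, but `is_numeric` on L793 still admits floats and exponent forms that are not valid `LIMIT` arguments at L805; `$max_results = (int)$max_results;` after the check makes it an integer. `$search` is escaped for quoting at L792, yet `LIKE '%$search%'` also interprets `%` and `_`, so a search term containing them widens the match — if that matters for this page, follow the SQL escape with `addcslashes($search, '%_')`. The `if ($link)` block opened at L791 continues past the hunk.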
}
$table = ($attr_type[$radius_attr] == 'checkItem') ? $config[sql_check_table] : $config[sql_reply_table];
$attr = $attrmap[$radius_attr];
+ $attr = da_sql_escape_string($attr);
$res = @da_sql_query($link,$config,
"SELECT username FROM $table WHERE attribute = '$attr' AND value LIKE '%$search%' LIMIT $max_results;");
if ($res){
<?php
require('../conf/config.php3');
+unset($da_name_cache);
+if (isset($_SESSION['da_name_cache']))
+ $da_name_cache = $_SESSION['da_name_cache'];
if ($config[sql_nas_table] != ''){
if (is_file("../lib/sql/drivers/$config[sql_type]/functions.php3"))
}
$link = @da_sql_pconnect($config);
if ($link){
- $auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+ $auth_user = $_SERVER["PHP_AUTH_USER"];
$extra = '';
if (isset($mappings[$auth_user][nasdb])){
$NAS_ARR = array();
$string = $filter;
if ($filter != ''){
$string = preg_replace('/%u/',$login,$string);
- $string = preg_replace('/%U/',$HTTP_SERVER_VARS["PHP_AUTH_USER"],$string);
+ $string = preg_replace('/%U/',$_SERVER["PHP_AUTH_USER"],$string);
$string = preg_replace('/%ma/',$mappings[$http_user][accounting],$string);
$string = preg_replace('/%mu/',$mappings[$http_user][userdb],$string);
$string = preg_replace('/%mn/',$mappings[$http_user][nasdb],$string);