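<?php
/*
 * Save the preference settings posted from pref.php.
 *
 * Every POST field named "pref_<setting>" replaces the stored row for
 * <setting> in webcal_user_pref.  The row's cal_login is:
 *   - "__public__" when an admin is editing the public calendar's prefs,
 *   - $user when an admin (or non-user admin) is editing another login,
 *   - the current $login otherwise.
 * On success the browser is redirected back to pref.php; on a database
 * error the script falls through to the error markup at the bottom.
 */
include_once 'includes/init.php';

$error = "";
$updating_public = false;

/*
 * Escape a string for use inside single quotes in SQL text.
 *
 * Values that arrive through GPC (POST fields, and $user via
 * register_globals) may already carry backslashes when magic_quotes_gpc
 * is on; strip those first so the value is escaped exactly once.
 * NOTE(review): the dbi layer visible on this page exposes no escaper of
 * its own; if the database driver provides one, prefer it here.
 */
function pref_sql_escape ( $s ) {
  if ( get_magic_quotes_gpc () ) {
    $s = stripslashes ( $s );
  }
  return addslashes ( $s );
}

// Decide whose preferences are being written.
if ( $is_admin && ! empty ( $public ) && $public_access == "Y" ) {
  $updating_public = true;
  $prefuser = "__public__";
} elseif ( ( $user != $login ) && ( $is_admin || $is_nonuser_admin ) ) {
  $prefuser = "$user";
} else {
  $prefuser = "$login";
}
// $prefuser is interpolated into SQL text below, so escape it once here.
$prefuser_sql = pref_sql_escape ( $prefuser );

foreach ( $HTTP_POST_VARS as $key => $value ) {
  // The target login travels in its own field; it is not a preference.
  if ( $key == 'user' ) {
    continue;
  }
  // Validate the key name: exactly "pref_" followed by [A-Za-z0-9_].
  // Both anchors matter -- without '^' a key such as "pref_a'pref_b" would
  // pass and carry a quote into $setting; the D modifier keeps '$' from
  // accepting a trailing newline.  $setting therefore needs no escaping.
  if ( ! preg_match ( '/^pref_[A-Za-z0-9_]+$/D', $key ) ) {
    die ( 'Invalid admin setting name "' . htmlspecialchars ( $key ) . '"' );
  }
  $setting = substr ( $key, 5 ); // strip the "pref_" prefix

  // Remove any existing row for this setting; an empty value means
  // "unset", so the DELETE alone is the whole update in that case.
  // The DELETE result is deliberately not checked (best effort, as
  // before); a failure surfaces on the INSERT that follows.
  $sql = "DELETE FROM webcal_user_pref WHERE cal_login = '$prefuser_sql' " .
    "AND cal_setting = '$setting'";
  dbi_query ( $sql );

  if ( strlen ( $value ) > 0 ) {
    // $value is free-form user input and must be escaped before it is
    // placed inside the quoted SQL literal.
    $value_sql = pref_sql_escape ( $value );
    $sql = "INSERT INTO webcal_user_pref " .
      "( cal_login, cal_setting, cal_value ) VALUES " .
      "( '$prefuser_sql', '$setting', '$value_sql' )";
    if ( ! dbi_query ( $sql ) ) {
      // $error is rendered as HTML below, so the SQL text (which embeds
      // user input) is entity-escaped; the surrounding markup is intended.
      $error = "Unable to update preference: " . dbi_error () .
        "<br /><br /><span style=\"font-weight:bold;\">SQL:</span> " .
        htmlspecialchars ( $sql );
      break;
    }
  }
}

// Nothing went wrong: send the browser back to the matching pref page.
if ( empty ( $error ) ) {
  if ( $updating_public ) {
    do_redirect ( "pref.php?public=1" );
  } elseif ( ( $is_admin || $is_nonuser_admin ) && $login != $user ) {
    do_redirect ( "pref.php?user=$user" );
  } else {
    do_redirect ( "pref.php" );
  }
}

// Only reached when a database error occurred above.
print_header ();
?>
<h2><?php etranslate("Error")?></h2>
<?php etranslate("The following error occurred")?>:
<blockquote>
<?php echo $error; ?>
</blockquote>
<?php print_trailer(); ?>
</body>
</html>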