X-Git-Url: http://git.euphorik.ch/?a=blobdiff_plain;f=php%2Fcontroller.php;h=41381ac913c97be33ce092037a8dd05b4b960597;hb=912c54815fb34d93de674af2bcf3acc85ce7421d;hp=b68834ec734951ded4ec9ff5b50eb51050f8c9bc;hpb=9c682b3ad5335bfeaff7f133bf1a2e0f0c9c0f82;p=cl7.git diff --git a/php/controller.php b/php/controller.php index b68834e..41381ac 100644 --- a/php/controller.php +++ b/php/controller.php @@ -1,7 +1,7 @@ set_periodes($id); - mysql_query("COMMIT"); + pg_query("COMMIT"); $this->participant = new participant($_POST['pseudo'], $_POST['pass1']); setcookie("COOKIE_INFO_PARTICIPANT", $this->participant->info->id, time() + 31104000); @@ -54,7 +68,7 @@ class Controller } } # un participant modifie ses infos - else if(isset($_POST['modification_participant']) && $this->participant->valide) + else if(isset($_POST['modification_participant']) && $this->participant->existe()) { if ($this->config->get("inscription_terminees")) return; 
@@ -62,52 +76,66 @@ class Controller $this->traiter_donnees_inscription(); if (!$this->login_deja_pris() && $this->donnees_inscription_valides()) { - mysql_query("BEGIN TRANSACTION"); - mysql_query("UPDATE participants SET pseudo = '".addslashes($_POST['pseudo'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET password = '".addslashes($_POST['pass1'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET clan_nom = '".addslashes($_POST['clan_nom'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET clan_tag = '".addslashes($_POST['clan_tag'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET nom = '".addslashes($_POST['nom'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET prenom = '".addslashes($_POST['prenom'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET age = '".addslashes($_POST['age'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET e_mail = '".addslashes($_POST['e_mail'])."' WHERE id = " . $this->participant->info->id); - mysql_query("UPDATE participants SET remarques = '".addslashes($_POST['remarques'])."' WHERE id = " . 
$this->participant->info->id); + pg_query("BEGIN"); + pg_query_params("UPDATE participants SET pseudo = $1 WHERE id = $2", array($_POST['pseudo'], $this->participant->info->id)); + pg_query_params("UPDATE participants SET password = $1 WHERE id = $2", array(sha1($_POST['pass1']), $this->participant->info->id)); + pg_query_params("UPDATE participants SET clan_nom = $1 WHERE id = $2", array($_POST['clan_nom'], $this->participant->info->id)); + pg_query_params("UPDATE participants SET clan_tag = $1 WHERE id = $2", array($_POST['clan_tag'], $this->participant->info->id)); + pg_query_params("UPDATE participants SET nom = $1 WHERE id = $2", array($_POST['nom'], $this->participant->info->id)); + pg_query_params("UPDATE participants SET prenom = $1 WHERE id = $2", array($_POST['prenom'], $this->participant->info->id)); + pg_query_params("UPDATE participants SET age = $1 WHERE id = $2", array($_POST['age'], $this->participant->info->id)); + pg_query_params("UPDATE participants SET e_mail = $1 WHERE id = $2", array($_POST['e_mail'], $this->participant->info->id)); + pg_query_params("UPDATE participants SET remarques = $1 WHERE id = $2", array($_POST['remarques'], $this->participant->info->id)); $this->set_periodes($this->participant->info->id); - mysql_query("COMMIT"); + pg_query("COMMIT"); //header("Location: /inscrits.html"); $this->message_utilisateur = "Les modifications ont été enregistrées"; - $page = "inscrits"; // TODO : moche car la page ne va plus correspondre à l'url + + // Puisque les données du participant ont changés il faut les re-charger. 
+ $this->participant->chargerInfos(); } } # vote pour des jeux (autorisé même lorsque les inscriptions sont terminées) - else if (isset($_POST['set_jeux_joues']) && $this->participant->valide) + else if (isset($_POST['set_jeux_joues']) && $this->participant->existe() && !$config->get("inscription_terminees")) { $votes = $_POST['votes']; if (!$votes) $votes = array(); - mysql_query("BEGIN TRANSACTION"); + pg_query("BEGIN"); # l'utilisateur peut proposer le nom d'un jeu qui ne se trouve pas dans la liste $jeu = trim($_POST['jeu']); if ($jeu !== '') { - mysql_query("INSERT INTO jeux (nom) VALUES ('".addslashes($jeu)."')"); - $id = mysql_insert_id(); - if ($id != 0) # si le jeu se trouve déjà dans la liste alors $id == 0 - array_unshift($votes, $id); + if(@pg_query_params("INSERT INTO jeux (nom) VALUES ($1)", array($jeu))) + { + $row = pg_fetch_row(pg_query("SELECT LASTVAL()")); + $id = $row[0]; + if ($id != 0) # si le jeu se trouve déjà dans la liste alors $id == 0 + array_unshift($votes, $id); + } + else # Puisque le jeu existe déjà, on le recherche + { + pg_query("ROLLBACK"); + pg_query("BEGIN"); + $res = pg_query_params("SELECT id FROM jeux WHERE nom = $1", array($jeu)); + if ($id = pg_fetch_object($res)) + if (!in_array($id->id, $votes)) + array_unshift($votes, $id->id); + } } # suppression des anciens votes (remplacement par les nouveaux) - mysql_query("DELETE FROM jeux_choisis WHERE participant_id = " . 
$this->participant->info->id); + pg_query_params("DELETE FROM jeux_choisis WHERE participant_id = $1", array($this->participant->info->id)); # traite les trois premiers votes for ($i = 0; $i < count($votes) && $i < $this->config->get('nb_votes_jeux'); $i++) { - mysql_query("INSERT INTO jeux_choisis (participant_id, jeu_id) VALUES (".$this->participant->info->id.", ".(int)$votes[$i].")"); + pg_query_params("INSERT INTO jeux_choisis (participant_id, jeu_id) VALUES ($1, $2)", array($this->participant->info->id, (int)$votes[$i])); } - mysql_query("COMMIT"); + pg_query("COMMIT"); } } @@ -121,10 +149,10 @@ class Controller private function login_deja_pris() { - if ($this->participant->valide && strtolower($this->participant->info->pseudo) === strtolower($_POST['pseudo'])) // le pseudo n'a pas changé + if ($this->participant->existe() && strtolower($this->participant->info->pseudo) === strtolower($_POST['pseudo'])) // le pseudo n'a pas changé return FALSE; - $loginDejaPris = mysql_fetch_array(mysql_query("SELECT count(*) FROM participants WHERE pseudo = '".addslashes($_POST['pseudo'])."'")); + $loginDejaPris = pg_fetch_array(pg_query_params("SELECT count(*) FROM participants WHERE pseudo = $1", array($_POST['pseudo']))); if ($loginDejaPris[0] > 0) { $this->message_utilisateur = "Le pseudo '".$_POST["pseudo"]."' est déjà pris"; @@ -159,13 +187,13 @@ class Controller if (!$periodes) $periodes = array(); - mysql_query("DELETE FROM participations WHERE participant_id = " . (int)$id); + pg_query_params("DELETE FROM participations WHERE participant_id = $1", array($id)); for ($i = 0; $i < count($periodes); $i++) { - mysql_query(" + pg_query_params(" INSERT INTO participations (participant_id, periode_id) - VALUES (".$id.", ".(int)$periodes[$i].") - "); + VALUES ($1, $2)", array($id, $periodes[$i]) + ); } } }
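Review bot: The new password update stores `sha1($_POST['pass1'])`, an unsalted fast hash that is cheap to brute-force if the participants table leaks. Where the PHP version allows it, `password_hash($_POST['pass1'], PASSWORD_DEFAULT)` is the safer form, with `password_verify()` on the login path in the participant class, which this hunk does not show. Separately, the vote branch tests `!$config->get("inscription_terminees")` while the loop further down uses `$this->config->get('nb_votes_jeux')`; unless a local `$config` is defined outside the hunk this is a method call on an undefined variable, and the condition contradicts the comment above it, which says votes stay allowed after registration closes. The results of the nine `pg_query_params` UPDATEs are never checked, so "Les modifications ont été enregistrées" is displayed even when a statement failed and PostgreSQL turned the final `COMMIT` into a rollback. The enclosing method starts and ends outside the hunk.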
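Review bot: The uniqueness check in `login_deja_pris()` is now case-sensitive, because PostgreSQL compares text with `=` exactly, whereas the early return two lines above compares both sides through `strtolower()` and the old MySQL query was most likely case-insensitive under its default collation. Unless the `pseudo` column is `citext` or has a unique index on `lower(pseudo)`, "Bob" and "bob" can now both register, which invites impersonation. I would write the query as `SELECT count(*) FROM participants WHERE lower(pseudo) = lower($1)`. The context line that builds `message_utilisateur` concatenates `$_POST["pseudo"]` unescaped, so it should go through `htmlspecialchars()` if the template does not already escape it. The function body continues outside the hunk.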
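Review bot: The `(int)` casts on `$id` and `$periodes[$i]` were dropped, so a non-numeric value now reaches PostgreSQL as a parameter for what are presumably integer columns. Parameter binding prevents injection, but the statement then fails, and because the callers visible in this diff run `set_periodes()` between `BEGIN` and `COMMIT`, the whole transaction is aborted without any check of the return value. I would skip entries that fail `ctype_digit((string)$periodes[$i])` or keep the cast, e.g. `array((int)$id, (int)$periodes[$i])`, and test the result of `pg_query_params`. Iterating with `foreach ($periodes as $periode)` would also avoid undefined offsets if the array, which is filled outside the hunk, does not have consecutive keys. The function starts outside the hunk.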