마크업:관리자>회원추가 및 form 에 관리자 패스워드 검사

whitedot
2012-11-14 18:14:53 +09:00
parent 9d88639ec1
commit f386386b44
3 changed files with 148 additions and 164 deletions


@ -668,7 +668,7 @@ include_once ('./admin.head.php');
</table>
</section>
<fieldset>
<fieldset id="admin_confirm">
<legend><span></span>XSS 혹은 CSRF 방지</legend>
<p>관리자 권한을 탈취당하는 경우를 대비하여 패스워드를 다시 한번 확인합니다.</p>
<label for="admin_password">관리자 패스워드</label>


@ -463,7 +463,7 @@ include_once ('./admin.head.php');
</table>
</section>
<fieldset>
<fieldset id="admin_confirm">
<legend><span></span>XSS 혹은 CSRF 방지</legend>
<p>관리자 권한을 탈취당하는 경우를 대비하여 패스워드를 다시 한번 확인합니다.</p>
<label for="admin_password">관리자 패스워드</label>


@ -8,12 +8,12 @@ $token = get_token();
if ($w == '')
{
$required_mb_id = 'required minlength=3 alphanumericunderline itemid="회원아이디" name="회원아이디"';
$required_mb_password = 'required itemid="패스워드" name="패스워드"';
$required_mb_id = 'required minlength=3 alphanumericunderline';
$required_mb_password = 'required';
$mb['mb_mailling'] = 1;
$mb['mb_open'] = 1;
$mb['mb_level'] = $config['cf_register_level'];
$mb[mb_mailling] = 1;
$mb[mb_open] = 1;
$mb[mb_level] = $config[cf_register_level];
$html_title = '등록';
}
else if ($w == 'u')
@ -22,218 +22,202 @@ else if ($w == 'u')
if (!$mb['mb_id'])
alert('존재하지 않는 회원자료입니다.');
if ($is_admin != 'super' && $mb['mb_level'] >= $member['mb_level'])
if ($is_admin != 'super' && $mb[mb_level] >= $member[mb_level])
alert('자신보다 권한이 높거나 같은 회원은 수정할 수 없습니다.');
$required_mb_id = 'readonly style="background-color:#dddddd;"';
$required_mb_id = 'readonly';
$required_mb_password = '';
$html_title = '수정';
$mb['mb_email'] = get_text($mb['mb_email']);
$mb['mb_homepage'] = get_text($mb['mb_homepage']);
$mb['mb_password_q'] = get_text($mb['mb_password_q']);
$mb['mb_password_a'] = get_text($mb['mb_password_a']);
$mb['mb_birth'] = get_text($mb['mb_birth']);
$mb['mb_tel'] = get_text($mb['mb_tel']);
$mb['mb_hp'] = get_text($mb['mb_hp']);
$mb['mb_addr1'] = get_text($mb['mb_addr1']);
$mb['mb_addr2'] = get_text($mb['mb_addr2']);
$mb['mb_signature'] = get_text($mb['mb_signature']);
$mb['mb_recommend'] = get_text($mb['mb_recommend']);
$mb['mb_profile'] = get_text($mb['mb_profile']);
$mb['mb_1'] = get_text($mb['mb_1']);
$mb['mb_2'] = get_text($mb['mb_2']);
$mb['mb_3'] = get_text($mb['mb_3']);
$mb['mb_4'] = get_text($mb['mb_4']);
$mb['mb_5'] = get_text($mb['mb_5']);
$mb['mb_6'] = get_text($mb['mb_6']);
$mb['mb_7'] = get_text($mb['mb_7']);
$mb['mb_8'] = get_text($mb['mb_8']);
$mb['mb_9'] = get_text($mb['mb_9']);
$mb['mb_10'] = get_text($mb['mb_10']);
$mb['mb_email'] = get_text($mb['mb_email']);
$mb['mb_homepage'] = get_text($mb['mb_homepage']);
$mb['mb_password_q'] = get_text($mb['mb_password_q']);
$mb['mb_password_a'] = get_text($mb['mb_password_a']);
$mb['mb_birth'] = get_text($mb['mb_birth']);
$mb['mb_tel'] = get_text($mb['mb_tel']);
$mb['mb_hp'] = get_text($mb['mb_hp']);
$mb['mb_addr1'] = get_text($mb['mb_addr1']);
$mb['mb_addr2'] = get_text($mb['mb_addr2']);
$mb['mb_signature'] = get_text($mb['mb_signature']);
$mb['mb_recommend'] = get_text($mb['mb_recommend']);
$mb['mb_profile'] = get_text($mb['mb_profile']);
$mb['mb_1'] = get_text($mb['mb_1']);
$mb['mb_2'] = get_text($mb['mb_2']);
$mb['mb_3'] = get_text($mb['mb_3']);
$mb['mb_4'] = get_text($mb['mb_4']);
$mb['mb_5'] = get_text($mb['mb_5']);
$mb['mb_6'] = get_text($mb['mb_6']);
$mb['mb_7'] = get_text($mb['mb_7']);
$mb['mb_8'] = get_text($mb['mb_8']);
$mb['mb_9'] = get_text($mb['mb_9']);
$mb['mb_10'] = get_text($mb['mb_10']);
}
else
alert('제대로 된 값이 넘어오지 않았습니다.');
if ($mb['mb_mailling']) $mailling_checked = 'checked'; // 메일 수신
if ($mb['mb_sms']) $sms_checked = 'checked'; // SMS 수신
if ($mb['mb_open']) $open_checked = 'checked'; // 정보 공개
if ($mb[mb_mailling]) $mailling_checked = 'checked'; // 메일 수신
if ($mb[mb_sms]) $sms_checked = 'checked'; // SMS 수신
if ($mb[mb_open]) $open_checked = 'checked'; // 정보 공개
$g4['title'] = '회원정보 ' . $html_title;
$g4['title'] = '회원정보 '.$html_title;
include_once('./admin.head.php');
?>
<table width=100% align=center cellpadding=0 cellspacing=0>
<form id="fmember" name="fmember" method=post onsubmit="return fmember_submit(this);" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" id="w" name="w" value='<?=$w?>'>
<input type="hidden" id="sfl" name="sfl" value='<?=$sfl?>'>
<input type="hidden" id="stx" name="stx" value='<?=$stx?>'>
<input type="hidden" id="sst" name="sst" value='<?=$sst?>'>
<input type="hidden" id="sod" name="sod" value='<?=$sod?>'>
<input type="hidden" id="page" name="page" value='<?=$page?>'>
<input type="hidden" id="token" name="token" value='<?=$token?>'>
<colgroup width=20% class='col1 pad1 bold right'>
<colgroup width=30% class='col2 pad2'>
<colgroup width=20% class='col1 pad1 bold right'>
<colgroup width=30% class='col2 pad2'>
<form id="fmember" name="fmember" method="post" onsubmit="return fmember_submit(this);" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="w" value="<?=$w?>">
<input type="hidden" name="sfl" value="<?=$sfl?>">
<input type="hidden" name="stx" value="<?=$stx?>">
<input type="hidden" name="sst" value="<?=$sst?>">
<input type="hidden" name="sod" value="<?=$sod?>">
<input type="hidden" name="page" value="<?=$page?>">
<input type="hidden" name="token" value="<?=$token?>">
<table>
<caption></caption>
<tbody>
<tr>
<td colspan=4 class=title align=left><img src='<?=$g4['admin_path']?>/img/icon_title.gif'> <?=$g4['title']?></td>
</tr>
<tr><td colspan=4 class=line1></td></tr>
<tr class='ht'>
<td>아이디</td>
<th scope="row"><label for="mb_id">아이디</label></th>
<td>
<input type="text" id="mb_id" name="mb_id" size=20 maxlength=20 minlength=2 <?=$required_mb_id?> itemname='아이디' value='<? echo $mb['mb_id'] ?>'>
<?if ($w=='u'){?><a href='./boardgroupmember_form.php?mb_id=<?=$mb['mb_id']?>'>접근가능그룹보기</a><?}?>
<input type="text" id="mb_id" name="mb_id" maxlength="20" minlength="2" <?=$required_mb_id?> value="<?=$mb['mb_id']?>">
<?if ($w=='u'){?><a href="./boardgroupmember_form.php?mb_id=<?=$mb['mb_id']?>">접근가능그룹보기</a><?}?>
</td>
<td>패스워드</td>
<td><input type=password id="mb_password" name="mb_password" size=20 maxlength=20 <?=$required_mb_password?> itemname='암호'></td>
<th scope="row"><label for="mb_password">패스워드</label></th>
<td><input type="password" id="mb_password" name="mb_password" maxlength="20" <?=$required_mb_password?>></td>
</tr>
<tr class='ht'>
<td>이름(실명)</td>
<td><input type="text" id="mb_name" name="mb_name" maxlength=20 minlength=2 required itemname='이름(실명)' value='<? echo $mb['mb_name'] ?>'></td>
<td>별명</td>
<td><input type="text" id="mb_nick" name="mb_nick" maxlength=20 minlength=2 required itemname='별명' value='<? echo $mb['mb_nick'] ?>'></td>
<tr>
<th scope="row"><label for="mb_name">이름(실명)</label></th>
<td><input type="text" id="mb_name" name="mb_name" maxlength="20" minlength="2" required value="<?=$mb['mb_name']?>"></td>
<th scope="row"><label for="mb_nick">별명</label></th>
<td><input type="text" id="mb_nick" name="mb_nick" maxlength="20" minlength="2" required value="<?=$mb['mb_nick']?>"></td>
</tr>
<tr class='ht'>
<td>회원 권한</td>
<tr>
<th scope="row"><label for="mb_level">회원 권한</label></th>
<td><?=get_member_level_select('mb_level', 1, $member['mb_level'], $mb['mb_level'])?></td>
<td>포인트</td>
<td><a href='./point_list.php?sfl=mb_id&stx=<?=$mb['mb_id']?>' class='bold'><?=number_format($mb['mb_point'])?></a> 점</td>
<th scope="row">포인트</th>
<td><a href="./point_list.php?sfl=mb_id&amp;stx=<?=$mb['mb_id']?>" target="_blank"><?=number_format($mb['mb_point'])?></a> 점</td>
</tr>
<tr class='ht'>
<td>E-mail</td>
<td><input type="text" id="mb_email" name="mb_email" size=40 maxlength=100 required email itemid="e-mail" name="e-mail" value='<? echo $mb['mb_email'] ?>'></td>
<td>홈페이지</td>
<td><input type="text" id="mb_homepage" name="mb_homepage" size=40 maxlength=255 itemname='홈페이지' value='<? echo $mb['mb_homepage'] ?>'></td>
<tr>
<th scope="row"><label for="mb_email">E-mail</label></th>
<td><input type="text" id="mb_email" name="mb_email" maxlength="100" required email value="<?=$mb['mb_email']?>"></td>
<th scope="row"><label for="mb_homepage">홈페이지</label></th>
<td><input type="text" id="mb_homepage" name="mb_homepage" maxlength="255" value="<?=$mb['mb_homepage']?>"></td>
</tr>
<tr class='ht'>
<td>전화번호</td>
<td><input type="text" id="mb_tel" name="mb_tel" maxlength=20 itemname='전화번호' value='<? echo $mb['mb_tel'] ?>'></td>
<td>핸드폰번호</td>
<td><input type="text" id="mb_hp" name="mb_hp" maxlength=20 itemname='핸드폰번호' value='<? echo $mb['mb_hp'] ?>'></td>
<tr>
<th scope="row"><label for="mb_tel">전화번호</label></th>
<td><input type="text" id="mb_tel" name="mb_tel" maxlength="20" value="<?=$mb['mb_tel']?>"></td>
<th scope="row"><label for="mb_hp">핸드폰번호</label></th>
<td><input type="text" id="mb_hp" name="mb_hp" maxlength="20" value="<?=$mb['mb_hp']?>"></td>
</tr>
<tr class='ht'>
<td>주소</td>
<td>
<input type="text" id="mb_zip1" name="mb_zip1" size=4 maxlength=3 readonly itemname='우편번호 앞자리' value='<? echo $mb['mb_zip1'] ?>'> -
<input type="text" id="mb_zip2" name="mb_zip2" size=4 maxlength=3 readonly itemname='우편번호 뒷자리' value='<? echo $mb['mb_zip2'] ?>'>
<a href="javascript:;" onclick="win_zip('fmember', 'mb_zip1', 'mb_zip2', 'mb_addr1', 'mb_addr2');"><img src='<?=$g4['bbs_img_path']?>/btn_zip.gif' align=absmiddle border=0></a>
<br><input type="text" id="mb_addr1" name="mb_addr1" size=40 readonly value='<? echo $mb['mb_addr1'] ?>'>
<br><input type="text" id="mb_addr2" name="mb_addr2" size=25 itemname='상세주소' value='<? echo $mb['mb_addr2'] ?>'> 상세주소 입력</td>
<td>회원아이콘</td>
<td colspan=3>
<input type=file id="mb_icon" name="mb_icon"><br>이미지 크기는 <?=$config['cf_member_icon_width']?>x<?=$config['cf_member_icon_height']?>으로 해주세요.
<tr>
<th scope="row"><label for="mb_zip1">주소</label></th>
<td colspan="3">
<input type="text" id="mb_zip1" name="mb_zip1" maxlength="3" readonly value="<?=$mb['mb_zip1']?>" title="우편번호 앞자리"> -
<input type="text" id="mb_zip2" name="mb_zip2" maxlength="3" readonly value="<?=$mb['mb_zip2']?>" title="우편번호 뒷자리">
<a href="javascript:;" onclick="win_zip('fmember', 'mb_zip1', 'mb_zip2', 'mb_addr1', 'mb_addr2');">우편번호 검색</a>
<input type="text" id="mb_addr1" name="mb_addr1" readonly value='<?=$mb['mb_addr1']?>' title="행정기본주소">
<input type="text" id="mb_addr2" name="mb_addr2" value='<?=$mb['mb_addr2']?>' title="상세주소"> 상세주소 입력
</td>
</tr>
<tr>
<th scope="row"><label for="mb_icon">회원아이콘</label></th>
<td colspan="3">
<?=help('이미지 크기는 넓이 '.$config['cf_member_icon_width'].'픽셀 높이 '.$config['cf_member_icon_height'].'픽셀로 해주세요.')?>
<input type="file" id="mb_icon" name="mb_icon">
<?
$mb_dir = substr($mb['mb_id'],0,2);
$icon_file = $g4['path'].'/data/member/'.$mb_dir.'/'.$mb['mb_id'].'.gif';
if (file_exists($icon_file)) {
echo '<br><img src="'.$icon_file.'" align=absmiddle>';
echo ' <input type=checkbox id="del_mb_icon" name="del_mb_icon" value="1" class="csscheck">삭제';
echo '<img src="'.$icon_file.'">';
echo '<input type="checkbox" id="del_mb_icon" name="del_mb_icon" value="1">삭제';
}
?>
</td>
</tr>
<tr class='ht'>
<td>생년월일</td>
<td><input type="text" id="mb_birth" name="mb_birth" size=9 maxlength=8 value='<? echo $mb['mb_birth'] ?>'></td>
<td>남녀</td>
<td>
<select id="mb_sex" name="mb_sex"><option value=''>----<option value='F'>여자<option value='M'>남자</select>
<script type="text/javascript"> document.fmember.mb_sex.value = "<?=$mb['mb_sex']?>"; </script></td>
<tr>
<th scope="row"><label for="mb_mailling">메일 수신</label></th>
<td><input type="checkbox" id="mb_mailling" name="mb_mailling" value="1" <?=$mailling_checked?>> 정보 메일을 받음</td>
<th scope="row"><label for="mb_sms">SMS 수신</label></th>
<td><input type="checkbox" id="mb_sms" name="mb_sms" value="1" <?=$sms_checked?>> 문자메세지를 받음</td>
</tr>
<tr class='ht'>
<td>메일 수신</td>
<td><input type=checkbox id="mb_mailling" name="mb_mailling" value='1' <?=$mailling_checked?>> 정보 메일을 받음</td>
<td>SMS 수신</td>
<td><input type=checkbox id="mb_sms" name="mb_sms" value='1' <?=$sms_checked?>> 문자메세지를 받음</td>
<tr>
<th scope="row"><label for="mb_open">정보 공개</label></th>
<td colspan="3"><input type="checkbox" id="mb_open" name="mb_open" value='1' <?=$open_checked?>> 타인에게 자신의 정보를 공개</td>
</tr>
<tr class='ht'>
<td>정보 공개</td>
<td colspan=3><input type=checkbox id="mb_open" name="mb_open" value='1' <?=$open_checked?>> 타인에게 자신의 정보를 공개</td>
<tr>
<th scope="row"><label for="mb_signature">서명</label></th>
<td><textarea id="mb_signature" name="mb_signature"><?=$mb['mb_signature']?></textarea></td>
<th scope="row"><label for="mb_profile">자기 소개</label></th>
<td><textarea id="mb_profile" name="mb_profile"><?=$mb['mb_profile']?></textarea></td>
</tr>
<tr class='ht'>
<td>서명</td>
<td><textarea id="mb_signature" name="mb_signature" rows=5 style='width:99%; word-break:break-all;'><? echo $mb['mb_signature'] ?></textarea></td>
<td>자기 소개</td>
<td><textarea id="mb_profile" name="mb_profile" rows=5 style='width:99%; word-break:break-all;'><? echo $mb['mb_profile'] ?></textarea></td>
</tr>
<tr class='ht'>
<td>메모</td>
<td colspan=3><textarea id="mb_memo" name="mb_memo" rows=5 style='width:99%; word-break:break-all;'><? echo $mb['mb_memo'] ?></textarea></td>
<tr>
<th scope="row"><label for="mb_memo">메모</label></th>
<td colspan="3"><textarea id="mb_memo" name="mb_memo"><?=$mb['mb_memo']?></textarea></td>
</tr>
<? if ($w == 'u') { ?>
<tr class='ht'>
<td>회원가입일</td>
<tr>
<th scope="row">회원가입일</th>
<td><?=$mb['mb_datetime']?></td>
<td>최근접속일</td>
<th scope="row">최근접속일</th>
<td><?=$mb['mb_today_login']?></td>
</tr>
<tr class='ht'>
<td>IP</td>
<td><?=$mb['mb_ip']?></td>
<? if ($config['cf_use_email_certify']) { ?>
<td>인증일시</td>
<td><?=$mb['mb_email_certify']?>
<? if ($mb['mb_email_certify'] == '0000-00-00 00:00:00') { echo '<input type=checkbox id="passive_certify" name="passive_certify">수동인증'; } ?></td>
<? } else { ?>
<td></td>
<td></td>
<? } ?>
<tr>
<th scope="row">IP</th>
<td colspan="3"><?=$mb['mb_ip']?></td>
</tr>
<? if ($config['cf_use_email_certify']) { ?>
<tr>
<th scope="row">인증일시</th>
<td colspan="3">
<?=$mb['mb_email_certify']?>
<? if ($mb['mb_email_certify'] == '0000-00-00 00:00:00') { ?>
<input type="checkbox" id="passive_certify" name="passive_certify">
<label>수동인증</label>
<? } ?>
</td>
</tr>
<? } ?>
<? } ?>
<? if ($config['cf_use_recommend']) { // 추천인 사용 ?>
<tr class='ht'>
<td>추천인</td>
<td colspan=3><?=($mb['mb_recommend'] ? get_text($mb['mb_recommend']) : '없음'); // 081022 : CSRF 보안 결함으로 인한 코드 수정 ?></td>
<tr>
<th scope="row">추천인></th>
<td colspan="3"><?=($mb['mb_recommend'] ? get_text($mb['mb_recommend']) : '없음'); // 081022 : CSRF 보안 결함으로 인한 코드 수정 ?></td>
</tr>
<? } ?>
<tr class='ht'>
<td>탈퇴일자</td>
<td><input type="text" id="mb_leave_date" name="mb_leave_date" size=9 maxlength=8 value='<? echo $mb['mb_leave_date'] ?>'></td>
<td>접근차단일자</td>
<td><input type="text" id="mb_intercept_date" name="mb_intercept_date" size=9 maxlength=8 value='<? echo $mb['mb_intercept_date'] ?>'> <input type=checkbox value='<? echo date("Ymd"); ?>' onclick='if (this.form.mb_intercept_date.value==this.form.mb_intercept_date.defaultValue) { this.form.mb_intercept_date.value=this.value; } else { this.form.mb_intercept_date.value=this.form.mb_intercept_date.defaultValue; } '>오늘</td>
<tr>
<th scope="row"><label for="mb_leave_date">탈퇴일자</label></th>
<td><input type="text" id="mb_leave_date" name="mb_leave_date" maxlength="8" value="<?=$mb['mb_leave_date']?>"></td>
<th scope="row"><label for="mb_intercept_date">접근차단일자</label></th>
<td><input type="text" id="mb_intercept_date" name="mb_intercept_date" maxlength="8" value="<?=$mb['mb_intercept_date']?>"> <input type="checkbox" value="<?=date("Ymd"); ?>" onclick="if (this.form.mb_intercept_date.value==this.form.mb_intercept_date.defaultValue) { this.form.mb_intercept_date.value=this.value; } else { this.form.mb_intercept_date.value=this.form.mb_intercept_date.defaultValue; }">오늘</td>
</tr>
<? for ($i=1; $i<=10; $i=$i+2) { $k=$i+1; ?>
<tr class='ht'>
<td>여분 필드 <?=$i?></td>
<td><input type="text" style='width:99%;' name='mb_<?=$i?>' maxlength=255 value='<?=$mb["mb_$i"]?>'></td>
<td>여분 필드 <?=$k?></td>
<td><input type="text" style='width:99%;' name='mb_<?=$k?>' maxlength=255 value='<?=$mb["mb_$k"]?>'></td>
<? for ($i=1; $i<=10; $i++) { ?>
<tr>
<th scope="row"><label for="mb_<?=$i?>">여분 필드 <?=$i?></label></th>
<td><input type="text" id="mb_<?=$i?>" name="mb_<?=$i?>" maxlength="255" value="<?=$mb['mb_'.$i]?>"></td>
</tr>
<? } ?>
<tr class='ht'>
<td colspan=4 align=left>
<?//=subtitle("XSS / CSRF 방지")?>
</td>
</tr>
<tr><td colspan=4 class=line1></td></tr>
<tr class='ht'>
<td>
관리자 패스워드
</td>
<td colspan=3>
<input class='ed' type='password' id="admin_password" name="admin_password" itemid="관리자 패스워드" name="관리자 패스워드" required>
<?=help('관리자 권한을 빼앗길 것에 대비하여 로그인한 관리자의 패스워드를 한번 더 묻는것 입니다.');?>
</td>
</tr>
<tr><td colspan=4 class=line2></td></tr>
</tbody>
</table>
<p align=center>
<input type=submit class=btn1 accesskey='s' value=' 확 인 '>&nbsp;
<input type=button class=btn1 value=' 목 록 ' onclick="document.location.href='./member_list.php?<?=$qstr?>';">&nbsp;
<fieldset id="admin_confirm">
<legend><span></span>XSS 혹은 CSRF 방지</legend>
<p>관리자 권한을 탈취당하는 경우를 대비하여 패스워드를 다시 한번 확인합니다.</p>
<label for="admin_password">관리자 패스워드</label>
<input type="password" id="admin_password" name="admin_password" required title="관리자 패스워드">
</fieldset>
<? if ($w != '') { ?>
<input type=button class=btn1 value=' 삭 제 ' onclick="del('./member_delete.php?<?=$qstr?>&w=d&mb_id=<?=$mb['mb_id']?>&url=<?=$_SERVER['PHP_SELF']?>');">&nbsp;
<div class="btn_confirm">
<input type="submit" accesskey='s' value="확인">
<input type="button" value="목록" onclick="document.location.href='./member_list.php?<?=$qstr?>';">
<? if ($w != '') { ?><!-- -->
<input type="button" value="삭제" onclick="del('./member_delete.php?<?=$qstr?>&amp;w=d&amp;mb_id=<?=$mb['mb_id']?>&amp;url=<?=$_SERVER['PHP_SELF']?>');">
<? } ?>
</div>
</form>
<script type='text/javascript'>