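<?php
// userSearch.php — admin/editor user lookup with ban / un-ban actions.
//
// Review changes versus the previous revision of this page:
//  * the page permission check (has_permission) now runs BEFORE the ban/unban
//    UPDATE is executed — previously the UPDATE ran first, so the permission
//    check did not protect the state-changing action at all;
//  * ban / unban / ban_ip are only honoured with a per-session CSRF token and
//    the action value is matched against an explicit whitelist;
//  * $sql is always defined before it reaches sql_query() (the old code could
//    pass null for an unknown action, or for an editor searching by IP/type);
//  * the password column is no longer selected into the HTML result table;
//  * the IP search form's submit button was also named "ip", which clobbered
//    the text field and left $_REQUEST['search'] unset, so IP search never ran;
//  * values echoed into HTML attributes / URLs are escaped.
//
// Requires PHP >= 7.0 (random_bytes, hash_equals).
// The DB wrapper used here exposes only sql_query() with a pre-built string, so
// every interpolated value still goes through $db->sanitize_input(); keep that on
// any new value you add to a query.
include_once('../includes/static/configure.php');
include_once('../includes/static/util.php');
include_once('../includes/static/dbcon2.php');
include_once('../includes/static/gdimg.php');
include_once('../includes/static/sessions.php');
include_once('includes/static/util.php');
include_once('includes/appTop2.php');

// Authorisation first: nothing below may run for a caller without page access.
$page_id = str_replace('.php', '', basename($_SERVER['PHP_SELF']));
if (!has_permission($page_id)) {
    die("You don't have permission to view this page!");
}

// HTML-escape helper for this page (HTML body / attribute context).
$h = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

// Per-session anti-CSRF token carried by the ban/unban links below.
// NOTE(review): assumes sessions.php has already started the session — confirm.
if (empty($_SESSION['userSearch_csrf'])) {
    $_SESSION['userSearch_csrf'] = bin2hex(random_bytes(16));
}
$csrf    = $_SESSION['userSearch_csrf'];
$self    = $h($_SERVER['PHP_SELF']);
$isAdmin = isset($_SESSION['admin_id']);

// --- state-changing actions (ban / unban / ban_ip) ---------------------------
if (isset($_REQUEST['action']) && isset($_REQUEST['userId'])) {
    $token = isset($_REQUEST['csrf']) ? (string) $_REQUEST['csrf'] : '';
    if (!hash_equals($csrf, $token)) {
        die('Invalid or missing request token.');
    }

    $userId = $db->sanitize_input($_REQUEST['userId']);
    $sql    = null;
    switch ($_REQUEST['action']) {
        case 'ban':
            $sql = "UPDATE 50mm_users SET banned = 1 WHERE user_id='" . $userId . "'";
            break;
        case 'unban':
            $sql = "UPDATE 50mm_users SET banned = 0 WHERE user_id='" . $userId . "'";
            break;
        case 'ban_ip':
            // userIp was read without an isset() check before; an empty value
            // would have produced "WHERE ip=''" instead of an error.
            if (isset($_REQUEST['userIp']) && $_REQUEST['userIp'] !== '') {
                $userIp = $db->sanitize_input($_REQUEST['userIp']);
                $sql    = "UPDATE 50mm_users SET banned = 1 WHERE ip='" . $userIp . "'";
            }
            break;
    }
    if ($sql === null) {
        die('Unknown or incomplete action.');
    }

    if (!($result = $db->sql_query($sql))) {
        $sql_error = $db->sql_error();
        die($h($sql_error['message']));
    }
    echo '<div class="hilite">operation successful</div>';
}

include_once('includes/header.php');
?>
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<?php if ($isAdmin) { ?>
<td nowrap width="200">
<form method="POST" action="<?php echo $self; ?>" enctype="application/x-www-form-urlencoded">
Search By User Type:<br>
<select name="userType">
<option value="WEB">WEB</option>
<option value="EDITOR">EDITOR</option>
<option value="ADMIN">ADMIN</option>
</select>
<br>
<input type="submit" class="button" value="search" name="search">
</form>
</td>
<td width="20"> </td>
<?php } ?>
<td width="200">
<form method="POST" action="<?php echo $self; ?>" enctype="application/x-www-form-urlencoded">
Search By Username:<br>
<input type="text" class="field" name="username">
<br>
<input type="submit" class="button" value="search" name="search">
</form>
</td>
<td width="20"> </td>
<td width="200">
<form method="POST" action="<?php echo $self; ?>" enctype="application/x-www-form-urlencoded">
Search By Email:<br>
<input type="text" class="field" name="email">
<br>
<input type="submit" class="button" value="search" name="search">
</form>
</td>
<td width="200">
<form method="POST" action="<?php echo $self; ?>" enctype="application/x-www-form-urlencoded">
Search By IP:<br>
<input type="text" class="field" name="ip"><br>
<!-- submit is named "search" (not "ip") so the IP text field survives and the
     search branch below actually runs -->
<input type="submit" class="button" value="search" name="search">
</form>
</td>
</tr>
</table>
<?php
// --- search ------------------------------------------------------------------
if (isset($_REQUEST['search'])) {
    $sql = null;
    if ($isAdmin) {
        // Admins get account details; the password hash is deliberately NOT
        // selected any more — it has no business in an HTML table.
        $cols = 'user_id,user_type,email,username,banned,ip';
        if (isset($_REQUEST['username'])) {
            $username = $db->sanitize_input(sanitize_title($_REQUEST['username']));
            $sql = "SELECT $cols FROM 50mm_users WHERE username LIKE '" . $username . "%'";
        } elseif (isset($_REQUEST['email'])) {
            $email = $db->sanitize_input(addslashes($_REQUEST['email']));
            $sql = "SELECT $cols FROM 50mm_users WHERE email LIKE '" . $email . "%'";
        } elseif (isset($_REQUEST['userType'])) {
            $userType = $db->sanitize_input(sanitize_title($_REQUEST['userType']));
            $sql = "SELECT $cols FROM 50mm_users WHERE user_type = '" . $userType . "'";
        } elseif (isset($_REQUEST['ip'])) {
            $ip = $db->sanitize_input(sanitize_title($_REQUEST['ip']));
            $sql = "SELECT $cols FROM 50mm_users WHERE ip = '" . $ip . "'";
        }
    } else {
        // Editors: reduced column set, WEB accounts only, username/email only.
        $cols = 'user_id,username,banned,ip';
        if (isset($_REQUEST['username'])) {
            $username = $db->sanitize_input(sanitize_title($_REQUEST['username']));
            $sql = "SELECT $cols FROM 50mm_users WHERE username LIKE '" . $username . "%' AND user_type='WEB'";
        } elseif (isset($_REQUEST['email'])) {
            $email = $db->sanitize_input(addslashes($_REQUEST['email']));
            $sql = "SELECT $cols FROM 50mm_users WHERE email LIKE '" . $email . "%' AND user_type='WEB'";
        }
    }
    if ($sql === null) {
        // Editors submitting the userType/ip forms, or a submit with no field,
        // used to reach sql_query() with an undefined $sql.
        die('Unsupported search.');
    }

    if (!($result = $db->sql_query($sql))) {
        $sql_error = $db->sql_error();
        die($h($sql_error['message']));
    }

    $canEmail  = has_permission('userEmail');
    $canEdit   = $isAdmin && has_permission('userEdit');
    $canDelete = has_permission('userDelete');

    $modrows = [];
    while ($row = $db->sql_fetchrow($result)) {
        $id = $row['user_id'];
        $ip = $row['ip'];
        // URL-encode for the query string, then attribute-escape for the href.
        $idQ = $h(urlencode((string) $id));
        $ipQ = $h(urlencode((string) $ip));

        $xtras = [];
        if ($canEmail) {
            $xtras['email'] = '<a href="userEmail.php?userId=' . $idQ . '">email</a>';
        }
        if ($canEdit) {
            $xtras['edit'] = '<a href="userEdit.php?userId=' . $idQ . '">edit</a>';
        }
        // Admins and editors both get the ban toggle; the link carries the
        // session token checked at the top of this page.
        $banHref = $self . '?userId=' . $idQ . '&amp;csrf=' . $h($csrf) . '&amp;action=';
        if ($row['banned']) {
            $xtras['ban'] = '<a href="' . $banHref . 'unban">un-ban</a>';
        } else {
            $xtras['ban'] = '<a href="' . $banHref . 'ban">ban</a>';
        }
        if ($canDelete) {
            $xtras['delete']       = '<a href="userDelete.php?userId=' . $idQ . '">delete</a>';
            $xtras['delete_by_ip'] = '<a href="ipUserDelete.php?userIp=' . $ipQ . '">delete by ip</a>';
        }

        unset($row['user_id']);
        $modrows[] = array_merge($row, $xtras);
    }
    // NOTE(review): get_table() is assumed to HTML-escape plain cell text
    // (email/username/ip are user-controlled) — confirm in includes/static/util.php.
    echo get_table($modrows);
}
?>
<?php
include_once('includes/footer.php');
include_once('includes/appBottom.php');
?>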