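<?php
// edit_admin.php
//
// Edit an existing admin account. This script is served through the front
// controller (content.php), which is expected to have started the session
// already, so session_start() is deliberately NOT called here.
//
// Request contract:
//   GET  ?admin_user_id=<int>&operation=edit  -> render the edit form
//   POST (same query string) + form fields    -> apply the update, then redirect
//
// includes/auth_validate.php is assumed to stop unauthenticated visitors; the
// super-admin check in the POST branch is the only authorisation done here.

require_once './config/config.php';
require_once 'includes/auth_validate.php';

// Target account. FILTER_VALIDATE_INT yields null when the parameter is absent
// and false when it is not an integer; both are rejected below so that a bogus
// id never reaches a where() clause.
$admin_user_id = filter_input(INPUT_GET, 'admin_user_id', FILTER_VALIDATE_INT);
// Default filter only: FILTER_SANITIZE_STRING is deprecated since PHP 8.1.
$operation = filter_input(INPUT_GET, 'operation');
// Presumably read by forms/admin_users_form.php to switch between add/edit mode.
$edit = ($operation === 'edit');

if ($admin_user_id === null || $admin_user_id === false) {
    $_SESSION['failure'] = "Invalid admin user id";
    header('location: content.php?page=admin_users');
    exit();
}

// Serve the POST request.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only super admins may modify admin accounts. Flash a message and redirect
    // instead of echoing so the front controller keeps control of the output.
    if (($_SESSION['admin_type'] ?? null) !== 'super') {
        $_SESSION['failure'] = "Permission Denied";
        header('location: content.php?page=admin_users');
        exit();
    }

    // Where to send the user when the submitted data is rejected. Built once
    // with http_build_query() so both failure paths encode the id the same way.
    $back_to_form = 'content.php?page=edit_admin&' . http_build_query([
        'admin_user_id' => $admin_user_id,
        'operation'     => $operation,
    ]);

    // filter_input_array() without a definition hands back every POST field
    // unfiltered (null when the body is empty). Everything left in this array
    // is written to admin_accounts below, so the primary key is dropped here.
    // NOTE(review): this is still mass assignment - any other column name that
    // appears in the POST body is written as-is. Restrict the array to the
    // fields forms/admin_users_form.php actually submits once that list is
    // confirmed, and add a CSRF token check if the project has one.
    $data_to_update = filter_input_array(INPUT_POST) ?: [];
    unset($data_to_update['id']);

    // user_name is mandatory: it is the column used for the duplicate check, so
    // it must be a non-blank string before the database is touched.
    $submitted_name = $data_to_update['user_name'] ?? null;
    if (!is_string($submitted_name) || trim($submitted_name) === '') {
        $_SESSION['failure'] = "User name is required.";
        header('location: ' . $back_to_form);
        exit();
    }
    // NOTE: the name is HTML-encoded before it is stored, so the database holds
    // the encoded form; kept as-is because lookups elsewhere presumably compare
    // against the stored value - confirm before changing to output-time escaping.
    $data_to_update['user_name'] = htmlspecialchars(trim($submitted_name), ENT_QUOTES, 'UTF-8');

    // Only replace the password when a new one was typed; a blank field means
    // "leave unchanged". Compared against '' rather than with empty() so the
    // (unwise but legal) password "0" is not silently discarded.
    $submitted_password = $data_to_update['password'] ?? null;
    if (is_string($submitted_password) && $submitted_password !== '') {
        $data_to_update['password'] = password_hash($submitted_password, PASSWORD_DEFAULT);
    } else {
        unset($data_to_update['password']);
    }

    // Reject a user_name that another account (not the one being edited) uses.
    $db = getDbInstance();
    $db->where('user_name', $data_to_update['user_name']);
    $db->where('id', $admin_user_id, '!=');
    $existing = $db->getOne('admin_accounts');
    if (!empty($existing['user_name'])) {
        $_SESSION['failure'] = "User name already exists";
        header('location: ' . $back_to_form);
        exit();
    }

    // Fresh instance so the where() clauses of the duplicate check cannot leak
    // into the update.
    $db = getDbInstance();
    $db->where('id', $admin_user_id);
    $stat = $db->update('admin_accounts', $data_to_update);
    if ($stat) {
        $_SESSION['success'] = "Admin user has been updated successfully";
    } else {
        // The driver error text is shown to the (super admin) user; if this page
        // is ever reachable by lower-privileged roles, log it and show a generic
        // message instead.
        $_SESSION['failure'] = "Failed to update Admin user : " . $db->getLastError();
    }
    header('location: content.php?page=admin_users');
    exit();
}

// GET: load the account and render the form.
// NOTE(review): the super-admin check above only guards the POST branch, so
// any authenticated user can view this form; move the check before the branch
// if viewing should also be restricted to super admins.
$db = getDbInstance();
$db->where('id', $admin_user_id);
$admin_account = $db->getOne("admin_accounts");
// forms/admin_users_form.php is assumed to read the current values from $row.
$row = $admin_account;

require_once 'includes/header.php';
?>
<div id="page-wrapper">
    <div class="row">
        <div class="col-lg-12">
            <h2 class="page-header">Update User</h2>
        </div>
    </div>
    <?php include_once 'includes/flash_messages.php'; ?>
    <form class="well form-horizontal" action="" method="post" id="contact_form" enctype="multipart/form-data">
        <?php include_once './forms/admin_users_form.php'; ?>
    </form>
</div>
<?php include_once 'includes/footer.php'; ?>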