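// Read the five fields of the submitted test result from the POST body.
//
// With magic_quotes_gpc enabled PHP has already escaped every POST value the way
// addslashes() does. stripslashes() is the exact inverse of that escaping.
// stripcslashes() is not: it additionally decodes C-style escapes (octal, hex,
// \n, \t, ...), so some byte sequences come back altered. The serial and root text
// are later used to look up the account to credit, so they must round-trip unchanged.
foreach (array('serial', 'root', 'type', 'variant', 'date') as $postKey) {
    // A missing or array-valued parameter would otherwise be processed as an empty
    // string and create empty cats_type / cats_variant rows further down.
    if (!isset($_POST[$postKey]) || !is_string($_POST[$postKey])) {
        echo 'Invalid request'."\r\n";
        trigger_error('Invalid request', E_USER_ERROR);
        exit();
    }
}
if (get_magic_quotes_gpc()) {
    $serial = stripslashes($_POST['serial']);
    $root = stripslashes($_POST['root']);
    $type = stripslashes($_POST['type']);
    $variant = stripslashes($_POST['variant']);
    $date = stripslashes($_POST['date']);
} else {
    $serial = $_POST['serial'];
    $root = $_POST['root'];
    $type = $_POST['type'];
    $variant = $_POST['variant'];
    $date = $_POST['date'];
}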
// Resolve the id of the submitted test type. The id is selected explicitly so that a
// type which is not known yet can be inserted and its new id used instead.
$query = mysql_query(
    "SELECT `id` FROM `cats_type` WHERE `type_text` = '" . mysql_real_escape_string($type) . "';"
);
if (!$query) {
    echo "Invalid query\r\n";
    trigger_error('Invalid query', E_USER_ERROR);
    exit();
}
if (!(mysql_num_rows($query) > 0)) {
    // Unknown type: create the row and take the generated id.
    $query = mysql_query(
        "INSERT INTO `cats_type` (`type_text`) VALUES ('" . mysql_real_escape_string($type) . "');"
    );
    if (!$query) {
        echo "Invalid query\r\n";
        trigger_error('Invalid query', E_USER_ERROR);
        exit();
    }
    $typeID = mysql_insert_id();
} else {
    // Known type: the first column of the first row is its id.
    $result = mysql_fetch_array($query);
    $typeID = $result[0];
}
// Resolve the id of the test variant within the type found above, inserting the
// variant when no row with this type id and text exists yet.
$query = mysql_query(
    "SELECT `id` FROM `cats_variant` WHERE `type_id` = '" . (int)$typeID
    . "' AND `test_text` = '" . mysql_real_escape_string($variant) . "';"
);
if (!$query) {
    echo "Invalid query\r\n";
    trigger_error('Invalid query', E_USER_ERROR);
    exit();
}
if (!(mysql_num_rows($query) > 0)) {
    // Unknown variant: create the row and take the generated id.
    $query = mysql_query(
        "INSERT INTO `cats_variant` (`type_id`, `test_text`) VALUES ('" . (int)$typeID
        . "', '" . mysql_real_escape_string($variant) . "');"
    );
    if (!$query) {
        echo "Invalid query\r\n";
        trigger_error('Invalid query', E_USER_ERROR);
        exit();
    }
    $variantID = mysql_insert_id();
} else {
    // Known variant: the first column of the first row is its id.
    $result = mysql_fetch_array($query);
    $variantID = $result[0];
}
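// Map the certificate (serial number plus issuing root) to the account that owns it.
$query = mysql_query('SELECT `ec`.`memid` FROM `emailcerts` AS `ec`, `root_certs` AS `rc` WHERE `ec`.`rootcert` = `rc`.`id` AND `ec`.`serial` = \''.mysql_real_escape_string($serial).'\' AND `rc`.`cert_text` = \''.mysql_real_escape_string($root).'\';');
if (!$query) {
    echo 'Invalid query'."\r\n";
    trigger_error('Invalid query', E_USER_ERROR);
    exit();
}
// The lookup result was previously never read, so $userID stayed undefined and the
// pass was recorded for user id 0. Require exactly one matching certificate: with no
// match there is nobody to credit, and with several the owner is ambiguous, so
// neither case may fall through to the INSERT.
if (mysql_num_rows($query) !== 1) {
    echo 'Cannot find certificate'."\r\n";
    trigger_error('Cannot find certificate', E_USER_ERROR);
    exit();
}
$result = mysql_fetch_array($query);
$userID = $result[0];

// The unique constraint on cats_passed ensures that a pass is not stored more than once.
$query = mysql_query('INSERT INTO `cats_passed` (`user_id`, `variant_id`, `pass_date`) VALUES (\''.(int)$userID.'\', \''.(int)$variantID.'\', \''.mysql_real_escape_string($date).'\');');
if (!$query) {
    // 1062 is the MySQL "duplicate entry" error; a pass that is already recorded counts as success.
    if (mysql_errno() != 1062) {
        echo 'Invalid query'."\r\n";
        trigger_error('Invalid query', E_USER_ERROR);
        exit();
    }
}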
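// Set the assurer flag on the user once a challenge has been passed and the summed
// notary points reach 100. Should the number of points be SUM(points) or SUM(awarded)?
// The statement is written with explicit whitespace between tokens: in the packed form
// the literal and the keyword ran together as "1WHERE", which the SQL lexer may read as
// a single identifier instead of "1" followed by "WHERE".
// NOTE(review): the subquery sums rows with `expire` < now(), while the original remark
// speaks of non-expired points; confirm how `expire` is populated before relying on it.
$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)$userID.'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp` WHERE `tp`.`user_id` = `u`.`id`) AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100;');// Challenge has been passed and non-expired points >= 100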