couche de sécu en plus

admin/enigma.php

@@ -9,32 +9,34 @@ $req = $db->query("SELECT * FROM enigma WHERE id = 1");
 $r = $req -> fetchAll(PDO::FETCH_ASSOC);
 
 if(isset($_POST['send'])) {
-	if(isset($_POST['answer']) AND !empty($_POST['answer'])) {
-		$ans = htmlspecialchars($_POST['answer']);
-		$req = $db->prepare("UPDATE enigma SET answer = ? WHERE id = 1");
-		$req->execute(array($ans));
-	}
-	if(isset($_POST['points']) AND !empty($_POST['points'])) {
-		$point = (int) htmlspecialchars($_POST['points']);
-		$req = $db->prepare("UPDATE enigma SET point = ? WHERE id = 1");
-		$req->execute(array($point));
-	}
-	if(isset($_POST['team']) AND !empty($_POST['team'])) {
-		switch (htmlspecialchars($_POST['team'])) {
-		case "t":
-			$t_int = NULL;
-			break;
-		case "t0":
-			$t_int = 0;
-			break;
-	    case "t1":
-	    	$t_int = 1;
-	        break;
+	if($user['perm'] >= 2) {
+		if(isset($_POST['answer']) AND !empty($_POST['answer'])) {
+			$ans = htmlspecialchars($_POST['answer']);
+			$req = $db->prepare("UPDATE enigma SET answer = ? WHERE id = 1");
+			$req->execute(array($ans));
 		}
-		$req = $db->prepare("UPDATE enigma SET team = ? WHERE id = 1");
-		$req->execute(array($t_int));
+		if(isset($_POST['points']) AND !empty($_POST['points'])) {
+			$point = (int) htmlspecialchars($_POST['points']);
+			$req = $db->prepare("UPDATE enigma SET point = ? WHERE id = 1");
+			$req->execute(array($point));
+		}
+		if(isset($_POST['team']) AND !empty($_POST['team'])) {
+			switch (htmlspecialchars($_POST['team'])) {
+			case "t":
+				$t_int = NULL;
+				break;
+			case "t0":
+				$t_int = 0;
+				break;
+		    case "t1":
+		    	$t_int = 1;
+		        break;
+			}
+			$req = $db->prepare("UPDATE enigma SET team = ? WHERE id = 1");
+			$req->execute(array($t_int));
+		}
+		header('Refresh:0');
 	}
-	header('Refresh:0');
 }
 ?>
 <!DOCTYPE html>

admin/gestion_des_acces.php

@@ -19,35 +19,38 @@ if(isset($_GET['del']) AND !empty(['del']))
 
 if(isset($_POST['send'])) {
 	if(isset($_POST['pseudo']) AND !empty($_POST['pseudo']) AND isset($_POST['mdp']) AND !empty($_POST['mdp']) AND isset($_POST['perm']) AND !empty($_POST['perm'])) {
-		$pseudo = htmlspecialchars($_POST['pseudo']);
-		$mdp = htmlspecialchars($_POST['mdp']);
-		$perm = htmlspecialchars($_POST['perm']);
 
-		switch ($perm) {
-		case "v0":
-			$perm_int = 0;
-			break;
-	    case "v1":
-	    	$perm_int = 1;
-	        break;
-	    case "v2":
-	    	$perm_int = 2;
-	        break;
-		}
+		if($user['perm'] >= 2) {
+			$pseudo = htmlspecialchars($_POST['pseudo']);
+			$mdp = htmlspecialchars($_POST['mdp']);
+			$perm = htmlspecialchars($_POST['perm']);
 
-		if(strlen($pseudo) <= 50) {
-			$req = $db->prepare("SELECT id FROM admin WHERE pseudo = ?");
-            $req->execute(array($pseudo));
-            $pseudo_exist = $req->rowCount();
-            if ($pseudo_exist == 0) {
-				$req = $db->prepare("INSERT INTO admin(pseudo, mdp, perm) VALUES(?, ?, ?)");
-				$req->execute(array($pseudo, password_hash($mdp, PASSWORD_DEFAULT), $perm_int));
-				header('refresh:0');
-			} else {
-				$error = "pseudo déja utilisé";
+			switch ($perm) {
+			case "v0":
+				$perm_int = 0;
+				break;
+		    case "v1":
+		    	$perm_int = 1;
+		        break;
+		    case "v2":
+		    	$perm_int = 2;
+		        break;
+			}
+
+			if(strlen($pseudo) <= 50) {
+				$req = $db->prepare("SELECT id FROM admin WHERE pseudo = ?");
+	            $req->execute(array($pseudo));
+	            $pseudo_exist = $req->rowCount();
+	            if ($pseudo_exist == 0) {
+					$req = $db->prepare("INSERT INTO admin(pseudo, mdp, perm) VALUES(?, ?, ?)");
+					$req->execute(array($pseudo, password_hash($mdp, PASSWORD_DEFAULT), $perm_int));
+					header('refresh:0');
+				} else {
+					$error = "pseudo déja utilisé";
+				}
+			} else {
+				$error = "le pseudo ne doit pas dépasser 50 char";
 			}
-		} else {
-			$error = "le pseudo ne doit pas dépasser 50 char";
 		}
 	} else {
 		$error = "Tout les champs doivent être complétés";