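location.href = 'manage_user.php'"); }

    // The line above is the tail of a statement that begins before this
    // excerpt; it is kept verbatim. What follows is the add-user handler:
    // it reads the submitted account fields, rejects a duplicate username
    // and a second leader for the same group, inserts the row into `info`
    // and, for a leader, records the user in `group_title`.
    //
    // NOTE(review): this code uses the legacy mysql_* extension, which was
    // removed in PHP 7. The lasting fix for the string-built queries below
    // is prepared statements through mysqli or PDO.

    // Every value read here comes from the request and is untrusted.
    $user = isset($_POST['uname']) ? $_POST['uname'] : '';
    $pass = isset($_POST['pword']) ? $_POST['pword'] : '';
    $grp  = isset($_POST['group']) ? $_POST['group'] : '';
    $pos  = isset($_POST['position']) ? $_POST['position'] : '';

    // Accept strings only: an array field (uname[]=x) is not equal to '' and
    // would otherwise pass the empty-name check and reach the queries.
    if (!is_string($user) || !is_string($pass) || !is_string($grp) || !is_string($pos)) {
        die("");
    }

    /*if(strlen($pass)>=11){
        die("");
    }*/

    if ($user === '') {
        die("");
    }

    // Start from a known value instead of relying on an unset variable; on
    // installations with register_globals an unset flag can be supplied by
    // the request.
    $exist = false;

    // Usernames are written HTML-encoded by the INSERT below, so a name that
    // contains &, <, > or " must be compared in its stored form as well.
    // Strict comparison keeps numeric-looking names ("1" and "01") distinct.
    $storedForm = htmlspecialchars($user);

    $SQL = "SELECT * FROM info";
    $result = mysql_query($SQL);
    if ($result === false) {
        // Without the existing rows the duplicate check cannot be trusted.
        die("");
    }
    while ($db_field = mysql_fetch_assoc($result)) {
        if ($db_field['username'] === $user || $db_field['username'] === $storedForm) {
            $exist = true;
            break;
        }
    }

    if ($exist) {
        $msg = 'User already exist!';
        mysql_close($db_handle);
    } else {
        // Raw copies of the submitted values, taken before HTML encoding.
        $bui_pos = $pos;
        $bui_grp = $grp;
        $bui_user = $user;

        // The raw values must not be interpolated into SQL. quote_smart() is
        // defined outside this excerpt; the INSERT below already relies on it
        // to return an escaped, quoted SQL literal, so the same helper is
        // used for the lookup and the UPDATE. NOTE(review): confirm that
        // quote_smart() escapes with the connection's character set.
        $grpLiteral  = quote_smart($bui_grp, $db_handle);
        $userLiteral = quote_smart($bui_user, $db_handle);

        // Does the group already have a leader?
        $timailhan = false;
        $SQL = "SELECT * FROM info WHERE groups = $grpLiteral AND position = 'leader'";
        $result = mysql_query($SQL);
        if ($result === false) {
            // Do not create a leader when the existing one cannot be checked.
            die("");
        }
        while ($db_field = mysql_fetch_assoc($result)) {
            $led = $db_field['username'];
            if ($led !== null && $led !== '') {
                $timailhan = true;
            }
        }

        if ($pos === "leader" && $timailhan) {
            die("");
        }

        // htmlspecialchars() is output encoding and gives no protection for
        // SQL; it is kept so that new rows have the same stored format as
        // existing ones. Encoding when the value is displayed is the usual
        // place for it.
        $user = htmlspecialchars($user);
        $pass = htmlspecialchars($pass);
        $grp = htmlspecialchars($grp);
        $pos = htmlspecialchars($pos);

        // SQL escaping and quoting for the INSERT values.
        $user = quote_smart($user, $db_handle);
        $pass = quote_smart($pass, $db_handle);
        $grp = quote_smart($grp, $db_handle);
        $pos = quote_smart($pos, $db_handle);

        // NOTE(review): the password is stored as submitted, not hashed.
        // Moving to password_hash()/password_verify() has to be done together
        // with the login check, which is outside this excerpt.
        $SQL = "INSERT INTO info (`username`, `password`, `groups`, `position`) VALUES ($user, $pass, $grp, $pos)";
        $inserted = mysql_query($SQL);

        // Record the leader only when the account row was actually written.
        if ($inserted && $bui_pos === "leader") {
            $SQL = "UPDATE group_title SET group_leader = $userLiteral WHERE group_name = $grpLiteral";
            mysql_query($SQL);
        }

        mysql_close($db_handle);

        // Report failure instead of claiming success unconditionally. The
        // database error text is deliberately not shown to the user.
        $msg = $inserted ? 'User successfully added.' : 'Unable to add user.';
    }
}
?>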