-
Notifications
You must be signed in to change notification settings - Fork 0
/
challenges_admin.js
124 lines (109 loc) · 3.42 KB
/
challenges_admin.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
function getXHR(){
if( window.XMLHttpRequest ){
return new XMLHttpRequest();
}else{
return new ActiveXObject('Microsoft.XMLHTTP');
}
}
var QData = {
QBox: null,
PBox: null,
CBox: null,
ABox: null,
SetQuestion: function(q){
this.QBox.value = q;
},
SetPoints: function(p){
this.PBox.value = p;
},
SetCategory: function(c){
this.CBox.value = c;
},
SetAnswer: function(a){
this.ABox.value = a;
},
ShowQuestionDialog: function(){
Data.ShowDialog('Question');
},
ID: -1,
action: "modify"
};
function create_question(){
QData.SetQuestion("");
QData.SetPoints(0);
QData.SetCategory("");
QData.SetAnswer("");
QData.ID = -1;
QData.action = "create";
QData.ShowQuestionDialog();
}
function load_question(id){
var xhr = getXHR();
xhr.onreadystatechange = function(){
if( xhr.readyState == 4 && xhr.status == 200 ){
var data = JSON.parse(xhr.responseText);
QData.SetQuestion( data.qtext );
QData.SetPoints( data.points );
QData.SetCategory( data.category );
QData.SetAnswer( data.answer );
QData.ID = id;
QData.ShowQuestionDialog();
}else{
if( xhr.readyState == 4 && xhr.status != 200 ){
Data.SetFailureMessage( "A server error occurred." );
Data.ShowDialog('Failure');
}
}
};
QData.action="modify";
xhr.open( 'POST', 'php-bin/challenge_api.php' );
xhr.setRequestHeader( 'Content-type', 'application/x-www-form-urlencoded' );
xhr.send( 'action=fetch_full&id=' + encodeURIComponent(id) );
}
function set_question(evt){
if( evt.preventDefault ){
evt.preventDefault();
}else if( evt.stopPropagation ){
evt.stopPropagation();
}else{
evt.cancelBubble = true;
}
var xhr = getXHR();
xhr.onreadystatechange = function(){
if( xhr.readyState == 4 && xhr.status == 200 ){
if(xhr.responseText == 'OK'){
Data.SetSuccessMessage('Updated!');
Data.ShowDialog( 'Success' );
}else{
Data.SetFailureMessage( xhr.responseText );
Data.ShowDialog( 'Failure' );
}
}else{
if( xhr.readyState == 4 && xhr.status != 200 ){
Data.SetFailureMessage( "A server error occurred." );
Data.ShowDialog('Failure');
}
}
};
xhr.open( 'POST', 'php-bin/challenge_api.php' );
xhr.setRequestHeader( 'Content-type', 'application/x-www-form-urlencoded' );
var ans = document.forms[2].elements['answer'].value;
var datael = document.getElementById('question' + QData.ID);
if( isNaN(parseInt(QData.PBox.value)) ){
Data.SetFailureMessage('Points must be a number!');
Data.ShowDialog('Failure');
return;
}
//Even if QData.action is modified with malicious intent, it cannot do any harm.
//It is not injected into a SQL query, and even if it was, then it would still
//not do any harm, because every value injected into any query is escaped using
//mysqli::real_escape_string.
xhr.send( 'action=' + encodeURIComponent(QData.action) + '&id=' + encodeURIComponent(QData.ID) + '&a=' + encodeURIComponent(ans) + '&q=' + encodeURIComponent(QData.QBox.value) + '&cat=' + encodeURIComponent(QData.CBox.value) + '&points=' + encodeURIComponent(QData.PBox.value) );
}
function InitChallenges(){
QData.QBox = document.forms[2].elements['question'];
QData.PBox = document.forms[2].elements['points'];
QData.CBox = document.forms[2].elements['category'];
QData.ABox = document.forms[2].elements['answer'];
}
addEventListener('load', InitChallenges);