refresh("?m=user_admin");
        return;
    }

    // Allow-list check on the submitted role: only 'user' or 'admin' is accepted,
    // so a crafted POST cannot ask for any other role value.
    // NOTE(review): this validates $_POST['user_role'], while addUser() below is
    // given $user_role, which is assigned outside this fragment - confirm both
    // hold the same value, otherwise the check does not cover what is stored.
    // NOTE(review): in_array() is called without its third (strict) argument, so
    // the comparison is loose; passing true would make the allow-list exact.
    // NOTE(review): no anti-CSRF token check is visible in this fragment - confirm
    // one is verified before this point, since the request can create an admin.
    if(in_array($_POST['user_role'], array('user', 'admin')) === false){
        print_failure(get_lang('unexpected_role'));
        $view->refresh("?m=user_admin");
        return;
    }

    // Both password fields are required. empty() also rejects the string "0",
    // so that value can never be used as a password.
    // NOTE(review): no minimum length or complexity rule is visible here - confirm
    // whether one is enforced elsewhere.
    if( empty($password) || empty($password2) ) {
        print_failure(get_lang('you_need_to_enter_both_passwords'));
        $view->refresh("?m=user_admin");
        return;
    }

    // The password and its confirmation must match exactly; !== compares value
    // and type, so no type juggling is involved.
    if($password !== $password2) {
        print_failure(get_lang('passwords_did_not_match'));
        $view->refresh("?m=user_admin");
        return;
    }

    // Create the account. Any false return from addUser() is reported with the
    // "user already exists" message.
    // NOTE(review): the password is passed on as submitted; hashing is not visible
    // here - confirm addUser() stores a salted hash (for example password_hash())
    // and never the plain value.
    // NOTE(review): $username is placed into the message shown to the operator -
    // confirm get_lang_f() or print_failure()/print_success() HTML-escape it.
    if ( !$db->addUser($username,$password,$user_role) ) {
        print_failure(get_lang_f('could_not_add_user_because_user_already_exists', $username));
        $view->refresh("?m=user_admin");
        return;
    }

    // Success: show a confirmation, record the event through $db->logger(), and
    // return to the user administration page.
    // NOTE(review): the log entry names the new user but not the role granted or
    // the acting account, as far as this fragment shows - confirm logger() adds
    // them, since admin creation is an event worth auditing.
    print_success(get_lang_f('successfully_added_user', $username));
    $db->logger(get_lang_f('successfully_added_user', $username));
    $view->refresh("?m=user_admin");
// The condition of this if/else is outside the fragment; the else branch leaves
// PHP mode and continues as template output.
} else { ?>