// Admin-only profile editor: persists the submitted profile fields for user $id
// and records the action in admin_log.
// NOTE(review): the statement that assigns $admin (and the definition of $id,
// $session and $database) starts before this excerpt; only the call tail is visible.
getUserArray($session, 1);

// Gate: only an account with access level 9 may continue; anything else aborts the request.
if (!$admin || (int)$admin['access'] !== 9) {
    die('

Access Denied: You are not Admin!

');
}

// ---------------------------------------------------------------------------
// Fields
// ---------------------------------------------------------------------------
// Email: anything that fails FILTER_VALIDATE_EMAIL is stored as an empty string,
// i.e. an invalid submission blanks the user's email rather than being rejected.
$email_raw = trim($_POST['email'] ?? '');
$email = filter_var($email_raw, FILTER_VALIDATE_EMAIL) ? $email_raw : '';
$email = $database->escape($email);

// Tribe is clamped to the 1..5 range after an int cast, so it is safe to interpolate unquoted.
$tribe = max(1, min(5, (int)($_POST['tribe'] ?? 1)));

// BUG-3: store location/descriptions raw. escape() keeps the interpolated UPDATE
// SQL-safe and strip_tags() drops markup; every display site (player.tpl,
// playerinfo.tpl, editUser.tpl) escapes with htmlspecialchars(), so the extra
// RemoveXSS() here only double-escaped the stored value (literal " entities).
// Each free-text field is length-capped with mb_substr() (character, not byte, count)
// before SQL escaping.
$location_raw = trim($_POST['location'] ?? '');
$location = $database->escape(mb_substr(strip_tags($location_raw), 0, 50));

// desc1/desc2: the second strip_tags() argument is the allowed-tags list
// (its literal content is not readable in this excerpt).
$desc1_raw = $_POST['desc1'] ?? '';
$desc1 = $database->escape(mb_substr(strip_tags($desc1_raw, '
'), 0, 5000));
$desc2_raw = $_POST['desc2'] ?? '';
$desc2 = $database->escape(mb_substr(strip_tags($desc2_raw, '
'), 0, 5000));

$quest_raw = trim($_POST['quest'] ?? '');
$quest = $database->escape(mb_substr(strip_tags($quest_raw), 0, 200));

// ---------------------------------------------------------------------------
// Update
// ---------------------------------------------------------------------------
// String-interpolated SQL: every quoted value above went through $database->escape(),
// $tribe is an int. $id is interpolated unquoted and is not sanitised here.
// NOTE(review): confirm $id is cast to int where it is defined (outside this excerpt);
// this WHERE clause and the Location header below both rely on that.
$database->query(
    "UPDATE " . TB_PREFIX . "users SET email = '$email', tribe = $tribe, location = '$location', desc1 = '$desc1', desc2 = '$desc2', quest = '$quest' WHERE id = $id"
);

// ---------------------------------------------------------------------------
// Log admin
// ---------------------------------------------------------------------------
$adminId = (int)$_SESSION['id'];
$time = time();

// FIX: username + formatted ID
// Falls back to "UID <id>" when the target has no username on record.
$targetName = $database->getUserField($id, 'username', 0) ?: 'UID '.$id;
// NOTE(review): htmlspecialchars() is applied at storage time here, so the log row
// holds HTML entities; that is the same store-time encoding the BUG-3 comment
// removed for profile fields. If the admin_log view escapes on output as well,
// this will double-encode — verify against the display template.
$targetNameSafe = htmlspecialchars($targetName, ENT_QUOTES, 'UTF-8');
$logText = "Edited profile for user $targetNameSafe";
$logEsc = $database->escape($logText);
$database->query(
    "INSERT INTO " . TB_PREFIX . "admin_log (`id`, `user`, `log`, `time`) " .
    "VALUES (0, '$adminId', '$logEsc', $time)"
);

// Redirect back to the player page; exit so nothing runs after the header is sent.
header("Location: ../../../Admin/admin.php?p=player&uid=" . $id);
exit;
?>