diff --git a/admin.php b/admin.php
index 09310c1..d8b6e62 100644
--- a/admin.php
+++ b/admin.php
@@ -1,53 +1,65 @@
prepare("DELETE from members WHERE id=?")) {
- $insert_stmt->execute(array($username));
+if (login_check($pdo) == true) {
+ if ($action == 'del' && $username != '') {
+ if ($insert_stmt = $pdo->prepare('DELETE from members WHERE id=?')) {
+ $insert_stmt->execute([$username]);
// Esegui la query ottenuta.
- if($insert_stmt->rowCount() != "0") { exit("ok"); } else { exit("false"); };
- };
- };
-
- if ($action == "pass" && $username != "" && $password != "") {
-
+ if ($insert_stmt->rowCount() != '0') {
+ exit('ok');
+ } else {
+ exit('false');
+ }
+ }
+ }
+
+ if ($action == 'pass' && $username != '' && $password != '') {
+
// Crea una chiave casuale
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Crea una password usando la chiave appena creata.
$password = hash('sha512', $password.$random_salt);
// Inserisci a questo punto il codice SQL per eseguire la INSERT nel tuo database
// Assicurati di usare statement SQL 'prepared'.
- if ($insert_stmt = $pdo->prepare("UPDATE members set password=?, salt=? WHERE id=?")) {
- $insert_stmt->execute(array($password, $random_salt, $username));
+ if ($insert_stmt = $pdo->prepare('UPDATE members set password=?, salt=? WHERE id=?')) {
+ $insert_stmt->execute([$password, $random_salt, $username]);
// Esegui la query ottenuta.
- if($insert_stmt->rowCount() != "0") { exit("ok"); } else { exit("false"); };
- };
- };
-
- if ($action == "type" && $username != "" && $type != "") {
- // Inserisci a questo punto il codice SQL per eseguire la INSERT nel tuo database
+ if ($insert_stmt->rowCount() != '0') {
+ exit('ok');
+ } else {
+ exit('false');
+ }
+ }
+ }
+
+ if ($action == 'type' && $username != '' && $type != '') {
+ // Inserisci a questo punto il codice SQL per eseguire la INSERT nel tuo database
// Assicurati di usare statement SQL 'prepared'.
- if ($insert_stmt = $pdo->prepare("UPDATE members set usertype=? WHERE id=?")) {
- $insert_stmt->execute(array($type, $username));
+ if ($insert_stmt = $pdo->prepare('UPDATE members set usertype=? WHERE id=?')) {
+ $insert_stmt->execute([$type, $username]);
// Esegui la query ottenuta.
- if($insert_stmt->rowCount() != "0") { exit("ok"); } else { exit("false"); };
- };
- };
+ if ($insert_stmt->rowCount() != '0') {
+ exit('ok');
+ } else {
+ exit('false');
+ }
+ }
+ }
header('Location: https://controllo.autocontrollo.ch/');
-} else exit("false");
+} else {
+ exit('false');
+}
?>
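Review bot: The `pass` branch still stores the credential as `hash('sha512', $password.$random_salt)` with a salt drawn from `uniqid(mt_rand(...))`, i.e. a fast digest seeded from a non-cryptographic generator, and the reformat leaves that scheme untouched. The fix is `$password = password_hash($password, PASSWORD_DEFAULT);` here with `password_verify()` on the login side, but since `login()` in functions.php recomputes the SHA-512 form, both have to change in one commit. Nothing in the hunk checks the session's `usertype` before acting on whatever member id arrives in `$username`; whether the script's prologue restricts this page to admins cannot be confirmed from here, because the `<?php` preamble that reads `$action`, `$username`, `$password` and `$type` lies before the hunk.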
diff --git a/emailtext.php b/emailtext.php
index 9b42d29..9e16f3c 100644
--- a/emailtext.php
+++ b/emailtext.php
@@ -1,5 +1,6 @@
$name ($username) just signed up to autocontrollo.ch using your structure's id.
Please navigate to controllo.autocontrollo.ch and activate the user.
If you don't know this $username, you should delete him/her from the user list.
Bye!
";
-
-?>
diff --git a/functions.php b/functions.php
index f377d7e..d62331c 100644
--- a/functions.php
+++ b/functions.php
@@ -1,103 +1,112 @@
prepare("SELECT id, password, salt, usertype, sid FROM members WHERE username = ?")) {
- $stmt->execute(array($username));
- $row = $stmt->fetch(PDO::FETCH_ASSOC);
- $user_id = $row['id'];
- $usertype = $row['usertype'];
- $sid = $row['sid'];
- $db_password = $row['password'];
- $salt = $row['salt'];
- $count = $stmt->rowCount();
- $password = hash('sha512', $password.$salt); // codifica la password usando una chiave univoca.
- if($count == 1) {
- if(checkbrute($user_id, $pdo) == true) {
- return false;
- } else {
- if($db_password == $password) {
- $user_browser = $_SERVER['HTTP_USER_AGENT']; // Recupero il parametro 'user-agent' relativo all'utente corrente.
- $user_id = preg_replace("/[^0-9]+/", "", $user_id); // ci proteggiamo da un attacco XSS
- $_SESSION['user_id'] = $user_id;
- $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // ci proteggiamo da un attacco XSS
+function login($username, $password, $pdo)
+{
+ if ($stmt = $pdo->prepare('SELECT id, password, salt, usertype, sid FROM members WHERE username = ?')) {
+ $stmt->execute([$username]);
+ $row = $stmt->fetch(PDO::FETCH_ASSOC);
+ $user_id = $row['id'];
+ $usertype = $row['usertype'];
+ $sid = $row['sid'];
+ $db_password = $row['password'];
+ $salt = $row['salt'];
+ $count = $stmt->rowCount();
+ $password = hash('sha512', $password.$salt); // codifica la password usando una chiave univoca.
+ if ($count == 1) {
+ if (checkbrute($user_id, $pdo) == true) {
+ return false;
+ } else {
+ if ($db_password == $password) {
+ $user_browser = $_SERVER['HTTP_USER_AGENT']; // Recupero il parametro 'user-agent' relativo all'utente corrente.
+ $user_id = preg_replace('/[^0-9]+/', '', $user_id); // ci proteggiamo da un attacco XSS
+ $_SESSION['user_id'] = $user_id;
+ $username = preg_replace("/[^a-zA-Z0-9_\-]+/", '', $username); // ci proteggiamo da un attacco XSS
$_SESSION['username'] = $username;
- $_SESSION['usertype'] = $usertype;
- $_SESSION['sid'] = $sid;
- $_SESSION['login_string'] = hash('sha512', $password.$user_browser);
+ $_SESSION['usertype'] = $usertype;
+ $_SESSION['sid'] = $sid;
+ $_SESSION['login_string'] = hash('sha512', $password.$user_browser);
// Login eseguito con successo.
- return true;
- } else {
- // Password incorretta.
+ return true;
+ } else {
+ // Password incorretta.
// Registriamo il tentativo fallito nel database.
$now = time();
- $pdo->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')");
- return false;
- }
- }
+ $pdo->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')");
+
+ return false;
+ }
+ }
} else {
- // L'utente inserito non esiste.
+ // L'utente inserito non esiste.
return false;
}
- }
+ }
}
-function checkbrute($user_id, $pdo) {
- // Recupero il timestamp
+function checkbrute($user_id, $pdo)
+{
+ // Recupero il timestamp
$now = time();
- $valid_attempts = $now - (2 * 60 * 60);
- if ($stmt = $pdo->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > ?")) {
- $stmt->execute(array($user_id, $valid_attempts));
- if($stmt->rowCount() > 20) {
- return true;
- } else {
- return false;
- }
- }
-}
-
-function login_check($pdo) {
- // Verifica che tutte le variabili di sessione siano impostate correttamente
- if(isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
- $user_id = $_SESSION['user_id'];
- $login_string = $_SESSION['login_string'];
- $username = $_SESSION['username'];
- $user_browser = $_SERVER['HTTP_USER_AGENT']; // reperisce la stringa 'user-agent' dell'utente.
- if ($stmt = $pdo->prepare("SELECT password FROM members WHERE id = ? LIMIT 1")) {
- $stmt->execute(array($user_id)); // esegue il bind del parametro '$user_id'.
- $row = $stmt->fetch(PDO::FETCH_ASSOC);
- $count = $stmt->rowCount();
- if($count == 1) {
- $password = $row['password'];
- $login_check = hash('sha512', $password.$user_browser);
- if($login_check == $login_string) {
- // Login eseguito!!!!
- return true;
- } else {
- error_log("Wrong login string for $username");
- return false;
- }
+ $valid_attempts = $now - (2 * 60 * 60);
+ if ($stmt = $pdo->prepare('SELECT time FROM login_attempts WHERE user_id = ? AND time > ?')) {
+ $stmt->execute([$user_id, $valid_attempts]);
+ if ($stmt->rowCount() > 20) {
+ return true;
} else {
- error_log("Couldnt find $username");
return false;
}
+ }
+}
+
+function login_check($pdo)
+{
+ // Verifica che tutte le variabili di sessione siano impostate correttamente
+ if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
+ $user_id = $_SESSION['user_id'];
+ $login_string = $_SESSION['login_string'];
+ $username = $_SESSION['username'];
+ $user_browser = $_SERVER['HTTP_USER_AGENT']; // reperisce la stringa 'user-agent' dell'utente.
+ if ($stmt = $pdo->prepare('SELECT password FROM members WHERE id = ? LIMIT 1')) {
+ $stmt->execute([$user_id]); // esegue il bind del parametro '$user_id'.
+ $row = $stmt->fetch(PDO::FETCH_ASSOC);
+ $count = $stmt->rowCount();
+ if ($count == 1) {
+ $password = $row['password'];
+ $login_check = hash('sha512', $password.$user_browser);
+ if ($login_check == $login_string) {
+ // Login eseguito!!!!
+ return true;
+ } else {
+ error_log("Wrong login string for $username");
+
+ return false;
+ }
+ } else {
+ error_log("Couldnt find $username");
+
+ return false;
+ }
} else {
- error_log("Couldnt select pass $username");
- return false;
+ error_log("Couldnt select pass $username");
+
+ return false;
}
} else {
- error_log("Vars not set 4 $username");
- return false;
+ error_log("Vars not set 4 $username");
+
+ return false;
}
}
-?>
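Review bot: Both digest comparisons on the new side, `if ($db_password == $password)` in `login()` and `if ($login_check == $login_string)` in `login_check()`, use loose `==` on hex strings, so two digests that both parse as numeric strings (the `0e…` form) compare equal; use `hash_equals($db_password, $password)` and `hash_equals($login_check, $login_string)`, which also gives constant-time comparison. The failed-attempt insert `$pdo->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')")` is now the only interpolated statement in the file; `$pdo->prepare('INSERT INTO login_attempts (user_id, time) VALUES (?, ?)')->execute([$user_id, $now]);` keeps it consistent with the rest. In `login()` the `$row['id']` … `$row['salt']` reads happen before `$count == 1` is tested, so an unknown username makes `fetch()` return `false` and emits warnings; move those reads under the count check. In `login_check()` the final `else` logs `"Vars not set 4 $username"`, but `$username` is only assigned inside the `isset` branch, so that message always references an undefined variable. The file's `<?php` prologue, where the original `login()` signature sits, starts before the hunk.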
diff --git a/index.php b/index.php
index 547edfc..e268470 100644
--- a/index.php
+++ b/index.php
@@ -1,6 +1,6 @@
diff --git a/iscrizioni.php b/iscrizioni.php
index d8fd4c9..1ce008c 100644
--- a/iscrizioni.php
+++ b/iscrizioni.php
@@ -1,6 +1,6 @@
'6LfVZRITAAAAALN5A_Uq7E-cIraDyOtOazYJd9av',
- 'response' => "$response"
-);
+$fields = [
+ 'secret' => '6LfVZRITAAAAALN5A_Uq7E-cIraDyOtOazYJd9av',
+ 'response' => "$response",
+];
$ch = curl_init();
-curl_setopt($ch, CURLOPT_URL,"https://www.google.com/recaptcha/api/siteverify");
+curl_setopt($ch, CURLOPT_URL, 'https://www.google.com/recaptcha/api/siteverify');
curl_setopt($ch, CURLOPT_POST, 1);
-curl_setopt($ch, CURLOPT_POSTFIELDS,$fields);
+curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-$gresponse = curl_exec ($ch);
+$gresponse = curl_exec($ch);
-curl_close ($ch);
+curl_close($ch);
$obj = json_decode($gresponse);
$result = $obj->{'success'};
// Check for empty fields
-if($result != "true" || empty($_POST['name']) || empty($_POST['response']) || empty($_POST['sid']) || empty($_POST['email']) || empty($_POST['username'])|| !filter_var($_POST['email'],FILTER_VALIDATE_EMAIL) || empty($_POST['password'])){
- exit("false");
-};
+if ($result != 'true' || empty($_POST['name']) || empty($_POST['response']) || empty($_POST['sid']) || empty($_POST['email']) || empty($_POST['username']) || !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) || empty($_POST['password'])) {
+ exit('false');
+}
-$check_stmt = $pdotwo->prepare("SELECT Email, username FROM Strutture WHERE IdStruttura = ?;");
-$check_stmt->execute(array($sid));
+$check_stmt = $pdotwo->prepare('SELECT Email, username FROM Strutture WHERE IdStruttura = ?;');
+$check_stmt->execute([$sid]);
$count = $check_stmt->rowCount();
$adminemail = $check_stmt->fetchColumn();
$adminusername = $check_stmt->fetchColumn(1);
-$checktwo_stmt = $pdo->prepare("SELECT * FROM members WHERE username = ?;");
-$checktwo_stmt->execute(array($username));
+$checktwo_stmt = $pdo->prepare('SELECT * FROM members WHERE username = ?;');
+$checktwo_stmt->execute([$username]);
$counttwo = $checktwo_stmt->rowCount();
-if($count == "1" && $counttwo == "0") {
- // Crea una chiave casuale
+if ($count == '1' && $counttwo == '0') {
+ // Crea una chiave casuale
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Crea una password usando la chiave appena creata.
$password = hash('sha512', $password.$random_salt);
- $email_sha512 = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
- $insert_stmt = $pdo->prepare("INSERT INTO members (name, sid, email, username, password, salt, email_sha512, usertype, verifyemail) VALUES (?, ?, ?, ?, ?, ?, ?, '0', '0');");
- $insert_stmt->execute(array($name, $sid, $email, $username, $password, $random_salt, $email_sha512));
- $count = $insert_stmt->rowCount();
- if($count == "1") {
- include 'emailtext.php';
- sendmail($email, $usversubject, $usverbody, $usverhtmlbody, "");
- sendmail($adminemail, $adversubject, $adverbody, $adverhtmlbody, "");
+ $email_sha512 = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
+ $insert_stmt = $pdo->prepare("INSERT INTO members (name, sid, email, username, password, salt, email_sha512, usertype, verifyemail) VALUES (?, ?, ?, ?, ?, ?, ?, '0', '0');");
+ $insert_stmt->execute([$name, $sid, $email, $username, $password, $random_salt, $email_sha512]);
+ $count = $insert_stmt->rowCount();
+ if ($count == '1') {
+ include 'emailtext.php';
+ sendmail($email, $usversubject, $usverbody, $usverhtmlbody, '');
+ sendmail($adminemail, $adversubject, $adverbody, $adverhtmlbody, '');
- exit("ok");
- } else exit("false");
+ exit('ok');
+ } else {
+ exit('false');
+ }
} else {
- exit("false");
+ exit('false');
}
-
-?>
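Review bot: The reCAPTCHA `secret` value in the `$fields` array is a live credential committed to source, and the reformat keeps it there; load it from configuration outside the repository (for example `'secret' => getenv('<RECAPTCHA_SECRET_ENV_VAR>')`, name to be chosen) and treat the committed value as exposed. The email-verification token `$email_sha512 = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));` is derived from a non-cryptographic generator and is therefore guessable; `$email_sha512 = bin2hex(random_bytes(32));` yields an unpredictable token, and the same `uniqid(mt_rand(...))` pattern produces `$random_salt` here and in admin.php. The guard `$result != 'true'` only works because a boolean `true` is loosely equal to a non-empty string; `if ($result !== true || …)` states the intent, and a `false` return from `curl_exec($ch)` should be checked before `json_decode($gresponse)`, which otherwise yields `null` and a warning on `$obj->{'success'}`. The script's preamble, where `$response`, `$sid`, `$username`, `$email` and `$password` are assigned, lies before the hunk.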
diff --git a/logout.php b/logout.php
index ea7d1c8..492a4a9 100644
--- a/logout.php
+++ b/logout.php
@@ -1,19 +1,18 @@
query("UPDATE `members` SET `loggedin` = '0' where `members`.`username` = '$username'");
-$_SESSION = array();
+$_SESSION = [];
// Recupera i parametri di sessione.
$params = session_get_cookie_params();
// Cancella i cookie attuali.
-setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
+setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
// Cancella la sessione.
session_destroy();
header('Location: https://autocontrollo.ch');
-
-?>
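Review bot: The `UPDATE members SET loggedin = '0' …` query on the hunk's first context line interpolates `$username` directly into SQL, while every statement touched elsewhere in this commit is parameterised; `$pdo->prepare('UPDATE `members` SET `loggedin` = ? WHERE `members`.`username` = ?')->execute(['0', $username]);` closes that gap (the receiver is cut off at the hunk edge, presumably `$pdo`). Whether `$username` comes from `$_SESSION` or from the request is decided in the prologue before the hunk, so its trust level cannot be confirmed from here; if it is session-derived the exposure is low, but the inconsistency still deserves the prepared form.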
diff --git a/pages.php b/pages.php
index 754e5b4..bd8a6d4 100644
--- a/pages.php
+++ b/pages.php
@@ -7,4 +7,3 @@ include 'pages/baseindex.php';
include 'pages/basesignup.php';
include 'pages/baseusers.php';
include 'pages/baseadmin.php';
-?>
diff --git a/pages/base.php b/pages/base.php
index d8a0a86..2ce3b88 100644
--- a/pages/base.php
+++ b/pages/base.php
@@ -1,4 +1,5 @@
@@ -104,4 +105,3 @@ $footer = '