From 6927b7f51ac880503db15e783869fc46449c745c Mon Sep 17 00:00:00 2001 From: Daniil Gentili Date: Thu, 7 Jul 2016 18:39:33 -0400 Subject: [PATCH] Applied fixes from StyleCI --- admin.php | 72 +++++++++++-------- emailtext.php | 5 +- functions.php | 161 +++++++++++++++++++++++-------------------- index.php | 62 +++++++++-------- iscrizioni.php | 62 ++++++++--------- logout.php | 11 ++- pages.php | 1 - pages/base.php | 2 +- pages/baseadmin.php | 77 +++++++++++---------- pages/baseindex.php | 20 +++--- pages/baselogin.php | 16 ++--- pages/basenav.php | 29 ++++---- pages/basesignup.php | 17 +++-- pages/baseusers.php | 111 ++++++++++++++--------------- pages/old.php | 7 +- process_login.php | 26 +++---- verify.php | 35 ++++++---- 17 files changed, 373 insertions(+), 341 deletions(-) diff --git a/admin.php b/admin.php index 09310c1..d8b6e62 100644 --- a/admin.php +++ b/admin.php @@ -1,53 +1,65 @@ prepare("DELETE from members WHERE id=?")) { - $insert_stmt->execute(array($username)); +if (login_check($pdo) == true) { + if ($action == 'del' && $username != '') { + if ($insert_stmt = $pdo->prepare('DELETE from members WHERE id=?')) { + $insert_stmt->execute([$username]); // Esegui la query ottenuta. - if($insert_stmt->rowCount() != "0") { exit("ok"); } else { exit("false"); }; - }; - }; - - if ($action == "pass" && $username != "" && $password != "") { - + if ($insert_stmt->rowCount() != '0') { + exit('ok'); + } else { + exit('false'); + } + } + } + + if ($action == 'pass' && $username != '' && $password != '') { + // Crea una chiave casuale $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); // Crea una password usando la chiave appena creata. $password = hash('sha512', $password.$random_salt); // Inserisci a questo punto il codice SQL per eseguire la INSERT nel tuo database // Assicurati di usare statement SQL 'prepared'. - if ($insert_stmt = $pdo->prepare("UPDATE members set password=?, salt=? WHERE id=?")) { - $insert_stmt->execute(array($password, $random_salt, $username)); + if ($insert_stmt = $pdo->prepare('UPDATE members set password=?, salt=? WHERE id=?')) { + $insert_stmt->execute([$password, $random_salt, $username]); // Esegui la query ottenuta. - if($insert_stmt->rowCount() != "0") { exit("ok"); } else { exit("false"); }; - }; - }; - - if ($action == "type" && $username != "" && $type != "") { - // Inserisci a questo punto il codice SQL per eseguire la INSERT nel tuo database + if ($insert_stmt->rowCount() != '0') { + exit('ok'); + } else { + exit('false'); + } + } + } + + if ($action == 'type' && $username != '' && $type != '') { + // Inserisci a questo punto il codice SQL per eseguire la INSERT nel tuo database // Assicurati di usare statement SQL 'prepared'. - if ($insert_stmt = $pdo->prepare("UPDATE members set usertype=? WHERE id=?")) { - $insert_stmt->execute(array($type, $username)); + if ($insert_stmt = $pdo->prepare('UPDATE members set usertype=? WHERE id=?')) { + $insert_stmt->execute([$type, $username]); // Esegui la query ottenuta. - if($insert_stmt->rowCount() != "0") { exit("ok"); } else { exit("false"); }; - }; - }; + if ($insert_stmt->rowCount() != '0') { + exit('ok'); + } else { + exit('false'); + } + } + } header('Location: https://controllo.autocontrollo.ch/'); -} else exit("false"); +} else { + exit('false'); +} ?> diff --git a/emailtext.php b/emailtext.php index 9b42d29..9e16f3c 100644 --- a/emailtext.php +++ b/emailtext.php @@ -1,5 +1,6 @@ $name ($username) just signed up to autocontrollo.ch using your structure's id.
Please navigate to controllo.autocontrollo.ch and activate the user.
If you don't know this $username, you should delete him/her from the user list.
Bye! "; - -?> diff --git a/functions.php b/functions.php index f377d7e..d62331c 100644 --- a/functions.php +++ b/functions.php @@ -1,103 +1,112 @@ prepare("SELECT id, password, salt, usertype, sid FROM members WHERE username = ?")) { - $stmt->execute(array($username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - $user_id = $row['id']; - $usertype = $row['usertype']; - $sid = $row['sid']; - $db_password = $row['password']; - $salt = $row['salt']; - $count = $stmt->rowCount(); - $password = hash('sha512', $password.$salt); // codifica la password usando una chiave univoca. - if($count == 1) { - if(checkbrute($user_id, $pdo) == true) { - return false; - } else { - if($db_password == $password) { - $user_browser = $_SERVER['HTTP_USER_AGENT']; // Recupero il parametro 'user-agent' relativo all'utente corrente. - $user_id = preg_replace("/[^0-9]+/", "", $user_id); // ci proteggiamo da un attacco XSS - $_SESSION['user_id'] = $user_id; - $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // ci proteggiamo da un attacco XSS +function login($username, $password, $pdo) +{ + if ($stmt = $pdo->prepare('SELECT id, password, salt, usertype, sid FROM members WHERE username = ?')) { + $stmt->execute([$username]); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + $user_id = $row['id']; + $usertype = $row['usertype']; + $sid = $row['sid']; + $db_password = $row['password']; + $salt = $row['salt']; + $count = $stmt->rowCount(); + $password = hash('sha512', $password.$salt); // codifica la password usando una chiave univoca. + if ($count == 1) { + if (checkbrute($user_id, $pdo) == true) { + return false; + } else { + if ($db_password == $password) { + $user_browser = $_SERVER['HTTP_USER_AGENT']; // Recupero il parametro 'user-agent' relativo all'utente corrente. + $user_id = preg_replace('/[^0-9]+/', '', $user_id); // ci proteggiamo da un attacco XSS + $_SESSION['user_id'] = $user_id; + $username = preg_replace("/[^a-zA-Z0-9_\-]+/", '', $username); // ci proteggiamo da un attacco XSS $_SESSION['username'] = $username; - $_SESSION['usertype'] = $usertype; - $_SESSION['sid'] = $sid; - $_SESSION['login_string'] = hash('sha512', $password.$user_browser); + $_SESSION['usertype'] = $usertype; + $_SESSION['sid'] = $sid; + $_SESSION['login_string'] = hash('sha512', $password.$user_browser); // Login eseguito con successo. - return true; - } else { - // Password incorretta. + return true; + } else { + // Password incorretta. // Registriamo il tentativo fallito nel database. $now = time(); - $pdo->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')"); - return false; - } - } + $pdo->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')"); + + return false; + } + } } else { - // L'utente inserito non esiste. + // L'utente inserito non esiste. return false; } - } + } } -function checkbrute($user_id, $pdo) { - // Recupero il timestamp +function checkbrute($user_id, $pdo) +{ + // Recupero il timestamp $now = time(); - $valid_attempts = $now - (2 * 60 * 60); - if ($stmt = $pdo->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > ?")) { - $stmt->execute(array($user_id, $valid_attempts)); - if($stmt->rowCount() > 20) { - return true; - } else { - return false; - } - } -} - -function login_check($pdo) { - // Verifica che tutte le variabili di sessione siano impostate correttamente - if(isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) { - $user_id = $_SESSION['user_id']; - $login_string = $_SESSION['login_string']; - $username = $_SESSION['username']; - $user_browser = $_SERVER['HTTP_USER_AGENT']; // reperisce la stringa 'user-agent' dell'utente. - if ($stmt = $pdo->prepare("SELECT password FROM members WHERE id = ? LIMIT 1")) { - $stmt->execute(array($user_id)); // esegue il bind del parametro '$user_id'. - $row = $stmt->fetch(PDO::FETCH_ASSOC); - $count = $stmt->rowCount(); - if($count == 1) { - $password = $row['password']; - $login_check = hash('sha512', $password.$user_browser); - if($login_check == $login_string) { - // Login eseguito!!!! - return true; - } else { - error_log("Wrong login string for $username"); - return false; - } + $valid_attempts = $now - (2 * 60 * 60); + if ($stmt = $pdo->prepare('SELECT time FROM login_attempts WHERE user_id = ? AND time > ?')) { + $stmt->execute([$user_id, $valid_attempts]); + if ($stmt->rowCount() > 20) { + return true; } else { - error_log("Couldnt find $username"); return false; } + } +} + +function login_check($pdo) +{ + // Verifica che tutte le variabili di sessione siano impostate correttamente + if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) { + $user_id = $_SESSION['user_id']; + $login_string = $_SESSION['login_string']; + $username = $_SESSION['username']; + $user_browser = $_SERVER['HTTP_USER_AGENT']; // reperisce la stringa 'user-agent' dell'utente. + if ($stmt = $pdo->prepare('SELECT password FROM members WHERE id = ? LIMIT 1')) { + $stmt->execute([$user_id]); // esegue il bind del parametro '$user_id'. + $row = $stmt->fetch(PDO::FETCH_ASSOC); + $count = $stmt->rowCount(); + if ($count == 1) { + $password = $row['password']; + $login_check = hash('sha512', $password.$user_browser); + if ($login_check == $login_string) { + // Login eseguito!!!! + return true; + } else { + error_log("Wrong login string for $username"); + + return false; + } + } else { + error_log("Couldnt find $username"); + + return false; + } } else { - error_log("Couldnt select pass $username"); - return false; + error_log("Couldnt select pass $username"); + + return false; } } else { - error_log("Vars not set 4 $username"); - return false; + error_log("Vars not set 4 $username"); + + return false; } } -?> diff --git a/index.php b/index.php index 547edfc..e268470 100644 --- a/index.php +++ b/index.php @@ -1,6 +1,6 @@ diff --git a/iscrizioni.php b/iscrizioni.php index d8fd4c9..1ce008c 100644 --- a/iscrizioni.php +++ b/iscrizioni.php @@ -1,6 +1,6 @@ '6LfVZRITAAAAALN5A_Uq7E-cIraDyOtOazYJd9av', - 'response' => "$response" -); +$fields = [ + 'secret' => '6LfVZRITAAAAALN5A_Uq7E-cIraDyOtOazYJd9av', + 'response' => "$response", +]; $ch = curl_init(); -curl_setopt($ch, CURLOPT_URL,"https://www.google.com/recaptcha/api/siteverify"); +curl_setopt($ch, CURLOPT_URL, 'https://www.google.com/recaptcha/api/siteverify'); curl_setopt($ch, CURLOPT_POST, 1); -curl_setopt($ch, CURLOPT_POSTFIELDS,$fields); +curl_setopt($ch, CURLOPT_POSTFIELDS, $fields); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); -$gresponse = curl_exec ($ch); +$gresponse = curl_exec($ch); -curl_close ($ch); +curl_close($ch); $obj = json_decode($gresponse); $result = $obj->{'success'}; // Check for empty fields -if($result != "true" || empty($_POST['name']) || empty($_POST['response']) || empty($_POST['sid']) || empty($_POST['email']) || empty($_POST['username'])|| !filter_var($_POST['email'],FILTER_VALIDATE_EMAIL) || empty($_POST['password'])){ - exit("false"); -}; +if ($result != 'true' || empty($_POST['name']) || empty($_POST['response']) || empty($_POST['sid']) || empty($_POST['email']) || empty($_POST['username']) || !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) || empty($_POST['password'])) { + exit('false'); +} -$check_stmt = $pdotwo->prepare("SELECT Email, username FROM Strutture WHERE IdStruttura = ?;"); -$check_stmt->execute(array($sid)); +$check_stmt = $pdotwo->prepare('SELECT Email, username FROM Strutture WHERE IdStruttura = ?;'); +$check_stmt->execute([$sid]); $count = $check_stmt->rowCount(); $adminemail = $check_stmt->fetchColumn(); $adminusername = $check_stmt->fetchColumn(1); -$checktwo_stmt = $pdo->prepare("SELECT * FROM members WHERE username = ?;"); -$checktwo_stmt->execute(array($username)); +$checktwo_stmt = $pdo->prepare('SELECT * FROM members WHERE username = ?;'); +$checktwo_stmt->execute([$username]); $counttwo = $checktwo_stmt->rowCount(); -if($count == "1" && $counttwo == "0") { - // Crea una chiave casuale +if ($count == '1' && $counttwo == '0') { + // Crea una chiave casuale $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); // Crea una password usando la chiave appena creata. $password = hash('sha512', $password.$random_salt); - $email_sha512 = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); - $insert_stmt = $pdo->prepare("INSERT INTO members (name, sid, email, username, password, salt, email_sha512, usertype, verifyemail) VALUES (?, ?, ?, ?, ?, ?, ?, '0', '0');"); - $insert_stmt->execute(array($name, $sid, $email, $username, $password, $random_salt, $email_sha512)); - $count = $insert_stmt->rowCount(); - if($count == "1") { - include 'emailtext.php'; - sendmail($email, $usversubject, $usverbody, $usverhtmlbody, ""); - sendmail($adminemail, $adversubject, $adverbody, $adverhtmlbody, ""); + $email_sha512 = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); + $insert_stmt = $pdo->prepare("INSERT INTO members (name, sid, email, username, password, salt, email_sha512, usertype, verifyemail) VALUES (?, ?, ?, ?, ?, ?, ?, '0', '0');"); + $insert_stmt->execute([$name, $sid, $email, $username, $password, $random_salt, $email_sha512]); + $count = $insert_stmt->rowCount(); + if ($count == '1') { + include 'emailtext.php'; + sendmail($email, $usversubject, $usverbody, $usverhtmlbody, ''); + sendmail($adminemail, $adversubject, $adverbody, $adverhtmlbody, ''); - exit("ok"); - } else exit("false"); + exit('ok'); + } else { + exit('false'); + } } else { - exit("false"); + exit('false'); } - -?> diff --git a/logout.php b/logout.php index ea7d1c8..492a4a9 100644 --- a/logout.php +++ b/logout.php @@ -1,19 +1,18 @@ query("UPDATE `members` SET `loggedin` = '0' where `members`.`username` = '$username'"); -$_SESSION = array(); +$_SESSION = []; // Recupera i parametri di sessione. $params = session_get_cookie_params(); // Cancella i cookie attuali. -setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]); +setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']); // Cancella la sessione. session_destroy(); header('Location: https://autocontrollo.ch'); - -?> diff --git a/pages.php b/pages.php index 754e5b4..bd8a6d4 100644 --- a/pages.php +++ b/pages.php @@ -7,4 +7,3 @@ include 'pages/baseindex.php'; include 'pages/basesignup.php'; include 'pages/baseusers.php'; include 'pages/baseadmin.php'; -?> diff --git a/pages/base.php b/pages/base.php index d8a0a86..2ce3b88 100644 --- a/pages/base.php +++ b/pages/base.php @@ -1,4 +1,5 @@ @@ -104,4 +105,3 @@ $footer = ' '; -?> diff --git a/pages/baseadmin.php b/pages/baseadmin.php index eea07cb..26bf875 100644 --- a/pages/baseadmin.php +++ b/pages/baseadmin.php @@ -1,40 +1,47 @@ query("SELECT * FROM members"); - $rows = $user_stmt->fetchAll(PDO::FETCH_BOTH); - $types = [ - ["Non enabled user", "0"], - ["Superadmin", "1"], - ["Admin", "2"], - ["Common user", "3"], + +function declareusermgmt() +{ + global $pdo; + $user_stmt = $pdo->query('SELECT * FROM members'); + $rows = $user_stmt->fetchAll(PDO::FETCH_BOTH); + $types = [ + ['Non enabled user', '0'], + ['Superadmin', '1'], + ['Admin', '2'], + ['Common user', '3'], ]; - while ($row = array_shift($rows)) { - if($_SESSION["usertype"] == 1 || (($row["usertype"] > $_SESSION["usertype"] || $row["usertype"] == "0") && $row["sid"] == $_SESSION["sid"])){ + while ($row = array_shift($rows)) { + if ($_SESSION['usertype'] == 1 || (($row['usertype'] > $_SESSION['usertype'] || $row['usertype'] == '0') && $row['sid'] == $_SESSION['sid'])) { + if ($row['verifyemail'] == 1) { + $vemail = 'yes'; + } else { + $vemail = 'no'; + } - if($row['verifyemail'] == 1) { $vemail = "yes"; } else { $vemail = "no"; }; - - foreach($types as list($text, $ut)){ - if($_SESSION["usertype"] == 1 || ($ut > $_SESSION["usertype"] || $ut == "0")){ - - if($ut == $row["usertype"]) { $sel = "selected"; } else { $sel = ""; }; - $options = "$options + foreach ($types as list($text, $ut)) { + if ($_SESSION['usertype'] == 1 || ($ut > $_SESSION['usertype'] || $ut == '0')) { + if ($ut == $row['usertype']) { + $sel = 'selected'; + } else { + $sel = ''; + } + $options = "$options "; - }; - - }; - $tr = " + } + } + $tr = " $tr - ".$row['id']." - ".$row['username']." - ".$row['name']." - ".$row['sid']." - ".$row['email']." - ".$vemail." + ".$row['id'].' + '.$row['username'].' + '.$row['name'].' + '.$row['sid'].' + '.$row['email'].' + '.$vemail.' - ".$options." @@ -42,10 +49,10 @@ $tr "; - $options = ""; - }; - }; - echo " + $options = ''; + } + } + echo "
@@ -79,6 +86,4 @@ $tr
"; - -}; -?> +} diff --git a/pages/baseindex.php b/pages/baseindex.php index ec0a731..c5c8f94 100644 --- a/pages/baseindex.php +++ b/pages/baseindex.php @@ -1,13 +1,14 @@ $menu
"; - }; +function declareindex($array) +{ + $username = $_SESSION['username']; - $content = ' + foreach ($array as $menu) { + $list = "$list$menu
"; + } + + $content = '
@@ -26,6 +27,5 @@ function declareindex($array) {
'; - echo $content; -}; -?> + echo $content; +} diff --git a/pages/baselogin.php b/pages/baselogin.php index 377c39b..db0bfe7 100644 --- a/pages/baselogin.php +++ b/pages/baselogin.php @@ -1,12 +1,13 @@ AN ERROR OCCURRED: PLEASE CHECK YOUR LOGIN CREDENTIALS AND TRY AGAIN. '; - }; - $content = ' + } + $content = '
@@ -44,6 +45,5 @@ function declarelogin() {
'; - echo $content; -}; -?> + echo $content; +} diff --git a/pages/basenav.php b/pages/basenav.php index ebe9914..0435759 100644 --- a/pages/basenav.php +++ b/pages/basenav.php @@ -1,7 +1,8 @@
Dido System
@@ -40,23 +41,24 @@ function declarenavbase() { '; - echo $nav; + echo $nav; } -function declarenav($array) { - $username = $_SESSION['username']; +function declarenav($array) +{ + $username = $_SESSION['username']; - foreach ($array as list($name, $page)) { - if($page != "none") { - $navbar = " + foreach ($array as list($name, $page)) { + if ($page != 'none') { + $navbar = " $navbar
  • $name
  • "; - }; - }; + } + } - $nav = ' + $nav = '
    Dido System
    999 Campo Marzio | BELLINZONA, TI 6500, SWITZERLAND | Tél: +41 (0)78 848-92-94 | Fax: (887) 123-4567
    @@ -98,6 +100,5 @@ $navbar '; - echo $nav; + echo $nav; } -?> diff --git a/pages/basesignup.php b/pages/basesignup.php index fb216fa..ce84a07 100644 --- a/pages/basesignup.php +++ b/pages/basesignup.php @@ -1,13 +1,13 @@ AN ERROR OCCURRED: PLEASE CHECK YOUR LOGIN CREDENTIALS AND TRY AGAIN. '; - }; - $content = ' + } + $content = '
    @@ -106,6 +106,5 @@ function declaresignup() {
    '; - echo $content; -}; -?> + echo $content; +} diff --git a/pages/baseusers.php b/pages/baseusers.php index 8ea43b4..f455dc5 100644 --- a/pages/baseusers.php +++ b/pages/baseusers.php @@ -1,41 +1,45 @@ "; - foreach ($pages as list($name, $page)) { - if($page != "none") { - $text = "$text$name
    "; - }; - }; - }; - if($error == "y") { $errortxt = "You have requested an invalid page. Please contact your structure admin.

    "; }; +function declarenone() +{ + global $pdo; + global $error; + global $pages; - $u = 0; + if ($_SESSION['usertype'] == '0') { + $text = 'When your structure admin enables you, you will be able to do lots of intresting things on this website!'; + } else { + $text = 'ACTIONS:
    '; + foreach ($pages as list($name, $page)) { + if ($page != 'none') { + $text = "$text$name
    "; + } + } + } + if ($error == 'y') { + $errortxt = 'You have requested an invalid page. Please contact your structure admin.

    '; + } + + $u = 0; // Prepare pdo - $online = $pdo->prepare("SELECT loggedin FROM members WHERE sid = ?;"); - - // Exec - $online->execute(array($_SESSION['sid'])); - $rows = $online->fetchAll(PDO::FETCH_BOTH); + $online = $pdo->prepare('SELECT loggedin FROM members WHERE sid = ?;'); - while ($row = array_shift($rows)) { - $u = $u + $row["loggedin"]; - }; - if($u == "1"){ - $u = "Currently there's 1 user online."; - } elseif($u == ""){ - $u = "Currently there are 0 users online."; - } else { - $u = "Currently there are $u users online."; - }; - echo ' + // Exec + $online->execute([$_SESSION['sid']]); + $rows = $online->fetchAll(PDO::FETCH_BOTH); + + while ($row = array_shift($rows)) { + $u = $u + $row['loggedin']; + } + if ($u == '1') { + $u = 'Currently there's 1 user online.'; + } elseif ($u == '') { + $u = 'Currently there are 0 users online.'; + } else { + $u = "Currently there are $u users online."; + } + echo '
    @@ -53,27 +57,27 @@ function declarenone() {
    '; -}; -function declareuser() { - - if ($st = $pdo->prepare("SELECT regolamento FROM members WHERE username=?")) { - $st->bind_param('s', $curuser); +} +function declareuser() +{ + if ($st = $pdo->prepare('SELECT regolamento FROM members WHERE username=?')) { + $st->bind_param('s', $curuser); // Esegui la query ottenuta. $st->execute(); - $st->bind_result($regol); - $st->fetch(); - }; - error_log("regol for $curuser is $regol", 0); - if($regol == "0") { - $top = "$itop"; - $desc = "$idesc"; - $section = "$isection"; - } else { - $top = "$normtop"; - $desc = "$normdesc"; - $section = "$normsection"; - }; - echo ' + $st->bind_result($regol); + $st->fetch(); + } + error_log("regol for $curuser is $regol", 0); + if ($regol == '0') { + $top = "$itop"; + $desc = "$idesc"; + $section = "$isection"; + } else { + $top = "$normtop"; + $desc = "$normdesc"; + $section = "$normsection"; + } + echo '