authorHorus32014-03-12 02:50:30 +0100
committerHorus32014-03-12 02:50:30 +0100
commit8970954933ecf4b5c842027faa7c52f85cc25fe2 (patch)
treee502119b624197871550d72d55c2e9a9f2a4f05b /www/functions/func_register.php
parent0148c370ea13ee0469bd67260cf8c9fe9c97677d (diff)
downloadfiles.iamfabulous.de-8970954933ecf4b5c842027faa7c52f85cc25fe2.tar.gz
Structure in functions. Stronger hash algorithm for password safety, also pepper.
Diffstat (limited to 'www/functions/func_register.php')
-rw-r--r--www/functions/func_register.php74
1 files changed, 74 insertions, 0 deletions
diff --git a/www/functions/func_register.php b/www/functions/func_register.php
new file mode 100644
index 0000000..3fc9949
--- /dev/null
+++ b/www/functions/func_register.php
@@ -0,0 +1,74 @@
+<?
+function register($db){
+ if($_SERVER['REQUEST_METHOD'] == 'POST') {
+
+ $name = $_POST["username"];
+ $cleartext_password = $_POST["pswd"];
+ $second_password = $_POST["2ndpswd"];
+ $email = $_POST["email"];
+
+ /* checking for empty password etc. */
+
+ if(($cleartext_password != $second_password) || !isset($_POST["pswd"]) || !isset($_POST["2ndpswd"]) || $cleartext_password == "" || empty($_POST["pswd"]) || empty($_POST["2ndpswd"])){
+ header("Refresh: 0; register?reason=password");
+ return false;
+ }
+
+ /* TODO: allow full unicode */
+
+ if(preg_match("/[^-_0-9a-zA-Z]/", $name) || preg_match("/[^-_0-9a-zA-Z]/", $cleartext_password) || preg_match("/[^-_0-9a-zA-Z@.]/", $email)){
+ header("Refresh: 0; register?reason=encoding");
+ return false;
+ }
+
+ $safe_name = SQLite3::escapeString("$name");
+ $safe_email = SQLite3::escapeString("$email");
+
+ /*Checks the validation of the registration attempt*/
+
+ $test_status_db = $db->query("SELECT status FROM user WHERE email='" . $safe_email . "';");
+ $test_status_arr = $test_status_db->fetchArray(SQLITE3_NUM);
+ $test_status_int = $test_status_arr[0];
+
+ $test_key_db = $db->query("SELECT key FROM user WHERE email='" . $safe_email . "';");
+ $test_key_arr = $test_key_db->fetchArray(SQLITE3_NUM);
+ $test_key = $test_key_arr[0];
+
+ if (empty($test_status_db) || $test_status_int != 0 || $test_key != $_POST["key"] || $test_key == ""){
+ header("Refresh: 0; /register?reason=prohibited");
+ return false;
+ } else {
+
+ $id_db = $db->query("SELECT id FROM user WHERE email='" . $safe_email . "';");
+ $id_ar = $id_db->fetchArray(SQLITE3_NUM);
+ $id = $id_ar[0];
+
+ /*Generates the encrypted password and the database transactions*/
+
+ $pepper = file_get_contents("../database/pepper.txt");
+ $password = $password . $pepper;
+
+ $hash_password = password_hash($password, PASSWORD_DEFAULT);
+
+ if($db->exec("
+ BEGIN TRANSACTION;
+ UPDATE user SET name='" . $safe_name . "', password='" . $hash_password . "', invites=5, status=1, register=(SELECT datetime()) WHERE id=" . $id . ";
+ INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, $id, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, '');
+ COMMIT;")
+ ){
+ $_SESSION["login"] = true;
+ $_SESSION["username"] = $name;
+
+ return true;
+
+ } else {
+ header("Refresh: 0; /register?reason=database");
+ return false;
+ }
+ }
+
+ } else {
+ include("register.php");
+ return false;
+ }
+}
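Review bot: The pepper is appended to an undefined variable on line 71 — `$password` is never assigned, the cleartext value lives in `$cleartext_password` (line 28) — so `password_hash()` on line 73 hashes only the pepper and every registered account ends up with the same stored hash regardless of the password the user chose; the fix is `$hash_password = password_hash($cleartext_password . $pepper, PASSWORD_DEFAULT);`. On line 78 the INSERT column list names `size` twice (`size` and `share, size`), which looks like one of them was meant to be a different column; worth checking against the `files` schema, since the query is never tested before the exec. The invite-key check on line 59 compares `$test_key != $_POST["key"]` with loose equality and reads `$_POST["key"]` without an isset guard; a constant-time comparison such as `hash_equals((string) $test_key, (string) ($_POST["key"] ?? ''))` avoids both the type-juggling edge cases and the timing leak. The UPDATE/INSERT on lines 75-79 splice `$hash_password` and `$id` into SQL by string concatenation, while the SQLite3 API already offers `prepare()`/`bindValue()`; using it would also let the code roll back explicitly when a statement fails instead of relying on a multi-statement `exec()` return value.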