diff options
| author | Horus3 | 2014-03-12 02:50:30 +0100 |
|---|---|---|
| committer | Horus3 | 2014-03-12 02:50:30 +0100 |
| commit | 8970954933ecf4b5c842027faa7c52f85cc25fe2 (patch) | |
| tree | e502119b624197871550d72d55c2e9a9f2a4f05b /www | |
| parent | 0148c370ea13ee0469bd67260cf8c9fe9c97677d (diff) | |
| download | files.iamfabulous.de-8970954933ecf4b5c842027faa7c52f85cc25fe2.tar.gz | |
Structure in functions. Stronger hash algorith for password safety, also pepper.
Diffstat (limited to 'www')
| -rw-r--r-- | www/functions.php | 333 | ||||
| -rw-r--r-- | www/functions/func_failure.php | 12 | ||||
| -rw-r--r-- | www/functions/func_interface.php | 5 | ||||
| -rw-r--r-- | www/functions/func_invite.php | 68 | ||||
| -rw-r--r-- | www/functions/func_login.php | 63 | ||||
| -rw-r--r-- | www/functions/func_register.php | 74 | ||||
| -rw-r--r-- | www/functions/func_rewrite.php | 31 | ||||
| -rw-r--r-- | www/functions/func_select.php | 79 | ||||
| -rw-r--r-- | www/functions/func_user.php | 13 | ||||
| -rw-r--r-- | www/httperror.php (renamed from www/404.php) | 2 | ||||
| -rw-r--r-- | www/index.php | 3 | ||||
| -rw-r--r-- | www/setup.php | 22 | ||||
| -rw-r--r-- | www/static/httperror.css (renamed from www/static/404.css) | 0 |
13 files changed, 369 insertions, 336 deletions
diff --git a/www/functions.php b/www/functions.php index 34e1a53..76b4ba1 100644 --- a/www/functions.php +++ b/www/functions.php @@ -1,325 +1,12 @@ <? -require_once("select_function.php"); - -/* --LOGIN-- */ - -function login($db){ - if($_SERVER['REQUEST_METHOD'] == 'POST') { - - /*___Database Query: Login___*/ - $unsafe_username = $_POST["username"]; - $unsafe_passwort = $_POST["password"]; - $username = SQLite3::escapeString("$unsafe_username"); - $passwort = SQLite3::escapeString("$unsafe_passwort"); - - $salt_db = $db->query("SELECT salt FROM user WHERE name='$username';"); - while($salt_array = $salt_db->fetchArray(SQLITE3_NUM)){ - foreach($salt_array as $firstelement){ - $salt=$firstelement; - } - } - - $password = "$salt"."$passwort"; - $hash_password = md5($password); - for($i=0;$i<15000;$i++) - $hash_password = md5($hash_password); - - $real_password_db = $db->query("SELECT password FROM user WHERE name='$username';"); - while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){ - foreach($real_password_array as $secondelement){ - $real_password=$secondelement; - } - } - - /*___Login___*/ - if ($real_password == $hash_password) { - - if($db->exec(" - BEGIN TRANSACTION; - INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='$username'), (SELECT datetime()) ); - COMMIT; - ")){ - - $_SESSION["login"] = true; - $_SESSION["username"] = "$unsafe_username"; - - header("Refresh: 0; /"); - - } else { - header("Refresh: 0; login?reason=database&username=" . $unsafe_username); - } - } else { - header("Refresh: 0; login?reason=failure&username=" . $unsafe_username); - } - } else { - - /*Prints the GET version*/ - - if($_SESSION["login"]){ - header("Refresh: 0; /"); - } else { -/* foreach ($_GET as $argument => $value) { - if(preg_match("/success/",$argument)) - $logout="Log out was succesfull!"; - } - - if($logout){ - header("Refresh: 0; login?reason=logout&username=" . $unsafe_username); - } - - echo "<form method='post' action='/login'> - <p>Name: <input type='text' name='username'></p> - <p>Password: <input type='password' name='password'> - <p><input type='submit' name='submit' value='login'></p> - </form>"; -*/ - include("login.php"); - - } - } - exit; -} - -/* --LOGOUT-- */ - -function logout(){ - $username=$_SESSION["username"]; - session_destroy(); - header("Refresh: 0; login?reason=logout&username=" . $username); - exit; -} - -/* --INVITE-- */ - -function invite($db){ - if($_SERVER['REQUEST_METHOD'] == 'POST') { - - if(!$_SESSION["login"]){ - header("Refresh: 0; /login"); - } - - $name=$_SESSION["username"]; - $safe_name = SQLite3::escapeString("$name"); - - $email=$_POST["email"]; - $safe_email=SQLite3::escapeString("$email"); - - $invite_db = $db->query("SELECT invites FROM user WHERE name='$safe_name';"); - $invite_ar = $invite_db->fetchArray(SQLITE3_NUM); - $invite = $invite_ar[0]; - - if($invite > 0){ - - /*Generates the invite key => [-_0-9a-zA-Z]{11}*/ - - $key_array = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "_", "-", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" ); - - $length = count($key_array); - $key = ""; - - for ($i=0;$i<11;$i++){ - $index = mt_rand(0,$length-1); - $key = "$key".$key_array[$index]; - } - - $id_db = $db->query("SELECT id FROM USER WHERE name='$safe_name';"); - $id_ar = $id_db->fetchArray(SQLITE3_NUM); - $id = $id_ar[0]; - - /*Generates the new user and decrease the invites*/ - - $invite = $invite - 1; - - echo "ID: '$id', KEY: '$key', SAFE_EMAIL: '$safe_email'"; - - if($db->exec(" - BEGIN TRANSACTION; - INSERT INTO user (id, name, email, senpai, key, status) VALUES (NULL, NULL, '$safe_email', '$id', '$key', 0); - UPDATE user SET invites='$invite' WHERE id='$id'; - COMMIT;") - ){ - $subject="Welcome, you were invited to the new virtual filesystem.\nYour key is" . $key . "\nVisit files.iamfabulous.de/register to complete your registration."; - mail($email, "Invite", $subject, "From: mail@iamfabulous.de"); - header("Refresh: 0; /invite?reason=success"); - } else { - header("Refresh: 0; /invite?reason=database"); - } - - } else { - header("Refresh: 0; /invite?reason=invites"); - } - } else { - - /*Prints the formular if requested with GET*/ - - foreach ($_GET as $name => $value) { - echo 'Name: ' . $name . ' Value: ' . $value . '<br />'; - } - - echo "Hallo $name - <form method='post' action='/invite'> - <p> E-Mail: <input type='text' name='email'></p> - <input type='hidden' name='username' value='$_SESSION[username]'> - <input type='submit' name='submit' value='invite'> - </form>"; - - echo "END"; - } - exit; -} - -/* --REGISTER-- */ - -function register($db){ - if($_SERVER['REQUEST_METHOD'] == 'POST') { - - $name = $_POST["username"]; - $cleartext_password = $_POST["pswd"]; - $second_password = $_POST["2ndpswd"]; - $email = $_POST["email"]; - - /* checking for empty password etc. */ - - if(($cleartext_password != $second_password) || !isset($_POST["pswd"]) || !isset($_POST["2ndpswd"]) || $cleartext_password == "" || empty($_POST["pswd"]) || empty($_POST["2ndpswd"])){ - header("Refresh: 0; register?reason=password"); - exit; - } - - /* TODO: allow full unicode */ - - if(preg_match("/[^-_0-9a-zA-Z]/", $name) || preg_match("/[^-_0-9a-zA-Z]/", $cleartext_password) || preg_match("/[^-_0-9a-zA-Z@.]/", $email)){ - header("Refresh: 0; register?reason=encoding"); - exit; - } - - $safe_name = SQLite3::escapeString("$name"); - $safe_email = SQLite3::escapeString("$email"); - - /*Checks the validation of the registration attempt*/ - - $test_status_db = $db->query("SELECT status FROM user WHERE email='$safe_email';"); - $test_status_arr = $test_status_db->fetchArray(SQLITE3_NUM); - $test_status_int = $test_status_arr[0]; - - $test_key_db = $db->query("SELECT key FROM user WHERE email='$safe_email';"); - $test_key_arr = $test_key_db->fetchArray(SQLITE3_NUM); - $test_key = $test_key_arr[0]; - - if (empty($test_status_db) || $test_status_int != 0 || $test_key != $_POST["key"] || $test_key == ""){ - header("Refresh: 0; /register?reason=prohibited"); - exit; - } else { - - $id_db = $db->query("SELECT id FROM user WHERE email='$safe_email';"); - $id_ar = $id_db->fetchArray(SQLITE3_NUM); - $id = $id_ar[0]; - - /*Generates the encrypted password and the database transactions*/ - - $salt = uniqid(mt_rand(), true); - $password = "$salt"."$cleartext_password"; - $hash_password = md5($password); - for($i=0;$i<15000;$i++) - $hash_password = md5($hash_password); - - if($db->exec(" - BEGIN TRANSACTION; - UPDATE user SET name='$safe_name', salt='$salt', password='$hash_password', invites=5, status=1, register=(SELECT datetime()) WHERE id=$id; - INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, $id, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, ''); - COMMIT;") - ){ - $_SESSION["login"] = true; - $_SESSION["username"] = $name; - header("Refresh: 0; /user?reason=welcome"); - } else { - header("Refresh: 0; /register?reason=database"); - } - } - } else { - /* foreach ($_GET as $name => $value) { - echo 'Name: ' . $name . ' Value: ' . $value . '<br />'; - } - - echo "<form method='post' action='register'> - <p>Name: <input type='text' name='name'></p> - <p>pswd: <input type='password' name='pswd'></p> - <p>2ndpsdw: <input type='password' name='2ndpswd'></p> - <p>key: <input type='text' name='key'></p> - <p>email: <input type='text' name='email'></p> - <p><input type='submit'></p> - </form> - ";*/ - - include("register.php"); - } - exit; -} - -/* --PAGE NOT FOUND - 404 -- */ - -function get_404($working_path, $wrong_folder){ - include("404.php"); - exit; -} - -//function select($db){ - - - -/* $i = 0; - foreach ($_GET as $name => $value) { //value leer? - $args[$i] = $name; - echo 'Name: ' . $name . ' Value: ' . $value . '<br />'; - $i++; - } - echo "Presented by func select()!"; -*/ -//} - -function rewrite($db){ - - /* test if first argument a username or folder */ - - $name = SQLite3::escapeString("$_GET[name]"); - - $name_id_db = $db->query("SELECT id FROM user WHERE name='$name';"); - $name_id_ar = $name_id_db->fetchArray(SQLITE3_NUM); - - if(empty($name_id_ar)){ - - /* if first argument wasn't valid, rewrite the URL to include the username */ - - if($_SESSION["login"]){ - header("Refresh: 0; /" . $_SESSION[username] . "/" . $_GET["name"] . "/" . $_GET["folder"] . ""); - exit; - } else { - - $wrong_folder = $_GET["name"]; - $working_path = $_GET["name"]; - - get_404($working_path, $wrong_folder); - } - return false; - } - - return true; -} - -function failure($reason){ - echo "A 404 error occurred. <br>"; - echo $reason; - exit; -} - - -function user($db){ - echo "loged in as: " . $_SESSION["username"]; - $safe_name=SQLite3::escapeString("$_SESSION[username]"); - $invite_db = $db->query("SELECT invites FROM user WHERE name='$safe_name';"); - $invite_ar = $invite_db->fetchArray(SQLITE3_NUM); - $invite = $invite_ar[0]; - - echo "<br><br>"; - echo "You have currently $invite invites. <br>"; -} +$func_dir = "functions/"; + +require_once($func_dir . "func_failure.php"); // 404 and other errors +require_once($func_dir . "func_interface.php"); // presents the vfs content +require_once($func_dir . "func_invite.php"); // handles the invite routine +require_once($func_dir . "func_login.php"); // handles also logout +require_once($func_dir . "func_register.php"); // processing the registration +require_once($func_dir . "func_rewrite.php"); // rewrites URL if user forgot to add the username while loged in +require_once($func_dir . "func_select.php"); // get the actual vfs content +require_once($func_dir . "func_user.php"); // account specific stuff diff --git a/www/functions/func_failure.php b/www/functions/func_failure.php new file mode 100644 index 0000000..682aced --- /dev/null +++ b/www/functions/func_failure.php @@ -0,0 +1,12 @@ +/* --PAGE NOT FOUND - 404 -- */ + +function get_404($working_path, $wrong_folder){ + include("404.php"); + exit; +} + +function failure($reason){ + echo "A 404 error occurred. <br>"; + echo $reason; + exit; +} diff --git a/www/functions/func_interface.php b/www/functions/func_interface.php new file mode 100644 index 0000000..0116fe6 --- /dev/null +++ b/www/functions/func_interface.php @@ -0,0 +1,5 @@ +<? + +function show($content){ + var_dump($content); +} diff --git a/www/functions/func_invite.php b/www/functions/func_invite.php new file mode 100644 index 0000000..864c1ad --- /dev/null +++ b/www/functions/func_invite.php @@ -0,0 +1,68 @@ +<? +function invite($db){ + if($_SERVER['REQUEST_METHOD'] == 'POST') { + + if(!$_SESSION["login"]){ + header("Refresh: 0; /login"); + return false; + } + + $name=$_SESSION["username"]; + $safe_name = SQLite3::escapeString("$name"); + + $email=$_POST["email"]; + $safe_email=SQLite3::escapeString("$email"); + + $invite_db = $db->query("SELECT invites FROM user WHERE name='" . $safe_name . "';"); + $invite_ar = $invite_db->fetchArray(SQLITE3_NUM); + $invite = $invite_ar[0]; + + if($invite > 0){ + + /*Generates the invite key => [-_0-9a-zA-Z]{11}*/ + + $key_array = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "_", "-", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" ); + + $length = count($key_array); + $key = ""; + + for ($i=0;$i<11;$i++){ + $index = mt_rand(0,$length-1); + $key = "$key".$key_array[$index]; + } + + $id_db = $db->query("SELECT id FROM USER WHERE name=' " . $safe_name . "';"); + $id_ar = $id_db->fetchArray(SQLITE3_NUM); + $id = $id_ar[0]; + + /*Generates the new user and decrease the invites*/ + + $invite = $invite - 1; + + if($db->exec(" + BEGIN TRANSACTION; + INSERT INTO user (id, name, email, senpai, key, status) VALUES (NULL, NULL, '" . $safe_email . "', '" . $id . "', '" . $key . "', 0); + UPDATE user SET invites='" . $invite . "' WHERE id='" . $id . "'; + COMMIT;") + ){ + $subject="Welcome, you were invited to the new virtual filesystem.\nYour key is" . $key . "\nVisit files.iamfabulous.de/register to complete your registration."; + + mail($email, "Invite", $subject, "From: mail@iamfabulous.de"); + + header("Refresh: 0; /invite?reason=success"); + return true; + + } else { + header("Refresh: 0; /invite?reason=database"); + return false; + } + + } else { + header("Refresh: 0; /invite?reason=invites"); + return false; + } + } else { + echo "Formular"; + return false; + } +} diff --git a/www/functions/func_login.php b/www/functions/func_login.php new file mode 100644 index 0000000..f528076 --- /dev/null +++ b/www/functions/func_login.php @@ -0,0 +1,63 @@ +<? +function login($db){ + if($_SERVER['REQUEST_METHOD'] == 'POST') { + + /*___Database Query: Login___*/ + $username = $_POST["username"]; + $password = $_POST["password"]; + $safe_username = SQLite3::escapeString("$username"); + + //$hash = password_hash($_GET["password"], PASSWORD_DEFAULT); + + $pepper = file_get_contents("../database/pepper.txt"); + $password = $password . $pepper; + + $real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';"); + while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){ + foreach($real_password_array as $secondelement){ + $real_password=$secondelement; + } + } + + /*___Login___*/ + if (password_verify($password, $real_password)) { + + if($db->exec(" + BEGIN TRANSACTION; + INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT datetime()) ); + COMMIT; + ")){ + + $_SESSION["login"] = true; + $_SESSION["username"] = $username; + + header("Refresh: 0; /"); + return true; + + } else { + header("Refresh: 0; login?reason=database&username=" . $username); + return false; + } + } else { + header("Refresh: 0; login?reason=failure&username=" . $username); + return false; + } + } else { + if($_SESSION["login"]){ + header("Refresh: 0; /"); + return false; + } + include("login.php"); + return false; + } +} + +function logout(){ + $username=$_SESSION["username"]; + if(session_destroy()){ + header("Refresh: 0; login?reason=logout&username=" . $username); + return true; + } else { + return false; + } +} diff --git a/www/functions/func_register.php b/www/functions/func_register.php new file mode 100644 index 0000000..3fc9949 --- /dev/null +++ b/www/functions/func_register.php @@ -0,0 +1,74 @@ +<? +function register($db){ + if($_SERVER['REQUEST_METHOD'] == 'POST') { + + $name = $_POST["username"]; + $cleartext_password = $_POST["pswd"]; + $second_password = $_POST["2ndpswd"]; + $email = $_POST["email"]; + + /* checking for empty password etc. */ + + if(($cleartext_password != $second_password) || !isset($_POST["pswd"]) || !isset($_POST["2ndpswd"]) || $cleartext_password == "" || empty($_POST["pswd"]) || empty($_POST["2ndpswd"])){ + header("Refresh: 0; register?reason=password"); + return false; + } + + /* TODO: allow full unicode */ + + if(preg_match("/[^-_0-9a-zA-Z]/", $name) || preg_match("/[^-_0-9a-zA-Z]/", $cleartext_password) || preg_match("/[^-_0-9a-zA-Z@.]/", $email)){ + header("Refresh: 0; register?reason=encoding"); + return false; + } + + $safe_name = SQLite3::escapeString("$name"); + $safe_email = SQLite3::escapeString("$email"); + + /*Checks the validation of the registration attempt*/ + + $test_status_db = $db->query("SELECT status FROM user WHERE email='" . $safe_email . "';"); + $test_status_arr = $test_status_db->fetchArray(SQLITE3_NUM); + $test_status_int = $test_status_arr[0]; + + $test_key_db = $db->query("SELECT key FROM user WHERE email='" . $safe_email . "';"); + $test_key_arr = $test_key_db->fetchArray(SQLITE3_NUM); + $test_key = $test_key_arr[0]; + + if (empty($test_status_db) || $test_status_int != 0 || $test_key != $_POST["key"] || $test_key == ""){ + header("Refresh: 0; /register?reason=prohibited"); + return false; + } else { + + $id_db = $db->query("SELECT id FROM user WHERE email='" . $safe_email . "';"); + $id_ar = $id_db->fetchArray(SQLITE3_NUM); + $id = $id_ar[0]; + + /*Generates the encrypted password and the database transactions*/ + + $pepper = file_get_contents("../database/pepper.txt"); + $password = $password . $pepper; + + $hash_password = password_hash($password, PASSWORD_DEFAULT); + + if($db->exec(" + BEGIN TRANSACTION; + UPDATE user SET name='" . $safe_name . "', password='" . $hash_password . "', invites=5, status=1, register=(SELECT datetime()) WHERE id=" . $id . "; + INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, $id, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, ''); + COMMIT;") + ){ + $_SESSION["login"] = true; + $_SESSION["username"] = $name; + + return true; + + } else { + header("Refresh: 0; /register?reason=database"); + return false; + } + } + + } else { + include("register.php"); + return false; + } +} diff --git a/www/functions/func_rewrite.php b/www/functions/func_rewrite.php new file mode 100644 index 0000000..5ca2171 --- /dev/null +++ b/www/functions/func_rewrite.php @@ -0,0 +1,31 @@ +<? +function rewrite($db){ + + /* test if first argument a username or folder */ + + $name = SQLite3::escapeString("$_GET[name]"); + + $name_id_db = $db->query("SELECT id FROM user WHERE name='" . $name . "';"); + $name_id_ar = $name_id_db->fetchArray(SQLITE3_NUM); + + if(empty($name_id_ar)){ + + /* if first argument wasn't valid, rewrite the URL to include the username */ + + if($_SESSION["login"]){ + header("Refresh: 0; /" . $_SESSION[username] . "/" . $_GET["name"] . "/" . $_GET["folder"] . ""); + exit; + } else { + + $wrong_folder = $_GET["name"]; + $working_path = $_GET["name"]; + + get_404($working_path, $wrong_folder); + return false; + } + return false; + } + + return true; +} + diff --git a/www/functions/func_select.php b/www/functions/func_select.php new file mode 100644 index 0000000..dc649f2 --- /dev/null +++ b/www/functions/func_select.php @@ -0,0 +1,79 @@ +<? +function select($db){ + if($_SESSION["login"]){ + $share=""; + } else { + $share ="AND share='PUBLIC'"; + } + + if(!empty($_GET["name"])){ + $user = $_GET["name"]; + } else { + failure("No user input."); + } + + $owner_db = $db->query("SELECT id FROM user WHERE name='" . SQLite3::escapeString($user) . "';"); + if(empty($owner_db)){ + failure("This user doesn't exist."); + } + + $owner_ar = $owner_db->fetchArray(SQLITE3_NUM); + $owner = $owner_ar[0]; + + $folder_array_unsafe = explode("/",$_GET["folder"]); + $length = count($folder_array_unsafe); + + $root_db = $db->query("SELECT id FROM files WHERE parent=0 AND owner=" . $owner . " AND folder='DIRECTORY' " . $share . ";"); + if(empty($root_db)){ + failure("There is something seriously wrong. If you are a human you should never read this. Mail the admin please."); + } + $root_ar = $root_db->fetchArray(SQLITE3_NUM); + $root_id = $root_ar[0]; + $parentdir = SQLite3::escapeString($root_id); + $temp_id = $root_id; + + for($i=0; $i<$length; $i++){ + + if(!empty($folder_array_unsafe[$i])){ + $parentdir_db = $db->query("SELECT id, parent FROM files WHERE owner=" . $owner . " AND folder='DIRECTORY' " . $share . " AND parent=" . $parentdir . " AND name='" . SQLite3::escapeString($folder_array_unsafe[$i]) . "';"); + if(empty($parentdir_db)){ + failure("Database error."); + } + $prim_id = $parentdir_db->fetchArray(SQLITE3_NUM); + if($parentdir != $prim_id[1]){ + + $wrong_folder = $folder_array_unsafe[$i]; + $working_path[0] = $wrong_folder; + + for($j=0; $j<$i; $j++){ + $working_path[$j] = $folder_array_unsafe[$j]; + } + + get_404($working_path, $wrong_folder); + return false; + } + + $parentdir = $prim_id[0]; + } + } + + $content_db = $db->query("SELECT * FROM files WHERE parent=" . $parentdir . " AND owner=" . $owner . ";"); + + $count=0; + while($row = $content_db->fetchArray(SQLITE3_NUM)){ + $content[$count][0] = $row[0]; + $content[$count][1] = $row[1]; + $content[$count][2] = $row[2]; + $content[$count][3] = $row[3]; + $content[$count][4] = $row[4]; + $content[$count][5] = $row[5]; + $content[$count][6] = $row[6]; + $content[$count][7] = $row[7]; + $content[$count][8] = $row[8]; + //echo "<a href='/". $user . "/" . $content[$count][3] . "'>" . $content[$count][3] . "</a><br>"; + $count++; + } + + return $content; + +} diff --git a/www/functions/func_user.php b/www/functions/func_user.php new file mode 100644 index 0000000..2e49651 --- /dev/null +++ b/www/functions/func_user.php @@ -0,0 +1,13 @@ +<? +function user($db){ + echo "loged in as: " . $_SESSION["username"]; + $safe_name=SQLite3::escapeString("$_SESSION[username]"); + $invite_db = $db->query("SELECT invites FROM user WHERE name='" . $safe_name . "';"); + $invite_ar = $invite_db->fetchArray(SQLITE3_NUM); + $invite = $invite_ar[0]; + + echo "<br><br>"; + echo "You have currently $invite invites. <br>"; + return true; +} + diff --git a/www/404.php b/www/httperror.php index 290f09a..1b06226 100644 --- a/www/404.php +++ b/www/httperror.php @@ -17,7 +17,7 @@ <?php include("static/header.html");?> - <link rel="stylesheet" type="text/css" href="static/404.css"> + <link rel="stylesheet" type="text/css" href="static/httperror.css"> <div id="Error-Page-content"> <h1 id="Error-Page-head" >404</h1> <h2 id="Error-Page-description" >Wow! I didn't see that coming...Well, I'm sorry...</h2> diff --git a/www/index.php b/www/index.php index 178e66d..0ce2d72 100644 --- a/www/index.php +++ b/www/index.php @@ -3,7 +3,6 @@ session_start(); require_once("functions.php"); -require_once("interface_functions.php"); $db = new SQLite3("../database/sqlite.db"); @@ -25,7 +24,7 @@ if(empty($_GET)){ if(empty($_GET["name"])){ switch($_GET["task"]){ case("login"): - login($db); + login($db) break; case("logout"): logout(); diff --git a/www/setup.php b/www/setup.php index 01867eb..1effda5 100644 --- a/www/setup.php +++ b/www/setup.php @@ -1,6 +1,9 @@ <? -/*Sets up the database with the necessary tables. Add ?drop to drop _everything_*/ +/* + Sets up the database with the necessary tables. Add ?drop to drop _everything_! + Don't forget to create a individual pepper in ../database/pepper.txt first! +*/ $db = new SQLite3("../database/sqlite.db"); @@ -26,25 +29,24 @@ if($bool){ } else { $cleartext_password="password"; $email="admin@iamfabulous.de"; - $salt = uniqid(mt_rand(), true); - $password = "$salt"."$cleartext_password"; - $hash_password = md5($password); - for($i=0;$i<15000;$i++) - $hash_password = md5($hash_password); - + $pepper = file_get_contents("../database/pepper.txt"); + $password = $cleartext_password . $pepper; + + $hash_password = password_hash($password, PASSWORD_DEFAULT); if($db->exec(" BEGIN TRANSACTION; - CREATE TABLE IF NOT EXISTS user (id INTEGER PRIMARY KEY, name TEXT UIQUE, salt TEXT, password TEXT, email TEXT UNIQUE, invites INTEGER, senpai INTEGER, key TEXT, status INTEGER, register TEXT); - INSERT INTO user (id, name, senpai, key, status, invites, salt, password, email, register) VALUES (NULL, 'admin', 0, '11111', 1, 5, '$salt', '$hash_password', '$email', (SELECT datetime()) ); + CREATE TABLE IF NOT EXISTS user (id INTEGER PRIMARY KEY, name TEXT UIQUE, password TEXT, email TEXT UNIQUE, invites INTEGER, senpai INTEGER, key TEXT, status INTEGER, register TEXT); + INSERT INTO user (id, name, senpai, key, status, invites, password, email, register) VALUES (NULL, 'admin', 0, '11111', 1, 5, '" . $hash_password . "', '" . $email . "', (SELECT datetime()) ); CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, FOREIGN KEY(owner) REFERENCES user(id)); + INSERT INTO files (id, parent, owner, name, folder, size, share, hash) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', ''); CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id)); COMMIT;") ) { echo "Success!"; } else { echo "Failure! :( <br>"; - echo "Salt: $salt, password: $hash_password"; + echo "Your password: $hash_password"; } } // INSERT INT0 user (id, name, salt, password, status, invites, email, senpai, key) VALUES (NULL, 'admin', '$salt', '$hash_password', 1, 5, 'admin@iamfabulous.de', 0, '11111'); diff --git a/www/static/404.css b/www/static/httperror.css index 3567ae4..3567ae4 100644 --- a/www/static/404.css +++ b/www/static/httperror.css |