From 8970954933ecf4b5c842027faa7c52f85cc25fe2 Mon Sep 17 00:00:00 2001
From: Horus3
Date: Wed, 12 Mar 2014 02:50:30 +0100
Subject: Structure in functions. Stronger hash algorith for password safety,
 also pepper.

---
 www/functions/func_register.php | 74 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 www/functions/func_register.php

(limited to 'www/functions/func_register.php')

diff --git a/www/functions/func_register.php b/www/functions/func_register.php
new file mode 100644
index 0000000..3fc9949
--- /dev/null
+++ b/www/functions/func_register.php
@@ -0,0 +1,74 @@
+<?
+function register($db){
+        if($_SERVER['REQUEST_METHOD'] == 'POST') {
+
+                $name = $_POST["username"];
+                $cleartext_password = $_POST["pswd"];
+                $second_password = $_POST["2ndpswd"];
+                $email = $_POST["email"];
+
+        /* checking for empty password etc. */
+
+                if(($cleartext_password != $second_password) || !isset($_POST["pswd"]) || !isset($_POST["2ndpswd"]) || $cleartext_password == "" || empty($_POST["pswd"]) || empty($_POST["2ndpswd"])){
+                        header("Refresh: 0; register?reason=password");
+			return false;
+                }   
+
+        /* TODO: allow full unicode */
+
+                if(preg_match("/[^-_0-9a-zA-Z]/", $name) || preg_match("/[^-_0-9a-zA-Z]/", $cleartext_password) || preg_match("/[^-_0-9a-zA-Z@.]/", $email)){
+                        header("Refresh: 0; register?reason=encoding");
+			return false;
+                }   
+
+                $safe_name =  SQLite3::escapeString("$name");
+                $safe_email =  SQLite3::escapeString("$email");
+
+        /*Checks the validation of the registration attempt*/
+
+                $test_status_db = $db->query("SELECT status FROM user WHERE email='" . $safe_email . "';");
+                $test_status_arr = $test_status_db->fetchArray(SQLITE3_NUM);
+                $test_status_int = $test_status_arr[0];
+
+                $test_key_db = $db->query("SELECT key FROM user WHERE email='" . $safe_email . "';");
+                $test_key_arr = $test_key_db->fetchArray(SQLITE3_NUM);
+                $test_key = $test_key_arr[0];
+
+                if (empty($test_status_db) || $test_status_int != 0 || $test_key != $_POST["key"] || $test_key == ""){
+                        header("Refresh: 0; /register?reason=prohibited");
+			return false;
+                } else {
+
+                        $id_db = $db->query("SELECT id FROM user WHERE email='" . $safe_email . "';");
+                        $id_ar = $id_db->fetchArray(SQLITE3_NUM);
+                        $id = $id_ar[0];
+
+        /*Generates the encrypted password and the database transactions*/
+
+			$pepper = file_get_contents("../database/pepper.txt");
+			$password = $password . $pepper;
+
+			$hash_password = password_hash($password, PASSWORD_DEFAULT);
+
+                        if($db->exec("
+				BEGIN TRANSACTION;
+                                UPDATE user SET name='" . $safe_name . "', password='" . $hash_password . "', invites=5, status=1, register=(SELECT datetime()) WHERE id=" . $id . ";
+                                INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, $id, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, '');
+                                COMMIT;")
+                        ){
+                                $_SESSION["login"] = true;
+                                $_SESSION["username"] = $name;
+
+				return true;
+
+                        } else {
+                                header("Refresh: 0; /register?reason=database");
+				return false;
+                        }
+                }
+
+        } else {
+		include("register.php");
+		return false;
+	}
+}
-- 
cgit v1.2.3