From 8970954933ecf4b5c842027faa7c52f85cc25fe2 Mon Sep 17 00:00:00 2001
From: Horus3
Date: Wed, 12 Mar 2014 02:50:30 +0100
Subject: Structure in functions. Stronger hash algorith for password safety,
also pepper.
---
www/functions/func_failure.php | 12 ++++++
www/functions/func_interface.php | 5 +++
www/functions/func_invite.php | 68 ++++++++++++++++++++++++++++++++++
www/functions/func_login.php | 63 ++++++++++++++++++++++++++++++++
www/functions/func_register.php | 74 +++++++++++++++++++++++++++++++++++++
www/functions/func_rewrite.php | 31 ++++++++++++++++
www/functions/func_select.php | 79 ++++++++++++++++++++++++++++++++++++++++
www/functions/func_user.php | 13 +++++++
8 files changed, 345 insertions(+)
create mode 100644 www/functions/func_failure.php
create mode 100644 www/functions/func_interface.php
create mode 100644 www/functions/func_invite.php
create mode 100644 www/functions/func_login.php
create mode 100644 www/functions/func_register.php
create mode 100644 www/functions/func_rewrite.php
create mode 100644 www/functions/func_select.php
create mode 100644 www/functions/func_user.php
(limited to 'www/functions')
diff --git a/www/functions/func_failure.php b/www/functions/func_failure.php
new file mode 100644
index 0000000..682aced
--- /dev/null
+++ b/www/functions/func_failure.php
@@ -0,0 +1,12 @@
+/* --PAGE NOT FOUND - 404 -- */
+
+function get_404($working_path, $wrong_folder){
+ include("404.php");
+ exit;
+}
+
+function failure($reason){
+ echo "A 404 error occurred.
";
+ echo $reason;
+ exit;
+}
diff --git a/www/functions/func_interface.php b/www/functions/func_interface.php
new file mode 100644
index 0000000..0116fe6
--- /dev/null
+++ b/www/functions/func_interface.php
@@ -0,0 +1,5 @@
+query("SELECT invites FROM user WHERE name='" . $safe_name . "';");
+ $invite_ar = $invite_db->fetchArray(SQLITE3_NUM);
+ $invite = $invite_ar[0];
+
+ if($invite > 0){
+
+ /*Generates the invite key => [-_0-9a-zA-Z]{11}*/
+
+ $key_array = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "_", "-", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" );
+
+ $length = count($key_array);
+ $key = "";
+
+ for ($i=0;$i<11;$i++){
+ $index = mt_rand(0,$length-1);
+ $key = "$key".$key_array[$index];
+ }
+
+ $id_db = $db->query("SELECT id FROM USER WHERE name=' " . $safe_name . "';");
+ $id_ar = $id_db->fetchArray(SQLITE3_NUM);
+ $id = $id_ar[0];
+
+ /*Generates the new user and decrease the invites*/
+
+ $invite = $invite - 1;
+
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO user (id, name, email, senpai, key, status) VALUES (NULL, NULL, '" . $safe_email . "', '" . $id . "', '" . $key . "', 0);
+ UPDATE user SET invites='" . $invite . "' WHERE id='" . $id . "';
+ COMMIT;")
+ ){
+ $subject="Welcome, you were invited to the new virtual filesystem.\nYour key is" . $key . "\nVisit files.iamfabulous.de/register to complete your registration.";
+
+ mail($email, "Invite", $subject, "From: mail@iamfabulous.de");
+
+ header("Refresh: 0; /invite?reason=success");
+ return true;
+
+ } else {
+ header("Refresh: 0; /invite?reason=database");
+ return false;
+ }
+
+ } else {
+ header("Refresh: 0; /invite?reason=invites");
+ return false;
+ }
+ } else {
+ echo "Formular";
+ return false;
+ }
+}
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
new file mode 100644
index 0000000..f528076
--- /dev/null
+++ b/www/functions/func_login.php
@@ -0,0 +1,63 @@
+query("SELECT password FROM user WHERE name='" . $safe_username . "';");
+ while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
+ foreach($real_password_array as $secondelement){
+ $real_password=$secondelement;
+ }
+ }
+
+ /*___Login___*/
+ if (password_verify($password, $real_password)) {
+
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT datetime()) );
+ COMMIT;
+ ")){
+
+ $_SESSION["login"] = true;
+ $_SESSION["username"] = $username;
+
+ header("Refresh: 0; /");
+ return true;
+
+ } else {
+ header("Refresh: 0; login?reason=database&username=" . $username);
+ return false;
+ }
+ } else {
+ header("Refresh: 0; login?reason=failure&username=" . $username);
+ return false;
+ }
+ } else {
+ if($_SESSION["login"]){
+ header("Refresh: 0; /");
+ return false;
+ }
+ include("login.php");
+ return false;
+ }
+}
+
+function logout(){
+ $username=$_SESSION["username"];
+ if(session_destroy()){
+ header("Refresh: 0; login?reason=logout&username=" . $username);
+ return true;
+ } else {
+ return false;
+ }
+}
diff --git a/www/functions/func_register.php b/www/functions/func_register.php
new file mode 100644
index 0000000..3fc9949
--- /dev/null
+++ b/www/functions/func_register.php
@@ -0,0 +1,74 @@
+query("SELECT status FROM user WHERE email='" . $safe_email . "';");
+ $test_status_arr = $test_status_db->fetchArray(SQLITE3_NUM);
+ $test_status_int = $test_status_arr[0];
+
+ $test_key_db = $db->query("SELECT key FROM user WHERE email='" . $safe_email . "';");
+ $test_key_arr = $test_key_db->fetchArray(SQLITE3_NUM);
+ $test_key = $test_key_arr[0];
+
+ if (empty($test_status_db) || $test_status_int != 0 || $test_key != $_POST["key"] || $test_key == ""){
+ header("Refresh: 0; /register?reason=prohibited");
+ return false;
+ } else {
+
+ $id_db = $db->query("SELECT id FROM user WHERE email='" . $safe_email . "';");
+ $id_ar = $id_db->fetchArray(SQLITE3_NUM);
+ $id = $id_ar[0];
+
+ /*Generates the encrypted password and the database transactions*/
+
+ $pepper = file_get_contents("../database/pepper.txt");
+ $password = $password . $pepper;
+
+ $hash_password = password_hash($password, PASSWORD_DEFAULT);
+
+ if($db->exec("
+ BEGIN TRANSACTION;
+ UPDATE user SET name='" . $safe_name . "', password='" . $hash_password . "', invites=5, status=1, register=(SELECT datetime()) WHERE id=" . $id . ";
+ INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, $id, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, '');
+ COMMIT;")
+ ){
+ $_SESSION["login"] = true;
+ $_SESSION["username"] = $name;
+
+ return true;
+
+ } else {
+ header("Refresh: 0; /register?reason=database");
+ return false;
+ }
+ }
+
+ } else {
+ include("register.php");
+ return false;
+ }
+}
diff --git a/www/functions/func_rewrite.php b/www/functions/func_rewrite.php
new file mode 100644
index 0000000..5ca2171
--- /dev/null
+++ b/www/functions/func_rewrite.php
@@ -0,0 +1,31 @@
+query("SELECT id FROM user WHERE name='" . $name . "';");
+ $name_id_ar = $name_id_db->fetchArray(SQLITE3_NUM);
+
+ if(empty($name_id_ar)){
+
+ /* if first argument wasn't valid, rewrite the URL to include the username */
+
+ if($_SESSION["login"]){
+ header("Refresh: 0; /" . $_SESSION[username] . "/" . $_GET["name"] . "/" . $_GET["folder"] . "");
+ exit;
+ } else {
+
+ $wrong_folder = $_GET["name"];
+ $working_path = $_GET["name"];
+
+ get_404($working_path, $wrong_folder);
+ return false;
+ }
+ return false;
+ }
+
+ return true;
+}
+
diff --git a/www/functions/func_select.php b/www/functions/func_select.php
new file mode 100644
index 0000000..dc649f2
--- /dev/null
+++ b/www/functions/func_select.php
@@ -0,0 +1,79 @@
+query("SELECT id FROM user WHERE name='" . SQLite3::escapeString($user) . "';");
+ if(empty($owner_db)){
+ failure("This user doesn't exist.");
+ }
+
+ $owner_ar = $owner_db->fetchArray(SQLITE3_NUM);
+ $owner = $owner_ar[0];
+
+ $folder_array_unsafe = explode("/",$_GET["folder"]);
+ $length = count($folder_array_unsafe);
+
+ $root_db = $db->query("SELECT id FROM files WHERE parent=0 AND owner=" . $owner . " AND folder='DIRECTORY' " . $share . ";");
+ if(empty($root_db)){
+ failure("There is something seriously wrong. If you are a human you should never read this. Mail the admin please.");
+ }
+ $root_ar = $root_db->fetchArray(SQLITE3_NUM);
+ $root_id = $root_ar[0];
+ $parentdir = SQLite3::escapeString($root_id);
+ $temp_id = $root_id;
+
+ for($i=0; $i<$length; $i++){
+
+ if(!empty($folder_array_unsafe[$i])){
+ $parentdir_db = $db->query("SELECT id, parent FROM files WHERE owner=" . $owner . " AND folder='DIRECTORY' " . $share . " AND parent=" . $parentdir . " AND name='" . SQLite3::escapeString($folder_array_unsafe[$i]) . "';");
+ if(empty($parentdir_db)){
+ failure("Database error.");
+ }
+ $prim_id = $parentdir_db->fetchArray(SQLITE3_NUM);
+ if($parentdir != $prim_id[1]){
+
+ $wrong_folder = $folder_array_unsafe[$i];
+ $working_path[0] = $wrong_folder;
+
+ for($j=0; $j<$i; $j++){
+ $working_path[$j] = $folder_array_unsafe[$j];
+ }
+
+ get_404($working_path, $wrong_folder);
+ return false;
+ }
+
+ $parentdir = $prim_id[0];
+ }
+ }
+
+ $content_db = $db->query("SELECT * FROM files WHERE parent=" . $parentdir . " AND owner=" . $owner . ";");
+
+ $count=0;
+ while($row = $content_db->fetchArray(SQLITE3_NUM)){
+ $content[$count][0] = $row[0];
+ $content[$count][1] = $row[1];
+ $content[$count][2] = $row[2];
+ $content[$count][3] = $row[3];
+ $content[$count][4] = $row[4];
+ $content[$count][5] = $row[5];
+ $content[$count][6] = $row[6];
+ $content[$count][7] = $row[7];
+ $content[$count][8] = $row[8];
+ //echo "" . $content[$count][3] . "
";
+ $count++;
+ }
+
+ return $content;
+
+}
diff --git a/www/functions/func_user.php b/www/functions/func_user.php
new file mode 100644
index 0000000..2e49651
--- /dev/null
+++ b/www/functions/func_user.php
@@ -0,0 +1,13 @@
+query("SELECT invites FROM user WHERE name='" . $safe_name . "';");
+ $invite_ar = $invite_db->fetchArray(SQLITE3_NUM);
+ $invite = $invite_ar[0];
+
+ echo "
";
+ echo "You have currently $invite invites.
";
+ return true;
+}
+
--
cgit v1.2.3