From 99e60dae1bb5825a426852860e67b9d00e124161 Mon Sep 17 00:00:00 2001
From: Horus3
Date: Sun, 16 Mar 2014 17:58:05 +0100
Subject: Redesigned login and register function.

---
 www/functions/func_login.php    | 71 ++++++++++++--------------------
 www/functions/func_register.php | 91 +++++++++++++++++++----------------------
 2 files changed, 69 insertions(+), 93 deletions(-)

(limited to 'www/functions')

diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index 46bb6d0..a09b198 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -1,65 +1,48 @@
 <?php
 function login($db){
-        if($_SERVER['REQUEST_METHOD'] == 'POST') {
 
         /*___Database Query: Login___*/
-                $username = $_POST["username"];
-                $password = $_POST["password"];
-                $safe_username = SQLite3::escapeString("$username");
+	$username = $_POST["username"];
+        $password = $_POST["password"];
+        $safe_username = SQLite3::escapeString("$username");
 
-		//$hash = password_hash($_GET["password"], PASSWORD_DEFAULT);
+	$pepper = file_get_contents("../database/pepper.txt");
+	$password = $password . $pepper;
 
-		$pepper = file_get_contents("../database/pepper.txt");
-		$password = $password . $pepper;
-
-                $real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';");
-                while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
-                         foreach($real_password_array as $secondelement){
-                                $real_password=$secondelement;
-                        }   
+        $real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';");
+        while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
+        	foreach($real_password_array as $secondelement){
+                	$real_password=$secondelement;
                 }   
+	}   
 
         /*___Login___*/
-                if (password_verify($password, $real_password)) {
+        if (!password_verify($password, $real_password)) {
+		return "failure";
+	}
 
-                        if($db->exec("
-                                BEGIN TRANSACTION;
-                                INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT datetime()) );
-                                COMMIT;
-                        ")){
-				$id = user($db, $username);
+        if($db->exec("
+        	BEGIN TRANSACTION;
+                INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT datetime()) );
+                COMMIT;
+	")){
 
-                                $_SESSION["login"] = true;
-                                $_SESSION["username"] = $username;
-				$_SESSION["userid"] = $id;
+		$id = user($db, $username);
 
-				header("Refresh: 0; /");
-				return true; 
+                $_SESSION["login"] = true;
+                $_SESSION["username"] = $username;
+		$_SESSION["userid"] = $id;
 
-                        } else {
-                                header("Refresh: 0; login?reason=database&username=" . $username);
-				return false;
-                        }   
-                } else {
-                        header("Refresh: 0; login?reason=failure&username=" . $username);
-			return false;
-                }   
-        } else {
-                if($_SESSION["login"]){
-                        header("Refresh: 0; /");
-			return false;
-                } 
+		return "success"; 
 
-		include("login.php");
-		return false;
-	}
+	} else {
+		return "database";
+	}   
 }
 
 function logout(){
-        $username=$_SESSION["username"];
         if(session_destroy()){
-                header("Refresh: 0; login?reason=logout&username=" . $username);
-                return true;
+                return "logout";
         } else {
                 return false;
         }   
diff --git a/www/functions/func_register.php b/www/functions/func_register.php
index 690e5d6..0555470 100755
--- a/www/functions/func_register.php
+++ b/www/functions/func_register.php
@@ -1,73 +1,66 @@
 <?php
 function register($db){
-        if($_SERVER['REQUEST_METHOD'] == 'POST') {
 
-                $name = $_POST["username"];
-                $cleartext_password = $_POST["pswd"];
-                $second_password = $_POST["2ndpswd"];
-                $email = $_POST["email"];
+	$name = $_POST["username"];
+        $cleartext_password = $_POST["pswd"];
+        $second_password = $_POST["2ndpswd"];
+        $email = $_POST["email"];
 
         /* checking for empty password etc. */
 
-                if(($cleartext_password != $second_password) || !isset($_POST["pswd"]) || !isset($_POST["2ndpswd"]) || $cleartext_password == "" || empty($_POST["pswd"]) || empty($_POST["2ndpswd"])){
-                        header("Refresh: 0; /register?reason=password");
-			return false;
-                }   
+        if(($cleartext_password != $second_password) || !isset($_POST["pswd"]) || !isset($_POST["2ndpswd"]) || $cleartext_password == "" || empty($_POST["pswd"]) || empty($_POST["2ndpswd"])){
+		return "password";
+	}   
 
-                if(!preg_match("/[^.+@.+]/", $email)){
-                        header("Refresh: 0; /register?reason=encoding");
-			return false;
-                }   
+	if(!preg_match("/[^.+@.+]/", $email)){
+		return "encoding";
+	}   
 
-                $safe_name =  SQLite3::escapeString("$name");
-                $safe_email =  SQLite3::escapeString("$email");
+        $safe_name =  SQLite3::escapeString("$name");
+        $safe_email =  SQLite3::escapeString("$email");
 
         /*Checks the validation of the registration attempt*/
 
-                $test_status_db = $db->query("SELECT status FROM user WHERE email='" . $safe_email . "';");
-                $test_status_ar = $test_status_db->fetchArray(SQLITE3_NUM);
-                $test_status_int = $test_status_ar[0];
+        $test_status_db = $db->query("SELECT status FROM user WHERE email='" . $safe_email . "';");
+        $test_status_ar = $test_status_db->fetchArray(SQLITE3_NUM);
+        $test_status_int = $test_status_ar[0];
 
-                $test_key_db = $db->query("SELECT key FROM user WHERE email='" . $safe_email . "';");
-                $test_key_ar = $test_key_db->fetchArray(SQLITE3_NUM);
-                $test_key = $test_key_ar[0];
+        $test_key_db = $db->query("SELECT key FROM user WHERE email='" . $safe_email . "';");
+        $test_key_ar = $test_key_db->fetchArray(SQLITE3_NUM);
+        $test_key = $test_key_ar[0];
 
-                if (empty($test_status_ar) || $test_status_int != 0 || $test_key != $_POST["key"] || $test_key == ""){
-                        header("Refresh: 0; /register?reason=prohibited");
-			return false;
-                } else {
+        if (empty($test_status_ar) || $test_status_int != 0 || $test_key != $_POST["key"] || $test_key == ""){
+		return "prohibited";
+	}
 
-                        $id_db = $db->query("SELECT id FROM user WHERE email='" . $safe_email . "';");
-                        $id_ar = $id_db->fetchArray(SQLITE3_NUM);
-                        $id = $id_ar[0];
+        $id_db = $db->query("SELECT id FROM user WHERE email='" . $safe_email . "';");
+        $id_ar = $id_db->fetchArray(SQLITE3_NUM);
+        $id = $id_ar[0];
 
         /*Generates the encrypted password and the database transactions*/
 
-			$pepper = file_get_contents("../database/pepper.txt");
-			$password = $cleartext_password . $pepper;
+	$pepper = file_get_contents("../database/pepper.txt");
+	$password = $cleartext_password . $pepper;
+
+	$hash_password = password_hash($password, PASSWORD_DEFAULT);
 
-			$hash_password = password_hash($password, PASSWORD_DEFAULT);
+        if($db->exec("
+		BEGIN TRANSACTION;
+                UPDATE user SET name='" . $safe_name . "', password='" . $hash_password . "', invites=5, status=1, register=(SELECT datetime()) WHERE id=" . $id . ";
+                INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, $id, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, '');
+                COMMIT;")
+	){
 
-                        if($db->exec("
-				BEGIN TRANSACTION;
-                                UPDATE user SET name='" . $safe_name . "', password='" . $hash_password . "', invites=5, status=1, register=(SELECT datetime()) WHERE id=" . $id . ";
-                                INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, $id, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, '');
-                                COMMIT;")
-                        ){
-                                $_SESSION["login"] = true;
-                                $_SESSION["username"] = $name;
+		$userid = user($db, $safe_name);
 
-				header("Refresh: 0; /");
-				return true;
+        	$_SESSION["login"] = true;
+                $_SESSION["username"] = $name;
+		$_SESSION["userid"] = $userid;
 
-                        } else {
-                                header("Refresh: 0; /register?reason=database");
-				return false;
-                        }
-                }
+		return "success";
 
-        } else {
-		include("register.php");
-		return false;
+	} else {
+		return "database";
 	}
+
 }
-- 
cgit v1.2.3