path: root/www/functions/func_register.php
<?
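function register($db){
        /*
         * Handles the registration form.
         *
         * GET (anything but POST): renders register.php and returns false.
         * POST: validates the form fields, checks that the e-mail address is still
         * unregistered (status 0) and carries an invite key equal to the submitted
         * one, stores the peppered password hash, creates the user's root folder
         * in `files` and marks the session as logged in. Returns true only in
         * that last case; every failure returns false after sending the same
         * "Refresh" header as before, so the reason strings the pages rely on
         * are unchanged.
         *
         * $db: an SQLite3 connection (prepared statements and the SQLITE3_*
         * constants are used instead of escapeString() plus concatenation).
         */
        if ($_SERVER['REQUEST_METHOD'] != 'POST') {
                include("register.php");
                return false;
        }

        /* Missing or non-string fields become '' so a crafted `pswd[]=` style
         * submission cannot reach preg_match() with an array. */
        $name               = register_post_string("username");
        $cleartext_password = register_post_string("pswd");
        $second_password    = register_post_string("2ndpswd");
        $email              = register_post_string("email");
        $invite_key         = register_post_string("key");

        /* Both password fields must be present, non-empty and byte-identical
         * (strict comparison: "1e3" and "1000" are loosely equal in PHP). */
        if ($cleartext_password === "" || $second_password === "" || $cleartext_password !== $second_password) {
                header("Refresh: 0; register?reason=password");
                return false;
        }

        /* TODO: allow full unicode */
        if (preg_match("/[^-_0-9a-zA-Z]/", $name) || preg_match("/[^-_0-9a-zA-Z]/", $cleartext_password) || preg_match("/[^-_0-9a-zA-Z@.]/", $email)) {
                header("Refresh: 0; register?reason=encoding");
                return false;
        }

        /* One prepared lookup replaces the three separate SELECTs on the same
         * address; a failed query is treated like an unknown address, as before. */
        $row = false;
        $lookup = $db->prepare("SELECT id, status, key FROM user WHERE email = :email;");
        if ($lookup !== false) {
                $lookup->bindValue(':email', $email, SQLITE3_TEXT);
                $result = $lookup->execute();
                if ($result !== false) {
                        $row = $result->fetchArray(SQLITE3_ASSOC);
                }
        }

        /* The address must exist, still have status 0 and carry a non-empty key
         * equal to the submitted one. hash_equals() replaces the loose `!=`
         * (type juggling on numeric-looking keys) and is constant-time. */
        $stored_key = ($row !== false && isset($row['key'])) ? (string)$row['key'] : "";
        if ($row === false || (int)$row['status'] !== 0 || $stored_key === "" || !hash_equals($stored_key, $invite_key)) {
                header("Refresh: 0; /register?reason=prohibited");
                return false;
        }
        $id = (int)$row['id'];

        /* Fail closed when the pepper cannot be read: continuing would silently
         * store hashes that were computed without it. */
        $pepper = file_get_contents("../database/pepper.txt");
        if ($pepper === false) {
                header("Refresh: 0; /register?reason=database");
                return false;
        }

        /* The previous version concatenated an undefined $password with the
         * pepper, i.e. it hashed the pepper alone; accounts registered by that
         * code may still carry such hashes. Order stays password-then-pepper so
         * the verifying side is unaffected. NOTE(review): PASSWORD_DEFAULT is
         * bcrypt on current PHP, which only uses the first 72 bytes, so a very
         * long password pushes the pepper past that limit — confirm the length
         * policy. */
        $hash_password = password_hash($cleartext_password . $pepper, PASSWORD_DEFAULT);

        /* Each statement runs on its own so a failure can be rolled back; the
         * old single multi-statement exec() left the transaction open when one
         * statement failed. NOTE(review): the `files` column list names `size`
         * twice, exactly as the original did — confirm against the schema. */
        $begun = $db->exec("BEGIN TRANSACTION;");
        $ok = $begun;
        if ($ok) {
                $update = $db->prepare("UPDATE user SET name = :name, password = :password, invites = 5, status = 1, register = (SELECT datetime()) WHERE id = :id;");
                $ok = ($update !== false)
                        && $update->bindValue(':name', $name, SQLITE3_TEXT)
                        && $update->bindValue(':password', $hash_password, SQLITE3_TEXT)
                        && $update->bindValue(':id', $id, SQLITE3_INTEGER)
                        && ($update->execute() !== false);
        }
        if ($ok) {
                $insert = $db->prepare("INSERT INTO files (id, parent, owner, name, folder, mime, size, share, size, hash) VALUES (NULL, 0, :owner, '/', 'DIRECTORY', NULL, NULL, 'PUBLIC', 0, '');");
                $ok = ($insert !== false)
                        && $insert->bindValue(':owner', $id, SQLITE3_INTEGER)
                        && ($insert->execute() !== false);
        }
        if ($ok) {
                $ok = $db->exec("COMMIT;");
        }
        if (!$ok) {
                if ($begun) {
                        $db->exec("ROLLBACK;");
                }
                header("Refresh: 0; /register?reason=database");
                return false;
        }

        /* Privilege change: issue a fresh session id so an id fixed before
         * registration is not carried into the logged-in session. */
        if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
        }
        $_SESSION["login"] = true;
        $_SESSION["username"] = $name;
        return true;
}

/* Returns $_POST[$key] when it is present and a string, otherwise ''. */
function register_post_string($key) {
        return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : "";
}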