Diffstat (limited to 'bootstrap/action.php')
| -rw-r--r-- | bootstrap/action.php | 211 |
1 files changed, 0 insertions, 211 deletions
diff --git a/bootstrap/action.php b/bootstrap/action.php
deleted file mode 100644
index a52d471..0000000
--- a/bootstrap/action.php
+++ /dev/null
@@ -1,211 +0,0 @@
-<?php
-if ( ! isset($_GET["page"]) || $_GET["page"] != "action" ){
- header($_SERVER["SERVER_PROTOCOL"] . " 404 Not Found");
- ob_clean();
- exit;
-}
-
-if ( ! isset($_GET["task"]) || $_GET["task"] == "" ){
- header($_SERVER["SERVER_PROTOCOL"] . "400 Wrong Request");
- header("Location: /?page=index");
- ob_clean();
- exit;
-}
-
-switch($_GET["task"]){
- case("login"):
- if ( $_SERVER['REQUEST_METHOD'] != 'POST' ){
- header($_SERVER["SERVER_PROTOCOL"] . " 405 Method Not Allowed");
- ob_clean();
- echo "Method not allowed";
- exit;
- }
- if ( ! isset($_POST["name"]) || $_POST["name"] == "" || ! isset($_POST["password"]) || $_POST["password"] == "" ){
- print_login("missing");
- } else if ( $user->login($_POST["name"], $_POST["password"]) ){
- header($_SERVER["SERVER_PROTOCOL"] . " 302 Moved");
- header("Location: /?page=" . $_GET["goto"]);
- ob_clean();
- exit;
- } else {
- print_login("password");
- }
- break;
-
- case("register"):
- if ( $_SERVER['REQUEST_METHOD'] != 'POST' ){
- header($_SERVER["SERVER_PROTOCOL"] . " 405 Method Not Allowed");
- ob_clean();
- echo "Method not allowed";
- exit;
- }
- if ( ! isset($_POST["name"]) || $_POST["name"] == "" || ! isset($_POST["password"]) || $_POST["password"] == "" || ! isset($_POST["confirm"]) || $_POST["confirm"] == "" || ! isset($_POST["key"])){
- print_login("missing");
- }
- else if ( $_POST["key"] != INVITEKEY ){
- print_login("key");
- }
- else if ( $_POST["password"] != $_POST["confirm"]){
- print_login("password");
- } else {
- if ( ! isset($_POST["email"]) || $_POST["email"] == "" ){
- $email = "null";
- $sql = $db->prepare("SELECT 1 FROM " . DBPREFIX . "user WHERE name = %s LIMIT 1;", $_POST["name"]);
- }
- else {
- $email = $_POST["email"];
- $sql = $db->prepare("SELECT 1 FROM " . DBPREFIX . "user WHERE name = %s OR email = %s LIMIT 1", $_POST["name"], $_POST["email"]);
- }
- $check_db = $db->doQuery($sql);
- $check_ar = $check_db->fetch_array(MYSQLI_NUM);
- if ( $check_ar[0] == 1) {
- print_login("double");
- } else {
- if ( ! $user->register($_POST["name"], $_POST["password"], $email))
- print_login("database");
- else {
- header($_SERVER["SERVER_PROTOCOL"] . " 302 Moved");
- header("Location: /?page=" . $_GET["goto"]);
- ob_clean();
- exit;
- }
- }
- }
- break;
-
- case("update"):
- if ( $_SERVER['REQUEST_METHOD'] != 'POST' ){
- header($_SERVER["SERVER_PROTOCOL"] . " 405 Method Not Allowed");
- ob_clean();
- echo "Method not allowed";
- exit;
- }
- if ( ! isset($_GET["id"]) || $_GET["id"] == 0 || $_GET["id"] == "" ){
- print_list("update");
- } else {
- $sql = $db->prepare("UPDATE " . DBPREFIX . "member SET name = %s, adresse = %s, telefonnummer = %s, handynummer = %s, email = %s, geburtstag = %s WHERE member_id = %d;",
- $_POST["name"], $_POST["adresse"], $_POST["telefonnummer"], $_POST["handynummer"], $_POST["email"], $_POST["geburtstag"], $_GET["id"]
- );
- if ( ! $sql ){
- ob_clean();
- echo "SQL preparation failed.";
- exit;
- }
- if ( $result = $db->doQuery($sql) ){
- header($_SERVER["SERVER_PROTOCOL"] . " 302 Moved");
- header("Location: /?page=" . $_GET["goto"]);
- $c->flush();
- }
- }
- break;
-
- case("add"):
- if ( $_SERVER['REQUEST_METHOD'] != 'POST' ){
- header($_SERVER["SERVER_PROTOCOL"] . " 405 Method Not Allowed");
- echo "Method not allowed";
- exit;
- }
- $sql = $db->prepare("INSERT INTO " . DBPREFIX . "member (member_id, name, adresse, telefonnummer, handynummer, email, geburtstag) VALUES (NULL, %s, %s, %s, %s, %s, %s);",
- $_POST["name"], $_POST["adresse"], $_POST["telefonnummer"], $_POST["handynummer"], $_POST["email"], $_POST["geburtstag"]
- );
- if ( ! $sql ){
- echo "SQL preparation failed.";
- exit;
- }
- if ( $result = $db->doQuery($sql) ){
- header($_SERVER["SERVER_PROTOCOL"] . " 302 Moved");
- header("Location: /?page=" . $_GET["goto"]);
- $c->flush($_GET["_flush"]);
- }
- break;
- case("account"):
- if ( $_SERVER['REQUEST_METHOD'] != 'POST' ){
- header($_SERVER["SERVER_PROTOCOL"] . " 405 Method Not Allowed");
- echo "Method not allowed";
- exit;
- }
- if ( ! isset($_POST["name"]) || $_POST["name"] == "" || ! isset($_POST["confirm"]) || $_POST["confirm"] == ""){
- print_account("info");
- } else if ( ! isset($_POST["email"]) ){
- $_POST["email"] = "";
- } else if ( ! password_verify($_POST["confirm"] . PEPPER , $user->getPassword()) ) {
- print_account("password");
- } else {
- $sql = false;
- $check_ar[0] = 0;
- if ( $_POST["name"] != $_SESSION["username"]){
-
- if ( isset($_POST["email"]) && $_POST["email"] != "" && $_POST["email"] != $user->getEmail() )
- $sql = $db->prepare("SELECT 1 FROM " . DBPREFIX ."user WHERE name = %s OR email = %s ;", $_POST["name"], $_POST["email"]);
- else
- $sql = $db->prepare("SELECT 1 FROM " . DBPREFIX ."user WHERE name = %s ;", $_POST["name"]);
-
- } else if ( isset($_POST["email"]) && $_POST["email"] != "" && $_POST["email"] != $user->getEmail() ){
- $sql = $db->prepare("SELECT 1 FROM " . DBPREFIX ."user WHERE email = %s ;", $_POST["email"]);
-
- } else if ( $_POST["password"] == "" ){
- redirect("account");
- }
-
- if ( $sql ){
- $check_db = $db->doQuery($sql);
- $check_ar = $check_db->fetch_array(MYSQLI_NUM);
- }
-
- if ( $check_ar[0] == 1){
- print_account("double");
- } else {
- if ( $_POST["password"] != $_POST["confirm"] && $_POST["password"] != "" ){
- $sql = $db->prepare("UPDATE " . DBPREFIX . "user SET name = %s, password = %s, email = %s WHERE id = %d;", $_POST["name"] , password_hash($_POST["password"]. PEPPER, PASSWORD_DEFAULT), $_POST["email"], $_SESSION["userid"]);
- } else
- $sql = $db->prepare("UPDATE " . DBPREFIX . "user SET name = %s, email = %s WHERE id = %d;", $_POST["name"], $_POST["email"], $_SESSION["userid"]);
- if ( ! $db->doQuery($sql) ){
-
- echo $sql;
- print_account("database");
- } else
- $_SESSION["username"] = $_POST["name"];
- redirect("account&success=1");
- }
- }
- break;
- case("recover"):
- if ( $_SERVER['REQUEST_METHOD'] != 'POST' ){
- header($_SERVER["SERVER_PROTOCOL"] . " 405 Method Not Allowed");
- echo "Method not allowed";
- exit;
- }
- $sql = $db->prepare("SELECT 1, name FROM " . DBPREFIX . "user WHERE email = %s ;", $_POST["email"]);
- $result_db = $db->doQuery($sql);
- $result_ar = $result_db->fetch_array(MYSQLI_NUM);
- if ( $result_ar[0] == 1){
-
- $arr = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "_", "-");
- $password = "";
- $l = count($arr) -1 ;
- for ($i=0;$i<10;$i++){
- $r = mt_rand(0, $l);
- $password.=$arr[$r];
- }
-
- $hash = password_hash($password . PEPPER, PASSWORD_DEFAULT);
- $sql = $db->prepare("UPDATE " . DBPREFIX . "user SET password = %s WHERE email = %s ;", $hash, $_POST["email"]);
- if ( ! $db->doQuery($sql) )
- redirect("recover&track=0");
-
- $body =
-"Hello,
-someone requested a new password for '".$result_ar[1]."' on https://jungegemeinde.iamfabulous.de.
-The new password is '". $password ."'. Remember to change it immediately at https://jungegemeinde.iamfabulous.de/?page=account after successfull login.
-
-Kindly regards,
-JG Adlershof";
-
- // header injection
- mail($_POST["email"], "JG: Passwort Reset", $body, "From: JG Adlershof <noreply@jungegemeinde.iamfabulous.de>\r\n" );
- redirect("recover&track=1");
- } else {
- redirect("recover&track=0");
- }
- break;
-}
