authorHorus32014-09-21 23:41:43 +0200
committerHorus32014-09-21 23:41:43 +0200
commit2eea1457e674e7ebb8a82bf6fd1a079f76a7632f (patch)
tree404b5666e3de94eff30589e5ab3f8b89ded7e15f /public_html
parent2e3b69609088e37f5a716cfc8ad752f5ff0e7a90 (diff)
using WordPress escape() function in the database layer now
Diffstat (limited to 'public_html')
-rw-r--r--public_html/class/mysql.php71
-rw-r--r--public_html/class/vfsuser.php108
-rw-r--r--public_html/functions.php10
-rw-r--r--public_html/vfs_bootstrap.php1
-rw-r--r--public_html/vfs_config.php3
5 files changed, 163 insertions, 30 deletions
diff --git a/public_html/class/mysql.php b/public_html/class/mysql.php
index 0fb46bb..0844eaa 100644
--- a/public_html/class/mysql.php
+++ b/public_html/class/mysql.php
@@ -16,7 +16,7 @@ class vfsdb {
}
if ( $this->db->connect_errno() ){
- failure("<p>Can't connect to the database. MySQL gave this error code: ".$this->db->connect_errno . "</p>", '500 Server Failure', false, '<h1>Connection to MySQL server failed.</h1>');
+ failure("<p>Can't connect to the database. MySQL gave this error code: " . $this->db->connect_errno . "</p>", '500 Server Failure', false, '<h1>Connection to MySQL server failed.</h1>');
}
if ( ! $this->db->ping() ){
@@ -41,23 +41,74 @@ class vfsdb {
return true;
}
- private function _prepare($sql){
- if ( is_null($sql) || $sql == "")
+ # does a single MySQL query with output (SELECT, INSERT, UPDATE... )
+ public function doQuery($string){
+ if ( ! $this->check() )
return false;
- return $this->db->real_escape_string($sql);
+ return $this->db->query($sql);
}
- public function doQuery($string){
+ # does multiple queries WITHOUT output (INSERT, UPDATE, DELETE... )
+ public function execMultipleQueries($sql){
if ( ! $this->check() )
- failure("<p>Can't reach MySQL server. Server says: ". $this->db->error . "</p>", '500 Server Failure', false, "<h1>Can't reach MySQL server!</h1>")
+ return false;
- $sql = _prepare($string);
- if ( ! $sql )
+ $result = $this->db->multi_query($sql);
+ if ( ! $result )
return false;
- return $this->db->query($sql);
+ do {
+ if( ! $this->db->more_results() )
+ break;
+ if ( ! $this->db->next_result() ){
+ if ( $this->db->error != "" ){
+ $res->free();
+ return false;
+ }
+ }
+ } while (true);
+
+ return true;
+ }
+
+ # code by WordPress. See @link https://core.trac.wordpress.org/browser/branches/4.0/src/wp-includes/wp-db.php#L1154
+ # syntax like sprintf()
+ public function prepare( $query, $args ) {
+ if ( is_null( $query ) )
+ return;
+
+ // This is not meant to be foolproof -- but it will catch obviously incorrect usage.
+ if ( strpos( $query, '%' ) === false ) {
+ return false;
+ }
+
+ $args = func_get_args();
+ array_shift( $args );
+
+ // If args were passed as an array (as in vsprintf), move them up
+ if ( isset( $args[0] ) && is_array($args[0]) )
+ $args = $args[0];
+
+ $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
+ $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
+ $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
+ $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
+
+ array_walk( $args, array( $this, '_escape_by_ref' ) );
+
+ return @vsprintf( $query, $args );
+ }
+
+ private function _escape_by_ref( &$string ){
+ if ( ! is_float( $string ) )
+ $string = $this->_real_escape( $string );
+ }
+
+ private function _real_escape( $string ){
+ return $this->db->real_escape_string($string);
}
+ # WordPress End
public function createTables(){
$user_table =
@@ -103,7 +154,7 @@ class vfsdb {
)
ENGINE=InnoDB;';
- if ( ! $this->db->query($user_table . ' ' . $files_table . ' ' . $banned_user_table) )
+ if ( ! $this->execMultipleQueries('BEGIN; '. $user_table . ' ' . $files_table . ' ' . $banned_user_table . ' END;') )
failure("<p>There was a problem during bootstrapping the database schema. " . $this->db->error . "</p>", '500 Server Failure', false, "<h1>CREATE TABLE FAILED</h1>");
}
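Review bot: `doQuery()` takes `$string` but executes `$this->db->query($sql)`, and `$sql` is never assigned in that method, so every caller's query runs as `query(null)` and returns false; it should be `return $this->db->query($string);`. In `execMultipleQueries()` the error path does `$res->free()` on an undefined `$res`, so a failing statement turns into a fatal error instead of the intended `return false` — drop that line (nothing was stored from `next_result()`). The `createTables()` call wraps the DDL in `'BEGIN; … END;'`, but `END` is not a transaction terminator in MySQL (and `CREATE TABLE` commits implicitly anyway), so the schema bootstrap will now fail on a syntax error; use `COMMIT;` or drop the wrapper. Finally, `real_escape_string()` is only a safe quoting primitive when the connection charset was set with `set_charset()` — the connection setup is outside this hunk, so please confirm it does so.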
diff --git a/public_html/class/vfsuser.php b/public_html/class/vfsuser.php
index 931c53c..e3767b8 100644
--- a/public_html/class/vfsuser.php
+++ b/public_html/class/vfsuser.php
@@ -3,21 +3,18 @@
class vfsuser {
public $username;
- public $login = false;
+ public $login = false;
private $pepper;
- private $query = false;
+ private $query = false;
public function __construct($name){
$this->username = $name;
if ( isset($_SESSION["loggedin"]) )
$this->login = $_SESSION["loggedin"];
-
- if ( PEPPER_IS_FILE )
- $this->pepper=file_get_contents(PEPPER);
- else
- $this->pepper=PEPPER;
+
+ $this->_setPepper();
$this->_setQuery();
}
@@ -26,11 +23,19 @@ class vfsuser {
private function _setQuery(){
global $vfsdb;
- $db_db = $vfsdb->doQuery("SELECT * FROM " . DBPREFIX . "user WHERE name='" . $this->username . "';");
+ $sql = $vfsdv->prepare("SELECT * FROM " . DBPREFIX . "user WHERE name=%s;", $this->username);
+ $db_db = $vfsdb->doQuery($sql);
if ( is_bool($db_db) )
- $this->query=false;
+ $this->query = false;
+ else
+ $this->query = $db_db->fetch_array(MYSQLI_ASSOC);
+ }
+
+ private function _setPepper(){
+ if ( PEPPER_IS_FILE )
+ $this->pepper = file_get_contents(PEPPER);
else
- $this->query=$db_db->fetch_array(MYSQLI_ASSOC);
+ $this->pepper = PEPPER;
}
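Review bot: `_setQuery()` now calls `$vfsdv->prepare(...)`, but the variable pulled in with `global` is `$vfsdb`; `$vfsdv` is undefined, so constructing any `vfsuser` fatals with a call on null and the lookup never runs. The line should read `$sql = $vfsdb->prepare("SELECT * FROM " . DBPREFIX . "user WHERE name=%s;", $this->username);`. In `_setPepper()`, `file_get_contents(PEPPER)` can return false on a missing or unreadable file, which would silently hash every password with an empty pepper; check the return (`if ( $this->pepper === false ) failure(...)`) and decide explicitly whether a trailing newline in the file is part of the secret.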
public function getUser(){
@@ -69,17 +74,21 @@ class vfsuser {
return $this->query['inviter'];
}
+ # check if valid user
+ publlic function isValidUser(){
+ if( ( is_bool($this->query) && ! $this->query ) || is_null($this->query) )
+ return false
+
+ return true;
+ }
+
# check if current user is authenticated
public function isLoggedIn(){
return $this->login;
}
- public function login($password, $second_password){
+ public function login($password){
- # check if both passwords the same
- if ( $password != $second_password)
- return false;
-
# get hashed password from the database
$hashed_password = $this->getPassword();
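Review bot: `isValidUser()` cannot parse as written: the visibility keyword is misspelled `publlic` and `return false` lacks a semicolon, so the whole class file is a fatal parse error and nothing in this commit can run. The method should read `public function isValidUser(){` with `return false;`; the condition itself reduces to `return ! ( $this->query === false || $this->query === null );`. Dropping the second-password comparison from `login()` is reasonable for a login path as long as the registration form handler still performs it; `login()`'s body continues outside the hunk.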
@@ -117,4 +126,73 @@ class vfsuser {
return true;
}
+
+ public function register($name, $password, $email){
+ global $vfsdb;
+
+ $sql = $vfsdb->prepare("SELECT 1 FROM " . DBPREFIX . "user WHERE name=%s;", $name);
+ $double_db = $vfsdb->doQuery($sql);
+ $double_ar = $double_db->fetch_array(MYSQLI_NUM);
+ if ( $double_ar[0] == 1 )
+ return false;
+
+ $sql = $vfsdb->prepare("SELECT id FROM " . DBPREFIX . "user WHERE email=%s;", $email);
+ $id_db = $vfsdb->doQuery($sql);
+ $id_ar = $id_db->fetch_array(MYSQLI_ASSOC);
+ $id = $id_ar['id'];
+
+ $password = $password . PEPPER;
+ $hash = password_hash($password, PASSWORD_DEFAULT);
+
+ $sql = $vfsdb->prepare("
+ UPDATE user SET
+ name=%s,
+ password=%s,
+ invites=%d',
+ status=1,
+ register=%d,
+ color_folder='DEFAULT',
+ color_file='DEFAULT'
+ WHERE id=%d;
+
+ INSERT INTO files (
+ files_id,
+ parent,
+ owner,
+ name,
+ type,
+ mime,
+ size,
+ visibility,
+ hash )
+ VALUES (
+ NULL,
+ 0,
+ %d,
+ '/',
+ 'DIRECTORY',
+ NULL,
+ NULL,
+ 'PUBLIC',
+ ''
+ );", $name, $hash, INVITES_DEFAULT, time(), $id, $id);
+
+ if ( ! $vfsdb->execMultipleQueries($sql) )
+ return false;
+
+ # the user is successfull registered, thus already logged in
+ $this->username = $name;
+
+ # redefine the class attributes
+ $this->_setPepper();
+ $this->_setQuery();
+
+ $this->login($password);
+
+ return true;
+ }
+
+ public function __destruct(){
+ return true;
+ }
}
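Review bot: `register()` cannot complete as written: the multi-statement uses bare `user` and `files` instead of `DBPREFIX . "user"` / `"files"` like every other query in the class, and `invites=%d',` carries a stray quote, so the UPDATE/INSERT is a syntax error against tables that do not exist. It also never checks that the email lookup returned a row: with no invited row `$id` is null, `%d` renders it as 0, the INSERT still creates a root directory owned by 0, and the method returns true and attempts a login. The pepper is appended as the `PEPPER` constant rather than `$this->pepper`, so with `PEPPER_IS_FILE` the hash is computed with the file path instead of its contents — if `login()` verifies with `$this->pepper` (its body is outside the hunk) registered users could never log in, and `$this->login($password)` is additionally handed the already-peppered string. The name-uniqueness check is check-then-write with no UNIQUE constraint visible here, so two concurrent registrations can both pass; a unique index on `name` is the robust fix. Rewritten lines below; the rest of the statement is unchanged.
```php
        $sql = $vfsdb->prepare("SELECT id FROM " . DBPREFIX . "user WHERE email=%s;", $email);
        $id_db = $vfsdb->doQuery($sql);
        $id_ar = is_bool($id_db) ? null : $id_db->fetch_array(MYSQLI_ASSOC);
        # refuse when no pre-created (invited) row exists instead of updating id 0
        if ( $id_ar === null || ! isset($id_ar['id']) )
            return false;
        $id = (int) $id_ar['id'];

        # same pepper as the login path (file contents when PEPPER_IS_FILE)
        $hash = password_hash($password . $this->pepper, PASSWORD_DEFAULT);

        $sql = $vfsdb->prepare("
            UPDATE " . DBPREFIX . "user SET
                name=%s,
                password=%s,
                invites=%d,
                -- … unchanged: status, register, color_folder, color_file …
            WHERE id=%d;

            INSERT INTO " . DBPREFIX . "files (
                -- … unchanged: column list and VALUES …
            );", $name, $hash, INVITES_DEFAULT, time(), $id, $id);

        # … unchanged: execMultipleQueries, _setPepper/_setQuery, then login with the raw $password …
```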
diff --git a/public_html/functions.php b/public_html/functions.php
index 51979da..8c998fc 100644
--- a/public_html/functions.php
+++ b/public_html/functions.php
@@ -3,21 +3,21 @@
function failure($reason, $httpcode, $ajax = true, $heading = NULL){
# send header with $httpcode
- header($_SERVER['SERVER_PROTOCOL'] . " " . $httpcode)
+ header($_SERVER['SERVER_PROTOCOL'] . " " . $httpcode);
# just echo the reason to the ajax response
if($ajax){
- echo htmlentities($reason);
- exit
+ echo $reason;
+ exit;
}
// TODO: Put pretty HTML here, please
# print full error page
if($heading != NULL)
- echo htmlentities($heading);
+ echo $heading;
- echo htmlentities($reason);
+ echo $reason;
# exit the script here
exit;
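Review bot: removing `htmlentities()` from `failure()` means `$reason` and `$heading` are now echoed raw, and the callers in mysql.php interpolate `$this->db->error` into that HTML — MySQL error text echoes fragments of the failing statement, which can include user-supplied values, so this becomes a reflected XSS sink as well as an information leak of schema and query details. Keep the markup in the callers but escape the dynamic part at the call site, e.g. `htmlspecialchars($this->db->error, ENT_QUOTES, 'UTF-8')`, or better log the driver error server-side and show a generic message to the client. The old `htmlentities()` with no explicit charset was not ideal either, so escaping each value where it is produced is the cleaner fix.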
diff --git a/public_html/vfs_bootstrap.php b/public_html/vfs_bootstrap.php
index 26be764..065c73e 100644
--- a/public_html/vfs_bootstrap.php
+++ b/public_html/vfs_bootstrap.php
@@ -50,6 +50,7 @@ if ( $_SERVER['HTTP_HOST'] != HOST){
require(ABSPATH . 'functions.php');
require(ABSPATH . VFS_CLASS . 'mysql.php');
+require(ABSPATH . VFS_CLASS . 'vfsuser.php');
if ( file_exists(ABSPATH . 'setup.php') )
require(ABSPATh . 'setup.php');
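Review bot: the new `require(ABSPATH . VFS_CLASS . 'vfsuser.php')` is fine, but the statement right after it in the hunk reads `require(ABSPATh . 'setup.php')` — `ABSPATh` is not the defined constant, so PHP treats it as the literal string (a notice in 5.x, an Error in 8) and the setup include path is wrong. It should be `require(ABSPATH . 'setup.php');`; this predates the commit, but since these lines are being touched it is worth fixing here.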
diff --git a/public_html/vfs_config.php b/public_html/vfs_config.php
index b1f4e4b..f2b9aef 100644
--- a/public_html/vfs_config.php
+++ b/public_html/vfs_config.php
@@ -12,6 +12,9 @@ define('DBPREFIX', 'vfs_');
define('PEPPER_IS_FILE', false);
define('PEPPER', 'somelongstringhere');
+# how many invites new user gets per default
+define('INVITES_DEFAULT', 5);
+
# define('PEPPER_IS_FILE', true);
# define('PEPPER', dirname(__FILE__) . '/../pepper.txt');