diff options
Diffstat (limited to 'public_html/class')
| -rw-r--r-- | public_html/class/mysql.php | 71 | ||||
| -rw-r--r-- | public_html/class/vfsuser.php | 108 |
2 files changed, 154 insertions, 25 deletions
diff --git a/public_html/class/mysql.php b/public_html/class/mysql.php index 0fb46bb..0844eaa 100644 --- a/public_html/class/mysql.php +++ b/public_html/class/mysql.php @@ -16,7 +16,7 @@ class vfsdb { } if ( $this->db->connect_errno() ){ - failure("<p>Can't connect to the database. MySQL gave this error code: ".$this->db->connect_errno . "</p>", '500 Server Failure', false, '<h1>Connection to MySQL server failed.</h1>'); + failure("<p>Can't connect to the database. MySQL gave this error code: " . $this->db->connect_errno . "</p>", '500 Server Failure', false, '<h1>Connection to MySQL server failed.</h1>'); } if ( ! $this->db->ping() ){ @@ -41,23 +41,74 @@ class vfsdb { return true; } - private function _prepare($sql){ - if ( is_null($sql) || $sql == "") + # does a single MySQL query with output (SELECT, INSERT, UPDATE... ) + public function doQuery($string){ + if ( ! $this->check() ) return false; - return $this->db->real_escape_string($sql); + return $this->db->query($sql); } - public function doQuery($string){ + # does multiple queries WITHOUT output (INSERT, UPDATE, DELETE... ) + public function execMultipleQueries($sql){ if ( ! $this->check() ) - failure("<p>Can't reach MySQL server. Server says: ". $this->db->error . "</p>", '500 Server Failure', false, "<h1>Can't reach MySQL server!</h1>") + return false; - $sql = _prepare($string); - if ( ! $sql ) + $result = $this->db->multi_query($sql); + if ( ! $result ) return false; - return $this->db->query($sql); + do { + if( ! $this->db->more_results() ) + break; + if ( ! $this->db->next_result() ){ + if ( $this->db->error != "" ){ + $res->free(); + return false; + } + } + } while (true); + + return true; + } + + # code by WordPress. See @link https://core.trac.wordpress.org/browser/branches/4.0/src/wp-includes/wp-db.php#L1154 + # syntax like sprintf() + public function prepare( $query, $args ) { + if ( is_null( $query ) ) + return; + + // This is not meant to be foolproof -- but it will catch obviously incorrect usage. + if ( strpos( $query, '%' ) === false ) { + return false; + } + + $args = func_get_args(); + array_shift( $args ); + + // If args were passed as an array (as in vsprintf), move them up + if ( isset( $args[0] ) && is_array($args[0]) ) + $args = $args[0]; + + $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it + $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting + $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware + $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s + + array_walk( $args, array( $this, '_escape_by_ref' ) ); + + return @vsprintf( $query, $args ); + } + + private function _escape_by_ref( &$string ){ + if ( ! is_float( $string ) ) + $string = $this->_real_escape( $string ); + } + + private function _real_escape( $string ){ + return $this->db->real_escape_string($string); } + # WordPress End public function createTables(){ $user_table = @@ -103,7 +154,7 @@ class vfsdb { ) ENGINE=InnoDB;'; - if ( ! $this->db->query($user_table . ' ' . $files_table . ' ' . $banned_user_table) ) + if ( ! $this->execMultipleQueries('BEGIN; '. $user_table . ' ' . $files_table . ' ' . $banned_user_table . ' END;') ) failure("<p>There was a problem during bootstrapping the database schema. " . $this->db->error . "</p>", '500 Server Failure', false, "<h1>CREATE TABLE FAILED</h1>"); } diff --git a/public_html/class/vfsuser.php b/public_html/class/vfsuser.php index 931c53c..e3767b8 100644 --- a/public_html/class/vfsuser.php +++ b/public_html/class/vfsuser.php @@ -3,21 +3,18 @@ class vfsuser { public $username; - public $login = false; + public $login = false; private $pepper; - private $query = false; + private $query = false; public function __construct($name){ $this->username = $name; if ( isset($_SESSION["loggedin"]) ) $this->login = $_SESSION["loggedin"]; - - if ( PEPPER_IS_FILE ) - $this->pepper=file_get_contents(PEPPER); - else - $this->pepper=PEPPER; + + $this->_setPepper(); $this->_setQuery(); } @@ -26,11 +23,19 @@ class vfsuser { private function _setQuery(){ global $vfsdb; - $db_db = $vfsdb->doQuery("SELECT * FROM " . DBPREFIX . "user WHERE name='" . $this->username . "';"); + $sql = $vfsdv->prepare("SELECT * FROM " . DBPREFIX . "user WHERE name=%s;", $this->username); + $db_db = $vfsdb->doQuery($sql); if ( is_bool($db_db) ) - $this->query=false; + $this->query = false; + else + $this->query = $db_db->fetch_array(MYSQLI_ASSOC); + } + + private function _setPepper(){ + if ( PEPPER_IS_FILE ) + $this->pepper = file_get_contents(PEPPER); else - $this->query=$db_db->fetch_array(MYSQLI_ASSOC); + $this->pepper = PEPPER; } public function getUser(){ @@ -69,17 +74,21 @@ class vfsuser { return $this->query['inviter']; } + # check if valid user + publlic function isValidUser(){ + if( ( is_bool($this->query) && ! $this->query ) || is_null($this->query) ) + return false + + return true; + } + # check if current user is authenticated public function isLoggedIn(){ return $this->login; } - public function login($password, $second_password){ + public function login($password){ - # check if both passwords the same - if ( $password != $second_password) - return false; - # get hashed password from the database $hashed_password = $this->getPassword(); @@ -117,4 +126,73 @@ class vfsuser { return true; } + + public function register($name, $password, $email){ + global $vfsdb; + + $sql = $vfsdb->prepare("SELECT 1 FROM " . DBPREFIX . "user WHERE name=%s;", $name); + $double_db = $vfsdb->doQuery($sql); + $double_ar = $double_db->fetch_array(MYSQLI_NUM); + if ( $double_ar[0] == 1 ) + return false; + + $sql = $vfsdb->prepare("SELECT id FROM " . DBPREFIX . "user WHERE email=%s;", $email); + $id_db = $vfsdb->doQuery($sql); + $id_ar = $id_db->fetch_array(MYSQLI_ASSOC); + $id = $id_ar['id']; + + $password = $password . PEPPER; + $hash = password_hash($password, PASSWORD_DEFAULT); + + $sql = $vfsdb->prepare(" + UPDATE user SET + name=%s, + password=%s, + invites=%d', + status=1, + register=%d, + color_folder='DEFAULT', + color_file='DEFAULT' + WHERE id=%d; + + INSERT INTO files ( + files_id, + parent, + owner, + name, + type, + mime, + size, + visibility, + hash ) + VALUES ( + NULL, + 0, + %d, + '/', + 'DIRECTORY', + NULL, + NULL, + 'PUBLIC', + '' + );", $name, $hash, INVITES_DEFAULT, time(), $id, $id); + + if ( ! $vfsdb->execMultipleQueries($sql) ) + return false; + + # the user is successfull registered, thus already logged in + $this->username = $name; + + # redefine the class attributes + $this->_setPepper(); + $this->_setQuery(); + + $this->login($password); + + return true; + } + + public function __destruct(){ + return true; + } } |