From 3c4321ff76accb98ec3c99316766234ebcafae90 Mon Sep 17 00:00:00 2001
From: Philip Häusler
' . $msg . '
'; } else { - if (!isset ($_SESSION['msg'])) + if (! isset($_SESSION['msg'])) $_SESSION['msg'] = ""; $_SESSION['msg'] .= error($msg, true); } @@ -50,7 +50,7 @@ function success($msg, $immediatly = false) { return ""; return '' . $msg . '
';
} else {
- if (!isset ($_SESSION['msg']))
+ if (! isset($_SESSION['msg']))
$_SESSION['msg'] = "";
$_SESSION['msg'] .= success($msg, true);
}
diff --git a/includes/model/LogEntries_model.php b/includes/model/LogEntries_model.php
index 1fa97356..30e2b58c 100644
--- a/includes/model/LogEntries_model.php
+++ b/includes/model/LogEntries_model.php
@@ -2,8 +2,10 @@
/**
* Creates a log entry.
+ *
* @param $nick Username
- * @param $message Log Message
+ * @param $message Log
+ * Message
*/
function LogEntry_create($nick, $message) {
return sql_query("INSERT INTO `LogEntries` SET `timestamp`=" . sql_escape(time()) . ", `nick`='" . sql_escape($nick) . "', `message`='" . sql_escape($message) . "'");
@@ -13,8 +15,7 @@ function LogEntry_create($nick, $message) {
* Returns log entries of the last 24 hours with maximum count of 1000.
*/
function LogEntries() {
- return sql_select("SELECT * FROM `LogEntries` WHERE `timestamp` > " . (time() - 24*60*60) . " ORDER BY `timestamp` DESC LIMIT 1000");
+ return sql_select("SELECT * FROM `LogEntries` WHERE `timestamp` > " . (time() - 24 * 60 * 60) . " ORDER BY `timestamp` DESC LIMIT 1000");
}
- ?>
\ No newline at end of file
diff --git a/includes/model/Sprache_model.php b/includes/model/Sprache_model.php
index 55683411..0b18dbca 100644
--- a/includes/model/Sprache_model.php
+++ b/includes/model/Sprache_model.php
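Review bot: The reflowed docblock in the `@@ -2,8 +2,10 @@` hunk splits the description of `$message` across two lines (`* @param $message Log` followed by `* Message`), so a reader or PHPDoc tool sees the parameter described as just "Log". Keep tag and description on one line and add the missing types: ` * @param string $nick Username` and ` * @param string $message Log message`. The closing brace of `LogEntry_create` is not shown in this copy of the hunk.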
@@ -2,17 +2,23 @@
/**
* Load a string by key.
+ *
* @param string $textid
* @param string $sprache
*/
function Sprache($textid, $sprache) {
- $sprache_source = sql_select("SELECT * FROM `Sprache` WHERE `TextID`='" . sql_escape($textid) . "' AND `Sprache`='" . sql_escape($sprache) . "' LIMIT 1");
- if($sprache_source === false)
+ $sprache_source = sql_select("
+ SELECT *
+ FROM `Sprache`
+ WHERE `TextID`='" . sql_escape($textid) . "'
+ AND `Sprache`='" . sql_escape($sprache) . "'
+ LIMIT 1
+ ");
+ if ($sprache_source === false)
return false;
- if(count($sprache_source) == 1)
+ if (count($sprache_source) == 1)
return $sprache_source[0];
return null;
}
- ?>
\ No newline at end of file
diff --git a/includes/model/User_model.php b/includes/model/User_model.php
index 7eb31e8e..884aeae8 100644
--- a/includes/model/User_model.php
+++ b/includes/model/User_model.php
@@ -1,25 +1,29 @@
0)
+ if (count($user_source) > 0)
return $user_source[0];
return null;
}
/**
* Returns User by api_key.
- * @param string $api_key User api key
+ *
+ * @param string $api_key
+ * User api key
* @return Matching user, null or false on error
*/
function User_by_api_key($api_key) {
$user = sql_select("SELECT * FROM `User` WHERE `api_key`='" . sql_escape($api_key) . "' LIMIT 1");
- if($user === false)
+ if ($user === false)
return false;
if (count($user) == 0)
return null;
@@ -28,12 +32,13 @@ function User_by_api_key($api_key) {
/**
* Generates a new api key for given user.
+ *
* @param User $user
*/
function User_reset_api_key(&$user) {
$user['api_key'] = md5($user['Nick'] . time() . rand());
$result = sql_query("UPDATE `User` SET `api_key`='" . sql_escape($user['api_key']) . "' WHERE `UID`='" . sql_escape($user['UID']) . "' LIMIT 1");
- if($result === false)
+ if ($result === false)
return false;
engelsystem_log("API key resetted.");
}
diff --git a/includes/mysql_provider.php b/includes/mysql_provider.php
index d9e78fb4..9f901a40 100644
--- a/includes/mysql_provider.php
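Review bot: `User_reset_api_key` in the `@@ -28,12 +32,13 @@` hunk still derives the key as `md5($user['Nick'] . time() . rand())`, where the nick is public, `time()` is guessable to the second and `rand()` is not a cryptographic generator, so an attacker who can bound the reset time can enumerate candidate keys offline and try them against `User_by_api_key`. Generate the key from a CSPRNG instead, e.g. `$user['api_key'] = bin2hex(openssl_random_pseudo_bytes(16));` if OpenSSL is available in this deployment (`mcrypt_create_iv()` otherwise). The docblock also documents no return value although the function returns `false` on a failed UPDATE and nothing otherwise; add ` * @return bool|null false on database error` or return `true` on success so callers can check it.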
+++ b/includes/mysql_provider.php
@@ -15,7 +15,7 @@ function sql_close() {
function sql_transaction_start() {
global $sql_nested_transaction_level;
- if($sql_nested_transaction_level++ == 0)
+ if ($sql_nested_transaction_level ++ == 0)
return sql_query("BEGIN");
else
return true;
@@ -27,7 +27,7 @@ function sql_transaction_start() {
function sql_transaction_commit() {
global $sql_nested_transaction_level;
- if(--$sql_nested_transaction_level == 0)
+ if (-- $sql_nested_transaction_level == 0)
return sql_query("COMMIT");
else
return true;
@@ -39,7 +39,7 @@ function sql_transaction_commit() {
function sql_transaction_rollback() {
global $sql_nested_transaction_level;
- if(--$sql_nested_transaction_level == 0)
+ if (-- $sql_nested_transaction_level == 0)
return sql_query("ROLLBACK");
else
return true;
@@ -47,6 +47,7 @@ function sql_transaction_rollback() {
/**
* Logs an sql error.
+ *
* @param string $message
* @return false
*/
@@ -63,10 +64,15 @@ function sql_error($message) {
/**
* Connect to mysql server.
- * @param string $host Host
- * @param string $user Username
- * @param string $pass Password
- * @param string $db DB to select
+ *
+ * @param string $host
+ * Host
+ * @param string $user
+ * Username
+ * @param string $pass
+ * Password
+ * @param string $db
+ * DB to select
* @return mysqli The connection handler
*/
function sql_connect($host, $user, $pass, $db) {
@@ -89,18 +95,21 @@ function sql_connect($host, $user, $pass, $db) {
/**
* Change the selected db in current mysql-connection.
- * @param $db_name
+ *
+ * @param
+ * $db_name
* @return bool true on success, false on error
*/
function sql_select_db($db_name) {
global $sql_connection;
- if (!$sql_connection->select_db($db_name))
+ if (! $sql_connection->select_db($db_name))
return sql_error("No database selected.");
return true;
}
/**
* MySQL SELECT query
+ *
* @param string $query
* @return Result array or false on error
*/
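Review bot: The reflowed docblock for `sql_select_db` in the `@@ -89,18 +95,21 @@` hunk leaves `@param` alone on one line with `$db_name` on the next, which PHPDoc readers parse as a tag with neither type nor name; write it as ` * @param string $db_name Name of the database to select`. The same reflow in the `sql_connect` docblock above detaches every description (` * Host`, ` * Username`) from its tag, which is harmless but reads oddly and is worth keeping on one line as well. The error branch discards mysqli's own message; passing `$sql_connection->error` into `sql_error("No database selected: " . $sql_connection->error)` would make a failed `select_db` diagnosable.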
@@ -119,8 +128,9 @@ function sql_select($query) {
/**
* MySQL execute a query
+ *
* @param string $query
- * @return mysqli_result|boolean Result resource or false on error
+ * @return mysqli_result boolean resource or false on error
*/
function sql_query($query) {
global $sql_connection;
@@ -129,7 +139,7 @@ function sql_query($query) {
if ($result) {
return $result;
} else
- usr_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
+ return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
}
/**
@@ -165,12 +175,12 @@ function sql_num_query($query) {
}
function sql_select_single_col($query) {
- $result = sql_select($query);
- return array_map('array_shift', $result);
+ $result = sql_select($query);
+ return array_map('array_shift', $result);
}
function sql_select_single_cell($query) {
- return array_shift(array_shift(sql_select($query)));
+ return array_shift(array_shift(sql_select($query)));
}
?>
diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index a2fd98d8..9718f0c0 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
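Review bot: The reflowed `@return` tag in the `@@ -119,8 +128,9 @@` hunk dropped the `|` from `mysqli_result|boolean`, so the line now reads `@return mysqli_result boolean resource or false on error` and documents the return type as `mysqli_result` only, with "boolean" left as prose. Restore the union and the description: ` * @return mysqli_result|boolean Result resource or false on error`. The body of `sql_query` continues in the next hunk.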
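Review bot: In the `@@ -129,7 +139,7 @@` hunk `sql_query()` now returns `sql_error(...)`, i.e. `false` per its docblock, on a failed query instead of calling `usr_error()`, so every caller must handle a `false` result; in this same diff `sql_select_single_cell()` does `array_shift(array_shift(sql_select($query)))` and `load_auth_data()` does `count($user)` on the result without such a check. The message passed to `sql_error()` also embeds the full query text, which for `set_password()` and `User_reset_api_key()` includes the freshly generated password hash or API key; where `sql_error()` writes is not visible here, so confirm that destination is not a user-facing page or world-readable log, or log only `$sql_connection->errno` and `$sql_connection->error` and keep `$query` out of it. A brief comment on the changed line, `// returns false; callers must check the result`, would make the new contract explicit.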
@@ -1,110 +1,109 @@
0) {
- // User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
- list ($user) = $user;
- sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;");
- } else
- unset ($_SESSION['uid']);
- }
-
- $privileges = isset ($user) ? privileges_for_user($user['UID']) : privileges_for_group(-1);
+ global $user, $privileges;
+
+ $user = null;
+ if (isset($_SESSION['uid'])) {
+ $user = sql_select("SELECT * FROM `User` WHERE `UID`=" . sql_escape($_SESSION['uid']) . " LIMIT 1");
+ if (count($user) > 0) {
+ // User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
+ list ($user) = $user;
+ sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;");
+ } else
+ unset($_SESSION['uid']);
+ }
+
+ $privileges = isset($user) ? privileges_for_user($user['UID']) : privileges_for_group(- 1);
}
// generate a salt (random string) of arbitrary length suitable for the use with crypt()
function generate_salt($length = 16) {
- $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
- $salt = "";
- for ($i = 0; $i < $length; $i++) {
- $salt .= $alphabet[rand(0, strlen($alphabet)-1)];
- }
- return $salt;
+ $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+ $salt = "";
+ for($i = 0; $i < $length; $i ++) {
+ $salt .= $alphabet[rand(0, strlen($alphabet) - 1)];
+ }
+ return $salt;
}
// set the password of a user
function set_password($uid, $password) {
- return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "' WHERE `UID` = " . intval($uid) . " LIMIT 1");
+ return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "' WHERE `UID` = " . intval($uid) .
" LIMIT 1");
}
// verify a password given a precomputed salt.
// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
function verify_password($password, $salt, $uid = false) {
- $correct = false;
- if (substr($salt, 0, 1) == '$') // new-style crypt()
- $correct = crypt($password, $salt) == $salt;
- elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
- $correct = crypt($password, '77') == $salt;
- elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
- $correct = md5($password) == $salt;
-
- if($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
- // this password is stored in another format than we want it to be.
- // let's update it!
- // we duplicate the query from the above set_password() function to have the extra safety of checking the old hash
- sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" . sql_escape($salt) . "' LIMIT 1");
- }
- return $correct;
+ $correct = false;
+ if (substr($salt, 0, 1) == '$') // new-style crypt()
+ $correct = crypt($password, $salt) == $salt;
+ elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
+ $correct = crypt($password, '77') == $salt;
+ elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
+ $correct = md5($password) == $salt;
+
+ if ($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
+ // this password is stored in another format than we want it to be.
+ // let's update it!
+ // we duplicate the query from the above set_password() function to have the extra safety of checking the old hash
+ sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" .
sql_escape($salt) . "' LIMIT 1");
+ }
+ return $correct;
}
// JSON Authorisierungs-Schnittstelle
function json_auth_service() {
- global $CurrentExternAuthPass;
-
- header("Content-Type: application/json");
-
- $User = $_REQUEST['user'];
- $Pass = $_REQUEST['pw'];
- $SourceOuth = $_REQUEST['so'];
-
- if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) {
- $sql = "SELECT `UID`, `Passwort` FROM `User` WHERE `Nick`='" . sql_escape($User) . "'";
- $Erg = sql_select($sql);
-
- if (count($Erg) == 1) {
- $Erg = $Erg[0];
- if (verify_password($Pass, $Erg["Passwort"], $Erg["UID"])) {
- $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($UID) . ";");
- foreach ($user_privs as $user_priv)
- $privileges[] = $user_priv['name'];
-
- $msg = array (
- 'status' => 'success',
- 'rights' => $privileges
- );
- echo json_encode($msg);
- die();
- }
- }
- }
-
- echo json_encode(array (
- 'status' => 'failed',
- 'error' => "JSON Service GET syntax: https://engelsystem.de/?auth&user='; }
@@ -131,7 +154,8 @@ function form($elements, $action = "") {
}
/**
- * Generiert HTML Code für eine "Seite". Fügt dazu die übergebenen Elemente zusammen.
+ * Generiert HTML Code für eine "Seite".
+ * Fügt dazu die übergebenen Elemente zusammen.
*/
function page($elements) {
return join($elements);
@@ -153,10 +177,10 @@ function table($columns, $rows, $data = true) {
foreach ($rows as $row) {
$html .= ' | |||
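Review bot: The re-indented `generate_salt()` on the new side still builds password salts with `$salt .= $alphabet[rand(0, strlen($alphabet) - 1)]`, where `rand()` is not a cryptographic generator, and `verify_password()` still checks hashes with `$correct = crypt($password, $salt) == $salt;`, a non-constant-time comparison that is also subject to PHP's loose numeric-string rules. Prefer `openssl_random_pseudo_bytes()` or `mcrypt_create_iv()` for the salt bytes and, where the deployed PHP offers it, `hash_equals($salt, crypt($password, $salt))` (or at least `===`) for the check. The removed lines of `json_auth_service()` build the privileges query with `sql_escape($UID)` although only `$Erg["UID"]` is assigned in that function, and compare the shared secret with `$SourceOuth == $CurrentExternAuthPass`; the re-indented replacement of that function is cut off in this copy, so confirm the new side uses `intval($Erg["UID"])` and a strict (`===`/`hash_equals()`) comparison there. The tail of this hunk, including the JSON error response, is not visible here.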
' . $row[$key] . ' | '; - else - $html .= ''; + if (isset($row[$key])) + $html .= ' | ' . $row[$key] . ' | '; + else + $html .= ''; $html .= ' |