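/**
 * Promote the current request to an authenticated session for $userid.
 *
 * Any session that is already running is torn down first and a brand-new id
 * is issued before the session is (re)started, so an id an attacker planted
 * before login (session fixation) is never upgraded to a logged-in one.
 *
 * @param mixed  $userid   account id, stored as $_SESSION['userid']
 * @param string $username stored as $_SESSION['username']
 */
function initSession($userid, $username)
{
    // session_destroy() on a session that was never started only raises a
    // warning, so tear down only when one is actually active. Emptying the
    // array as well makes sure nothing from the old session lingers in
    // memory between destroy and start.
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = array();
        session_destroy();
    }

    // The new id must be set before session_start(). generateSessionId() is
    // the project's helper; for this to be safe it has to draw from a CSPRNG
    // and emit only characters PHP accepts in a session id (TODO confirm).
    // If it does not, session_regenerate_id(true) after session_start() is
    // the built-in alternative.
    session_id(generateSessionId());
    session_start();

    $_SESSION['loggedin'] = true;
    $_SESSION['userid'] = $userid;
    $_SESSION['username'] = $username;
}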
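/**
 * Start a "magic link" login.
 *
 * Inserts a SESSION row keyed by a freshly generated id, e-mails a link that
 * carries the id to the configured login address, and answers with a JSON
 * object naming that address so the caller can tell the user where to look.
 *
 * SECURITY: the sessionId in the link is the whole credential — whoever can
 * read the mail (or a mail-server / proxy log that records the URL) can log
 * in. login.php is expected to treat the id as single-use and to reject rows
 * whose CREATED timestamp is too old (TODO confirm; only the insert is
 * visible here). If getBaseUrl() is derived from the Host header, the link
 * target can be poisoned by a crafted request — confirm it is configured.
 */
function newLogin()
{
    withStatement("INSERT INTO SESSION (SESSION_ID,CREATED) VALUES (?,NOW())", function ($statement) {
        $sessionId = generateSessionId();
        $statement->bind_param("s", $sessionId);
        executeStatement($statement);

        $baseUrl = getBaseUrl();
        $loginEmail = emailPrefixToAddress(LOGIN_EMAIL_PREFIX);
        sendEmail($loginEmail, "Innlogging", "\n\nLogg inn via denne linken:\n{$baseUrl}/php/login.php?sessionId={$sessionId}");

        // json_encode() rather than a hand-built "{\"email\":\"...\"}": an
        // address containing a quote or backslash would otherwise yield an
        // invalid document.
        echo json_encode(array('email' => $loginEmail));
    });
}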
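// The `if` this `else` belongs to is above this excerpt; the branch is kept as found.
} else { logExit("Bad request method. POST/json required", "Bad request method. POST/json required"); }

// All three fields are mandatory. The log names the missing ones, never their values.
if (empty($json->username) or empty($json->password) or empty($json->clientToken)) {
    logExit("[auth16x.php] login process [Empty input] [ "
        . (empty($json->username) ? 'LOGIN ' : '')
        . (empty($json->password) ? 'PASSWORD ' : '')
        . (empty($json->clientToken) ? 'clientToken ' : '')
        . "]");
}

loadTool('user.class.php');
DBinit('auth');

$login = $json->username;
$password = $json->password;
$clientToken = $json->clientToken;

// Character-set gate: the password is limited to [a-zA-Z0-9_-] and the client
// token to hex digits and dashes before either touches the database.
//
// SECURITY: the original wrote the submitted password into the log on every
// failure path below (bad symbols, unknown user, wrong password) — so a valid
// password typed against a mistyped login name, or a near-miss typo of the
// real one, landed in plaintext in a log file. Only the login name and the
// client token are recorded now.
if (!preg_match("/^[a-zA-Z0-9_-]+\$/", $password) or !preg_match("/^[a-f0-9-]+\$/", $clientToken)) {
    logExit("[auth16x.php] login process [Bad symbols] User [{$login}] clientToken [{$clientToken}]");
}

// A login containing '@' is looked up by e-mail address, otherwise by login name.
$BD_Field = strpos($login, '@') === false ? $bd_users['login'] : $bd_users['email'];
$auth_user = new User($login, $BD_Field);
if (!$auth_user->id()) {
    logExit("[auth16.php] login process [Unknown user] User [{$login}]");
}

// Accounts at level 1 or below may not log in through this endpoint.
// NOTE(review): this path exits without a log entry, unlike every other
// failure — kept as found, but worth routing through logExit() as well.
if ($auth_user->lvl() <= 1) {
    exit("Bad login");
}

if (!$auth_user->authenticate($password)) {
    logExit("[auth16.php] login process [Wrong password] User [{$login}]");
}

// Issue a fresh session token and bind it, together with the client token, to
// the account row. Parameterised query; $BD_Field and the column names come
// from configuration, not from the request.
$sessid = generateSessionId();
getDB()->ask(
    "UPDATE `{$bd_names['users']}` SET "
    . "`{$bd_users['session']}`=:session , "
    . "`{$bd_users['clientToken']}`=:token "
    . "WHERE `{$BD_Field}`=:login",
    array('session' => $sessid, 'login' => $login, 'token' => $clientToken)
);

// The session token is the access credential returned below; it is kept out of
// the log for the same reason the password is (a log reader could replay it).
vtxtlog("[auth16.php] login process [Success] User [{$login}] clientToken[{$clientToken}]");

$profile = array('id' => $auth_user->id(), 'name' => $auth_user->name());
$response = array(
    'clientToken' => $clientToken,
    'accessToken' => $sessid,
    'availableProfiles' => array(0 => $profile),
    'selectedProfile' => $profile,
);
exit(json_encode($response));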
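/**
 * Dispatch function for POST /events
 *
 * Determines what the user is requesting -- for example, to add an
 * attachment or to create a new session -- and dispatches or handles.
 *
 * Path shapes accepted (from the global $path):
 *   []                     -> create a new event (handled here)
 *   [session]              -> api_EVENTS_POST_ID(session)
 *   [session, object]      -> api_EVENTS_POST_ID_<OBJECT>(session)
 *   [session, object, ""]  -> same as above (trailing slash)
 * Anything else is answered with a 400.
 *
 * If a new event is requested, takes user input and turns it into an event,
 * including web call to Dialback provider, Event insertion, and API key
 * creation.
 *
 * @todo Why does event creation need to be JSON? Seemed like a good idea at
 * the time. Move to just HTTP POST fields.
 *
 * @todo Any non-false response body from the Dialback provider is stored as
 * the dial-back number, including an empty one. Validate the body.
 *
 * @throws BadRequestException
 */
function api_EVENTS_POST_dispatch()
{
    global $database;
    global $path;
    global $apiKey;

    switch (count($path)) {
        /** @noinspection PhpMissingBreakStatementInspection */
        case 3:
            // A trailing slash yields an empty third component; anything else is invalid.
            if ($path[2] != "") {
                $response = ['status' => ['code' => 400, 'message' => 'Bad Request'], 'error' => ['message' => 'Invalid Request Path']];
                throw new BadRequestException($response);
            }
            // fall through
        /** @noinspection PhpMissingBreakStatementInspection */
        case 2:
            $object2 = $path[1];
            // fall through
        case 1:
            $session = $path[0];
            break;
        case 0:
            break;
        default:
            $response = ['status' => ['code' => 400, 'message' => 'Bad Request'], 'error' => ['message' => 'Invalid Request Path']];
            throw new BadRequestException($response);
    }

    $baseName = str_replace("_dispatch", "", __FUNCTION__);
    $funcCall = $baseName;
    if (isset($session) && strlen($session) > 0) {
        $funcCall .= '_ID';
        $parameter = $session;
        if (isset($object2) && strlen($object2) > 0) {
            $funcCall .= '_' . strtoupper($object2);
        }
    }

    if ($funcCall != $baseName) {
        // Sub-resource request: hand off to the matching handler. The target
        // name is built from the URL, so function_exists() is what confines a
        // crafted path to functions literally named api_EVENTS_POST_ID[_<X>].
        // Keep that fixed prefix — never let the path supply the whole name.
        if (!function_exists($funcCall)) {
            $response = ['status' => ['code' => 400, 'message' => 'Bad Request'], 'error' => ['message' => 'Unsupported API Request.']];
            throw new BadRequestException($response);
        }
        // $parameter is always set here: $funcCall only changes when $session is.
        $funcCall = (string) $funcCall;
        $funcCall($parameter);
        return;
    }

    // No path components: create a new event from the JSON in POST `request`.
    try {
        $rawRequest = isset($_POST['request']) ? $_POST['request'] : '';
        $jsonRequest = json_decode($rawRequest, true);
        if (empty($jsonRequest) || !is_array($jsonRequest)) {
            throw new InvalidJsonException([$jsonRequest]);
        }

        $requiredFields = [
            'segment' => ['filter' => FILTER_VALIDATE_INT],
            'phoneNumber' => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['options' => ['regexp' => "/^\\+? ?[0-9 ]+\$/"]]],
            'emailAddress' => ['filter' => FILTER_VALIDATE_EMAIL],
            'state' => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['options' => ['regexp' => "/^[A-Za-z ]{4,50}\$/"]]],
            'latitude' => ['filter' => FILTER_VALIDATE_FLOAT],
            'longitude' => ['filter' => FILTER_VALIDATE_FLOAT],
        ];
        foreach ($requiredFields as $key => $parameters) {
            if (!isset($jsonRequest[$key])) {
                throw new BadRequestException(["Required parameter `{$key}` is missing."]);
            }
            $value = $jsonRequest[$key];
            $filter = $parameters['filter'];
            $options = isset($parameters['options']) ? $parameters['options'] : [];
            // filter_var() returns the validated value, so it must be compared
            // against false: the original `!filter_var(...)` rejected a
            // perfectly valid latitude/longitude of 0 and a segment of 0.
            if (filter_var($value, $filter, $options) === false) {
                throw new BadRequestException(["Parameter `{$key}`: Invalid value."]);
            }
        }

        // Resolve the segment to its product's phone-server endpoint.
        $sqlQuery = "SELECT productphoneserver FROM tbl__products INNER JOIN tbl__segments ON tbl__products.productkey=tbl__segments.productkey WHERE tbl__segments.segmentkey=?";
        $dialbackQuery = $database->select($sqlQuery, [['i' => $jsonRequest['segment']]]);
        // An unknown segment key yields no row; without this check the next
        // line read an undefined index and POSTed to an empty URL.
        if (empty($dialbackQuery[0]['productphoneserver'])) {
            throw new BadRequestException(["Parameter `segment`: Unknown value."]);
        }
        $dialbackUrl = $dialbackQuery[0]['productphoneserver'];

        // Ask the phone server for a dial-back number. Only the validated
        // fields are forwarded, and the URL comes from the database, not from
        // the request.
        $data = [
            'emailaddress' => $jsonRequest['emailAddress'],
            'phonenumber' => $jsonRequest['phoneNumber'],
            'latitude' => $jsonRequest['latitude'],
            'logitude' => $jsonRequest['longitude'], // key kept as found; presumably what the provider expects — verify
            'state' => $jsonRequest['state'],
        ];
        // use key 'http' even if you send the request to https://...
        $options = [
            'http' => [
                // The original header was "Content-type: \n application/..."
                // — a bare LF inside the header line, which is malformed and
                // can make the provider mis-parse the body.
                'header' => "Content-type: application/x-www-form-urlencoded\r\n",
                'method' => 'POST',
                'content' => http_build_query($data),
            ],
        ];
        $dialbackNumber = file_get_contents($dialbackUrl, false, stream_context_create($options));
        if ($dialbackNumber === false) {
            throw new NoDialbackNumberProvidedException([]);
        }

        // Insert the event. A fresh session id is generated per attempt so a
        // (rare) unique-key collision on `session` is retried with a new value.
        $sqlQuery = "INSERT INTO tbl__events ( session, segmentkey, phonenumber, emailaddress, latitude, longitude, state, dialbacknumber ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
        $sessionId = null;
        $eventQuery = null;
        $eventAdded = false;
        $attempts = 1;
        $i = 0;
        $lastError = null;
        do {
            try {
                $sessionId = generateSessionId();
                $eventQuery = $database->insert($sqlQuery, [
                    ['s' => $sessionId],
                    ['i' => $jsonRequest['segment']],
                    ['s' => $jsonRequest['phoneNumber']],
                    ['s' => $jsonRequest['emailAddress']],
                    ['d' => $jsonRequest['latitude']],
                    ['d' => $jsonRequest['longitude']],
                    ['s' => $jsonRequest['state']],
                    ['s' => $dialbackNumber],
                ]);
                $eventAdded = true;
            } catch (DatabaseInsertQueryFailedException $e) {
                // Only the message: print_r() of the whole exception dumped
                // the stack trace (with call arguments) into a value that is
                // handed to the client through sendResponse() below.
                $lastError = $e->getMessage();
            }
            $i++;
        } while (!$eventAdded and $i <= $attempts);
        if (!$eventAdded) {
            throw new EventNotAddedException([$lastError]);
        }

        // Issue a one-hour EVENT-scoped API key bound to the new event row.
        $sqlQuery = "INSERT INTO tbl__apikeys ( expiration, scope, ALLOW_RENEW, ALLOW_UPLOAD, ALLOW_LIST, apikey, scopekey ) VALUES ( DATE_ADD(NOW(), INTERVAL 1 HOUR), 'EVENT', 1, 1, 1, ?, ? )";
        $apiKey = null;
        $scopeKey = (int) $eventQuery->insert_id;
        $apiKeyAdded = false;
        $attempts = 1;
        $i = 0;
        $apiKeyQuery = null;
        do {
            try {
                $apiKey = generateApiKey($sessionId);
                $apiKeyQuery = $database->insert($sqlQuery, [['s' => $apiKey], ['i' => $scopeKey]]);
                $apiKeyAdded = true;
            } catch (DatabaseInsertQueryFailedException $e) {
                $lastError = $e->getMessage();
            }
            $i++;
        } while (!$apiKeyAdded and $i <= $attempts);
        if (!$apiKeyAdded) {
            throw new ApiKeyNotAddedException([$lastError]);
        }

        $eventQuery->close();
        $apiKeyQuery->close();

        $response = [
            'data' => ['session' => $sessionId, 'dial' => $dialbackNumber, 'apiKey' => $apiKey],
            'status' => ['code' => 201],
        ];
        sendResponse($response);
    } catch (Exception $e) {
        // NOTE(review): the exception object itself goes to the client; make
        // sure sendResponse() renders only a message/code, not the trace.
        sendResponse($e);
    }
}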
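/**
 * Launcher login endpoint.
 *
 * Reads `user`, `password` and `version` from the query string, checks the
 * launcher version, looks the user up in the configured table, verifies the
 * password with the hashing scheme named by $crypt and, on success, stores a
 * fresh session id on the user's row.
 *
 * Every outcome is reported by die()-ing with a short status the launcher
 * parses: "0" success, "abuse" wrong password, "fail" no password hash found,
 * "abanned" banned account, "oldLauncher" version mismatch. A request missing
 * any of the three parameters produces no output at all (kept as found).
 *
 * Configuration and helpers come from connect.php (included into this
 * function's scope): $db_table, $db_tableOther, the $db_column* names,
 * $crypt (the name of the hash function to call) and launcher().
 *
 * SECURITY (review): credentials arrive as GET parameters, so they end up in
 * web-server access logs, proxies and browser history — move them to the
 * POST body. The mysql_* extension was removed in PHP 7; the queries should
 * be ported to mysqli/PDO with bound parameters. Both changes need connect.php
 * and the launcher, so they are out of scope here; only the comparison, the
 * undefined-variable paths and the out-of-order $_GET read are fixed.
 */
function loginServer()
{
    include "connect.php";

    if (!(isset($_GET['user']) && isset($_GET['password']) && isset($_GET['version']))) {
        return;
    }
    // Read `version` only after the isset() check; the original read it first
    // and raised a notice on requests without it.
    $ver = $_GET['version'];
    if (launcher() != $ver) {
        die("oldLauncher");
    }

    $postPass = $_GET['password'];
    $loginName = $_GET['user'];
    // Only the login name is interpolated into SQL; the column/table names
    // come from connect.php.
    $login = mysql_real_escape_string($loginName);

    $result1 = mysql_query("SELECT {$db_columnUser}, {$db_columncheck} FROM {$db_table} WHERE {$db_columnUser} ='{$login}'") or die("������ � ���� ���������� �������." . mysql_error());
    $row1 = mysql_fetch_assoc($result1);
    $checkrow = $row1[$db_columncheck];
    if ($checkrow != 0) {
        die("abanned");
    }

    // Fetch the stored hash (and salt where the scheme has one). Initialised
    // up front so an unknown $crypt value reaches the "fail" branch instead
    // of reading undefined variables.
    $realPass = null;
    $salt = null;
    if ($crypt == 'hash_md5' || $crypt == 'hash_authme' || $crypt == 'hash_xauth' || $crypt == 'hash_cauth' || $crypt == 'hash_joomla' || $crypt == 'hash_wordpress' || $crypt == 'hash_dle' || $crypt == 'hash_drupal') {
        $query = "SELECT {$db_columnUser}, {$db_columnPass} FROM {$db_table} WHERE {$db_columnUser}='{$login}'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_assoc($result);
        $realPass = $row[$db_columnPass];
    }
    if ($crypt == 'hash_ipb' || $crypt == 'hash_vbulletin') {
        $query = "SELECT {$db_columnUser},{$db_columnPass},{$db_columnSalt} FROM {$db_table} WHERE {$db_columnUser}='{$login}'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_assoc($result);
        $realPass = $row[$db_columnPass];
        $salt = $row[$db_columnSalt];
    }
    if ($crypt == 'hash_xenforo') {
        $query = "SELECT {$db_table}.{$db_columnId},{$db_table}.{$db_columnUser},{$db_tableOther}.{$db_columnId},{$db_tableOther}.{$db_columnPass} FROM {$db_table}, {$db_tableOther} WHERE {$db_table}.{$db_columnId} = {$db_tableOther}.{$db_columnId} AND {$db_table}.{$db_columnUser}='{$login}'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_assoc($result);
        // XenForo stores hash and salt inside one serialized blob; these are
        // fixed offsets into it (kept as found).
        $realPass = substr($row[$db_columnPass], 22, 64);
        $salt = substr($row[$db_columnPass], 105, 64);
    }

    if (!$realPass) {
        die("fail");
    }

    // Compute the candidate hash with the scheme's calling convention. $crypt
    // is a function name from connect.php, never from the request.
    $checkPass = null;
    if ($crypt == 'hash_md5' || $crypt == 'hash_dle') {
        $checkPass = $crypt($postPass);
    }
    if ($crypt == 'hash_authme' || $crypt == 'hash_xauth' || $crypt == 'hash_cauth' || $crypt == 'hash_joomla' || $crypt == 'hash_wordpress' || $crypt == 'hash_drupal') {
        $checkPass = $crypt($realPass, $postPass);
    }
    if ($crypt == 'hash_ipb' || $crypt == 'hash_vbulletin' || $crypt == 'hash_xenforo') {
        $checkPass = $crypt($postPass, $salt);
    }

    // hash_equals() instead of strcmp(): strcmp returns at the first differing
    // byte, which leaks how much of the hash matched through timing.
    if (is_string($checkPass) && hash_equals((string) $realPass, $checkPass)) {
        $sessid = generateSessionId();
        mysql_query("UPDATE {$db_table} SET {$db_columnSesId}='{$sessid}' WHERE {$db_columnUser} = '{$login}'") or die("������ � ���� ���������� �������.");
        die("0");
    }
    die("abuse");
}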