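/**
 * Renders the admin login page, or redirects to /admin when the session is
 * already authenticated.
 *
 * On POST the submitted credentials are checked against the record returned
 * by Secure::userExists() ("login:password:salt:iteration", see the explode()
 * below). On success the session is marked as admin and the client is
 * redirected; on any failure $this->result carries one generic message, so the
 * page does not reveal whether the user name exists.
 *
 * @param mixed  $body     page body; not used here, kept for the caller's interface
 * @param string $template path of the login template that is include'd
 */
public function render($body, $template)
{
    session_start();

    if (isset($_SESSION['admin'])) {
        header('Location: /admin');
        exit;
    }

    header('HTTP/1.0 401 Unauthorized');

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Missing fields default to '' instead of raising an undefined-index notice.
        $this->user = trim(strip_tags(isset($_POST['user']) ? $_POST['user'] : ''));
        // strip_tags() is kept on the password so that hashes produced by the
        // existing addUser() path still verify.
        $this->pwd = trim(strip_tags(isset($_POST['pwd']) ? $_POST['pwd'] : ''));

        if ($this->user and $this->pwd) {
            $secure = new Secure();
            $result = $secure->userExists($this->user);
            $authenticated = false;

            if ($result) {
                list($login, $password, $salt, $iteration) = explode(':', $result);
                $computed = $secure->getHash($this->pwd, $salt, $iteration);
                // hash_equals(): constant-time and strict. The previous == would
                // also treat two digests that look numeric ("0e...") as equal.
                $authenticated = hash_equals((string) $password, (string) $computed);
            }

            if ($authenticated) {
                // Fresh session id at the privilege change, so an id set before
                // authentication is not carried over.
                session_regenerate_id(true);
                $_SESSION['admin'] = true;
                header('Location: /admin');
                exit;
            }

            // Same message for unknown user and wrong password.
            $this->result = 'Неравильный логин или пароль';
        } else {
            $this->result = 'Заполнены не все поля';
        }
    }

    include $template;
}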
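/**
 * Creates a user record from $this->user / $this->pwd.
 *
 * Generates a salt when $this->salt is empty, derives the hash with
 * Secure::getHash() and stores it through Secure::saveHash(). The outcome is
 * reported in $this->result; an existing user name is rejected.
 */
public function addUser()
{
    $secure = new Secure();

    if (!$this->salt) {
        // 16 bytes from the CSPRNG, rendered as 32 hex chars and base64'd
        // without padding: same length and alphabet as the previous
        // md5(microtime())-based salt, but not predictable from the clock.
        $this->salt = str_replace('=', '', base64_encode(bin2hex(random_bytes(16))));
    }

    if ($secure->userExists($this->user)) {
        $this->result = "Пользователь с таким именем уже существует";
        return;
    }

    $hash = $secure->getHash($this->pwd, $this->salt, $this->iteration);

    if ($secure->saveHash($this->user, $hash, $this->salt, $this->iteration)) {
        // The message names the user, not the password: the original
        // interpolated an undefined $pwd, and the secret does not belong in
        // a status message anyway.
        $this->result = "Хеш для пользователя {$this->user} успешно записан в файл";
    } else {
        $this->result = "Произошла ошибка при записи хеша";
    }
}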
/**
 * Both factories keep the message and the URL they were given, on the
 * request / response property respectively.
 */
public function testSecureHasMessageAndUrl()
{
    $message = 'eJxVUuFygjAMfhXPw9IWh';
    $url = 'https://acs—ap.3dsecure.net/shopping';

    $request = Secure::createRequest($message, $url);
    $this->assertSame($message, $request->request);
    $this->assertSame($url, $request->url);

    $response = Secure::createResponse($message, $url);
    $this->assertSame($message, $response->response);
    $this->assertSame($url, $response->url);
}
/**
 * Escapes the received arguments and runs the SQL query that displays the
 * products.
 *
 * @param mixed $recept id received from the request; must be numeric after escaping
 * @param mixed $name   category name received from the request
 */
function testarg($recept, $name)
{
    require_once '../../control/gestion/Secure.php';
    include_once '../../model/front/ReqFront.php';

    $productId = Secure::bdd($recept);
    $categoryName = Secure::bdd($name);

    if (!is_numeric($productId)) {
        echo "Requete non conforme -> vérifier le type de l'id.";
        return;
    }

    $front = new ReqFront();
    $front->presenterProds($productId, $categoryName);
}
// Leftover debug line, kept disabled:
//echo PATH_USER_SECURE;die();

//----- template paths
define('PATH_VUE_TEMPLATE', PLUM_RACINE . "vue/template." . TEMPLATE . "/");
define('PATH_WWW_TEMPLATE', PATH_WWW . "template." . TEMPLATE . "/");
define('PATH_WWW_EXPOSE', PATH_WWW . "expose/"); // holds the extra css, js and image files; used by Plum_vue

//----- external php includes
define('PATH_INCLUDE', PLUM_RACINE . "include/");
define('PATH_FONCTION', PLUM_RACINE . "fonction/");

//----- plum framework includes
include_once PLUM_RACINE . "plum/plum.sacoche.php";
include_once PLUM_RACINE . "plum/plum.controleur.php";
include_once PLUM_RACINE . "plum/plum.fonction.php";
include_once PLUM_RACINE . "plum/plum.secure.php";

//----- session start: 'cookie only' + 'unique id per package' (wording of the
// original comment; the actual options are set in Secure::session_start(),
// defined in plum.secure.php — confirm there)
Secure::session_start();

//----- Engine: controller bootstrap -- (the class continues past the end of this excerpt)
class Engine extends Plum_controleur
{
    function __construct($param)
    {
        parent::__construct($param);
        // Controller and action names come from the parsed URL; empty values
        // fall back to the configured defaults.
        $controleur = $this->paramUrl->mvc_controleur;
        $action = $this->paramUrl->mvc_action;
        if ($controleur == "") {
            $controleur = DEFAUT_CONTROLEUR;
        }
        if ($action == "") {
            $action = DEFAUT_ACTION;
        }
        $c = $this->execute($controleur, $action);
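/**
 * Lets the logged-in user change their own password.
 *
 * POST: verifies the CSRF token, validates 'password' / 'password2', stores a
 * new salt and hash for $_SESSION['user']['id'] and redirects to the users
 * list; validation errors are flashed and the form is shown again.
 * GET: loads the current user's record into the view.
 */
public function change_password()
{
    $this->cut_notlogged();
    $this->user = new UsersModel();

    if (!empty($_POST)) {
        // CSRF check comes first; a missing token is passed as '' so the
        // check fails cleanly instead of raising an undefined-index notice.
        Secure::csrf_checknredir(isset($_POST['csrf_tkn']) ? $_POST['csrf_tkn'] : '');

        $in = new In();
        // NOTE(review): 'max' => '16' caps passwords at 16 characters; the
        // limit comes from the project's validation rules, not from do_hash().
        $validation = $in->validate_input($_POST, array(
            'password' => array('required' => 'true', 'min' => '6', 'max' => '16'),
            'password2' => array('required' => 'true', 'equal_field' => 'password'),
        ));

        if ($validation) {
            $salt = Secure::salt(32);
            // Key order kept (password, salt, id): update() may build its
            // statement from the keys in this order.
            $upd_user = array(
                'password' => Secure::do_hash($_POST['password'], $salt),
                'salt' => $salt,
                'id' => $_SESSION['user']['id'],
            );
            $this->user->update($upd_user);
            // Out::flash('Password updated.');
            header("Location: " . ROOT_URI . '/admin/users');
            exit;
        }

        // Validation failed: every error on its own line, then back to the form.
        $ers = '';
        foreach ($in->errors as $er) {
            $ers .= $er . "<br />";
        }
        Out::flash($ers);
        header("Location: " . ROOT_URI . "/admin/users/change_password");
        exit;
    }

    // GET: the user edits their own record.
    $id = $_SESSION['user']['id'];
    $user2edit = $this->user->get_user($id);
    $this->set_view_var($user2edit);
}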
<?php
/**
 * Created by Nicolas DUPUIS.
 * ---- LPSIL 2015-2016 ----
 * Date: 30/12/15
 * Time: 02:03
 */
include_once '../../model/gestion/Requete.php';
require_once './Secure.php';

/**
 * Handles moving a category (reclassement): 'idcl' and 'licl' are run through
 * Secure::bdd() and must both be numeric before Requete::reclasserCategorie()
 * is called. Nothing happens when either POST field is absent.
 */
if (isset($_POST['idcl'], $_POST['licl'])) {
    // Both values come straight from the client.
    $categoryId = Secure::bdd($_POST['idcl']);
    $linkId = Secure::bdd($_POST['licl']);

    $bothNumeric = is_numeric($categoryId) && is_numeric($linkId);
    if (!$bothNumeric) {
        echo "Requete non conforme -> vérifier le type de l'id.";
    } else {
        $query = new Requete();
        $query->reclasserCategorie($categoryId, $linkId);
        echo "L'oppération s'est déroulée sans problème.";
    }
}
<?php /* Registration form (continued): the <form> and the wrapping <div>s closed at the end are opened earlier in the template. */ ?>
<?php /* Re-displays the e-mail from the previous submission; Out::esc() escapes it before it is placed in the attribute. NOTE(review): keep nothing between the closing ?> and the attribute's closing quote — any whitespace there becomes part of the submitted value. */ ?>
<input type="text" name="email" class="col-md-offset-0 col-md-8" value="<?php if (isset($_POST['email'])) { echo Out::esc($_POST['email']); } ?> "/>
</div>
<div class="input-group col-md-8 row">
<label for="password" class="col-md-offset-0 col-md-4">Password:</label>
<input type="password" name="password" class="col-md-offset-0 col-md-8" />
</div>
<div class="input-group col-md-8 row">
<label for="password2" class="col-md-offset-0 col-md-4">Re-enter Password:</label>
<input type="password" name="password2" class="col-md-offset-0 col-md-8" />
</div>
<?php /* Anti-CSRF token for this form. Secure::csrf_generate() is echoed without further escaping, so its output is expected to be attribute-safe — confirm in Secure. The same whitespace note as for the e-mail field applies here. */ ?>
<input type="hidden" name="csrf_tkn" value="<?php echo Secure::csrf_generate(); ?> " />
<div class="input-group col-md-8 row">
<div class="submit">
<input name="submit" class="col-md-offset-4 col-md-8" type="submit" value="Register"/>
</div>
</div>
</form>
</div>
</div>
<?php
/**
 * Created by Nicolas DUPUIS.
 * ---- LPSIL 2015-2016 ----
 * Date: 05/01/16
 * Time: 01:29
 */
include_once '../../model/gestion/Requete.php';
require_once './Secure.php';

/**
 * Runs the query that deletes the product whose id is posted as 'refpro'.
 * The id is passed through Secure::bdd() and must be numeric.
 */
if (isset($_POST['refpro'])) {
    // Mandatory check: the value comes from a user input.
    $productId = Secure::bdd($_POST['refpro']);

    if (!is_numeric($productId)) {
        echo "Requête non conforme.";
    } else {
        $query = new Requete();
        $deleted = $query->supprimerProduit($productId);
        echo $deleted ? "Requête effectuée" : "requête non effectuée";
    }
}
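/**
 * Escapes an id received via GET (hence untrusted) with Secure::bdd() and
 * echoes the result.
 *
 * @param mixed|null $id value to escape; when null (the original behaviour)
 *                       the global $id is used
 */
function retourarg($id = null)
{
    require_once '../../control/gestion/Secure.php';

    if ($id === null) {
        // Kept for existing callers that rely on the global being set.
        $id = $GLOBALS['id'];
    }

    // NOTE(review): Secure::bdd() looks like a database escaping helper; if
    // this output is placed in HTML the caller still needs htmlspecialchars().
    echo Secure::bdd($id);
}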
<?php
/**
 * Created by Nicolas DUPUIS.
 * ---- LPSIL 2015-2016 ----
 * Date: 29/12/15
 * Time: 23:01
 */
include_once '../../model/gestion/Requete.php';
require_once './Secure.php';

/**
 * Handles the modification of a category (rubrique): 'refr' (numeric id) and
 * 'rubr' (new name) are passed through Secure::bdd() before
 * Requete::modifierCategorie() is called.
 */
if (isset($_POST['refr'], $_POST['rubr'])) {
    // Both values come from the client.
    $categoryName = Secure::bdd($_POST['rubr']);
    $categoryId = Secure::bdd($_POST['refr']);

    if (!is_numeric($categoryId)) {
        echo "Requete non conforme -> vérifier le type de l'id.";
    } else {
        $query = new Requete();
        $query->modifierCategorie($categoryId, $categoryName);
        echo "L'oppération s'est déroulée sans problème.";
    }
}
/**
 * Escapes $recept with Secure::bdd() and echoes the result.
 *
 * @param mixed $recept value received from the request
 */
function retarg($recept)
{
    require_once './Secure.php';

    $secured = Secure::bdd($recept);
    echo $secured;
}
session_start();
// Removes the execution time limit for this request handler.
set_time_limit(0);
// Timezone
date_default_timezone_set('America/Mexico_City');
// Classes
require_once '../config.php';
require_once '../phpmailer/PHPMailerAutoload.php';
require_once '../include/Secure.php';
require_once '../include/Db.php';
require_once '../include/Fnc.php';
require_once '../include/Template.php';
// Objects
$db = new Db();
$fnc = new Fnc();
$mail = new PHPMailer();
$sec = new Secure();
$template = new Template();
// Original comment: "avoid SQL attacks". What secureGlobals() does to the
// superglobals is defined in include/Secure.php — verify there; escaping
// request data up front is not a substitute for parameterised queries in Db.
$sec->secureGlobals();
// Router key. addslashes() only backslash-escapes quotes; the value is then
// only compared against the case labels below.
if (empty($_POST['type'])) {
    $type = '';
} else {
    $type = addslashes($_POST['type']);
}
// Server router (the switch continues past the end of this excerpt)
switch ($type) {
    case 'form_contacto':
        form_contacto($db, $fnc);
        break;
    case 'form_login':
        // $data_email is not defined in the visible part of the file;
        // presumably it comes from ../config.php — confirm.
        form_login($db, $fnc, $mail, $data_email);
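<?php
/**
 * Created by Nicolas DUPUIS.
 * ---- LPSIL 2015-2016 ----
 * Date: 21/12/15
 * Time: 23:33
 */
include_once '../../model/gestion/Requete.php';
require_once './Secure.php';

/**
 * Runs the query that creates a category.
 *
 * POST fields: 'catname', 'idpere' (numeric parent id) and 'chx'. All three
 * now go through Secure::bdd() before reaching Requete::creerCategorie(); the
 * original read 'chx' unchecked and echoed it back to the page unescaped.
 */
// A missing 'chx' used to raise an undefined-index notice; default to ''.
$choix = isset($_POST['chx']) ? Secure::bdd($_POST['chx']) : '';

if (isset($_POST['catname']) && isset($_POST['idpere'])) {
    // Client-supplied values.
    $nom = Secure::bdd($_POST['catname']);
    $idp = Secure::bdd($_POST['idpere']);

    if (is_numeric($idp)) {
        $add = new Requete();
        $add->creerCategorie($idp, $nom, $choix);
        echo "L'opération s'est déroulée sans problème.";
        // Echoed back as feedback; HTML-escaped because it is user input.
        echo htmlspecialchars($choix, ENT_QUOTES, 'UTF-8');
    } else {
        echo "Requete non conforme -> vérifier le type de l'id.";
    }
}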
* Created by Nicolas DUPUIS. * ---- LPSIL 2015-2016 ---- * Date: 07/01/16 * Time: 23:27 */ include_once '../../model/gestion/Requete.php'; require_once '../../control/gestion/Secure.php'; /** * code pour transferer le fichier sur le site avec un id unique. */ /** * Controle et gère l'upload des images des produits * A améliorer */ $addnom = md5(uniqid(rand(), true)); //Pour la base de donnée.. $nom = "ski" . $addnom; //Pour le serveur $nomcomp = "../../model/images/ski" . $addnom; //Déplacement du fichier du rep temporaire du serveur vers le répertoire choisis. $resultat = move_uploaded_file($_FILES['fich']['tmp_name'], $nomcomp); if ($resultat) { echo "transfert réussi"; } $secid = Secure::bdd($_POST['refprodimg']); $img = new Requete(); $img->ajouterImage($secid, $nom); header('Location:../../control/gestion/explorer.php'); ?>
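/**
 * Authenticates a user by e-mail and password.
 *
 * On success the session receives the user's id, e-mail, active flag, group
 * id and group description, last_login is updated and true is returned;
 * false otherwise.
 *
 * @param string $in_email
 * @param string $in_pass plain-text password as submitted
 * @return bool
 */
public function login($in_email, $in_pass)
{
    $user_exists = $this->find($in_email);
    // The original dereferenced user_data[0] before checking the lookup result.
    if (!$user_exists || empty($this->user_data[0])) {
        return false;
    }
    $data = $this->user_data[0];

    // Constant-time, strict comparison: == would also match two digests that
    // look numeric ("0e...") and leaks timing.
    $computed = Secure::do_hash($in_pass, $data->salt);
    if (!hash_equals((string) $data->password, (string) $computed)) {
        return false;
    }

    // Fresh session id once authenticated, so an id fixed before login is
    // not carried over.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user']['id'] = $data->id;
    $_SESSION['user']['email'] = $data->email;
    $_SESSION['user']['active'] = $data->active;
    $_SESSION['user']['user_group_id'] = $data->user_group_id;
    $_SESSION['user_group']['descr'] = $data->descr;

    // Key order kept (id, last_login): update() may build its statement from it.
    $upd_user = array(
        'id' => $data->id,
        'last_login' => date("Y-m-d H:i:s", time()),
    );
    $this->update($upd_user);

    return true;
}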
$hid_inp_id = !empty($user2edit['id']) ? $user2edit['id'] : '';
// $hid_inp_id is echoed into an attribute below without escaping; it is the
// record id loaded by get_user() — presumably numeric, verify there.
?>
<input type="hidden" name="id" value="<?php echo $hid_inp_id; ?> " />
<!-- CSRF only protection <input type="hidden" name="csrf_tkn" value="<php echo Secure::csrf_generate()?>" /> -->
<?php
// build an array with all protected inputs and their values.
// frmlock_generate() presumably ties the token to these values so a tampered
// hidden id is detected on submit — confirm in Secure. NOTE(review): keep
// nothing between the closing ?> and the attribute's closing quote — any
// whitespace there becomes part of the submitted token.
$locked_inputs = array('id' => $hid_inp_id);
?>
<input type="hidden" name="frmlock_tkn" value="<?php echo Secure::frmlock_generate($locked_inputs); ?> " />
<div class="input-group col-md-6 row">
<div class="submit">
<input name="submit" class="col-md-offset-4 col-md-8" type="submit" value="Update"/>
</div>
</div>
</form>
</div>
<?php
// Debug output, kept disabled: dumping $_SESSION to the page would expose
// the session contents to the browser.
//echo "<pre>";
//print_r($_SESSION);
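/**
 * Login action.
 *
 * Already-authenticated users are redirected straight to the admin area or
 * the site root. On POST the CSRF token is checked, 'email' / 'password' are
 * validated and UsersModel::login() is attempted; the outcome is reported via
 * Out::flash(), with a redirect on success.
 */
public function login()
{
    $this->app->config->layout = "default";

    if ($this->check_logged()) {
        header("Location: " . ROOT_URI . ($this->isAdmin() ? '/admin' : ''));
        exit;
    }

    if (empty($_POST)) {
        return;
    }

    // CSRF check first; a missing token is passed as '' so the check fails
    // cleanly instead of raising an undefined-index notice.
    Secure::csrf_checknredir(isset($_POST['csrf_tkn']) ? $_POST['csrf_tkn'] : '');

    $this->user = new UsersModel();
    $in = new In();
    $validation = $in->validate_input($_POST, array(
        'email' => array('required' => 'true', 'valid_email' => 'true'),
        'password' => array('required' => 'true'),
    ));

    if (!$validation) {
        // Every validation error on its own line.
        $ers = '';
        foreach ($in->errors as $er) {
            $ers .= $er . "<br />";
        }
        Out::flash($ers);
        return;
    }

    if (!$this->user->login($_POST['email'], $_POST['password'])) {
        // Same message for an unknown e-mail and a wrong password.
        Out::flash('Wrong login.');
        return;
    }

    Out::flash($this->isAdmin() ? 'Welcome admin' : 'Welcome user');
    header("Location: " . ROOT_URI . ($this->isAdmin() ? '/admin' : ''));
    exit;
}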
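/**
 * Created by Nicolas DUPUIS.
 * ---- LPSIL 2015-2016 ----
 * Date: 05/01/16
 * Time: 01:28
 */
include_once '../../model/gestion/Requete.php';
require_once './Secure.php';

/**
 * Runs the query that adds a product.
 *
 * POST fields: 'catid' (numeric category id, required), 'name' and 'com'
 * (default to '' instead of raising an undefined-index notice when absent).
 * Every value is passed through Secure::bdd() before reaching Requete.
 */
if (isset($_POST['catid'])) {
    // Mandatory check: the values come from user input.
    $verifIdcat = Secure::bdd($_POST['catid']);
    $nom = Secure::bdd(isset($_POST['name']) ? $_POST['name'] : '');
    $comment = Secure::bdd(isset($_POST['com']) ? $_POST['com'] : '');

    if (is_numeric($verifIdcat)) {
        $add = new Requete();
        $result = $add->ajouterProduit($verifIdcat, $nom, $comment);
        echo $result ? "Requête effectuée" : "requête non effectuée";
    } else {
        echo "Requête non conforme.";
    }
} else {
    echo "Pas de paramètres";
}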
/**
 * Builds the user I/O backend selected by the 'io' key of the secure config.
 *
 * The config file is include'd so that $configXuSec becomes a local here.
 * 'file' and 'database' map to their UserIo* classes, 'ldap' yields null and
 * any other value stops the script.
 *
 * NOTE(review): the error message names PATH_CONTROLEUR_SECURE while the
 * config was loaded from PATH_USER_SECURE — confirm which one is meant.
 *
 * @return UserIoFile|UserIoDatabase|null
 */
private static function iou()
{
    include Secure::pathFile("config.php", PATH_USER_SECURE);
    $mode = $configXuSec['io'];

    // switch compares loosely, as the original did.
    switch ($mode) {
        case 'file':
            return new UserIoFile($configXuSec);
        case 'database':
            return new UserIoDatabase($configXuSec);
        case 'ldap':
            return null;
        default:
            die("plum.secure.php::iou() mode 'io' inconnu pour [" . PATH_CONTROLEUR_SECURE . "]");
    }
}
/**
 * Opens the secure connection for the given credentials and keeps the
 * handle returned by Secure::connect() in $this->secure.
 *
 * @param string $user
 * @param string $password
 */
public function connect($user, $password)
{
    $connection = Secure::connect($user, $password);
    $this->secure = $connection;
}
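/**
 * Builds the UPDATE statement for the selected table.
 *
 * Column names are the keys of $input; a '?' placeholder is generated for
 * each value and the values are kept in $this->values for the later execute.
 * When $this->secure is on and a 'password' key is present the value is run
 * through Secure::make() first. When $this->timestamps is on,
 * ", updated_at = now()" is appended.
 *
 * @param array $input column => value pairs
 * @return static|string $this for chaining, or an error message when no table
 *                       has been selected (kept for existing callers)
 * @throws InvalidArgumentException when $input is empty or a key is not an
 *                                  identifier — keys are interpolated into the
 *                                  SQL and cannot be bound as parameters
 */
public function update(array $input)
{
    if ($this->secure == true && isset($input['password'])) {
        $s = new Secure();
        $input['password'] = $s->make($input['password']);
    }

    $fields = array_keys($input);
    if (count($fields) === 0) {
        throw new InvalidArgumentException('update() needs at least one column.');
    }
    // Keys end up verbatim in the statement: accept only identifier-like
    // names (optionally "table.column") so a caller-supplied key cannot
    // carry SQL.
    foreach ($fields as $field) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', (string) $field)) {
            throw new InvalidArgumentException("Invalid column name: {$field}");
        }
    }
    $this->values = array_values($input);

    if (!isset($this->table)) {
        return "Please choose a table first using the selectTable function.";
    }

    // "col1= ?, col2= ?" — same spacing as the previous loop produced.
    $sql = "UPDATE " . $this->table . " SET " . implode('= ?, ', $fields) . '= ?';
    if ($this->timestamps == true) {
        $sql .= ", updated_at = now()";
    }
    $this->sql = $sql;

    return $this;
}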
/**
 * @param array  $data   payload handed to Secure::sign() and then kept in $this->data
 * @param string $type
 * @param string $secret
 */
public function __construct(array $data, $type, $secret)
{
    // Secure::sign() runs before $data is stored; whether it modifies $data
    // in place (by-reference parameter) or only has side effects is decided
    // in Secure, so the call order is kept as is.
    Secure::sign($data, $type, $secret);
    $this->data = $data;
}
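// PHP's own error messages are disabled: only the messages we choose reach
// the client (perceived reliability) and nothing about the environment leaks.
ini_set("display_errors", 0);
error_reporting(0);

/**
 * Runs the equipment reservation query.
 *
 * The six visitor-typed fields are required. 'mat' (equipment id) is not
 * typed by the visitor but has travelled through the client and may have been
 * replaced or dropped, so it is escaped like the others and — unlike before —
 * read with an isset() guard instead of raising an undefined-index notice.
 */
require '../../control/gestion/Secure.php';
include_once '../../model/gestion/RequeteRESA.php';

$requiredFields = array('name', 'forname', 'adr', 'letter', 'deb', 'end');
$allPresent = true;
foreach ($requiredFields as $field) {
    if (!isset($_POST[$field])) {
        $allPresent = false;
        break;
    }
}

if ($allPresent) {
    // Every value is escaped with Secure::bdd() because it comes from the client.
    $nom = Secure::bdd($_POST['name']);
    $prenom = Secure::bdd($_POST['forname']);
    $adresse = Secure::bdd($_POST['adr']);
    $mail = Secure::bdd($_POST['letter']);
    $datedeb = Secure::bdd($_POST['deb']);
    $datefin = Secure::bdd($_POST['end']);
    $idmat = Secure::bdd(isset($_POST['mat']) ? $_POST['mat'] : '');

    $appel = new RequeteRESA();
    $retour = $appel->reservationMateriel($nom, $prenom, $adresse, $mail, $datedeb, $datefin, $idmat);

    if ($retour) {
        echo "<h4><span class='glyphicon glyphicon-thumbs-up' aria-hidden='true'></span> Votre réservation est confirmée.";
        echo "</br></br>Merci de patienter, retour à l'accueil...</h4>";
    } else {
        echo "La réservation n'a pu être faite.";
    }
} else {
    echo "Recommencer SVP";
}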
<?php
/**
 * Created by Nicolas DUPUIS.
 * ---- LPSIL 2015-2016 ----
 * Date: 05/01/16
 * Time: 15:31
 */
include_once '../../model/gestion/Requete.php';
require_once './Secure.php';

/**
 * Runs the query that changes a product's characteristics: 'refr' (numeric
 * id), 'namp' (name) and 'txt' (text) are passed through Secure::bdd() before
 * Requete::changerProduit() is called.
 */
if (isset($_POST['refr'], $_POST['namp'], $_POST['txt'])) {
    // All three values come from the client.
    $productName = Secure::bdd($_POST['namp']);
    $productId = Secure::bdd($_POST['refr']);
    $productText = Secure::bdd($_POST['txt']);

    if (!is_numeric($productId)) {
        echo "Requete non conforme -> vérifier le type de l'id.";
    } else {
        $query = new Requete();
        $query->changerProduit($productId, $productName, $productText);
        echo "L'oppération s'est déroulée sans problème.";
    }
}
<?php
/**
 * Created by Nicolas DUPUIS.
 * ---- LPSIL 2015-2016 ----
 * Date: 20/12/15
 * Time: 02:09
 */
include_once '../../model/gestion/Requete.php';
require_once './Secure.php';

/**
 * Runs the query that deletes a category.
 * Not used, as it was not requested; also dangerous, since a wrong click can
 * lose data.
 */
if (isset($_POST['num'])) {
    // Mandatory check: the value comes from a user input.
    $categoryId = Secure::bdd($_POST['num']);

    if (!is_numeric($categoryId)) {
        echo "Requête non conforme.";
    } else {
        $query = new Requete();
        $code = $query->effacerCategorie($categoryId);

        // As the branch order implies: null means no query was run, a value
        // loosely equal to 0 (== 00 as in the original, so a numeric string
        // such as "00000" also matches) means success, anything else is an
        // error code.
        if (is_null($code)) {
            echo "Aucun requête n'a été faite.";
        } elseif ($code == 00) {
            echo "La requête à été effectuée.";
        } else {
            echo "Un code d'erreur à été retourné.";
        }
    }
}
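/**
 * Marks the current session as logged in for account $id.
 *
 * A Secure session guard is opened first (the cb / cib options are defined
 * by Secure), then the user id and password hash are stored in the session,
 * where userCheck() reads them back.
 *
 * @param int    $id       account id
 * @param string $passhash account password hash
 * @return bool always true
 */
public function setLoggedIn($id, $passhash)
{
    // Fresh session id on login, so an id fixed before authentication is not
    // carried over; the session data itself is kept.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    $ss = new Secure();
    $ss->cb = true;
    $ss->cib = 2;
    $ss->open();
    unset($ss);

    $_SESSION['uid'] = $id;
    $_SESSION['pass'] = $passhash;

    return true;
}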
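/**
 * Validates the current session against the auth database and loads the
 * user record into $CURUSER.
 *
 * Returns silently when the session holds no user, or when the id / stored
 * hash have an invalid shape. Clears $_SESSION when the account does not
 * exist, when the hash does not match, when $ACP is set and the account may
 * not use the admin panel, or when the Secure session check fails. Otherwise
 * the auth row — merged with the website's account_data row when there is
 * one — is handed to $CURUSER->setrecord() and the session is tagged as
 * logged.
 *
 * @param bool $ACP true when checking access to the admin control panel
 */
public static function userCheck($ACP = false)
{
    global $CURUSER, $AUTH_DB, $DB, $CORE;

    // Not logged in: nothing to check.
    if (!isset($_SESSION['uid']) || !isset($_SESSION['pass'])) {
        return;
    }

    $id = (int) $_SESSION['uid'];
    // No id, or a hash that is not 40 characters long (the length stored in
    // sha_pass_hash). As before this only returns, the session is not cleared.
    if (!$id || strlen($_SESSION['pass']) != 40) {
        return;
    }

    $columns = CORE_COLUMNS::get('accounts');

    $res = $AUTH_DB->prepare("SELECT * FROM `" . $columns['self'] . "` WHERE `" . $columns['id'] . "` = :id LIMIT 1");
    $res->bindParam(':id', $id, PDO::PARAM_INT);
    $res->execute();
    $row = $res->fetch();
    unset($res);

    // No account with that id: empty the session.
    if (!$row) {
        $_SESSION = array();
        return;
    }

    // Constant-time comparison of the session hash with the stored one,
    // case-insensitive as before; a plain !== leaks timing.
    if (!hash_equals(strtolower((string) $row['sha_pass_hash']), strtolower((string) $_SESSION['pass']))) {
        $_SESSION = array();
        return;
    }

    if ($ACP) {
        $perms = new Permissions($row[$columns['id']]);
        if (!$perms->IsAllowedToUseACP()) {
            $_SESSION = array();
            return;
        }
        $CURUSER->setPermissionsObject($perms);
    }

    // Secure's own session check (cb / cib options are defined by Secure); a
    // failed check is treated as a stolen session and the session is emptied.
    $ss = new Secure();
    $ss->cb = true;
    $ss->cib = 2;
    if (!$ss->check()) {
        unset($ss);
        $_SESSION = array();
        return;
    }
    unset($ss);

    $res = $DB->prepare("SELECT * FROM `account_data` WHERE `id` = :id LIMIT 1");
    $res->bindParam(':id', $id, PDO::PARAM_INT);
    $res->execute();
    $webRow = $res->fetch(PDO::FETCH_ASSOC);
    unset($res);

    // Translate the auth row to the CMS column names (explicitly initialised;
    // the original grew the array from an undefined variable).
    $newRow = array(
        'id' => $row[$columns['id']],
        'username' => $row[$columns['username']],
        'shapasshash' => $row[$columns['shapasshash']],
        'lastip' => $row[$columns['lastip']],
        'lastlogin' => $row[$columns['lastlogin']],
        'flags' => $row[$columns['flags']],
        'email' => $row[$columns['email']],
        'joindate' => $row[$columns['joindate']],
        'recruiter' => $row[$columns['recruiter']],
    );
    // Website row wins on shared keys.
    if ($webRow) {
        $newRow = array_merge($newRow, $webRow);
    }

    $CURUSER->setrecord($newRow);
    unset($row, $newRow);

    if (!isset($_SESSION['logged'])) {
        $_SESSION['logged'] = '1';
    }
}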