Takes an uploaded file as input, as well as the page title
Checks if the file is an acceptable file type, and is within the size limits
Then checks if the relevant directory exists (directories within Upload are organised by page title)
The file is then moved from the temporary storage to the correct location
Finally, the user is redirected back to the display page
*/
// Includes for DB setup and the extractSanitiseVar function
include 'config.php';
include 'db.php';
include 'utils.php';
if (isset($_POST['pageTitle']) && isset($_POST['content'])) {
    // Page title and new content are set in the POST request
    // Title, new content and last editor's username are extracted and sanitised
    $pageTitle = extractSanitiseVar('pageTitle', '');
    $content = extractSanitiseVar('content', '');
    $username = extractSanitiseVar('username', '');
    // New date and time created for entry into the DB - formatted for MySQL DATETIME
    $daytime = date("Y-m-d H:i");
    // DB setup - connects and selects
    connectAndSelectDB();
    // Inserts the new edit into the Edits table
    $query = "INSERT INTO Edits (content, pageTitle, dateTimeModified, username) VALUES ('{$content}', '{$pageTitle}', '{$daytime}', '{$username}')";
    mysql_query($query);
    // Gets the id from the edit insertion, so that it can be used in the Pages table
    $id = mysql_insert_id();
    if (isset($_POST['isNew'])) {
        // The isNew flag is set
        // Storing a new page - a new entry needs to be inserted into the Pages table
        // Inserts the new page into Page table
        $query = "INSERT INTO Pages (pageTitle, lastEditId) VALUES ('{$pageTitle}', '{$id}')";
        mysql_query($query);
Hashes and salts the password for security, then stores in the DB
Cookie is set on success and user redirected to the Home page
*/
// Includes for DB setup and extractSanitiseVar functions
include '../../lib/db.php';
include '../../lib/config.php';
include '../../lib/utils.php';
// Include for setLoginCookie function
include 'loginUtils.php';
// Connects and selects the database
// NOTE(review): presumably opens the ext/mysql link that db.php wraps, which the
// mysql_query() calls elsewhere in this codebase use implicitly; the mysql_*
// functions were removed in PHP 7 — confirm in db.php before running on a
// current interpreter.
connectAndSelectDB();
if (isset($_POST['username']) && $_POST['password']) {
    // Username and password are set
    // Extracts and sanitises the username and password
    $username = extractSanitiseVar('username', '');
    $password = extractSanitiseVar('password', '');
    /*
    NOTE: Following code adapted from http://elbertf.com/2010/01/store-passwords-safely-with-php-and-mysql/
        A random salt is generated and appended to the given password to generate a hash
        This is then hashed 100000 times for extra security
        The salt is then appended to the hash, so that the salt can be retrieved later (i.e. on log in)
    */
    // Create a 256 bit (64 characters) long random salt
    // Add 'something random' and the username to the salt as well for added security
    $salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));
    // Prefix the password with the salt
    $hash = $salt . $password;
    // Hash the salted password 100000 times
    for ($i = 0; $i < 100000; $i++) {
        $hash = hash('sha256', $hash);
    }
<?php

/*
Read API for page content - i.e. the notes
Takes the page title as input from the request
Outputs a JSON object with all the page content and metadata
*/
// Includes for DB setup and extractSanitiseVar function
include '../../lib/config.php';
include '../../lib/db.php';
include '../../lib/utils.php';
if (isset($_REQUEST['title'])) {
    // Title is set in GET or POST request
    // Title is extracted and sanitised
    $pageTitle = extractSanitiseVar('title', '');
    // DB setup - connects and selects
    connectAndSelectDB();
    // Query for the DB. Join of Pages and Edits table to allow access to all data
    // Pulls title, date (formatted correctly), page content, username of last editor, whether the page is locked, and whether it is featured
    $query = "SELECT Edits.id, Pages.pageTitle, content, DATE_FORMAT(dateTimeModified, '%h:%i%p %e %b %Y') AS dateTimeModified, username, isLocked, isFeatured FROM Pages JOIN Edits ON Pages.lastEditId = Edits.id WHERE Pages.pageTitle = '{$pageTitle}'";
    $rows = mysql_query($query);
    if (mysql_num_rows($rows) == 0) {
        // If no matches in the DB are found, a 404 Not Found is returned
        header("HTTP/1.0 404 Not Found");
        header("x-failure-details: No page with this title");
    }
    // Initialises an empty array
    $array = array();
    while ($line = mysql_fetch_assoc($rows)) {
        // For each line in the returned DB result
        // Page content is passed through the Markdown script
     // Only an id has been set - only that particular edit is to be returned
     // Extracts and sanitises the id variable
     $id = extractSanitiseVar('id', '');
     // Sets the relevant DB query fragment
     $id = "AND id = {$id}";
 } else {
     if (isset($_REQUEST['from'])) {
         // Only "from" has been set - all edits from that edit to the current edit are to be returned
         // Extracts and sanitises the from variable
         $from = extractSanitiseVar('from', '');
         // Sets the relevant DB query fragment
         $id = "AND id >= {$from}";
         if (isset($_REQUEST['to'])) {
             // Both "from" and "to" have been set - the range of edits between those ids is to be returned
             // Extracts and sanitises the to variable
             $to = extractSanitiseVar('to', '');
             // Sets the relevant DB query fragment
             $id = "AND id BETWEEN {$from} AND {$to}";
         }
     } else {
         // No id has been set, so the DB query fragment is empty
         $id = "";
     }
 }
 // Query for the DB. Pulls data from Edits table where the title matches
 // Id variable holds query fragment if id is set in request
 // NOTE(review): $query is built by string interpolation. $pageTitle sits inside
 // quotes, but $id is a raw "AND id ..." fragment assembled above from the
 // request values id / from / to, which are interpolated unquoted and never
 // checked to be integers. Whatever extractSanitiseVar() does, quote-escaping
 // cannot protect an unquoted numeric position. Cast those values with (int)
 // where the fragment is built, or use a prepared statement with bound
 // parameters (mysqli/PDO) — ext/mysql itself was removed in PHP 7.
 $query = "SELECT * FROM Edits WHERE pageTitle = '{$pageTitle}' {$id} ORDER BY id DESC";
 // mysql_query() returns false on error; nothing here checks for that before the
 // result is handed to mysql_num_rows() below.
 $rows = mysql_query($query);
 if (mysql_num_rows($rows) == 0) {
     // If no matches in the DB are found, a 404 Not Found is returned
     header("HTTP/1.0 404 Not Found");
Takes the search query from the GET request (this is optional - if no query is provided, a blank search box is shown)
This is used to query the DB either to find an exact match, or to find some text within a page that matches
A list of matches is then displayed
*/
// Includes for DB setup and extractSanitiseVar function
include 'lib/config.php';
include 'lib/db.php';
include 'lib/utils.php';
// Include to pull the header (including <head> section) from the header file
include 'common/header.php';
// Connects and selects the DB
// NOTE(review): presumably opens the ext/mysql link that db.php wraps; the
// mysql_query() calls below pass no link argument and so rely on it implicitly.
// The mysql_* functions were removed in PHP 7 — confirm in db.php.
connectAndSelectDB();
if (isset($_GET['search'])) {
    // A search query is provided in the GET request
    // The query is extracted and sanitised
    $search = extractSanitiseVar('search', '');
    // DB query - searches for exact match to a page title
    $query = "SELECT Pages.pageTitle, content FROM Pages JOIN Edits ON Pages.lastEditId = Edits.id WHERE Pages.pageTitle='{$search}'";
    $rows = mysql_query($query);
    if (mysql_num_rows($rows) == 1) {
        // Page with exact title match found
        $line = mysql_fetch_assoc($rows);
        $pageTitle = $line['pageTitle'];
        // User is redirected to the page matching the search
        header("Location: ./index.php?title={$pageTitle}");
    } else {
        // No page with exact title match found
        // User provided with a search page of possible matches
        // DB query - searches for non-exact matches to a page title or within page content
        $query = "SELECT Pages.pageTitle, content FROM Pages JOIN Edits ON Pages.lastEditId = Edits.id WHERE Pages.pageTitle LIKE '%{$search}%' OR content LIKE '%{$search}%'";
        $rows = mysql_query($query);