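/**
 * Opens the door and redirects the browser.
 *
 * Posts a fixed "open" request to the door controller over a raw HTTP
 * socket and drains the reply. On success the browser is sent to
 * welcomeback.html and the caller's MAC is registered on the gateway host
 * via SSH; if the controller is unreachable the browser goes to
 * dooroffline.html and mail_and_die() (mailer.php) reports the socket
 * error and ends the script.
 *
 * @param string|null $mac MAC address handed to add_mac.sh. The original
 *        read an undefined `$mac` here (null, which concatenates as an
 *        empty string), so callers that pass nothing keep that behaviour
 *        apart from the quoting: add_mac.sh now receives an explicit
 *        empty argument instead of none.
 */
function open_door($mac = null)
{
    // TEMP: use md5sum over Date, random salt and shared secret
    // Until that signed request exists the PIN/action are a fixed literal.
    $req = "pin=0326&action=open";
    // HTTP POST request
    $header = "POST / HTTP/1.1\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    // Open a socket for the acknowledgement request
    $fp = fsockopen('10.0.10.10', 80, $errno, $errstr, 30);
    if ($fp) {
        fputs($fp, $header . $req);
        // Read the reply to completion; its content is not inspected.
        while (!feof($fp)) {
            fgets($fp, 1024);
        }
        fclose($fp);
        header('Location: welcomeback.html', true, 303);
        // $mac lands on a shell command line: quote it so it is always passed
        // as one argument, whatever characters it contains.
        exec('/usr/bin/ssh -i /var/rpc_id_rsa root@10.0.10.5 ./add_mac.sh ' . escapeshellarg((string) $mac));
    } else {
        header('Location: dooroffline.html', true, 303);
        require_once 'mailer.php';
        mail_and_die('The door is offline', 'fsockopen returned: ' . $errstr);
    }
}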
<?php

require 'inc/common.php';
require 'inc/mailer.php';
require 'inc/db.php';
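// Find known MAC address
$mac = find_mac();
// Members are stored (by the PIN login script) as sha1('salT' . mac); an
// unknown MAC gets a placeholder no hex digest can equal, so the UPDATE
// below then matches nothing.
$mac2 = $mac ? sha1('salT' . $mac) : 'whatever';
// One changed row = a paid-up member with this MAC; count is the visit counter.
// sha1() output is hex only, so $mac2 is safe to interpolate here.
$link->exec("UPDATE Users SET count = count + 1 WHERE DATE('now') <= paid AND mac = '{$mac2}'") or mail_and_die('link->exec UPDATE error', __FILE__);
// SQLite3::changes() returns an int, so compare strictly.
if ($link->changes() === 1) {
    open_door();
} else {
    header('Location: index.html', true, 303);
}
$link->close();
unset($link);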
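// TODO: generate this salt
// NOTE(review): with a constant salt the PIN below is fully determined by the
// e-mail address, so it offers no secrecy beyond the address itself. A
// per-member random salt (random_bytes) would fix that; it is left alone here
// because it would also change a member's PIN on every renewal.
$salt = 'salT';
// Friendlier pincode instead of password
// & 0x7fffffff removes the sign: crc32() can return a negative int on 32-bit builds.
$crc = crc32($salt . strtoupper($email)) & 0x7fffffff;
// Six decimal digits, zero-padded.
$password = sprintf("%06u", $crc % 1000000);
// $amount is interpolated unquoted into SQL below and SQLite3::exec() runs any
// number of statements, so refuse anything that is not a plain number.
is_numeric($amount) or mail_and_die('wrong amount', __FILE__);
require 'inc/db.php';
$email2 = $link->escapeString($email);
$password2 = $link->escapeString($password);
$salt2 = $link->escapeString($salt);
// INSERT OR IGNORE: an existing address is left untouched and changes() stays 0.
$link->exec("INSERT OR IGNORE INTO Users (email,since) VALUES('{$email2}',DATETIME('now'))") or mail_and_die('link->exec INSERT Users error', __FILE__);
$isnew = $link->changes() === 1;
$link->exec("INSERT INTO Payments (email, submitted, amount) VALUES('{$email2}', DATETIME('now'), {$amount})") or mail_and_die('link->exec INSERT Payments error', __FILE__);
// Give new members the benefit of the doubt (trust, but verify):
// FIXME: might fail because of unique password (change salt)
// Extends paid from the later of (current paid, today) by $months, which is
// assumed to be the int chosen from the amount whitelist upstream — confirm.
// NOTE(review): $password2 is escaped above but the UPDATE writes a literal;
// presumably it should interpolate '{$password2}' — confirm.
$link->exec("UPDATE Users SET paid = DATE(MAX(IFNULL(paid,0), DATE('now')),'+{$months} MONTH'), salt = '{$salt2}', password = '******' WHERE email = '{$email2}'") or mail_and_die('link->exec UPDATE error', __FILE__);
if ($link->changes() !== 1) {
    mail_and_die('link->changes should be 1', __FILE__);
}
$link->close();
unset($link);
$subject = 'Welcome to Xinchejian 欢迎加入新车间';
$body = "Welcome! 欢迎!\n\nYou can now open the door by going to http://bouncer/\nPIN: {$password}\n\nNote that your access will be revoked if no payment was made.\n\n-- the script that sends out these emails";
mailer($email, $subject, $body);
$neworold = $isnew ? "New" : "Old";
mailer('*****@*****.**', "{$neworold} member: {$email}, paid {$amount} for {$months} month(s).", '-- ' . __FILE__);
header('Location: welcome.html', true, 303);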
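// Look the requester's IP up in the neighbour table. Default to "no MAC
// update" so the UPDATE below is still well-formed when nothing matches
// (the original left $mac2 undefined in that case).
$mac2 = '';
foreach ($lines as $line) {
    $cols = preg_split('/\\s+/', trim($line));
    // Blank or short lines have no column 1; skip them instead of reading past the end.
    // Strict compare assumes $ipAddress is a string such as REMOTE_ADDR — confirm.
    if (isset($cols[1]) && $cols[1] === $ipAddress) {
        $macCol = isset($cols[3]) ? $cols[3] : '';
        $mac2 = ', mac = "' . mysql_real_escape_string($macCol, $link) . '"';
        break;
    }
}
// $password2 is expected to arrive already escaped and quoted from the code above.
mysql_query('UPDATE members.Users SET count = count + 1' . $mac2 . " WHERE CURDATE() <= paid AND password = {$password2}", $link) or mail_and_die('mysql_query UPDATE error');
// Exactly one changed row means a current member with this PIN.
if (mysql_affected_rows($link) !== 1) {
    header('HTTP/1.1 403 Forbidden');
    print "Access denied";
} else {
    // TEMP: use md5sum over Date, random salt and shared secret
    $req = "pin=0326&action=open";
    header('HTTP/1.1 200 OK');
    // HTTP POST request
    $header = "POST / HTTP/1.1\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    // Open a socket for the acknowledgement request
    $fp = fsockopen('10.0.10.10', 80, $errno, $errstr, 30) or mail_and_die('fsockopen returned ' . $errstr);
    fputs($fp, $header . $req);
    // Read the controller's reply to completion; its content is not inspected.
    while (!feof($fp)) {
        fgets($fp, 1024);
    }
    fclose($fp);
    header('HTTP/1.1 303 See Other');
    header("Location: /welcomeback.html");
}
mysql_close($link);
unset($link);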
  </script>
</head>
<body>
 <h1>Unverified Payments</h1>
 <table>
  <thead>
   <tr>
    <th>E-mail</th>
    <th>Submitted</th>
    <th>Amount</th>
    <th>Verified?</th>
   </tr>
  </thead>
  <tbody><?php 
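// add SetEnv MYSQL_PASSWORD "blah" to this site's Apache conf
// The password comes from the environment so it never sits in the document root.
$link = mysql_connect('localhost', 'webuser', getenv('MYSQL_PASSWORD')) or mail_and_die('mysql_connect error');
// Payments not yet accepted or rejected by an admin; these rows feed the table below.
// Report a failure the same way as the connect above instead of a silent die().
$result = mysql_query("SELECT id,email,submitted,amount FROM members.Payments WHERE verified IS NULL;", $link) or mail_and_die('mysql_query SELECT error');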
while ($row = mysql_fetch_assoc($result)) {
    ?>
   <tr>
    <td><?php 
    echo $row['email'];
    ?>
</td>
    <td><?php 
    echo $row['submitted'];
    ?>
</td>
    <td><?php 
    echo $row['amount'];
    ?>
<?php

require_once 'mailer.php';
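// SQLite3's constructor throws on failure rather than returning false, so an
// `or mail_and_die(...)` after `new` could never run; catch the exception instead.
try {
    $link = new SQLite3('/var/bouncer/members.db');
} catch (Exception $e) {
    mail_and_die('SQLite3 ctor error', __FILE__);
}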
</head>
<body>
 <h1>Unverified Payments</h1>
 <table style="width:100%">
  <thead>
   <tr>
    <th>E-mail</th>
    <th>Submitted</th>
    <th>Amount</th>
    <th>Verified?</th>
   </tr>
  </thead>
  <tbody><?php 
require 'inc/mailer.php';
require 'inc/db.php';
// Payments awaiting an admin decision; submitted is cast so only the date part is listed.
$sql = "SELECT id,email,CAST(submitted AS DATE) as submitted,amount FROM Payments WHERE verified IS NULL;";
$result = $link->query($sql) or mail_and_die('link->query SELECT error', __FILE__);
while ($row = $result->fetchArray()) {
    ?>
   <tr>
    <td><?php 
    echo $row['email'];
    ?>
</td>
    <td><?php 
    echo $row['submitted'];
    ?>
</td>
    <td><?php 
    echo $row['amount'];
    ?>
</td>
require 'mailer.php';
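// Admin decision on a payment, passed in the query string:
//   id     - Payments row id
//   ok     - 1 to accept, 0 to reject
//   email  - member address (used to roll the paid date back on reject)
//   amount - must be one of the known membership prices
// Missing parameters default to 0 / '' instead of raising undefined-index notices;
// the results are the same as the original's (int) null and urldecode(null).
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$ok = isset($_GET['ok']) ? (int) $_GET['ok'] : 0;
// NOTE(review): $_GET is already URL-decoded by PHP; this second decode turns a
// literal '+' in an address into a space — confirm it is intended.
$email = isset($_GET['email']) ? urldecode($_GET['email']) : '';
$amount = isset($_GET['amount']) ? $_GET['amount'] : '';
// Whitelist of prices -> months; anything else aborts before touching the DB.
// Loose comparison kept on purpose: the value is a query-string string.
if ($amount == '100') {
    $months = 1;
} elseif ($amount == '450') {
    $months = 6;
} else {
    mail_and_die('wrong amount');
}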
/**
 * Reports an error to the admin mailbox and stops the script.
 *
 * @param mixed $m message text; it is both mailed and used as the exit payload.
 */
function mail_and_die($m)
{
    $subject = 'Error in ' . __FILE__;
    mailer('*****@*****.**', $subject, $m);
    exit($m);
}
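// add SetEnv MYSQL_PASSWORD "blah" to this site's Apache conf
$link = mysql_connect('localhost', 'webuser', getenv('MYSQL_PASSWORD')) or mail_and_die('mysql_connect error');
$email2 = '"' . mysql_real_escape_string($email, $link) . '"';
// Re-cast the numeric values here so this block is safe on its own, whatever
// the parsing above did (no-op when they are already ints).
$id = (int) $id;
$ok = (int) $ok;
$months = (int) $months;
mysql_query("UPDATE members.Payments SET verified = {$ok} WHERE id = {$id}", $link) or mail_and_die('mysql_query UPDATE Payments error');
if ($ok) {
    // NOTE(review): $id is a Payments id but is matched against Users.id here,
    // while the reject branch keys on e-mail — confirm this is the intended key.
    mysql_query("UPDATE members.Users SET paid_verified = paid WHERE id = {$id}", $link) or mail_and_die('mysql_query UPDATE Users error');
} else {
    // Rejected: presumably takes back the months granted on trust at registration.
    // No notification goes to the member (a mailer() call here had been commented out).
    mysql_query("UPDATE members.Users SET paid = paid - INTERVAL {$months} MONTH WHERE email = {$email2}", $link) or mail_and_die('mysql_query UPDATE Users error');
}
mysql_close($link);
unset($link);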
<?php

require 'inc/common.php';
require 'inc/mailer.php';
require 'inc/db.php';
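// PIN from the login form; a missing field becomes '' (matches no row) instead of a notice.
$password = isset($_POST['password']) ? $_POST['password'] : '';
$password2 = $link->escapeString($password);
// Register MAC address
// Stored as sha1('salT' . mac), the same form the MAC check-in script looks up.
$mac = find_mac();
$mac2 = $mac ? ", mac = '" . sha1('salT' . $mac) . "'" : '';
// Exactly one changed row = a current member with this PIN: bump the visit
// counter, remember the MAC and open the door; otherwise deny.
// NOTE(review): $password2 is escaped above but the UPDATE compares against a
// literal; presumably it should interpolate '{$password2}' — confirm.
$link->exec('UPDATE Users SET count = count + 1' . $mac2 . " WHERE DATE('now') <= paid AND password = '******'") or mail_and_die('link->exec UPDATE error', __FILE__);
if ($link->changes() !== 1) {
    header('Location: accessdenied.html', true, 303);
} else {
    open_door();
}
$link->close();
unset($link);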
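$email2 = $link->escapeString($email);
// The payment id is an integer key; cast it so the interpolations below are
// safe on their own (no-op when it was already cast upstream).
$paymentid = (int) $paymentid;
// Report failures like the rest of the script instead of a silent die().
$result = $link->query("SELECT email,amount FROM Payments WHERE id = {$paymentid};") or mail_and_die('link->query SELECT error', __FILE__);
// $amount is only set when the payment row exists; otherwise the whitelist below aborts.
if ($row = $result->fetchArray()) {
    $amount = $row['amount'];
}
// Map the paid amount to a membership length (900 and 5000 are both 12-month tiers).
// Loose comparison kept on purpose: the column may come back as int or string.
if ($amount == '100') {
    $months = 1;
} elseif ($amount == '450') {
    $months = 6;
} elseif ($amount == '900') {
    $months = 12;
} elseif ($amount == '5000') {
    $months = 12;
} else {
    mail_and_die('wrong amount', __FILE__);
}
$ok = (int) $ok;
$link->exec("UPDATE Payments SET verified = {$ok} WHERE id = {$paymentid}") or mail_and_die('link->exec UPDATE Payments error', __FILE__);
if ($ok) {
    // Accepted: paid_verified = payment date + months. The original wrote
    // `+ INTERNAL N MONTH`, which is not SQLite syntax (the exec would fail and
    // mail_and_die); DATE(..., '+N MONTH') is the form the reject branch uses.
    $link->exec("UPDATE Users SET paid_verified = DATE((SELECT submitted FROM Payments WHERE id = {$paymentid}), '+{$months} MONTH') WHERE email = '{$email2}'") or mail_and_die('link->exec UPDATE Users error', __FILE__);
} else {
    // Rejected: presumably takes back the months granted on trust at registration.
    // No notification goes to the member (a mailer() call here had been commented out).
    $link->exec("UPDATE Users SET paid = DATE(paid, '-{$months} MONTH') WHERE email = '{$email2}'") or mail_and_die('link->exec UPDATE Users error', __FILE__);
}
$link->close();
unset($link);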
        $macAddr = $cols[3];
    }
}
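// TODO: generate this salt
// NOTE(review): with a constant salt the PIN below is fully determined by the
// e-mail address, so it offers no secrecy beyond the address itself. A
// per-member random salt (random_bytes) would fix that; it is left alone here
// because it would also change a member's PIN on every renewal.
$salt = 'salT';
// Friendlier pincode instead of password
// & 0x7fffffff removes the sign: crc32() can return a negative int on 32-bit builds.
$crc = crc32($salt . strtoupper($email)) & 0x7fffffff;
// Six decimal digits, zero-padded.
$password = sprintf("%06u", $crc % 1000000);
// add SetEnv MYSQL_PASSWORD "blah" to this site's Apache conf
$link = mysql_connect('localhost', 'webuser', getenv('MYSQL_PASSWORD')) or mail_and_die('mysql_connect error');
// Every string is escaped with the connection-aware escaper and quoted here, so
// the queries below interpolate them directly; $months is cast to a plain int.
$email2 = '"' . mysql_real_escape_string($email, $link) . '"';
$amount2 = '"' . mysql_real_escape_string($amount, $link) . '"';
$password2 = '"' . mysql_real_escape_string($password, $link) . '"';
$salt2 = '"' . mysql_real_escape_string($salt, $link) . '"';
$months = (int) $months;
// INSERT IGNORE: an existing address is left untouched.
mysql_query("INSERT IGNORE members.Users (email,since) VALUES({$email2},NOW())", $link) or mail_and_die('mysql_query INSERT Users error');
mysql_query("INSERT members.Payments (email, submitted, amount) VALUES({$email2}, NOW(), {$amount2})", $link) or mail_and_die('mysql_query INSERT Payments error');
// Give new members the benefit of the doubt (trust, but verify):
// FIXME: might fail because of unique password (change salt)
// Extends paid from the later of (current paid, today) by $months and stores the PIN.
mysql_query("UPDATE members.Users SET paid = IF(CURDATE()<paid,paid,CURDATE()) + INTERVAL {$months} MONTH, salt = {$salt2}, password = {$password2} WHERE email = {$email2}", $link) or mail_and_die('mysql_query UPDATE error');
// mysql_affected_rows() returns an int, so compare strictly.
if (mysql_affected_rows($link) !== 1) {
    mail_and_die('mysql_affected_rows != 1');
}
mysql_close($link);
unset($link);
$subject = 'Welcome to Xinchejian 欢迎加入新车间';
$body = "Welcome! 欢迎!\n\nYou can now open the door by going to http://bouncer/\nPIN: {$password}\n\nNote that your access will be revoked if no payment was made.\n\n-- the script that sends out these emails";
mailer($email, $subject, $body);
mailer('*****@*****.**', "New member: {$email}, paid {$amount} for {$months} month(s).", '-- the script that sends out these emails');
header('HTTP/1.1 303 See Other');
header("Location: /welcome.html");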