Esempio n. 1
	under the BSD-type license at http://basepath.com/aup/copyright.htm.
*/
require_once 'lib/common.php';
use PDOException;
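class MyPage extends Page
{
    /**
     * Render the single-field form, echoing the previously submitted value
     * back into the input.
     *
     * Both the submitted value and PHP_SELF are request-controlled and are
     * emitted inside single-quoted HTML attributes, so each is escaped for
     * that context (ENT_QUOTES covers the single quote) before it reaches
     * the heredoc; without this the page reflects input verbatim.
     */
    protected function request()
    {
        // Ignore non-string submissions (field[]=...) rather than emitting them.
        $val = isset($_POST['field']) && is_string($_POST['field']) ? $_POST['field'] : '';
        $val = htmlspecialchars($val, ENT_QUOTES, 'UTF-8');
        // PHP_SELF mirrors the request path and is therefore attacker-influenced.
        $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
        $self = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
        echo <<<EOT
    <form action='{$self}' method=post
      accept-charset=UTF-8>
    <input type=text name=field size=115 value='{$val}'>
    <input type=submit name=action_go value=Submit>
    </form>
<!--
<button type=button onclick='window.location=
  "member.php?csrftoken={$_SESSION['csrftoken']}";'>Go</button>
<button type=button onclick="transfer('member.php',
  {csrftoken: '{$_SESSION['csrftoken']}'});">Go</button>
-->
EOT;
    }

    /**
     * Handle the Submit button. Persisting the field is left as a stub here;
     * the method only reports success via Page::message().
     */
    protected function action_go()
    {
        // ... code to save data ...
        $this->message('Saved', true);
    }
}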
// Construct the page and dispatch the current request. The constructor's
// second argument is passed through to Page; its meaning is not visible here.
$page = new MyPage(
    'XSS Example',
    true,
);
$page->go();
Esempio n. 2
        $stmt = $this->db->query('select person_pk, name_last,
      name_first, name_middle
      from person where name_last like :pfxpat and
      person_pk != :pk and
      replacedby_fk is null order by name_last, name_first,
      name_middle', array('pfxpat' => "{$pfx}%", 'pk' => $pk));
        while ($row = $stmt->fetch()) {
            $jw1 = JaroWinkler($last, $row['name_last'], true);
            if (empty($first)) {
                $jw2 = $jw3 = $jw4 = 1;
            } else {
                $name1 = explode(' ', trim($first));
                $name2 = explode(' ', trim($row['name_first']));
                $jw2 = JaroWinkler($name1[0], $name2[0], true);
                $jw3 = JaroWinkler($name1[0], $row['name_middle'], true);
                $jw4 = JaroWinkler($name2[0], $middle, true);
            }
            if ($jw1 > 0.9 && ($jw2 > 0.75 || $jw3 > 0.75 || $jw4 > 0.75)) {
                $names[] = $this->build_name($row);
                $pks[] = $row['person_pk'];
            }
        }
    }
    /**
     * Format a person row as "Last, First Middle" for display.
     *
     * @param array $row row with name_last, name_first and name_middle keys
     * @return string the trimmed name passed through htmlspecial() (a project helper)
     */
    protected function build_name($row)
    {
        $full = "{$row['name_last']}, {$row['name_first']} {$row['name_middle']}";
        $full = trim($full);
        return htmlspecial($full);
    }
}
// Construct the page, point its database handle at 'cwadb', then dispatch.
$page = new MyPage('Variant Names');
$db = $page->getdb();
$db->set_database('cwadb');
$page->go();
Esempio n. 3
        } else {
            if (!mail($_POST['email'], $subject, $msg)) {
                return;
            }
        }
        echo <<<EOT
<p>
Your temporary password has been sent. When you receive it,
<br>
use it to login. You'll then be prompted to choose a new password.
<p>
EOT;
        $this->button('Login', null, 'login.php');
        return true;
    }
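    /**
     * Generate a random temporary password and hand it to Security::set_password().
     *
     * Returns the plaintext temporary password (12 hex characters from 6
     * random bytes) so the caller can deliver it, or null when the random
     * source is not cryptographically strong or set_password() reports
     * failure. The third argument to set_password() is passed as true; its
     * meaning is not visible here.
     *
     * @param mixed $userid user the temporary password is set for
     * @return string|null
     */
    private function set_temp_password($userid)
    {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(6, $strong);
        // openssl may fall back to a non-CSPRNG source; the original ignored
        // the strength flag, which would let a weak credential be issued.
        if ($bytes === false || $strong !== true) {
            return null;
        }
        $tmp = bin2hex($bytes);
        $security = new Security();
        if ($security->set_password($userid, $tmp, true)) {
            return $tmp;
        }
        return null;
    }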
}
// If the EPMADD cookie is present and this request does not already carry
// pre_action_logout, bounce through transfer() with that flag set; in every
// other case run the page directly.
$page = new MyPage('Login', false);
$hasCookie = isset($_COOKIE['EPMADD']);
$logoutFlagged = isset($_POST['pre_action_logout']);
if (!$hasCookie || $logoutFlagged) {
    $page->go();
} else {
    $page->transfer('login.php', array('pre_action_logout' => 1));
}
Esempio n. 4
            $form->text('userid', 'Desired User ID:', 15, 'UserID');
            $form->text('pw1', 'Password:'******'Password', true, true);
            $form->password_strength('pw1', '');
            $form->text('pw2', 'Repeat:', 50, 'Password', true, true);
        }
        $form->text('first', 'First Name:', 25, 'First Name');
        $form->hspace(3);
        $form->text('last', 'Last Name:', 25, 'Last Name', false);
        $form->text('email', 'Email:', 75, '*****@*****.**');
        $form->text('phone', 'Verification Phone:', 25, '303-555-1234');
        $form->radio('phone_method', 'SMS (text)', 'sms');
        $form->hspace(5);
        $form->radio('phone_method', 'Voice', 'voice', false);
        $form->button('action_register', $this->is_logged_in() ? 'Save' : 'Register');
        // Next line for clickjacking example
        //$form->button('action_disable', 'Disable 2FA');
        $form->end();
        $userid = isset($data['userid']) ? $data['userid'] : '';
        echo <<<EOT
    <script>
    \$('#pw1').bind('keydown', function() {
        PasswordDidChange('pw1', '{$userid}');
    });
    </script>
EOT;
    }
}
// Construct the registration page, start its session and dispatch.
// Running this page without being logged in is expected.
$page = new MyPage(
    'Register',
    false,
);
$page->start_session();
$page->go();
Esempio n. 5
        $f = new Form();
        $f->start();
        $f->text('yubikey', 'YubiKey:', 50, '', true, true);
        $f->button('action_yubikey', 'Verify', false);
        $f->end();
    }
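    /**
     * Verify a submitted YubiKey OTP for the user awaiting second-factor login.
     *
     * The OTP's trailing 32 characters are the one-time part; everything
     * before them is the key's public identity, which must match the
     * identity stored for $_SESSION['userid_pending'] before the OTP is sent
     * to the Yubico service. On success the verification is recorded (unless
     * the session is flagged expired) and is_verified() takes over; on any
     * failure the form is re-shown with one generic message so the response
     * does not reveal which check failed.
     */
    protected function action_yubikey()
    {
        // Missing or non-string input (yubikey[]=...) is treated as an invalid OTP
        // instead of raising a notice or a TypeError in strlen().
        $y = isset($_POST['yubikey']) && is_string($_POST['yubikey']) ? $_POST['yubikey'] : '';
        $pending = isset($_SESSION['userid_pending']) ? $_SESSION['userid_pending'] : null;
        // More than 34 characters means at least a 3-character identity ahead
        // of the 32-character OTP body; without a pending user there is
        // nothing to compare against.
        if ($pending !== null && strlen($y) > 34) {
            $identity = substr($y, 0, strlen($y) - 32);
            $stmt = $this->db->query('select identity from
          user where userid = :userid', array('userid' => $pending));
            $row = $stmt->fetch();
            // Strict comparison: == would apply numeric-string rules to the identity.
            if ($row && isset($row['identity']) && $row['identity'] === $identity) {
                $yubi = new \Auth_Yubico(CLIENT_ID, CLIENT_KEY);
                if ($yubi->verify($y) === true) {
                    if (!isset($_SESSION['expired'])) {
                        $security = new Security();
                        $security->store_verification($pending, true);
                    }
                    $this->is_verified();
                    return;
                }
            }
        }
        $this->show_form_yubikey();
        $this->message('Invalid YubiKey OTP');
    }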
}
// Construct the login page and dispatch; go() receives true here, whose
// meaning is defined in Page and not visible in this listing.
$page = new MyPage('Login');
$page->go(
    true,
);