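/**
 * Open the door after a successful access check.
 *
 * Sends the open command to the door controller as a raw HTTP POST, reads the
 * reply to end-of-stream, redirects the browser to the welcome page and then
 * registers the visitor's MAC address on the RPC host over ssh.  When the
 * controller cannot be reached the browser is redirected to the offline page
 * and mail_and_die() reports the socket error.
 *
 * Reads the script-level $mac set by the calling script.  The original body
 * referenced $mac without declaring it global, so inside the function it was
 * always undefined and add_mac.sh was invoked with an empty argument.
 *
 * @return void
 */
function open_door()
{
    global $mac;

    // TEMP: use md5sum over Date, random salt and shared secret
    // NOTE(review): until that is done the controller receives a fixed PIN in
    // clear text, which is replayable by anyone able to observe the segment.
    $req = "pin=0326&action=open";
    $header = "POST / HTTP/1.1\r\n"; // HTTP POST request
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

    // Open a socket for the acknowledgement request
    $fp = fsockopen('10.0.10.10', 80, $errno, $errstr, 30);
    if (!$fp) {
        $fperr = $errstr;
        header('Location: dooroffline.html', true, 303);
        require_once 'mailer.php';
        mail_and_die('The door is offline', 'fsockopen returned: ' . $fperr);
        return; // mail_and_die() is expected to exit; never fall through to a dead socket
    }

    fwrite($fp, $header . $req);
    // Read the reply to end-of-stream before closing, as the original did.
    while (!feof($fp)) {
        fgets($fp, 1024);
    }
    fclose($fp);

    header('Location: welcomeback.html', true, 303);

    // Register the MAC on the RPC host.  The value is passed as one
    // shell-escaped argument so an unexpected MAC string cannot alter the
    // command line; with no MAC there is nothing to register.
    $macArg = (string) $mac;
    if ($macArg !== '') {
        exec('/usr/bin/ssh -i /var/rpc_id_rsa root@10.0.10.5 ./add_mac.sh ' . escapeshellarg($macArg));
    }
}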
<?php
require 'inc/common.php';
require 'inc/mailer.php';
require 'inc/db.php';

// MAC-only entry point: look the visitor up by the salted hash of the MAC
// address that find_mac() resolves.  When no MAC is found a sentinel is used
// instead, which is presumably meant to match no stored hash.
$mac = find_mac();
$macHash = $mac ? sha1('salT' . $mac) : 'whatever';

$sql = "UPDATE Users SET count = count + 1 WHERE DATE('now') <= paid AND mac = '{$macHash}'";
$link->exec($sql) or mail_and_die('link->exec UPDATE error', __FILE__);

// Exactly one paid-up row matched: open the door; anything else goes back to the index.
$matched = ($link->changes() == 1);
if ($matched) {
    open_door();
} else {
    header('Location: index.html', true, 303);
}

$link->close();
unset($link);
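// TODO: generate this salt
$salt = 'salT';
// Friendlier pincode instead of password
// NOTE(review): the PIN is a deterministic function of the e-mail and this
// fixed salt, so it is no more secret than the salt itself; the TODO above is
// the fix.
$crc = crc32($salt . strtoupper($email)) & 0x7fffffff; //remove sign (crc32() can return a negative int on 32-bit builds)
$password = sprintf("%06u", $crc % 1000000);

require 'inc/db.php';

// $amount and $months are set before this fragment (the amount is presumably
// request-supplied and mapped onto a month count).  Both are interpolated
// unquoted into SQL below, so refuse anything that is not a plain non-negative
// integer before any statement is built.  Valid inputs are unaffected.
if (!ctype_digit((string) $amount) || !ctype_digit((string) $months)) {
    mail_and_die('amount/months not numeric', __FILE__);
}

$email2 = $link->escapeString($email);
$password2 = $link->escapeString($password);
$salt2 = $link->escapeString($salt);

$link->exec("INSERT OR IGNORE INTO Users (email,since) VALUES('{$email2}',DATETIME('now'))") or mail_and_die('link->exec INSERT Users error', __FILE__);
// A row was inserted only for a previously unknown e-mail address.
$isnew = ($link->changes() === 1);

$link->exec("INSERT INTO Payments (email, submitted, amount) VALUES('{$email2}', DATETIME('now'), {$amount})") or mail_and_die('link->exec INSERT Payments error', __FILE__);

// Give new members the benefit of the doubt (trust, but verify):
// FIXME: might fail because of unique password (change salt)
// NOTE(review): the password value in this UPDATE appears as a literal in this
// listing while $password2 is prepared but not referenced — confirm against the
// live file.
$link->exec("UPDATE Users SET paid = DATE(MAX(IFNULL(paid,0), DATE('now')),'+{$months} MONTH'), salt = '{$salt2}', password = '******' WHERE email = '{$email2}'") or mail_and_die('link->exec UPDATE error', __FILE__);
if ($link->changes() !== 1) {
    mail_and_die('link->changes should be 1', __FILE__);
}
$link->close();
unset($link);

// Welcome mail to the member, then a notification to the site owner.
$subject = 'Welcome to Xinchejian 欢迎加入新车间';
$body = "Welcome! 欢迎!\n\nYou can now open the door by going to http://bouncer/\nPIN: {$password}\n\nNote that your access will be revoked if no payment was made.\n\n-- the script that sends out these emails";
mailer($email, $subject, $body);

$neworold = $isnew ? "New" : "Old";
mailer('*****@*****.**', "{$neworold} member: {$email}, paid {$amount} for {$months} month(s).", '-- ' . __FILE__);
header('Location: welcome.html', true, 303);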
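// Resolve the caller's MAC from the address-table lines prepared above this
// fragment ($lines, $ipAddress, $password2 and $link are all set earlier).
// Start with an empty clause so the UPDATE below is well-formed even when no
// line matches; the original left $mac2 undefined in that case.
$mac2 = '';
foreach ($lines as $line) {
    $cols = preg_split('/\\s+/', trim($line));
    // Guard the column reads: a short or blank line has neither an IP nor a MAC column.
    if (isset($cols[1], $cols[3]) && $cols[1] === $ipAddress) {
        $mac2 = ', mac = "' . mysql_real_escape_string($cols[3], $link) . '"';
        break;
    }
}

// NOTE(review): $password2 is interpolated unquoted, so it must already carry
// its own quotes and escaping (the registration script builds it that way) —
// confirm.  The mysql_* extension used here was removed in PHP 7.0.
mysql_query('UPDATE members.Users SET count = count + 1' . $mac2 . " WHERE CURDATE() <= paid AND password = {$password2}", $link) or mail_and_die('mysql_query UPDATE error');

if (mysql_affected_rows($link) != 1) {
    // No single paid-up member matched the submitted PIN.
    header('HTTP/1.1 403 Forbidden');
    print "Access denied";
} else {
    // TEMP: use md5sum over Date, random salt and shared secret
    $req = "pin=0326&action=open";
    header('HTTP/1.1 200 OK');
    $header = "POST / HTTP/1.1\r\n"; // HTTP POST request
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    // Open a socket for the acknowledgement request
    $fp = fsockopen('10.0.10.10', 80, $errno, $errstr, 30);
    if (!$fp) {
        mail_and_die('fsockopen returned ' . $errstr);
    }
    fwrite($fp, $header . $req);
    // Read the reply to end-of-stream before closing, as the original did.
    while (!feof($fp)) {
        fgets($fp, 1024);
    }
    fclose($fp);
    header('HTTP/1.1 303 See Other');
    header("Location: /welcomeback.html");
}
mysql_close($link);
unset($link);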
</script> </head> <body> <h1>Unverified Payments</h1> <table> <thead> <tr> <th>E-mail</th> <th>Submitted</th> <th>Amount</th> <th>Verified?</th> </tr> </thead> <tbody><?php // add SetEnv MYSQL_PASSWORD "blah" to this site's Apache conf $link = mysql_connect('localhost', 'webuser', getenv('MYSQL_PASSWORD')) or mail_and_die('mysql_connect error'); $result = mysql_query("SELECT id,email,submitted,amount FROM members.Payments WHERE verified IS NULL;", $link) or die('mysql_query SELECT error'); while ($row = mysql_fetch_assoc($result)) { ?> <tr> <td><?php echo $row['email']; ?> </td> <td><?php echo $row['submitted']; ?> </td> <td><?php echo $row['amount']; ?>
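<?php
require_once 'mailer.php';

// Shared database handle for the bouncer scripts.
//
// `new` never yields a falsy value: on failure the SQLite3 constructor throws,
// so the original `or mail_and_die(...)` branch could never run and an
// unreachable database surfaced as an uncaught exception instead of the
// error mail.  Catch the exception and report it the same way the other
// scripts do.
//
// NOTE(review): the default open flags include SQLITE3_OPEN_CREATE, so a
// missing members.db is silently created empty rather than reported.
try {
    $link = new SQLite3('/var/bouncer/members.db');
} catch (Exception $e) {
    mail_and_die('SQLite3 ctor error: ' . $e->getMessage(), __FILE__);
}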
</head> <body> <h1>Unverified Payments</h1> <table style="width:100%"> <thead> <tr> <th>E-mail</th> <th>Submitted</th> <th>Amount</th> <th>Verified?</th> </tr> </thead> <tbody><?php require 'inc/mailer.php'; require 'inc/db.php'; $result = $link->query("SELECT id,email,CAST(submitted AS DATE) as submitted,amount FROM Payments WHERE verified IS NULL;") or mail_and_die('link->query SELECT error', __FILE__); while ($row = $result->fetchArray()) { ?> <tr> <td><?php echo $row['email']; ?> </td> <td><?php echo $row['submitted']; ?> </td> <td><?php echo $row['amount']; ?> </td>
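require 'mailer.php';

/**
 * Mail the error to the site owner and stop the script.
 *
 * Defined before first use for readability; PHP hoists unconditional
 * top-level functions, so the original order (definition after use) also ran.
 *
 * @param string $m  Error text; used as the mail body and as the output of die().
 */
function mail_and_die($m)
{
    mailer('*****@*****.**', 'Error in ' . __FILE__, $m);
    die($m);
}

// NOTE(review): this script changes verification state on a plain GET request
// and no authentication is visible in this fragment — confirm it is protected
// upstream (web-server auth or similar).

// Request parameters.  The original read the keys unguarded, which raises a
// notice for every missing one; default them explicitly instead.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$ok = isset($_GET['ok']) ? (int) $_GET['ok'] : 0;
// $_GET is already URL-decoded by PHP, so this urldecode() decodes a second
// time (a literal '+' in an address becomes a space).  Kept as in the original
// because the link that leads here may double-encode — confirm before removing.
$email = isset($_GET['email']) ? urldecode($_GET['email']) : '';
$amount = isset($_GET['amount']) ? $_GET['amount'] : '';

// Amount -> membership length.  Anything but the two known amounts aborts, so
// $months is always 1 or 6 by the time it reaches SQL.
if ($amount == '100') {
    $months = 1;
} elseif ($amount == '450') {
    $months = 6;
} else {
    mail_and_die('wrong amount');
}

// add SetEnv MYSQL_PASSWORD "blah" to this site's Apache conf
// (the mysql_* extension used here was removed in PHP 7.0)
$link = mysql_connect('localhost', 'webuser', getenv('MYSQL_PASSWORD')) or mail_and_die('mysql_connect error');
$email2 = '"' . mysql_real_escape_string($email, $link) . '"';

// $id and $ok are integers (cast above) and $email2 is escaped and quoted, so
// the interpolations below cannot change the statements.
mysql_query("UPDATE members.Payments SET verified = {$ok} WHERE id = {$id}", $link) or mail_and_die('mysql_query UPDATE Payments error');
if ($ok) {
    // NOTE(review): this matches Users.id against the payment id from the
    // request, while the refund branch matches on e-mail — confirm the two ids
    // are meant to coincide.
    mysql_query("UPDATE members.Users SET paid_verified = paid WHERE id = {$id}", $link) or mail_and_die('mysql_query UPDATE Users error');
} else {
    // Payment rejected: take the provisionally granted months back.
    mysql_query("UPDATE members.Users SET paid = paid - INTERVAL {$months} MONTH WHERE email = {$email2}", $link) or mail_and_die('mysql_query UPDATE Users error');
    //mailer($email, $subject, $body);
}
mysql_close($link);
unset($link);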
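<?php
require 'inc/common.php';
require 'inc/mailer.php';
require 'inc/db.php';

// PIN entered by the visitor.  The original read $_POST['password'] unguarded
// (a notice, and null passed to escapeString(), when the field is missing);
// treat a missing or non-string field as an empty PIN instead.
$password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
$password2 = $link->escapeString($password);

// Register MAC address (stored as a salted hash; the salt is fixed)
$mac = find_mac();
if ($mac) {
    $mac2 = ", mac = '" . sha1('salT' . $mac) . "'";
} else {
    $mac2 = '';
}

// NOTE(review): $password2 is prepared above, but the password comparison in
// this listing is a literal — confirm against the live file.
$link->exec('UPDATE Users SET count = count + 1' . $mac2 . " WHERE DATE('now') <= paid AND password = '******'") or mail_and_die('link->exec UPDATE error', __FILE__);

// Exactly one paid-up row must match; anything else is a denial.
if ($link->changes() !== 1) {
    header('Location: accessdenied.html', true, 303);
} else {
    open_door();
}
$link->close();
unset($link);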
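$email2 = $link->escapeString($email);

// $paymentid and $ok are set before this fragment and are interpolated into
// SQL below; force both to integers so a non-numeric value cannot change the
// statements (no effect on the expected integer inputs).
$paymentid = (int) $paymentid;
$ok = (int) $ok;

// Report the SELECT failure the same way as every other error in this script.
$result = $link->query("SELECT email,amount FROM Payments WHERE id = {$paymentid};") or mail_and_die('link->query SELECT error', __FILE__);
$amount = null; // unknown payment id -> no amount -> rejected below
if ($row = $result->fetchArray()) {
    $amount = $row['amount'];
}

// Amount -> membership length (loose comparison kept: the column type is not
// visible here and may be numeric).  Anything else aborts.
if ($amount == '100') {
    $months = 1;
} elseif ($amount == '450') {
    $months = 6;
} elseif ($amount == '900') {
    $months = 12;
} elseif ($amount == '5000') {
    $months = 12; // as in the original — confirm this is intended rather than a copy of the 900 case
} else {
    mail_and_die('wrong amount', __FILE__);
}

$link->exec("UPDATE Payments SET verified = {$ok} WHERE id = {$paymentid}") or mail_and_die('link->exec UPDATE Payments error', __FILE__);
if ($ok) {
    // The original expression `... + INTERNAL {$months} MONTH` is a typo for
    // INTERVAL and, either way, MySQL syntax that SQLite rejects, so this
    // exec() could not succeed.  Use SQLite's DATE() modifier form, matching
    // the refund branch below.
    $link->exec("UPDATE Users SET paid_verified = DATE((SELECT submitted FROM Payments WHERE id = {$paymentid}), '+{$months} MONTH') WHERE email = '{$email2}'") or mail_and_die('link->exec UPDATE Users error', __FILE__);
} else {
    // Payment rejected: take the provisionally granted months back.
    $link->exec("UPDATE Users SET paid = DATE(paid, '-{$months} MONTH') WHERE email = '{$email2}'") or mail_and_die('link->exec UPDATE Users error', __FILE__);
    //mailer($email, $subject, $body);
}
$link->close();
unset($link);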
$macAddr = $cols[3]; } } // closes a loop/conditional that begins before this fragment
// TODO: generate this salt
$salt = 'salT';
// Friendlier pincode instead of password
// NOTE(review): the PIN is a deterministic function of the e-mail and this
// fixed salt, so it is no more secret than the salt itself; the TODO above is
// the fix.
$crc = crc32($salt . strtoupper($email)) & 0x7fffffff; //remove sign (crc32() can return a negative int on 32-bit builds)
$password = sprintf("%06u", $crc % 1000000);
// add SetEnv MYSQL_PASSWORD "blah" to this site's Apache conf
// (the mysql_* extension used here was removed in PHP 7.0)
$link = mysql_connect('localhost', 'webuser', getenv('MYSQL_PASSWORD')) or mail_and_die('mysql_connect error');
// Each escaped value carries its own double quotes, so it is interpolated unquoted below.
$email2 = '"' . mysql_real_escape_string($email, $link) . '"';
$amount2 = '"' . mysql_real_escape_string($amount, $link) . '"';
$password2 = '"' . mysql_real_escape_string($password, $link) . '"';
$salt2 = '"' . mysql_real_escape_string($salt, $link) . '"';
mysql_query("INSERT IGNORE members.Users (email,since) VALUES({$email2},NOW())", $link) or mail_and_die('mysql_query INSERT Users error');
mysql_query("INSERT members.Payments (email, submitted, amount) VALUES({$email2}, NOW(), {$amount2})", $link) or mail_and_die('mysql_query INSERT Payments error');
// Give new members the benefit of the doubt (trust, but verify):
// FIXME: might fail because of unique password (change salt)
// NOTE(review): $months is set before this fragment and is interpolated
// unescaped; it is presumably the integer mapped from a whitelisted amount — confirm.
mysql_query("UPDATE members.Users SET paid = IF(CURDATE()<paid,paid,CURDATE()) + INTERVAL {$months} MONTH, salt = {$salt2}, password = {$password2} WHERE email = {$email2}", $link) or mail_and_die('mysql_query UPDATE error');
if (mysql_affected_rows($link) != 1) { mail_and_die('mysql_affected_rows != 1'); }
mysql_close($link);
unset($link);
// Welcome mail to the member, then a notification to the site owner.
$subject = 'Welcome to Xinchejian 欢迎加入新车间';
$body = "Welcome! 欢迎!\n\nYou can now open the door by going to http://bouncer/\nPIN: {$password}\n\nNote that your access will be revoked if no payment was made.\n\n-- the script that sends out these emails";
mailer($email, $subject, $body);
mailer('*****@*****.**', "New member: {$email}, paid {$amount} for {$months} month(s).", '-- the script that sends out these emails');
header('HTTP/1.1 303 See Other');
header("Location: /welcome.html");