<?php require '../../utility/common.php'; list($user_id, $tree, $name) = logged_in(); $select_db = connect('select'); $query = 'SELECT p.message, ' . '(SELECT u.username FROM users u JOIN posts p2 ON p2.author_id = u.id WHERE p2.author_id = p.author_id LIMIT 1) as author_name, ' . 'p.image, g.name, p.created, p.id, gp.andor FROM posts p ' . 'JOIN group_posts gp ON p.id = gp.post_id ' . 'JOIN group_users gu ON gu.group_id = gp.group_id ' . 'JOIN groups g ON g.id = gu.group_id '; if (isset($_GET['groupid']) && $_GET['groupid']) { $params = validate_params('GET', array('groupid'), array(FILTER_VALIDATE_INT), array(FILTER_SANITIZE_NUMBER_INT)); $group_ids = get_path_to($select_db, $params['groupid']); $stmt = $select_db->prepare($query . 'WHERE gu.user_id = ? AND gp.group_id IN (' . implode(',', array_fill(0, count($group_ids), '?')) . ') ' . 'ORDER BY p.created DESC '); $stmt->bindParam(1, $user_id, PDO::PARAM_INT); for ($i = 0; $i < count($group_ids); $i++) { $stmt->bindParam($i + 2, $group_ids[$i]['id'], PDO::PARAM_INT); } $stmt->execute(); } else { $stmt = dbexec($select_db, $query . 'WHERE gu.user_id = ? ' . 'ORDER BY p.created DESC ', array($user_id), array(PDO::PARAM_INT)); } if ($stmt->rowCount() == 0) { echo '<p>There are no posts in that group</p>'; die; } $doc = new DOMDocument('1.0', 'utf-8'); $root = $doc->createElement('posts'); $doc->appendChild($root); $usergroups = $tree->vars('id'); //all groups the user is in //can't use dbexec, need to loop $groups_stmt = $select_db->prepare('SELECT group_id, andor FROM group_posts WHERE post_id = :postid'); $groups_stmt->bindParam(':postid', $post_id); while ($post_row = $stmt->fetch(PDO::FETCH_ASSOC)) {
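<?php
/*
 * Login handler (POST): checks the submitted username/password against the
 * users table and, on success, starts an authenticated session and redirects
 * to the home page.
 *
 * common.php is expected to provide logged_out(), validate_key(),
 * validate_params(), connect(), dbexec(), get_tree() and error(). The flow
 * below relies on error() redirecting and stopping the script: nothing after a
 * call to it may run.
 */
require '../../utility/common.php';

logged_out();   // only reachable while no user session is active
validate_key(); // request-key check on the POSTed form

$params = validate_params('POST', array('username', 'password'), array(0, 0), array(0, 0));
if (!$params) {
    error('invalid form data', '/account/login.php');
}

$select_db = connect('select');
$stmt = dbexec($select_db, 'SELECT * FROM users WHERE username = ?', array($params['username']), array(PDO::PARAM_STR));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// fetch() returns false when no row matched. The previous test, count($row) == 0,
// is a TypeError on PHP 8 because count() no longer accepts a bool.
if ($row === false) {
    // Unknown username: the user has to sign up first.
    error('You need to sign up first', '../login.php');
} elseif (!is_null($row['activation_key'])) {
    // A still-present activation key means the e-mail confirmation was never completed.
    error('You have not activated your account yet', '../login.php');
}

// NOTE(review): the three distinct failure messages (unknown user / not activated /
// wrong password) reveal which usernames exist; a single generic message would
// close that. The wording is user-visible, so it is left as the author wrote it.
if (password_verify($params['password'], $row['password'])) {
    session_start();
    session_regenerate_id(true); // new session id on login: stops session fixation
    $_SESSION['name'] = $row['username'];
    $_SESSION['user_id'] = $row['id'];
    $_SESSION['tree'] = get_tree($select_db, $row['id']);
    session_commit();
    header('Location: /home/home.php');
    exit; // nothing may run after the redirect
} else {
    // The password did not verify against the stored hash.
    error('Wrong password', '/account/login.php');
}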
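<?php
/*
 * Username recovery (POST): looks up the account registered under the submitted
 * e-mail address, mails the username to that address and renders a confirmation.
 *
 * Relies on common.php / htmlcommon.php for logged_out(), validate_key(),
 * validate_params(), connect(), dbexec(), error() and top(); error() is expected
 * to redirect and stop the script.
 */
require '../utility/common.php';
require '../utility/htmlcommon.php';

logged_out();
validate_key();

$params = validate_params('POST', array('email'), array(FILTER_VALIDATE_EMAIL), array(FILTER_SANITIZE_EMAIL));
if (!$params) {
    error('Invalid params', 'login.php');
}

$select_db = connect('select');
$stmt = dbexec($select_db, 'SELECT username FROM users WHERE email = ?', array($params['email']), array(PDO::PARAM_STR));
$res = $stmt->fetch(PDO::FETCH_ASSOC);

// Test the fetched row itself: PDOStatement::rowCount() is only guaranteed for
// statements that modify rows, not for a SELECT, so it is not a safe "no match" test.
if ($res === false) {
    // NOTE(review): this reply confirms whether an address is registered. A neutral
    // "if that address is registered, an e-mail has been sent" would avoid that;
    // the text is user-visible and kept as written.
    echo 'That email does not exist in our database';
    die;
}

$message = 'Hello, you recently requested to recover your username for the account associated with this email at Classmatches. If you did not request this information, we suggest you change your password at Classmatches as soon as possible. Your username is: ' . $res['username'] . '. Thank you for using Classmatches.';
$message = wordwrap($message, 100);

// The recipient passed FILTER_VALIDATE_EMAIL above, so it cannot carry line breaks
// into the mail headers. mail() only reports hand-off to the local MTA; its return
// value is not checked here.
mail($params['email'], 'Username account recovery', $message, 'From: accountrecovery@classmatches.com');

top(false, 'Account recovery submit');
?>
<div>
    <p>An email has been sent to <?php echo htmlspecialchars($params['email']); ?> with your username</p>
    <p><a href="login.php">Log In</a></p>
</div>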
<?php require '../../utility/common.php'; logged_in(); if (isset($_GET['groupsearch'])) { $params = validate_params('GET', array('groupsearch'), array(0), array(0)); if (!$params) { echo 'Wrong'; die; } } else { $params = array('groupsearch' => ''); } $tree = $_SESSION['tree']; $search = '%' . $params['groupsearch'] . '%'; $select_db = connect('select'); $stmt = dbexec($select_db, 'SELECT id, name, type, description FROM groups WHERE LOWER(name) LIKE LOWER(?) ORDER BY name', array($search), array(PDO::PARAM_STR)); $doc = new DOMDocument('1.0', 'utf-8'); $root = $doc->createElement('groups'); $doc->appendChild($root); while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) { $node = $doc->createElement('group'); $node->setAttribute('group-id', htmlspecialchars($row['id'])); $node->setAttribute('name', htmlspecialchars($row['name'])); $node->setAttribute('type', htmlspecialchars($row['type'])); $node->appendChild($doc->createTextNode(htmlspecialchars($row['description']))); $parents = $doc->createElement('parents'); $path = get_path_to($select_db, $row['id']); for ($i = count($path) - 1; $i >= 0; $i--) { $parent = $doc->createElement('parent'); $parent->setAttribute('group-id', htmlspecialchars($path[$i]['id']));
echo "\t" . '-s --host' . "\t" . $lang_convert['Database server hostname'] . ' ' . sprintf($lang_convert['Default value'], $db_config_default['host']) . "\n"; echo "\t" . '-n --name' . "\t" . $lang_convert['Database name'] . "\n"; echo "\t" . '-u --user' . "\t" . $lang_convert['Database username'] . ' ' . sprintf($lang_convert['Default value'], $db_config_default['username']) . "\n"; echo "\t" . '-p --pass' . "\t" . $lang_convert['Database password'] . "\n"; echo "\t" . '-r --prefix' . "\t" . $lang_convert['Table prefix'] . "\n"; echo "\t" . '-c --charset' . "\t" . $lang_convert['Database charset'] . ' ' . sprintf($lang_convert['Default value'], $db_config_default['charset']) . "\n"; echo "\n" . $lang_convert['Note'] . "\n"; echo $lang_convert['Note info'] . "\n"; exit(1); } $forum_config = array('type' => isset($options['f']) ? $options['f'] : (isset($options['forum']) ? $options['forum'] : null), 'path' => isset($options['d']) ? $options['d'] : (isset($options['path']) ? $options['path'] : null)); $old_db_config = array('type' => isset($options['t']) ? $options['t'] : (isset($options['type']) ? $options['type'] : $db_config_default['type']), 'host' => isset($options['s']) ? $options['s'] : (isset($options['host']) ? $options['host'] : $db_config_default['host']), 'name' => isset($options['n']) ? $options['n'] : (isset($options['name']) ? $options['name'] : $db_config_default['name']), 'username' => isset($options['u']) ? $options['u'] : (isset($options['user']) ? $options['user'] : $db_config_default['username']), 'password' => isset($options['p']) ? $options['p'] : (isset($options['pass']) ? $options['pass'] : $db_config_default['password']), 'prefix' => isset($options['r']) ? $options['r'] : (isset($options['prefix']) ? $options['prefix'] : $db_config_default['prefix']), 'charset' => isset($options['c']) ? $options['c'] : (isset($options['charset']) ? 
$options['charset'] : $db_config_default['charset'])); $forum_config = array_map('trim', $forum_config); $old_db_config = array_map('trim', $old_db_config); // Check whether we have all needed data valid validate_params($forum_config, $old_db_config); if (!array_key_exists($forum_config['type'], $forums)) { // Try to correct forum name (ignore case) $keys = array_keys($forums); $values = array(); foreach ($keys as $cur_key) { if (strpos(strtolower($cur_key), strtolower($forum_config['type'])) === 0) { $values[] = $cur_key; } } if (count($values) == 1) { $forum_config['type'] = $values[0]; } else { if (($key = array_search(strtolower($forum_config['type']), array_map('strtolower', $keys))) !== false) { $forum_config['type'] = $keys[$key]; } else {
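<?php
/*
 * "Contact us" handler (POST): forwards the logged-in user's subject and message
 * to the site mailbox, using the user's registered address as the From header,
 * then returns to the contact page.
 *
 * Relies on common.php for logged_in(), validate_key(), validate_params(),
 * connect(), dbexec() and error(); error() is expected to redirect and stop.
 */
require '../../utility/common.php';

list($user_id, $tree, $name) = logged_in();
validate_key();

$params = validate_params('POST', array('message', 'subject'), array(0, 0), array(0, 0));
if (!$params) {
    error('Illegal params', '../contactus.php');
}

$select_db = connect('select');
$stmt = dbexec($select_db, 'SELECT email FROM users WHERE id = ?', array($user_id), array(PDO::PARAM_INT));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The From header is built from a stored value. The signup handler validates the
// address, but re-check here so that a missing row (fetch() === false, which the
// old code indexed as an array) or a value containing control characters never
// becomes part of the mail headers. Without a usable address the message is still
// delivered, just without a From header.
$from = $row === false ? false : filter_var($row['email'], FILTER_VALIDATE_EMAIL);
$headers = $from === false ? '' : 'From: ' . $from;

// NOTE(review): htmlspecialchars() is an HTML-context escape; unless the receiving
// mailbox renders the body as HTML, an '&' in the message arrives as '&amp;'.
// Kept as written because the intended rendering is not visible here.
mail('*****@*****.**', htmlspecialchars($params['subject']), htmlspecialchars($params['message']), $headers);

header('Location: ../contactus.php');
exit; // nothing may run after the redirect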
<?php require '../utility/common.php'; require '../utility/htmlcommon.php'; logged_out(); validate_key(); $params = validate_params('POST', array('email', 'first_name', 'last_name', 'username', 'password', 'password_conf'), array(FILTER_VALIDATE_EMAIL, 0, 0, 0, 0, 0), array(FILTER_SANITIZE_EMAIL, 0, 0, 0, 0, 0)); if (!$params || $params['password'] !== $params['password_conf']) { error('Two passwords didn\'t match', 'newaccount.php'); } /*$regex = '/^.+@(uw\\.edu|u\\.washington\\.edu)\$/'; if(!preg_match($regex, $params['email'])) { header('Location: login.php?error=regexnomatch'); die(); }*/ $params['password'] = password_hash($params['password'], PASSWORD_BCRYPT); $key = new SecureKey($params['username']); $insert_db = connect('insert'); $stmt = dbexec($insert_db, 'INSERT IGNORE INTO users (email, first_name, last_name, username, password, last_update, activation_key) VALUES (?, ?, ?, ?, ?, ?, ?)', array($params['email'], $params['first_name'], $params['last_name'], $params['username'], $params['password'], 0, $key->get_key()), array(PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_INT, PDO::PARAM_STR)); $last_id = $insert_db->lastInsertId(); $stmt = $insert_db->prepare('INSERT INTO group_users (user_id, group_id) VALUES (?, ?)'); $stmt->bindParam(1, $last_id, PDO::PARAM_INT); $stmt->bindParam(2, $group_id); $group_id = GROUP_ROOT; $stmt->execute(); //for the alpha //$group_id = CLASSMATCHES_ROOT; //$stmt->execute(); $message = 'Thank you for registering for an account with us here at Classmatches. To help ensure security for our website, we have sent you this email with a confirmation key. Follow
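<?php
/*
 * Password-reset completion (POST): the user arrives from the forgot-password
 * page with a temporary password, the target user id held in the session as
 * temp_id. If the temporary password verifies against password_change, the
 * account password is replaced with the newly chosen one.
 *
 * Relies on common.php for logged_out(), validate_key(), validate_params(),
 * connect(), dbexec() and error(); error() is expected to redirect and stop.
 */
require '../utility/common.php';

logged_out();
validate_key();

$params = validate_params('POST', array('username', 'temp_passwd', 'password', 'password_conf'), array(0, 0, 0, 0), array(0, 0, 0, 0));
if (!$params || $params['password'] !== $params['password_conf']) {
    error('The two passwords don\'t match', 'login.php');
}

// temp_id is placed in the session by the forgot-password page. Reading it
// unconditionally raised a notice when absent; without it the lookup below
// cannot match anyway, so fail the same way the lookup would.
session_start();
$temp_id = isset($_SESSION['temp_id']) ? $_SESSION['temp_id'] : null;
session_commit();
if ($temp_id === null) {
    error('No username matches that', 'login.php');
}

$select_db = connect('select');
$stmt = dbexec($select_db, 'SELECT u.id, pc.password_id FROM users u JOIN password_change pc ON pc.user_id = u.id WHERE u.username = ? AND u.id = ? LIMIT 1', array($params['username'], $temp_id), array(PDO::PARAM_STR, PDO::PARAM_INT));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// Test the row rather than rowCount(): rowCount() is not guaranteed for SELECT.
if ($row === false) {
    error('No username matches that', 'login.php');
}

// password_id holds the hashed temporary password.
if (!password_verify($params['temp_passwd'], $row['password_id'])) {
    error('Passwords didn\'t match', 'login.php');
}

$params['password'] = password_hash($params['password'], PASSWORD_BCRYPT);
$update_db = connect('update');
dbexec($update_db, 'UPDATE users SET password = ? WHERE id = ?', array($params['password'], $row['id']), array(PDO::PARAM_STR, PDO::PARAM_INT));

// The reset is complete: drop temp_id so this request cannot be replayed from
// the same session.
session_start();
unset($_SESSION['temp_id']);
session_commit();

// NOTE(review): the password_change row itself is not removed here, so the
// temporary password stays valid until something else deletes it, and its
// `time` column is not checked for expiry. Removing it needs a connection that
// may delete, which this file does not open — confirm where that is handled.
header('Location: login.php');
exit; // nothing may run after the redirect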
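<?php
/*
 * Comment creation endpoint (POST): inserts a comment on a post for the
 * logged-in user and notifies the post's groups. The client sends `message` and
 * `post` wrapped in a pair of quote characters, which are stripped first.
 * Output is a plain status word: 'Wrong', 'Worked' or 'Didn't work'.
 *
 * Relies on common.php for logged_in(), validate_params(), connect(), dbexec()
 * and notify().
 */
require '../../utility/common.php';

list($user_id, $tree, $name) = logged_in();

// Both fields are required; the old code ran substr() on a missing index (null).
if (!isset($_POST['message'], $_POST['post'])) {
    echo 'Wrong';
    die;
}
// Strip the surrounding quote characters the client adds around each value.
$_POST['message'] = stripslashes(substr($_POST['message'], 1, -1));
$_POST['post'] = (int) substr($_POST['post'], 1, -1);

$params = validate_params('POST', array('message', 'post'), array(0, FILTER_VALIDATE_INT), array(0, FILTER_SANITIZE_NUMBER_INT));
if (!$params) {
    echo 'Wrong';
    die;
}

// NOTE(review): unlike the form handlers this endpoint does not call
// validate_key(), and nothing here checks that $user_id may see the post being
// commented on — confirm where (if anywhere) that is enforced.

$insert_db = connect('insert');
$stmt = dbexec(
    $insert_db,
    'INSERT INTO comments (message, post_id, author_id) VALUES (?, ?, ?)',
    // author_id: the same $user_id that the notify() call below already uses
    // (the old code read $_SESSION['user_id'] here instead).
    array($params['message'], $params['post'], $user_id),
    array(PDO::PARAM_STR, PDO::PARAM_INT, PDO::PARAM_INT)
);
if ($stmt->rowCount() == 1) {
    echo 'Worked';
} else {
    // Without a new row lastInsertId() is 0 and the notification below would
    // refer to no comment, so stop here (as the other handlers do).
    echo 'Didn\'t work';
    die;
}
$last_id = $insert_db->lastInsertId();

// Collect the groups the post is shared with, in parallel arrays, for notify().
$select_db = connect('select');
$stmt = dbexec($select_db, 'SELECT gp.group_id, gp.andor FROM comments c JOIN posts p ON p.id = c.post_id JOIN group_posts gp ON gp.post_id = p.id WHERE c.id = ? AND c.post_id = ?', array($last_id, $params['post']), array(PDO::PARAM_INT, PDO::PARAM_INT));
$notify_info = array('groups' => array(), 'andors' => array());
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    $notify_info['groups'][] = $row['group_id'];
    $notify_info['andors'][] = $row['andor'];
}
notify($select_db, $insert_db, $user_id, 'created', $last_id, 'comments', $notify_info['groups'], $notify_info['andors']);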
<?php require '../../utility/common.php'; list($user_id, $tree, $name) = logged_in(); $_POST['post'] = stripslashes(substr($_POST['post'], 1, -1)); $_POST['group_ids'] = json_decode($_POST['group_ids']); $_POST['andors'] = json_decode($_POST['andors']); $params = validate_params('POST', array('post', 'group_ids', 'andors'), array(0, array('filter' => FILTER_VALIDATE_INT, 'flags' => FILTER_REQUIRE_ARRAY), array('filter' => FILTER_VALIDATE_BOOLEAN, 'flags' => FILTER_REQUIRE_ARRAY)), array(0, array('filter' => FILTER_SANITIZE_NUMBER_INT, 'flags' => FILTER_FORCE_ARRAY), array('flags' => FILTER_FORCE_ARRAY))); if (!$params) { echo 'Wrong'; die; } if ($params['post'] == '' || count($params['group_ids']) !== count($params['andors'])) { echo 'Semantically Wrong'; die; } if (isset($_POST['image'])) { $image = $_POST['image']; } else { $image = false; } $insert_db = connect('insert'); if ($image) { $stmt = dbexec($insert_db, 'INSERT INTO posts (author_id, message, image) VALUES (?, ?, ?)', array($user_id['user_id'], $params['post'], $image), array(PDO::PARAM_INT, PDO::PARAM_STR, PDO::PARAM_STR)); } else { $stmt = dbexec($insert_db, 'INSERT INTO posts (author_id, message) VALUES (?, ?)', array($user_id, $params['post']), array(PDO::PARAM_INT, PDO::PARAM_STR)); } if ($stmt->rowCount() > 1) { echo 'Inserted more than one?'; die; } elseif ($stmt->rowCount() < 1) {
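<?php
/*
 * Event creation handler (POST): stores a new event owned by the logged-in user
 * and links it to the selected group, echoing a status word after each insert.
 *
 * Relies on common.php for logged_in(), validate_key(), validate_params(),
 * connect(), dbexec() and error(); error() is expected to redirect and stop.
 */
require '../../utility/common.php';

list($user_id, $tree, $name) = logged_in();
validate_key();

$params = validate_params('POST', array('event_name', 'date', 'start_time', 'end_time', 'location', 'description', 'group'), array(0, 0, 0, 0, 0, 0, FILTER_VALIDATE_INT), array(0, 0, 0, 0, 0, 0, FILTER_SANITIZE_NUMBER_INT));
if (!$params) {
    error('Illegal params', '../create.php');
}

$andors = array(true); //come back and fix the andors

// Normalise the free-form date/time fields. strtotime() returns false for text
// it cannot parse; the old code passed that straight to date() and silently
// stored 1970-01-01 / 00:00:00 instead of rejecting the input.
$date_ts = strtotime($params['date']);
$start_ts = strtotime($params['start_time']);
$end_ts = strtotime($params['end_time']);
if ($date_ts === false || $start_ts === false || $end_ts === false) {
    error('Illegal params', '../create.php');
}
$params['date'] = date('Y-m-d', $date_ts);
$params['start_time'] = date('H:i:s', $start_ts);
$params['end_time'] = date('H:i:s', $end_ts);

// NOTE(review): nothing here checks that $user_id is a member of group
// $params['group'] before the event is attached to it — confirm whether that
// is intended.

$insert_db = connect('insert');
$stmt = dbexec($insert_db, 'INSERT IGNORE INTO events (name, creator_id, date, start_time, end_time, location, description) VALUES (?, ?, ?, ?, ?, ?, ?)', array($params['event_name'], $user_id, $params['date'], $params['start_time'], $params['end_time'], $params['location'], $params['description']), array(PDO::PARAM_STR, PDO::PARAM_INT, PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_STR));
if ($stmt->rowCount() === 1) {
    echo 'Worked';
} else {
    // INSERT IGNORE may insert nothing; lastInsertId() would then be 0 and the
    // group link below would point at no event, so stop here.
    echo 'Didn\'t work';
    die;
}
$event_id = $insert_db->lastInsertId();

//come back and fix the andors
// No column list: the value order presumably matches the table definition
// (event id, group id, andor) — verify against the schema.
$stmt = dbexec($insert_db, 'INSERT INTO group_events VALUES (?, ?, ?)', array($event_id, $params['group'], $andors[0]), array(PDO::PARAM_INT, PDO::PARAM_INT, PDO::PARAM_BOOL));
if ($stmt->rowCount() === 1) {
    echo 'Worked';
} else {
    echo 'Didn\'t work';
    die;
}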
<?php require '../utility/common.php'; require '../utility/htmlcommon.php'; logged_out(); $params = validate_params('GET', array('username', 'passwd'), array(0, 0), array(0, 0)); if (!$params) { error('Invalid params', 'login.php'); } $select_db = connect('select'); $stmt = dbexec($select_db, 'SELECT user_id, time, password_id FROM password_change pc JOIN users u ON u.id = pc.user_id WHERE u.username = ? LIMIT 1', array($params['username']), array(PDO::PARAM_STR)); if (!$stmt->rowCount()) { error('No match for that username', 'login.php'); } $row = $stmt->fetch(PDO::FETCH_ASSOC); if (!password_verify($params['passwd'], $row['password_id'])) { error('Passwords don\'t match', 'login.php'); } session_start(); $_SESSION['temp_id'] = $row['user_id']; session_commit(); top(false, 'Forgot password'); ?> <form action="forgotreturn.php" method="post"> <input type="hidden" value="<?php echo htmlspecialchars($params['username']); ?> " name="username" /> <input type="hidden" value="<?php
<?php
/*
 * Account activation (GET, from the link in the signup e-mail): clears the
 * activation key of the user whose username and key both match, then shows a
 * confirmation page.
 *
 * Relies on common.php / htmlcommon.php for logged_out(), validate_params(),
 * connect(), dbexec(), error(), top() and bottom(); error() is expected to
 * redirect and stop the script.
 */
require '../utility/common.php';
require '../utility/htmlcommon.php';

logged_out();

$params = validate_params('GET', ['key', 'username'], [0, 0], [0, 0]);
if (!$params) {
    error('Invalid params', 'login.php');
}

// Exactly one row must be updated; the key is consumed (set to NULL) at the same time.
$activated = dbexec(
    connect('update'),
    'UPDATE users SET activation_key = NULL WHERE username = ? AND activation_key = ?',
    [$params['username'], $params['key']],
    [PDO::PARAM_STR, PDO::PARAM_STR]
)->rowCount() === 1;

if (!$activated) {
    error('Wrong username or activation key', 'login.php');
}

top(false, 'Account Activation');
?>
<p>You've successfully activated your account!</p>
<p><a href="/account/login.php">Log in</a> to go to your new home page!</p>
<?php
bottom();
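<?php
/*
 * Group creation handler (POST): inserts a new group one level below the chosen
 * parent (inheriting the parent's type), adds the creator to it, refreshes the
 * session's cached group tree and returns to the groups page.
 *
 * Relies on common.php for logged_in(), validate_key(), validate_params(),
 * connect(), dbexec(), get_tree() and error(); error() is expected to redirect
 * and stop the script.
 */
require '../../utility/common.php';

list($user_id, $tree, $name) = logged_in();
validate_key();

$params = validate_params('POST', array('groupname', 'description', 'parent'), array(0, 0, FILTER_VALIDATE_INT), array(0, 0, FILTER_SANITIZE_NUMBER_INT));
// validate_params() yields a falsy value on bad input (as the other handlers
// test); the old code went on to index $params regardless.
if (!$params) {
    error('Illegal params', '../groups.php');
}

$select_db = connect('select');
$stmt = dbexec($select_db, 'SELECT depth FROM groups g2 WHERE g2.id = ? LIMIT 1', array($params['parent']), array(PDO::PARAM_INT));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// Unknown parent: fetch() gives false and $row['depth'] would be read off a bool.
if ($row === false) {
    error('Illegal params', '../groups.php');
}

// NOTE(review): any existing group id is accepted as parent; whether the
// creator must already be a member of it is not enforced here — confirm.
//come back and check if that name and child_of already exists
$insert_db = connect('insert');
$stmt = dbexec($insert_db, 'INSERT IGNORE INTO groups (child_of, depth, name, type, description) VALUES (?, ?, ?, (SELECT type FROM groups g2 WHERE g2.id = ? LIMIT 1), ?)', array($params['parent'], $row['depth'] + 1, $params['groupname'], $params['parent'], $params['description']), array(PDO::PARAM_INT, PDO::PARAM_INT, PDO::PARAM_STR, PDO::PARAM_INT, PDO::PARAM_STR));
if ($stmt->rowCount() === 0) {
    // INSERT IGNORE inserted nothing, so there is no new group to join.
    echo 'Inserted none';
    die;
}

$lastid = $insert_db->lastInsertId();
// No column list: the value order (user id, group id) must match the table definition.
dbexec($insert_db, 'INSERT IGNORE INTO group_users VALUES (?, ?)', array($user_id, $lastid), array(PDO::PARAM_INT, PDO::PARAM_INT));

// Rebuild the cached tree so the new group is visible on the next page.
session_start();
$_SESSION['tree'] = get_tree($select_db, $user_id);
session_commit();

header('Location: ../groups.php');
exit; // nothing may run after the redirect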