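/**
 * Echoes the submitted form fields back to the page and returns the
 * username/password pair.
 *
 * When $injection is the string "block", the three fields are first passed
 * through sanitize_username(), sanitize_password() and sanitize_message()
 * (defined elsewhere in the project); any other value uses them as given.
 * The echoed values are HTML-escaped so that markup in the input is
 * displayed literally instead of being reflected into the page.
 *
 * @param string $injection "block" to sanitize the fields before use
 * @param string $uname     submitted username
 * @param string $pwd       submitted password
 * @param string $message   submitted message
 * @return array{0: mixed, 1: mixed} [$uname, $pwd], after the optional sanitizing
 */
function strict_form_checking($injection, $uname, $pwd, $message)
{
    if ((string) $injection === 'block') {
        $uname = sanitize_username($uname);
        $pwd = sanitize_password($pwd);
        $message = sanitize_message($message);
    }
    // Output encoding is applied regardless of $injection: the original
    // echoed the raw values, which reflected any HTML in the input.
    // NOTE(review): echoing the password back is what this demo does; a real
    // form handler should not display it at all.
    echo "username is: " . htmlspecialchars((string) $uname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br>";
    echo "password is: " . htmlspecialchars((string) $pwd, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br>";
    echo "message is: " . htmlspecialchars((string) $message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br>";
    return array($uname, $pwd);
}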
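/**
 * Handles the account-registration form.
 *
 * Reads the submitted fields from $_POST, normalizes the name (capitalization
 * and stray hyphens/apostrophes/spaces), validates each field and re-displays
 * the form through show_form() with an alert() on the first failure, rejects
 * duplicate accounts, then inserts the user row, logs the new user in and
 * redirects: to Home when the address was pre-approved in the session,
 * otherwise to Verify_Email.
 *
 * The normalized values are left in the globals $name, $email, $cell, $yog
 * and $mailings so that show_form() can repopulate the form after an error.
 *
 * @return void
 */
function process_form()
{
    // INITIAL DATA FETCHING
    global $name, $email, $cell, $yog, $mailings;
    // so that the show_form function can use these values later
    // A field that was not posted reads as '' instead of raising an
    // undefined-index notice; the downstream checks reject it the same way.
    $posted = function ($key) {
        return isset($_POST[$key]) ? $_POST[$key] : '';
    };
    $name = htmlentities(ucwords(trim(strtolower($posted('name')), ' \\-\'')));
    foreach (array('-', '\'') as $delimiter) {
        if (strpos($name, $delimiter) !== false) {
            $name = implode($delimiter, array_map('ucfirst', explode($delimiter, $name)));
        }
    }
    // forces characters after spaces, hyphens and apostrophes to be capitalized
    $name = preg_replace('/[\\s\']*\\-+[\\s\']*/', '-', $name);
    // removes hyphens not between two characters
    $name = preg_replace('/[\\s\\-]*\'+[\\s\\-]*/', '\'', $name);
    // removes apostrophes not between two characters
    $name = preg_replace('/\\s+/', ' ', $name);
    // removes multiple consecutive spaces
    $name = preg_replace('/\\-+/', '-', $name);
    // removes multiple consecutive hyphens
    $name = preg_replace('/\'+/', '\'', $name);
    // removes multiple consecutive apostrophes
    $email = htmlentities(strtolower($posted('email')));
    $cell = htmlentities($posted('cell'));
    $yog = $posted('yog');
    $pass = $posted('pass1');
    $mailings = $posted('mailings') === 'Yes' ? '1' : '0';
    // CHECK THAT THE NAME IS VALID
    if (($name = sanitize_username($name)) === false) {
        alert('Your name must have only letters, hyphens, apostrophes, and spaces, and be between 3 and 30 characters long', -1);
        show_form();
        return;
    }
    // strict comparison: a loose `== false` would also match a space at offset 0
    if (strpos($name, ' ') === false) {
        alert('Please enter both your first <span class="i">and</span> last name', -1);
        show_form();
        return;
    }
    // CHECK THAT THE EMAIL ADDRESS IS VALID
    if (!val('e', $email)) {
        alert('That\'s not a valid email address', -1);
        show_form();
        return;
    }
    // CHECK AND FORMAT CELL PHONE NUMBER
    if ($cell !== '' && ($cell = format_phone_number($cell)) === false) {
        //Validate the format of the cell phone number (if it's not left blank)
        alert('That\'s not a valid cell phone number', -1);
        show_form();
        return;
    }
    // CHECK THAT THE YOG IS VALID
    $grade = intval(getGradeFromYOG($yog));
    if ($grade < 9 || $grade > 12) {
        alert('That is not a valid YOG (' . $grade . ' - you have to be in high school)', -1);
        show_form();
        return;
    }
    // CHECK THAT THE PASSWORDS MATCH, MEET MINIMUM LENGTH
    // `!==`: a loose `!=` treats numeric-looking strings such as "1e3" and
    // "1000" as equal and would accept mismatched passwords.
    if ($pass !== $posted('pass2')) {
        alert('The passwords that you entered do not match', -1);
        show_form();
        return;
    }
    if (strlen($pass) < 6) {
        alert('Please choose a password that has at least 6 characters', -1);
        show_form();
        return;
    }
    // CHECK THAT THEY ENTERED THE RECAPTCHA CORRECTLY
    // CURRENTLY BROKEN: NEED TO UPDATE RECAPTCHA
    /* 
    $recaptcha_msg = validate_recaptcha();
    if ($recaptcha_msg !== true) {
    	alert($recaptcha_msg, -1);
    	show_form();
    	return;
    }
    */
    // CHECK THAT AN ACCOUNT WITH THAT EMAIL DOES NOT ALREADY EXIST
    // this is done *after* checking the reCaptcha to prevent bots from harvesting our email
    // addresses via a brute-force attack.
    // NOTE(review): while the reCAPTCHA block above is disabled, this response
    // confirms to any client whether an address is registered; restoring the
    // captcha (or rate-limiting this form) is what makes the comment true again.
    if (DBExt::queryCount('users', 'LOWER(email)=LOWER(%s)', $email) != 0) {
        alert('An account with that email address already exists', -1);
        show_form();
        return;
    }
    // CHECK THAT AN ACCOUNT WITH THE SAME NAME IN THE SAME GRADE DOES NOT EXIST
    // - with the exception that if it's permissions = 'E', they probably mistyped their email and are redoing it.
    if (DBExt::queryCount('users', 'LOWER(name)=%s AND yog=%i AND permissions!="E"', strtolower($name), $yog) != 0) {
        alert('An account in your grade with that name already exists', -1);
        show_form();
        return;
    }
    // ** All information has been validated at this point **
    $verification_code = generate_code(5);
    // for verifying ownership of the email address
    // Check if email address has been pre-approved
    if (isset($_SESSION['PREAPPROVED']) && $email === $_SESSION['PREAPPROVED']) {
        $approved = '1';
        // skip Captain approval
        $verification_code = '1';
        // skip email verification (already done)
    } else {
        $approved = '0';
    }
    // Create database entry
    $passhash = hash_pass($email, $pass);
    if ($cell === '') {
        $cell = 'None';
    } else {
        // remove non-numbers from cell phone # again
        $cell = preg_replace('#[^\\d]#', '', $posted('cell'));
    }
    DB::insert('users', array('name' => $name, 'email' => $email, 'passhash' => $passhash, 'cell' => $cell, 'yog' => $yog, 'mailings' => $mailings, 'approved' => $approved, 'email_verification' => $verification_code, 'registration_ip' => htmlentities(strtolower($_SERVER['REMOTE_ADDR']))));
    set_login_data(DB::insertId());
    // LOG THEM IN
    // For pre-approved members:
    if ($approved === '1') {
        global $WEBMASTER_EMAIL;
        $to = array($email => $name);
        $subject = 'Account Created';
        $body = <<<HEREDOC
Welcome to the LHS Math Club website, {$name}!
Your account has been created. If you have any questions about the site, please email
the webmaster at {$WEBMASTER_EMAIL}
HEREDOC;
        send_email($to, $subject, $body, $WEBMASTER_EMAIL);
        $_SESSION['HOME_welcome'] = 'Welcome to the LHS Math Club website, ' . $name . '!';
        header('Location: Home');
        // Stop here: without this return the Verify_Email redirect below
        // replaces the Location header just sent and queues a verification
        // e-mail for an address that was already verified.
        return;
    }
    $_SESSION['ACCOUNT_do_send_verification_email'] = true;
    header('Location: Verify_Email');
}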
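/**
 * Handles the "enter a score" form submission.
 *
 * Validates the XSRF token, the test ID, the user name and the score taken
 * from $_REQUEST, then records the score for the single matching user,
 * offers to create a temporary user when nobody matches, or offers to
 * override a previously entered score.  Every path ends by re-rendering the
 * page with show_page(); problems are reported through alert().
 *
 * @return void
 */
function process_form()
{
    // Check XSRF token: constant-time comparison, and a session that has no
    // token fails instead of matching an equally empty request value.
    $sessionToken = isset($_SESSION['xsrf_token']) ? (string) $_SESSION['xsrf_token'] : '';
    $requestToken = isset($_REQUEST['xsrf_token']) ? (string) $_REQUEST['xsrf_token'] : '';
    if ($sessionToken === '' || !hash_equals($sessionToken, $requestToken)) {
        trigger_error('Invalid XSRF token', E_USER_ERROR);
    }
    //Check Test ID
    $row = DB::queryFirstRow('SELECT test_id, name, total_points FROM tests WHERE test_id=%s LIMIT 1', $_REQUEST['ID']);
    if (!$row) {
        trigger_error('Process_Form: Invalid Test ID', E_USER_ERROR);
    }
    //Get some data
    $test_id = intval($row['test_id']);
    $total_points = intval($row['total_points']);
    $score = $_REQUEST['score'];
    //No intval() because intval('') is 0.
    $user = sanitize_username($_REQUEST['user']);
    // Builds the "create temporary user" link for $who / $points.  The
    // query-string values are URL-encoded and the href HTML-escaped, so a
    // name containing an apostrophe (allowed by sanitize_username) or '&'
    // cannot break out of the attribute.
    // NOTE(review): the XSRF token travels in a GET link here, so it ends up
    // in browser history and Referer headers; a POST form would avoid that.
    $createTemporaryLink = function ($label, $who, $points) use ($test_id, $sessionToken) {
        $href = 'Enter_Scores?Temporary&ID=' . $test_id . '&user=' . urlencode($who) . '&score=' . $points . '&xsrf_token=' . urlencode($sessionToken);
        return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">' . $label . '</a>';
    };
    if ($user === false) {
        //Validate username
        alert('Name must have only letters, hyphens, apostrophes, and spaces, and be between 3 and 30 characters long', -1);
    } elseif (!val('i0+', $score) || ($score = intval($score)) > $total_points) {
        //Validate Score
        alert('Score must be a nonnegative integer not more than the total points', -1);
    } elseif (count($userdata = autocomplete_users_php($user)) == 0) {
        // Check for username - No such users found.
        if (isset($_GET['Temporary'])) {
            if (DB::queryFirstField('SELECT COUNT(*) FROM users WHERE name=%s', $user) > 0) {
                // The inserts below used to run even after this alert, which
                // created a duplicate user row.
                alert('User already exists!', -1);
            } else {
                DB::insert('users', array('name' => $user, 'permissions' => 'T', 'approved' => 1));
                DB::insert('test_scores', array('test_id' => $test_id, 'user_id' => DB::insertId(), 'score' => $score));
                alert('Created new temporary user <b>' . $user . '</b>, and entered a score of ' . $score . '.', 1);
            }
        } else {
            alert('Could not find <b>' . $user . '</b>. ' . $createTemporaryLink('Create Temporary User', $user, $score) . '?', -1);
        }
    } elseif (count($userdata) > 1) {
        alert('<b>' . $user . '</b> matches multiple people. ' . $createTemporaryLink('Create Temporary User?', $user, $score), -1);
    } else {
        //We've got exactly one match for the user name.
        $user = $userdata[0]['name'];
        $user_id = (int) $userdata[0]['id'];
        // Check for previously-entered scores (no row means nothing entered yet)
        $row = DB::queryFirstRow('SELECT score_id, score FROM test_scores WHERE test_id=%i AND user_id=%i LIMIT 1', $test_id, $user_id);
        $prev_score = $row ? $row['score'] : null;
        $score_id = $row ? $row['score_id'] : null;
        if (!is_null($prev_score)) {
            //Already entered. Both values are ints here ($score was intval()'d above).
            $prev_score = intval($prev_score);
            if ($prev_score === $score) {
                alert('<b>' . $user . '</b>\'s score has already been entered as ' . $prev_score, -1);
            } elseif (isset($_REQUEST['Override'])) {
                DB::update('test_scores', array('score' => $score), 'score_id=%i LIMIT 1', $score_id);
                alert('Changed score from ' . $prev_score . ' to ' . $score . ' for <b>' . $user . '</b>', 1);
            } else {
                // Same escaping as the temporary-user link: the single-quoted
                // href used before broke on names containing an apostrophe.
                $href = '?Override&ID=' . $test_id . '&user=' . urlencode($user) . '&score=' . $score . '&xsrf_token=' . urlencode($sessionToken);
                alert("<b>{$user}</b>'s score has already been entered as {$prev_score}. <a href=\"" . htmlspecialchars($href, ENT_QUOTES) . "\">Change to {$score}?</a>", -1);
            }
        } else {
            //Non-duplicate, valid. Let's enter it.
            DB::insert('test_scores', array('test_id' => $test_id, 'user_id' => $user_id, 'score' => $score));
            alert('Entered a score of ' . $score . ' for ' . $user, 1);
        }
    }
    show_page();
}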
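/**
 * Runs the database consistency checks and renders the results via show_page().
 *
 * Each check is one query; every row it returns is reported as a red line,
 * and a check that returns no rows is reported as a single green line.  All
 * values read from the database are HTML-escaped before being rendered (the
 * earlier version left file and category names unescaped).
 *
 * @return void
 */
function do_verify()
{
    // HTML-escape a value read from the database before it is rendered.
    $h = static function ($value) {
        return htmlentities((string) $value);
    };
    // Run $sql and return one red line per row for which $describe returns a
    // problem description (null skips the row).
    $flagRows = static function ($sql, callable $describe) {
        $lines = '';
        $result = DB::queryRaw($sql);
        while ($row = mysqli_fetch_assoc($result)) {
            $problem = $describe($row);
            if ($problem !== null) {
                $lines .= '      <span style="color: #a00;">' . $problem . '</span><br />' . "\n";
            }
        }
        return $lines;
    };
    // Close a section: the red lines, or the green $okText line when there
    // were none, followed by a spacer line.
    $section = static function ($lines, $okText) {
        if ($lines === '') {
            $lines = '      <span style="color: #0a0;">' . $okText . '</span><br />' . "\n";
        }
        return $lines . '      <br />' . "\n";
    };
    // One complete check: query, describe each row, wrap.
    $check = static function ($sql, callable $describe, $okText) use ($flagRows, $section) {
        return $section($flagRows($sql, $describe), $okText);
    };
    // Shorthands for the three row shapes most checks below share.
    $userCheck = static function ($sql, $problem, $okText) use ($check, $h) {
        return $check($sql, static function ($row) use ($h, $problem) {
            return 'User &quot;' . $h($row['name']) . '&quot; ' . $problem;
        }, $okText);
    };
    $fileCheck = static function ($sql, $problem, $okText) use ($check, $h) {
        return $check($sql, static function ($row) use ($h, $problem) {
            return 'The file &quot;' . $h($row['name']) . '&quot; ' . $problem;
        }, $okText);
    };
    $scoreCheck = static function ($sql, $problem, $okText) use ($check, $h) {
        return $check($sql, static function ($row) use ($h, $problem) {
            return 'Score entry #' . $h($row['score_id']) . ' ' . $problem;
        }, $okText);
    };

    $output = '';
    // All users have a valid name
    $output .= $check('SELECT name FROM users', static function ($row) use ($h) {
        return sanitize_username($row['name']) === false
            ? 'User &quot;' . $h($row['name']) . '&quot; does not have a valid name'
            : null;
    }, 'All users have a valid name');
    // Check for duplicate emails (the empty address is reported separately below)
    $output .= $check('SELECT email FROM users GROUP BY email HAVING COUNT(*) > 1', static function ($row) use ($h) {
        return (string) $row['email'] !== ''
            ? 'Duplicate email: &lt;' . $h($row['email']) . '&gt;'
            : null;
    }, 'No duplicate email addresses');
    // All non-temporary users have an email address
    $output .= $userCheck('SELECT name FROM users WHERE email="" AND permissions!="T"', 'does not have an email address', 'All users have email addresses');
    // All non-temporary users have a password
    $output .= $userCheck('SELECT name FROM users WHERE passhash NOT REGEXP "^[0-9a-fA-F]{128}$" AND permissions!="T"', 'does not have a valid password hash', 'All users have valid password hashes');
    // All users have valid cell phone information
    $output .= $userCheck('SELECT name FROM users WHERE cell NOT REGEXP "^[0-9]{10}$" AND cell!="None" AND permissions!="T"', 'has invalid cell phone information', 'All users have valid cell phone information');
    // All users have a valid YOG
    $output .= $userCheck('SELECT name FROM users WHERE yog NOT REGEXP "^[0-9]{4}$" AND permissions!="T"', 'has an invalid YOG', 'All users have a valid YOG');
    // All users have valid permissions
    $output .= $userCheck('SELECT name FROM users WHERE permissions!="C" AND permissions!="A" AND permissions!="R" AND permissions!="L" AND permissions!="T"', 'has an invalid permission state', 'All users have valid permission states');
    // All users have valid approval states
    $output .= $userCheck('SELECT name FROM users WHERE approved!="1" AND approved!="0" AND approved!="-1"', 'has an invalid approval state', 'All users have valid approval states');
    // All users have a valid email verification status
    $output .= $userCheck('SELECT name FROM users WHERE email_verification NOT REGEXP "^[0-9a-fA-F]{5}$" AND email_verification!="1" AND permissions!="T"', 'has an invalid email verification state', 'All users have valid email verification states');
    // All users have a valid password reset status (the closing &quot; was
    // previously missing its ampersand)
    $output .= $userCheck('SELECT name FROM users WHERE password_reset_code NOT REGEXP "^[0-9a-fA-F]{5}$" AND password_reset_code!="0"', 'has an invalid password reset state', 'All users have valid password reset states');
    // All test scores match a test
    $output .= $scoreCheck('SELECT score_id FROM test_scores WHERE NOT EXISTS (SELECT * FROM tests WHERE tests.test_id = test_scores.test_id)', 'is not associated with a real test', 'All score entries are associated with a real test');
    // All test scores match a user
    $output .= $scoreCheck('SELECT score_id FROM test_scores WHERE NOT EXISTS (SELECT * FROM users WHERE users.id = test_scores.user_id)', 'is not associated with a real user', 'All score entries are associated with a real user');
    // All test scores are under the maximum
    $output .= $scoreCheck('SELECT score_id FROM test_scores WHERE score < 0 OR EXISTS (SELECT * FROM tests WHERE tests.test_id = test_scores.test_id AND test_scores.score > tests.total_points)', 'has an invalid score', 'All score entries have valid scores');
    // No file_category ID 0
    $output .= $check('SELECT * FROM file_categories WHERE category_id="0"', static function ($row) use ($h) {
        return 'The file category &quot;' . $h($row['name']) . '&quot; has an ID of 0';
    }, 'No file categories have an ID of 0');
    // All files have a valid category
    $output .= $fileCheck('SELECT name FROM files WHERE category!="0" AND NOT EXISTS (SELECT * FROM file_categories WHERE file_categories.category_id = files.category)', 'is not in a real category', 'All files are in real categories');
    // All files have valid permissions
    $output .= $fileCheck('SELECT name FROM files WHERE permissions!="A" AND permissions!="M" AND permissions!="P"', 'has an invalid permission state', 'All files have valid permission states');
    // All files exist on disk
    $output .= $check('SELECT name, filename FROM files', static function ($row) use ($h) {
        return file_exists('../.content/uploads/' . $row['filename'])
            ? null
            : 'The file &quot;' . $h($row['name']) . '&quot; [' . $h($row['filename']) . '] does not exist on disk';
    }, 'All files exist on disk');
    // No duplicate orders
    $lines = $flagRows('SELECT name FROM file_categories WHERE EXISTS (SELECT * FROM files WHERE files.category=file_categories.category_id GROUP BY order_num HAVING COUNT(*) > 1)', static function ($row) use ($h) {
        return 'The file category &quot;' . $h($row['name']) . '&quot; has multiple files with the same order number';
    });
    // Files in category 0 ("Miscellaneous") have no file_categories row, so
    // they are checked separately.  Any duplicated order number is a problem;
    // the earlier `== 1` test went quiet as soon as two groups were duplicated.
    $result = DB::queryRaw('SELECT * FROM files WHERE files.category="0" GROUP BY order_num HAVING COUNT(*) > 1');
    if (mysqli_num_rows($result) > 0) {
        $lines .= '      <span style="color: #a00;">The file category &quot;Miscellaneous&quot; has multiple files with the same order number</span><br />' . "\n";
    }
    $output .= $section($lines, 'All files have valid order numbers');
    $output .= '      <a href="Database" class="small">[Clear]</a>';
    show_page($output);
}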