<input type='text' name='data' placeholder='Data to save'/><br/> <?php echo $select; ?> <br/> <input type='submit'/> </form> <?php } else { echo "Please log in above to test this."; } } catch (Exception $e) { echo "You've not logged in. Please log in above to test this."; } if ($_REQUEST['t'] == 'write') { echo displayDebug($u->writeToUser($_POST['data'], $_POST['col'])); } ?> </div> <div> <h3>Show User Data</h3> <?php try { if ($u->validateUser()) { ?> <form action='?t=show' method='post'> <p>User: <?php echo $_COOKIE[$cookieuser]; ?> </p> <input type='password' name='pw' placeholder='password'/><br/>
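function saveToUser($get)
{
    /***
     * Write one column of the calling user's record from AJAX-supplied parameters.
     *
     * $get must carry the session credentials 'hash', 'secret' and 'dblink'
     * (checked through UserFunctions::validateUser) plus base64-encoded 'data'
     * and 'col'. These credentials are OK to pass with plaintext, they'll change
     * with a different device anyway (non-persistent). Worst-case scenario it
     * only exposes public function calls. Sensitive things will need explicit
     * revalidation.
     *
     * Returns whatever UserFunctions::writeToUser returns on success, otherwise
     * array('status' => false, 'error' => <reason>).
     ***/
    $isBlank = function ($v) {
        // Only absent/empty values count as blank; a literal "0" is valid data,
        // which empty() would wrongly reject.
        return $v === null || $v === false || $v === '';
    };

    $conf = isset($get['hash']) ? $get['hash'] : null;
    $s = isset($get['secret']) ? $get['secret'] : null;
    $id = isset($get['dblink']) ? $get['dblink'] : null;
    $rawData = isset($get['data']) ? $get['data'] : null;
    $rawCol = isset($get['col']) ? $get['col'] : null;

    /***
     * These fields can only be written to from directly inside of a script, rather than an AJAX call.
     ***/
    $protected_fields = array('username', 'password', 'admin_flag', 'su_flag', 'private_key', 'public_key', 'creation', 'dblink', 'secret', 'emergency_code');

    foreach (array($conf, $s, $id, $rawData, $rawCol) as $required) {
        if ($isBlank($required)) {
            return array('status' => false, 'error' => 'One or more required fields were left blank');
        }
    }

    $u = new UserFunctions();
    if (!$u->validateUser($id, $conf, $s)) {
        return array('status' => false, 'error' => 'Invalid user');
    }

    // Yes, writeToUser looks up the validation again, but it is a more robust feedback like this
    // Could pass in $get for validation data, but let's be more limited
    $val = array('dblink' => $id, 'hash' => $conf, 'secret' => $s);
    $data = decode64($rawData);
    $col = decode64($rawCol);
    if ($isBlank($data) || $isBlank($col)) {
        return array('status' => false, 'error' => 'Invalid data format (required valid base64 data)');
    }

    // User safety: refuse protected columns. Compare case-insensitively because
    // SQL column identifiers are commonly case-insensitive (e.g. MySQL), so
    // 'Password' must be rejected exactly like 'password'.
    $colKey = is_string($col) ? strtolower($col) : $col;
    if (in_array($colKey, $protected_fields, true)) {
        // Double quotes so the column name is actually interpolated into the message
        return array('status' => false, 'error' => "Cannot write to {$col} : protected field");
    }
    return $u->writeToUser($data, $col, $val);
}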
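function updateOwnProfile($get, $col = "public_profile")
{
    /***
     * Update the self-profile of a user.
     *
     * $get["data"] must be a Base-64 encoded JSON object containing at least the
     * keys place, social, privacy and profile. The object is re-encoded and written
     * to $col through UserFunctions::writeToUser, which applies its default
     * (cookie-based) validation.
     *
     * Returns an array with a boolean "status"; on failure "error" holds a machine
     * code and "human_error" a description, and "provided" echoes the input.
     ***/
    $badData = array(
        "status" => false,
        "error" => "BAD_DATA",
        "human_error" => "Provided data should be a Base-64 representation of a JSON object.",
        "provided" => $get,
    );

    # A missing or non-string payload cannot be decoded at all (and would raise a
    # notice / TypeError further down), so reject it up front.
    if (!isset($get["data"]) || !is_string($get["data"])) {
        return $badData;
    }
    $raw64 = $get["data"];

    # Verify the JSON integrity of the file
    $structuredData = smart_decode64($raw64);
    if (!is_array($structuredData)) {
        $raw = base64_decode($raw64);
        $structuredData = ($raw === false) ? null : json_decode($raw, true);
    }
    // check nullness objectness etc
    if (!is_array($structuredData)) {
        return $badData;
    }

    # Check required keys
    $requiredKeys = array("place", "social", "privacy", "profile");
    foreach ($requiredKeys as $key) {
        if (!array_key_exists($key, $structuredData)) {
            return array(
                "status" => false,
                "error" => "MISSING_REQUIRED_KEY",
                "human_error" => "Required key '{$key}' cannot be found in the posted dataset",
                "provided" => $get,
            );
        }
    }

    // NOTE(review): JSON_NUMERIC_CHECK silently turns numeric-looking strings
    // ("0123", "1e3") into numbers -- confirm that is acceptable for profile fields.
    $jsonOptions = JSON_NUMERIC_CHECK | JSON_HEX_QUOT | JSON_HEX_APOS;
    $data = json_encode($structuredData, $jsonOptions);
    if ($data === false) {
        // e.g. invalid UTF-8 inside the decoded object; never hand `false` to the writer
        return array(
            "status" => false,
            "error" => "ENCODE_FAILED",
            "human_error" => "Decoded data could not be re-encoded as JSON: " . json_last_error_msg(),
            "provided" => $get,
        );
    }

    $u = new UserFunctions();
    # We'll use writeToUser and use default cookie-based validation.
    $writeResult = $u->writeToUser($data, $col);
    // Only a genuine boolean status is trusted; anything else is reported as failure
    $rStatus = (is_array($writeResult) && isset($writeResult["status"])) ? $writeResult["status"] : false;
    if (!is_bool($rStatus)) {
        $rStatus = false;
    }
    return array(
        "status" => $rStatus,
        "write_response" => $writeResult,
        "provided" => array("raw" => $raw64, "decoded" => $structuredData),
    );
}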