Replaced config.global.php with a second SQL table, added timestamps to file uploads, general code cleanup
This commit is contained in:
parent
95ca5bf9f0
commit
3b7dc3c193
|
@ -1,3 +0,0 @@
|
|||
<?php
|
||||
|
||||
?>
|
|
@ -1,6 +1,5 @@
|
|||
<?php
|
||||
|
||||
require('config.global.php');
|
||||
require('functions.global.php');
|
||||
require('layout.php');
|
||||
|
||||
|
@ -29,7 +28,7 @@ if (!$realFile) {
|
|||
} else {
|
||||
$fileName = str_replace("files/", "", $fetched[0]);
|
||||
|
||||
if ($_GET['dl'] == "true") {
|
||||
if ($_GET['dl'] == "true") {
|
||||
|
||||
header('Content-Type: application/octet-stream');
|
||||
header("Content-Transfer-Encoding: Binary");
|
||||
|
|
|
@ -9,7 +9,6 @@ function contactDB($query, $column) {
|
|||
// 1: fileid
|
||||
// 2: filepath
|
||||
// 3: fileowner
|
||||
// 4: filedate
|
||||
// ie, $result = contactDB("SELECT * FROM files WHERE fileowner='admin';", 2);
|
||||
// populates the $result[] array with the file paths to every file owned by the admin user
|
||||
|
||||
|
|
12
index.php
12
index.php
|
@ -1,5 +1,17 @@
|
|||
<?php
|
||||
|
||||
/***
|
||||
* index.php:
|
||||
* Deliver main page
|
||||
*/
|
||||
|
||||
// Check if setup has been completed
|
||||
// If the file 'setup.php' still exists, the user should be redirected to it
|
||||
if (file_exists("./setup.php")) {
|
||||
header('location: ./setup.php');
|
||||
die();
|
||||
}
|
||||
|
||||
require('layout.php');
|
||||
|
||||
echo deliverTop("SimpleFS - Home");
|
||||
|
|
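Review bot: The redirect-to-setup guard is added only to index.php, while login.php, manage.php and upload.php in this same commit gain no equivalent check, so a half-installed instance (setup.php still present, possibly with no users table yet) keeps serving those entry points directly; the check belongs in the shared require (layout.php or functions.global.php) so every page inherits it. The guard also assumes setup.php really disappears after installation, but setup.php's own `unlink("./setup.php")` is unchecked, so a failed delete leaves the site redirecting every visitor to an unauthenticated installer. A one-line comment such as `// setup.php deletes itself on completion; its presence means installation is incomplete` would document the invariant this block depends on.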
41
login.php
41
login.php
|
@ -1,32 +1,27 @@
|
|||
<?php
|
||||
|
||||
require('config.global.php');
|
||||
require('functions.global.php');
|
||||
require('layout.php');
|
||||
|
||||
if ($_POST['submitted'] == true) {
|
||||
if ($_POST['username'] == $adminuser) {
|
||||
if (password_verify($_POST['password'], $adminpass)) {
|
||||
$_SESSION['simplefsvalid'] = true;
|
||||
$_SESSION['simplefsuser'] = "admin";
|
||||
// signed in, redirect
|
||||
header('location: manage.php');
|
||||
} else {
|
||||
$_SESSION['simplefsvalid'] = false;
|
||||
$_SESSION['simplefsuser'] = NULL;
|
||||
die('Invalid username or password');
|
||||
|
||||
}
|
||||
} else if ($_POST['username'] == $secuser) {
|
||||
if (password_verify($_POST['password'], $secpass)) {
|
||||
$_SESSION['simplefsvalid'] = true;
|
||||
$_SESSION['simplefsuser'] = "guest";
|
||||
// signed in, redirect
|
||||
header('location: manage.php');
|
||||
} else {
|
||||
$_SESSION['simplefsvalid'] = false;
|
||||
$_SESSION['simplefsuser'] = NULL;
|
||||
die('Invalid username or password');
|
||||
}
|
||||
// Verify the username is legit
|
||||
$valid_usernames = contactDB("SELECT user_name FROM users", 0);
|
||||
$login_username = $_POST['username'];
|
||||
if (!in_array($login_username, $valid_usernames)) {
|
||||
die('Invalid username or password');
|
||||
}
|
||||
|
||||
$relevant_password_hash = contactDB("SELECT user_password FROM users WHERE user_name='$login_username';", 0);
|
||||
$relevant_password_hash = $relevant_password_hash[0];
|
||||
|
||||
$relevant_user_id = contactDB("SELECT user_id FROM users WHERE user_name='$login_username';", 0);
|
||||
$relevant_user_id = $relevant_user_id[0];
|
||||
|
||||
if (password_verify($_POST['password'], $relevant_password_hash)) {
|
||||
$_SESSION['simplefsvalid'] = true;
|
||||
$_SESSION['simplefsuser'] = (($relevant_user_id == 1) ? "admin" : "$login_username");
|
||||
header('location: manage.php');
|
||||
} else {
|
||||
$_SESSION['simplefsvalid'] = false;
|
||||
$_SESSION['simplefsuser'] = NULL;
|
||||
|
|
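Review bot: `$login_username` is still spliced into the two SELECTs even though it comes straight from `$_POST['username']`; the `in_array` membership test limits it to names already in the users table, but that test is non-strict and the stored names are written unescaped by setup.php, so a name containing `'` still breaks or alters the query. Until contactDB can take bound parameters, tighten the check to `if (!in_array($login_username, $valid_usernames, true))` and reject `'` in usernames at the point where they are created. On success the session is promoted without rotating its id — add `session_regenerate_id(true);` before `$_SESSION['simplefsvalid'] = true;` (assuming session_start() happens in layout.php, which is not visible here) so a session id fixed before login cannot be reused afterwards. The unknown-name branch also returns before `password_verify` runs, which makes valid usernames distinguishable by response time; the `else` branch of this block continues past the end of the hunk.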
19
manage.php
19
manage.php
|
@ -1,6 +1,5 @@
|
|||
<?php
|
||||
|
||||
require('config.global.php');
|
||||
require('layout.php');
|
||||
require('functions.global.php');
|
||||
|
||||
|
@ -13,8 +12,13 @@ $currentUser = $_SESSION['simplefsuser'];
|
|||
|
||||
/* Obtain list of current user's files */
|
||||
|
||||
$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
|
||||
$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
|
||||
if ($currentUser == "admin") {
|
||||
$myFilesId = contactDB("SELECT * FROM files;", 0);
|
||||
$myFilesName = contactDB("SELECT * FROM files;", 1);
|
||||
} else {
|
||||
$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
|
||||
$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
|
||||
}
|
||||
|
||||
$nFiles = count($myFilesId);
|
||||
|
||||
|
@ -40,8 +44,13 @@ unset($myFilesId);
|
|||
unset($myFilesName); // Re-loading list after file deletion
|
||||
unset($nFiles);
|
||||
|
||||
$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
|
||||
$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
|
||||
if ($currentUser == "admin") {
|
||||
$myFilesId = contactDB("SELECT * FROM files;", 0);
|
||||
$myFilesName = contactDB("SELECT * FROM files;", 1);
|
||||
} else {
|
||||
$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
|
||||
$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
|
||||
}
|
||||
$nFiles = count($myFilesId);
|
||||
|
||||
if ($nFiles == 0) {
|
||||
|
|
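Review bot: The admin/non-admin file listing is written out twice in this file (once at the top and again after the deletion re-load), with `$currentUser` from the session still spliced into the WHERE clause; factoring it into one helper keeps the branch, and any later move to bound parameters, in a single place. The admin branch keys off the literal session value "admin", which login.php assigns to user_id 1 and which setup.php refuses as a second user's name — that cross-file invariant deserves a comment here, e.g. `// "admin" is the session name login.php gives user_id 1; setup.php rejects it for other users`. Whether the deletion path that sits between these two hunks checks `fileowner` for non-admin users is not visible in this section.
```php
/* File ids and names visible to $user: every file for admin, the user's own files otherwise. */
function listFilesFor($user) {
    $where = ($user == "admin") ? "" : " WHERE fileowner='$user'";
    return array(
        contactDB("SELECT * FROM files$where;", 0),
        contactDB("SELECT * FROM files$where;", 1),
    );
}
// … unchanged: session check …
list($myFilesId, $myFilesName) = listFilesFor($currentUser);
$nFiles = count($myFilesId);
// … unchanged: deletion handling …
list($myFilesId, $myFilesName) = listFilesFor($currentUser);
$nFiles = count($myFilesId);
```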
63
setup.php
63
setup.php
|
@ -71,50 +71,53 @@ if ($_POST['formsubmitted'] == "true") {
|
|||
die('Error: Usernames cannot be identical to each other');
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: config.global.php should really just be a second SQL table
|
||||
$myfile = fopen("config.global.php", "w") or die("Fatal error: can't open file. Does your webserver have write permissions here?");
|
||||
|
||||
$admhash = password_hash($_POST['password'], PASSWORD_DEFAULT);
|
||||
if ($_POST['makeuser'] == true) {
|
||||
$usrhash = password_hash($_POST['pass2'], PASSWORD_DEFAULT);
|
||||
}
|
||||
fwrite($myfile, "<?php".PHP_EOL);
|
||||
fwrite($myfile, '$adminuser = \''.$_POST['username'].'\';'.PHP_EOL);
|
||||
fwrite($myfile, '$adminpass = \''.$admhash.'\';'.PHP_EOL);
|
||||
|
||||
if ($_POST['makeuser'] == true) {
|
||||
fwrite($myfile, '$secuser = \''.$_POST['user2'].'\';'.PHP_EOL);
|
||||
fwrite($myfile, '$secpass = \''.$usrhash.'\';'.PHP_EOL);
|
||||
}
|
||||
|
||||
fwrite($myfile, '$deleteafter = -1'.PHP_EOL);
|
||||
|
||||
if (!fwrite($myfile, "?>".PHP_EOL)) {
|
||||
echo '<br><font color="FF0000">Error creating <b>config.global.php</b></font><br>Does the web server have write permissions here?';
|
||||
die();
|
||||
if ($_POST['user2'] == "admin") {
|
||||
die('Error: Second username cannot be "admin"');
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
echo '<br>User(s) created.';
|
||||
|
||||
|
||||
// Create the database
|
||||
if (file_exists("./filedb.sqlite")) {
|
||||
unlink("./filedb.sqlite");
|
||||
}
|
||||
|
||||
|
||||
touch("./filedb.sqlite");
|
||||
$initializeDB = contactDB("CREATE TABLE files (
|
||||
fileid int NOT NULL PRIMARY KEY,
|
||||
filepath varchar(255) NOT NULL,
|
||||
fileowner varchar(255) NOT NULL
|
||||
fileowner varchar(255) NOT NULL,
|
||||
filedate timestamp NOT NULL
|
||||
);", 0);
|
||||
|
||||
$add_config_table = contactDB("CREATE TABLE users (
|
||||
user_id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
user_name varchar(255) NOT NULL,
|
||||
user_password varchar(255) NOT NULL,
|
||||
auto_delete_files_after int NOT NULL
|
||||
);", 0);
|
||||
|
||||
echo '<br>Initialized file database';
|
||||
echo '<br>Initialized SQLite database';
|
||||
|
||||
// Delete setup.php
|
||||
unlink("./setup.php");
|
||||
// Populate the 'users' table
|
||||
$admin_password_hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
|
||||
$user_password_hash = password_hash($_POST['pass2'], PASSWORD_DEFAULT);
|
||||
|
||||
$add_user = contactDB("INSERT INTO users (user_name, user_password, auto_delete_files_after)
|
||||
VALUES ('".$_POST['username']."', '$admin_password_hash', -1);", 0);
|
||||
|
||||
if ($_POST['makeuser']) {
|
||||
$add_user = contactDB("INSERT INTO users (user_name, user_password, auto_delete_files_after)
|
||||
VALUES ('".$_POST['user2']."', '$user_password_hash', -1);", 0);
|
||||
}
|
||||
|
||||
echo '<br>User(s) created.';
|
||||
|
||||
// Delete setup.php
|
||||
unlink("./setup.php");
|
||||
|
||||
header('location: index.php');
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
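Review bot: `unlink("./setup.php")` near the end is unchecked; this installer is gated only by its own existence (index.php redirects to it while the file is there), it deletes any existing filedb.sqlite and creates the admin account, so if the unlink fails on a directory the web server cannot write — the very case the removed config.global.php error message warned about — the installer stays reachable and re-runnable by anyone. Change it to `if (!unlink("./setup.php")) { die('Error: could not delete setup.php; remove it manually before using SimpleFS'); }`. The two INSERTs also splice `$_POST['username']` and `$_POST['user2']` into SQL unescaped, and login.php later interpolates the same stored names; until contactDB supports bound parameters, validate both names up front with something like `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $_POST['username'])) { die('Error: invalid username'); }`, mirroring the apostrophe rule upload.php applies to filenames. `password_hash($_POST['pass2'], ...)` runs even when makeuser is unset, which is harmless but wasted work and can move inside the `if ($_POST['makeuser'])` block.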
26
upload.php
26
upload.php
|
@ -1,7 +1,6 @@
|
|||
<?php
|
||||
|
||||
|
||||
require('config.global.php');
|
||||
require('functions.global.php');
|
||||
require('layout.php');
|
||||
|
||||
|
@ -18,13 +17,13 @@ if ($_POST['fsubmitted'] == "true") {
|
|||
|
||||
$target_dir = "files/";
|
||||
$target_file = $target_dir . basename($_FILES["upfile"]["name"]);
|
||||
$uploadOk = 1;
|
||||
$uploadOk = true;
|
||||
$fileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
|
||||
|
||||
|
||||
if (file_exists($target_file)) {
|
||||
echo "<div align='center'><h1>Error: file already exists</h1></div>";
|
||||
$uploadOk = 0;
|
||||
$uploadOk = false;
|
||||
}
|
||||
|
||||
/* *************************** */
|
||||
|
@ -42,23 +41,18 @@ if($fileType == "php" || $fileType == "htm" || $fileType == "html" || $fileType
|
|||
/* End of the aforementioned alterable security section */
|
||||
/* **************************************************** */
|
||||
|
||||
/* This following part shouldn't be deleted though, my apologies but without sanitizing these filenames, could break the whole thing */
|
||||
/* **** */
|
||||
if (strpos($target_file, "'") !== false) {
|
||||
echo "<div align='center'><h1>Error: Cannot upload files with apostrophes or quote-marks</h1></div>";
|
||||
$uploadOk = 0;
|
||||
}
|
||||
// TODO: Replace "sanitization" with prepared statements
|
||||
|
||||
if (strpos($target_file, '"') !== false) {
|
||||
echo "<div align='center'><h1>Error: Cannot upload files with apostrophes or quote-marks</h1></div>";
|
||||
$uploadOk = 0;
|
||||
if (strpos($target_file, "'") !== false || strpos($target_file, '"') !== false) {
|
||||
echo "<div align='center'><h1>Error: Cannot upload files with apostrophes or quote-marks</h1></div>";
|
||||
$uploadOk = false;
|
||||
}
|
||||
|
||||
/* Getting a list of all file IDs */
|
||||
|
||||
$fileListId = contactDB("SELECT * FROM files;", 0);
|
||||
|
||||
if ($uploadOk == 0) {
|
||||
if ($uploadOk == false) {
|
||||
echo "<div align='center'><h1>Error: file was not uploaded</h1></div>";
|
||||
} else {
|
||||
if (move_uploaded_file($_FILES["upfile"]["tmp_name"], $target_file)) {
|
||||
|
@ -70,9 +64,11 @@ if ($uploadOk == 0) {
|
|||
|
||||
|
||||
/* Write entry to DB */
|
||||
|
||||
$current_date = time();
|
||||
|
||||
$publish = contactDB("INSERT INTO files (fileid, filepath, fileowner)
|
||||
VALUES ($newFileId, '$target_file', '$currentUser');", 0);
|
||||
$publish = contactDB("INSERT INTO files (fileid, filepath, fileowner, filedate)
|
||||
VALUES ($newFileId, '$target_file', '$currentUser', $current_date);", 0);
|
||||
|
||||
/* Tell the user all is well */
|
||||
|
||||
|
|
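Review bot: The type check that precedes the new combined quote test is still an extension deny-list (`php`, `htm`, `html`, … per the hunk header; the full list is cut off here) on a file written to `files/`, and if that directory is reachable directly by the web server the list must also cover `phtml`, `phar`, `php3`/`php5`/`phps` and `htaccess`, plus double extensions on servers that map handlers by any dotted suffix, or an uploaded script can still execute; an allow-list of the extensions the site actually expects is the safer shape for that "alterable security section". The boolean test is also left as `if ($uploadOk == false)`; `if (!$uploadOk)` reads better and avoids a loose comparison. The quote check remains necessary because `$target_file` is spliced into the INSERT in the last hunk, so a comment such as `// Filenames reach the SQL literal unescaped, so quotes must be rejected here` would tell the next reader it is not cosmetic.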