Replaced config.global.php with a second sql table, added timestamps to file uploads, general code cleanup

2023-04-24 17:28:31 -04:00 · 2023-04-24 17:28:31 -04:00 · 3b7dc3c193
parent 95ca5bf9f0
commit 3b7dc3c193
8 changed files with 89 additions and 79 deletions
--- a/config.global.php
+++ b/config.global.php
@ -1,3 +0,0 @@
-<?php
-
-?>
--- a/download.php
+++ b/download.php
@ -1,6 +1,5 @@
 <?php

-require('config.global.php');
 require('functions.global.php');
 require('layout.php');

@ -29,7 +28,7 @@ if (!$realFile) {
 } else {
 	$fileName = str_replace("files/", "", $fetched[0]);
 	
-		if ($_GET['dl'] == "true") {
+	if ($_GET['dl'] == "true") {

 		header('Content-Type: application/octet-stream');
 		header("Content-Transfer-Encoding: Binary"); 
--- a/functions.global.php
+++ b/functions.global.php
@ -9,7 +9,6 @@ function contactDB($query, $column) {
 	// 1: fileid
 	// 2: filepath
 	// 3: fileowner
-	// 4: filedate
 	// ie, $result = contactDB("SELECT * FROM files WHERE fileowner='admin';", 2);
 	// populates the $result[] array with the file paths to every file owned by the admin user
 	
--- a/index.php
+++ b/index.php
@ -1,5 +1,17 @@
 <?php

+/***
+ * index.php:
+ * Deliver main page
+ */
+
+ // Check if setup has been completed
+ // If the file 'setup.php' still exists, the user should be redirected to it
+ if (file_exists("./setup.php")) {
+	header('location: ./setup.php');
+	die();
+}
+
 require('layout.php');

 echo deliverTop("SimpleFS - Home");
--- a/login.php
+++ b/login.php
@ -1,32 +1,27 @@
 <?php

-require('config.global.php');
+require('functions.global.php');
 require('layout.php');

 if ($_POST['submitted'] == true) {
-	if ($_POST['username'] == $adminuser) {
-		if (password_verify($_POST['password'], $adminpass)) {
-			$_SESSION['simplefsvalid'] = true;
-			$_SESSION['simplefsuser'] = "admin";
-			// signed in, redirect
-			header('location: manage.php');
-		} else {
-			$_SESSION['simplefsvalid'] = false;
-			$_SESSION['simplefsuser'] = NULL;
-			die('Invalid username or password');

-		}
-	} else if ($_POST['username'] == $secuser) {
-		if (password_verify($_POST['password'], $secpass)) {
-			$_SESSION['simplefsvalid'] = true;
-			$_SESSION['simplefsuser'] = "guest";
-			// signed in, redirect
-			header('location: manage.php');
-		} else {
-			$_SESSION['simplefsvalid'] = false;
-			$_SESSION['simplefsuser'] = NULL;
-			die('Invalid username or password');
-		}
+	// Verify the username is legit
+	$valid_usernames = contactDB("SELECT user_name FROM users", 0);
+	$login_username = $_POST['username'];
+        if (!in_array($login_username, $valid_usernames)) {
+                die('Invalid username or password');
+        }
+
+        $relevant_password_hash = contactDB("SELECT user_password FROM users WHERE user_name='$login_username';", 0);
+	$relevant_password_hash = $relevant_password_hash[0];
+
+	$relevant_user_id = contactDB("SELECT user_id FROM users WHERE user_name='$login_username';", 0);
+	$relevant_user_id = $relevant_user_id[0];
+	
+	if (password_verify($_POST['password'], $relevant_password_hash)) {
+		$_SESSION['simplefsvalid'] = true;
+		$_SESSION['simplefsuser'] = (($relevant_user_id == 1) ? "admin" : "$login_username");
+		header('location: manage.php');
 	} else {
 		$_SESSION['simplefsvalid'] = false;
 		$_SESSION['simplefsuser'] = NULL;
--- a/manage.php
+++ b/manage.php
@ -1,6 +1,5 @@
 <?php

-require('config.global.php');
 require('layout.php');
 require('functions.global.php');

@ -13,8 +12,13 @@ $currentUser = $_SESSION['simplefsuser'];

 /* Obtain list of current user's files */

-$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
-$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
+if ($currentUser == "admin") {
+	$myFilesId = contactDB("SELECT * FROM files;", 0);
+	$myFilesName = contactDB("SELECT * FROM files;", 1);
+} else {
+	$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
+	$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
+}

 $nFiles = count($myFilesId);

@ -40,8 +44,13 @@ unset($myFilesId);
 unset($myFilesName); // Re-loading list after file deletion
 unset($nFiles);

-$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
-$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
+if ($currentUser == "admin") {
+	$myFilesId = contactDB("SELECT * FROM files;", 0);
+	$myFilesName = contactDB("SELECT * FROM files;", 1);
+} else {
+	$myFilesId = contactDB("SELECT * FROM files WHERE fileowner='$currentUser';", 0);
+	$myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", 1);
+}
 $nFiles = count($myFilesId);

 if ($nFiles == 0) {
--- a/setup.php
+++ b/setup.php
@ -71,50 +71,53 @@ if ($_POST['formsubmitted'] == "true") {
 			die('Error: Usernames cannot be identical to each other');
 			exit();
 		}
-	}
-
-    // TODO: config.global.php should really just be a second SQL table
-	$myfile = fopen("config.global.php", "w") or die("Fatal error: can't open file. Does your webserver have write permissions here?");
-	
-	$admhash = password_hash($_POST['password'], PASSWORD_DEFAULT);
-	if ($_POST['makeuser'] == true) {
-		$usrhash = password_hash($_POST['pass2'], PASSWORD_DEFAULT);
-	}
-	fwrite($myfile, "<?php".PHP_EOL);
-	fwrite($myfile, '$adminuser = \''.$_POST['username'].'\';'.PHP_EOL);
-	fwrite($myfile, '$adminpass = \''.$admhash.'\';'.PHP_EOL);
-
-	if ($_POST['makeuser'] == true) {
-	   fwrite($myfile, '$secuser = \''.$_POST['user2'].'\';'.PHP_EOL);
-	   fwrite($myfile, '$secpass = \''.$usrhash.'\';'.PHP_EOL);
-	}
-
-    fwrite($myfile, '$deleteafter = -1'.PHP_EOL);
-
-	if (!fwrite($myfile, "?>".PHP_EOL)) {
-		echo '<br><font color="FF0000">Error creating <b>config.global.php</b></font><br>Does the web server have write permissions here?';
-        die();
+		if ($_POST['user2'] == "admin") {
+			die('Error: Second username cannot be "admin"');
+			exit();
+		}
 	}
 	
-	echo '<br>User(s) created.';
-	
+
+	// Create the database
 	if (file_exists("./filedb.sqlite")) {
 		unlink("./filedb.sqlite");
 	}

-
 	touch("./filedb.sqlite");
 	$initializeDB = contactDB("CREATE TABLE files (
 		fileid int NOT NULL PRIMARY KEY,
 		filepath varchar(255) NOT NULL,
-		fileowner varchar(255) NOT NULL
+		fileowner varchar(255) NOT NULL,
+		filedate timestamp NOT NULL
+		);", 0);
+	
+	$add_config_table = contactDB("CREATE TABLE users (
+		user_id INTEGER PRIMARY KEY AUTOINCREMENT,
+		user_name varchar(255) NOT NULL,
+		user_password varchar(255) NOT NULL,
+		auto_delete_files_after int NOT NULL
 		);", 0);
 				
-	echo '<br>Initialized file database';
+	echo '<br>Initialized SQLite database';

-    // Delete setup.php
-    unlink("./setup.php");
+	// Populate the 'users' table
+	$admin_password_hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
+	$user_password_hash = password_hash($_POST['pass2'], PASSWORD_DEFAULT);
+
+	$add_user = contactDB("INSERT INTO users (user_name, user_password, auto_delete_files_after)
+		VALUES ('".$_POST['username']."', '$admin_password_hash', -1);", 0);
+
+	if ($_POST['makeuser']) {
+		$add_user = contactDB("INSERT INTO users (user_name, user_password, auto_delete_files_after)
+			VALUES ('".$_POST['user2']."', '$user_password_hash', -1);", 0);
+	}
 	
+	echo '<br>User(s) created.';
+
+	// Delete setup.php
+	unlink("./setup.php");
+	
+	header('location: index.php');
 }

 ?>
--- a/upload.php
+++ b/upload.php
@ -1,7 +1,6 @@
 <?php


-require('config.global.php');
 require('functions.global.php');
 require('layout.php');

@ -18,13 +17,13 @@ if ($_POST['fsubmitted'] == "true") {
 	
 $target_dir = "files/";
 $target_file = $target_dir . basename($_FILES["upfile"]["name"]);
-$uploadOk = 1;
+$uploadOk = true;
 $fileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));


 if (file_exists($target_file)) {
  echo "<div align='center'><h1>Error: file already exists</h1></div>";
-  $uploadOk = 0;
+  $uploadOk = false;
 }

 /* *************************** */
@ -42,23 +41,18 @@ if($fileType == "php" || $fileType == "htm" || $fileType == "html" || $fileType
 /* End of the aforementioned alterable security section */
 /* **************************************************** */

-/* This following part shouldn't be deleted though, my apologies but without sanitizing these filenames, could break the whole thing */
-/* **** */
-if (strpos($target_file, "'") !== false) {
-	echo "<div align='center'><h1>Error: Cannot upload files with apostrophes or quote-marks</h1></div>";
-	$uploadOk = 0;
-}
+// TODO: Replace "sanitization" with prepared statements

-if (strpos($target_file, '"') !== false) {
-		echo "<div align='center'><h1>Error: Cannot upload files with apostrophes or quote-marks</h1></div>";
-	$uploadOk = 0;
+if (strpos($target_file, "'") !== false || strpos($target_file, '"') !== false) {
+	echo "<div align='center'><h1>Error: Cannot upload files with apostrophes or quote-marks</h1></div>";
+	$uploadOk = false;
 }

 /* Getting a list of all file IDs */

 $fileListId = contactDB("SELECT * FROM files;", 0);

-if ($uploadOk == 0) {
+if ($uploadOk == false) {
  echo "<div align='center'><h1>Error: file was not uploaded</h1></div>";
 } else {
  if (move_uploaded_file($_FILES["upfile"]["tmp_name"], $target_file)) {
@ -70,9 +64,11 @@ if ($uploadOk == 0) {

 	
 	/* Write entry to DB */
+
+	$current_date = time();
 	
-	$publish = contactDB("INSERT INTO files (fileid, filepath, fileowner)
-	VALUES ($newFileId, '$target_file', '$currentUser');", 0);
+	$publish = contactDB("INSERT INTO files (fileid, filepath, fileowner, filedate)
+	VALUES ($newFileId, '$target_file', '$currentUser', $current_date);", 0);
 	
 	/* Tell the user all is well */