-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
84 additions
and
85 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -71,26 +71,26 @@ function generateOneTimePassword($conn, $userInfo, $pD) | |
| $to = $userInfo["email"]; | ||
| $subject = "OTP from PassMan"; | ||
| // $txt = uniqid("otp_", true); | ||
| $txt = "otp_" . bin2hex(openssl_random_pseudo_bytes(4)); | ||
| $txt = "otp_" . bin2hex(openssl_random_pseudo_bytes(4));// makes a 8 letter otp | ||
| $tempPath = "./temp/email.html"; | ||
| try //tries to read email template | ||
| { | ||
| $f = fopen($tempPath, 'r'); | ||
| $temp = fread($f, filesize($tempPath)); | ||
| fclose($f); | ||
| $f = fopen($tempPath, 'r');// tries to open template | ||
| $temp = fread($f, filesize($tempPath));//reads template | ||
| fclose($f);//closes it | ||
| } catch (Exception $ex) { | ||
| $temp = '$name here is your code:<br/>$code'; | ||
| $temp = '$name here is your code:<br/>$code';//failsafe if didn't work | ||
| } | ||
| if (($temp == "") or ($temp == null)) { | ||
| $temp = '$name here is your code:<br/>$code'; | ||
| $temp = '$name here is your code:<br/>$code';//another failsave | ||
| } | ||
| try { | ||
| include "getBrowserInfo.php"; | ||
| $browser = getOS() . " - " . getBrowser(); | ||
| include "getBrowserInfo.php";// imports function to find browser info | ||
| $browser = getOS() . " - " . getBrowser();//gets browser info | ||
| } catch (Exception $ex) { | ||
| $browser = grabIp(); | ||
| $browser = grabIp();//failsafe to just use users ip | ||
| } | ||
| $body = str_replace('$device', $browser, str_replace('$code', $txt, str_replace('$name', $userInfo["first_name"], $temp))); | ||
| $body = str_replace('$device', $browser, str_replace('$code', $txt, str_replace('$name', $userInfo["first_name"], $temp)));//replaces values in template with data | ||
| $headers = "MIME-Version: 1.0" . "\r\n"; // tells email provider to accept next line | ||
| $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n"; // tells email provider that this email is formatted in HTML | ||
| $headers .= "From: [email protected]"; //tells email that it was sent by | ||
|
|
@@ -198,42 +198,42 @@ function keyGen($conn, $password, $user_id) | |
| function changeUserPassword($conn, $user_id, $oldPassword, $newPassword) | ||
| { | ||
| try { | ||
| mysqli_autocommit($conn, FALSE); // stops rollbacks | ||
| mysqli_autocommit($conn, FALSE); // stops commits to allow rollback | ||
|
|
||
| mysqli_commit($conn); | ||
| mysqli_commit($conn);// makes commit to rollback too | ||
| } catch (Exception $e) { | ||
| return [98, "Error caught by try:\n " . $e . ", Unknown DBMS state"]; | ||
| die("Can't change passwrod safely"); | ||
| } | ||
| try { | ||
| $resultFromKeyChange = keyPasswordChange($conn, $user_id, $oldPassword, $newPassword); | ||
| $resultFromKeyChange = keyPasswordChange($conn, $user_id, $oldPassword, $newPassword);// tries to change key to new password | ||
| $pswdHash = password_hash($newPassword, PASSWORD_DEFAULT); //hashes the users password before it is stored | ||
| if ($resultFromKeyChange) { | ||
| $sql = "update user set master_password = ? where user_id = ?;"; | ||
| $sql = "update user set master_password = ? where user_id = ?;";// sql to update master password | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "si", $pswdHash, $user_id); | ||
| mysqli_stmt_execute($stmt); | ||
| $sql = "SELECT `master_password` FROM user WHERE user_id = ?;"; | ||
| $sql = "SELECT `master_password` FROM user WHERE user_id = ?;";// sql to check new master password | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "i", $user_id); | ||
| mysqli_stmt_execute($stmt); //executes sql query | ||
| $stmtresult = mysqli_stmt_get_result($stmt); //gets the result of the sql query | ||
| if ($row = mysqli_fetch_assoc($stmtresult)) { // creates an associative array of the sql result | ||
| if (password_verify($newPassword, $row["master_password"])) { | ||
| mysqli_commit($conn); | ||
| mysqli_autocommit($conn, TRUE); | ||
| if (password_verify($newPassword, $row["master_password"])) {//verifies master password has changed and works | ||
| mysqli_commit($conn);// if all is good commit changes | ||
| mysqli_autocommit($conn, TRUE);// enable autocommit again | ||
| return [0, "Success"]; | ||
| } else { | ||
| mysqli_rollback($conn); | ||
| mysqli_rollback($conn);//rollback database | ||
| mysqli_autocommit($conn, TRUE); | ||
| return [2, "Failure to change Passwrod, DBMS rolled back"]; | ||
| return [2, "Failure to change Passwrod, DBMS rolled back"];//tell user that the password could not be changed but account is fine | ||
| } | ||
| } else { | ||
| mysqli_rollback($conn); | ||
| mysqli_rollback($conn);// rollback database | ||
| mysqli_autocommit($conn, TRUE); | ||
| return [2, "Failure to change Passwrod, DBMS rolled back"]; | ||
| return [2, "Failure to change Passwrod, DBMS rolled back"];//rell user that the passwoudl could not be changed but account is fine | ||
| } | ||
| } else { | ||
| mysqli_rollback($conn); | ||
|
|
@@ -246,10 +246,10 @@ function changeUserPassword($conn, $user_id, $oldPassword, $newPassword) | |
| mysqli_autocommit($conn, TRUE); | ||
| return [4, "Error Caught By Try: " . $e . ", DBMS rolled back"]; | ||
| } catch (Exception $ee) { | ||
| return [98, "Error caught by try:\n " . $ee . "\n\nAND\n\n" . $e . ", Unknown DBMS state"]; | ||
| return [98, "Error caught by try:\n " . $ee . "\n\nAND\n\n" . $e . ", Unknown DBMS state"];// report full error and the state of database is unknown | ||
| } | ||
| } | ||
| return [99, "Catastrophic Failure, Unknown DBMS stat"]; | ||
| return [99, "Catastrophic Failure, Unknown DBMS stat"];// report error and that state of database is unknown | ||
| } | ||
| /** | ||
| * This updates the key to new password\ | ||
|
|
@@ -273,15 +273,15 @@ function keyPasswordChange($conn, $user_id, $oldPassword, $newPassword) | |
| { | ||
| try { | ||
| $iv = generateIV(); // genorates iv | ||
| $key = keyGet($conn, $oldPassword, $user_id); | ||
| $based_iv = base64_encode($iv); //base64 | ||
| $masterkey = encryptData($key, $newPassword, $iv); | ||
| $key = keyGet($conn, $oldPassword, $user_id);// gets current key | ||
| $based_iv = base64_encode($iv); // turns IV to base64 to store | ||
| $masterkey = encryptData($key, $newPassword, $iv);// encrypts the master key with the master password | ||
| $sql = "update user set masterkey = ?, masteriv = ? where user_id = ?;"; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "ssi", $masterkey, $based_iv, $user_id); | ||
| mysqli_stmt_execute($stmt); | ||
| if ($key == keyGet($conn, $newPassword, $user_id)) { | ||
| if ($key == keyGet($conn, $newPassword, $user_id)) {//tests if the key has been updated and is the same value | ||
| return TRUE; | ||
| } else { | ||
| return FALSE; | ||
|
|
@@ -342,23 +342,6 @@ function decryptData($ciphertext, $key, $iv) | |
| return -1; | ||
| } | ||
| } | ||
|
|
||
| function createWebEntry($conn, $pD) | ||
| { | ||
| $sql = "INSERT INTO saved_website (user_id, website_name, web_address) VALUES (?,?,?);"; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| if (!mysqli_stmt_prepare($stmt, $sql)) { | ||
| header("location: ../index.php?error=stmtfailed"); | ||
| exit(); | ||
| } | ||
| mysqli_stmt_bind_param($stmt, "sss", $_SESSION["user_id"], $pD["website_name"], $pD["web_address"]); | ||
| if (!mysqli_stmt_execute($stmt)) { //executes the INSERT statement | ||
| header("location:../index.php?error=stmtfailed"); | ||
| exit(); | ||
| } | ||
| header("location:../index.php?error=success"); | ||
| } | ||
|
|
||
| function passwordComplex($pswd) | ||
| { | ||
| if (strlen($pswd) < 20) { | ||
|
|
@@ -377,35 +360,39 @@ function passwordComplex($pswd) | |
| } | ||
| function getWebsiteList($conn, $user_identifier) | ||
| { | ||
| // gets user id from either user id or auth code | ||
| $user_id = ""; | ||
| if ($user_identifier[0] == 0) | ||
| $user_id = $user_identifier[1]; | ||
| else | ||
| $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); | ||
| // setup sql select statement to get all websites linked to a userr | ||
| $sql = "SELECT website_id, website_name, web_address from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ? order by saved_website.website_name"; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "s", $user_id); | ||
| mysqli_stmt_execute($stmt); | ||
|
|
||
| $stmtresult = mysqli_stmt_get_result($stmt); | ||
| $result = mysqli_fetch_all($stmtresult, MYSQLI_ASSOC); | ||
| mysqli_free_result($stmtresult); | ||
| return json_encode($result); | ||
| return json_encode($result);// sending results to user | ||
| } | ||
| /** | ||
| * checks if website with web address exists | ||
| */ | ||
| function checkIfExists($conn,$user_id,$wb_address){ | ||
|
|
||
| $sql = "SELECT website_id FROM `saved_website` WHERE web_address = ? and user_id = ?"; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "ss", $wb_address,$user_id); | ||
| mysqli_stmt_execute($stmt); | ||
| $stmtresult = mysqli_stmt_get_result($stmt); | ||
| $result = mysqli_fetch_all($stmtresult, MYSQLI_ASSOC); | ||
| if(sizeof($result) >= 1) | ||
| return $result[0]["webiste_id"]; | ||
| if(sizeof($result) >= 1)// if one or more websites with the same address exists then | ||
| return $result[0]["webiste_id"];// send website ids | ||
| else | ||
| return 0; | ||
|
|
||
| return 0;// return 0 | ||
| } | ||
| function addWebsite($conn, $user_identifier, $wb_name, $wb_address) | ||
| { | ||
|
|
@@ -418,6 +405,7 @@ function addWebsite($conn, $user_identifier, $wb_name, $wb_address) | |
| $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); | ||
| $rand = 0; | ||
| $available = false; | ||
| // makes a random number webiste id and checks if it is already taken, if it is try another random number | ||
| do { | ||
| $rand = rand(1, 999999999); | ||
| $sql = "SELECT 1 as 'exists' from saved_website WHERE website_id = ?"; | ||
|
|
@@ -435,6 +423,7 @@ function addWebsite($conn, $user_identifier, $wb_name, $wb_address) | |
| } | ||
| $stmt->close(); | ||
| } while (!$available); | ||
| //creates sql to create new website entry | ||
| $sql = "INSERT INTO saved_website VALUES (?,?,?,?,CURRENT_TIMESTAMP(),CURRENT_TIMESTAMP())"; | ||
|
|
||
| $stmt = mysqli_stmt_init($conn); | ||
|
|
@@ -447,17 +436,19 @@ function addWebsite($conn, $user_identifier, $wb_name, $wb_address) | |
| } | ||
| function addPassword($conn, $user_identifier, $website_id, $pw_username, $pw_password, $key) | ||
| { | ||
| $iv = generateIV(); // genorates a new IV per new version of a password | ||
| $cryptUsername = encryptData($pw_username, $key, $iv); | ||
| $cryptPassword = encryptData($pw_password, $key, $iv); | ||
| // creates a initialization vector to keep passwords secure | ||
| $iv = generateIV(); // genorates a new IV per new version of a password for securty | ||
| $cryptUsername = encryptData($pw_username, $key, $iv);// encrypts username | ||
| $cryptPassword = encryptData($pw_password, $key, $iv);// encrypts password | ||
| $user_id = ""; | ||
| if ($user_identifier[0] == 0) | ||
| $user_id = $user_identifier[1]; | ||
| else | ||
|
|
||
| $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); | ||
|
|
||
| $rand = 0; | ||
| $available = false; | ||
| // creates a random password_id until one is not already taken | ||
| do { | ||
| $rand = rand(0, 999999999); | ||
| $sql = "SELECT 1 as 'exists' from website_password WHERE password_id = ?"; | ||
|
|
@@ -475,9 +466,8 @@ function addPassword($conn, $user_identifier, $website_id, $pw_username, $pw_pas | |
| } | ||
| $stmt->close(); | ||
| } while (!$available); | ||
| // adds encrypted passwords to databse | ||
| $sql = "INSERT INTO website_password values (?,(SELECT sw.website_id FROM `saved_website` as sw WHERE sw.website_id = ? AND sw.user_id = ?),?,?,?)"; | ||
| //$sql = "INSERT INTO website_password values (?,(SELECT website_id FROM `saved_website` WHERE website_id = ? AND user_id = ?),?,?,?)"; | ||
| //$sql = "INSERT INTO password_id VALUES (?,?,?,?,CURRENT_TIMESTAMP(),CURRENT_TIMESTAMP())"; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "iiisss", $rand, $website_id, $user_id, $cryptUsername, $cryptPassword, base64_encode($iv)); | ||
|
|
@@ -502,11 +492,14 @@ function getPasswordList($conn, $user_identifier, $website_id, $key) | |
| $cipher = mysqli_fetch_all($stmtresult, MYSQLI_ASSOC); | ||
| mysqli_free_result($stmtresult); | ||
| $result = []; | ||
| // creates new array with decrypted passwords | ||
| for ($i = 0; $i < sizeof($cipher); $i++) { | ||
| $result[$i] = []; | ||
| $result[$i]["website_id"] = $cipher[$i]["website_id"]; | ||
| $result[$i]["password_id"] = $cipher[$i]["password_id"]; | ||
| //decrypts username | ||
| $result[$i]["username"] = decryptData($cipher[$i]["username"], $key, base64_decode($cipher[$i]["iv"])); | ||
| //decrypts password | ||
| $result[$i]["password"] = decryptData($cipher[$i]["password"], $key, base64_decode($cipher[$i]["iv"])); | ||
| } | ||
| return json_encode($result); | ||
|
|
@@ -519,6 +512,7 @@ function response($response, $error = "none") | |
| echo json_encode($return); | ||
| exit(); | ||
| } | ||
| // Gets the user_id when an authentication token is used | ||
| function getUidWhereAuthCode($conn, $authToken) | ||
| { | ||
| /**TODO: | ||
|
|
@@ -541,14 +535,13 @@ function deletePassword($conn, $user_identifier, $password_id) | |
| $user_id = $user_identifier[1]; | ||
| else | ||
| $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); | ||
| //$sql = "SELECT website_password.website_id, password_id, username, password, vi from website_password JOIN [SELECT website_id, from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ?] where website"; | ||
| //$sql = "SELECT website_password.* from website_password JOIN (SELECT website_id FROM user JOIN saved_website ON user.user_id = saved_website.user_id where user.user_id = ?) as websites on website_password.website_id = websites.website_id where website_password.website_id = ?"; | ||
| //$sql = "UPDATE website_password as tb set tb.username = ?, tb.password = ?, tb.iv = ? where tb.password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; | ||
| // creates sql to delete passwrod | ||
| $sql = "DELETE FROM website_password where password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "ii", $password_id, $user_id); | ||
| mysqli_stmt_execute($stmt); | ||
| // return how many rows were affected as success value, will either be 1 or 0 | ||
| return ["success" => mysqli_stmt_affected_rows($stmt)]; | ||
| } | ||
| function deleteWebsite($conn, $user_identifier, $website_id) | ||
|
|
@@ -558,15 +551,12 @@ function deleteWebsite($conn, $user_identifier, $website_id) | |
| $user_id = $user_identifier[1]; | ||
| else | ||
| $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); | ||
| //$sql = "SELECT website_password.website_id, password_id, username, password, vi from website_password JOIN [SELECT website_id, from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ?] where website"; | ||
| //$sql = "SELECT website_password.* from website_password JOIN (SELECT website_id FROM user JOIN saved_website ON user.user_id = saved_website.user_id where user.user_id = ?) as websites on website_password.website_id = websites.website_id where website_password.website_id = ?"; | ||
| //$sql = "UPDATE website_password as tb set tb.username = ?, tb.password = ?, tb.iv = ? where tb.password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; | ||
| //$sql = "DELETE FROM website_password where password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; | ||
| $sql = "DELETE FROM saved_website where website_id = ? AND user_id = ?"; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "ii", $website_id, $user_id); | ||
| mysqli_stmt_execute($stmt); | ||
| //returns how many rows were affected as success value, will either be 1 or 0 | ||
| return ["success" => mysqli_stmt_affected_rows($stmt)]; | ||
| } | ||
| function setPassword($conn, $user_identifier, $password_id, $key, $username, $password) | ||
|
|
@@ -577,17 +567,19 @@ function setPassword($conn, $user_identifier, $password_id, $key, $username, $pa | |
| else | ||
| $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); | ||
| $iv = generateIV(); // genorates a new IV per new version of a password | ||
| //$sql = "SELECT website_password.website_id, password_id, username, password, vi from website_password JOIN [SELECT website_id, from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ?] where website"; | ||
| //$sql = "SELECT website_password.* from website_password JOIN (SELECT website_id FROM user JOIN saved_website ON user.user_id = saved_website.user_id where user.user_id = ?) as websites on website_password.website_id = websites.website_id where website_password.website_id = ?"; | ||
| // encrypt username and password | ||
| $cryptUsername = encryptData($username, $key, $iv); | ||
| $cryptPassword = encryptData($password, $key, $iv); | ||
| //updates password | ||
| $sql = "UPDATE website_password as tb set tb.username = ?, tb.password = ?, tb.iv = ? where tb.password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; | ||
| $stmt = mysqli_stmt_init($conn); | ||
| mysqli_stmt_prepare($stmt, $sql); | ||
| mysqli_stmt_bind_param($stmt, "sssii", $cryptUsername, $cryptPassword, base64_encode($iv), $password_id, $user_id); | ||
| mysqli_stmt_execute($stmt); | ||
| //returns how many rows were affected as success value, will either be 1 or 0 | ||
| return ["success" => mysqli_stmt_affected_rows($stmt)]; | ||
| } | ||
| // checks if password is in common passwords | ||
| function commonPassword($conn, $pD) | ||
| { | ||
| $pD["password"] = strtolower($pD["password"]); | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.