diff --git a/.gitignore b/.gitignore index d8e16cd..fc9f404 100644 --- a/.gitignore +++ b/.gitignore @@ -22,4 +22,5 @@ !.vscode/*.code-snippets # End of https://www.toptal.com/developers/gitignore/api/visualstudiocode -.DS_Store \ No newline at end of file +.DS_Store +error.log diff --git a/error.log b/error.log new file mode 100644 index 0000000..2d28a3f --- /dev/null +++ b/error.log @@ -0,0 +1,3 @@ +2021/12/16 12:10:50 [error] 393007#393007: *1 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: passwordCsv in /var/www/passman/public_html/upload.php on line 20PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP Notice: Trying to access array offset on value of type null in /var/www/passman/public_html/upload.php on line 20PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP Warning: file_get_contents(): Filename cannot be empty in /var/www/passman/public_html/upload.php on line 20PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP 2. file_get_contents($filename = NULL) /var/www/passman/public_html/upload.php:20PHP message: PHP Notice: Undefined index: passwordCsv in /var/www/passman/public_html/upload.php on line 21PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP Notice: Trying to access array offset on value of type null in /var/www/passman/public_html/upload.php on line 21PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0" while reading response header from upstream, client: 194.80.64.241, server: passman.harrysy.red, request: "POST /upload.php HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "passman.harrysy.red", referrer: "https://passman.harrysy.red/upload.php" +2021/12/16 12:10:58 [error] 393007#393007: *1 FastCGI sent in stderr: "PHP message: PHP Notice: Trying to access array offset on value of type int in /var/www/passman/public_html/scripts/functions.php on line 415PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP 2. addWebsite($conn = class mysqli { public $affected_rows = -1; public $client_info = 'mysqlnd 7.4.25'; public $client_version = 70425; public $connect_errno = 0; public $connect_error = NULL; public $errno = 0; public $error = ''; public $error_list = []; public $field_count = 1; public $host_info = 'Localhost via UNIX socket'; public $info = NULL; public $insert_id = 0; public $server_info = '5.5.5-10.5.12-MariaDB-0+deb11u1'; public $server_version = 100512; public $sqlstate = '00000'; public $protocol_version = 10; public $thread_id = 13152; public $warning_count = 0 }, $user_identifier = 21, $wb_name = 'https://benforino.co.uk/login', $wb_address = 'https://benforino.co.uk/login') /var/www/passman/public_html/upload.php:55PHP message: PHP Notice: Trying to access array offset on value of type int in /var/www/passman/public_html/scripts/functions.php on line 416PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP 2. addWebsite($conn = class mysqli { public $affected_rows = -1; public $client_info = 'mysqlnd 7.4.25'; public $client_version = 70425; public $connect_errno = 0; public $connect_error = NULL; public $errno = 0; public $error = ''; public $error_list = []; public $field_count = 1; public $host_info = 'Localhost via UNIX socket'; public $info = NULL; public $insert_id = 0; public $server_info = '5.5.5-10.5.12-MariaDB-0+deb11u1'; public $server_version = 100512; public $sqlstate = '00000'; public $protocol_version = 10; public $thread_id = 13152; public $warning_count = 0 }, $user_identifier = 21, $wb_name = 'https://benforino.co.uk/login', $wb_address = 'https://benforino.co.uk/login') /var/www/passman/pub +2021/12/16 12:15:00 [error] 393007#393007: *5 FastCGI sent in stderr: "PHP message: PHP Notice: Trying to access array offset on value of type int in /var/www/passman/public_html/scripts/functions.php on line 415PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP 2. addWebsite($conn = class mysqli { public $affected_rows = -1; public $client_info = 'mysqlnd 7.4.25'; public $client_version = 70425; public $connect_errno = 0; public $connect_error = NULL; public $errno = 0; public $error = ''; public $error_list = []; public $field_count = 1; public $host_info = 'Localhost via UNIX socket'; public $info = NULL; public $insert_id = 0; public $server_info = '5.5.5-10.5.12-MariaDB-0+deb11u1'; public $server_version = 100512; public $sqlstate = '00000'; public $protocol_version = 10; public $thread_id = 13154; public $warning_count = 0 }, $user_identifier = 21, $wb_name = 'https://benforino.co.uk/login', $wb_address = 'https://benforino.co.uk/login') /var/www/passman/public_html/upload.php:55PHP message: PHP Notice: Trying to access array offset on value of type int in /var/www/passman/public_html/scripts/functions.php on line 416PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/passman/public_html/upload.php:0PHP message: PHP 2. addWebsite($conn = class mysqli { public $affected_rows = -1; public $client_info = 'mysqlnd 7.4.25'; public $client_version = 70425; public $connect_errno = 0; public $connect_error = NULL; public $errno = 0; public $error = ''; public $error_list = []; public $field_count = 1; public $host_info = 'Localhost via UNIX socket'; public $info = NULL; public $insert_id = 0; public $server_info = '5.5.5-10.5.12-MariaDB-0+deb11u1'; public $server_version = 100512; public $sqlstate = '00000'; public $protocol_version = 10; public $thread_id = 13154; public $warning_count = 0 }, $user_identifier = 21, $wb_name = 'https://benforino.co.uk/login', $wb_address = 'https://benforino.co.uk/login') /var/www/passman/pub diff --git a/public_html/account.php b/public_html/account.php index 83167d6..4d72794 100644 --- a/public_html/account.php +++ b/public_html/account.php @@ -15,6 +15,12 @@ + + +

diff --git a/public_html/footer.php b/public_html/footer.php index 84973d5..c7f70c3 100644 --- a/public_html/footer.php +++ b/public_html/footer.php @@ -1,9 +1,11 @@ - - - PassMan - - - - -
-
- -
- -
- -
- -

Email verification code sent to example@gmail.com

- -
- - -
- -
-

-
-
-
- diff --git a/public_html/scripts/errorHandle.js b/public_html/scripts/errorHandle.js index a22f074..e7542eb 100644 --- a/public_html/scripts/errorHandle.js +++ b/public_html/scripts/errorHandle.js @@ -36,6 +36,7 @@ $(document).ready(function () { }); function errorMsg($_GET) { + //Gets the error message returned and outputs it switch ($_GET["error"]) { case "ef": displayErrorMsg( diff --git a/public_html/scripts/functions.php b/public_html/scripts/functions.php index a71507f..b546e13 100644 --- a/public_html/scripts/functions.php +++ b/public_html/scripts/functions.php @@ -71,26 +71,26 @@ function generateOneTimePassword($conn, $userInfo, $pD) $to = $userInfo["email"]; $subject = "OTP from PassMan"; // $txt = uniqid("otp_", true); - $txt = "otp_" . bin2hex(openssl_random_pseudo_bytes(4)); + $txt = "otp_" . bin2hex(openssl_random_pseudo_bytes(4));// makes a 8 letter otp $tempPath = "./temp/email.html"; try //tries to read email template { - $f = fopen($tempPath, 'r'); - $temp = fread($f, filesize($tempPath)); - fclose($f); + $f = fopen($tempPath, 'r');// tries to open template + $temp = fread($f, filesize($tempPath));//reads template + fclose($f);//closes it } catch (Exception $ex) { - $temp = '$name here is your code:
$code'; + $temp = '$name here is your code:
$code';//failsafe if didn't work } if (($temp == "") or ($temp == null)) { - $temp = '$name here is your code:
$code'; + $temp = '$name here is your code:
$code';//another failsave } try { - include "getBrowserInfo.php"; - $browser = getOS() . " - " . getBrowser(); + include "getBrowserInfo.php";// imports function to find browser info + $browser = getOS() . " - " . getBrowser();//gets browser info } catch (Exception $ex) { - $browser = grabIp(); + $browser = grabIp();//failsafe to just use users ip } - $body = str_replace('$device', $browser, str_replace('$code', $txt, str_replace('$name', $userInfo["first_name"], $temp))); + $body = str_replace('$device', $browser, str_replace('$code', $txt, str_replace('$name', $userInfo["first_name"], $temp)));//replaces values in template with data $headers = "MIME-Version: 1.0" . "\r\n"; // tells email provider to accept next line $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n"; // tells email provider that this email is formatted in HTML $headers .= "From: otp@passman.harrysy.red"; //tells email that it was sent by @@ -195,46 +195,45 @@ function keyGen($conn, $password, $user_id) * `[98, "Unknown error, Unknown DBMS state"]`\ * `[99, "Catastrophic Failure, Unknown DBMS stat"]` */ -function changeUserPassword($conn, $oldPassword, $newPassword) +function changeUserPassword($conn, $user_id, $oldPassword, $newPassword) { try { - mysqli_autocommit($conn, FALSE); // stops rollbacks + mysqli_autocommit($conn, FALSE); // stops commits to allow rollback - mysqli_commit($conn); + mysqli_commit($conn);// makes commit to rollback too } catch (Exception $e) { return [98, "Error caught by try:\n " . $e . ", Unknown DBMS state"]; die("Can't change passwrod safely"); } try { - $resultFromKeyChange = keyPasswordChange($conn, $_SESSION["user_id"], $oldPassword, $newPassword); + $resultFromKeyChange = keyPasswordChange($conn, $user_id, $oldPassword, $newPassword);// tries to change key to new password $pswdHash = password_hash($newPassword, PASSWORD_DEFAULT); //hashes the users password before it is stored if ($resultFromKeyChange) { - $sql = "update user set master_password = ? where user_id = ?;"; + $sql = "update user set master_password = ? where user_id = ?;";// sql to update master password $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); - mysqli_stmt_bind_param($stmt, "si", $pswdHash, $_SESSION["user_id"]); + mysqli_stmt_bind_param($stmt, "si", $pswdHash, $user_id); mysqli_stmt_execute($stmt); - $sql = "SELECT `master_password` FROM user WHERE user_id = ?;"; + $sql = "SELECT `master_password` FROM user WHERE user_id = ?;";// sql to check new master password $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); - mysqli_stmt_bind_param($stmt, "i", $_SESSION["user_id"]); + mysqli_stmt_bind_param($stmt, "i", $user_id); mysqli_stmt_execute($stmt); //executes sql query $stmtresult = mysqli_stmt_get_result($stmt); //gets the result of the sql query if ($row = mysqli_fetch_assoc($stmtresult)) { // creates an associative array of the sql result - if (password_verify($newPassword, $row["master_password"])) { - mysqli_commit($conn); - mysqli_autocommit($conn, TRUE); + if (password_verify($newPassword, $row["master_password"])) {//verifies master password has changed and works + mysqli_commit($conn);// if all is good commit changes + mysqli_autocommit($conn, TRUE);// enable autocommit again return [0, "Success"]; } else { - - mysqli_rollback($conn); + mysqli_rollback($conn);//rollback database mysqli_autocommit($conn, TRUE); - return [2, "Failure to change Passwrod, DBMS rolled back"]; + return [2, "Failure to change Passwrod, DBMS rolled back"];//tell user that the password could not be changed but account is fine } } else { - mysqli_rollback($conn); + mysqli_rollback($conn);// rollback database mysqli_autocommit($conn, TRUE); - return [2, "Failure to change Passwrod, DBMS rolled back"]; + return [2, "Failure to change Passwrod, DBMS rolled back"];//rell user that the passwoudl could not be changed but account is fine } } else { mysqli_rollback($conn); @@ -247,10 +246,10 @@ function changeUserPassword($conn, $oldPassword, $newPassword) mysqli_autocommit($conn, TRUE); return [4, "Error Caught By Try: " . $e . ", DBMS rolled back"]; } catch (Exception $ee) { - return [98, "Error caught by try:\n " . $ee . "\n\nAND\n\n" . $e . ", Unknown DBMS state"]; + return [98, "Error caught by try:\n " . $ee . "\n\nAND\n\n" . $e . ", Unknown DBMS state"];// report full error and the state of database is unknown } } - return [99, "Catastrophic Failure, Unknown DBMS stat"]; + return [99, "Catastrophic Failure, Unknown DBMS stat"];// report error and that state of database is unknown } /** * This updates the key to new password\ @@ -274,15 +273,15 @@ function keyPasswordChange($conn, $user_id, $oldPassword, $newPassword) { try { $iv = generateIV(); // genorates iv - $key = keyGet($conn, $oldPassword, $user_id); - $based_iv = base64_encode($iv); //base64 - $masterkey = encryptData($key, $newPassword, $iv); + $key = keyGet($conn, $oldPassword, $user_id);// gets current key + $based_iv = base64_encode($iv); // turns IV to base64 to store + $masterkey = encryptData($key, $newPassword, $iv);// encrypts the master key with the master password $sql = "update user set masterkey = ?, masteriv = ? where user_id = ?;"; $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "ssi", $masterkey, $based_iv, $user_id); mysqli_stmt_execute($stmt); - if ($key == keyGet($conn, $user_id, $newPassword)) { + if ($key == keyGet($conn, $newPassword, $user_id)) {//tests if the key has been updated and is the same value return TRUE; } else { return FALSE; @@ -343,23 +342,6 @@ function decryptData($ciphertext, $key, $iv) return -1; } } - -function createWebEntry($conn, $pD) -{ - $sql = "INSERT INTO saved_website (user_id, website_name, web_address) VALUES (?,?,?);"; - $stmt = mysqli_stmt_init($conn); - if (!mysqli_stmt_prepare($stmt, $sql)) { - header("location: ../index.php?error=stmtfailed"); - exit(); - } - mysqli_stmt_bind_param($stmt, "sss", $_SESSION["user_id"], $pD["website_name"], $pD["web_address"]); - if (!mysqli_stmt_execute($stmt)) { //executes the INSERT statement - header("location:../index.php?error=stmtfailed"); - exit(); - } - header("location:../index.php?error=success"); -} - function passwordComplex($pswd) { if (strlen($pswd) < 20) { @@ -378,20 +360,39 @@ function passwordComplex($pswd) } function getWebsiteList($conn, $user_identifier) { + // gets user id from either user id or auth code $user_id = ""; if ($user_identifier[0] == 0) $user_id = $user_identifier[1]; else - $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); + $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); + // setup sql select statement to get all websites linked to a userr $sql = "SELECT website_id, website_name, web_address from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ? order by saved_website.website_name"; $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "s", $user_id); mysqli_stmt_execute($stmt); + $stmtresult = mysqli_stmt_get_result($stmt); $result = mysqli_fetch_all($stmtresult, MYSQLI_ASSOC); mysqli_free_result($stmtresult); - return json_encode($result); + return json_encode($result);// sending results to user +} +/** + * checks if website with web address exists + */ +function checkIfExists($conn,$user_id,$wb_address){ + $sql = "SELECT website_id FROM `saved_website` WHERE web_address = ? and user_id = ?"; + $stmt = mysqli_stmt_init($conn); + mysqli_stmt_prepare($stmt, $sql); + mysqli_stmt_bind_param($stmt, "ss", $wb_address,$user_id); + mysqli_stmt_execute($stmt); + $stmtresult = mysqli_stmt_get_result($stmt); + $result = mysqli_fetch_all($stmtresult, MYSQLI_ASSOC); + if(sizeof($result) >= 1)// if one or more websites with the same address exists then + return $result[0]["webiste_id"];// send website ids + else + return 0;// return 0 } function addWebsite($conn, $user_identifier, $wb_name, $wb_address) { @@ -404,8 +405,9 @@ function addWebsite($conn, $user_identifier, $wb_name, $wb_address) $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); $rand = 0; $available = false; + // makes a random number webiste id and checks if it is already taken, if it is try another random number do { - $rand = rand(0, 999999999); + $rand = rand(1, 999999999); $sql = "SELECT 1 as 'exists' from saved_website WHERE website_id = ?"; $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); @@ -421,27 +423,32 @@ function addWebsite($conn, $user_identifier, $wb_name, $wb_address) } $stmt->close(); } while (!$available); + //creates sql to create new website entry $sql = "INSERT INTO saved_website VALUES (?,?,?,?,CURRENT_TIMESTAMP(),CURRENT_TIMESTAMP())"; + $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "iiss", $rand, $user_id, $website_name, $website_address); mysqli_stmt_execute($stmt); + echo mysqli_stmt_error($stmt); $result = mysqli_stmt_affected_rows($stmt); - return json_encode(["result" => $result, "name" => $website_name, "address" => $website_address]); + return json_encode(["result" => $result,"website_id" => $rand]); } function addPassword($conn, $user_identifier, $website_id, $pw_username, $pw_password, $key) { - $iv = generateIV(); // genorates a new IV per new version of a password - $cryptUsername = encryptData($pw_username, $key, $iv); - $cryptPassword = encryptData($pw_password, $key, $iv); + // creates a initialization vector to keep passwords secure + $iv = generateIV(); // genorates a new IV per new version of a password for securty + $cryptUsername = encryptData($pw_username, $key, $iv);// encrypts username + $cryptPassword = encryptData($pw_password, $key, $iv);// encrypts password $user_id = ""; if ($user_identifier[0] == 0) $user_id = $user_identifier[1]; else - $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); + $rand = 0; $available = false; + // creates a random password_id until one is not already taken do { $rand = rand(0, 999999999); $sql = "SELECT 1 as 'exists' from website_password WHERE password_id = ?"; @@ -459,9 +466,8 @@ function addPassword($conn, $user_identifier, $website_id, $pw_username, $pw_pas } $stmt->close(); } while (!$available); + // adds encrypted passwords to databse $sql = "INSERT INTO website_password values (?,(SELECT sw.website_id FROM `saved_website` as sw WHERE sw.website_id = ? AND sw.user_id = ?),?,?,?)"; - //$sql = "INSERT INTO website_password values (?,(SELECT website_id FROM `saved_website` WHERE website_id = ? AND user_id = ?),?,?,?)"; - //$sql = "INSERT INTO password_id VALUES (?,?,?,?,CURRENT_TIMESTAMP(),CURRENT_TIMESTAMP())"; $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "iiisss", $rand, $website_id, $user_id, $cryptUsername, $cryptPassword, base64_encode($iv)); @@ -486,11 +492,14 @@ function getPasswordList($conn, $user_identifier, $website_id, $key) $cipher = mysqli_fetch_all($stmtresult, MYSQLI_ASSOC); mysqli_free_result($stmtresult); $result = []; + // creates new array with decrypted passwords for ($i = 0; $i < sizeof($cipher); $i++) { $result[$i] = []; $result[$i]["website_id"] = $cipher[$i]["website_id"]; $result[$i]["password_id"] = $cipher[$i]["password_id"]; + //decrypts username $result[$i]["username"] = decryptData($cipher[$i]["username"], $key, base64_decode($cipher[$i]["iv"])); + //decrypts password $result[$i]["password"] = decryptData($cipher[$i]["password"], $key, base64_decode($cipher[$i]["iv"])); } return json_encode($result); @@ -503,6 +512,7 @@ function response($response, $error = "none") echo json_encode($return); exit(); } +// Gets the user_id when an authentication token is used function getUidWhereAuthCode($conn, $authToken) { /**TODO: @@ -525,14 +535,13 @@ function deletePassword($conn, $user_identifier, $password_id) $user_id = $user_identifier[1]; else $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); - //$sql = "SELECT website_password.website_id, password_id, username, password, vi from website_password JOIN [SELECT website_id, from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ?] where website"; - //$sql = "SELECT website_password.* from website_password JOIN (SELECT website_id FROM user JOIN saved_website ON user.user_id = saved_website.user_id where user.user_id = ?) as websites on website_password.website_id = websites.website_id where website_password.website_id = ?"; - //$sql = "UPDATE website_password as tb set tb.username = ?, tb.password = ?, tb.iv = ? where tb.password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; + // creates sql to delete passwrod $sql = "DELETE FROM website_password where password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "ii", $password_id, $user_id); mysqli_stmt_execute($stmt); + // return how many rows were affected as success value, will either be 1 or 0 return ["success" => mysqli_stmt_affected_rows($stmt)]; } function deleteWebsite($conn, $user_identifier, $website_id) @@ -542,15 +551,12 @@ function deleteWebsite($conn, $user_identifier, $website_id) $user_id = $user_identifier[1]; else $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); - //$sql = "SELECT website_password.website_id, password_id, username, password, vi from website_password JOIN [SELECT website_id, from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ?] where website"; - //$sql = "SELECT website_password.* from website_password JOIN (SELECT website_id FROM user JOIN saved_website ON user.user_id = saved_website.user_id where user.user_id = ?) as websites on website_password.website_id = websites.website_id where website_password.website_id = ?"; - //$sql = "UPDATE website_password as tb set tb.username = ?, tb.password = ?, tb.iv = ? where tb.password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; - //$sql = "DELETE FROM website_password where password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; $sql = "DELETE FROM saved_website where website_id = ? AND user_id = ?"; $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "ii", $website_id, $user_id); mysqli_stmt_execute($stmt); + //returns how many rows were affected as success value, will either be 1 or 0 return ["success" => mysqli_stmt_affected_rows($stmt)]; } function setPassword($conn, $user_identifier, $password_id, $key, $username, $password) @@ -561,17 +567,19 @@ function setPassword($conn, $user_identifier, $password_id, $key, $username, $pa else $user_id = getUidWhereAuthCode($conn, $user_identifier[1]); $iv = generateIV(); // genorates a new IV per new version of a password - //$sql = "SELECT website_password.website_id, password_id, username, password, vi from website_password JOIN [SELECT website_id, from user JOIN saved_website ON user.user_id = saved_website.user_id WHERE user.user_id = ?] where website"; - //$sql = "SELECT website_password.* from website_password JOIN (SELECT website_id FROM user JOIN saved_website ON user.user_id = saved_website.user_id where user.user_id = ?) as websites on website_password.website_id = websites.website_id where website_password.website_id = ?"; + // encrypt username and password $cryptUsername = encryptData($username, $key, $iv); $cryptPassword = encryptData($password, $key, $iv); + //updates password $sql = "UPDATE website_password as tb set tb.username = ?, tb.password = ?, tb.iv = ? where tb.password_id = ? AND password_id in (select website_password.password_id from user inner join saved_website on user.user_id = saved_website.user_id inner join website_password on saved_website.website_id = website_password.website_id WHERE user.user_id = ?) "; $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "sssii", $cryptUsername, $cryptPassword, base64_encode($iv), $password_id, $user_id); mysqli_stmt_execute($stmt); + //returns how many rows were affected as success value, will either be 1 or 0 return ["success" => mysqli_stmt_affected_rows($stmt)]; } +// checks if password is in common passwords function commonPassword($conn, $pD) { $pD["password"] = strtolower($pD["password"]); diff --git a/public_html/scripts/loginAPI.php b/public_html/scripts/loginAPI.php deleted file mode 100644 index 3c33438..0000000 --- a/public_html/scripts/loginAPI.php +++ /dev/null @@ -1,32 +0,0 @@ -prepare($sql); -$statement->bindParam(':username', $username, PDO::PARAM_STR); -$statement->execute(); -$rows = $statement->fetchAll(PDO::FETCH_ASSOC); -$passwordhash = password_hash($password, PASSWORD_DEFAULT); -if (count($rows) == 1) { - if ( - ($rows[0]["username"] == $username) - and - ($rows[0]["password"] == $passwordhash) - ) { - echo "Result: Logged in as " . $rows[0]["username"]; - // this will be turned into function and used elsewhere - } else { - echo "Result: Could not authenticate"; - } -} else { - echo "Result: Could not authenticate"; -} -//elseif (($action == "search") and $debug) { -// echo "Result:
".htmlspecialchars(var_export($rows,true))."
"; -// //print_r(str_replace("\n","
",var_export($rows,true))); diff --git a/public_html/scripts/manageAccount.php b/public_html/scripts/manageAccount.php index 5e94075..9b05c49 100644 --- a/public_html/scripts/manageAccount.php +++ b/public_html/scripts/manageAccount.php @@ -94,6 +94,18 @@ echo json_encode(array("result" => mysqli_stmt_error($stmt))); exit(); } + } elseif ($_POST["request"] == "changePassword") { + $pD = array_map('htmlentities', $_POST); + if (!emptyFields($pD)) { + echo json_encode(array("result" => "error", "error" => "ef")); + exit(); + } + if (!passwordComplex($_POST["newPassword"])) { + echo json_encode(array("result" => "error", "error" => "passcomplex")); + exit(); + } + echo json_encode(changeUserPassword($conn, $_SESSION["user_id"], $_POST["oldPassword"], $_POST["newPassword"])); + exit(); } else { echo json_encode(array("result" => "error", "error" => "selection not understood")); exit(); diff --git a/public_html/scripts/userInfo.php b/public_html/scripts/userInfo.php index cdf4f7e..bd48ef1 100644 --- a/public_html/scripts/userInfo.php +++ b/public_html/scripts/userInfo.php @@ -1,7 +1,7 @@ "passman.harrysy.red"]); require_once "db.php"; if (isset($_SESSION["user_id"])) { - $sql = "SELECT first_name, last_name FROM user WHERE user_id = ?"; + $sql = "SELECT first_name, last_name FROM user WHERE user_id = ?"; //Selects the user details required and returns them in a JSON format $stmt = mysqli_stmt_init($conn); mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, "i", $_SESSION["user_id"]); diff --git a/public_html/styles/styles.css b/public_html/styles/styles.css index 4cad2eb..fcaf2c5 100644 --- a/public_html/styles/styles.css +++ b/public_html/styles/styles.css @@ -168,6 +168,9 @@ button#bugSend:hover { font-size: 2.5rem; padding: 15px; } +#output { + text-align: center; +} .containerReportBug { display: flex; @@ -574,6 +577,7 @@ div.overlay > div.btn > input { border-style: solid; border-width: 0.5rem; border-top-right-radius: 0.5rem; + visibility: hidden; } .ad button { background-color: red; diff --git a/public_html/upload.php b/public_html/upload.php new file mode 100644 index 0000000..bdedbc8 --- /dev/null +++ b/public_html/upload.php @@ -0,0 +1,86 @@ + "passman.harrysy.red"]); +/** + * @param string[] $head + * The column header of the CVS + * @return bool + * If its valid or not + */ +function csvValidator($head){ + if(sizeof($head) >= 3) + if(in_array("url",$head)||in_array("login_uri",$head)) + if(in_array("username",$head)||in_array("login_username",$head)) + if(in_array("password",$head)||in_array("login_password",$head)) + return TRUE; + return FALSE; +} +if($_SERVER['REQUEST_METHOD'] == 'POST'){ + $f = file_get_contents($_FILES["passwordCsv"]["tmp_name"]);// grabs the text of the file + $s = $_FILES["passwordCsv"]["size"];// this get the size of the file + /** @var array> */ + $array = array_map("str_getcsv", explode("\n", $f));// turns content into an array of each line that is an array of each value (that was seperated by commas) + if((sizeof($array)>1) && csvValidator($array[0])){ + if(536870912 >= $s){// check the size of the file + $head = $array[0];// sets the first line to an array that is the headers of the data + $noName = !in_array("name",$head);// checks if the csv header for name + $tmpPwd = [];// temporay array of passwords + + /** + * This will add arrays contianint URL, NAME, USERNAME and PASSWORDS values + */ + for ($i = 1;$i < sizeof($array);$i++){ + $row = $array[$i]; + for ($j = 0;$j < min(sizeof($head),sizeof($row));$j++){ + if(($head[$j] == "url")||($head[$j] == "login_uri")) + $tmpPwd[$i]["url"] = $row[$j]; + else if($head[$j] == "name") + $tmpPwd[$i]["name"] = $row[$j]; + else if(($head[$j] == "username")||($head[$j] == "login_username")) + $tmpPwd[$i]["username"] = $row[$j]; + else if(($head[$j] == "password")||($head[$j] == "login_password")) + $tmpPwd[$i]["password"] = $row[$j]; + } + } + $count = 0;// counts how many passwords are added to database + + // takes tmpPwd and adds it to database + for ($i = 0;$i < sizeof($tmpPwd);$i++){ + if(isset($tmpPwd[$i]["username"]) && isset($tmpPwd[$i]["password"])){ + $ifExists = checkIfExists($conn,$_SESSION["user_id"],$tmpPwd[$i]["url"]); + if($ifExists != 0){ + addPassword($conn,[0,$_SESSION["user_id"]],$ifExists,$tmpPwd[$i]["username"],$tmpPwd[$i]["password"],$_COOKIE["key"]); + }else{ + $websiteId = ""; + if($noName){ + $websiteId = json_decode(addWebsite($conn,[0,$_SESSION["user_id"]],$tmpPwd[$i]["url"],$tmpPwd[$i]["url"]),true)["website_id"]; + } + else{ + $websiteId = json_decode(addWebsite($conn,[0,$_SESSION["user_id"]],$tmpPwd[$i]["name"],$tmpPwd[$i]["url"]),true)["website_id"]; + } + addPassword($conn,[0,$_SESSION["user_id"]],$websiteId,$tmpPwd[$i]["username"],$tmpPwd[$i]["password"],$_COOKIE["key"]); + } + $count++; + } + } + echo "Added ".$count." of ".sizeof($tmpPwd); + }else{ + die("

Error:


Go back and try again");//tells user that the CSV has been rejected + } + }else{ + die("

Error:

Wrong Format, the CVS provided is not formated correctly or is incompatible at the current time. Current supported formates are 'Chrome', 'Firefox', 'BitWarden'


Go back and try again");// tells the user that the CSV has been rejected + } + +} +else{ +echo ' +
+

Upload your old passwords:

+ + +
+ '; +} +require "footer.php"; \ No newline at end of file