Hash passwords in database without affecting program functionality

This commit is contained in:
patrick 2025-02-01 22:04:28 +00:00
parent c6f9271654
commit 93554bd67a
21 changed files with 117 additions and 128 deletions


@ -3397,9 +3397,9 @@ CREATE TABLE `users` (
`lastname` varchar(32) NOT NULL DEFAULT '', `lastname` varchar(32) NOT NULL DEFAULT '',
`sex` enum('male','female') DEFAULT NULL, `sex` enum('male','female') DEFAULT NULL,
`username` varchar(128) NOT NULL DEFAULT '', `username` varchar(128) NOT NULL DEFAULT '',
`password` varchar(32) NOT NULL DEFAULT '', `password` varchar(60) NOT NULL DEFAULT '',
`passwordset` date DEFAULT NULL, `passwordset` date DEFAULT NULL,
`oldpassword` varchar(32) NOT NULL, `oldpassword` varchar(60) NOT NULL,
`email` varchar(128) NOT NULL DEFAULT '', `email` varchar(128) NOT NULL DEFAULT '',
`year` int(11) NOT NULL, `year` int(11) NOT NULL,
`phonehome` varchar(32) NOT NULL DEFAULT '', `phonehome` varchar(32) NOT NULL DEFAULT '',
@ -3432,9 +3432,8 @@ CREATE TABLE `users` (
LOCK TABLES `users` WRITE; LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */; /*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES INSERT INTO `users` VALUES
(1,1,'fair','','','',NULL,'kvGbxRTM','5kyYcbBAmf4Y','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL), (1,1,'fair','','','',NULL,'kvGbxRTM','$2y$10$OYeIx.U53utmuzyZkVTqtukGB0ELi5piz62KtbaYj0uEPN7fD6NtS','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL),
(2,2,'fair','','','',NULL,'k5HPLPGm','EUuqF2J5HbGD','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL), (2,2,'committee','','Superuser','Account',NULL,'contact@science-ation.ca','$2y$10$LlhOxjkJD3F0of.W75a4UuyiRci4PnPa8koxi4RknfSh38nxoYLXG','2024-10-16','','contact@science-ation.ca',2025,'','','','','','0000-00-00','','2024-10-16 04:38:47','0000-00-00 00:00:00','','','','','','no','no','no',NULL);
(3,3,'committee','','Superuser','Account',NULL,'contact@science-ation.ca','admin','2024-10-16','hpqSaPCggQes','contact@science-ation.ca',2025,'','','','','','0000-00-00','','2024-10-16 04:38:47','0000-00-00 00:00:00','','','','','','no','no','no',NULL);
/*!40000 ALTER TABLE `users` ENABLE KEYS */; /*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES; UNLOCK TABLES;
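Review bot: `password` and `oldpassword` are widened to exactly varchar(60) on the new side of the CREATE TABLE hunk, which is the length of a `$2y$` bcrypt string and nothing more; if the code later switches to PASSWORD_DEFAULT (argon2 output is longer) the stored hash is truncated and every login fails. Leave headroom, as the PHP documentation advises: `` `password` varchar(255) NOT NULL DEFAULT '' `` and the same for `oldpassword`. The second hunk also ships a fixed bcrypt hash for the superuser account (row 2) inside the dump, so every install created from this file starts with the same credential until it is changed; a comment above the INSERT stating that this password must be reset on first login would make that explicit.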


@ -32,8 +32,8 @@ switch (get_value_from_array($_GET, 'action')) {
case 'check': case 'check':
$fairs_id = intval($_GET['fairs_id']); $fairs_id = intval($_GET['fairs_id']);
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'"); $q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute(); $q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC); $fair = $q->fetch(PDO::FETCH_ASSOC);
if (!($fair['username'] && $fair['password'])) { if (!($fair['username'] && $fair['password'])) {
echo error(i18n("Username and Password are not set for source '%1'. Please set them in the SFIAB Configuration/External Award Sources editor first", array($r->name))); echo error(i18n("Username and Password are not set for source '%1'. Please set them in the SFIAB Configuration/External Award Sources editor first", array($r->name)));
@ -174,7 +174,7 @@ switch (get_value_from_array($_GET, 'action')) {
AND year='$year' AND year='$year'
"); ");
$q->execute(); $q->execute();
echo $q->errorInfo(); show_pdo_errors_if_any($pdo);
// update the prizes // update the prizes
$prizes = $award['prizes']; $prizes = $award['prizes'];
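Review bot: The error message in the `check` branch reads `$r->name`, but the fair row was just fetched into `$fair` on the line above, so on that failure path `$r` is undefined and the message prints an empty source name; it should be `array($fair['name'])`. The second hunk still interpolates `$year` into the query (`AND year='$year'`) while the rest of the commit moves to placeholders; `AND year=?` with `$q->execute([$year])` would match the `check` branch, though the `prepare()` starts before the hunk so the full statement cannot be quoted here. The switch statement enclosing both hunks starts before and ends after the visible lines.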


@ -30,7 +30,7 @@ user_auth_required('committee', 'admin');
// function get_cwsf_award_winners() // function get_cwsf_award_winners()
function get_winners($awardid, $fairs_id) function get_winners($awardid, $fairs_id)
{ {
global $config; global $config, $pdo;
/* Mappings of the name we want => to the column name returned in MYSQL */ /* Mappings of the name we want => to the column name returned in MYSQL */
$school_fields = array('schoolname' => 'school', $school_fields = array('schoolname' => 'school',
@ -125,7 +125,7 @@ function get_winners($awardid, $fairs_id)
awards_prizes_id='$pid' AND awards_prizes_id='$pid' AND
winners.year='{$config['FAIRYEAR']}'"); winners.year='{$config['FAIRYEAR']}'");
$wq->execute(); $wq->execute();
echo $pdo->erroInfo(); show_pdo_errors_if_any($pdo);
/* Get all projects assigned to this prize */ /* Get all projects assigned to this prize */
$prizewinners = array(); $prizewinners = array();
while ($project = $wq->fetch(PDO::FETCH_ASSOC)) { while ($project = $wq->fetch(PDO::FETCH_ASSOC)) {
@ -185,7 +185,7 @@ function get_winners($awardid, $fairs_id)
function count_winners($awardid, $fairs_id) function count_winners($awardid, $fairs_id)
{ {
global $config; global $config, $pdo;
$count = 0; $count = 0;
$awards = array(); $awards = array();
if ($awardid == -1) { if ($awardid == -1) {
@ -237,7 +237,7 @@ function count_winners($awardid, $fairs_id)
function load_server_cats_divs($fairs_id) function load_server_cats_divs($fairs_id)
{ {
global $config; global $config, $pdo;
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'"); $q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
$q->execute(); $q->execute();
@ -302,7 +302,7 @@ switch (get_value_from_array($_GET, 'action')) {
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'"); $q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
$q->execute(); $q->execute();
$fair = $q->fetch(PDO::FETCH_ASSOC);; $fair = $q->fetch(PDO::FETCH_ASSOC);
echo '<br />'; echo '<br />';
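Review bot: `load_server_cats_divs` and the `@ -302` hunk still build the fairs lookup with an interpolated `$fairs_id`, and the second one carries a stray brace inside the literal (`id='$fairs_id}'`), so MySQL compares `id` against a string such as `12}`; the numeric coercion happens to match, but only by accident and with a warning. Both should become `$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?"); $q->execute([$fairs_id]);`, as the commit already does in the sibling award-sources file. The remaining hunks only add `$pdo` to `global` and replace the misspelled `erroInfo()` call, which look correct; every function touched here continues outside its hunk.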


@ -27,14 +27,17 @@ require_once ('../user.inc.php');
function get_cwsf_award_winners() function get_cwsf_award_winners()
{ {
global $config; global $config, $pdo;
$winners = array(); $winners = array();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year='" . $config['FAIRYEAR'] . "'"); $q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year=?");
$q->execute(); $q->execute([$config['FAIRYEAR']]);
if ($q->rowCount() == 1) { if ($q->rowCount() == 1) {
$award = $q->fetch(PDO::FETCH_OBJ); $award = $q->fetch(PDO::FETCH_OBJ);
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$award->id'"); $pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$pq->execute([$award->id]);
while ($prize = $pq->fetch(PDO::FETCH_OBJ)) { while ($prize = $pq->fetch(PDO::FETCH_OBJ)) {
$wq = $pdo->prepare("SELECT $wq = $pdo->prepare("SELECT
projects.id, projects.id,
@ -50,16 +53,18 @@ function get_cwsf_award_winners()
projects projects
WHERE WHERE
winners.projects_id=projects.id AND winners.projects_id=projects.id AND
awards_prizes_id='$prize->id' AND awards_prizes_id=? AND
winners.year='" . $config['FAIRYEAR'] . "'"); winners.year=?");
$wq->execute(); $wq->execute([$prize->id, $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
while ($project = $wq->fetch(PDO::FETCH_OBJ)) { while ($project = $wq->fetch(PDO::FETCH_OBJ)) {
$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='$project->registrations_id' AND year='" . $config['FAIRYEAR'] . "'"); $sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$sq->execute(); $sq->execute([$project->registrations_id, $config['FAIRYEAR']]);
$students = array(); $students = array();
$cwsf_agecategory = 0; $cwsf_agecategory = 0;
while ($s = $sq->fetch(PDO::FETCH_OBJ)) { while ($s = $sq->fetch(PDO::FETCH_OBJ)) {
if ($s->grade >= 7 && $s->grade <= 8) { if ($s->grade >= 7 && $s->grade <= 8) {
if ($cwsf_agecategory < 1) if ($cwsf_agecategory < 1)
@ -122,8 +127,8 @@ echo '<br />';
if (count(get_value_from_array($_POST, 'cwsfdivision', []))) { if (count(get_value_from_array($_POST, 'cwsfdivision', []))) {
foreach ($_POST['cwsfdivision'] AS $p => $d) { foreach ($_POST['cwsfdivision'] AS $p => $d) {
$q = $pdo->prepare("UPDATE projects SET cwsfdivisionid='$d' WHERE id='$p'"); $q = $pdo->prepare("UPDATE projects SET cwsfdivisionid=? WHERE id=?");
$q->execute(); $q->execute([$d, $p]);
} }
echo happy(i18n('CWSF Project Divisions saved')); echo happy(i18n('CWSF Project Divisions saved'));
} }
@ -178,8 +183,8 @@ if ($ysc_region_password == '') {
} }
if ($ok) { if ($ok) {
$q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year='" . $config['FAIRYEAR'] . "'"); $q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year=?");
$q->execute(); $q->execute([$config['FAIRYEAR']]);
if (!$q->rowCount()) { if (!$q->rowCount()) {
echo error(i18n('Cannot find an award that is specified as the Canada-Wide Science Fair Award')); echo error(i18n('Cannot find an award that is specified as the Canada-Wide Science Fair Award'));
echo i18n('Please go to the awards manager and select which award identifies your CWSF students'); echo i18n('Please go to the awards manager and select which award identifies your CWSF students');
@ -248,8 +253,8 @@ if ($ok) {
echo '</td><td>'; echo '</td><td>';
$t = $q->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $winner['projectdivisions_id'] . "'"); $t = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? AND id=?");
$t->execute(); $t->execute([$config['FAIRYEAR'], $winner['projectdivisions_id']]);
$tr = $t->fetch(PDO::FETCH_OBJ); $tr = $t->fetch(PDO::FETCH_OBJ);
echo $tr->division; echo $tr->division;
echo '<br />'; echo '<br />';
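Review bot: In the last hunk `$tr = $t->fetch(PDO::FETCH_OBJ)` is followed by `echo $tr->division` with no check, so a winner whose `projectdivisions_id` has no row for the current year produces a property-on-false warning in the middle of the page; `if ($tr) echo $tr->division;` keeps the output clean. The parameter binding added throughout this file (FAIRYEAR, award id, prize id, registrations id, the posted division ids) reads correctly, and the `$q->prepare` to `$pdo->prepare` correction is right. `get_cwsf_award_winners` and the page-level `if` blocks extend beyond the visible hunks.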


@ -11,15 +11,15 @@ while ($i = $q->fetch(PDO::FETCH_OBJ)) {
echo "Autocompleting Judge {$i->email}<br />"; echo "Autocompleting Judge {$i->email}<br />";
$id = $i->id; $id = $i->id;
$p = generatePassword(12); $p = password_hash(generatePassword(), PASSWORD_BCRYPT);
$stmt = $pdo->prepare("UPDATE judges SET password='$p',complete='yes'"); $stmt = $pdo->prepare("UPDATE judges SET password=?,complete=?");
$stmt->execute(); $stmt->execute([$p, 'yes']);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$stmt = $pdo->prepare("DELETE FROM judges_years WHERE judges_id='$id'"); $stmt = $pdo->prepare("DELETE FROM judges_years WHERE judges_id=?");
$stmt->execute(); $stmt->execute([$id]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$stmt = $pdo->prepare("INSERT INTO judges_years (`judges_id`,`year`) VALUES ('$id','{$config['FAIRYEAR']}')"); $stmt = $pdo->prepare("INSERT INTO judges_years (`judges_id`,`year`) VALUES (?, ?)");
$stmt->execute(); $stmt->execute([$id, $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
} }
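Review bot: The `UPDATE judges SET password=?,complete=?` statement has no WHERE clause, so every iteration of the `while` loop overwrites the password of every judge in the table rather than just `$i->id`; this predates the commit, but the commit rewrites the line and keeps the defect. It should read `$stmt = $pdo->prepare("UPDATE judges SET password=?,complete=? WHERE id=?");` with `$stmt->execute([$p, 'yes', $id]);`. Note also that the plaintext from `generatePassword()` is hashed and then discarded, so the affected judges end up with a password nobody knows; if that lock-out is intended, a comment such as `// unguessable placeholder; judge must use password recovery` would stop the next reader from treating it as a bug. The loop's `$q` comes from before the hunk.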


@ -34,14 +34,15 @@ send_header('Invite Judges',
'Judges' => 'admin/judges.php')); 'Judges' => 'admin/judges.php'));
echo '<br />'; echo '<br />';
if ($_POST['action'] == 'invite' && $_POST['email']) { if ($_POST['action'] == 'invite' && $_POST['email']) {
$q = $pdo->prepare("SELECT id FROM judges WHERE email='" . $_POST['email'] . "'"); $q = $pdo->prepare("SELECT id FROM judges WHERE email=?");
$q->execute(); $q->execute([$_POST['email']]);
if ($q->rowCount()) { if ($q->rowCount()) {
echo error(i18n('A judge already exists with that email address')); echo error(i18n('A judge already exists with that email address'));
} else { } else {
$pass = generatePassword(); $pass = generatePassword();
$pdo->prepare("INSERT INTO judges (email,password) VALUES ('" . stripslashes($_POST['email'])) . "','$pass')"; $hash = password_hash($pass, PASSWORD_BCRYPT);
$pdo->execute(); $stmt = $pdo->prepare("INSERT INTO judges (email,password) VALUES (?, ?)");
$stmt->execute([$_POST['email'], $hash]);
email_send('new_judge_invite', stripslashes($_POST['email']), array('FAIRNAME' => $config['fairname']), array('FAIRNAME' => $config['fairname'], 'EMAIL' => stripslashes($_POST['email']), 'PASSWORD' => $pass)); email_send('new_judge_invite', stripslashes($_POST['email']), array('FAIRNAME' => $config['fairname']), array('FAIRNAME' => $config['fairname'], 'EMAIL' => stripslashes($_POST['email']), 'PASSWORD' => $pass));
echo happy(i18n('%1 has been invited to be a judge', array($_POST['email']))); echo happy(i18n('%1 has been invited to be a judge', array($_POST['email'])));
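Review bot: The address is looked up and inserted raw (`$_POST['email']`) on the new side, while the invitation two lines later is still sent to `stripslashes($_POST['email'])`, so an input containing a backslash would be stored under one address and mailed to another. Compute it once — `$email = stripslashes($_POST['email']);` — and use that for the lookup, the INSERT and `email_send`. The stored value is now a 60-byte hash; the `judges.password` column is not in this chunk, so confirm it is wide enough (the `users` table received that widening in this commit). The enclosing `if` block continues outside the hunk.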


@ -69,6 +69,7 @@ function report_student_get_cheque_date_format($report, $field, $text)
function report_student_safety_question($report, $field, $text) function report_student_safety_question($report, $field, $text)
{ {
global $pdo;
/* Field is 'safetyquestion_x', registration_id is passed in $text */ /* Field is 'safetyquestion_x', registration_id is passed in $text */
$q_ord = intval(substr($field, 15)); $q_ord = intval(substr($field, 15));
$regid = $text; $regid = $text;
@ -90,6 +91,7 @@ function report_student_safety_question($report, $field, $text)
function reports_students_numstudents($report, $field, $text) function reports_students_numstudents($report, $field, $text)
{ {
global $pdo;
$year = $report['year']; $year = $report['year'];
$q = $pdo->prepare("SELECT students.id FROM students $q = $pdo->prepare("SELECT students.id FROM students
WHERE students.registrations_id='$text' WHERE students.registrations_id='$text'
@ -100,6 +102,7 @@ function reports_students_numstudents($report, $field, $text)
function reports_students_award_selfnom_num($report, $field, $text, $n) function reports_students_award_selfnom_num($report, $field, $text, $n)
{ {
global $pdo;
$year = $report['year']; $year = $report['year'];
$q = $pdo->prepare("SELECT award_awards.name FROM $q = $pdo->prepare("SELECT award_awards.name FROM
projects projects
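Review bot: `reports_students_numstudents` still interpolates `$text` (the registration id handed in by the report engine) straight into the query (`WHERE students.registrations_id='$text'`), the pattern the rest of this commit is replacing; it should be `WHERE students.registrations_id=?` with `$text` passed to `execute()`. The `prepare()` calls in the last two hunks continue past the visible lines, so the matching `execute([...])` change cannot be quoted here. The added `global $pdo;` lines are correct and presumably what made these helpers work at all, since each uses `$pdo` on the next lines.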


@ -73,7 +73,7 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
if (get_value_from_array($i, 'principal_uid') > 0) if (get_value_from_array($i, 'principal_uid') > 0)
$pl = user_load_by_uid($i['principal_uid']); $pl = user_load_by_uid($i['principal_uid']);
else if ($first != '' && $last != '') { else if ($first != '' && $last != '') {
$pl = user_create('principal', "*$first$last" . user_generate_password()); $pl = user_create('principal', "*$first$last" . generatePassword());
$principal_update = "principal_uid='{$pl['uid']}',"; $principal_update = "principal_uid='{$pl['uid']}',";
} else } else
$pl = false; $pl = false;
@ -108,7 +108,7 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
} }
$em = get_value_from_array($_POST, 'scienceheademail'); $em = get_value_from_array($_POST, 'scienceheademail');
if ($em == '' && ($first != '' || $last != '')) if ($em == '' && ($first != '' || $last != ''))
$em = "*$first$last" . user_generate_password(); $em = "*$first$last" . generatePassword();
/* /*
* Load existing record, or create new if there's something * Load existing record, or create new if there's something


@ -139,7 +139,7 @@ function students_save()
$x = 1; $x = 1;
while ($_POST['num'][$x]) { while ($_POST['num'][$x]) {
if ($_POST['id'][$x] == 0) { if ($_POST['id'][$x] == 0) {
// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can school the school on their own. // if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can choose the school on their own.
if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') { if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'"); $q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'");
$q->execute(); $q->execute();
@ -151,7 +151,7 @@ function students_save()
} }
// INSERT new record // INSERT new record
$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x]; $dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
$stmt->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (' $stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
. "'" . $registrations_id . "', " . "'" . $registrations_id . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', " . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', " . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
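Review bot: The corrected `$stmt = $pdo->prepare(...)` on the students INSERT still concatenates `$_POST['firstname']` and `$_POST['lastname']` into the SQL text after `stripslashes()`, which strips whatever escaping the request carried, so this statement stays open to SQL injection while the commit parameterizes the simpler queries elsewhere. Each `'...'` fragment should become a `?` and the values collected into an array for `execute()`; the INSERT continues for many more columns outside the hunk, so the full rewrite cannot be shown here. The comment fix (`choose the school`) is fine. `students_save` starts before and ends after the visible lines.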


@ -1120,20 +1120,8 @@ function email_send_new($to, $from, $subject, $body, $bodyhtml = '')
send_footer(); send_footer();
} }
function generatePassword($pwlen = 8) // config specific warning
{ function config_warnings() {}
// these are good characters that are not easily confused with other characters :)
$available = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
$len = strlen($available) - 1;
$key = '';
for ($x = 0; $x < $pwlen; $x++)
$key .= $available[rand(0, $len)];
return $key;
}
// config specific warning
function config_warnings() {}
// admin specific warnings // admin specific warnings
function admin_warnings() {} function admin_warnings() {}


@ -53,7 +53,7 @@ switch (get_value_from_array($_GET, 'action')) {
$fairs_id = intval($u['fairs_id']); $fairs_id = intval($u['fairs_id']);
if ($fairs_id == 0) { if ($fairs_id == 0) {
$stmt = $pdo->prepare("INSERT INTO fairs ('id', 'name') VALUES('', 'new entry')"); $stmt = $pdo->prepare("INSERT INTO fairs ('id', 'name') VALUES('', 'new entry')");
$stmt->execute([$id, $name]); $stmt->execute();
$id = $pdo->lastInsertId(); $id = $pdo->lastInsertId();
} else { } else {
$id = intval($fairs_id); $id = intval($fairs_id);
@ -65,8 +65,8 @@ switch (get_value_from_array($_GET, 'action')) {
$website = $pdo->quote($_POST['website']); $website = $pdo->quote($_POST['website']);
$type = array_key_exists($_POST['type'], $fair_type) ? $_POST['type'] : ''; $type = array_key_exists($_POST['type'], $fair_type) ? $_POST['type'] : '';
$username = $pdo->prepare(stripslashes($_POST['username'])); $username = $pdo->quote(stripslashes($_POST['username']));
$password = $pdo->prepare(stripslashes($_POST['password'])); $password = $pdo->quote(stripslashes(password_hash($_POST['password'], PASSWORD_BCRYPT)));
$enable_stats = ($_POST['enable_stats'] == 'yes') ? 'yes' : 'no'; $enable_stats = ($_POST['enable_stats'] == 'yes') ? 'yes' : 'no';
$enable_awards = ($_POST['enable_awards'] == 'yes') ? 'yes' : 'no'; $enable_awards = ($_POST['enable_awards'] == 'yes') ? 'yes' : 'no';
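Review bot: `INSERT INTO fairs ('id', 'name') VALUES('', 'new entry')` quotes the column names with single quotes, which MySQL parses as string literals, so the statement is a syntax error on both sides of the diff; the column list needs backticks (`` `id`, `name` ``) — dropping the stray `execute([$id, $name])` arguments is correct since the statement has no placeholders. `password_hash($_POST['password'], PASSWORD_BCRYPT)` in the second hunk looks wrong for this table: the award-sources `check` branch elsewhere in this commit errors when a fair's username/password are unset, which suggests `fairs.password` is the credential this server presents to a remote source, and a remote cannot be authenticated to with a bcrypt hash — confirm how this column is consumed before merging. If hashing is kept, `stripslashes()` should wrap the input rather than the hash (`password_hash(stripslashes($_POST['password']), PASSWORD_BCRYPT)`), since it is a no-op on bcrypt output. The surrounding `case` block extends beyond both hunks.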


@ -492,20 +492,20 @@ if ($u == false) {
} }
if (!is_array($u) || $u['password'] == '') { if (!is_array($u) || $u['password'] == '') {
$response['error'] = 1; $response['error'] = 1;
$response['message'] = 'Authentication Failed2'; $response['message'] = 'Authentication Failed';
echo json_encode($response); echo json_encode($response);
exit; exit;
} }
if ($u['password'] != $password) { if (!password_verify($password, $u['password'])) {
$response['error'] = 1; $response['error'] = 1;
$response['message'] = 'Authentication Failed3'; $response['message'] = 'Authentication Failed';
echo json_encode($response); echo json_encode($response);
exit; exit;
} }
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$u['fairs_id']}'"); $q = $pdo->prepare("SELECT * FROM fairs WHERE id='?'");
$q->execute(); $q->execute([$u['fairs_id']]);
$fair = $q->fetch(PDO::FETCH_ASSOC); $fair = $q->fetch(PDO::FETCH_ASSOC);
$response = array(); $response = array();
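Review bot: `WHERE id='?'` places the placeholder inside a string literal, so PDO sees zero parameters and `execute([$u['fairs_id']])` fails with an invalid-parameter-number error (or, under emulated prepares, compares `id` to the literal text `?`); the line must be `$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");`. The switch to `password_verify()` and the single `Authentication Failed` message (no longer revealing which check failed) are both right. The enclosing request handler continues outside the hunk.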


@ -38,7 +38,7 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
list($first, $last) = explode(' ', $_POST['sciencehead'], 2); list($first, $last) = explode(' ', $_POST['sciencehead'], 2);
$em = $_POST['scienceheademail']; $em = $_POST['scienceheademail'];
if ($em == '' && ($first != '' || $last != '')) if ($em == '' && ($first != '' || $last != ''))
$em = "*$first$last" . user_generate_password(); $em = "*$first$last" . generatePassword();
/* /*
* Load existing record, or create new if there's something * Load existing record, or create new if there's something


@ -33,6 +33,7 @@ require_once ('../config_editor.inc.php');
function roll($currentfairyear, $newfairyear, $table, $fields) function roll($currentfairyear, $newfairyear, $table, $fields)
{ {
global $pdo;
$q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear'"); $q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear'");
$q->execute(); $q->execute();
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
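Review bot: `roll()` gains the `global $pdo;` it needed, but the query still interpolates `$currentfairyear`; `$q = $pdo->prepare("SELECT * FROM $table WHERE year=?"); $q->execute([$currentfairyear]);` binds the value while leaving `$table`, which cannot be bound, as an identifier that callers must keep to a fixed set of table names. The function continues outside the hunk.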


@ -76,7 +76,7 @@
echo " <th>".i18n("Action")."</th>"; echo " <th>".i18n("Action")."</th>";
echo "</tr>\n"; echo "</tr>\n";
$total=0; $total=0;
while($sr=$sq->fetch(PDO::FETCH-OBJ)) { while($sr=$sq->fetch(PDO::FETCH_OBJ)) {
echo "<tr id=\"donations_$sr->id\" class=\"fundraising{$sr->status}\">"; echo "<tr id=\"donations_$sr->id\" class=\"fundraising{$sr->status}\">";
echo "<td>$sr->name</td>\n"; echo "<td>$sr->name</td>\n";
echo "<td>$sr->status</td>"; echo "<td>$sr->status</td>";


@ -54,14 +54,10 @@ function user_valid_type($type)
return true; return true;
} }
/*
* Duplicate of common.inc.php:generatePassword, which will be deleted function generatePassword($pwlen = 16)
* eventually when ALL users are handled through this file
*/
function user_generate_password($pwlen = 8)
{ {
// these are good characters that are not easily confused with other characters :) $available = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$available = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
$len = strlen($available) - 1; $len = strlen($available) - 1;
$key = ''; $key = '';
@ -69,7 +65,6 @@ function user_generate_password($pwlen = 8)
$key .= $available[rand(0, $len)]; $key .= $available[rand(0, $len)];
return $key; return $key;
} }
/* /*
* Separate user_load_type functions, these could make additional database * Separate user_load_type functions, these could make additional database
* calls if required * calls if required
@ -92,6 +87,7 @@ function user_load_student(&$u)
function user_load_judge(&$u) function user_load_judge(&$u)
{ {
global $pdo;
$u['judge_active'] = ($u['judge_active'] == 'yes') ? 'yes' : 'no'; $u['judge_active'] = ($u['judge_active'] == 'yes') ? 'yes' : 'no';
$u['judge_complete'] = ($u['judge_complete'] == 'yes') ? 'yes' : 'no'; $u['judge_complete'] = ($u['judge_complete'] == 'yes') ? 'yes' : 'no';
$u['years_school'] = intval($u['years_school']); $u['years_school'] = intval($u['years_school']);
@ -318,6 +314,7 @@ function user_load_by_uid($uid)
function user_load_by_email($email) function user_load_by_email($email)
{ {
global $pdo;
/* Find the most recent uid for the email, regardless of deleted status */ /* Find the most recent uid for the email, regardless of deleted status */
$e = $email; $e = $email;
$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1"); $q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
@ -331,8 +328,9 @@ function user_load_by_email($email)
function user_load_by_uid_year($uid, $year) function user_load_by_uid_year($uid, $year)
{ {
$q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'"); global $pdo;
$q->execute(); $q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <= ?");
$q->execute([$uid, $year]);
if (!$q->rowCount()) if (!$q->rowCount())
return false; return false;
$i = $q->fetch(PDO::FETCH_ASSOC); $i = $q->fetch(PDO::FETCH_ASSOC);
@ -345,11 +343,11 @@ function user_set_password($id, $password = NULL)
/* pass $u by reference so we can update it */ /* pass $u by reference so we can update it */
$save_old = false; $save_old = false;
if ($password == NULL) { if ($password == NULL) {
$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'"); $q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
$q->execute(); $q->execute([$id]);
$u = $q->fetch(PDO::FETCH_ASSOC); $u = $q->fetch(PDO::FETCH_ASSOC);
/* Generate a new password */ /* Generate a new password */
$password = user_generate_password(12); $password = generatePassword();
/* save the old password only if it's not an auto-generated one */ /* save the old password only if it's not an auto-generated one */
if ($u['passwordset'] != '0000-00-00') if ($u['passwordset'] != '0000-00-00')
$save_old = true; $save_old = true;
@ -362,10 +360,12 @@ function user_set_password($id, $password = NULL)
} }
$p = $password; $p = $password;
$set = ($save_old == true) ? 'oldpassword=password, ' : '';
$set .= "password='$p', passwordset=$save_set ";
$query = "UPDATE users SET $set WHERE id='$id'"; $set = ($save_old == true) ? 'oldpassword=password, ' : '';
$set .= "password='" . password_hash($p, PASSWORD_BCRYPT) . "', passwordset=$save_set ";
////FIXME This one may be tricky
$query = "UPDATE users SET $set WHERE id=$id";
$stmt = $pdo->prepare($query); $stmt = $pdo->prepare($query);
$stmt->execute(); $stmt->execute();
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
@ -474,8 +474,8 @@ function user_save(&$u)
exit; exit;
} }
// give em a record, the primary key on the table takes care of uniqueness // give em a record, the primary key on the table takes care of uniqueness
$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')"); $q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES (?)");
$q->execute(); $q->execute([$u['id']]);
} }
$fields = array('salutation', 'firstname', 'lastname', 'username', $fields = array('salutation', 'firstname', 'lastname', 'username',
@ -503,13 +503,14 @@ function user_save(&$u)
// print_r($u); // print_r($u);
// echo "</pre>"; // echo "</pre>";
if ($set != '') { if ($set != '') {
$query = "UPDATE users SET $set WHERE id='{$u['id']}'"; $query = "UPDATE users SET $set WHERE id=?";
$stmt = $pdo->prepare($query); $stmt = $pdo->prepare($query);
$stmt->execute(); $stmt->execute([$u['id']]);
// echo "query=[$query]"; // echo "query=[$query]";
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
} }
/* Save the password if it changed */ /* Save the password if it changed */
if ($u['password'] != $u['orig']['password']) if ($u['password'] != $u['orig']['password'])
user_set_password($u['id'], $u['password']); user_set_password($u['id'], $u['password']);
@ -811,14 +812,15 @@ function user_create($type, $username, $u = NULL)
$stmt->execute(); $stmt->execute();
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$uid = $pdo->lastInsertId(); $uid = $pdo->lastInsertId();
if (user_valid_email($username)) { if (user_valid_email($username)) {
$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'"); $stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
$stmt->execute(); $stmt->execute();
} }
$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'"); $stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
$stmt->execute(); $stmt->execute();
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
user_set_password($uid, NULL);
/* /*
* Since the user already has a type, user_save won't create this * Since the user already has a type, user_save won't create this
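Review bot: `user_set_password` still splices the bcrypt hash and `$id` into the SQL string (`password='" . password_hash(...) . "'` and `WHERE id=$id`, with `$id` now unquoted), even though the SELECT a few lines earlier in the same function was converted to a placeholder; bind both and the `////FIXME` can go (fence below). `generatePassword()` draws from `rand()`, which is not a cryptographically secure generator, for passwords that are mailed to users and now serve as their only credential — `random_int(0, $len)` is a drop-in replacement. `user_create()` no longer calls `user_set_password($uid, NULL)`, so any caller other than the invite flow amended in this commit (the principal account created from the school editor, for instance) presumably ends up with an empty password; if that is the intended "unusable" state, a comment at the removed call site saying so would help. All three functions extend beyond their hunks.
```php
$p = $password;
$set = ($save_old == true) ? 'oldpassword=password, ' : '';
// $save_set is an SQL fragment built above the hunk; it is not user input
$set .= 'password=?, passwordset=' . $save_set . ' ';
$stmt = $pdo->prepare("UPDATE users SET $set WHERE id=?");
$stmt->execute([password_hash($p, PASSWORD_BCRYPT), $id]);
show_pdo_errors_if_any($pdo);
```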


@ -196,11 +196,14 @@ if (get_value_from_array($_POST, 'action', '') && get_value_from_array($_POST, '
$u = user_create($type, $email); $u = user_create($type, $email);
$u['email'] = $email; $u['email'] = $email;
user_save($u); user_save($u);
$password = user_set_password($u['id'], NULL);
email_send("{$type}_new_invite", $u['email'], email_send("{$type}_new_invite", $u['email'],
array('FAIRNAME' => $config['fairname']), array('FAIRNAME' => $config['fairname']),
array('FAIRNAME' => $config['fairname'], array('FAIRNAME' => $config['fairname'],
'EMAIL' => $u['email'], 'EMAIL' => $u['email'],
'PASSWORD' => $u['password'])); 'PASSWORD' => $password));
echo happy(i18n('%1 has been invited to be a %2', array($u['email'], $user_what[$type]))); echo happy(i18n('%1 has been invited to be a %2', array($u['email'], $user_what[$type])));
echo happy(i18n('An email has been sent to %1', array($u['email']))); echo happy(i18n('An email has been sent to %1', array($u['email'])));
break; break;


@ -41,21 +41,13 @@ function try_login($user, $pass)
* in the username field * in the username field
*/ */
/* /* See if the user email or username is valid */
* FIXME: this should be user_valid_email, but can't be yet, because if (!user_valid_email($user) || !user_valid_user($user)) {
* we copy the usernames from the email field, and that field may
* contain a name too
*/
if (!isEmailAddress($user)) {
/* It's possible that it's a username */ /* It's possible that it's a username */
if (!user_valid_user($user))
return false; return false;
} }
// we cannot check for a valid_password here, because converted users dont enforce password length of 6 which user_valid_password does. if (!user_valid_password($pass))
// all we can do is check if its a length >0
// $x = user_valid_password($pass);
if (!strlen($pass))
return false; return false;
$q = $pdo->prepare("SELECT id, username, password, year, deleted $q = $pdo->prepare("SELECT id, username, password, year, deleted
@ -65,8 +57,8 @@ function try_login($user, $pass)
ORDER BY year DESC LIMIT 1"); ORDER BY year DESC LIMIT 1");
$q->bindParam(':username', $user, PDO::PARAM_STR); $q->bindParam(':username', $user, PDO::PARAM_STR);
$q->execute(); $q->execute();
if ($q->rowCount() < 1) if ($q->rowCount() < 1)
return false; return false;
@ -77,11 +69,11 @@ function try_login($user, $pass)
if ($r->deleted == 'yes') if ($r->deleted == 'yes')
return false; return false;
/* See if the password matches */
// ///// FIXME Use hash passwords
if ($r->password != $pass) /* See if the password matches */
if (!password_verify($pass, $r->password)) {
return false; return false;
}
/* Login successful */ /* Login successful */
return $r->id; return $r->id;
@ -246,8 +238,8 @@ if (get_value_from_array($_POST, 'action') == 'login') {
} }
$q = $pdo->prepare("UPDATE users SET lastlogin=NOW() $q = $pdo->prepare("UPDATE users SET lastlogin=NOW()
WHERE id={$u['id']}"); WHERE id=?");
$q->execute(); $q->execute([$u['id']]);
/* /*
* Setup multirole so a multirole user can switch if they want to * Setup multirole so a multirole user can switch if they want to
@ -352,16 +344,17 @@ if (get_value_from_array($_POST, 'action') == 'login') {
if (user_valid_email($email)) { if (user_valid_email($email)) {
/* valid email address */ /* valid email address */
$e = $email; $e = $email;
$q = $pdo->prepare("SELECT * FROM users WHERE (username='$e' OR email='$e') ORDER BY year DESC LIMIT 1"); $q = $pdo->prepare("SELECT * FROM users WHERE (username=? OR email=?) ORDER BY year DESC LIMIT 1");
$q->execute(); $q->execute([$e, $e]);
$r = $q->fetch(PDO::FETCH_OBJ); $r = $q->fetch(PDO::FETCH_OBJ);
if ($r) { if ($r) {
$fn = trim($_POST['fn']); $fn = trim($_POST['fn']);
$ln = trim($_POST['ln']); $ln = trim($_POST['ln']);
/* Check name match */ /* Check name match */
if (strcasecmp($r->firstname, $fn) != 0 || strcasecmp($r->lastname, $ln) != 0) { if (strcasecmp($r->firstname, $fn) != 0 || strcasecmp($r->lastname, $ln) != 0) {
message_push(error(i18n('The name you entered does not match the one in your account'))); message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.')));
header("Location: user_login.php?type=$type"); header("Location: user_login.php?type=$type");
exit; exit;
} }
@ -369,6 +362,7 @@ if (get_value_from_array($_POST, 'action') == 'login') {
/* Reset the password, and force it to expire */ /* Reset the password, and force it to expire */
$password = user_set_password($r->id, NULL); $password = user_set_password($r->id, NULL);
/* volunteer_recover_password, judge_recover_password, student_recover_password, /* volunteer_recover_password, judge_recover_password, student_recover_password,
committee_recover_password */ committee_recover_password */
email_send("{$type}_recover_password", email_send("{$type}_recover_password",
@ -377,11 +371,11 @@ if (get_value_from_array($_POST, 'action') == 'login') {
array('PASSWORD' => $password, array('PASSWORD' => $password,
'EMAIL' => $email)); 'EMAIL' => $email));
message_push(notice(i18n('Your password has been sent to your email address'))); message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.')));
header("Location: user_login.php?type=$type"); header("Location: user_login.php?type=$type");
exit; exit;
} else { } else {
message_push(error(i18n('Could not find your email address for recovery'))); message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.')));
header("Location: user_login.php?type=$type"); header("Location: user_login.php?type=$type");
exit; exit;
} }


@ -124,8 +124,8 @@ switch ($action) {
} }
/* See if this email already exists */ /* See if this email already exists */
$q = $pdo->prepare("SELECT id,types,MAX(year) AS year,deleted FROM users WHERE (email='$sql_email' OR username='$sql_email' )"); $q = $pdo->prepare("SELECT id,types,MAX(year) AS year,deleted FROM users WHERE (email=? OR username=? )");
$q->execute(); $q->execute([$sql_email, $sql_email]);
// select *, max(year) from users where username=sql_email // select *, max(year) from users where username=sql_email
// if deleted and year = current yera - just undelete // if deleted and year = current yera - just undelete
// if deleted and year != current yera - proceed normally and recreate the user // if deleted and year != current yera - proceed normally and recreate the user
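Review bot: The query on the changed `prepare` line still selects `id`, `types` and `deleted` alongside `MAX(year)` with no `GROUP BY`, so which row supplies `id` and `deleted` is undefined and the undelete decision described in the comments below may act on a row other than the most recent year; with `ONLY_FULL_GROUP_BY` enabled the statement is rejected outright. Since the address is now bound as a parameter, `$sql_email` presumably no longer needs the escaping its name suggests it received earlier (outside the hunk); if it is still escaped, addresses containing quotes or backslashes will no longer match. Consider selecting the latest row explicitly, e.g. `SELECT id, types, year, deleted FROM users WHERE (email=? OR username=?) ORDER BY year DESC LIMIT 1`, which mirrors the lookup the recovery path already uses. The enclosing switch case continues outside the hunk.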


@ -62,11 +62,11 @@ $password_expiry_days = get_value_from_array($config, "{$type}_password_expiry_d
if (get_value_from_array($_POST, 'action') == 'save') { if (get_value_from_array($_POST, 'action') == 'save') {
$pass = $_POST['pass1']; $pass = $_POST['pass1'];
// first, lets see if they choosed the same password again (bad bad bad) // first, lets see if they choosed the same password again (bad bad bad)
$q = $pdo->prepare("SELECT password FROM users WHERE $q = $pdo->prepare("SELECT password FROM users WHERE id=?");
id='{$_SESSION['users_id']}' $q->execute([$_SESSION['users_id']]);
AND password='$pass'"); $hash = $q->fetch(PDO::FETCH_ASSOC)['password'];
$q->execute();
if ($q->rowCount()) if (password_verify($pass, $hash))
message_push(error(i18n('You cannot choose the same password again. Please choose a different password'))); message_push(error(i18n('You cannot choose the same password again. Please choose a different password')));
else if (!$_POST['pass1']) else if (!$_POST['pass1'])
message_push(error(i18n('New Password is required'))); message_push(error(i18n('New Password is required')));
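Review bot: On the new `$hash = $q->fetch(PDO::FETCH_ASSOC)['password'];` line, `fetch()` returns `false` when no row matches the session's `users_id`, so indexing it emits a PHP warning and passes `null` to `password_verify()`, which is deprecated for its string parameter in PHP 8.1 and silently yields false. Guard the lookup, e.g. `$row = $q->fetch(PDO::FETCH_ASSOC);` followed by `$hash = $row ? $row['password'] : '';`, or treat a missing row as an error rather than falling through to the password update. The same-password check also runs before the empty-password check on the line below; ordering the emptiness test first avoids a needless hash verification on blank input. The enclosing `if` block continues past the hunk.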


@ -40,7 +40,6 @@ $user_personal_fields = array(
'lastname' => array('name' => 'Last Name'), 'lastname' => array('name' => 'Last Name'),
'email' => array('name' => 'Email Address'), 'email' => array('name' => 'Email Address'),
'username' => array('name' => 'Username'), 'username' => array('name' => 'Username'),
'password' => array('name' => 'Password'),
'address' => array('name' => 'Address 1'), 'address' => array('name' => 'Address 1'),
'address2' => array('name' => 'Address 2'), 'address2' => array('name' => 'Address 2'),
'city' => array('name' => 'City'), 'city' => array('name' => 'City'),
@ -98,12 +97,6 @@ foreach ($u['types'] as $t) {
user_personal_required_fields($t)); user_personal_required_fields($t));
} }
if (committee_auth_has_access('super')) {
/* If the editer is super, let them see/edit/save the user/pass */
$fields[] = 'username';
$fields[] = 'password';
}
switch (get_value_from_array($_GET, 'action')) { switch (get_value_from_array($_GET, 'action')) {
case 'save': case 'save':
$users_id = intval($_POST['users_id']); $users_id = intval($_POST['users_id']);