From 886a54001e143139fb2ffbbd87049d426b0cfec1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bruno=20Ryb=C3=A1rsky?=
Date: Mon, 7 Aug 2023 15:52:21 +0200
Subject: [PATCH] do some stuff
---
 api.php | 198 ++++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 156 insertions(+), 42 deletions(-)
diff --git a/api.php b/api.php
index 24c25fe..fd03f96 100644
--- a/api.php
+++ b/api.php
@@ -5,12 +5,12 @@
 $mysqllogin = json_decode(file_get_contents("secrets/MysqlLogin.json"), false);
 $mysqli = new mysqli('localhost', $mysqllogin->DBUser, $mysqllogin->DBPassword, $mysqllogin->DBName);
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
- $action = $_POST["action"];
+ $action = htmlspecialchars($_POST["action"]);
 if($action == "login"){
- $uname = $_POST["username"];
- $pwd = $_POST["password"];
- $stmt1 = $mysqli->prepare("SELECT PWD, ID, FullName, Nickname, CanSeeFullNames, CanSeeOthersComments, IsAdmin FROM Users WHERE Username = %s;");
+ $uname = htmlspecialchars($_POST["username"]);
+ $pwd = htmlspecialchars($_POST["password"]);
+ $stmt1 = $mysqli->prepare("SELECT PWD, ID, FullName, Nickname, CanSeeFullNames, CanSeeOthersComments, IsAdmin FROM Users WHERE Username = ?;");
 $stmt1->bind_param('s', $uname);
 $stmt1->bind_result($pwdhash, $uid, $fullname, $nick, $fullnamepriv, $otherscommentspriv, $adminpriv);
 $stmt1->execute();
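Review bot: `htmlspecialchars()` is applied to `$_POST["password"]` before the value reaches `password_verify()` (and, in the `setpassword` and `adduser` hunks below, before `password_hash()`), so a password containing `&`, `<`, `>`, `"` or `'` is hashed and checked in its HTML-encoded form, and the same call turns the bound `$uname` into a string different from what the user typed. HTML escaping is an output-context encoding, not input validation; with the `?` placeholder and `bind_param` the query is already parameterised, so read the raw values here — `$uname = $_POST["username"] ?? '';` and `$pwd = $_POST["password"] ?? '';` — and escape at render time instead. The `?? ''` also avoids an undefined-index warning when a field is absent from the request. The result of `prepare()` is still not checked; if it returns `false` the `bind_param` call on the next line fails with a fatal error rather than a handled response.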
@@ -45,27 +45,27 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 function processUserRelated($actionin, mysqli $mysqliconn){
 if($actionin == "setnickname"){
- $newNick = $_POST["newnick"];
+ $newNick = htmlspecialchars($_POST["newnick"]);
 $_SESSION["nickname"] = $newNick;
- $stmt2 = $mysqliconn->prepare("UPDATE Users SET Nickname=%s WHERE ID = %i;");
+ $stmt2 = $mysqliconn->prepare("UPDATE Users SET Nickname=? WHERE ID = ?;");
 $stmt2->bind_param('si', $newNick, $_SESSION["userID"]);
 $stmt2->execute();
 $stmt2->store_result();
 }
 if($actionin == "setfullname"){
- $newFull = $_POST["newFull"];
+ $newFull = htmlspecialchars($_POST["newFull"]);
 $_SESSION["fullname"] = $newNick;
- $stmt3 = $mysqliconn->prepare("UPDATE Users SET FullName=%s WHERE ID = %i;");
+ $stmt3 = $mysqliconn->prepare("UPDATE Users SET FullName=? WHERE ID = ?;");
 $stmt3->bind_param('si', $newFull, $_SESSION["userID"]);
 $stmt3->execute();
 $stmt3->store_result();
 }
 if($actionin == "setpassword"){
- $oldPWD = $_POST["oldPWD"];
- $newPWD = $_POST["newPWD"];
- $stmt4 = $mysqliconn->prepare("SELECT PWD FROM Users WHERE ID = %i AND Username = %s;");
+ $oldPWD = htmlspecialchars($_POST["oldPWD"]);
+ $newPWD = htmlspecialchars($_POST["newPWD"]);
+ $stmt4 = $mysqliconn->prepare("SELECT PWD FROM Users WHERE ID = ? AND Username = ?;");
 $stmt4->bind_param('is', $_SESSION["userID"], $_SESSION["username"]);
 $stmt4->bind_result($pwdhash);
 $stmt4->execute();
@@ -73,7 +73,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 if ($stmt4->num_rows > 0){
 while ($stmt4->fetch()){
 if(password_verify($oldPWD, $pwdhash)){
- $stmt5 = $mysqliconn->prepare("UPDATE Users SET PWD=%s WHERE ID = %i;");
+ $stmt5 = $mysqliconn->prepare("UPDATE Users SET PWD=? WHERE ID = ?;");
 $newPWDhash = password_hash($newPWD, PASSWORD_DEFAULT);
 $stmt5->bind_param('si', $newPWDhash, $_SESSION["userID"]);
 $stmt5->execute();
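Review bot: In the `setfullname` branch, the line directly after the newly sanitised `$newFull` still writes `$newNick` into `$_SESSION["fullname"]`; `$newNick` is not assigned on this path, so the session copy of the full name ends up null while the database receives `$newFull`. Change it to `$_SESSION["fullname"] = $newFull;`. None of the three branches checks the return of `execute()`, so a failed update is reported to the client exactly like a successful one. The `htmlspecialchars()` on `$oldPWD`/`$newPWD` before `password_verify()`/`password_hash()` is the issue raised on the login hunk; `processUserRelated` continues past the end of this hunk.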
@@ -85,9 +85,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 }
 if($actionin == "getallusers"){
- $stmt6 = $mysqliconn->prepare("SELECT Username, Nickname, FullName, IsAdmin FROM Users;");
+ $stmt6 = $mysqliconn->prepare("SELECT ID, Username, Nickname, FullName, IsAdmin FROM Users;");
 $stmt6->execute();
- $stmt6->bind_result($uname, $nick, $fnamex, $isadmin);
+ $stmt6->bind_result($id, $uname, $nick, $fnamex, $isadmin);
 $stmt6->store_result();
 $outarr = array();
 if ($stmt6->num_rows > 0){
@@ -98,6 +98,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 else{
 $fname = "";
 }
+ $tmparr["id"] = $id;
 $tmparr["username"] = $uname;
 $tmparr["nickname"] = $nick;
 $tmparr["fullname"] = $fname;
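Review bot: `$tmparr` is never initialised and is carried from one iteration of the `while` loop to the next; because every key, now including the added `id`, is overwritten each time this happens to work, but the pattern is fragile if a key is ever written conditionally. A row-local literal, `$outarr[] = ['id' => $id, 'username' => $uname, 'nickname' => $nick, 'fullname' => $fname, 'isadmin' => $isadmin];`, replaces the five assignments and the `array_push` that follows this hunk. The same shape recurs in the `getalltags`, `gettagsbycreator`, `getallsources`, `getallsourcesbycreator` and `getallcommentsbycreator` hunks below. The `while` loop and its enclosing `if` begin and end outside this hunk.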
@@ -109,27 +110,21 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 }
 if($actionin == "adduser"){
- $stmt6 = $mysqliconn->prepare("INSERT INTO Users");
- $stmt6->execute();
- $stmt6->bind_result($uname, $nick, $fnamex, $isadmin);
- $stmt6->store_result();
- $outarr = array();
- if ($stmt6->num_rows > 0){
- while ($stmt6->fetch()){
- if ($_SESSION["canseefullnames"] == 1){
- $fname = $fnamex;
- }
- else{
- $fname = "";
- }
- $tmparr["username"] = $uname;
- $tmparr["nickname"] = $nick;
- $tmparr["fullname"] = $fname;
- $tmparr["isadmin"] = $isadmin;
- array_push($outarr, $tmparr);
- }
+ if($_SESSION["isadmin"] == 1){
+ $stmt7 = $mysqliconn->prepare("INSERT INTO Users (Username, Nickname, FullName, PWD, CanSeeFullNames, CanSeeOthersComments, IsAdmin) VALUES (?, ?, ?, ?, ?, ?, ?);");
+ $uname = htmlspecialchars($_POST["username"]);
+ $nick = htmlspecialchars($_POST["nickname"]);
+ $fname = htmlspecialchars($_POST["fullname"]);
+ $pwdx = htmlspecialchars($_POST["password"]);
+ $canfullnames = intval($_POST["canseefullnames"]);
+ $cancomments = intval($_POST["canseeotherscomments"]);
+ $pwd = password_hash($pwdx, PASSWORD_DEFAULT);
+ $admin = intval($_POST["isadmin"]);
+ $stmt7->bind_param("ssssiii", $uname, $nick, $fname, $pwd, $canfullnames, $cancomments, $admin);
+ $stmt7->execute();
+ $stmt7->store_result();
+ return "User added";
 }
- return json_encode($outarr);
 }
 return 0;
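Review bot: `adduser` returns `"User added"` regardless of whether `$stmt7->execute()` succeeded, so a rejected insert (a unique-key violation on `Username`, for example, if the schema has one — not visible here) is reported to the client as success. Test the result before the `store_result()` line: `if (!$stmt7->execute()) { return "User not added"; }`. A caller without `$_SESSION["isadmin"] == 1` falls through to `return 0;`, which the dispatcher treats as "action not handled" and silently moves on; an `else` branch returning an explicit refusal such as `return "Forbidden";` makes the authorization decision visible in the response and in logs. The `htmlspecialchars()` on `$pwdx` before `password_hash()` is the issue raised on the login hunk.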
@@ -174,14 +169,49 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 if($actionin == "createtag"){
+ $stmt9 = $mysqliconn->prepare("INSERT INTO Tags (TagName, CreatorID) VALUES (?, ?);");
+ $tagname = htmlspecialchars($_POST["tagname"]);
+ $uid = $_SESSION["userID"];
+ $stmt9->bind_param("si", $tagname, $uid);
+ $stmt9->execute();
+ $stmt9->store_result();
+ }
 if($actionin == "getalltags"){
-
+ $stmt10 = $mysqliconn->prepare("SELECT ID, TagName, CreatorID FROM Tags;");
+ $stmt10->execute();
+ $stmt10->bind_result($id, $tagname, $creatorid);
+ $stmt10->store_result();
+ $outarr = array();
+ if ($stmt10->num_rows > 0){
+ while ($stmt10->fetch()){
+ $tmparr["id"] = $id;
+ $tmparr["tagname"] = $tagname;
+ $tmparr["creatorid"] = $creatorid;
+ array_push($outarr, $tmparr);
+ }
+ }
+ return json_encode($outarr);
 }
- if($actionin == "gettagsbycollection"){
-
+ if($actionin == "gettagsbycreator"){
+ $stmt11 = $mysqliconn->prepare("SELECT ID, TagName, CreatorID FROM Tags WHERE CreatorID = ?;");
+ $cruid = intval($_POST['creatorid']);
+ $stmt11->bind_param("i", $cruid);
+ $stmt11->execute();
+ $stmt11->bind_result($id, $tagname, $creatorid);
+ $stmt11->store_result();
+ $outarr = array();
+ if ($stmt11->num_rows > 0){
+ while ($stmt11->fetch()){
+ $tmparr["id"] = $id;
+ $tmparr["tagname"] = $tagname;
+ $tmparr["creatorid"] = $creatorid;
+ array_push($outarr, $tmparr);
+ }
+ }
+ return json_encode($outarr);
 }
 return 0;
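Review bot: The `createtag` branch never returns after the insert, so execution falls through to the function's `return 0;`, which the dispatcher reads as "action not handled" — the client receives no response whether the insert succeeded or failed. Return a result from the branch: replace the `$stmt9->execute();` and `$stmt9->store_result();` lines with `if (!$stmt9->execute()) { return "Tag not created"; }` followed by `return "Tag created";`. The same fall-through applies to `createsource` and `createcomment` in the later hunks. `$tmparr` carried across iterations and `array_push` for a single element are the style point noted on the `getallusers` hunk; the enclosing function opens before this hunk.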
@@ -190,15 +220,51 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 function processSourcesRelated($actionin, mysqli $mysqliconn){
 if($actionin == "createsource"){
-
+ $stmt12 = $mysqliconn->prepare("INSERT INTO Sources (PublicationID, Place, CreatorID) VALUES (?, ?, ?);");
+ $publicationid = intval($_POST["publicationid"]);
+ $place = htmlspecialchars($_POST["place"]);
+ $cruid = $_SESSION["userID"];
+ $stmt12->bind_param("isi", $publicationid, $place, $cruid);
+ $stmt12->execute();
+ $stmt12->store_result();
 }
 if($actionin == "getallsources"){
-
+ $stmt13 = $mysqliconn->prepare("SELECT ID, PublicationID, Place, CreatorID FROM Sources;");
+ $stmt13->execute();
+ $stmt13->bind_result($id, $publicationid, $place, $creatorid);
+ $stmt13->store_result();
+ $outarr = array();
+ if ($stmt13->num_rows > 0){
+ while ($stmt13->fetch()){
+ $tmparr["id"] = $id;
+ $tmparr["publicationid"] = $publicationid;
+ $tmparr["place"] = $place;
+ $tmparr["creatorid"] = $creatorid;
+ array_push($outarr, $tmparr);
+ }
+ }
+ return json_encode($outarr);
 }
 if($actionin == "getallsourcesbycreator"){
-
+ $stmt13 = $mysqliconn->prepare("SELECT ID, PublicationID, Place, CreatorID FROM Sources WHERE CreatorID = ?;");
+ $cruid = intval($_POST['creatorid']);
+ $stmt13->bind_param("i", $cruid);
+ $stmt13->execute();
+ $stmt13->bind_result($id, $publicationid, $place, $creatorid);
+ $stmt13->store_result();
+ $outarr = array();
+ if ($stmt13->num_rows > 0){
+ while ($stmt13->fetch()){
+ $tmparr["id"] = $id;
+ $tmparr["publicationid"] = $publicationid;
+ $tmparr["place"] = $place;
+ $tmparr["creatorid"] = $creatorid;
+ array_push($outarr, $tmparr);
+ }
+ }
+ return json_encode($outarr);
 }
 return 0;
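Review bot: `$stmt13` names two different prepared statements in this function — the `getallsources` query and the `getallsourcesbycreator` query — which breaks the file's one-number-per-statement convention (`$stmt12`, `$stmt13`, then `$stmt14` in the next hunk). Both branches return before the other can run, so there is no runtime conflict today, but giving the second statement its own name, ideally a descriptive one such as `$sourcesByCreatorStmt`, keeps the convention readable and avoids confusion if the branches are ever merged. `createsource` falls through to `return 0;` exactly as noted on the `createtag` hunk. The `htmlspecialchars()` on `$place` stores HTML-encoded text in the `Place` column, which will be encoded a second time by any renderer that escapes on output; the escaping belongs at output time.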
@@ -207,17 +273,45 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 function processCommentRelated($actionin, mysqli $mysqliconn){
 if($actionin == "createcomment"){
-
+ $stmt14 = $mysqliconn->prepare("INSERT INTO Comments (CreatorID, CitationID, CitationThreadID, Content) VALUES (?, ?, ?, ?);");
+ $creatorid = $_SESSION["userid"];
+ $citationid = intval($_POST["citationid"]);
+ $citationthreadid = intval($_POST["citationthreadid"]);
+ $content = htmlspecialchars($_POST["content"]);
+ $stmt14->bind_param("iiis", $creatorid, $citationid, $citationthreadid, $content);
+ $stmt14->execute();
+ $stmt14->store_result();
 }
 if($actionin == "getallcommentsbycreator"){
-
+ $stmt15 = $mysqliconn->prepare("SELECT ID, CreatorID, CitationID, CitationThreadID, Content FROM Comments WHERE CreatorID = ?;");
+ $cruid = intval($_POST['creatorid']);
+ $stmt15->bind_param("i", $cruid);
+ $stmt15->execute();
+ $stmt15->bind_result($id, $creatorid, $citationid, $citationthreadid, $content);
+ $stmt15->store_result();
+ $outarr = array();
+ if ($stmt15->num_rows > 0){
+ while ($stmt15->fetch()){
+ $tmparr["id"] = $id;
+ $tmparr["creatorid"] = $creatorid;
+ $tmparr["citationid"] = $citationid;
+ $tmparr["citationthreadid"] = $citationthreadid;
+ $tmparr["content"] = $content;
+ array_push($outarr, $tmparr);
+ }
+ }
+ return json_encode($outarr);
 }
 if($actionin == "getcommentsbycitationlatestversion"){
 }
+ if($actionin == "getcommentsbycitationbyversion"){
+
+ }
+
 if($actionin == "getcommentsbycitationallversions"){
 }
@@ -225,6 +319,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 return 0;
 }
+ function processAuthorRelated($actionin, mysqli $mysqliconn){
+
+ }
+ function processPublicationRelated($actionin, mysqli $mysqliconn){
+
+ }
+
 if($_SESSION["loggedin"] == 1){
 $citationreturn = processCitationRelated($action, $mysqli);
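Review bot: `createcomment` reads `$_SESSION["userid"]`, while every other branch in this patch (`setnickname`, `setfullname`, `createtag`, `createsource`) uses `$_SESSION["userID"]`; PHP array keys are case-sensitive, so `$creatorid` is null here and `CreatorID` is bound as NULL — the insert then either stores no creator or is rejected, depending on the column's nullability, which the diff does not show. Change the line to `$creatorid = $_SESSION["userID"];`. The branch also falls through to `return 0;` as noted on the `createtag` hunk, so neither outcome is reported to the client. `processCommentRelated` opens inside this hunk but its body continues past it.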
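Review bot: `processAuthorRelated` and `processPublicationRelated` have empty bodies and therefore return null, whereas the other `process*Related` functions end with `return 0;`. The dispatcher's `!= 0` test only treats null as "not handled" because the comparison is loose; a later switch to `!== 0` would make it echo an empty string and `return` at the first stub, silently dropping every action handled further down. Add `return 0;` as the body of both stubs so they follow the same contract from day one, and give each a one-line comment stating it is a placeholder.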
@@ -251,6 +353,18 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 return;
 }
+ $authorreturn = processAuthorRelated($action, $mysqli);
+ if($authorreturn != 0){
+ echo $authorreturn;
+ return;
+ }
+
+ $publicationreturn = processPublicationRelated($action, $mysqli);
+ if($publicationreturn != 0){
+ echo $publicationreturn;
+ return;
+ }
+
 $userreturn = processUserRelated($action, $mysqli);
 if($userreturn != 0){
 echo $userreturn;
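Review bot: The two added blocks copy the existing call/compare/echo/return pattern verbatim, and the dispatcher now repeats it once per processor with only the function name changing; a loop over the processor list expresses the same first-match-wins behaviour once and makes adding the next processor a one-token change. The rewrite below keeps the loose `!= 0` sentinel so behaviour is unchanged; the processors before `processAuthorRelated` sit outside this hunk and would join the same list. First-class callable syntax needs PHP 8.1 or later — if the deployment target is older, use a list of function-name strings instead.
```php
// … unchanged: earlier processor calls are folded into the list below …
$processors = [
    processAuthorRelated(...),
    processPublicationRelated(...),
    processUserRelated(...),
];
foreach ($processors as $processor) {
    $result = $processor($action, $mysqli);
    if ($result != 0) {
        echo $result;
        return;
    }
}
```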