Improve security
Change-Id: Ia98bb629c8c81f609d3a5e4d023616a95f9c4248
diff --git a/main.php b/main.php
index 146237b..ac913a3 100644
--- a/main.php
+++ b/main.php
@@ -1,28 +1,11 @@
<?php
require './credentials.php';
require './php/utils.php';
-
- $credentials = new Credentials();
- $usersdb = $credentials->usersdb;
- $mortsdb = $credentials->mortsdb;
+ require_once('./php/security.php');
date_default_timezone_set("Europe/Madrid");
- $user = $_COOKIE['user']; // (int)$_POST['user'];
- $password = $_COOKIE['password']; // isset($_POST['password']) ? md5($_POST['password']) : '';
-
- if (!isset($_COOKIE['user']) or $_COOKIE['user'] == '') {
- die("<script>window.location.href = './'</script>");
- } else if (isset($_COOKIE['password'])) {
- $query_password = "SELECT password FROM $usersdb WHERE id=$user";
- if (query($query_password)->fetch_row()[0] != $password) {
- // Unset variables
- setcookie('user', '', -1, "/");
- setcookie('password', '', -1, "/");
-
- die("<script>window.location.href = './?passwordchanged=1'</script>");
- }
- }
+ Security::checkIsSignedIn();
?>
<html>
<head>
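Review bot: Nothing in this file starts a session before `$_SESSION["id"]` is read further down the page, so the call to Security::checkIsSignedIn() on L32 has to both call session_start() and terminate the request (not merely return) when no valid session exists; otherwise the page renders with a null id. security.php is not in view, so that contract is an assumption worth pinning at the call site with a comment such as `// Starts the session and exits (redirect) when not signed in; $_SESSION['id'] is trusted after this line`. As a point of style, L15 would match the two requires above it as `require_once './php/security.php';` without the function-call parentheses.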
@@ -51,11 +34,11 @@
<script src="./js/animations.js"></script>
<?php
- $user = get_users($user);
+ $user = get_users($_SESSION["id"]);
$victim = get_users($user->quimata);
if ($user->mort) die("<script>window.location.href = './dead.php'</script>");
- $bits = dec2bits($user->bits);
+ $bits = dec2bits($user->bits);
$bit_counter = 0;
?>
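Review bot: `$_SESSION["id"]` is handed to get_users() uncast on L40, while every other identifier this commit touches is cast with (int) before it reaches a query; if get_users() builds its SQL by concatenation like the queries later on this page, the same cast belongs here: `$user = get_users((int)$_SESSION["id"]);`. L41–L42 then dereference `$user->quimata` and `$user->mort` without checking that a row was found; if get_users() can return null for an id that no longer exists, a guard that clears the session and redirects, as the sign-in check does, would avoid a fatal error here. get_users() is outside this diff, so both points depend on its implementation.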
@@ -66,7 +49,7 @@
'requested': <?=(int)$user->requested?>,
'mort': <?=(int)$user->mort?>,
- 'nom': "<?=$user->nomcomplet?>",
+ 'nom': "<?=Security::htmlsafe($user->nomcomplet)?>",
'curs': <?=(int)$user->curs?>,
'grau': <?=(int)$user->grau?>
};
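Review bot: HTML escaping is the wrong encoder for L51, because the value is emitted inside a JavaScript string literal in the page's config object (the enclosing `<script>` block begins outside this hunk): htmlspecialchars() leaves backslashes and line breaks untouched, so a name containing either still breaks the literal, and any `&`, `<` or quote in the name is shown as its entity text rather than the character. Emit it as a JSON literal and drop the surrounding quotes: `'nom': <?=json_encode($user->nomcomplet, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)?>,`. The HEX flags keep the output safe inside `<script>` regardless of what the name contains, and the other numeric fields on L48–L53 can stay as they are.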
@@ -77,12 +60,12 @@
<div id="outter-container">
<div id="inner-container">
<a href="./" class="goback">Canvi d'usuari</a><br />
- <h2>Hola <name id="user_name"><?=$user->nom()?></name>,</h2>
+ <h2>Hola <name id="user_name"><?=Security::htmlsafe($user->nom())?></name>,</h2>
<div class="formulari_contrasenya">
<p>Sembla que no tens clau d'accés, la gent podrà entrar al teu compte...</p>
<form action="./php/change_password.php" method="POST">
- <input type="hidden" value="<?=$user->id?>" name="userid">
+ <input type="hidden" value="<?=(int)$user->id?>" name="userid">
<input type="password" placeholder="Nova clau d'accés..." name="password" /><br />
<input type="password" placeholder="Repeteix la clau d'accés" name="confirmation"/><br />
<input type="submit" value="Posar clau d'accés">
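Review bot: The (int) cast on L65 fixes the attribute context, but the hidden `userid` field still lets the browser decide which account ./php/change_password.php acts on; now that the signed-in user's id is available in `$_SESSION["id"]` (it is read elsewhere on this page), the handler should take the id from the session and this field can be dropped. change_password.php is outside this diff, so whether it already ignores the posted id could not be checked. The form also carries no anti-CSRF token; unless the Security class adds one transparently, a per-session token emitted as a hidden field on L64–L68 and verified by the handler would close that gap.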
@@ -110,11 +93,11 @@
</div>
</td>
<td class="table_text">
- <div id="victim_name"><?=$victim->nomcomplet?></div>
+ <div id="victim_name"><?=Security::htmlsafe($victim->nomcomplet)?></div>
<div id="victim_curs_i_grau">
- <span id="victim_curs"><?=$victim->nomcurs()?></span>
+ <span id="victim_curs"><?=Security::htmlsafe($victim->nomcurs())?></span>
-
- <span id="victim_grau"><?=$victim->nomgrau()?></span>
+ <span id="victim_grau"><?=Security::htmlsafe($victim->nomgrau())?></span>
</div>
<div id="butons" class="options">
<button id="win" onclick="js: send_request(user, 'REQ KILL');">L'he matat</button>
@@ -125,10 +108,10 @@
</div>
<?php
- $query_seen_victim = "SELECT COUNT(*) FROM missatges WHERE `seen` = 0 AND (`receiver_id` = " . $user->id . " AND `sender_id` = " . $user->quimata . ")";
- $query_seen_killer = "SELECT COUNT(*) FROM missatges WHERE `seen` = 0 AND (`receiver_id` = " . $user->id . " AND `sender_id` != " . $user->quimata . ")";
+ $query_seen_victim = "SELECT COUNT(*) FROM missatges WHERE `seen` = 0 AND (`receiver_id` = " . (int)$user->id . " AND `sender_id` = " . (int)$user->quimata . ")";
+ $query_seen_killer = "SELECT COUNT(*) FROM missatges WHERE `seen` = 0 AND (`receiver_id` = " . (int)$user->id . " AND `sender_id` != " . (int)$user->quimata . ")";
?>
-
+
<div>
<p>Podeu posar aquesta pàgina com a icona apretant el botó de "Add to Home Screen" del vostre navegador.</p>
<a href="./ranking.php">Anar al rànquing</a><br />