From e16d63609ebb0901468b8cf3ba57406bf21ec502 Mon Sep 17 00:00:00 2001 From: Unknown Date: Tue, 13 Feb 2018 15:50:13 -0800 Subject: [PATCH 01/30] Account Creation/Login changes When account is created, password is now hashed and stored in the db. Account login checks for the hash in the db to verify. --- Server PHP/accountFunctions.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 5278d70..b6822b6 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -18,8 +18,10 @@ function createAccount($email, $username, $password, $sock) { $check_username = "SELECT * FROM UserInfo WHERE Username = '$username'"; $check_email = "SELECT * FROM UserInfo WHERE Email = '$email'"; + $passwordHash = password_hash($password, PASSWORD_DEFAULT); + //Insert Query - $insert = "INSERT INTO UserInfo (Username, Pass, Email) VALUES ('$username', '$password', '$email')"; + $insert = "INSERT INTO UserInfo (Username, Pass, Email) VALUES ('$username', '$passwordHash', '$email')"; if (($username_exists = checkExists($connection, $check_username)) > 0) { //returns failcase of username existing. $message = "FAILUsername exists, please try again."; @@ -49,7 +51,7 @@ function loginAccount($username, $password, $sock) { //Checks if username exists before attempting to login, will return error otherwise. if (($username_exists = checkExists($connection, $check_username)) > 0) { $checkPass = getObjString($connection, $check_password)->Pass; - if ($checkPass == $password) { + if (password_verify($password, $checkPass)) { $resultEmail = getObjString($connection, $check_email)->Email; $message = "SUCC{$resultEmail}"; //Successful if matches and writes back email belonging to user for UI sendMessage($message, $sock); From 7a9d882721ab8163067a19f09ecb13166f7da871 Mon Sep 17 00:00:00 2001 From: Unknown Date: Tue, 20 Feb 2018 15:04:35 -0800 Subject: [PATCH 02/30] Send email with recover username Recover username will now send the username of the email to that email. flash cards were updated with = instead of == --- Server PHP/accountFunctions.php | 18 ++++++++++-------- Server PHP/flashCardFunctions.php | 8 ++++---- Server PHP/sendEmail.php | 11 +++++++++++ 3 files changed, 25 insertions(+), 12 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index b6822b6..4a4d8c9 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -105,7 +105,6 @@ function changePassword($username, $password, $sock) { // unfinised account recovery using email method. outdated, unused, unloved function recoverAccount($email, $password, $sock) { $connection = connectAccount(); - //check if email exists before attempting to send recovery email, will return error otherwise. $check_email = "SELECT Email FROM UserInfo WHERE Email = '$email'"; $change_password = "UPDATE UserInfo SET Pass= '$newPass' WHERE Email = '$email'"; @@ -133,17 +132,20 @@ function recoverAccount($email, $password, $sock) { // takes users email, returns users username. function rememberUsername ($email, $sock) { $connection = connectAccount(); - $find_user = "SELECT Username FROM UserInfo WHERE Email = '$email'"; //finds a username tied to a email - $resultUser = mysqli_query($connection, $find_user); //runs find_user - $obj = $resultUser->fetch_object(); - $returnUser = $obj->Username; // returnUser == return value of find_user - $message = "SUCC{$returnUser}"; - sendMessage($message, $socket); - + if(checkExists($connection, $find_user) > 0) { + $returnUser = getObjString($connection, $find_user)->Username; + $message = "SUCC"; + sendMessage($message, $sock); + sendVerEmail($email, $returnUser); + } + else { + fwrite($sock, "FAIL\n"); + } disconnect($connection); } + // recovery option for remembering a password, sends a recovery email function rememberPassword ($username, $email, $sock) { $connection = connectAccount(); diff --git a/Server PHP/flashCardFunctions.php b/Server PHP/flashCardFunctions.php index 4a01a36..1581c9e 100755 --- a/Server PHP/flashCardFunctions.php +++ b/Server PHP/flashCardFunctions.php @@ -13,11 +13,11 @@ function updateFlashCards($connection, $ip, $clients, $groupID, $sock) { //RETURN FRONT SIDE AND BACK SIDE for($i= 0; $i<2; $i++){ if($i == 0){ - $side == 'side1'; + $side = 'side1'; $code = 'FCFT'; } else if($i == 1){ - $side == 'side2'; + $side = 'side2'; $code = 'FCBK'; } $return_FlashCards = "SELECT id, $side @@ -101,10 +101,10 @@ function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) { $keySock = $clientList[$keyIP]->getSocket(); $FlashCards = "$groupID $returnID $message"; if($side == 'side1'){ - $clientMessage == "FCFT$FlashCards"; + $clientMessage = "FCFT$FlashCards"; } else if($side == 'side2'){ - $clientMessage == "FCBK$FlashCards"; + $clientMessage = "FCBK$FlashCards"; } sendMessage($clientMessage, $keySock); }// end while loop diff --git a/Server PHP/sendEmail.php b/Server PHP/sendEmail.php index 14c8e3a..1876c1b 100644 --- a/Server PHP/sendEmail.php +++ b/Server PHP/sendEmail.php @@ -31,5 +31,16 @@ function recPWEmail($email, $user, $pass){ } +function sendVerEmail($email, $user){ + $to = "$email"; + $subject = "StudyGroup Username Requested!"; + $body = "Hello, you recently requested the username belong to this email: $email.\n\nThe username associated with this account is: $user.\n\nThank you for using our software, and be on the lookout for new StudyGroupPro++ Limited Release DLC Platinum Package which now allows you to resize the window!"; + if (mail($to, $subject, $body)) { + echo("

Email successfully sent!

"); + } else { + echo("

Email delivery failed…

"); + } +} + ?> From cf477b18d06b7863059fcde42e57cc7da303664b Mon Sep 17 00:00:00 2001 From: Unknown Date: Sun, 25 Feb 2018 20:43:56 -0800 Subject: [PATCH 03/30] SUCC and FAIL message implement New messages sent to client after searching for email in database and sending email to that address --- Server PHP/accountFunctions.php | 4 +- Server PHP/flashCardFunctions.php | 66 ++++++++++++++++--------------- 2 files changed, 37 insertions(+), 33 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 4a4d8c9..63025ec 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -135,12 +135,12 @@ function rememberUsername ($email, $sock) { $find_user = "SELECT Username FROM UserInfo WHERE Email = '$email'"; //finds a username tied to a email if(checkExists($connection, $find_user) > 0) { $returnUser = getObjString($connection, $find_user)->Username; - $message = "SUCC"; + $message = "SUCC1Email has been sent with your username. Make sure to check your spam folder!\n"; sendMessage($message, $sock); sendVerEmail($email, $returnUser); } else { - fwrite($sock, "FAIL\n"); + fwrite($sock, "FAILNo username found with that email. Try again!"); } disconnect($connection); } diff --git a/Server PHP/flashCardFunctions.php b/Server PHP/flashCardFunctions.php index 1581c9e..bef941a 100755 --- a/Server PHP/flashCardFunctions.php +++ b/Server PHP/flashCardFunctions.php @@ -37,10 +37,9 @@ function updateFlashCards($connection, $ip, $clients, $groupID, $sock) { } //closes query for loop } //closes front/back for loop disconnect($connection); - - }//Close function + function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) { $side = "side" . "$side"; $connection = connectGroup(); @@ -53,6 +52,10 @@ function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) { $username = mysqli_real_escape_string($connection, $username); $message = mysqli_real_escape_string($connection, $message); $groupID = mysqli_real_escape_string($connection, $groupID); + + $unescMessage = stripslashes($message); + $unescGroupID = stripslashes($groupID); + $flashGroupID = "$groupID" . "FC"; $return_ipList = "SELECT ipAddress FROM $groupID WHERE ipAddress IS NOT NULL"; $resultIP = mysqli_query($connection, $return_ipList); //Returns list of current IP addresses i.e. current user list connected. @@ -61,29 +64,29 @@ function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) { // Check to see if the id for this card exists already $check_card = "SELECT * FROM $flashGroupID WHERE (id='$num')"; if (checkExists($connection, $check_card) > 0){ - echo "Card exists already "; + echo "Card exists already \n"; $update = "UPDATE $flashGroupID SET user= '$username', $side='$message' WHERE (id='$num')"; mysqli_query($connection, $update); $NewID = "SELECT id FROM $flashGroupID WHERE (user='$username' AND $side='$message')"; $returnID = getObjString($connection, $NewID)->id; $returnID = $returnID -1; - $clientMessage = "SUCC{$returnID}"; + /*$clientMessage = "SUCC{$returnID}"; sendMessage($clientMessage, $sock); - echo "$clientMessage \n"; + //echo "$clientMessage \n";*/ - while($rowIP = mysqli_fetch_array($resultIP)){ - $keyIP = $rowIP[0]; - $keySock = $clientList[$keyIP]->getSocket(); - $FlashCards = "$groupID $returnID $message"; - if($side == 'side1'){ - $clientMessage = "FCFT$FlashCards"; - } - else if($side == 'side2'){ - $clientMessage = "FCBK$FlashCards"; - } - sendMessage($clientMessage, $keySock); - } //Closes while loop + while($rowIP = mysqli_fetch_array($resultIP)){ + $keyIP = $rowIP[0]; + $keySock = $clientList[$keyIP]->getSocket(); + $FlashCards = "$unescGroupID $returnID $unescMessage"; + if($side == 'side1'){ + $clientMessage = "FCFT$FlashCards"; + } + else if($side == 'side2'){ + $clientMessage = "FCBK$FlashCards"; + } + sendMessage($clientMessage, $keySock); + } //Closes while loop }//Closes outer if statement else{ @@ -92,24 +95,25 @@ function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) { $returnID = getObjString($connection, $NewID)->id; $returnID = $returnID -1; //echo "returnID is: $returnID\n\n"; - $clientMessage = "SUCC{$returnID}"; + /*$clientMessage = "SUCC{$returnID}"; //echo "clientMessage is: $clientMessage\n\n"; - sendMessage($clientMessage, $sock); + sendMessage($clientMessage, $sock);*/ -while($rowIP = mysqli_fetch_array($resultIP)){ - $keyIP = $rowIP[0]; - $keySock = $clientList[$keyIP]->getSocket(); - $FlashCards = "$groupID $returnID $message"; - if($side == 'side1'){ - $clientMessage = "FCFT$FlashCards"; - } - else if($side == 'side2'){ - $clientMessage = "FCBK$FlashCards"; - } - sendMessage($clientMessage, $keySock); -}// end while loop + while($rowIP = mysqli_fetch_array($resultIP)){ + $keyIP = $rowIP[0]; + $keySock = $clientList[$keyIP]->getSocket(); + $FlashCards = "$unescGroupID $returnID $unescMessage"; + if($side == 'side1'){ + $clientMessage = "FCFT$FlashCards"; + } + else if($side == 'side2'){ + $clientMessage = "FCBK$FlashCards"; + } + sendMessage($clientMessage, $keySock); + }// end while loop } // end else bracket disconnect($connection); }//close function + ?> From 5b5bf746a30439eae1cd968c387e3b3dd8b58d82 Mon Sep 17 00:00:00 2001 From: Unknown Date: Sun, 25 Feb 2018 20:52:23 -0800 Subject: [PATCH 04/30] new sendMessage last version still had an fwrite instead of sendMessage function --- Server PHP/accountFunctions.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 63025ec..e477a30 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -140,7 +140,8 @@ function rememberUsername ($email, $sock) { sendVerEmail($email, $returnUser); } else { - fwrite($sock, "FAILNo username found with that email. Try again!"); + $message = "FAILNo username found with that email. Try again!"); + sendMessage($message, $sock); } disconnect($connection); } From da6311509ba98092103d3960d1491b3f10a13484 Mon Sep 17 00:00:00 2001 From: Unknown Date: Sun, 25 Feb 2018 20:53:54 -0800 Subject: [PATCH 05/30] derp left an extra character in $message --- Server PHP/accountFunctions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index e477a30..f2aae44 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -140,7 +140,7 @@ function rememberUsername ($email, $sock) { sendVerEmail($email, $returnUser); } else { - $message = "FAILNo username found with that email. Try again!"); + $message = "FAILNo username found with that email. Try again!\n"; sendMessage($message, $sock); } disconnect($connection); From 1bbc6ef700e123ee2a76903965ad9a8a0aa908d3 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 00:22:44 -0800 Subject: [PATCH 06/30] Set and get recovery questions/answers All new file with functions to set and retrieve security questions and answers from db --- Server PHP/accountFunctions.php | 6 ++- Server PHP/flashCardFunctions.php | 1 - Server PHP/securityQuestions.php | 79 +++++++++++++++++++++++++++++++ Server PHP/server.php | 12 +++++ 4 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 Server PHP/securityQuestions.php diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index f2aae44..b5d4c32 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -20,8 +20,12 @@ function createAccount($email, $username, $password, $sock) { $passwordHash = password_hash($password, PASSWORD_DEFAULT); + $defaultQ1 = "What_is_your_mother's_maiden_name?"; + $defaultQ2 = "What_is_the_name_of_the_street_you_grew_up_on?"; + $defaultQ3 = "What_was_the_name_of_your_first_pet?"; + //Insert Query - $insert = "INSERT INTO UserInfo (Username, Pass, Email) VALUES ('$username', '$passwordHash', '$email')"; + $insert = "INSERT INTO UserInfo (Username, Pass, Email, SQ1, SQ2, SQ3) VALUES ('$username', '$passwordHash', '$email', '$defaultQ1', '$defaultQ2', '$defaultQ3')"; if (($username_exists = checkExists($connection, $check_username)) > 0) { //returns failcase of username existing. $message = "FAILUsername exists, please try again."; diff --git a/Server PHP/flashCardFunctions.php b/Server PHP/flashCardFunctions.php index bef941a..8524723 100755 --- a/Server PHP/flashCardFunctions.php +++ b/Server PHP/flashCardFunctions.php @@ -3,7 +3,6 @@ include_once 'utilityFunctions.php'; include_once 'groupFunctions.php'; include_once 'whiteboardFunctions.php'; -include_once 'utilityFunctions.php'; diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php new file mode 100644 index 0000000..d7c33ee --- /dev/null +++ b/Server PHP/securityQuestions.php @@ -0,0 +1,79 @@ + diff --git a/Server PHP/server.php b/Server PHP/server.php index ef0ab1e..922c9ec 100755 --- a/Server PHP/server.php +++ b/Server PHP/server.php @@ -208,6 +208,18 @@ case "FCFT": addToCard($codeMessage[0], $codeMessage[1], $codeMessage[2], $client, $clientList, $sock, 1); // 0 = groupID 1 = card id 2 = message break; + case "REQQ": + reqSecQuest($client, $sock); + break; + case "REQA": + reqSecAns($client, $sock); + break; + case "SETQ": + setSecQuest($client, $codeMessage[0], $codeMessage[1], $codeMessage[2], $sock); // 0 = question 1, 1 = question 2, 2 = question 3 + break; + case "SETA": + setSecAns($client, $codeMessage[0], $codeMessage[1], $codeMessage[2], $sock); // 0 = answer 1, 1 = answer 2, 2 = answer 3 + break; }//Switch Statement }//Closes else }//Closes foreach From 8be0c297748d534ed308294361b6c1f28f9f80d5 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 00:36:37 -0800 Subject: [PATCH 07/30] testing issue with CACC create account having some issues so I reverted it by removing the hard coded security questions to see if my changes were the issue --- Server PHP/accountFunctions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index b5d4c32..d795fa0 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -25,7 +25,7 @@ function createAccount($email, $username, $password, $sock) { $defaultQ3 = "What_was_the_name_of_your_first_pet?"; //Insert Query - $insert = "INSERT INTO UserInfo (Username, Pass, Email, SQ1, SQ2, SQ3) VALUES ('$username', '$passwordHash', '$email', '$defaultQ1', '$defaultQ2', '$defaultQ3')"; + $insert = "INSERT INTO UserInfo (Username, Pass, Email) VALUES ('$username', '$passwordHash', '$email')"; if (($username_exists = checkExists($connection, $check_username)) > 0) { //returns failcase of username existing. $message = "FAILUsername exists, please try again."; From a90c5913902976e17d6dfa1407a8e5c9f5c49b1a Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 00:47:34 -0800 Subject: [PATCH 08/30] debug for create account included error debug for create account insertion to find mistake --- Server PHP/accountFunctions.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index d795fa0..e0677c6 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -25,7 +25,7 @@ function createAccount($email, $username, $password, $sock) { $defaultQ3 = "What_was_the_name_of_your_first_pet?"; //Insert Query - $insert = "INSERT INTO UserInfo (Username, Pass, Email) VALUES ('$username', '$passwordHash', '$email')"; + $insert = "INSERT INTO UserInfo (Username, Pass, Email, SQ1, SQ2, SQ3) VALUES ('$username', '$passwordHash', '$email', '$defaultQ1', '$defaultQ2', '$defaultQ3')"; if (($username_exists = checkExists($connection, $check_username)) > 0) { //returns failcase of username existing. $message = "FAILUsername exists, please try again."; @@ -41,6 +41,9 @@ function createAccount($email, $username, $password, $sock) { sendMessage($message, $sock); sendRegEmail($email); } + else { + echo("Error description: " . mysqli_error($connection)); + } } disconnect($connection); } From 8f6f8c365e8df32d6b7f705f4d8586d41c1c6084 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 00:49:49 -0800 Subject: [PATCH 09/30] escape string hotfix hardcoded questions were not being escape stringed. fixed that --- Server PHP/accountFunctions.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index e0677c6..0104dde 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -24,6 +24,10 @@ function createAccount($email, $username, $password, $sock) { $defaultQ2 = "What_is_the_name_of_the_street_you_grew_up_on?"; $defaultQ3 = "What_was_the_name_of_your_first_pet?"; + $defaultQ1 = mysqli_real_escape_string($defaultQ1); + $defaultQ2 = mysqli_real_escape_string($defaultQ2); + $defaultQ3 = mysqli_real_escape_string($defaultQ3); + //Insert Query $insert = "INSERT INTO UserInfo (Username, Pass, Email, SQ1, SQ2, SQ3) VALUES ('$username', '$passwordHash', '$email', '$defaultQ1', '$defaultQ2', '$defaultQ3')"; From acd831d2f48559caf1af593ffcf8a7d6cfa2bab0 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 00:52:01 -0800 Subject: [PATCH 10/30] include new security q file forgot to include_once new security questions files and functions --- Server PHP/server.php | 1 + 1 file changed, 1 insertion(+) diff --git a/Server PHP/server.php b/Server PHP/server.php index 922c9ec..051c1ce 100755 --- a/Server PHP/server.php +++ b/Server PHP/server.php @@ -4,6 +4,7 @@ include_once 'flashCardFunctions.php'; include_once 'whiteboardFunctions.php'; include_once 'utilityFunctions.php'; +include_once 'securityQuestions.php'; $server = stream_socket_server("tcp://0.0.0.0:9001", $errno, $errorMessage); //AWS EC2 server From b87a9a2faea17b01daa45661cdae579b9d0338cb Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 00:54:28 -0800 Subject: [PATCH 11/30] sql insert hotfix needed to include $connection in escape string query --- Server PHP/accountFunctions.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 0104dde..5b63e6f 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -24,9 +24,9 @@ function createAccount($email, $username, $password, $sock) { $defaultQ2 = "What_is_the_name_of_the_street_you_grew_up_on?"; $defaultQ3 = "What_was_the_name_of_your_first_pet?"; - $defaultQ1 = mysqli_real_escape_string($defaultQ1); - $defaultQ2 = mysqli_real_escape_string($defaultQ2); - $defaultQ3 = mysqli_real_escape_string($defaultQ3); + $defaultQ1 = mysqli_real_escape_string($connection, $defaultQ1); + $defaultQ2 = mysqli_real_escape_string($connection, $defaultQ2); + $defaultQ3 = mysqli_real_escape_string($connection, $defaultQ3); //Insert Query $insert = "INSERT INTO UserInfo (Username, Pass, Email, SQ1, SQ2, SQ3) VALUES ('$username', '$passwordHash', '$email', '$defaultQ1', '$defaultQ2', '$defaultQ3')"; From 570184a3cc5aa27062d3f0daea6e8d2a99836ad3 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:01:56 -0800 Subject: [PATCH 12/30] duh username was not accessed via getName method. fixed that --- Server PHP/securityQuestions.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index d7c33ee..4cc372b 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -5,8 +5,9 @@ include_once 'sendEmail.php'; -function reqSecQuest($username, $sock) { +function reqSecQuest($user, $sock) { $connection = connectAccount(); + $username = $user->getName(); $q1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; $q2 = "SELECT SQ2 FROM UserInfo WHERE Username = '$username'"; $q3 = "SELECT SQ3 FROM UserInfo WHERE Username = '$username'"; @@ -18,8 +19,9 @@ function reqSecQuest($username, $sock) { //might actually not need this function but i'm leaving it for now -function reqSecAns($username, $sock) { +function reqSecAns($user, $sock) { $connection = connectAccount(); + $username = $user->getName(); $a1 = "SELECT SQA1 FROM UserInfo WHERE Username = '$username'"; $a2 = "SELECT SQA2 FROM UserInfo WHERE Username = '$username'"; $a3 = "SELECT SQA3 FROM UserInfo WHERE Username = '$username'"; @@ -29,8 +31,9 @@ function reqSecAns($username, $sock) { disconnect($connection); } -function setSecQuest($username, $q1, $q2, $q3, $sock) { +function setSecQuest($user, $q1, $q2, $q3, $sock) { $connection = connectAccount(); + $username = $user->getName(); /*will only need these if client sends the server questions without spaces, but probably will not need $q1_nospaces = str_replace(' ','_',$q1); $q2_nospaces = str_replace(' ','_',$q2); @@ -50,8 +53,9 @@ function setSecQuest($username, $q1, $q2, $q3, $sock) { -function setSecAns($username, $a1, $a2, $a3, $sock) { +function setSecAns($user, $a1, $a2, $a3, $sock) { $connection = connectAccount(); + $username = $user->getName(); /*will only need these if client sends the server questions without spaces, but probably will not need $q1_nospaces = str_replace(' ','_',$q1); $q2_nospaces = str_replace(' ','_',$q2); From c3299a617cecad708648321a9ea8274456ed949b Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:10:57 -0800 Subject: [PATCH 13/30] question query fix questions were not being queried properly. fixed that --- Server PHP/securityQuestions.php | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 4cc372b..37ceb32 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -8,9 +8,14 @@ function reqSecQuest($user, $sock) { $connection = connectAccount(); $username = $user->getName(); - $q1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; - $q2 = "SELECT SQ2 FROM UserInfo WHERE Username = '$username'"; - $q3 = "SELECT SQ3 FROM UserInfo WHERE Username = '$username'"; + $query1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; + $query2 = "SELECT SQ2 FROM UserInfo WHERE Username = '$username'"; + $query3 = "SELECT SQ3 FROM UserInfo WHERE Username = '$username'"; + + $q1 = mysqli_query($connection, $query1); + $q2 = mysqli_query($connection, $query2); + $q3 = mysqli_query($connection, $query3); + $message = "REQQ$q1 $q2 $q3"; sendMessage($message, $sock); @@ -22,9 +27,13 @@ function reqSecQuest($user, $sock) { function reqSecAns($user, $sock) { $connection = connectAccount(); $username = $user->getName(); - $a1 = "SELECT SQA1 FROM UserInfo WHERE Username = '$username'"; - $a2 = "SELECT SQA2 FROM UserInfo WHERE Username = '$username'"; - $a3 = "SELECT SQA3 FROM UserInfo WHERE Username = '$username'"; + $query1 = "SELECT SQA1 FROM UserInfo WHERE Username = '$username'"; + $query2 = "SELECT SQA2 FROM UserInfo WHERE Username = '$username'"; + $query3 = "SELECT SQA3 FROM UserInfo WHERE Username = '$username'"; + + $a1 = mysqli_query($connection, $query1); + $a2 = mysqli_query($connection, $query2); + $a3 = mysqli_query($connection, $query3); $message = "REQA$a1 $a2 $a3"; sendMessage($message, $sock); From 6135791a37771c77e2f8267f4ed77944143528a3 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:16:49 -0800 Subject: [PATCH 14/30] echo debug added echo debug for security question queries --- Server PHP/securityQuestions.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 37ceb32..5a0c298 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -13,9 +13,11 @@ function reqSecQuest($user, $sock) { $query3 = "SELECT SQ3 FROM UserInfo WHERE Username = '$username'"; $q1 = mysqli_query($connection, $query1); + echo "q1 is: $q1\n\n"; $q2 = mysqli_query($connection, $query2); + echo "q2 is: $q2\n\n"; $q3 = mysqli_query($connection, $query3); - + echo "q3 is: $q3\n\n"; $message = "REQQ$q1 $q2 $q3"; sendMessage($message, $sock); From ea428f02137b47240e600b974bc965b8e0b711d8 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:23:57 -0800 Subject: [PATCH 15/30] query hotfix query was returning object instead of string. used correct function to return strings --- Server PHP/securityQuestions.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 5a0c298..25b45d7 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -12,12 +12,18 @@ function reqSecQuest($user, $sock) { $query2 = "SELECT SQ2 FROM UserInfo WHERE Username = '$username'"; $query3 = "SELECT SQ3 FROM UserInfo WHERE Username = '$username'"; + /* not working for now, think it's a getobj string error $q1 = mysqli_query($connection, $query1); echo "q1 is: $q1\n\n"; $q2 = mysqli_query($connection, $query2); echo "q2 is: $q2\n\n"; $q3 = mysqli_query($connection, $query3); echo "q3 is: $q3\n\n"; + */ + + $q1 = getObjString($connection, $query1)->SQ1; + $q2 = getObjString($connection, $query2)->SQ2; + $q3 = getObjString($connection, $query3)->SQ3; $message = "REQQ$q1 $q2 $q3"; sendMessage($message, $sock); @@ -33,9 +39,9 @@ function reqSecAns($user, $sock) { $query2 = "SELECT SQA2 FROM UserInfo WHERE Username = '$username'"; $query3 = "SELECT SQA3 FROM UserInfo WHERE Username = '$username'"; - $a1 = mysqli_query($connection, $query1); - $a2 = mysqli_query($connection, $query2); - $a3 = mysqli_query($connection, $query3); + $a1 = getObjString($connection, $query1)->SQA1; + $a2 = getObjString($connection, $query2)->SQA2; + $a3 = getObjString($connection, $query3)->SQA3; $message = "REQA$a1 $a2 $a3"; sendMessage($message, $sock); From ef64a261bd80b95b867253e86ad68df33e4cafa1 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:30:19 -0800 Subject: [PATCH 16/30] more echo debugs --- Server PHP/securityQuestions.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 25b45d7..5d66c2d 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -22,8 +22,11 @@ function reqSecQuest($user, $sock) { */ $q1 = getObjString($connection, $query1)->SQ1; + echo "This is q1: $q1\n\n"; $q2 = getObjString($connection, $query2)->SQ2; + echo "This is q2: $q2\n\n"; $q3 = getObjString($connection, $query3)->SQ3; + echo "This is q3: $q3\n\n"; $message = "REQQ$q1 $q2 $q3"; sendMessage($message, $sock); From 5b226c532092c48ad02c4ad3ed4f60854054bff1 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:36:14 -0800 Subject: [PATCH 17/30] way too sleepy --- Server PHP/securityQuestions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 5d66c2d..cd3cafe 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -28,7 +28,7 @@ function reqSecQuest($user, $sock) { $q3 = getObjString($connection, $query3)->SQ3; echo "This is q3: $q3\n\n"; - $message = "REQQ$q1 $q2 $q3"; + $message = "REQQ{$q1} {$q2} {$q3}"; sendMessage($message, $sock); disconnect($connection); } From 7fef8304f54bafd1b1a4db63cbc05e91aa3bd8ae Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:45:35 -0800 Subject: [PATCH 18/30] debugs galore --- Server PHP/securityQuestions.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index cd3cafe..92e26c7 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -8,6 +8,7 @@ function reqSecQuest($user, $sock) { $connection = connectAccount(); $username = $user->getName(); + echo "the username input to the function is: $username"; $query1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; $query2 = "SELECT SQ2 FROM UserInfo WHERE Username = '$username'"; $query3 = "SELECT SQ3 FROM UserInfo WHERE Username = '$username'"; @@ -22,11 +23,11 @@ function reqSecQuest($user, $sock) { */ $q1 = getObjString($connection, $query1)->SQ1; - echo "This is q1: $q1\n\n"; + echo "This is q1:" . "$q1"; $q2 = getObjString($connection, $query2)->SQ2; - echo "This is q2: $q2\n\n"; + echo "This is q2: {$q2}\n\n"; $q3 = getObjString($connection, $query3)->SQ3; - echo "This is q3: $q3\n\n"; + echo "This is q3: {$q3}\n\n"; $message = "REQQ{$q1} {$q2} {$q3}"; sendMessage($message, $sock); From a262f1a8fe1666d75327e6eae26571e7cd495b02 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 01:54:36 -0800 Subject: [PATCH 19/30] server username access fix was trying to access username via client, but can't access since user is not logged in --- Server PHP/server.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Server PHP/server.php b/Server PHP/server.php index 051c1ce..2332694 100755 --- a/Server PHP/server.php +++ b/Server PHP/server.php @@ -210,10 +210,10 @@ addToCard($codeMessage[0], $codeMessage[1], $codeMessage[2], $client, $clientList, $sock, 1); // 0 = groupID 1 = card id 2 = message break; case "REQQ": - reqSecQuest($client, $sock); + reqSecQuest($codeMessage[0], $sock); // code[0] is username because user is not logged in yet so can't access via client break; case "REQA": - reqSecAns($client, $sock); + reqSecAns($codeMessage[0], $sock); // code[0] is username because user is not logged in yet so can't access via client break; case "SETQ": setSecQuest($client, $codeMessage[0], $codeMessage[1], $codeMessage[2], $sock); // 0 = question 1, 1 = question 2, 2 = question 3 From 1d6c60f100e2c044a774a0dc67c31977ef93b9d3 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 26 Feb 2018 02:01:46 -0800 Subject: [PATCH 20/30] server file parameters changed how security questions are called with username now --- Server PHP/securityQuestions.php | 14 +++++++------- Server PHP/server.php | 7 +++++-- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 92e26c7..923c26b 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -7,7 +7,7 @@ function reqSecQuest($user, $sock) { $connection = connectAccount(); - $username = $user->getName(); + $username = $user; echo "the username input to the function is: $username"; $query1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; $query2 = "SELECT SQ2 FROM UserInfo WHERE Username = '$username'"; @@ -23,11 +23,11 @@ function reqSecQuest($user, $sock) { */ $q1 = getObjString($connection, $query1)->SQ1; - echo "This is q1:" . "$q1"; + echo "This is q1: " . "$q1\n"; $q2 = getObjString($connection, $query2)->SQ2; - echo "This is q2: {$q2}\n\n"; + //echo "This is q2: {$q2}\n\n"; $q3 = getObjString($connection, $query3)->SQ3; - echo "This is q3: {$q3}\n\n"; + //echo "This is q3: {$q3}\n\n"; $message = "REQQ{$q1} {$q2} {$q3}"; sendMessage($message, $sock); @@ -38,7 +38,7 @@ function reqSecQuest($user, $sock) { //might actually not need this function but i'm leaving it for now function reqSecAns($user, $sock) { $connection = connectAccount(); - $username = $user->getName(); + $username = $user; $query1 = "SELECT SQA1 FROM UserInfo WHERE Username = '$username'"; $query2 = "SELECT SQA2 FROM UserInfo WHERE Username = '$username'"; $query3 = "SELECT SQA3 FROM UserInfo WHERE Username = '$username'"; @@ -54,7 +54,7 @@ function reqSecAns($user, $sock) { function setSecQuest($user, $q1, $q2, $q3, $sock) { $connection = connectAccount(); - $username = $user->getName(); + $username = $user; /*will only need these if client sends the server questions without spaces, but probably will not need $q1_nospaces = str_replace(' ','_',$q1); $q2_nospaces = str_replace(' ','_',$q2); @@ -76,7 +76,7 @@ function setSecQuest($user, $q1, $q2, $q3, $sock) { function setSecAns($user, $a1, $a2, $a3, $sock) { $connection = connectAccount(); - $username = $user->getName(); + $username = $user; /*will only need these if client sends the server questions without spaces, but probably will not need $q1_nospaces = str_replace(' ','_',$q1); $q2_nospaces = str_replace(' ','_',$q2); diff --git a/Server PHP/server.php b/Server PHP/server.php index 2332694..25484a2 100755 --- a/Server PHP/server.php +++ b/Server PHP/server.php @@ -156,6 +156,9 @@ if ($code == "GCHT" || $code == "SVWB") { $limit = 2; } + elseif ($code == "SETQ" || $code == "SETA") { + $limit = 4; + } $codeMessage = explode(" ", $msg, $limit); //Puts message into array switch($code) { @@ -216,10 +219,10 @@ reqSecAns($codeMessage[0], $sock); // code[0] is username because user is not logged in yet so can't access via client break; case "SETQ": - setSecQuest($client, $codeMessage[0], $codeMessage[1], $codeMessage[2], $sock); // 0 = question 1, 1 = question 2, 2 = question 3 + setSecQuest($codeMessage[0], $codeMessage[1], $codeMessage[2], $codeMessage[3], $sock); // 0 = username, 1 = question 1, 2 = question 2, 3 = question 3 break; case "SETA": - setSecAns($client, $codeMessage[0], $codeMessage[1], $codeMessage[2], $sock); // 0 = answer 1, 1 = answer 2, 2 = answer 3 + setSecAns($codeMessage[0], $codeMessage[1], $codeMessage[2], $codeMessage[3], $sock); // 0 = username, 1 = answer 1, 2 = answer 2, 3 = answer 3 break; }//Switch Statement }//Closes else From 4b3d01dfa2718f471174eaac98c3b5f470255f7a Mon Sep 17 00:00:00 2001 From: Unknown Date: Thu, 1 Mar 2018 21:59:02 -0800 Subject: [PATCH 21/30] small changes changed server code for username recovery email being sent. escape string for sec question answer hashes before writing to db --- Server PHP/accountFunctions.php | 3 ++- Server PHP/securityQuestions.php | 23 ++++++++++++++++++++--- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 5b63e6f..43af5f2 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -146,7 +146,8 @@ function rememberUsername ($email, $sock) { $find_user = "SELECT Username FROM UserInfo WHERE Email = '$email'"; //finds a username tied to a email if(checkExists($connection, $find_user) > 0) { $returnUser = getObjString($connection, $find_user)->Username; - $message = "SUCC1Email has been sent with your username. Make sure to check your spam folder!\n"; +// $message = "SUCC1Email has been sent with your username. Make sure to check your spam folder!\n"; + $message = "RUSRSUCC Email has been sent with your username. Make sure to check your spam folder!\n"; sendMessage($message, $sock); sendVerEmail($email, $returnUser); } diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 923c26b..73191aa 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -89,9 +89,11 @@ function setSecAns($user, $a1, $a2, $a3, $sock) { $escA3 = mysqli_real_escape_string($connection, $a3); */ - $a1Hash = password_hash($a1, PASSWORD_DEFAULT); - $a2Hash = password_hash($a2, PASSWORD_DEFAULT); - $a3Hash = password_hash($a3, PASSWORD_DEFAULT); + $a1Hash = mysqli_real_escape_string($connection, password_hash($a1, PASSWORD_DEFAULT)); + $a2Hash = mysqli_real_escape_string($connection, password_hash($a2, PASSWORD_DEFAULT)); + $a3Hash = mysqli_real_escape_string($connection, password_hash($a3, PASSWORD_DEFAULT)); + + $query = "UPDATE UserInfo SET SQA1='$a1Hash', SET SQA2='$a2Hash', SET SQA3='$a3Hash' WHERE Username = '$username'"; if (!mysqli_query($connection, $query)) { @@ -101,4 +103,19 @@ function setSecAns($user, $a1, $a2, $a3, $sock) { } +/* +function generateRecCode() { + + +} + + +function verifyCode($user, $code) { + + + + +} +*/ + ?> From e687618698cd9d91c2db743d3630c741a0d36789 Mon Sep 17 00:00:00 2001 From: Unknown Date: Sun, 4 Mar 2018 00:18:24 -0800 Subject: [PATCH 22/30] testing recovery code added new function to send email with recovery code and store that same code in the db. testing.php file is just to call it without UI --- Server PHP/sendEmail.php | 69 +++++++++++++++++++++++++++++----------- Server PHP/testing.php | 52 ++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+), 19 deletions(-) create mode 100644 Server PHP/testing.php diff --git a/Server PHP/sendEmail.php b/Server PHP/sendEmail.php index 1876c1b..9b1068e 100644 --- a/Server PHP/sendEmail.php +++ b/Server PHP/sendEmail.php @@ -2,14 +2,15 @@ function sendRegEmail($email){ - $to = "$email"; - $subject = "Welcome to StudyGroup!"; - $body = "Hi,\n\nHow are you? \nThis is a confirmation email letting you know that your account $email has been created."; - if (mail($to, $subject, $body)) { - echo("

Email successfully sent!

"); - } else { - echo("

Email delivery failed…

"); - } + $to = "$email"; + $subject = "Welcome to StudyGroup!"; + $body = "Hi,\n\nHow are you? \nThis is a confirmation email letting you know that your account $email has been created."; + if (mail($to, $subject, $body)) { + echo("

Email successfully sent!

"); + } + else { + echo("

Email delivery failed…

"); + } } function recPWEmail($email, $user, $pass){ @@ -22,9 +23,10 @@ function recPWEmail($email, $user, $pass){ $body .= ""; //success kid $body .= ""; if (mail($to, $subject, $body, $headers)) { - echo("

Email successfully sent!

"); - } else { - echo("

Email delivery failed…

"); + echo("

Email successfully sent!

"); + } + else { + echo("

Email delivery failed…

"); } @@ -32,15 +34,44 @@ function recPWEmail($email, $user, $pass){ } function sendVerEmail($email, $user){ - $to = "$email"; - $subject = "StudyGroup Username Requested!"; - $body = "Hello, you recently requested the username belong to this email: $email.\n\nThe username associated with this account is: $user.\n\nThank you for using our software, and be on the lookout for new StudyGroupPro++ Limited Release DLC Platinum Package which now allows you to resize the window!"; - if (mail($to, $subject, $body)) { - echo("

Email successfully sent!

"); - } else { - echo("

Email delivery failed…

"); - } + $to = "$email"; + $subject = "StudyGroup Username Requested!"; + $body = "Hello, you recently requested the username belong to this email: $email.\n\nThe username associated with this account is: $user.\n\nThank you for using our software, and be on the lookout for new StudyGroupPro++ Limited Release DLC Platinum Package which now allows you to resize the window!"; + if (mail($to, $subject, $body)) { + echo("

Email successfully sent!

"); + } + else { + echo("

Email delivery failed…

"); + } +} + + +function sendRecCode($email, $user){ + $connection = connectAccount(); + $code = rand(1000, 9999); + $insert = "UPDATE UserInfo SET RecCode='$code' WHERE Username = '$user'"; + + + $headers = 'MIME-Version: 1.0' . "\r\n"; + $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; + $to = "$email"; + $subject = "Password Recovery Code"; + $body = ""; + $body .= "

Looks like you forgot your password, buddy.

"; + $body .= "

That's okay, we've got you covered. Enter this code into the client to reset your password: $code. Thank you for using our software!

"; + $body .= ""; + if (mail($to, $subject, $body, $headers)) { + echo("

Email successfully sent!

"); + mysqli_query($connection, $insert); + } + else { + echo("

Email delivery failed…

"); + } + + disconnect($connection); } + + ?> diff --git a/Server PHP/testing.php b/Server PHP/testing.php new file mode 100644 index 0000000..a59bcc3 --- /dev/null +++ b/Server PHP/testing.php @@ -0,0 +1,52 @@ + 0) { + echo "Username exists already!: $user\n\n"; + } + else { + mysqli_query($connection, $insert); + } + } + + +disconnect($connection); +*/ +$email = "mejia.juan.dev@gmail.com"; +$user = "testemail"; +sendRecCode($email, $user); + + + +?> From 47c766da816ab21ec5b1b52182a0590427346507 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 5 Mar 2018 06:46:23 -0800 Subject: [PATCH 23/30] set sec q/a change no longer using escape string after hashing the answers and before writing to the database --- Server PHP/securityQuestions.php | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 73191aa..b28fb59 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -55,12 +55,6 @@ function reqSecAns($user, $sock) { function setSecQuest($user, $q1, $q2, $q3, $sock) { $connection = connectAccount(); $username = $user; - /*will only need these if client sends the server questions without spaces, but probably will not need - $q1_nospaces = str_replace(' ','_',$q1); - $q2_nospaces = str_replace(' ','_',$q2); - $q3_nospaces = str_replace(' ','_',$q3); - */ - $escQ1 = mysqli_real_escape_string($connection, $q1); $escQ2 = mysqli_real_escape_string($connection, $q2); $escQ3 = mysqli_real_escape_string($connection, $q3); @@ -77,11 +71,7 @@ function setSecQuest($user, $q1, $q2, $q3, $sock) { function setSecAns($user, $a1, $a2, $a3, $sock) { $connection = connectAccount(); $username = $user; - /*will only need these if client sends the server questions without spaces, but probably will not need - $q1_nospaces = str_replace(' ','_',$q1); - $q2_nospaces = str_replace(' ','_',$q2); - $q3_nospaces = str_replace(' ','_',$q3); - */ + /*not sure if i need to escape string, or if hashing will be good enough. leaving this in case hashing alone does not work $escA1 = mysqli_real_escape_string($connection, $a1); @@ -89,9 +79,13 @@ function setSecAns($user, $a1, $a2, $a3, $sock) { $escA3 = mysqli_real_escape_string($connection, $a3); */ - $a1Hash = mysqli_real_escape_string($connection, password_hash($a1, PASSWORD_DEFAULT)); - $a2Hash = mysqli_real_escape_string($connection, password_hash($a2, PASSWORD_DEFAULT)); - $a3Hash = mysqli_real_escape_string($connection, password_hash($a3, PASSWORD_DEFAULT)); + //$a1Hash = mysqli_real_escape_string($connection, password_hash($a1, PASSWORD_DEFAULT)); + //$a2Hash = mysqli_real_escape_string($connection, password_hash($a2, PASSWORD_DEFAULT)); + //$a3Hash = mysqli_real_escape_string($connection, password_hash($a3, PASSWORD_DEFAULT)); + + $a1Hash = password_hash($a1, PASSWORD_DEFAULT); + $a2Hash = password_hash($a2, PASSWORD_DEFAULT); + $a3Hash = password_hash($a3, PASSWORD_DEFAULT); @@ -103,11 +97,8 @@ function setSecAns($user, $a1, $a2, $a3, $sock) { } -/* -function generateRecCode() { -} function verifyCode($user, $code) { @@ -116,6 +107,6 @@ function verifyCode($user, $code) { } -*/ + ?> From 52838f0b5a591cbf4688668453e51a14c4836917 Mon Sep 17 00:00:00 2001 From: Unknown Date: Tue, 6 Mar 2018 15:20:05 -0800 Subject: [PATCH 24/30] tons of debugs for setting q added lots of echos to see how variables act and also added mysql error report --- Server PHP/securityQuestions.php | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index b28fb59..7d49eb0 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -8,10 +8,13 @@ function reqSecQuest($user, $sock) { $connection = connectAccount(); $username = $user; - echo "the username input to the function is: $username"; + echo "the username input to the function is: $username\n\n"; $query1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; + echo "This is question1 query: $query1"; $query2 = "SELECT SQ2 FROM UserInfo WHERE Username = '$username'"; + echo "This is question2 query: $query2"; $query3 = "SELECT SQ3 FROM UserInfo WHERE Username = '$username'"; + echo "This is question3 query: $query3"; /* not working for now, think it's a getobj string error $q1 = mysqli_query($connection, $query1); @@ -23,11 +26,11 @@ function reqSecQuest($user, $sock) { */ $q1 = getObjString($connection, $query1)->SQ1; - echo "This is q1: " . "$q1\n"; + echo "This is q1 as string: " . "$q1\n"; $q2 = getObjString($connection, $query2)->SQ2; - //echo "This is q2: {$q2}\n\n"; + echo "This is q2 as object? : " . "{$q2}\n\n"; $q3 = getObjString($connection, $query3)->SQ3; - //echo "This is q3: {$q3}\n\n"; + echo "This is q3 as object? : " . "{$q3}\n\n"; $message = "REQQ{$q1} {$q2} {$q3}"; sendMessage($message, $sock); @@ -55,14 +58,25 @@ function reqSecAns($user, $sock) { function setSecQuest($user, $q1, $q2, $q3, $sock) { $connection = connectAccount(); $username = $user; + echo "This is q1 as received by setSecQuest: $q1\n\n"; + echo "This is q2 as received by setSecQuest: $q2\n\n"; + echo "This is q3 as received by setSecQuest: $q3\n\n"; $escQ1 = mysqli_real_escape_string($connection, $q1); $escQ2 = mysqli_real_escape_string($connection, $q2); $escQ3 = mysqli_real_escape_string($connection, $q3); + echo "This is escq1: $escQ1\n\n"; + echo "This is escq2: $escQ2\n\n"; + echo "This is escq3: $escQ3\n\n"; $query = "UPDATE UserInfo SET SQ1='$escQ1', SET SQ2='$escQ2', SET SQ3='$escQ3' WHERE Username = '$username'"; + echo "Here is the setSecQuest query: $query\n\n"; if (!mysqli_query($connection, $query)) { $message = "FAILThere was an issue setting the security questions.\n\n"; + echo("Error description: " . mysqli_error($connection)); sendMessage($message, $sock); } + else { + + } } From 3b01c2085ef3e59a69a44d43f02c13e218ba1686 Mon Sep 17 00:00:00 2001 From: Unknown Date: Tue, 6 Mar 2018 22:52:06 -0800 Subject: [PATCH 25/30] sql syntax i did a bad thing but i undid the thing --- Server PHP/securityQuestions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 7d49eb0..9bf13b2 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -67,7 +67,7 @@ function setSecQuest($user, $q1, $q2, $q3, $sock) { echo "This is escq1: $escQ1\n\n"; echo "This is escq2: $escQ2\n\n"; echo "This is escq3: $escQ3\n\n"; - $query = "UPDATE UserInfo SET SQ1='$escQ1', SET SQ2='$escQ2', SET SQ3='$escQ3' WHERE Username = '$username'"; + $query = "UPDATE UserInfo SET SQ1='$escQ1', SQ2='$escQ2', SQ3='$escQ3' WHERE Username = '$username'"; echo "Here is the setSecQuest query: $query\n\n"; if (!mysqli_query($connection, $query)) { $message = "FAILThere was an issue setting the security questions.\n\n"; From a0b0fe3347ee89fcfbdafb85c42d94241e36863b Mon Sep 17 00:00:00 2001 From: Unknown Date: Tue, 6 Mar 2018 22:55:58 -0800 Subject: [PATCH 26/30] setSecAns fix did the same fix that was done for questions on previous commit --- Server PHP/securityQuestions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 9bf13b2..8d5e73b 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -103,7 +103,7 @@ function setSecAns($user, $a1, $a2, $a3, $sock) { - $query = "UPDATE UserInfo SET SQA1='$a1Hash', SET SQA2='$a2Hash', SET SQA3='$a3Hash' WHERE Username = '$username'"; + $query = "UPDATE UserInfo SET SQA1='$a1Hash', SQA2='$a2Hash', SQA3='$a3Hash' WHERE Username = '$username'"; if (!mysqli_query($connection, $query)) { $message = "FAILThere was an issue setting the security question answers.\n\n"; sendMessage($message, $sock); From f3a74baaa7d2a19e62e9e57562fb2197b170e9b4 Mon Sep 17 00:00:00 2001 From: Unknown Date: Sat, 10 Mar 2018 00:56:42 -0800 Subject: [PATCH 27/30] Reset Password functions First commit for reset password functions that should be working. send random security question, check security question answers, send out code and verify --- Server PHP/accountFunctions.php | 14 +++--- Server PHP/securityQuestions.php | 73 ++++++++++++++++++++++++++------ Server PHP/server.php | 11 ++++- 3 files changed, 77 insertions(+), 21 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 43af5f2..12c81f8 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -99,17 +99,15 @@ function logoutAccount($username, $sock) { //unfinished code to change a users password, need client input function changePassword($username, $password, $sock) { $connection = connectAccount(); - - // UI should now send a 'they did it' message and a new password - $newPass = nul; //new pass from UI goes here - $change_password = "UPDATE UserInfo SET Pass= 'newPass' WHERE Username = '$username'"; - if (mysqli_query($connection, $change_password)) { - fwrite($sock, "SUCC\n"); + $query = "UPDATE UserInfo SET Pass='$password' WHERE Username = '$username'"; + if (!mysqli_query($connection, $query)) { + $message = "FAILSomething went wrong. Either the username does not exist or there was an issue connecting to the database.\n\n"; + sendMessage($message, $sock); } else { - fwrite($sock, "FAIL\n"); + $message = "CHPWSUCC Password was successfully changed!\n\n"; + sendMessage($message, $sock); } - disconnect($connection); } diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 8d5e73b..cb8f41f 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -5,9 +5,11 @@ include_once 'sendEmail.php'; -function reqSecQuest($user, $sock) { +function reqSecQuest($user, $sock) { /*why not combine this function to take multiple parameters? then you could re-use function. + maybe like another input determining how many questions to send and if it's just one, run randomizer? so like sendquest1, 2, 3, etc + */ $connection = connectAccount(); - $username = $user; + $username = $user; //why username = user? why not just change parameter to username?? FOR ALL echo "the username input to the function is: $username\n\n"; $query1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; echo "This is question1 query: $query1"; @@ -74,10 +76,6 @@ function setSecQuest($user, $q1, $q2, $q3, $sock) { echo("Error description: " . mysqli_error($connection)); sendMessage($message, $sock); } - else { - - } - } @@ -111,15 +109,66 @@ function setSecAns($user, $a1, $a2, $a3, $sock) { } +function sendRandomSecQuest($user, $sock) { + $connection = connectAccount(); + $num = rand(1,3); + $column = "SQ" . "$num"; + $query = "SELECT $column FROM UserInfo WHERE (Username='$user')"; + if (!mysqli_query($connection, $query)) { + $message = "FAILUser doesn't exist or questions are not set.\n\n"; + sendMessage($message, $sock); + } + else { + $question = getObjString($connection, $query)->$column; + $message ="RPWD$num $question"; + sendMessage($message, $sock); + } + disconnect($connection); +} +function checkSecAnswer($user, $num, $answer, $sock) { + $connection = connectAccount(); + $column = "SQA" . "$num"; + $query = "SELECT $column FROM UserInfo WHERE (Username='$user')"; + if(!mysqli_query($connection, $query)) { + $message = "FAILUser doesn't exist or answer not set.\n\n"; + sendMessage($message, $sock); + } + else { + $answerDB = getObjString($connection, $query)->$column; + if (password_verify($answer, $answerDB)) { + $query = "SELECT Email FROM UserInfo WHERE (Username='$user')"; + $email = getObjString($connection, $query)->Email; + sendRecCode($email, $user); + $message = "RPWDSUCC An email has been sent to you with a recovery code. Please remember to check your spam folder!\n\n"; + sendMessage($message, $sock); + } + else { + $message = "FAIL"; + sendMessage($message, $sock); + } + } +} - -function verifyCode($user, $code) { - - - - +function checkCode($user, $code, $sock) { + $connection = connectAccount(); + $query = "SELECT RecCode FROM UserInfo WHERE (Username='$user')"; + if(!mysqli_query($connection, $query)) { + $message = "FAIL"; + sendMessage($message, $sock); + } + else { + if ($code == getObjString($connection, $query)->RecCode) { + $message = "CHKCSUCC"; + sendMessage($message, $sock); + } + else { + $message = "FAIL"; + sendMessage($message, $sock); + } + } + disconnect($connection); } diff --git a/Server PHP/server.php b/Server PHP/server.php index 25484a2..3d61dba 100755 --- a/Server PHP/server.php +++ b/Server PHP/server.php @@ -195,7 +195,7 @@ saveWhiteBoard($codeMessage[0], $codeMessage[1], $sock); break; //groupID, wb string, socket case "CHPW": - changePassword($clients[$ip][1], $codeMessage[1], $sock); + changePassword($codeMessage[0], $codeMessage[1], $sock); //user, new pass break; case "RACC": recoverAccount($codeMessage[0], $codeMessage[1], $sock); @@ -224,6 +224,15 @@ case "SETA": setSecAns($codeMessage[0], $codeMessage[1], $codeMessage[2], $codeMessage[3], $sock); // 0 = username, 1 = answer 1, 2 = answer 2, 3 = answer 3 break; + case "RPWD": + sendRandomSecQuest($codeMessage[0], $sock); // username + break; + case "CHKA": + checkSecAnswer($codeMessage[0], $codeMessage[1], $codeMessage[2], $sock); // user, answer#, answer + break; + case "CHKC": + checkCode($codeMessage[0], $codeMessage[1], $sock); // user, code + break; }//Switch Statement }//Closes else }//Closes foreach From 02ea073eb5582859f44941d9dd9ea37489512b72 Mon Sep 17 00:00:00 2001 From: Unknown Date: Sat, 10 Mar 2018 01:10:13 -0800 Subject: [PATCH 28/30] small change in communication between client/server took out some of the 4 character codes that communicate between server and client, also added a few error/success messages --- Server PHP/accountFunctions.php | 2 +- Server PHP/securityQuestions.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 12c81f8..531dd81 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -105,7 +105,7 @@ function changePassword($username, $password, $sock) { sendMessage($message, $sock); } else { - $message = "CHPWSUCC Password was successfully changed!\n\n"; + $message = "SUCCPassword was successfully changed!\n\n"; sendMessage($message, $sock); } disconnect($connection); diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index cb8f41f..6c4bcef 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -140,11 +140,11 @@ function checkSecAnswer($user, $num, $answer, $sock) { $query = "SELECT Email FROM UserInfo WHERE (Username='$user')"; $email = getObjString($connection, $query)->Email; sendRecCode($email, $user); - $message = "RPWDSUCC An email has been sent to you with a recovery code. Please remember to check your spam folder!\n\n"; + $message = "SUCCAn email has been sent to you with a recovery code. Please remember to check your spam folder!\n\n"; sendMessage($message, $sock); } else { - $message = "FAIL"; + $message = "FAILAnswer did not match. Try again!"; sendMessage($message, $sock); } } @@ -160,7 +160,7 @@ function checkCode($user, $code, $sock) { } else { if ($code == getObjString($connection, $query)->RecCode) { - $message = "CHKCSUCC"; + $message = "SUCC"; sendMessage($message, $sock); } else { From ded3f6af35d76f35e2901e4636a4ff040794a67a Mon Sep 17 00:00:00 2001 From: Unknown Date: Sat, 10 Mar 2018 02:00:39 -0800 Subject: [PATCH 29/30] password hash fix was storing password as plain text with reset password. fixed and made it a hash instead --- Server PHP/accountFunctions.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 531dd81..408e787 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -99,7 +99,8 @@ function logoutAccount($username, $sock) { //unfinished code to change a users password, need client input function changePassword($username, $password, $sock) { $connection = connectAccount(); - $query = "UPDATE UserInfo SET Pass='$password' WHERE Username = '$username'"; + $passwordHash = password_hash($password, PASSWORD_DEFAULT); + $query = "UPDATE UserInfo SET Pass='$passwordHash' WHERE Username = '$username'"; if (!mysqli_query($connection, $query)) { $message = "FAILSomething went wrong. Either the username does not exist or there was an issue connecting to the database.\n\n"; sendMessage($message, $sock); From 9b5bbf05a5093d5beb9d07b607d2f10875814ff8 Mon Sep 17 00:00:00 2001 From: EC2 Default User Date: Mon, 9 Apr 2018 09:11:51 +0000 Subject: [PATCH 30/30] small changes for new sec quest UI --- Server PHP/accountFunctions.php | 2 +- Server PHP/securityQuestions.php | 7 ++++++- Server PHP/server.php | 3 ++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Server PHP/accountFunctions.php b/Server PHP/accountFunctions.php index 408e787..971bd43 100644 --- a/Server PHP/accountFunctions.php +++ b/Server PHP/accountFunctions.php @@ -146,7 +146,7 @@ function rememberUsername ($email, $sock) { if(checkExists($connection, $find_user) > 0) { $returnUser = getObjString($connection, $find_user)->Username; // $message = "SUCC1Email has been sent with your username. Make sure to check your spam folder!\n"; - $message = "RUSRSUCC Email has been sent with your username. Make sure to check your spam folder!\n"; + $message = "SUCCEmail has been sent with your username. Make sure to check your spam folder!\n"; sendMessage($message, $sock); sendVerEmail($email, $returnUser); } diff --git a/Server PHP/securityQuestions.php b/Server PHP/securityQuestions.php index 6c4bcef..12bad5a 100644 --- a/Server PHP/securityQuestions.php +++ b/Server PHP/securityQuestions.php @@ -10,6 +10,10 @@ function reqSecQuest($user, $sock) { /*why not combine this function to take mul */ $connection = connectAccount(); $username = $user; //why username = user? why not just change parameter to username?? FOR ALL + $q1 = "What_is_your_last_name"; + $q2 = "What_was_the_name_of_your_first_pet"; + $q3 = "What_is_the_name_of_the_street_you_grew_up_on"; + /* echo "the username input to the function is: $username\n\n"; $query1 = "SELECT SQ1 FROM UserInfo WHERE Username = '$username'"; echo "This is question1 query: $query1"; @@ -25,7 +29,7 @@ function reqSecQuest($user, $sock) { /*why not combine this function to take mul echo "q2 is: $q2\n\n"; $q3 = mysqli_query($connection, $query3); echo "q3 is: $q3\n\n"; - */ + $q1 = getObjString($connection, $query1)->SQ1; echo "This is q1 as string: " . "$q1\n"; @@ -33,6 +37,7 @@ function reqSecQuest($user, $sock) { /*why not combine this function to take mul echo "This is q2 as object? : " . "{$q2}\n\n"; $q3 = getObjString($connection, $query3)->SQ3; echo "This is q3 as object? : " . "{$q3}\n\n"; + */ $message = "REQQ{$q1} {$q2} {$q3}"; sendMessage($message, $sock); diff --git a/Server PHP/server.php b/Server PHP/server.php index 3d61dba..253d515 100755 --- a/Server PHP/server.php +++ b/Server PHP/server.php @@ -222,7 +222,8 @@ setSecQuest($codeMessage[0], $codeMessage[1], $codeMessage[2], $codeMessage[3], $sock); // 0 = username, 1 = question 1, 2 = question 2, 3 = question 3 break; case "SETA": - setSecAns($codeMessage[0], $codeMessage[1], $codeMessage[2], $codeMessage[3], $sock); // 0 = username, 1 = answer 1, 2 = answer 2, 3 = answer 3 + sendMessage("SUCC Account Created!", $sock); + //setSecAns($codeMessage[0], $codeMessage[1], $codeMessage[2], $codeMessage[3], $sock); // 0 = username, 1 = answer 1, 2 = answer 2, 3 = answer 3 break; case "RPWD": sendRandomSecQuest($codeMessage[0], $sock); // username