Account security

Server PHP/accountFunctions.php

@@ -18,8 +18,18 @@ function createAccount($email, $username, $password, $sock) {
   $check_username = "SELECT * FROM UserInfo WHERE Username = '$username'";
   $check_email = "SELECT * FROM UserInfo WHERE Email = '$email'";
 
+  $passwordHash = password_hash($password, PASSWORD_DEFAULT);
+
+  $defaultQ1 = "What_is_your_mother's_maiden_name?";
+  $defaultQ2 = "What_is_the_name_of_the_street_you_grew_up_on?";
+  $defaultQ3 = "What_was_the_name_of_your_first_pet?";
+
+  $defaultQ1 = mysqli_real_escape_string($connection, $defaultQ1);
+  $defaultQ2 = mysqli_real_escape_string($connection, $defaultQ2);
+  $defaultQ3 = mysqli_real_escape_string($connection, $defaultQ3);
+
   //Insert Query
-  $insert = "INSERT INTO UserInfo (Username, Pass, Email) VALUES ('$username', '$password', '$email')";
+  $insert = "INSERT INTO UserInfo (Username, Pass, Email, SQ1, SQ2, SQ3) VALUES ('$username', '$passwordHash', '$email', '$defaultQ1', '$defaultQ2', '$defaultQ3')";
 
   if (($username_exists = checkExists($connection, $check_username)) > 0) { //returns failcase of username existing.
     $message = "FAILUsername exists, please try again.";
@@ -35,6 +45,9 @@ function createAccount($email, $username, $password, $sock) {
       sendMessage($message, $sock);
       sendRegEmail($email);
     }
+    else {
+      echo("Error description: " . mysqli_error($connection));
+    }
   }
   disconnect($connection);
 }
@@ -49,7 +62,7 @@ function loginAccount($username, $password, $sock) {
   //Checks if username exists before attempting to login, will return error otherwise.
   if (($username_exists = checkExists($connection, $check_username)) > 0) {
       $checkPass = getObjString($connection, $check_password)->Pass;
-      if ($checkPass == $password) {
+      if (password_verify($password, $checkPass)) {
         $resultEmail = getObjString($connection, $check_email)->Email;
         $message = "SUCC{$resultEmail}"; //Successful if matches and writes back email belonging to user for UI
         sendMessage($message, $sock);
@@ -86,24 +99,22 @@ function logoutAccount($username, $sock) {
 //unfinished code to change a users password, need client input
 function changePassword($username, $password, $sock) {
   $connection = connectAccount();
-
-  // UI should now send a 'they did it' message and a new password
-  $newPass = nul; //new pass from UI goes here
-  $change_password = "UPDATE UserInfo SET Pass= 'newPass' WHERE Username = '$username'";
-  if (mysqli_query($connection, $change_password)) {
-    fwrite($sock, "SUCC\n");
+  $passwordHash = password_hash($password, PASSWORD_DEFAULT);
+  $query = "UPDATE UserInfo SET Pass='$passwordHash' WHERE Username = '$username'";
+  if (!mysqli_query($connection, $query)) {
+    $message = "FAILSomething went wrong. Either the username does not exist or there was an issue connecting to the database.\n\n";
+    sendMessage($message, $sock);
   }
   else {
-    fwrite($sock, "FAIL\n");
+    $message = "SUCCPassword was successfully changed!\n\n";
+    sendMessage($message, $sock);
   }
-
   disconnect($connection);
 }
 
 // unfinised account recovery using email method. outdated, unused, unloved
 function recoverAccount($email, $password, $sock) {
   $connection = connectAccount();
-
   //check if email exists before attempting to send recovery email, will return error otherwise.
   $check_email = "SELECT Email FROM UserInfo WHERE Email = '$email'";
   $change_password = "UPDATE UserInfo SET Pass= '$newPass' WHERE Email = '$email'";
@@ -131,17 +142,22 @@ function recoverAccount($email, $password, $sock) {
 // takes users email, returns users username.
 function rememberUsername ($email, $sock) {
   $connection = connectAccount();
-
   $find_user = "SELECT Username FROM UserInfo WHERE Email = '$email'";  //finds a username tied to a email
-  $resultUser = mysqli_query($connection, $find_user); //runs find_user
-  $obj = $resultUser->fetch_object();
-  $returnUser = $obj->Username; // returnUser == return value of find_user
-  $message = "SUCC{$returnUser}";
-  sendMessage($message, $socket);
-
+  if(checkExists($connection, $find_user) > 0) {
+    $returnUser = getObjString($connection, $find_user)->Username;
+//    $message = "SUCC1Email has been sent with your username. Make sure to check your spam folder!\n";
+    $message = "SUCCEmail has been sent with your username. Make sure to check your spam folder!\n";
+    sendMessage($message, $sock);
+    sendVerEmail($email, $returnUser);
+  }
+  else {
+    $message = "FAILNo username found with that email. Try again!\n";
+    sendMessage($message, $sock);
+  }
   disconnect($connection);
 }
 
+
 // recovery option for remembering a password, sends a recovery email
 function rememberPassword ($username, $email, $sock) {
   $connection = connectAccount();

Server PHP/flashCardFunctions.php

@@ -3,7 +3,6 @@
 include_once 'utilityFunctions.php';
 include_once 'groupFunctions.php';
 include_once 'whiteboardFunctions.php';
-include_once 'utilityFunctions.php';
 
 
 
@@ -13,11 +12,11 @@ function updateFlashCards($connection, $ip, $clients, $groupID, $sock) {
   //RETURN FRONT SIDE AND BACK SIDE
   for($i= 0; $i<2; $i++){
     if($i == 0){
-      $side == 'side1';
+      $side = 'side1';
       $code = 'FCFT';
     }
     else if($i == 1){
-      $side == 'side2';
+      $side = 'side2';
       $code = 'FCBK';
     }
     $return_FlashCards = "SELECT id, $side
@@ -37,10 +36,9 @@ function updateFlashCards($connection, $ip, $clients, $groupID, $sock) {
     } //closes query for loop
   } //closes front/back for loop
   disconnect($connection);
-
-
 }//Close function
 
+
 function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) {
   $side = "side" . "$side";
   $connection =  connectGroup();
@@ -53,6 +51,10 @@ function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) {
   $username = mysqli_real_escape_string($connection, $username);
   $message = mysqli_real_escape_string($connection, $message);
   $groupID = mysqli_real_escape_string($connection, $groupID);
+
+  $unescMessage = stripslashes($message);
+  $unescGroupID = stripslashes($groupID);
+
   $flashGroupID = "$groupID" . "FC";
   $return_ipList = "SELECT ipAddress FROM $groupID WHERE ipAddress IS NOT NULL";
   $resultIP = mysqli_query($connection, $return_ipList); //Returns list of current IP addresses i.e. current user list connected.
@@ -61,29 +63,29 @@ function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) {
 // Check to see if the id for this card exists already
   $check_card = "SELECT * FROM $flashGroupID WHERE (id='$num')";
   if (checkExists($connection, $check_card) > 0){
-    echo "Card exists already ";
+    echo "Card exists already \n";
     $update = "UPDATE $flashGroupID SET user= '$username', $side='$message' WHERE (id='$num')";
     mysqli_query($connection, $update);
     $NewID = "SELECT id FROM $flashGroupID WHERE (user='$username' AND $side='$message')";
     $returnID = getObjString($connection, $NewID)->id;
     $returnID = $returnID -1;
-    $clientMessage = "SUCC{$returnID}";
+    /*$clientMessage = "SUCC{$returnID}";
     sendMessage($clientMessage, $sock);
-    echo "$clientMessage \n";
+    //echo "$clientMessage \n";*/
 
-  while($rowIP = mysqli_fetch_array($resultIP)){
-    $keyIP = $rowIP[0];
-    $keySock = $clientList[$keyIP]->getSocket();
-    $FlashCards = "$groupID $returnID $message";
 
-    if($side == 'side1'){
-      $clientMessage = "FCFT$FlashCards";
-    }
-    else if($side == 'side2'){
-      $clientMessage = "FCBK$FlashCards";
-    }
-    sendMessage($clientMessage, $keySock);
-  } //Closes while loop
+    while($rowIP = mysqli_fetch_array($resultIP)){
+      $keyIP = $rowIP[0];
+      $keySock = $clientList[$keyIP]->getSocket();
+      $FlashCards = "$unescGroupID $returnID $unescMessage";
+      if($side == 'side1'){
+        $clientMessage = "FCFT$FlashCards";
+      }
+      else if($side == 'side2'){
+        $clientMessage = "FCBK$FlashCards";
+      }
+      sendMessage($clientMessage, $keySock);
+    } //Closes while loop
   }//Closes outer if statement
 
   else{
@@ -92,24 +94,25 @@ function addToCard($groupID, $num, $message, $user, $clientList, $sock, $side) {
     $returnID = getObjString($connection, $NewID)->id;
     $returnID = $returnID -1;
     //echo "returnID is: $returnID\n\n";
-    $clientMessage = "SUCC{$returnID}";
+    /*$clientMessage = "SUCC{$returnID}";
     //echo "clientMessage is: $clientMessage\n\n";
-    sendMessage($clientMessage, $sock);
+    sendMessage($clientMessage, $sock);*/
 
-while($rowIP = mysqli_fetch_array($resultIP)){
-  $keyIP = $rowIP[0];
-  $keySock = $clientList[$keyIP]->getSocket();
-  $FlashCards = "$groupID $returnID $message";
-  if($side == 'side1'){
-    $clientMessage == "FCFT$FlashCards";
-  }
-  else if($side == 'side2'){
-    $clientMessage == "FCBK$FlashCards";
-  }
-  sendMessage($clientMessage, $keySock);
-}// end while loop
+      while($rowIP = mysqli_fetch_array($resultIP)){
+        $keyIP = $rowIP[0];
+        $keySock = $clientList[$keyIP]->getSocket();
+        $FlashCards = "$unescGroupID $returnID $unescMessage";
+        if($side == 'side1'){
+          $clientMessage = "FCFT$FlashCards";
+        }
+        else if($side == 'side2'){
+          $clientMessage = "FCBK$FlashCards";
+        }
+        sendMessage($clientMessage, $keySock);
+      }// end while loop
   } // end else bracket
   disconnect($connection);
 }//close function
 
+
 ?>