threadr.lostcave.ddnss.de/threadr/signup/redirect.php

<?php
  //permitted chars for password salt
  $permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ&/()[]$:?_';

  //generates password salt
  function generate_salt($input, $strength = 5) {
    $input_length = strlen($input);
    $random_string = '';
    for($i = 0; $i < $strength; $i++) {
      $random_character = $input[random_int(0, $input_length - 1)];
      $random_string .= $random_character;
    }
    return $random_string;
  }

  $random_salt = generate_salt($permitted_chars);
  $password_hash_method = "sha256";

  $pdo = new PDO('mysql:host=localhost;dbname=web', 'webstuff', 'Schei// auf Pa$$w0rter!');
  //TODO: Add check for existing users
  //$query = "SELECT name FROM users WHERE name = :username;"; ← Do NOT use.

  //error indicator for later use
  $error = false;

  $error_message = "";
  if ($_POST['username']=='' || $_POST['password']=='' || $_POST['password_confirmation']=='') {
    $error = true;
    //TODO: Return redirect header, change index to php for handling highlighting of affected boxes
    $error_message = "Error: Not all values populated.";
  }
  if ($_POST['password'] != $_POST['password_confirmation']) {
    $error = true;
    //TODO: see above
    $error_message = "Error: How much does password?"; //Sorry, I *had* to do it.
  }
  //run only after basic user sanity checks
  if (!$error) {
    //add user
    $statement = $pdo->prepare('INSERT INTO users (name, authentication_string, authentication_salt, authentication_algorithm) VALUES (:name, :authentication_string, :authentication_salt, :authentication_algorithm)');
    //$result = $statement->execute(array('name' => $_POST['name'], 'authentication_string' => hash($password_hash_method, $_POST['password'] . $random_salt), 'authentication_salt' => $random_salt, 'authentication_algorithm' => $password_hash_method));
    if (!$result) {
      $error_message = "Error: SQL error.\n" . $statement->queryString . "\n" . $statement->errorInfo()[2];
    }
  }
  //You know, just in case... (To be removed after proper error handling is in place)
  //echo $error_message;
?>
    </form>
  </body>
</html>
started implementation of signup 2020-02-19 16:10:06 +01:00			`<?php`
			`//permitted chars for password salt`
			`$permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ&/()[]$:?_';`

			`//generates password salt`
			`function generate_salt($input, $strength = 5) {`
			`$input_length = strlen($input);`
			`$random_string = '';`
			`for($i = 0; $i < $strength; $i++) {`
			`$random_character = $input[random_int(0, $input_length - 1)];`
			`$random_string .= $random_character;`
			`}`
			`return $random_string;`
			`}`

			`$random_salt = generate_salt($permitted_chars);`
			`$password_hash_method = "sha256";`

			`$pdo = new PDO('mysql:host=localhost;dbname=web', 'webstuff', 'Schei// auf Pa$$w0rter!');`
			`//TODO: Add check for existing users`
			`//$query = "SELECT name FROM users WHERE name = :username;"; ← Do NOT use.`

			`//error indicator for later use`
			`$error = false;`

			`$error_message = "";`
			`if ($_POST['username']=='' \|\| $_POST['password']=='' \|\| $_POST['password_confirmation']=='') {`
			`$error = true;`
			`//TODO: Return redirect header, change index to php for handling highlighting of affected boxes`
			`$error_message = "Error: Not all values populated.";`
			`}`
			`if ($_POST['password'] != $_POST['password_confirmation']) {`
			`$error = true;`
			`//TODO: see above`
			`$error_message = "Error: How much does password?"; //Sorry, I had to do it.`
			`}`
			`//run only after basic user sanity checks`
			`if (!$error) {`
			`//add user`
			`$statement = $pdo->prepare('INSERT INTO users (name, authentication_string, authentication_salt, authentication_algorithm) VALUES (:name, :authentication_string, :authentication_salt, :authentication_algorithm)');`
disarmed a bomb 2020-02-19 16:23:08 +01:00			`//$result = $statement->execute(array('name' => $_POST['name'], 'authentication_string' => hash($password_hash_method, $_POST['password'] . $random_salt), 'authentication_salt' => $random_salt, 'authentication_algorithm' => $password_hash_method));`
started implementation of signup 2020-02-19 16:10:06 +01:00			`if (!$result) {`
			`$error_message = "Error: SQL error.\n" . $statement->queryString . "\n" . $statement->errorInfo()[2];`
			`}`
			`}`
			`//You know, just in case... (To be removed after proper error handling is in place)`
disarmed a bomb 2020-02-19 16:23:08 +01:00			`//echo $error_message;`
started implementation of signup 2020-02-19 16:10:06 +01:00			`?>`
			`</form>`
			`</body>`
			`</html>`