-rw-r--r-- | README.md | 13 | ||||
-rw-r--r-- | config.php.example | 18 | ||||
-rw-r--r-- | dbinit.sql | 1 | ||||
-rwxr-xr-x | login.php | 84 | ||||
-rwxr-xr-x | register.php | 21 | ||||
-rw-r--r-- | verify.php | 105 |
6 files changed, 193 insertions, 49 deletions
@@ -1,5 +1,7 @@ -# arfnet2-csti -ARFNET2 Client, Service, Ticket and Invoice management system +# arfnet2-cstims +ARFNET2 Client, Service, Ticket and Invoice Management System + +Depends on PHPMailer ``` User types: @@ -23,11 +25,14 @@ FILES: logout.php -> login.php stops session + verify.php -> login.php + from a link, has the base64 code generated at registration sent to email for verification + client.php -> { order.php, openticket.php } shows ordered services and opened tickets helpdesk.php view, self-assign and close tickets - accounting.php + accountant.php view invoices and change status admin.php -> { manageusers.php, manageservices.php, managetickets.php } shows users, services, tickets and invoices @@ -58,7 +63,7 @@ FILES: SQL: Tables: users User logins - id autoincrement, username, password (hash), email, email verification code, user type { client, helpdesk, accountant, admin }, register date + id autoincrement, username, password (hash), email, email verification code, status { verified, unverified }, type { client, helpdesk, accountant, admin }, register date services Available services and management notes etc id autoincrement, name, type, billing, description orders diff --git a/config.php.example b/config.php.example index 5057641..6520aaa 100644 --- a/config.php.example +++ b/config.php.example @@ -6,6 +6,12 @@ define('DB_SERVER', 'hostname'); define('DB_USERNAME', 'username'); define('DB_PASSWORD', 'password'); define('DB_NAME', 'dbname'); + +define('MAIL_SERVER', 'mail.example.com'); +define('MAIL_PORT', 587); +define('MAIL_USER', 'user'); +define('MAIL_PASSWORD', 'password'); +define('MAIL_FROM', 'system@example.com'); /* Attempt to connect to MySQL database */ $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME); 
@@ -14,4 +20,16 @@ $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
+
+$mailer = new PHPMailer();
+$mailer->isSMTP();
+$mailer->SMTPDebug = SMTP::DEBUG_SERVER;
+$mailer->Host = MAIL_SERVER;
+$mailer->Port = MAIL_PORT;
+$mailer->SMTPAuth = true;
+$mailer->Username = MAIL_USER;
+$mailer->Password = MAIL_PASSWORD;
+$mailer->setFrom(MAIL_FROM);
+$mailer->isHTML(false);
+
?>
@@ -6,6 +6,7 @@ CREATE TABLE `arfnet2`.`users` (
`password` VARCHAR(255) NOT NULL ,
`email` VARCHAR(127) NOT NULL ,
`verifycode` VARCHAR(31) NOT NULL ,
+ `status` ENUM('verified','unverified') NOT NULL DEFAULT 'unverified' ,
`type` ENUM('client','helpdesk','accountant','admin') NOT NULL ,
`regdate` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ,
PRIMARY KEY (`id`)
@@ -3,8 +3,8 @@ session_start();
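Review bot: `$mailer->SMTPDebug = SMTP::DEBUG_SERVER;` in the example config leaves PHPMailer's SMTP transcript switched on, and PHPMailer's default Debugoutput is `echo`, so every send() from register.php writes the server conversation — banner, addresses, and in PHPMailer releases that do not redact them the AUTH exchange for MAIL_USER/MAIL_PASSWORD — into the HTTP response of whoever is registering, ahead of any header() call. The shipped example should read `$mailer->SMTPDebug = SMTP::DEBUG_OFF;` with a comment that raising the level is for local troubleshooting only. The hunk also constructs `new PHPMailer()` and references `SMTP::` with no `use PHPMailer\PHPMailer\PHPMailer;` / `use PHPMailer\PHPMailer\SMTP;` or require of the library visible anywhere in the diff; unless an autoloader is pulled in before config.php elsewhere, this fails at include time, so the README's "Depends on PHPMailer" line would be worth expanding into how it is meant to be loaded.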
// Check if the user is already logged in, if yes then redirect him to welcome page
-if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
- header("location: welcome.php");
+if (isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true) {
+ header("location: /".$_SESSION["type"].".php");
exit;
}
@@ -18,35 +18,29 @@ $username_err = $password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate username
- if(empty(trim($_POST["username"]))){
- $username_err = "Please enter username.";
- } else{
- if (preg_match("[a-zA-Z0-9_]+", $_POST["username"]) == 1) {
- $username_err = "Invalid username.";
- }
- else {
- $username = trim($_POST["username"]);
- }
- }
+ if (empty($_POST["username"]))
+ $username_err = "Enter a username.";
+ else if (preg_match("/[a-zA-Z0-9_]+/", $_POST["username"]) != 1)
+ $username_err = "Invalid username.";
+ else
+ $username = $_POST["username"];
- // Validated password
- if(empty(trim($_POST["password"]))){
- $password_err = "Please enter your password.";
- } else{
- if (preg_match("[a-zA-Z0-9_]+", $_POST["password"]) == 1) {
- $username_err = "Invalid password.";
- }
- else {
- $password = trim($_POST["password"]);
- }
- }
+ // Validate password
+ if (empty($_POST["password"]))
+ $password_err = "Enter a password.";
+ else if (strlen($_POST["password"]) < 8)
+ $password_err = "Password must have at least 8 characters.";
+ else if (preg_match("/[a-zA-Z0-9!@^*$%&)(=+çñÇ][}{\-.,_:;]+/", $_POST["password"]) != false)
+ $password_err = "Password must be in the format [a-zA-Z0-9!@^*$%&)(=+çñÇ][}{-.,_:;].";
+ else
+ $password = $_POST["password"];
// Validate credentials
- if(empty($username_err) && empty($password_err)){
+ if (empty($username_err) && empty($password_err)) {
// Prepare a select statement
- $sql = "SELECT id, username, password FROM users WHERE username = ?";
+ $sql = "SELECT id, username, password, status, type FROM users WHERE username = ?";
- if($stmt = mysqli_prepare($link, $sql)){
+ if ($stmt = mysqli_prepare($link, $sql)) {
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
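Review bot: The username pattern at L33 is unanchored, so `preg_match("/[a-zA-Z0-9_]+/", ...)` accepts any string that contains one allowed character rather than one made only of them, and the whitelist restricts nothing; it should be `else if (preg_match('/^[a-zA-Z0-9_]+$/', $_POST["username"]) !== 1)`. The password branch at L53 is inverted and malformed: the pattern is two adjacent character classes, so it matches any two-character run such as `a.` inside the password, and `!= false` is true exactly when preg_match returns 1, meaning a password is rejected precisely when it contains such a pair and accepted otherwise; the `ç`/`ñ`/`Ç` literals would also need the `u` modifier to be treated as characters rather than bytes. Since password_verify is what actually decides the login, the simplest fix is to drop the format check here and keep only the length check; if a whitelist is wanted it must be a single anchored class, e.g. `else if (preg_match('/^[a-zA-Z0-9!@^*$%&)(=+çñÇ\]\[}{\-.,_:;]+$/u', $_POST["password"]) !== 1)`. register.php's validation lines are outside this diff, but if they share these patterns the same fix applies there. The enclosing POST block continues past the hunk.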
@@ -54,29 +48,33 @@ if($_SERVER["REQUEST_METHOD"] == "POST"){
$param_username = $username;
// Attempt to execute the prepared statement
- if(mysqli_stmt_execute($stmt)){
+ if (mysqli_stmt_execute($stmt)){
// Store result
mysqli_stmt_store_result($stmt);
// Check if username exists, if yes then verify password
- if(mysqli_stmt_num_rows($stmt) == 1){
+ if (mysqli_stmt_num_rows($stmt) == 1) {
// Bind result variables
- mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
- if(mysqli_stmt_fetch($stmt)){
- if(password_verify($password, $hashed_password)){
- // Password is correct, so start a new session
- session_start();
-
- // Store data in session variables
- $_SESSION["loggedin"] = true;
- $_SESSION["id"] = $id;
- $_SESSION["username"] = $username;
+ mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $status, $type);
+ if (mysqli_stmt_fetch($stmt)){
+ if (password_verify($password, $hashed_password)) {
+ // Password is correct, check verification
+ if ($status == "verified") {
+ session_start();
- // Redirect user to welcome page
- header("location: welcome.php");
- } else{
- // Display an error message if password is not valid
- $password_err = "The password you entered was not valid.";
+ // Store data in session variables
+ $_SESSION["loggedin"] = true;
+ $_SESSION["id"] = $id;
+ $_SESSION["username"] = $username;
+ $_SESSION["type"] = $type;
+
+ // Redirect user to appropiate page
+ header("location: /".$type.".php");
+ } else {
+ $username_err = "Unverified account, check your email.";
+ }
+ } else {
+ $password_err = "Incorrect password.";
}
}
} else{
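Review bot: After password_verify succeeds the new code calls `session_start()` a second time at L92 (the file already starts the session at line 3, per the hunk context of the earlier hunk) but never rotates the identifier, so a session id fixed before login stays valid after it; replace L92 with `session_regenerate_id(true);`. The redirect at L105 has no `exit;` after `header(...)`, so the rest of login.php (the form rendering outside this hunk) still executes and is emitted alongside the redirect — add `exit;` as the already-logged-in check at the top of the file does. The `if (mysqli_stmt_execute…)` chain this belongs to continues past the hunk.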
diff --git a/register.php b/register.php
index 37565c5..3ef957a 100755
--- a/register.php
+++ b/register.php
@@ -1,13 +1,28 @@
<?php
+// Dependency
+
+function send_verification_email($rcpt, $code) {
+ global $mailer;
+ $mailer->addAddress($rcpt);
+ $mailer->Subject = 'ARFNET Email Verification';
+ $mailer->Body = "Welcome to ARFNET\n\nUse the following link to verify your email address\n\n"
+ ."https://".DOMAIN."/verify.php?code=".$code
+ ."\n\n--\nARFNET Client, Service, Ticket and Invoice Management System\nhttps://arf20.com";
+ if (!$mailer->send()) {
+ echo 'Mailer Error [ask arf20]: ' . $mailer->ErrorInfo;
+ }
+}
+
// Include config file
require_once "config.php";
// Define variables and initialize with empty values
$username = $password = $confirm_password = $email = "";
$username_err = $password_err = $confirm_password_err = $email_err = "";
+$verification_mail_sent = false;
// Processing form data when form is submitted
-if ($_SERVER["REQUEST_METHOD"] == "POST"){
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
// Validate username
if (empty($_POST["username"]))
$username_err = "Enter a username.";
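Review bot: send_verification_email builds the link as `"https://".DOMAIN."/verify.php?code=".$code` without encoding the code; the README describes it as base64, whose `+`, `/` and `=` are not query-safe (`+` arrives as a space), so such a code would never match verify.php's lookup — use `."/verify.php?code=".rawurlencode($code)` (how `$param_verifycode` is generated is outside this diff, so this only bites if the alphabet is not URL-safe). `DOMAIN` is not defined by the config.php.example hunk in this commit, which on PHP 8 is an Error at send time unless it is defined elsewhere. On failure the function echoes `$mailer->ErrorInfo` straight into the page, exposing SMTP host and auth details to the registering user; log it with `error_log('Mailer error: ' . $mailer->ErrorInfo);` and show a generic message instead. Passing the mailer as a parameter rather than `global $mailer` would also make the dependency explicit and testable.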
@@ -84,7 +99,8 @@ if ($_SERVER["REQUEST_METHOD"] == "POST"){
// Attempt to execute the prepared statement
if (mysqli_stmt_execute($stmt)) {
// Send verification email
-
+ send_verification_email($email, $param_verifycode);
+ $verification_mail_sent = true;
// Redirect to login page
header("location: login.php");
} else {
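Review bot: `$verification_mail_sent = true;` is set immediately before `header("location: login.php");`, so the message added at L153 in the next hunk is never seen — the browser follows the redirect — and because there is no `exit;` after the header the form is still rendered into the discarded body. Any output produced inside send_verification_email before this point (its `Mailer Error` echo, or the SMTP transcript that config.php.example's `SMTPDebug = SMTP::DEBUG_SERVER` emits on every send) reaches the client before header(), which makes PHP report headers already sent and drop the redirect entirely. Either carry the state through the redirect, e.g. `header("location: login.php?registered=1"); exit;`, or stay on this page and render the message without redirecting. The enclosing POST block starts and ends outside the hunk.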
@@ -142,6 +158,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST"){
<input type="submit" class="btn btn-primary" value="Submit">
</div>
<p><a href="login.php">Login</a>.</p>
+ <?php if ($verification_mail_sent) echo 'Verification email sent.'; ?>
</form>
</div>
</main>
diff --git a/verify.php b/verify.php
new file mode 100644
index 0000000..5382f4f
--- /dev/null
+++ b/verify.php
@@ -0,0 +1,105 @@
+<?php
+// Initialize the session
+session_start();
+
+// Check if the user is already logged in, if yes then redirect him to welcome page
+if (isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true) {
+ header("location: /".$_SESSION["type"].".php");
+ exit;
+}
+
+// Include config file
+require_once "config.php";
+
+// Define variables and initialize with empty values
+$code = "";
+$code_err = "";
+$verification_success = false;
+
+// Processing form data when form is submitted
+if ($_SERVER["REQUEST_METHOD"] == "GET") {
+ $code_err = "Invalid code.";
+ if (isset($_GET["code"]) && (strlen($_GET["code"]) == 16)) {
+ $code_err = "";
+ $code = $_GET["code"];
+ }
+
+ // Validate credentials
+ if (empty($code_err)) {
+ // Prepare a select statement
+ $sql = "SELECT id, username, status, type FROM users WHERE verifycode = ?";
+
+ if ($stmt = mysqli_prepare($link, $sql)) {
+ // Bind variables to the prepared statement as parameters
+ mysqli_stmt_bind_param($stmt, "s", $param_code);
+
+ // Set parameters
+ $param_code = $code;
+
+ // Attempt to execute the prepared statement
+ if (mysqli_stmt_execute($stmt)) {
+ // Store result
+ mysqli_stmt_store_result($stmt);
+
+ // Check if username exists, if yes then verify password
+ if (mysqli_stmt_num_rows($stmt) == 1) {
+ // Bind result variables
+ mysqli_stmt_bind_result($stmt, $id, $username, $status, $type);
+ if (mysqli_stmt_fetch($stmt)){
+ if ($status == "unverified") {
+ // set verified
+ $sql = "UPDATE users SET status = 'verified' WHERE id = ?";
+ if ($stmt = mysqli_prepare($link, $sql)) {
+ mysqli_stmt_bind_param($stmt, "s", $param_id);
+ $param_id = $id;
+ if (mysqli_stmt_execute($stmt) && mysqli_stmt_affected_rows($stmt) == 1) {
+ $verification_success = true;
+ } else {
+ echo "SQL error, ask arf20.";
+ }
+ }
+ } else {
+ $code_err = "Already verified.";
+ }
+ }
+ } else {
+ // Display an error message if username doesn't exist
+ $code_err = "Code does not exist.";
+ }
+ } else{
+ echo "Oops! Something went wrong. Please try again later.";
+ }
+
+ // Close statement
+ mysqli_stmt_close($stmt);
+ }
+ }
+
+ // Close connection
+ mysqli_close($link);
+}
+?>
+
+<!DOCTYPE html>
+<html lang="en">
+ <head>
+ <meta charset="UTF-8">
+ <title>CSTIMS Login</title>
+ <link rel="stylesheet" type="text/css" href="/style.css">
+ </head>
+ <body>
+ <header><a href="https://arf20.com/">
+ <img src="arfnet_logo.png" width="64"><span class="title"><strong>ARFNET</strong></span>
+ </a></header>
+ <hr>
+ <main>
+ <div class="wrapper">
+ <h2>CSTIMS Verification</h2>
+ <?php
+ if ($verification_success) echo "Verification successful, welcome to ARFNET $username.";
+ else echo "Verification failed: ".$code_err;
+ ?>
+ </div>
+ </main>
+ </body>
+</html>
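Review bot: Line 99 of the new file interpolates `$username` into the HTML response unescaped, `echo "Verification successful, welcome to ARFNET $username.";`; the value comes from the users table, and nothing in this diff shows registration restricting it to HTML-safe characters (the login hunk's username regex is unanchored), so it should be `echo "Verification successful, welcome to ARFNET " . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ".";`. The UPDATE binds the integer id with type `"s"`; `mysqli_stmt_bind_param($stmt, "i", $param_id);` matches the column. Reassigning `$stmt` for the UPDATE inside the SELECT's fetch means the later `mysqli_stmt_close($stmt)` closes only the inner statement and the SELECT handle is never closed; use a separate variable such as `$upd` for the update. `strlen($_GET["code"])` throws a TypeError on PHP 8 when `code` is sent as an array (`?code[]=`), so the guard should be `isset($_GET["code"]) && is_string($_GET["code"]) && strlen($_GET["code"]) == 16`.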