  1. <?php
  2.  
  3. error_reporting(0);
  4. ini_set('display_errors', 0);
  5.  
  6. const IS_MAIN = true;
  7. require_once(__DIR__ . '/common.inc.php');
  8. require_once(__DIR__ . '/session.inc.php');
  9. require_once(__DIR__ . '/crypto.inc.php');
  10.  
  11. if (!isset($_POST)) {
  12. die();
  13. }
  14.  
  15. global $flag;
  16.  
  17. $data = null;
  18. $in = file_get_contents('php://input');
  19.  
  20. if (strlen($in) > 0) {
  21. $data = json_decode($in, true);
  22. $data = str_ireplace(',', '_', $data);
  23.  
  24. if (isset($data['status']) && strpos($data['status'], 'eventStart') > -1) {
  25. $data['timestamp'] = filter_var($data['timestamp'], FILTER_SANITIZE_NUMBER_INT);
  26. $fname = $_SESSION['folder'] . $data['timestamp'] . '_' . $ANALYTICS_FILE_NAME;
  27. $f = fopen($fname, 'wb');
  28. session_write_close();
  29.  
  30. $newdata = Array(
  31. $data['type'], // needs encryption for GDPR
  32. $data['url'], // needs encryption for GDPR (to prevent user tracking)
  33. $data['ua'], // needs encryption for GDPR (very important PII)
  34. $data['timestamp'], // not important for GDPR but we'll still encrypt it for privacy, who knows those hackers...
  35. $data['status'], // needs encryption for GDPR
  36. $data['event_data']['type'], // needs encryption for GDPR
  37. $data['event_data']['target'], // needs encryption for GDPR
  38. $data['event_data']['x'], // (x, y) coordinates need encryption for GDPR (can't leak the location of clicks)
  39. $data['event_data']['y'] // (x, y) coordinates need encryption for GDPR (can't leak the location of clicks)
  40. );
  41.  
  42. // cache the file not to loose it if encryption fails
  43. fwrite($f, json_encode($newdata));
  44. fclose($f);
  45.  
  46. // hash the key (flag) as many times as we have data
  47. // (the more data, the more we need to hash for security)
  48. // bcrypt with many rounds is very secure
  49. // we can always validate that metrics are intact and have not been forged by simply checking the hash later
  50. $opts = Array('cost'=>(sizeof($data) > 4 ? sizeof($data) : 4));
  51.  
  52. $key = password_hash($flag, PASSWORD_BCRYPT, $opts);
  53. // var_dump(sizeof($data)); // to ensure there's enough hash rounds
  54.  
  55. // use our new key to encrypt the analytics data for GDPR
  56. $encrypted_data = Array(
  57. encrypt($data['type'], $key),
  58. encrypt($data['url'], $key),
  59. encrypt($data['ua'], $key),
  60. encrypt($data['timestamp'], $key),
  61. encrypt($data['status'], $key),
  62. encrypt($data['event_data']['type'], $key),
  63. encrypt($data['event_data']['target'], $key),
  64. encrypt($data['event_data']['x'], $key),
  65. encrypt($data['event_data']['y'], $key)
  66. );
  67.  
  68. $final = json_encode(
  69. Array(
  70. "key" => $key,
  71. "data" => json_encode($encrypted_data),
  72. )
  73. );
  74.  
  75. // save the encrypted data
  76. $f = fopen($fname, 'wb');
  77. fwrite($f, $final);
  78. fclose($f);
  79.  
  80. header("X-Analytics: " . substr($key, 7, strlen($key)), false, 200);
  81. }
  82. } else {
  83. die_nicely();
  84. }