- <?php
- include "admin_session_start_rest.php";
- include "admin_database.php";
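$userDetails = $_SESSION['user'];
$username = $userDetails['username']; // admin login name placed in the session by admin_session_start_rest.php (assumed)

// The per-request security key arrives as a cookie; with none there is nothing to validate, so stop here.
if (!isset($_COOKIE['security_key']) || empty($_COOKIE['security_key'])) {
    exit();
}
$security_key = $_COOKIE['security_key'];

/**
 * Collects the named POST fields as strings, or returns null when any is absent, empty() or not scalar.
 * Mirrors the original isset()/!empty() pairs (so "0" still counts as missing) and additionally refuses
 * array values, which the original would have handed straight to PDO::bindParam.
 *
 * @param string[] $keys
 * @return array<string,string>|null
 */
function fnRequirePost(array $keys)
{
    $values = [];
    foreach ($keys as $key) {
        if (!isset($_POST[$key]) || empty($_POST[$key]) || !is_scalar($_POST[$key])) {
            return null;
        }
        $values[$key] = (string) $_POST[$key];
    }
    return $values;
}

/**
 * Rotates both secrets after a handled action: a new CSRF token in the session and a new security key
 * that is written to the admin row and handed back to the browser as a cookie (keys are one-time-use).
 */
function fnRotateKeys($conn)
{
    $_SESSION["user"]["crf"] = fnGenerateRandomKey();
    $seckey = fnGenerateRandomKey();
    // NOTE(review): secure=false / httponly=false kept from the original. If no frontend script reads this
    // cookie, httponly=true is the safer setting, and secure=true once the app is served over HTTPS only.
    setcookie("security_key", $seckey, 0, '/', "", false, false);
    // NOTE(review): this update keys on admin.Name while fnKeyValidator looks up admin.username — confirm both columns exist.
    fnUpdateAdminSecurityKey($conn, $_SESSION['user']['Name'], $seckey);
}

/**
 * Action table: the POST fields each action requires and the call that performs it.
 * Presence is checked here; numeric/existence checks stay inside the fn* helpers.
 */
$actions = [
    "create-user" => [
        'required' => ["studentName", "studentEmail", "studentProgram", "studentPassword"],
        'run' => function (array $p) use ($conn) {
            fnCreateUser($conn, $p["studentName"], $p["studentEmail"], $p["studentProgram"], $p["studentPassword"]);
        },
    ],
    "delete-user" => [
        'required' => ["Student_id"],
        'run' => function (array $p) use ($conn) {
            fnDeleteUser($conn, $p["Student_id"]);
        },
    ],
    "edit-user" => [
        'required' => ["Student_id", "studentname", "studentemail", "studentprogram"],
        'run' => function (array $p) use ($conn) {
            fnEditUser($conn, $p["Student_id"], $p["studentname"], $p["studentprogram"], $p["studentemail"]);
        },
    ],
    "view-user" => [
        // The original called fnViewUser($conn, $user_id) with $user_id never assigned and discarded the
        // result. The field name follows delete-user — TODO confirm against the frontend.
        'required' => ["Student_id"],
        'run' => function (array $p) use ($conn) {
            $rows = fnViewUser($conn, $p["Student_id"]);
            $safe = [];
            foreach ((array) $rows as $row) {
                unset($row['password']); // SELECT * includes the stored hash; never send it to the client
                $safe[] = $row;
            }
            echo json_encode($safe);
        },
    ],
    "create-class" => [
        'required' => ["className", "study_program_id", "teacher_id"],
        'run' => function (array $p) use ($conn) {
            fnCreateClass($conn, $p["className"], $p["teacher_id"], $p["study_program_id"]);
        },
    ],
    "edit-class" => [
        'required' => ["class_id", "className", "study_program_id", "teacher_id"],
        'run' => function (array $p) use ($conn) {
            fnEditClass($conn, $p["class_id"], $p["className"], $p["study_program_id"], $p["teacher_id"]);
        },
    ],
    "delete-class" => [
        'required' => ["class_id"],
        'run' => function (array $p) use ($conn) {
            fnDeleteClass($conn, $p["class_id"]);
        },
    ],
    "assign-class" => [
        // The original used $user_id / $class_id, neither of which was assigned anywhere; the field names
        // follow the other handlers — TODO confirm against the frontend.
        'required' => ["Student_id", "class_id"],
        'run' => function (array $p) use ($conn) {
            fnAssignClassToStudent($conn, $p["Student_id"], $p["class_id"]);
        },
    ],
    "unassign-class" => [
        'required' => ["Student_id", "class_id"], // same assumption as assign-class
        'run' => function (array $p) use ($conn) {
            fnUnAssignClassToStudent($conn, $p["Student_id"], $p["class_id"]);
        },
    ],
    "create-teacher" => [
        'required' => ["teachername", "teacherusername", "teacheremail", "teacherpassword"],
        'run' => function (array $p) use ($conn) {
            fnCreateTeacher($conn, $p["teachername"], $p["teacherusername"], $p["teacheremail"], $p["teacherpassword"]);
        },
    ],
    "edit-teacher" => [
        'required' => ["teachername", "teacheremail", "Teacher_id"],
        'run' => function (array $p) use ($conn) {
            fnEditTeacher($conn, $p["Teacher_id"], $p["teachername"], $p["teacheremail"]);
        },
    ],
    "delete-teacher" => [
        'required' => ["Teacher_id"],
        'run' => function (array $p) use ($conn) {
            fnDeleteTeacher($conn, $p["Teacher_id"]);
        },
    ],
];

$auth = fnKeyValidator($conn, $username, $security_key);
if ($auth !== true || !isset($_POST["func"]) || empty($_POST["func"]) || !is_string($_POST["func"])) {
    echo("Bad request"); // unknown admin, stale security key, or no action named
} else {
    $func = $_POST["func"];
    // CSRF token: required on both sides and compared in constant time instead of with ==.
    // The debug echoes of $func and both tokens are gone: they wrote the live CSRF token into the response body.
    $postCrf = (isset($_POST['crf']) && is_string($_POST['crf']) && !empty($_POST['crf'])) ? $_POST['crf'] : null;
    $sessionCrf = (isset($_SESSION["user"]["crf"]) && is_string($_SESSION["user"]["crf"]) && !empty($_SESSION["user"]["crf"])) ? $_SESSION["user"]["crf"] : null;
    if ($postCrf === null || $sessionCrf === null || !hash_equals($sessionCrf, $postCrf)) {
        echo("Bad request"); // missing or mismatched CSRF token (previously this case produced no response)
    } elseif (!isset($actions[$func])) {
        fnIncorrectCall(); // incorrect call
    } else {
        $params = fnRequirePost($actions[$func]['required']);
        if ($params === null) {
            fnIncorrectCall(); // a required field is missing; previously this case produced no response at all
        } else {
            $actions[$func]['run']($params);
            fnRotateKeys($conn); // every handled action invalidates both tokens, as before
        }
    }
}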
/**
 * Returns a 50-character lowercase hex token derived from 25 bytes of random_bytes() (CSPRNG).
 */
function fnGenerateRandomKey(){
    return bin2hex(random_bytes(25));
}
/**
 * Stores a new security key on the admin row whose Name equals $username.
 * Both values are bound parameters, so neither can change the statement text.
 */
function fnUpdateAdminSecurityKey($conn,$username,$new_security_key){
    $stmt = $conn->prepare("UPDATE `admin` SET `security_key`=:new_security_key WHERE Name=:username");
    $stmt->execute([
        ':username' => $username,
        ':new_security_key' => $new_security_key,
    ]);
}
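/**
 * True when $value contains something other than whitespace.
 * Fix: the old isset() test ran on the already-assigned trim() result and was therefore always true,
 * and trim(null) is deprecated since PHP 8.1; null is now rejected up front.
 *
 * @param mixed $value scalar (or null) to test
 * @return bool
 */
function has_presence($value){ // check if variable is not empty
    if ($value === null) {
        return false;
    }
    return trim((string) $value) !== "";
}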
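/**
 * Inserts a student row after confirming the study program id exists.
 * Echoes "Incorrect study program" on an unknown id and fnIncorrectCall() on a non-numeric one.
 * Fix: the id lookup used loose == inside a manual loop and stayed silent when the program table
 * was empty; it is now a strict membership test on int-cast ids.
 *
 * @return bool true when the INSERT ran (callers may ignore it, as before)
 */
function fnCreateUser($conn,$studentName,$studentEmail,$studentProgram,$studentPassword){
    if (is_numeric($studentProgram) !== true) {
        fnIncorrectCall(); // if study program id is not number incorrect call
        return false;
    }
    // PDO hands ids back as strings and the POST value is a string: compare as ints, strictly.
    $knownIds = array_map(function ($id) { return (int) $id; }, array_column(fnGetStudyPrograms($conn), "Study_Program_id"));
    if (!in_array((int) $studentProgram, $knownIds, true)) {
        echo("Incorrect study program");
        return false;
    }
    $stmt = $conn->prepare("INSERT INTO `student`(`Name`, `Study_Program_id`, `password`, `email`) VALUES (:studentName,:studentProgram,:studentPassword,:studentEmail)");
    $stmt->execute([
        ':studentName' => $studentName,
        ':studentEmail' => $studentEmail,
        ':studentProgram' => $studentProgram,
        ':studentPassword' => fnPasswordHash($studentPassword), // only the hash reaches the table
    ]);
    return true;
}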
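/**
 * Inserts a teacher row; the password is hashed before it is bound.
 * Fix: the empty catch block swallowed every failure without a trace. Database errors are now
 * logged server-side and reported through the return value, still without failing the request.
 *
 * @return bool true when the INSERT ran
 */
function fnCreateTeacher($conn,$studentName,$username,$email,$password){
    try {
        $stmt = $conn->prepare("INSERT INTO `teacher`(`Name`, `password`, `username`, `email`) VALUES (:studentName,:password,:username,:email)");
        return $stmt->execute([
            ':studentName' => $studentName,
            ':username' => $username,
            ':email' => $email,
            ':password' => fnPasswordHash($password), // only the hash reaches the table
        ]);
    } catch (PDOException $e) {
        error_log('fnCreateTeacher failed: ' . $e->getMessage()); // operator-visible, not client-visible
        return false;
    }
}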
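/**
 * Updates a teacher's Name and email by Teacher_id.
 * Fix: the caught exception was echoed into the HTTP response (message, SQL fragment, trace); it is now
 * logged server-side and signalled by the false return. A non-numeric id is rejected up front, the same
 * way fnDeleteTeacher does it.
 *
 * @return bool true when the UPDATE ran
 */
function fnEditTeacher($conn,$Teacher_id,$teachername,$email){
    if (!is_numeric($Teacher_id)) {
        fnIncorrectCall();
        return false;
    }
    try {
        $stmt = $conn->prepare("UPDATE `teacher` SET `Name`=:teachername,`email`=:email WHERE Teacher_id=:Teacher_id");
        return $stmt->execute([
            ':Teacher_id' => $Teacher_id,
            ':teachername' => $teachername,
            ':email' => $email,
        ]);
    } catch (PDOException $e) {
        error_log('fnEditTeacher failed: ' . $e->getMessage()); // operator-visible, not client-visible
        return false;
    }
}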
/**
 * Hashes a password with password_hash(PASSWORD_DEFAULT) after appending a fixed in-source pepper.
 * The pepper string must stay byte-identical: every stored hash was produced with it, and any
 * password_verify() caller has to append the same value (moving it to configuration is advisable).
 * NOTE(review): bcrypt, the current PASSWORD_DEFAULT, only hashes the first 72 bytes, so for very long
 * inputs the appended pepper falls outside the hashed region.
 */
function fnPasswordHash($input){
    $peper="best project ever!";
    return password_hash($input . $peper, PASSWORD_DEFAULT);
}
/**
 * Deletes the student row with the given numeric id; anything non-numeric goes to fnIncorrectCall().
 */
function fnDeleteUser($conn,$user_id){
    if (!is_numeric($user_id)) {
        fnIncorrectCall();
        return;
    }
    $stmt = $conn->prepare("DELETE FROM `student` WHERE student_id=:user_id;");
    $stmt->execute([':user_id' => $user_id]);
}
/**
 * Deletes the teacher row with the given numeric id; anything non-numeric goes to fnIncorrectCall().
 */
function fnDeleteTeacher($conn,$Teacher_id){
    if (!is_numeric($Teacher_id)) {
        fnIncorrectCall();
        return;
    }
    $stmt = $conn->prepare("DELETE FROM `teacher` WHERE Teacher_id=:Teacher_id;");
    $stmt->execute([':Teacher_id' => $Teacher_id]);
}
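/**
 * Updates a student's Name, study program and email by id after confirming the program id exists.
 * Echoes "Incorrect study program" on an unknown id; fnIncorrectCall() when either id is not numeric.
 * Fix: the program lookup used loose == in a manual loop and said nothing when the program table was
 * empty; it is now a strict membership test on int-cast ids.
 *
 * @return bool true when the UPDATE ran
 */
function fnEditUser($conn,$user_id,$studentName,$study_program_id,$email){
    if (!is_numeric($user_id) || !is_numeric($study_program_id)) {
        fnIncorrectCall();
        return false;
    }
    $knownIds = array_map(function ($id) { return (int) $id; }, array_column(fnGetStudyPrograms($conn), "Study_Program_id"));
    if (!in_array((int) $study_program_id, $knownIds, true)) {
        echo("Incorrect study program");
        return false;
    }
    $stmt = $conn->prepare("UPDATE `student` SET `Name`=:studentName,`Study_Program_id`=:study_program_id,`email`=:email WHERE student_id=:user_id");
    $stmt->execute([
        ':user_id' => $user_id,
        ':studentName' => $studentName,
        ':study_program_id' => $study_program_id,
        ':email' => $email,
    ]);
    return true;
}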
/**
 * Returns every column of the student row(s) with the given numeric id, as assoc arrays.
 * The result includes the `password` column (the hash written by fnCreateUser), so callers must strip
 * it before sending anything to a client. Non-numeric ids go to fnIncorrectCall() and yield null.
 */
function fnViewUser($conn,$user_id){
    if (!is_numeric($user_id)) {
        fnIncorrectCall();
        return null;
    }
    $stmt = $conn->prepare("SELECT * FROM `student` WHERE student_id=:user_id");
    $stmt->execute([':user_id' => $user_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
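/**
 * Inserts a class once both the study program id and the teacher id refer to existing rows.
 * Echoes "Incorrect study program" / "Incorrect teacher id" when a lookup fails.
 * Fix: a non-numeric id returned silently (fnEditClass reports it via fnIncorrectCall, so this does
 * too), and the nested loops compared ids with loose ==; both lookups are now strict int membership tests.
 *
 * @return bool true when the INSERT ran
 */
function fnCreateClass($conn,$className,$teacher_id,$study_program_id){
    if (is_numeric($study_program_id) !== true || is_numeric($teacher_id) !== true) {
        fnIncorrectCall();
        return false;
    }
    $toInt = function ($id) { return (int) $id; };
    $programIds = array_map($toInt, array_column(fnGetStudyPrograms($conn), "Study_Program_id"));
    if (!in_array((int) $study_program_id, $programIds, true)) {
        echo("Incorrect study program");
        return false;
    }
    $teacherIds = array_map($toInt, array_column(fnGetTeachers($conn), "Teacher_id"));
    if (!in_array((int) $teacher_id, $teacherIds, true)) {
        echo("Incorrect teacher id");
        return false;
    }
    $stmt = $conn->prepare("INSERT INTO `class`(`Name`, `Teacher_id`, `Study_Program_id`) VALUES (:className,:teacher_id,:study_program_id)");
    $stmt->execute([
        ':className' => $className,
        ':teacher_id' => $teacher_id,
        ':study_program_id' => $study_program_id,
    ]);
    return true;
}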
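/**
 * Updates a class's Name, study program and teacher after checking both referenced ids exist.
 * Echoes "Incorrect study program" / "Incorrect teacher id" when a lookup fails.
 * Fix: $teacher_id was never checked with is_numeric (only class_id and study_program_id were),
 * unlike fnCreateClass; all three must now be numeric before any query runs, and the id lookups are
 * strict int membership tests instead of loose == in nested loops.
 *
 * @return bool true when the UPDATE ran
 */
function fnEditClass($conn,$class_id,$className,$study_program_id,$teacher_id){
    if (!is_numeric($class_id) || !is_numeric($study_program_id) || !is_numeric($teacher_id)) {
        fnIncorrectCall();
        return false;
    }
    $toInt = function ($id) { return (int) $id; };
    $programIds = array_map($toInt, array_column(fnGetStudyPrograms($conn), "Study_Program_id"));
    if (!in_array((int) $study_program_id, $programIds, true)) {
        echo("Incorrect study program");
        return false;
    }
    $teacherIds = array_map($toInt, array_column(fnGetTeachers($conn), "Teacher_id"));
    if (!in_array((int) $teacher_id, $teacherIds, true)) {
        echo("Incorrect teacher id");
        return false;
    }
    $stmt = $conn->prepare("UPDATE `class` SET `Name`=:className,`Study_Program_id`=:study_program_id,`Teacher_id`=:teacher_id WHERE class_id=:class_id");
    $stmt->execute([
        ':class_id' => $class_id,
        ':className' => $className,
        ':study_program_id' => $study_program_id,
        ':teacher_id' => $teacher_id,
    ]);
    return true;
}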
/**
 * Deletes the class row with the given numeric id; anything non-numeric goes to fnIncorrectCall().
 */
function fnDeleteClass($conn,$class_id){
    if (!is_numeric($class_id)) {
        fnIncorrectCall();
        return;
    }
    $stmt = $conn->prepare("DELETE FROM `class` WHERE class_id=:class_id;");
    $stmt->execute([':class_id' => $class_id]);
}
/**
 * Returns all rows of `study_program` as assoc arrays (empty array when the table is empty).
 */
function fnGetStudyPrograms($conn){
    $stmt = $conn->query("SELECT * FROM `study_program`"); // constant statement, nothing to bind
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
/**
 * Returns all rows of `teacher` as assoc arrays. SELECT * includes the `password` column written by
 * fnCreateTeacher, so this result must not be echoed to a client unfiltered.
 */
function fnGetTeachers($conn){
    $stmt = $conn->query("SELECT * FROM `teacher`"); // constant statement, nothing to bind
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
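/**
 * Reports a malformed API call. Fix: the response carried a 200 status, so clients and access logs
 * could not distinguish a rejected call from a successful one; a 400 is now set when no output has been
 * sent yet (setting it later would only raise a warning).
 */
function fnIncorrectCall(){
    if (!headers_sent()) {
        http_response_code(400);
    }
    echo("Bad request//Incorrect api call");
}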
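/**
 * Checks that the security key presented by the client equals the one stored for $username.
 * Exactly one admin row must match. Fix: the keys were compared with ===, whose running time depends
 * on the first differing byte; hash_equals() is used instead. An empty or missing stored key never
 * validates (hash_equals('', '') would be true).
 *
 * @return bool
 */
function fnKeyValidator($conn,$username,$security_key){ // check if security_key from frontend matches security_key from database
    $stmt = $conn->prepare("SELECT * FROM admin WHERE username =:username LIMIT 1");
    $stmt->execute([':username' => $username]);
    $rows = $stmt->fetchAll();
    if (count($rows) !== 1) {
        return false;
    }
    $stored = isset($rows[0]["security_key"]) ? $rows[0]["security_key"] : null;
    if (!is_string($stored) || $stored === '' || !is_string($security_key) || $security_key === '') {
        return false;
    }
    return hash_equals($stored, $security_key);
}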
/**
 * Returns every admin row with all columns as assoc arrays. The result includes `security_key`
 * (see fnUpdateAdminSecurityKey), so it must never be echoed unfiltered. Not called elsewhere in this file.
 */
function fnGetAllAdmins($conn){
    return $conn->query("SELECT * FROM admin")->fetchAll(PDO::FETCH_ASSOC);
}
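/**
 * Returns the class row(s) with the given id as assoc arrays (at most one, LIMIT 1), or [] when the id
 * is not numeric. Fix: this was the only id lookup in the file gated by has_presence() rather than
 * is_numeric(), so any non-blank text was sent to the database, and a blank id returned null instead
 * of an array.
 *
 * @return array
 */
function fnGetClass($conn,$class_id){
    if (!is_numeric($class_id)) {
        return [];
    }
    $stmt = $conn->prepare("SELECT * FROM class WHERE Class_id =:class_id LIMIT 1");
    $stmt->execute([':class_id' => $class_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}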
/**
 * Links a student to a class, but only when both fnViewUser() and fnGetClass() return a row;
 * the class lookup is skipped when the student lookup is already empty.
 */
function fnAssignClassToStudent($conn,$student_id,$class_id){
    if (empty(fnViewUser($conn, $student_id)) || empty(fnGetClass($conn, $class_id))) {
        return;
    }
    $stmt = $conn->prepare("INSERT INTO `student_has_class`(`Student_id`, `Class_id`) VALUES (:student_id,:class_id)");
    $stmt->execute([
        ':student_id' => $student_id,
        ':class_id' => $class_id,
    ]);
}
/**
 * Removes the student/class link, but only when both fnViewUser() and fnGetClass() return a row;
 * the class lookup is skipped when the student lookup is already empty.
 */
function fnUnAssignClassToStudent($conn,$student_id,$class_id){
    if (empty(fnViewUser($conn, $student_id)) || empty(fnGetClass($conn, $class_id))) {
        return;
    }
    $stmt = $conn->prepare("DELETE FROM `student_has_class` WHERE Student_id=:student_id and class_id=:class_id");
    $stmt->execute([
        ':student_id' => $student_id,
        ':class_id' => $class_id,
    ]);
}
- ?>