„include/grids.php“ ändern

Code Style
BlubbFish 2020-01-14 21:09:14 +01:00
parent fa692cf4f9
commit 88e65bc35f


@ -1,134 +1,108 @@
<?php <?php
session_start(); session_start();
if(!isset($_SESSION['admin_id'])) {
if(!isset($_SESSION['admin_id']))
exit -1; exit -1;
}
require(dirname(__FILE__) . '/connect.php'); require(dirname(__FILE__) . '/connect.php');
require(dirname(__FILE__) . '/functions.php'); require(dirname(__FILE__) . '/functions.php');
// ---------------- SELECT ---------------- // ---------------- SELECT ----------------
if(isset($_GET['select'])){ if(isset($_GET['select'])){
if($_GET['select'] == "user"){ // Select the users
// Select the users
if($_GET['select'] == "user"){
$req = $bdd->prepare('SELECT * FROM user'); $req = $bdd->prepare('SELECT * FROM user');
$req->execute(); $req->execute();
if($data = $req->fetch()) { if($data = $req->fetch()) {
do { do {
$list[] = array("user_id" => $data['user_id'], $list[] = array(
"user_pass" => $data['user_pass'], "user_id" => $data['user_id'],
"user_mail" => $data['user_mail'], "user_pass" => $data['user_pass'],
"user_phone" => $data['user_phone'], "user_mail" => $data['user_mail'],
"user_online" => $data['user_online'], "user_phone" => $data['user_phone'],
"user_enable" => $data['user_enable'], "user_online" => $data['user_online'],
"user_start_date" => $data['user_start_date'], "user_enable" => $data['user_enable'],
"user_end_date" => $data['user_end_date']); "user_start_date" => $data['user_start_date'],
"user_end_date" => $data['user_end_date']
);
} while($data = $req->fetch()); } while($data = $req->fetch());
echo json_encode($list); echo json_encode($list);
} }
// If it is an empty answer, we need to encore an empty json object
else{ else{
$list = array(); echo json_encode(array()); // If it is an empty answer, we need to encore an empty json object
echo json_encode($list);
} }
} }
else if($_GET['select'] == "log" && isset($_GET['offset'], $_GET['limit'])){ // Select the logs
// Select the logs
else if($_GET['select'] == "log" && isset($_GET['offset'], $_GET['limit'])){
$offset = intval($_GET['offset']); $offset = intval($_GET['offset']);
$limit = intval($_GET['limit']); $limit = intval($_GET['limit']);
// Creation of the LIMIT for build different pages // Creation of the LIMIT for build different pages
$page = "LIMIT $offset, $limit"; $page = "LIMIT $offset, $limit";
// ... filtering by the bootstrap table plugin // ... filtering by the bootstrap table plugin
$filter = isset($_GET['filter']) ? json_decode($_GET['filter'],true) : []; // this is passed by the bootstrap table filter plugin (if a filter was chosen by the user): these are the concrete set filters with their value $filter = isset($_GET['filter']) ? json_decode($_GET['filter'],true) : []; // this is passed by the bootstrap table filter plugin (if a filter was chosen by the user): these are the concrete set filters with their value
$where = !empty($filter)?'WHERE TRUE':''; $where = !empty($filter)?'WHERE TRUE':'';
$allowed_query_filters = ['user_id', 'log_trusted_ip','log_trusted_port','log_remote_ip','log_remote_port']; // these are valid filters that could be used (defined here for sql security reason) $allowed_query_filters = ['user_id', 'log_trusted_ip','log_trusted_port','log_remote_ip','log_remote_port']; // these are valid filters that could be used (defined here for sql security reason)
$query_filters_existing = []; $query_filters_existing = [];
foreach($filter as $unsanitized_filter_key => $unsanitized_filter_val) { foreach($filter as $unsanitized_filter_key => $unsanitized_filter_val) {
if(in_array($unsanitized_filter_key, $allowed_query_filters)) { // if this condition does not match: ignore it, because this parameter should not be passed if(in_array($unsanitized_filter_key, $allowed_query_filters)) { // if this condition does not match: ignore it, because this parameter should not be passed
// if $unsanitized_filter_key is in array $allowed_query_filters its a valid key and can not be harmful, so it can be considered sanitized // if $unsanitized_filter_key is in array $allowed_query_filters its a valid key and can not be harmful, so it can be considered sanitized
$where .= " AND $unsanitized_filter_key = ?"; $where .= " AND $unsanitized_filter_key = ?";
$query_filters_existing[] = $unsanitized_filter_key; $query_filters_existing[] = $unsanitized_filter_key;
} }
} }
// Select the logs // Select the logs
$req_string = "SELECT *, (SELECT COUNT(*) FROM log $where) AS nb FROM log $where ORDER BY log_id DESC $page"; $req_string = "SELECT *, (SELECT COUNT(*) FROM log $where) AS nb FROM log $where ORDER BY log_id DESC $page";
$req = $bdd->prepare($req_string); $req = $bdd->prepare($req_string);
// dynamically bind the params // dynamically bind the params
foreach(array_merge($query_filters_existing,$query_filters_existing) as $i => $query_filter) // array_merge -> duplicated the array contents; this is needed because our where clause is bound two times (in subquery + the outer query) foreach(array_merge($query_filters_existing,$query_filters_existing) as $i => $query_filter) { // array_merge -> duplicated the array contents; this is needed because our where clause is bound two times (in subquery + the outer query)
$req->bindValue($i+1, $filter[$query_filter]); $req->bindValue($i+1, $filter[$query_filter]);
}
$req->execute(); $req->execute();
$list = array(); $list = array();
$data = $req->fetch(); $data = $req->fetch();
if($data) { if($data) {
$nb = $data['nb']; $nb = $data['nb'];
do { do {
// Better in Kb or Mb // Better in Kb or Mb
$received = ($data['log_received'] > 1000000) ? $data['log_received']/1000000 . " Mo" : $data['log_received']/1000 . " Ko"; $received = ($data['log_received'] > 1000000) ? $data['log_received']/1000000 . " Mo" : $data['log_received']/1000 . " Ko";
$sent = ($data['log_send'] > 1000000) ? $data['log_send']/1000000 . " Mo" : $data['log_send']/1000 . " Ko"; $sent = ($data['log_send'] > 1000000) ? $data['log_send']/1000000 . " Mo" : $data['log_send']/1000 . " Ko";
// We add to the array the new line of logs // We add to the array the new line of logs
array_push($list, array( array_push($list, array(
"log_id" => $data['log_id'], "log_id" => $data['log_id'],
"user_id" => $data['user_id'], "user_id" => $data['user_id'],
"log_trusted_ip" => $data['log_trusted_ip'], "log_trusted_ip" => $data['log_trusted_ip'],
"log_trusted_port" => $data['log_trusted_port'], "log_trusted_port" => $data['log_trusted_port'],
"log_remote_ip" => $data['log_remote_ip'], "log_remote_ip" => $data['log_remote_ip'],
"log_remote_port" => $data['log_remote_port'], "log_remote_port" => $data['log_remote_port'],
"log_start_time" => $data['log_start_time'], "log_start_time" => $data['log_start_time'],
"log_end_time" => $data['log_end_time'], "log_end_time" => $data['log_end_time'],
"log_received" => $received, "log_received" => $received,
"log_send" => $sent)); "log_send" => $sent)
);
} while ($data = $req->fetch()); } while ($data = $req->fetch());
} }
else { else {
$nb = 0; $nb = 0;
} }
// We finally print the result // We finally print the result
$result = array('total' => intval($nb), 'rows' => $list); $result = array('total' => intval($nb), 'rows' => $list);
echo json_encode($result); echo json_encode($result);
} }
else if($_GET['select'] == "admin"){ // Select the admins
// Select the admins
else if($_GET['select'] == "admin"){
$req = $bdd->prepare('SELECT * FROM admin'); $req = $bdd->prepare('SELECT * FROM admin');
$req->execute(); $req->execute();
if($data = $req->fetch()) { if($data = $req->fetch()) {
do{ do{
$list[] = array( $list[] = array(
"admin_id" => $data['admin_id'], "admin_id" => $data['admin_id'],
"admin_pass" => $data['admin_pass'] "admin_pass" => $data['admin_pass']
); );
} while($data = $req->fetch()); } while($data = $req->fetch());
echo json_encode($list); echo json_encode($list);
} }
else{ else{
$list = array(); echo json_encode(array());
echo json_encode($list);
} }
} }
} }
else if(isset($_POST['add_user'], $_POST['user_id'], $_POST['user_pass'])){ // ---------------- ADD USER ----------------
// ---------------- ADD USER ----------------
else if(isset($_POST['add_user'], $_POST['user_id'], $_POST['user_pass'])){
// Put some default values // Put some default values
$id = $_POST['user_id']; $id = $_POST['user_id'];
$pass = hashPass($_POST['user_pass']); $pass = hashPass($_POST['user_pass']);
@ -138,12 +112,10 @@
$enable = 1; $enable = 1;
$start = null; $start = null;
$end = null; $end = null;
$req = $bdd->prepare('INSERT INTO user (user_id, user_pass, user_mail, user_phone, user_online, user_enable, user_start_date, user_end_date) VALUES (?, ?, ?, ?, ?, ?, ?, ?)');
$req = $bdd->prepare('INSERT INTO user (user_id, user_pass, user_mail, user_phone, user_online, user_enable, user_start_date, user_end_date)
VALUES (?, ?, ?, ?, ?, ?, ?, ?)');
$req->execute(array($id, $pass, $mail, $phone, $online, $enable, $start, $end)); $req->execute(array($id, $pass, $mail, $phone, $online, $enable, $start, $end));
$res = array(
$res = array("user_id" => $id, "user_id" => $id,
"user_pass" => $pass, "user_pass" => $pass,
"user_mail" => $mail , "user_mail" => $mail ,
"user_phone" => $phone, "user_phone" => $phone,
@ -152,84 +124,60 @@
"user_start_date" => $start, "user_start_date" => $start,
"user_end_date" => $end "user_end_date" => $end
); );
echo json_encode($res); echo json_encode($res);
} }
else if(isset($_POST['set_user'])){ // ---------------- UPDATE USER ----------------
// ---------------- UPDATE USER ----------------
else if(isset($_POST['set_user'])){
$valid = array("user_id", "user_pass", "user_mail", "user_phone", "user_enable", "user_start_date", "user_end_date"); $valid = array("user_id", "user_pass", "user_mail", "user_phone", "user_enable", "user_start_date", "user_end_date");
$field = $_POST['name']; $field = $_POST['name'];
$value = $_POST['value']; $value = $_POST['value'];
$pk = $_POST['pk']; $pk = $_POST['pk'];
if (!isset($field) || !isset($pk) || !in_array($field, $valid)) { if (!isset($field) || !isset($pk) || !in_array($field, $valid)) {
return; return;
} }
if ($field === 'user_pass') { if ($field === 'user_pass') {
$value = hashPass($value); $value = hashPass($value);
} }
else if (($field === 'user_start_date' || $field === 'user_end_date') && $value === '') { else if (($field === 'user_start_date' || $field === 'user_end_date') && $value === '') {
$value = null; $value = null;
} }
// /!\ SQL injection: field was checked with in_array function // /!\ SQL injection: field was checked with in_array function
$req_string = 'UPDATE user SET ' . $field . ' = ? WHERE user_id = ?'; $req_string = 'UPDATE user SET ' . $field . ' = ? WHERE user_id = ?';
$req = $bdd->prepare($req_string); $req = $bdd->prepare($req_string);
$req->execute(array($value, $pk)); $req->execute(array($value, $pk));
} }
else if(isset($_POST['del_user'], $_POST['del_user_id'])){ // ---------------- REMOVE USER ----------------
// ---------------- REMOVE USER ----------------
else if(isset($_POST['del_user'], $_POST['del_user_id'])){
$req = $bdd->prepare('DELETE FROM user WHERE user_id = ?'); $req = $bdd->prepare('DELETE FROM user WHERE user_id = ?');
$req->execute(array($_POST['del_user_id'])); $req->execute(array($_POST['del_user_id']));
} }
else if(isset($_POST['add_admin'], $_POST['admin_id'], $_POST['admin_pass'])){ // ---------------- ADD ADMIN ----------------
// ---------------- ADD ADMIN ----------------
else if(isset($_POST['add_admin'], $_POST['admin_id'], $_POST['admin_pass'])){
$req = $bdd->prepare('INSERT INTO admin(admin_id, admin_pass) VALUES (?, ?)'); $req = $bdd->prepare('INSERT INTO admin(admin_id, admin_pass) VALUES (?, ?)');
$req->execute(array($_POST['admin_id'], hashPass($_POST['admin_pass']))); $req->execute(array($_POST['admin_id'], hashPass($_POST['admin_pass'])));
} }
else if(isset($_POST['set_admin'])){ // ---------------- UPDATE ADMIN ----------------
// ---------------- UPDATE ADMIN ----------------
else if(isset($_POST['set_admin'])){
$valid = array("admin_id", "admin_pass"); $valid = array("admin_id", "admin_pass");
$field = $_POST['name']; $field = $_POST['name'];
$value = $_POST['value']; $value = $_POST['value'];
$pk = $_POST['pk']; $pk = $_POST['pk'];
if (!isset($field) || !isset($pk) || !in_array($field, $valid)) { if (!isset($field) || !isset($pk) || !in_array($field, $valid)) {
return; return;
} }
if ($field === 'admin_pass') { if ($field === 'admin_pass') {
$value = hashPass($value); $value = hashPass($value);
} }
$req_string = 'UPDATE admin SET ' . $field . ' = ? WHERE admin_id = ?'; $req_string = 'UPDATE admin SET ' . $field . ' = ? WHERE admin_id = ?';
$req = $bdd->prepare($req_string); $req = $bdd->prepare($req_string);
$req->execute(array($value, $pk)); $req->execute(array($value, $pk));
} }
else if(isset($_POST['del_admin'], $_POST['del_admin_id'])){ // ---------------- REMOVE ADMIN ----------------
// ---------------- REMOVE ADMIN ----------------
else if(isset($_POST['del_admin'], $_POST['del_admin_id'])){
$req = $bdd->prepare('DELETE FROM admin WHERE admin_id = ?'); $req = $bdd->prepare('DELETE FROM admin WHERE admin_id = ?');
$req->execute(array($_POST['del_admin_id'])); $req->execute(array($_POST['del_admin_id']));
} }
else if(isset($_POST['update_config'])){ // ---------------- UPDATE CONFIG ----------------
// ---------------- UPDATE CONFIG ----------------
else if(isset($_POST['update_config'])){
$pathinfo = pathinfo($_POST['config_file']); $pathinfo = pathinfo($_POST['config_file']);
$config_full_uri = $_POST['config_file']; // the complete path to the file, including the file (name) its self and the fully qualified path $config_full_uri = $_POST['config_file']; // the complete path to the file, including the file (name) its self and the fully qualified path
$config_full_path = $pathinfo['dirname']; // path to file (without filename its self) $config_full_path = $pathinfo['dirname']; // path to file (without filename its self)
$config_name = basename($_POST['config_file']); // config file name only (without path) $config_name = basename($_POST['config_file']); // config file name only (without path)
$config_parent_dir = basename($config_full_path); // name of the dir that contains the config file (without path) $config_parent_dir = basename($config_full_path); // name of the dir that contains the config file (without path)
/* /*
* create backup for history * create backup for history
*/ */
@ -237,12 +185,10 @@
mkdir($dir, 0777, true); mkdir($dir, 0777, true);
$ts = time(); $ts = time();
copy("../$config_full_uri", "../$config_full_path/history/${ts}_${config_name}"); copy("../$config_full_uri", "../$config_full_path/history/${ts}_${config_name}");
/* /*
* write config * write config
*/ */
$conf_success = file_put_contents('../'.$_POST['config_file'], $_POST['config_content']); $conf_success = file_put_contents('../'.$_POST['config_file'], $_POST['config_content']);
echo json_encode([ echo json_encode([
'debug' => [ 'debug' => [
'config_file' => $_POST['config_file'], 'config_file' => $_POST['config_file'],
@ -251,5 +197,4 @@
'config_success' => $conf_success !== false, 'config_success' => $conf_success !== false,
]); ]);
} }
?> ?>
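Review bot: The UPDATE CONFIG branch (from L206) hands `$_POST['config_file']` straight to `copy("../$config_full_uri", ...)` and `file_put_contents('../'.$_POST['config_file'], $_POST['config_content'])` without checking that the resolved path stays inside the directory the admin UI is meant to manage, so any request that carries a valid admin session (the script gates only on `$_SESSION['admin_id']`; no CSRF token is visible in this view) can overwrite any file the web-server user is allowed to write, not just the intended configs. The commit only relocates the section comments, so this check is still missing; the target directory should be resolved with `realpath()` and confined to a fixed root before the `mkdir`/`copy`/`file_put_contents` sequence runs, as in the excerpt below, where the root is a placeholder for the deployment's config directory. The `mkdir($dir, 0777, true)` at L218 additionally leaves the history tree world-writable; `0750`, or omitting the mode and relying on the umask, is sufficient for the web-server user. The `$dir` assignment and parts of this branch fall in the gaps between the displayed hunks, so the surrounding lines are not fully visible here.
```php
// … unchanged: pathinfo / basename bookkeeping for $config_full_path, $config_name …
$config_root = realpath(CONFIG_ROOT_PLACEHOLDER); // fixed directory the UI may edit; placeholder, set per deployment
$target_dir  = realpath(dirname('../' . $_POST['config_file']));
if ($config_root === false || $target_dir === false
    || in_array($config_name, ['.', '..'], true)
    || strncmp($target_dir . '/', $config_root . '/', strlen($config_root) + 1) !== 0) {
    exit -1; // path escapes the config root: refuse before mkdir/copy/file_put_contents
}
// … unchanged: create backup for history, write config, echo json …
```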