This repository was archived by the owner on Nov 26, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathemailverify.php
204 lines (153 loc) · 6.52 KB
/
emailverify.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
<?php
require_once('include/csp.php');
require_once('include/inisets.php');
require_once('include/secrets.php');
require_once('include/initializeDb.php');
/* Only one way this page goes, take input from GET request, validate */
/* If valid, then switch email to verified */
/* Otherwise, display an error message */
/* TODO: This code may be vulnerable to XSS
and probably a bunch of other attacks
Needs serious security review */
try
{
if (isset($_GET["email"]) && isset($_GET["token"]) && isset($_GET["user_id"]) && isset($_GET["date"]))
{
testToken();
}
else
{
$err_msg = "An unknown error (1) occurred trying to verify the email using that link. Please try to log in again and request another email.";
}
}
catch(Exception $e)
{
error_log("Error in top level error handler of emailverify.php: " . $e->getMessage());
//header("HTTP/1.0 500 Server Error", true, 500);
exit();
}
function testToken()
{
global $user_id, $email, $csrf_salt, $err_msg;
/* sanitize these values brought in before I do any processing based upon them */
//echo "<!-- getemail = " . $_GET["email"] . " --> \n";
$user_id = filter_var($_GET["user_id"], FILTER_VALIDATE_INT);
$email = filter_var($_GET["email"], FILTER_SANITIZE_EMAIL);
$dateint = filter_var($_GET["date"], FILTER_VALIDATE_INT);
//echo "<!-- email = " . $email . " --> \n";
if (($user_id <= 0) || (strlen($email) <= 0) || ($dateint == false))
{
$err_msg = "Unable to verify based upon the information provided (2). Please try to log in again and request another email.";
throw new Exception("Unable to verify based upon the information provided (2). Please try to log in again and request another email");
exit();
}
/* first checks to make sure the expiration date has not passed */
$expdate = new DateTime("@" . $dateint, new DateTimeZone("UTC")); /* specify the @ sign to denote passing in a Unix TS integer */
$today = new DateTime(NULL, new DateTimeZone("UTC"));
if ($expdate < $today)
{
$err_msg = "The email verification link has expired. Please try to log in again and request another email.";
throw new Exception("Date token expired in emailverify.php.");
exit(); /* this should not be run, but just in case, we do not want to continue */
}
$datetext = $expdate->format("U");
$input = $_SERVER["SERVER_NAME"] . urlencode($email) . $datetext . $user_id . "emailverify.php" . $csrf_salt;
$token = substr(hash("sha256", $input), 0, 18); /* pull out only the 1st 18 digits of the hash */
//echo "<!-- input = " . $input . " --> \n";
//echo "<!-- token = " . $token . " --> \n";
//echo "<!-- gettoken = " . $_GET["token"] . " --> \n";
if ($token == $_GET["token"])
{
initializeDb();
verifyEmail();
}
else
{
/* */
$err_msg = "Unable to verify based upon the information provided (3). Please try to log in again and request another email.";
throw new Exception("Unable to verify based upon the information provided (3). Please try to log in again and request another email");
exit(); /* this should not be run, but just in case, we do not want to continue */
}
}
function verifyEmail()
{
try
{
global $dbh, $user_id, $success_msg, $err_msg, $email;
$stmt = $dbh->prepare("CALL verifyEmail(:user_id, :email);");
$stmt->bindValue(':email', $email);
$stmt->bindValue(':user_id', $user_id);
$stmt->execute();
if ($stmt->errorCode() != "00000")
{
$erinf = $stmt->errorInfo();
error_log("UPDATE failed in emailverify.php: " . $stmt->errorCode() . " " . $erinf[2]);
$err_msg = "An unknown error (4) occurred trying to verify the email using that link. Please try to log in again and request another email.";
$success_msg = NULL;
throw new Exception("UPDATE failed in emailverify.php");
exit();
}
else
{
$success_msg = sprintf("Email address %s successfully verified.", htmlspecialchars($email));
$err_msg = NULL;
}
$stmt->closeCursor();
/* TODO: detect email change and add verification email */
}
catch (PDOException $e)
{
error_log("Database error during UPDATE query in emailverify.php: " . $e->getMessage());
$err_msg = "An unknown error (5) occurred trying to verify the email using that link. Please try to log in again and request another email.";
$success_msg = NULL;
throw new Exception("Database error during UPDATE query in emailverify.php");
exit();
}
catch(Exception $e)
{
error_log("Error during UPDATE query in emailverify.php: " . $e->getMessage());
$err_msg = "An unknown error (6) occurred trying to verify the email using that link. Please try to log in again and request another email.";
$success_msg = NULL;
/* We most likely got here from the SQL error above, so just bubble up the exception */
throw new Exception("Error during UPDATE query in emailverify.php");
exit();
}
}
?>
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>Movement Match - Organization</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet prefetch"
href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css"
integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
crossorigin="anonymous">
<link rel="stylesheet" href="css/style.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.min.js"
integrity="sha384-nrOSfDHtoPMzJHjVTdCopGqIqeYETSXhZDFyniQ8ZHcVy08QesyHcnOUpMpqnmWq"
crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js"
integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa"
crossorigin="anonymous"></script>
<!-- <script src="js/login.js"></script> -->
</head>
<body>
<?php require('include/unauth_nav_bar.php'); ?>
<div class="container-fluid">
<center>
<div class="page-header">
<h2>Verify Email</h2>
</div>
</center>
<div class="alert alert-success" <?php if (!isset($success_msg)) echo "hidden='true'"; ?> id="success_msg" >
<?php if (isset($success_msg)) echo $success_msg; ?>
</div>
<div class="alert alert-danger" <?php if (!isset($err_msg)) echo "hidden='true'"; ?> id="err_msg" >
<?php if (isset($err_msg)) echo $err_msg; ?>
</div>
<?php require('include/footer.php'); ?>
</div> <!-- Container fluid -->
</body>
</html>