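<?php
require 'Slim/Slim.php';
require 'Slim/Middleware.php';
require 'connect.php';
require 'error_codes.php';

Slim::registerAutoloader();
date_default_timezone_set('Europe/Warsaw');

$app = new Slim();
$app->response()->header('Content-Type', 'application/json');

// Session state is carried in a signed/encrypted cookie handled by Slim.
// NOTE(review): the cookie secret is a literal in this file; it should be loaded
// from configuration kept out of the source tree and rotated if this file has
// ever been published. 'secure' restricts the cookie to HTTPS whenever the
// current request itself arrived over HTTPS.
$app->add(new Slim_Middleware_SessionCookie(array(
    'secret'   => 'mp1024sec',
    'expires'  => '60 minutes',
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
)));

// Shared per-request state filled in by the $authenticate middleware:
// $db   - open PDO handle (handlers set it back to null when done)
// $user - the authenticated user's row, password column removed
$db = null;
$user = null;

// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------

/**
 * Decodes the JSON request body.
 *
 * @return object|null the decoded object, or null when the body is missing,
 *                     malformed, or not a JSON object
 */
function requestObject($app)
{
    $obj = json_decode($app->request()->getBody());
    return is_object($obj) ? $obj : null;
}

/**
 * True when $obj carries a non-empty string or integer in $field.
 * Stricter than the former "!= null" test, which also rejected the literal '0'.
 */
function hasValue($obj, $field)
{
    if (!is_object($obj) || !isset($obj->$field)) {
        return false;
    }
    $value = $obj->$field;
    return (is_string($value) || is_int($value)) && $value !== '';
}

/**
 * Loads the user row for an e-mail address.
 *
 * @return array|null the full row (password hash included) when exactly one
 *                    user matches, otherwise null
 */
function findUserByEmail(PDO $db, $email)
{
    $stmt = $db->prepare('select * from users where email=:email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($results) === 1 ? $results[0] : null;
}

/** Strips the columns that must never leave the server (hash and internal id). */
function publicUser(array $row)
{
    unset($row['password'], $row['id']);
    return $row;
}

/**
 * True when the $authenticate middleware accepted the session: no 401 is
 * pending on the response and a user row was loaded into the global.
 */
function isAuthenticated($app, $user)
{
    return $app->response()->status() != 401 && $user !== null;
}

/**
 * Registration token: 128 random bits as 32 hex characters (same width as the
 * md5() output it replaces, so the column size is unaffected). Prefers a CSPRNG;
 * only very old builds without either source fall back to the original scheme.
 */
function newToken()
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(16));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        return bin2hex(openssl_random_pseudo_bytes(16));
    }
    return md5(uniqid(mt_rand(), true));
}

/**
 * Runs a posts query, optionally appending a bound LIMIT.
 *
 * @param array    $params integer bind parameters keyed by placeholder name
 * @param int|null $limit  maximum row count, or null for no limit
 * @return array   rows as associative arrays
 */
function fetchPosts(PDO $db, $sql, array $params, $limit)
{
    if ($limit !== null) {
        $sql .= ' limit :limit';
    }
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    if ($limit !== null) {
        $stmt->bindValue(':limit', (int) $limit, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Reports a database failure. The driver message is written to the server log
 * only; it can contain table names, hosts or credentials and is not returned
 * to the client.
 */
function pdoError($e, $app)
{
    error_log('DB error: ' . $e->getMessage());
    $app->response()->status(500);
    echo json_encode(array('error' => 'DB error', 'status' => 'error'));
}

/** 400: a required request field is absent or invalid. */
function paramError($app, $param)
{
    $app->response()->status(400);
    echo json_encode(array('error' => 'missing parameter: ' . $param, 'status' => 'error'));
}

/** 400 with an application error code from error_codes.php. */
function codeError($app, $code)
{
    $app->response()->status(400);
    echo json_encode(array('error' => $code, 'status' => 'error'));
}

/** Error body for requests without a valid session (status is set by the caller). */
function unauthorizedError()
{
    echo json_encode(array('error' => 'unauthorized', 'status' => 'error'));
}

/** 403: the session is valid but the user's role grants no access to the route. */
function forbiddenError($app)
{
    $app->response()->status(403);
    echo json_encode(array('error' => 'forbidden', 'status' => 'error'));
}

/** An ankieta payload needs a title and a message. */
function validateAnkieta($ankieta)
{
    return hasValue($ankieta, 'title') && hasValue($ankieta, 'message');
}

/** A post payload needs a message. */
function validatePost($post)
{
    return hasValue($post, 'message');
}

// ---------------------------------------------------------------------------
// LOGIN
// ---------------------------------------------------------------------------

/**
 * Route middleware factory. On a valid session it opens the global $db handle
 * and loads the global $user (password removed); otherwise it marks the
 * response 401 and the handler answers with unauthorizedError().
 */
$authenticate = function ($app) {
    return function () use ($app) {
        global $user, $db;
        if (!isset($_SESSION['user'])) {
            $app->response()->status(401);
            return;
        }
        $db = getConnection();
        $row = findUserByEmail($db, $_SESSION['user']);
        if ($row === null) {
            $app->response()->status(401);
            return;
        }
        unset($row['password']);
        $user = $row;
    };
};

$app->post('/register', 'register');
/** Stores a pending registration (hashed password, expiry, confirmation token). */
function register()
{
    global $db, $app;
    try {
        $obj = requestObject($app);
        if ($obj === null
            || !hasValue($obj, 'name')
            || !hasValue($obj, 'surname')
            || !hasValue($obj, 'email')
            || !filter_var($obj->email, FILTER_VALIDATE_EMAIL)
            || !hasValue($obj, 'password')) {
            paramError($app, 'user');
            return;
        }
        // TODO check if user already exists in users and users_requests
        $db = getConnection();
        $stmt = $db->prepare('insert into users_requests(name, surname, email, password, expires, token) values(:name, :surname, :email, :password, :expires, :token)');
        $stmt->bindValue(':name', $obj->name, PDO::PARAM_STR);
        $stmt->bindValue(':surname', $obj->surname, PDO::PARAM_STR);
        $stmt->bindValue(':email', $obj->email, PDO::PARAM_STR);
        $stmt->bindValue(':password', password_hash($obj->password, PASSWORD_DEFAULT), PDO::PARAM_STR);
        $stmt->bindValue(':expires', date('Y-m-d H:i:s', strtotime('+2 days')), PDO::PARAM_STR);
        $stmt->bindValue(':token', newToken(), PDO::PARAM_STR);
        $stmt->execute();
        $db = null;
        // TODO send email to ADMIN
        echo json_encode(array('status' => 'success'));
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->get('/login', 'getLogin');
/** Returns the current session's user, or 401 when there is no valid session. */
function getLogin()
{
    global $db, $app;
    try {
        if (!isset($_SESSION['user'])) {
            $app->response()->status(401);
            unauthorizedError();
            return;
        }
        $db = getConnection();
        $row = findUserByEmail($db, $_SESSION['user']);
        $db = null;
        if ($row === null) {
            $app->response()->status(401);
            unauthorizedError();
            return;
        }
        echo json_encode(array('status' => 'success', 'user' => publicUser($row)));
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->post('/login', 'postLogin');
/** Verifies e-mail + password and binds the e-mail to the session cookie. */
function postLogin()
{
    global $db, $app;
    try {
        $obj = requestObject($app);
        if ($obj === null) {
            codeError($app, LOGIN_MISSING_USER);
            return;
        }
        if (!hasValue($obj, 'email')) {
            codeError($app, LOGIN_MISSING_EMAIL);
            return;
        }
        if (!hasValue($obj, 'password')) {
            codeError($app, LOGIN_MISSING_PASSWORD);
            return;
        }
        $db = getConnection();
        $row = findUserByEmail($db, $obj->email);
        $db = null;
        // NOTE(review): two distinct codes reveal whether an e-mail is registered;
        // answering both cases with one code would remove that signal.
        if ($row === null) {
            codeError($app, LOGIN_USER_NOT_FOUND);
            return;
        }
        if (!password_verify($obj->password, $row['password'])) {
            codeError($app, LOGIN_WRONG_PASSWORD);
            return;
        }
        $_SESSION['user'] = $row['email'];
        echo json_encode(array('status' => 'success', 'user' => publicUser($row)));
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->post('/logout', 'postLogout');
/** Drops the session binding. */
function postLogout()
{
    unset($_SESSION['user']);
    echo json_encode(array('status' => 'success'));
}

// ---------------------------------------------------------------------------
// ANKIETY
// ---------------------------------------------------------------------------

$app->get('/ankiety', $authenticate($app), 'getAnkiety');
/** ADMIN sees every ankieta; USER only the ones they own. */
function getAnkiety()
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('select * from ankiety');
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('select id, title, message from ankiety where userId=:id');
            $stmt->bindValue(':id', $user['id'], PDO::PARAM_INT);
        } else {
            // Any other role used to reach $stmt->execute() on a null statement.
            forbiddenError($app);
            return;
        }
        $stmt->execute();
        $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
        $db = null;
        echo json_encode($results);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->get('/ankiety/:id', $authenticate($app), 'getAnkietyId');
/** Single ankieta by id; USER rows are additionally scoped to the owner. */
function getAnkietyId($id)
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('select * from ankiety where id=:id');
            $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('select id, title, message from ankiety where id=:id and userId=:userId');
            $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            forbiddenError($app);
            return;
        }
        $stmt->execute();
        $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
        $db = null;
        if (count($results) === 1) {
            echo json_encode($results[0]);
        } else {
            echo json_encode(array('status' => 'error', 'error' => 'ankieta not found'));
        }
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->post('/ankiety', $authenticate($app), 'postAnkiety');
/** Creates an ankieta owned by the session user and echoes it back with its id. */
function postAnkiety()
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        $obj = requestObject($app);
        if (!validateAnkieta($obj)) {
            paramError($app, 'ankieta');
            $db = null;
            return;
        }
        $stmt = $db->prepare('insert into ankiety(title, message, userId) values(:title, :message, :userId)');
        $stmt->bindValue(':title', $obj->title, PDO::PARAM_STR);
        $stmt->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        $stmt->execute();
        $obj->id = $db->lastInsertId();
        if ($user['role'] === 'ADMIN') {
            $obj->userId = $user['id'];
        }
        $db = null;
        echo json_encode($obj);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->put('/ankiety', $authenticate($app), 'putAnkiety');
/** Updates title/message; USER updates are scoped to rows they own. */
function putAnkiety()
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        $obj = requestObject($app);
        if (!validateAnkieta($obj)) {
            paramError($app, 'ankieta');
            return;
        }
        // The id was never validated before; a missing one updated "where id=NULL".
        if (!hasValue($obj, 'id')) {
            paramError($app, 'id');
            return;
        }
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('update ankiety set title=:title, message=:message where id=:id');
            $stmt->bindValue(':id', (int) $obj->id, PDO::PARAM_INT);
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('update ankiety set title=:title, message=:message where id=:id and userId=:userId');
            $stmt->bindValue(':id', (int) $obj->id, PDO::PARAM_INT);
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            forbiddenError($app);
            return;
        }
        $stmt->bindValue(':title', $obj->title, PDO::PARAM_STR);
        $stmt->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $stmt->execute();
        $db = null;
        echo json_encode($obj);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->delete('/ankiety/:id', $authenticate($app), 'deleteAnkietyId');
/** Deletes an ankieta; USER deletes are scoped to rows they own. */
function deleteAnkietyId($id)
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('delete from ankiety where id=:id');
            $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('delete from ankiety where id=:id and userId=:userId');
            $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            forbiddenError($app);
            return;
        }
        $stmt->execute();
        $db = null;
        echo json_encode(array('status' => 'success'));
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

// ---------------------------------------------------------------------------
// POSTY
// ---------------------------------------------------------------------------

$app->get('/posty', 'getPosty');
/**
 * Lists posts. Anonymous callers and USERs get the public columns (USERs only
 * their own posts); ADMINs get every post with author details. An optional
 * non-negative ?limit= caps the result.
 */
function getPosty()
{
    global $app;
    $limit = $app->request()->get('limit');
    $hasLimit = $limit !== null && $limit !== '';
    if ($hasLimit) {
        // filter_var() expects the range under an 'options' key; the former flat
        // array was ignored, and a valid "0" was rejected because 0 is falsy.
        $limit = filter_var($limit, FILTER_VALIDATE_INT, array('options' => array('min_range' => 0)));
        if ($limit === false) {
            $app->response()->status(400);
            echo json_encode(array('status' => 'error', 'error' => POSTS_ILLEGAL_LIMIT));
            return;
        }
    }
    try {
        $db = getConnection();
        $params = array();
        if (isset($_SESSION['user'])) {
            // request from panel
            $user = findUserByEmail($db, $_SESSION['user']);
            if ($user === null) {
                $app->response()->status(401);
                codeError($app, ILLEGAL_STATE);
                return;
            }
            if ($user['role'] === 'ADMIN') {
                $sql = 'select p.id, p.message, p.timestamp, p.userId, u.name, u.surname, u.email, u.role from posts p join users u on p.userId = u.id order by p.timestamp desc';
            } elseif ($user['role'] === 'USER') {
                $sql = 'select p.id, p.message, p.timestamp, u.name, u.surname, u.email from posts p join users u on p.userId = u.id where p.userId=:userId order by p.timestamp desc';
                $params[':userId'] = (int) $user['id'];
            } else {
                forbiddenError($app);
                return;
            }
        } else {
            // request from 'outside'
            $sql = 'select p.id, p.message, p.timestamp, u.name, u.surname, u.email from posts p join users u on p.userId = u.id order by p.timestamp desc';
        }
        echo json_encode(fetchPosts($db, $sql, $params, $hasLimit ? $limit : null));
        $db = null;
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->post('/posty', $authenticate($app), 'postPosty');
/** Creates a post owned by the session user and echoes it back with its id. */
function postPosty()
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        $obj = requestObject($app);
        if (!validatePost($obj)) {
            paramError($app, 'post');
            $db = null;
            return;
        }
        $stmt = $db->prepare('insert into posts(message, userId) values(:message, :userId)');
        $stmt->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        $stmt->execute();
        $obj->id = $db->lastInsertId();
        if ($user['role'] === 'ADMIN') {
            $obj->userId = $user['id'];
        }
        $db = null;
        echo json_encode($obj);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->put('/posty', $authenticate($app), 'putPosty');
/** Updates a post's message; USER updates are scoped to rows they own. */
function putPosty()
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        $obj = requestObject($app);
        if (!validatePost($obj)) {
            paramError($app, 'post');
            return;
        }
        if (!hasValue($obj, 'id')) {
            paramError($app, 'id');
            return;
        }
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('update posts set message=:message where id=:id');
            $stmt->bindValue(':id', (int) $obj->id, PDO::PARAM_INT);
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('update posts set message=:message where id=:id and userId=:userId');
            $stmt->bindValue(':id', (int) $obj->id, PDO::PARAM_INT);
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            forbiddenError($app);
            return;
        }
        $stmt->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $stmt->execute();
        $db = null;
        echo json_encode($obj);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->delete('/posty/:id', $authenticate($app), 'deletePostyId');
/**
 * Deletes a post; USER deletes are scoped to rows they own.
 * The route parameter was previously not declared, so $id was always
 * undefined and the auth check used && instead of ||.
 */
function deletePostyId($id)
{
    global $user, $db, $app;
    if (!isAuthenticated($app, $user)) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('delete from posts where id=:id');
            $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('delete from posts where id=:id and userId=:userId');
            $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            forbiddenError($app);
            return;
        }
        $stmt->execute();
        $db = null;
        echo json_encode(array('status' => 'success'));
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}

$app->run();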
