Manager/pages/register.php

<?php
	function displayPage(string $message)
	{
		global $RUNTIME;
		$HTML = new HTML();
		$HTML->setHTMLTitle("Registrieren");
		$HTML->importHTML("register.html");

		$HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message);
		$HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] ); 
		$HTML->ReplaceLayoutInhalt("%%INVCODE%%", htmlspecialchars($_REQUEST['code'])); 
	
		$HTML->build();
		echo $HTML->ausgabe();
		die();
	}

	if(!isset($_REQUEST['code']))
		die("MISSING INVITE CODE!");

	if(strlen($_REQUEST['code']) != 32 || !preg_match('/^[a-f0-9]+$/', $_REQUEST['code'])) {
		die("INVALID INVITE CODE!");
	}

	$statementInviteCode = $RUNTIME['PDO']->prepare("SELECT 1 FROM InviteCodes WHERE InviteCode = ? LIMIT 1");
	$statementInviteCode->execute([$_REQUEST['code']]);

	if($statementInviteCode->rowCount() == 0) {
		die("INVALID INVITE CODE!");
	}

	if($_SERVER['REQUEST_METHOD'] != 'POST') {		
		displayPage("");
	}

	include_once('app/FormValidator.php');

	$validator = new FormValidator(array(
		'tos' => array('required' => true, 'equals' => 'on'),
		'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/'),
		'password' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
		'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}.\S{2,64}$/'),
		'avatar' => array('required' => true)
	));

	if(!$validator->isValid($_POST)) {
		if(!isset($_POST['tos']) || $_POST['tos'] !== true) {
			displayPage("Du musst die Nutzungsbedingungen lesen und Akzeptieren.");
		}
		else {
			displayPage("Ups da stimmt was nicht. Versuche es bitte noch mal.");
		}

		die();
	}

	$name = trim($_POST['username']);
	$nameParts;
	if($name != "") {
		$nameParts = explode(" ", $name);
		if(count($nameParts) == 1) {
			$name .= " Resident";
			$nameParts = explode(" ", $name);
		}
			
		$statementAvatarName = $RUNTIME['PDO']->prepare("SELECT 1 FROM UserAccounts WHERE FirstName = :FirstName AND LastName = :LastName LIMIT 1");
		$statementAvatarName->execute(['FirstName' => $nameParts[0], 'LastName' => $nameParts[1]]); 
		if($statementAvatarName->rowCount() > 0) {
			displayPage("Der gewählte Name ist bereits vergeben.");
		}
	}

	$pass = trim($_POST['password']);
	if(strlen($pass) < $RUNTIME['PASSWORD_MIN_LENGTH']) {
		displayPage('Dein Passwort muss mindestens '.$RUNTIME['PASSWORD_MIN_LENGTH'].' Zeichen lang sein.');
	}

	$email = trim($_POST['email']);

	$avatar;
	if(isset($RUNTIME['DEFAULTAVATAR'][$_POST['avatar']]['UUID'])) {
		$avatar	= trim($_POST['avatar']);
	}
	else {
		displayPage("Der gewählte Standardavatar existiert nicht.");
	}

	include 'app/OpenSim.php';
	$opensim = new OpenSim();

	$avatarUUID = $opensim->gen_uuid();
	$salt = bin2hex(random_bytes(16));
	$passwordHash = md5(md5($pass).':'.$salt);

	$statementInviteDeleter = $RUNTIME['PDO']->prepare('DELETE FROM InviteCodes WHERE InviteCode = :code'); 
	$statementInviteDeleter->execute(['code' => $_REQUEST['code']]);
	if($statementInviteDeleter->rowCount() == 0) {
		header('Location: index.php');
		die();
	}

	try {
		$RUNTIME['PDO']->beginTransaction();

		$statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `passwordSalt`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :SALT, :WEBKEY, :ACCTYPE)'); 
		$statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'SALT' => $salt, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]);

		$statementAccounts = $RUNTIME['PDO']->prepare('INSERT INTO `UserAccounts` (`PrincipalID`, `ScopeID`, `FirstName`, `LastName`, `Email`, `ServiceURLs`, `Created`, `UserLevel`, `UserFlags`, `UserTitle`, `active`) VALUES (:PrincipalID, :ScopeID, :FirstName, :LastName, :Email, :ServiceURLs, :Created, :UserLevel, :UserFlags, :UserTitle, :active )'); 
		$statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $nameParts[0], 'LastName' => $nameParts[1], 'Email' => $email, 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]);

		$statementProfile = $RUNTIME['PDO']->prepare('INSERT INTO `userprofile` (`useruuid`, `profilePartner`, `profileImage`, `profileURL`, `profileFirstImage`, `profileAllowPublish`, `profileMaturePublish`, `profileWantToMask`, `profileWantToText`, `profileSkillsMask`, `profileSkillsText`, `profileLanguages`, `profileAboutText`, `profileFirstText`) VALUES (:useruuid, :profilePartner, :profileImage, :profileURL, :profileFirstImage, :profileAllowPublish, :profileMaturePublish, :profileWantToMask, :profileWantToText, :profileSkillsMask, :profileSkillsText, :profileLanguages, :profileAboutText, :profileFirstText)'); 
		$statementProfile->execute(['useruuid' => $avatarUUID, 'profilePartner' => "00000000-0000-0000-0000-000000000000", 'profileImage' => "00000000-0000-0000-0000-000000000000", 'profileURL' => '', 'profileFirstImage' => "00000000-0000-0000-0000-000000000000", "profileAllowPublish" => "0", "profileMaturePublish" => "0", "profileWantToMask" => "0", "profileWantToText" => "", "profileSkillsMask" => "0", "profileSkillsText" => "", "profileLanguages" => "", "profileAboutText" => "", "profileFirstText" => ""]);

		$statementInventoryFolder = $RUNTIME['PDO']->prepare('INSERT INTO `inventoryfolders` (`folderName`, `type`, `version`, `folderID`, `agentID`, `parentFolderID`) VALUES (:folderName, :folderTyp, :folderVersion, :folderID, :agentID, :parentFolderID)'); 
		$Inventory 				= array('Calling Cards' => 2, 'Objects' => 6, 'Landmarks' => 3, 'Clothing' => 5, 'Gestures' => 21, 'Body Parts' => 13, 'Textures' =>  0, 'Scripts' => 10, 'Photo Album' => 15, 'Lost And Found' => 16, 'Trash' => 14, 'Notecards' =>  7, 'My Inventory' =>  8, 'Sounds' =>  1, 'Animations' => 20);
		$InventoryRootFolder 	= $opensim->gen_uuid();
		foreach ($Inventory as $FolderName => $InventoryType)
		{
			$FolderUUID = $opensim->gen_uuid();
			if ($InventoryType == 8)
			{
				$FolderUUID = $InventoryRootFolder;
				$FolderParent = "00000000-0000-0000-0000-000000000000";
			}else{
				$FolderParent = $InventoryRootFolder;
			}
			$statementInventoryFolder->execute(['agentID' => $avatarUUID, 'folderName' => $FolderName, 'folderTyp' => $InventoryType, 'folderVersion' => 1, 'folderID' => $FolderUUID, 'parentFolderID' => $FolderParent]);
		}

		$RUNTIME['PDO']->commit();
	} catch (Exception $pdoException) {
		$RUNTIME['PDO']->rollBack();
		error_log('Could not create Account: '.$pdoException->getMessage());
		displayPage('Fehler bei der Erstellung deines Accounts. Bitte versuche es später erneut.');
	}

	session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
	$_SESSION['USERNAME'] = trim($name);
	$_SESSION['FIRSTNAME'] = trim($nameParts[0]);
	$_SESSION['LASTNAME'] = trim($nameParts[1]);
	$_SESSION['EMAIL'] = $email;
	$_SESSION['PASSWORD'] = $passwordHash;
	$_SESSION['SALT'] = $salt;
	$_SESSION['UUID'] = $avatarUUID;
	$_SESSION['LEVEL'] = 0;
	$_SESSION['DISPLAYNAME'] = strtoupper($name);
	$_SESSION['LOGIN'] = 'true';

	header('Location: index.php?page=dashboard');
	die();
?>
now the register works 2020-08-02 05:22:25 +00:00			`<?php`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`function displayPage(string $message)`
			`{`
Small fixes 2023-08-23 16:16:34 +00:00			`global $RUNTIME;`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$HTML = new HTML();`
			`$HTML->setHTMLTitle("Registrieren");`
Fix include/template paths 2023-08-23 16:16:35 +00:00			`$HTML->importHTML("register.html");`
Add input validation to Register page 2023-08-23 16:16:34 +00:00
			`$HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message);`
			`$HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] );`
Always encode user input before including in HTML 2023-08-23 16:16:34 +00:00			`$HTML->ReplaceLayoutInhalt("%%INVCODE%%", htmlspecialchars($_REQUEST['code']));`
Add input validation to Register page 2023-08-23 16:16:34 +00:00
			`$HTML->build();`
			`echo $HTML->ausgabe();`
			`die();`
			`}`

now the register works 2020-08-02 05:22:25 +00:00			`if(!isset($_REQUEST['code']))`
			`die("MISSING INVITE CODE!");`

Change validation regexes to be more strict 2023-08-23 16:16:36 +00:00			`if(strlen($_REQUEST['code']) != 32 \|\| !preg_match('/^[a-f0-9]+$/', $_REQUEST['code'])) {`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`die("INVALID INVITE CODE!");`
			`}`
now the register works 2020-08-02 05:22:25 +00:00
Small fixes 2023-08-23 16:16:34 +00:00			`$statementInviteCode = $RUNTIME['PDO']->prepare("SELECT 1 FROM InviteCodes WHERE InviteCode = ? LIMIT 1");`
			`$statementInviteCode->execute([$_REQUEST['code']]);`

			`if($statementInviteCode->rowCount() == 0) {`
			`die("INVALID INVITE CODE!");`
			`}`

Enforce POST when sending register form 2023-08-23 16:16:35 +00:00			`if($_SERVER['REQUEST_METHOD'] != 'POST') {`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`displayPage("");`
			`}`
now the register works 2020-08-02 05:22:25 +00:00
Reflect directory structure changes 2023-08-23 16:16:35 +00:00			`include_once('app/FormValidator.php');`
now the register works 2020-08-02 05:22:25 +00:00
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$validator = new FormValidator(array(`
Fix various small errors 2023-08-23 16:16:34 +00:00			`'tos' => array('required' => true, 'equals' => 'on'),`
Change validation regexes to be more strict 2023-08-23 16:16:36 +00:00			`'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/'),`
			`'password' => array('required' => true, 'regex' => '/^.{1,1000}$/'),`
			`'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}.\S{2,64}$/'),`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`'avatar' => array('required' => true)`
			`));`
now the register works 2020-08-02 05:22:25 +00:00
Unset pre-session on login and registration 2023-08-23 16:16:34 +00:00			`if(!$validator->isValid($_POST)) {`
Enforce POST when sending register form 2023-08-23 16:16:35 +00:00			`if(!isset($_POST['tos']) \|\| $_POST['tos'] !== true) {`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`displayPage("Du musst die Nutzungsbedingungen lesen und Akzeptieren.");`
			`}`
			`else {`
			`displayPage("Ups da stimmt was nicht. Versuche es bitte noch mal.");`
now the register works 2020-08-02 05:22:25 +00:00			`}`

Add input validation to Register page 2023-08-23 16:16:34 +00:00			`die();`
			`}`
now the register works 2020-08-02 05:22:25 +00:00
Enforce POST when sending register form 2023-08-23 16:16:35 +00:00			`$name = trim($_POST['username']);`
Add minimum password length requirement 2023-08-23 16:16:36 +00:00			`$nameParts;`
			`if($name != "") {`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$nameParts = explode(" ", $name);`
Add minimum password length requirement 2023-08-23 16:16:36 +00:00			`if(count($nameParts) == 1) {`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$name .= " Resident";`
			`$nameParts = explode(" ", $name);`
now the register works 2020-08-02 05:22:25 +00:00			`}`
Add input validation to Register page 2023-08-23 16:16:34 +00:00
Only fetch required rows from database 2023-08-23 16:16:34 +00:00			`$statementAvatarName = $RUNTIME['PDO']->prepare("SELECT 1 FROM UserAccounts WHERE FirstName = :FirstName AND LastName = :LastName LIMIT 1");`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$statementAvatarName->execute(['FirstName' => $nameParts[0], 'LastName' => $nameParts[1]]);`
Add minimum password length requirement 2023-08-23 16:16:36 +00:00			`if($statementAvatarName->rowCount() > 0) {`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`displayPage("Der gewählte Name ist bereits vergeben.");`
now the register works 2020-08-02 05:22:25 +00:00			`}`
			`}`
Add minimum password length requirement 2023-08-23 16:16:36 +00:00
			`$pass = trim($_POST['password']);`
			`if(strlen($pass) < $RUNTIME['PASSWORD_MIN_LENGTH']) {`
			`displayPage('Dein Passwort muss mindestens '.$RUNTIME['PASSWORD_MIN_LENGTH'].' Zeichen lang sein.');`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`}`
Add minimum password length requirement 2023-08-23 16:16:36 +00:00
			`$email = trim($_POST['email']);`

			`$avatar;`
			`if(isset($RUNTIME['DEFAULTAVATAR'][$_POST['avatar']]['UUID'])) {`
			`$avatar = trim($_POST['avatar']);`
			`}`
			`else {`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`displayPage("Der gewählte Standardavatar existiert nicht.");`
			`}`
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00
Fix include/template paths 2023-08-23 16:16:35 +00:00			`include 'app/OpenSim.php';`
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00			`$opensim = new OpenSim();`

			`$avatarUUID = $opensim->gen_uuid();`
Revert password hashing for OpenSim compatibility 2023-08-23 16:16:36 +00:00			`$salt = bin2hex(random_bytes(16));`
			`$passwordHash = md5(md5($pass).':'.$salt);`
Prevent invite codes being reusable in some cases 2023-08-23 16:16:36 +00:00
			`$statementInviteDeleter = $RUNTIME['PDO']->prepare('DELETE FROM InviteCodes WHERE InviteCode = :code');`
			`$statementInviteDeleter->execute(['code' => $_REQUEST['code']]);`
			`if($statementInviteDeleter->rowCount() == 0) {`
			`header('Location: index.php');`
			`die();`
			`}`

			`try {`
			`$RUNTIME['PDO']->beginTransaction();`

			$statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `passwordSalt`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :SALT, :WEBKEY, :ACCTYPE)');
			`$statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'SALT' => $salt, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]);`

			$statementAccounts = $RUNTIME['PDO']->prepare('INSERT INTO `UserAccounts` (`PrincipalID`, `ScopeID`, `FirstName`, `LastName`, `Email`, `ServiceURLs`, `Created`, `UserLevel`, `UserFlags`, `UserTitle`, `active`) VALUES (:PrincipalID, :ScopeID, :FirstName, :LastName, :Email, :ServiceURLs, :Created, :UserLevel, :UserFlags, :UserTitle, :active )');
			`$statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $nameParts[0], 'LastName' => $nameParts[1], 'Email' => $email, 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]);`

Fix erroneous SQL queries (ignored pre-PHP 8) 2023-08-23 16:16:36 +00:00			$statementProfile = $RUNTIME['PDO']->prepare('INSERT INTO `userprofile` (`useruuid`, `profilePartner`, `profileImage`, `profileURL`, `profileFirstImage`, `profileAllowPublish`, `profileMaturePublish`, `profileWantToMask`, `profileWantToText`, `profileSkillsMask`, `profileSkillsText`, `profileLanguages`, `profileAboutText`, `profileFirstText`) VALUES (:useruuid, :profilePartner, :profileImage, :profileURL, :profileFirstImage, :profileAllowPublish, :profileMaturePublish, :profileWantToMask, :profileWantToText, :profileSkillsMask, :profileSkillsText, :profileLanguages, :profileAboutText, :profileFirstText)');
			$statementProfile->execute(['useruuid' => $avatarUUID, 'profilePartner' => "00000000-0000-0000-0000-000000000000", 'profileImage' => "00000000-0000-0000-0000-000000000000", 'profileURL' => '', 'profileFirstImage' => "00000000-0000-0000-0000-000000000000", "profileAllowPublish" => "0", "profileMaturePublish" => "0", "profileWantToMask" => "0", "profileWantToText" => "", "profileSkillsMask" => "0", "profileSkillsText" => "", "profileLanguages" => "", "profileAboutText" => "", "profileFirstText" => ""]);
Prevent invite codes being reusable in some cases 2023-08-23 16:16:36 +00:00
			$statementInventoryFolder = $RUNTIME['PDO']->prepare('INSERT INTO `inventoryfolders` (`folderName`, `type`, `version`, `folderID`, `agentID`, `parentFolderID`) VALUES (:folderName, :folderTyp, :folderVersion, :folderID, :agentID, :parentFolderID)');
			`$Inventory = array('Calling Cards' => 2, 'Objects' => 6, 'Landmarks' => 3, 'Clothing' => 5, 'Gestures' => 21, 'Body Parts' => 13, 'Textures' => 0, 'Scripts' => 10, 'Photo Album' => 15, 'Lost And Found' => 16, 'Trash' => 14, 'Notecards' => 7, 'My Inventory' => 8, 'Sounds' => 1, 'Animations' => 20);`
			`$InventoryRootFolder = $opensim->gen_uuid();`
			`foreach ($Inventory as $FolderName => $InventoryType)`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`{`
Prevent invite codes being reusable in some cases 2023-08-23 16:16:36 +00:00			`$FolderUUID = $opensim->gen_uuid();`
			`if ($InventoryType == 8)`
			`{`
			`$FolderUUID = $InventoryRootFolder;`
			`$FolderParent = "00000000-0000-0000-0000-000000000000";`
			`}else{`
			`$FolderParent = $InventoryRootFolder;`
			`}`
			`$statementInventoryFolder->execute(['agentID' => $avatarUUID, 'folderName' => $FolderName, 'folderTyp' => $InventoryType, 'folderVersion' => 1, 'folderID' => $FolderUUID, 'parentFolderID' => $FolderParent]);`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`}`
Prevent invite codes being reusable in some cases 2023-08-23 16:16:36 +00:00
			`$RUNTIME['PDO']->commit();`
			`} catch (Exception $pdoException) {`
			`$RUNTIME['PDO']->rollBack();`
			`error_log('Could not create Account: '.$pdoException->getMessage());`
			`displayPage('Fehler bei der Erstellung deines Accounts. Bitte versuche es später erneut.');`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`}`
Prevent invite codes being reusable in some cases 2023-08-23 16:16:36 +00:00
Unset pre-session on login and registration 2023-08-23 16:16:34 +00:00			`session_unset(); // Unset pre-session variables, next request will generate a new CSRF token`
Add minimum password length requirement 2023-08-23 16:16:36 +00:00			`$_SESSION['USERNAME'] = trim($name);`
			`$_SESSION['FIRSTNAME'] = trim($nameParts[0]);`
			`$_SESSION['LASTNAME'] = trim($nameParts[1]);`
			`$_SESSION['EMAIL'] = $email;`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$_SESSION['PASSWORD'] = $passwordHash;`
Revert password hashing for OpenSim compatibility 2023-08-23 16:16:36 +00:00			`$_SESSION['SALT'] = $salt;`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$_SESSION['UUID'] = $avatarUUID;`
			`$_SESSION['LEVEL'] = 0;`
Add minimum password length requirement 2023-08-23 16:16:36 +00:00			`$_SESSION['DISPLAYNAME'] = strtoupper($name);`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`$_SESSION['LOGIN'] = 'true';`
Always redirect after making changes 2023-08-23 16:16:34 +00:00
			`header('Location: index.php?page=dashboard');`
Add input validation to Register page 2023-08-23 16:16:34 +00:00			`die();`
now the register works 2020-08-02 05:22:25 +00:00			`?>`