Only allow GET and POST HTTP request and die otherwise.

Fix the form handling while at it.

Signed-off-by: Jérôme Benoit <jerome.benoit@piment-noir.org>

diff --git a/config.php b/config.php
index dd03f8fe8179625523bb6b3d64cd023d1d3cdeb7..35fc43c84f52a4e7d71b047256f0274131d8cce2 100644 (file)
--- a/config.php
+++ b/config.php
@@ -1,6 +1,7 @@
  <?php
 
  return array(
+     'root_url' => 'http://localhost/~fraggle/airpolytech',
      'host' => 'localhost',
      'username' => 'fraggle',
      'password' => '$Love79!',

diff --git a/footer.html b/footer.html
index 70960fbe40af43253568bb242ce1df5a6a3fd93d..e06db19764b8f05ca0989dc004da04cd3d26054c 100644 (file)
--- a/footer.html
+++ b/footer.html
@@ -1,5 +1,5 @@
 <div id="footer">
-    &copy;2018 - Piment Noir
+    &copy;2018 - <a href="https://piment-noir.org">Piment Noir</a>
 </div>
 </body>
 </html>

diff --git a/formlogin.php b/formlogin.php
index 99db0232679e156a8f93feb1a31bdff6b4d31615..f3b876560a87501162f8427a4b97d07f7ac0e473 100644 (file)
--- a/formlogin.php
+++ b/formlogin.php
@@ -1,9 +1,9 @@
 <?php
 $form_email = filter_input(INPUT_POST, "email", FILTER_VALIDATE_EMAIL);
-$form_password = filter_input(INPUT_POST, "password", FILTER_VALIDATE_STRING);
+$form_password = filter_input(INPUT_POST, "password", FILTER_SANITIZE_STRING);
 
-if (!form_email) {
-    echo "The email " .$form_email . " is not valid";
+if (!$form_email) {
+    echo "The email is not valid";
 } else {
     $sql_pquery = "select count() from Client where EmailCI = ?";
 }

diff --git a/header.html b/header.html
index 8e523a2fb4fc0afca9b53c59efb3ebdc6a7c2282..5721c7d0efc57e3c54306763ec782f931df78f76 100644 (file)
--- a/header.html
+++ b/header.html
@@ -8,7 +8,3 @@
 <link rel="stylesheet" type="text/css" href="styles/airpolytech.css" />
 </head>
 <body>
-<div id="header">
-    <!-- Put headers stuff here -->
-    Bienvenue sur Air Polytech !
-</div>

diff --git a/header.php b/header.php
index e81db379e5b1139c34fbfe2cc531fe1b2e400697..ac394bfae0d8429433b195a446774f661996514c 100644 (file)
--- a/header.php
+++ b/header.php
@@ -1,5 +1,18 @@
 <?php
 include('header.html');
+/**
+ * Let's use an array as the list of tunables.
+ * Put in a variable the inclusion of this file:
+ * $config_var = include('config.php');
+ */
+$configs = include('config.php');
+?>
+<div id="header">
+    <!-- Put headers stuff here -->
+    <a href="<?php echo $configs['root_url'] ?>/index.php?page=home">Bienvenue sur Air Polytech !</a>
+</div>
+<?php
+
 function display_menu() {
     switch ($page) {
         case "home":

diff --git a/index.php b/index.php
index 125f62049964198da07139d78e5286c4990abb5b..9d22f3e15361790b8c2fe89561b28cc88ebd0cf2 100644 (file)
--- a/index.php
+++ b/index.php
@@ -2,12 +2,7 @@
 require('header.php');
 
 include('lib/db.php');
-/**
- * Let's use an array as the list of tunables.
- * Put in a variable the inclusion of this file:
- * $config_var = include('config.php');
- */
-$configs = include('config.php');
+include('lib/utils.php');
 
 /**
  * [session_start start a unique session for the current browser client]
@@ -21,6 +16,9 @@ if (!isset($page)) {
     $page = "";
 }
 
+/**
+ * form MUST have an hidden field named 'form' to enable proper routing
+ */
 $form = filter_input(INPUT_POST, 'form', FILTER_SANITIZE_URL);
 $isForm = true;
 if (!isset($form)) {
@@ -28,6 +26,34 @@ if (!isset($form)) {
     $form = "";
 }
 
+function get_action_type() {
+    global $isPage, $isForm;
+
+    if ($isPage && !$isForm && is_get_request()) {
+        return "page";
+    } elseif ($isForm && !$isPage && is_post_request()) {
+        return "form";
+    } elseif (!$isPage && !$isForm && is_get_request()){
+        return "empty";
+    } else {
+        return "unknown";
+    }
+}
+
+function get_url_action() {
+    global $page, $form;
+
+    if (get_action_type() === "page") {
+        return $page;
+    } elseif (get_action_type() === "form") {
+        return $form;
+    } elseif (get_action_type() === "empty") {
+        return "";
+    } elseif (get_action_type() === "unknown") {
+        die('Cannot get a valid action from URL parameters');
+    }
+}
+
 /**
  * [validate_url_action validate if the current page is a valid site actions]
  * @param  [string] $page [the viewed page name]
@@ -48,20 +74,6 @@ function validate_url_action($action_name)
     return $configs['actions'][0];
 }
 
-function get_action_type() {
-    global $page, $form, $isPage, $isForm;
-
-    if ($isPage && !$isForm) {
-        return "page";
-    } elseif ($isForm && !$isPage) {
-        return "form";
-    } elseif (!$isPage && !$isForm){
-        return "empty";
-    } else {
-        return "unknown";
-    }
-}
-
 function display_action($action_name)
 {
     global $configs, $isPage, $isForm;
@@ -69,12 +81,14 @@ function display_action($action_name)
     $found_action = false;
     foreach ($configs['actions'] as $action) {
         if (strcmp($action_name, $action) === 0) {
+            // HTTP GET case
             if (get_action_type() === "page" || get_action_type() === "empty") {
                 include($action . ".php");
+            // HTTP POST case
             } elseif (get_action_type() === "form") {
                 include("form" . $action . ".php");
             } else {
-                echo "Impossible error";
+                echo "Unknown error in action displaying";
             }
             $found_action = true;
             break;
@@ -85,20 +99,6 @@ function display_action($action_name)
     }
 }
 
-function get_url_action() {
-    global $page, $form, $isPage, $isForm;
-
-    if (get_action_type() === "page") {
-        return $page;
-    } elseif (get_action_type() === "form") {
-        return $form;
-    } elseif (get_action_type() === "empty") {
-        return "";
-    } elseif (get_action_type() === "unknown") {
-        die('Cannot get a valid action from URL parameters');
-    }
-}
-
 $url_action = get_url_action();
 $action = validate_url_action($url_action);
 display_action($action);

diff --git a/lib/utils.php b/lib/utils.php
index e6e0365a410f6c45f460e2c455a1026623f6d678..d937db729cb9f78b9bd54109c811136289de9e18 100644 (file)
--- a/lib/utils.php
+++ b/lib/utils.php
@@ -1,9 +1,17 @@
 <?php
-function isPostRequest() {
+function is_post_request() {
     if (filter_input(INPUT_SERVER, 'REQUEST_METHOD') === 'POST') {
         return true;
     } else {
         return false;
     }
 }
+
+function is_get_request() {
+    if (filter_input(INPUT_SERVER, 'REQUEST_METHOD') === 'GET') {
+        return true;
+    } else {
+        return false;
+    }
+}
 ?>

diff --git a/login.php b/login.php
index f797a7eac23fbc25c1ba7eb15a1e2f4a061d00bf..e976fc9a3dc14a597f052234effa54b17156efa2 100644 (file)
--- a/login.php
+++ b/login.php
@@ -1,4 +1,5 @@
-<form action="index.php?form=login" method="post">
+<form action="index.php" method="post">
+ <input type="hidden" name="form" value="login" />
  <p>Email : <input type="text" name="email" /></p>
  <p>Mot de passe : <input type="text" name="password" /></p>
  <p><input type="submit" value="OK"></p>

diff --git a/styles/airpolytech.css b/styles/airpolytech.css
index 3093507bf55365b94c7203b89e200cd79273d052..00dd294e4999b18970cce9b2b3a180fe97682386 100644 (file)
--- a/styles/airpolytech.css
+++ b/styles/airpolytech.css
@@ -6,6 +6,21 @@ body {
     margin: 8px;
 }
 
+a, a:link a:active {
+    text-decoration: none;
+    color: #B11508;
+}
+
+a:visited {
+    text-decoration: none;
+    color: #B11508;
+}
+
+a:hover {
+    text-decoration: none;
+    color: #909090;
+}
+
 #footer {
     text-align: center;
 }