publiccode.si/static/cgi/sign.php

<?php

$codemod = 2138367;   // modificator with which the confirmation ID will be obfuscated
$output = "";
$selfurl = "http://pmpc-test.mehl.mx/cgi/sign.php";  // absolute URL of this PHP script
$db = "../userdata/signatures.json";  // Signature database path

// Get info from form
$action = isset($_GET['action']) ? $_GET['action'] : false;
$honeypot = isset($_GET['url']) ? $_GET['url'] : false;

if (! empty($honeypot)) {
  $output .= "Invalid input. Error code: 5|°4m";
  show_page($output, 1);
}

if(empty($action)) {
  $output .= "No action defined.";
  show_page($output, 1);
} else if ($action === "sign") {
  $name = isset($_GET['name']) ? $_GET['name'] : false;
  $email = isset($_GET['email']) ? $_GET['email'] : false;
  $country = isset($_GET['country']) ? $_GET['country'] : false;
  $zip = isset($_GET['zip']) ? $_GET['zip'] : false;
  $permPriv = isset($_GET['permissionPriv']) ? $_GET['permissionPriv'] : false;
  $permNews = isset($_GET['permissionNews']) ? $_GET['permissionNews'] : false;
  $permPub = isset($_GET['permissionPub']) ? $_GET['permissionPub'] : false;
  
  // Check for missing required fields
  if(empty($name) || empty($email) || empty($permPriv)) {
    $output .= "At least one required variable is empty.";
    show_page($output, 1);
  }
} else if ($action === "confirm") {
  $confirmcode = isset($_GET['code']) ? $_GET['code'] : false;
  $confirmid = isset($_GET['id']) ? $_GET['id'] : false;
  
  // Check for missing required fields
  if(empty($confirmcode) || empty($confirmid)) {
    $output .= "Confirmation code or ID is missing.";
    show_page($output, 1);
  }
} else {
  $output .= "Invalid action.";
  show_page($output, 1);
}
// Continue only if action = sign/confirmation

// Validate input
//TODO

// Read database (should only be called if really needed)
function read_db($db) {
  global $data;   // declare $data a global variable to access it outside this function
  if (! file_exists($db)) {
    touch($db);
  }
  $file = file_get_contents($db, true);
  $data = json_decode($file, true);
  unset($file);
}


/// SIGNING ///
if ($action === "sign") {
  read_db($db);
  
  // Test whether email is a duplicate
  $total = count($data);
  for ($row = 0; $row < $total; $row++) {
    if ($email === $data[$row]['email']) {
      $output .= "We already received a signature with this email address.";
      show_page($output, 1);
    }
  }
  
  // Take sequential ID
  $id = $total;
  // Create a random string for email verification
  $code = rand(1000000000,9999999999) . uniqid();
  $codeid = $id + $codemod;   // this is to obfuscate the real ID of the user if we don't want to publish this number

  // Append new signature to array
  $newsig = array("id" => $id,
                  "name" => $name, 
                  "email" => $email,
                  "country" => $country,
                  "zip" => $zip,
                  "permPriv" => $permPriv,
                  "permNews" => $permNews,
                  "permPub" => $permPub,
                  "code" => $code,
                  "confirmed" => "no");
  $data[] = $newsig;  // newsig is a separated variable for debugging purposes

  // Encode to JSON again and write to file
  $allsig = json_encode($data, JSON_PRETTY_PRINT);
  file_put_contents($db, $allsig, LOCK_EX);
  unset($allsig);
  
  // Send email asking for confirmation
  $to       = $email;
  $subject  = "One step left to sign the \"Public Money - Public Code\" letter";
  $message  = "Thank you for signing the open \"Public Money - Public Code\" letter! \r\n\r\n" .
              "In order to confirm your signature, please visit following link:\r\n" . 
              "$selfurl?action=confirm&id=$codeid&code=$code \r\n\r\n" .
              "If your confirmation succeeds, your signature will appear on the website within the next few hours.";
  $headers  = "From: noreply@fsfe.org" . "\r\n" .
              "Message-ID: <confirmation-$code@fsfe.org>" . "\r\n" .
              "X-Mailer: PHP/" . phpversion();

  mail($to, $subject, $message, $headers);
  
  $output .= "Thank you for signing our open letter! <br /><br />";
  $output .= "We just sent an email to your address ($email) for you to confirm your signature.";
  show_page($output, 0);

} else if ($action === "confirm") {
  /// CONFIRMATION ///
  
  $id = $confirmid - $codemod;              // substract the obfuscation number from the given ID
  
  if ($id < 0) {
    $output .= "Invalid signature ID.";
    show_page($output, 1);
  }
  
  read_db($db);
  
  if (empty($data[$id])) {
    $output .= "The signature ID does not exist.";
    show_page($output, 1);
  }
  
  $email = $data[$id]['email'];             // Get the user's email in case we need it
  $code = $data[$id]['code'];               // The confirmation code according to the DB
  $confirmed = $data[$id]['confirmed'];     // The current confirmation status
  
  // Check whether the confirmation code is what we saved in the DB
  if ($confirmed === "no") {
    if ($confirmcode === $code) {
      // Set the user's confirmation key to "yes"
      $data[$id]['confirmed'] = "yes";
      // Encode to JSON again and write to file
      $allsig = json_encode($data, JSON_PRETTY_PRINT);
      file_put_contents($db, $allsig, LOCK_EX);
      unset($allsig);
      
      $output .= "Your email address has been confirmed. <br /><br />";
      $output .= "Thank you for signing the open letter! Your signature will appear on the website within the next hours.";
      show_page($output, 0);
      
    } else {
      $output .= "The provided confirmation code is incorrect.";
      show_page($output, 1);
    }
  } else if ($confirmed === "yes") {
    $output .= "This email address is already confirmed. It can take a few hours until your signature appears online.";
    show_page($output, 1);
  } else {
    $output .= "This signature ID does not exist or the confirmation status is broken.";
    show_page($output, 1);
  }
  
} // END confirm

// --- PRINT OUTPUT IN TEMPLATE FILE ---

function replace_page($template, $placeholder, $content){
    $vars = array($placeholder=>$content);
    return str_replace(array_keys($vars), $vars, $template);
}

function show_page($output, $exit) {
  if ($exit === 0) {
    $headline = "Success";
    $notice = "";
  } else if ($exit === 1) {
    $headline = "Error";
    $notice = "This error could have happened because one or more fields contained invalid information. Please try again. If you think that you see this error by mistake, please contact us.";
  } else {
    $headline = "Thank you";
  }
  $template = file_get_contents('../template/index.html', true);
  $page = replace_page($template, ':HEADLINE:', $headline);
  $page = replace_page($page, ':BODY1:', $output);
  $page = replace_page($page, ':BODY2:', $notice);
  echo $page;
  unset($data);
  exit($exit);
}
?>
create pretty HTML form in a new section 2017-03-21 22:11:24 +01:00			`<?php`

added working email confirmation routine 2017-03-22 02:01:06 +01:00			`$codemod = 2138367; // modificator with which the confirmation ID will be obfuscated`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output = "";`
			`$selfurl = "http://pmpc-test.mehl.mx/cgi/sign.php"; // absolute URL of this PHP script`
			`$db = "../userdata/signatures.json"; // Signature database path`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
			`// Get info from form`
first validation of input 2017-03-22 01:07:43 +01:00			`$action = isset($_GET['action']) ? $_GET['action'] : false;`
improve spam robot detection, derived from fsfe.org/order 2017-03-23 23:56:56 +01:00			`$honeypot = isset($_GET['url']) ? $_GET['url'] : false;`

			`if (! empty($honeypot)) {`
			`$output .= "Invalid input. Error code: 5\|°4m";`
			`show_page($output, 1);`
			`}`

first validation of input 2017-03-22 01:07:43 +01:00			`if(empty($action)) {`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output .= "No action defined.";`
			`show_page($output, 1);`
first validation of input 2017-03-22 01:07:43 +01:00			`} else if ($action === "sign") {`
			`$name = isset($_GET['name']) ? $_GET['name'] : false;`
			`$email = isset($_GET['email']) ? $_GET['email'] : false;`
			`$country = isset($_GET['country']) ? $_GET['country'] : false;`
			`$zip = isset($_GET['zip']) ? $_GET['zip'] : false;`
add further checkboxes to form and improve styling 2017-03-23 21:37:01 +01:00			`$permPriv = isset($_GET['permissionPriv']) ? $_GET['permissionPriv'] : false;`
			`$permNews = isset($_GET['permissionNews']) ? $_GET['permissionNews'] : false;`
			`$permPub = isset($_GET['permissionPub']) ? $_GET['permissionPub'] : false;`
first validation of input 2017-03-22 01:07:43 +01:00
			`// Check for missing required fields`
add further checkboxes to form and improve styling 2017-03-23 21:37:01 +01:00			`if(empty($name) \|\| empty($email) \|\| empty($permPriv)) {`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output .= "At least one required variable is empty.";`
			`show_page($output, 1);`
first validation of input 2017-03-22 01:07:43 +01:00			`}`
			`} else if ($action === "confirm") {`
added working email confirmation routine 2017-03-22 02:01:06 +01:00			`$confirmcode = isset($_GET['code']) ? $_GET['code'] : false;`
			`$confirmid = isset($_GET['id']) ? $_GET['id'] : false;`
first validation of input 2017-03-22 01:07:43 +01:00
			`// Check for missing required fields`
added working email confirmation routine 2017-03-22 02:01:06 +01:00			`if(empty($confirmcode) \|\| empty($confirmid)) {`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output .= "Confirmation code or ID is missing.";`
			`show_page($output, 1);`
first validation of input 2017-03-22 01:07:43 +01:00			`}`
			`} else {`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output .= "Invalid action.";`
			`show_page($output, 1);`
first validation of input 2017-03-22 01:07:43 +01:00			`}`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`// Continue only if action = sign/confirmation`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
			`// Validate input`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`//TODO`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`// Read database (should only be called if really needed)`
			`function read_db($db) {`
			`global $data; // declare $data a global variable to access it outside this function`
			`if (! file_exists($db)) {`
			`touch($db);`
			`}`
			`$file = file_get_contents($db, true);`
			`$data = json_decode($file, true);`
			`unset($file);`
first validation of input 2017-03-22 01:07:43 +01:00			`}`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
first validation of input 2017-03-22 01:07:43 +01:00			`/// SIGNING ///`
			`if ($action === "sign") {`
database has to be loaded earlier 2017-03-23 23:39:27 +01:00			`read_db($db);`

first validation of input 2017-03-22 01:07:43 +01:00			`// Test whether email is a duplicate`
			`$total = count($data);`
			`for ($row = 0; $row < $total; $row++) {`
			`if ($email === $data[$row]['email']) {`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output .= "We already received a signature with this email address.";`
			`show_page($output, 1);`
first validation of input 2017-03-22 01:07:43 +01:00			`}`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00			`}`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00
			`// Take sequential ID`
			`$id = $total;`
			`// Create a random string for email verification`
			`$code = rand(1000000000,9999999999) . uniqid();`
			`$codeid = $id + $codemod; // this is to obfuscate the real ID of the user if we don't want to publish this number`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`// Append new signature to array`
			`$newsig = array("id" => $id,`
			`"name" => $name,`
			`"email" => $email,`
			`"country" => $country,`
			`"zip" => $zip,`
			`"permPriv" => $permPriv,`
			`"permNews" => $permNews,`
			`"permPub" => $permPub,`
			`"code" => $code,`
			`"confirmed" => "no");`
			`$data[] = $newsig; // newsig is a separated variable for debugging purposes`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`// Encode to JSON again and write to file`
			`$allsig = json_encode($data, JSON_PRETTY_PRINT);`
			`file_put_contents($db, $allsig, LOCK_EX);`
			`unset($allsig);`

			`// Send email asking for confirmation`
			`$to = $email;`
			`$subject = "One step left to sign the \"Public Money - Public Code\" letter";`
			`$message = "Thank you for signing the open \"Public Money - Public Code\" letter! \r\n\r\n" .`
			`"In order to confirm your signature, please visit following link:\r\n" .`
			`"$selfurl?action=confirm&id=$codeid&code=$code \r\n\r\n" .`
			`"If your confirmation succeeds, your signature will appear on the website within the next few hours.";`
			`$headers = "From: noreply@fsfe.org" . "\r\n" .`
			`"Message-ID: <confirmation-$code@fsfe.org>" . "\r\n" .`
			`"X-Mailer: PHP/" . phpversion();`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`mail($to, $subject, $message, $headers);`

			`$output .= "Thank you for signing our open letter! <br /><br />";`
			`$output .= "We just sent an email to your address ($email) for you to confirm your signature.";`
			`show_page($output, 0);`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00
added working email confirmation routine 2017-03-22 02:01:06 +01:00			`} else if ($action === "confirm") {`
			`/// CONFIRMATION ///`

			`$id = $confirmid - $codemod; // substract the obfuscation number from the given ID`
database has to be loaded earlier 2017-03-23 23:39:27 +01:00
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`if ($id < 0) {`
			`$output .= "Invalid signature ID.";`
			`show_page($output, 1);`
			`}`

			`read_db($db);`

			`if (empty($data[$id])) {`
			`$output .= "The signature ID does not exist.";`
			`show_page($output, 1);`
			`}`

added working email confirmation routine 2017-03-22 02:01:06 +01:00			`$email = $data[$id]['email']; // Get the user's email in case we need it`
			`$code = $data[$id]['code']; // The confirmation code according to the DB`
			`$confirmed = $data[$id]['confirmed']; // The current confirmation status`

			`// Check whether the confirmation code is what we saved in the DB`
			`if ($confirmed === "no") {`
			`if ($confirmcode === $code) {`
			`// Set the user's confirmation key to "yes"`
			`$data[$id]['confirmed'] = "yes";`
			`// Encode to JSON again and write to file`
			`$allsig = json_encode($data, JSON_PRETTY_PRINT);`
			`file_put_contents($db, $allsig, LOCK_EX);`
			`unset($allsig);`

database has to be loaded earlier 2017-03-23 23:39:27 +01:00			`$output .= "Your email address has been confirmed. <br /><br />";`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output .= "Thank you for signing the open letter! Your signature will appear on the website within the next hours.";`
			`show_page($output, 0);`

added working email confirmation routine 2017-03-22 02:01:06 +01:00			`} else {`
database has to be loaded earlier 2017-03-23 23:39:27 +01:00			`$output .= "The provided confirmation code is incorrect.";`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`show_page($output, 1);`
added working email confirmation routine 2017-03-22 02:01:06 +01:00			`}`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`} else if ($confirmed === "yes") {`
			`$output .= "This email address is already confirmed. It can take a few hours until your signature appears online.";`
			`show_page($output, 1);`
added working email confirmation routine 2017-03-22 02:01:06 +01:00			`} else {`
put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`$output .= "This signature ID does not exist or the confirmation status is broken.";`
			`show_page($output, 1);`
added working email confirmation routine 2017-03-22 02:01:06 +01:00			`}`

put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`} // END confirm`

			`// --- PRINT OUTPUT IN TEMPLATE FILE ---`

			`function replace_page($template, $placeholder, $content){`
			`$vars = array($placeholder=>$content);`
			`return str_replace(array_keys($vars), $vars, $template);`
make PHP script create a user database, search for duplicate mails, send a test mail 2017-03-22 00:06:08 +01:00			`}`

put all output of the signature script on a template page with placeholders 2017-03-23 23:30:03 +01:00			`function show_page($output, $exit) {`
			`if ($exit === 0) {`
			`$headline = "Success";`
			`$notice = "";`
			`} else if ($exit === 1) {`
			`$headline = "Error";`
			`$notice = "This error could have happened because one or more fields contained invalid information. Please try again. If you think that you see this error by mistake, please contact us.";`
			`} else {`
			`$headline = "Thank you";`
			`}`
			`$template = file_get_contents('../template/index.html', true);`
			`$page = replace_page($template, ':HEADLINE:', $headline);`
			`$page = replace_page($page, ':BODY1:', $output);`
			`$page = replace_page($page, ':BODY2:', $notice);`
			`echo $page;`
			`unset($data);`
			`exit($exit);`
			`}`
create pretty HTML form in a new section 2017-03-21 22:11:24 +01:00			`?>`