2.11.19 Add API key to user profile

.secrets.baseline

@@ -90,6 +90,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -391,7 +395,7 @@
         "filename": "src/set-up-database.php",
         "hashed_secret": "8fa8f4fcd1b98862f0a26551f87e01a95fcaa6a4",
         "is_verified": false,
-        "line_number": 1214
+        "line_number": 1215
       }
     ],
     "src/view-user-privilege-level.php": [
@@ -413,5 +417,5 @@
       }
     ]
   },
-  "generated_at": "2024-09-23T22:12:59Z"
+  "generated_at": "2024-09-29T22:16:02Z"
 }

src/classes/SQLQueryHandler.php

@@ -5,9 +5,9 @@
 if (!defined('__SITE_ROOT__')){if (!defined('__SITE_ROOT__')){define('__SITE_ROOT__', dirname(dirname(__FILE__)));}}
 
 class SQLQueryHandler {
-	protected $encodeOutput = FALSE;
-	protected $stopSQLInjection = FALSE;
-	protected $mLimitOutput = FALSE;
+	protected $encodeOutput = false;
+	protected $stopSQLInjection = false;
+	protected $mLimitOutput = false;
 	protected $mSecurityLevel = 0;
 
 	// private objects
@@ -18,21 +18,22 @@ private function doSetSecurityLevel($pSecurityLevel){
 		$this->mSecurityLevel = $pSecurityLevel;
 
 		switch ($this->mSecurityLevel){
+			default: // Default case: This code is insecure, we are not encoding output
 	   		case "0": // This code is insecure, we are not encoding output
 			case "1": // This code is insecure, we are not encoding output
-				$this->encodeOutput = FALSE;
-				$this->stopSQLInjection = FALSE;
-				$this->mLimitOutput = FALSE;
+				$this->encodeOutput = false;
+				$this->stopSQLInjection = false;
+				$this->mLimitOutput = false;
 	   		break;
 
 			case "2":
 			case "3":
 			case "4":
 	   		case "5": // This code is fairly secure
 	  			// If we are secure, then we encode all output.
-	   			$this->encodeOutput = TRUE;
-	   			$this->stopSQLInjection = TRUE;
-	   			$this->mLimitOutput = TRUE;
+	   			$this->encodeOutput = true;
+	   			$this->stopSQLInjection = true;
+	   			$this->mLimitOutput = true;
 	   		break;
 	   	}// end switch
 	}// end function
@@ -42,7 +43,7 @@ public function __construct($pSecurityLevel){
 		$this->doSetSecurityLevel($pSecurityLevel);
 
 		//initialize encoder
-		require_once (__SITE_ROOT__.'/classes/EncodingHandler.php');
+		require_once __SITE_ROOT__.'/classes/EncodingHandler.php';
 		$this->mEncoder = new EncodingHandler();
 
 		/* Initialize MySQL Connection handler */
@@ -74,7 +75,7 @@ public function escapeDangerousCharacters($pData){
 
 	public function getPageHelpTexts($pPageName){
 
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pPageName = $this->mMySQLHandler->escapeDangerousCharacters($pPageName);
 		}// end if
 
@@ -96,7 +97,7 @@ public function getPageHelpTexts($pPageName){
 
 	public function getPageLevelOneHelpIncludeFiles($pPageName){
 
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pPageName = $this->mMySQLHandler->escapeDangerousCharacters($pPageName);
 		}// end if
 
@@ -115,8 +116,8 @@ public function getPageLevelOneHelpIncludeFiles($pPageName){
 
 	public function getLevelOneHelpIncludeFile($pIncludeFileKey){
 
-		if ($this->stopSQLInjection == TRUE){
-			$pPageName = $this->mMySQLHandler->escapeDangerousCharacters($pIncludeFileKey);
+		if ($this->stopSQLInjection){
+			$pIncludeFileKey = $this->mMySQLHandler->escapeDangerousCharacters($pIncludeFileKey);
 		}// end if
 
 		$lQueryString  = "
@@ -139,42 +140,42 @@ public function getCapturedData(){
 			FROM captured_data
 			ORDER BY capture_date DESC";
 
-		if ($this->mLimitOutput == TRUE){
+		if ($this->mLimitOutput){
 	    	$lQueryString .= " LIMIT 20";
 	    }// end if
 
 		return $this->mMySQLHandler->executeQuery($lQueryString);
 	}//end public function getCapturedData()
 
-	public function insertVoteIntoUserPoll(/*Text*/ $pToolName, /*Text*/ $pUserName){
-
-		if ($this->stopSQLInjection == TRUE){
-			$pToolName = $this->mMySQLHandler->escapeDangerousCharacters($pToolName);
+	public function insertVoteIntoUserPoll(/*Text*/ $pToolName, /*Text*/ $pUserName){
+
+		if ($this->stopSQLInjection){
+			$pToolName = $this->mMySQLHandler->escapeDangerousCharacters($pToolName);
 			$pUserName = $this->mMySQLHandler->escapeDangerousCharacters($pUserName);
-		}// end if
-
-		$lQueryString  = "
-			INSERT INTO user_poll_results(tool_name, username, date) VALUES ('".
+		}// end if
+
+		$lQueryString  = "
+			INSERT INTO user_poll_results(tool_name, username, date) VALUES ('".
 				$pToolName . "', '".
 				$pUserName  . "', " .
-				" now() );";
-
-		return $this->mMySQLHandler->executeQuery($lQueryString);
-	}//end public function insertVoteIntoUserPoll
-
-	public function getUserPollVotes(){
-
-		$lQueryString  = "
+				" now() );";
+
+		return $this->mMySQLHandler->executeQuery($lQueryString);
+	}//end public function insertVoteIntoUserPoll
+
+	public function getUserPollVotes(){
+
+		$lQueryString  = "
 			SELECT tool_name, COUNT(tool_name) as tool_count
 			FROM user_poll_results
-			GROUP BY tool_name";
-
-		return $this->mMySQLHandler->executeQuery($lQueryString);
+			GROUP BY tool_name";
+
+		return $this->mMySQLHandler->executeQuery($lQueryString);
 	}//end public function insertVoteIntoUserPoll
 
 	public function insertBlogRecord($pBloggerName, $pBlogEntry){
 
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pBloggerName = $this->mMySQLHandler->escapeDangerousCharacters($pBloggerName);
 			$pBlogEntry = $this->mMySQLHandler->escapeDangerousCharacters($pBlogEntry);
 		}// end if
@@ -190,7 +191,7 @@ public function insertBlogRecord($pBloggerName, $pBlogEntry){
 
 	public function getBlogRecord($pBloggerName){
 
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pBloggerName = $this->mMySQLHandler->escapeDangerousCharacters($pBloggerName);
 		}// end if
 
@@ -208,7 +209,7 @@ public function getPenTestTool($pPostedToolID){
   		 * Note: While escaping works ok in some case, it is not the best defense.
  		 * Using stored procedures is a much stronger defense.
  		 */
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pPostedToolID = $this->mMySQLHandler->escapeDangerousCharacters($pPostedToolID);
 		}// end if
 
@@ -238,7 +239,7 @@ public function getHitLogEntries(){
 		* is static.
 	*/
 		$lLimitString = "";
-		if ($this->mLimitOutput == TRUE){
+		if ($this->mLimitOutput){
 		$lLimitString .= " LIMIT 20";
 	}// end if
 
@@ -251,7 +252,7 @@ public function getYouTubeVideo($pRecordIdentifier){
 	* Note: While escaping works ok in some case, it is not the best defense.
 		* Using stored procedures is a much stronger defense.
 	*/
-	if ($this->stopSQLInjection == TRUE){
+	if ($this->stopSQLInjection){
 		$pRecordIdentifier = $this->mMySQLHandler->escapeDangerousCharacters($pRecordIdentifier);
 	}// end if
 
@@ -269,7 +270,7 @@ public function getUsernames(){
 
 	public function accountExists($pUsername){
 
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pUsername = $this->mMySQLHandler->escapeDangerousCharacters($pUsername);
 		}// end if
 
@@ -279,16 +280,16 @@ public function accountExists($pUsername){
 		$lQueryResult = $this->mMySQLHandler->executeQuery($lQueryString);
 
 		if (isset($lQueryResult->num_rows)){
-			return ($lQueryResult->num_rows > 0);
+			return $lQueryResult->num_rows > 0;
 		}else{
-			return FALSE;
+			return false;
 		}// end if
 
 	}//end public function getUsernames
 
 	public function authenticateAccount($pUsername, $pPassword){
 
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pUsername = $this->mMySQLHandler->escapeDangerousCharacters($pUsername);
 			$pPassword = $this->mMySQLHandler->escapeDangerousCharacters($pPassword);
 		}// end if
@@ -302,9 +303,9 @@ public function authenticateAccount($pUsername, $pPassword){
 		$lQueryResult = $this->mMySQLHandler->executeQuery($lQueryString);
 
 		if (isset($lQueryResult->num_rows)){
-			return ($lQueryResult->num_rows > 0);
+			return $lQueryResult->num_rows > 0;
 		}else{
-			return FALSE;
+			return false;
 		}// end if
 
 	}//end public function getUsernames
@@ -314,7 +315,7 @@ public function getNonSensitiveAccountInformation($pUsername){
 		 * Note: While escaping works ok in some case, it is not the best defense.
 		* Using stored procedures is a much stronger defense.
 		*/
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pUsername = $this->mMySQLHandler->escapeDangerousCharacters($pUsername);
 		}// end if
 
@@ -326,24 +327,24 @@ public function getNonSensitiveAccountInformation($pUsername){
 		return $this->mMySQLHandler->executeQuery($lQueryString);
 	}//end public function getNonSensitiveAccountInformation
 
-	public function getUserAccountByID($pUserID){
-
-		if ($this->stopSQLInjection == TRUE){
-			$pUserID = $this->mMySQLHandler->escapeDangerousCharacters($pUserID);
-		}// end if
-
-		$lQueryString = "SELECT * FROM accounts WHERE cid='" . $pUserID . "'";
-
-		return $this->mMySQLHandler->executeQuery($lQueryString);
-	}//end public function getUserAccountByID
+	public function getUserAccountByID($pUserID){
+
+		if ($this->stopSQLInjection){
+			$pUserID = $this->mMySQLHandler->escapeDangerousCharacters($pUserID);
+		}// end if
+
+		$lQueryString = "SELECT * FROM accounts WHERE cid='" . $pUserID . "'";
+
+		return $this->mMySQLHandler->executeQuery($lQueryString);
+	}//end public function getUserAccountByID
 
 	public function getUserAccount($pUsername, $pPassword){
    		/*
   		 * Note: While escaping works ok in some case, it is not the best defense.
  		 * Using stored procedures is a much stronger defense.
  		 */
 
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pUsername = $this->mMySQLHandler->escapeDangerousCharacters($pUsername);
 			$pPassword = $this->mMySQLHandler->escapeDangerousCharacters($pPassword);
 		}// end if
@@ -359,21 +360,22 @@ public function getUserAccount($pUsername, $pPassword){
 	/* -----------------------------------------
 	 * Insert Queries
 	 * ----------------------------------------- */
-	public function insertNewUserAccount($pUsername, $pPassword, $pSignature){
+	public function insertNewUserAccount($pUsername, $pPassword, $pSignature, $pAPIToken){
    		/*
   		 * Note: While escaping works ok in some case, it is not the best defense.
  		 * Using stored procedures is a much stronger defense.
  		 */
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pUsername = $this->mMySQLHandler->escapeDangerousCharacters($pUsername);
 			$pPassword = $this->mMySQLHandler->escapeDangerousCharacters($pPassword);
 			$pSignature = $this->mMySQLHandler->escapeDangerousCharacters($pSignature);
 		}// end if
 
-		$lQueryString = "INSERT INTO accounts (username, password, mysignature) VALUES ('" .
+		$lQueryString = "INSERT INTO accounts (username, password, mysignature, api_token) VALUES ('" .
 			$pUsername ."', '" .
 			$pPassword . "', '" .
-			$pSignature .
+			$pSignature . "', '" .
+			$pAPIToken .
 			"')";
 
 		if ($this->mMySQLHandler->executeQuery($lQueryString)){
@@ -391,7 +393,7 @@ public function insertCapturedData(
 		$pClientReferrer,
 		$pCapturedData
 	){
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pClientIP = $this->mMySQLHandler->escapeDangerousCharacters($pClientIP);
 			$pClientHostname = $this->mMySQLHandler->escapeDangerousCharacters($pClientHostname);
 			$pClientPort = $this->mMySQLHandler->escapeDangerousCharacters($pClientPort);
@@ -426,7 +428,7 @@ public function updateUserAccount($pUsername, $pPassword, $pSignature){
 		 * Note: While escaping works ok in some case, it is not the best defense.
 		* Using stored procedures is a much stronger defense.
 		*/
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pUsername = $this->mMySQLHandler->escapeDangerousCharacters($pUsername);
 			$pPassword = $this->mMySQLHandler->escapeDangerousCharacters($pPassword);
 			$pSignature = $this->mMySQLHandler->escapeDangerousCharacters($pSignature);
@@ -452,7 +454,7 @@ public function updateUserAccount($pUsername, $pPassword, $pSignature){
 	 * Delete Queries
 	* ----------------------------------------- */
 	public function deleteUser($pUsername){
-		if ($this->stopSQLInjection == TRUE){
+		if ($this->stopSQLInjection){
 			$pUsername = $this->mMySQLHandler->escapeDangerousCharacters($pUsername);
 		}// end if
 

src/includes/constants.php

@@ -2,7 +2,7 @@
 	/* ------------------------------------------
 	 * @VERSION
 	 * ------------------------------------------*/
-	$C_VERSION = "2.11.18";
+	$C_VERSION = "2.11.19";
 	$C_VERSION_STRING = "Version: " . $C_VERSION;
 	$C_MAX_HINT_LEVEL = 1;
 

src/includes/process-login-attempt.php

@@ -51,7 +51,7 @@ function logLoginAttempt($lMessage){
 	   	$lAuthenticationAttemptResult = $cUNSURE;
 	   	$lAuthenticationAttemptResultFound = false;
 	   	$lKeepGoing = true;
-	   	$lQueryResult=NULL;
+	   	$lQueryResult=null;
 
    		logLoginAttempt("User {$lUsername} attempting to authenticate");