sécurité

This commit is contained in:
Alexis HADJEM--BRANCHER 2024-06-16 17:25:25 +02:00
parent c526f65782
commit c9d69f8df5
4 changed files with 183 additions and 111 deletions


@ -1,3 +1,4 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8">
@ -5,27 +6,24 @@
<link rel="stylesheet" href="../css/style.css">
<title>Connexion - Jeux Olympiques</title>
</head>
<body>
<?php
// Informations de connexion à la base de données
require_once 'common.php';
session_start();
if (!empty($_POST['login']) && !empty($_POST['password'])) {
$db = initDatabase();
$login = $_POST['login'];
$password = $_POST['password'];
$login = htmlspecialchars($_POST['login'], ENT_QUOTES, 'UTF-8');
$password = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8');
// Use prepared statements to prevent SQL injection
$stmt = $db->prepare("SELECT * FROM user WHERE login = ?");
$stmt->bind_param("s", $login);
$stmt->execute();
$result = $stmt->get_result();
$result=mysqli_query($db,"SELECT * FROM user WHERE login = '$login' ");
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
$hash = $row['mdp'];
$mail = $row['mail'];
$nom = $row['nom'];
@ -34,7 +32,6 @@ if (!empty($_POST['login']) && !empty($_POST['password'])) {
$role = $row['Role'];
if (password_verify($password, $hash)) {
if ($login) {
$_SESSION['login'] = $login;
$_SESSION['mail'] = $mail;
$_SESSION['nom'] = $nom;
@ -44,56 +41,36 @@ if (!empty($_POST['login']) && !empty($_POST['password'])) {
header('Location: ../index.php');
exit();
}
} else {
$error_verif2 = "Mot de passe incorrect";
}
} else {
$error_verif = "Ce login n'existe pas";
}
$stmt->close();
}
// Récupération des données du formulaire
?>
<header>
<h1 class='Hello'>Page de connexion</h1>
<nav>
<a href="../" class="categorie">Page d'accueil</a>
</nav>
</header>
<div class="connexion">
<u><i><h2>Connexion</h2></i></u><br>
<form action="" method="post">
<label for="login">Login :</label><br>
<input type="text" id="login" name="login" required value="<?php if (isset($_REQUEST['login'])) { echo $_REQUEST['login']; } ?>"><br>
<input type="text" id="login" name="login" required value="<?php if (isset($_POST['login'])) { echo htmlspecialchars($_POST['login'], ENT_QUOTES, 'UTF-8'); } ?>"><br>
<?php if (isset($error_verif)) { echo "<div class='error-message'>$error_verif</div>"; } ?>
<br><br><label for="password">Mot de passe :</label><br>
<input type="password" id="password" name="password" required placeholder="••••••••" value="<?php if (isset($_REQUEST['password'])) { echo $_REQUEST['password']; } ?>"><br>
<input type="password" id="password" name="password" required placeholder="••••••••" value="<?php if (isset($_POST['password'])) { echo htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8'); } ?>"><br>
<?php if (isset($error_verif2)) { echo "<div class='error-message'>$error_verif2</div>"; } ?>
<br><br><button type="submit" class="submit">Se connecter</button>
</form>
<p class="compteUser">Vous ne possédez pas de compte ? <br><a href="inscription.php">Inscrivez-vous !</a></p>
</div>
<footer>
<?php require_once('footer.php'); ?>
</footer>
</body>
</html>
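Review bot: `$password = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8');` runs before `password_verify($password, $hash)`, so any password containing `'`, `"`, `&`, `<` or `>` is transformed before verification and will only match if inscription.php applied the identical transform before hashing (not visible in this commit); HTML escaping is an output concern, and L76/L80 already escape at output, so keep the raw values here: `$login = $_POST['login'];` and `$password = $_POST['password'];`. Escaping `$login` before the lookup has the same problem, and the escaped form is then persisted via `$_SESSION['login']`, which other pages write back into the database. Consider calling `session_regenerate_id(true);` immediately before `$_SESSION['login'] = $login;` so a session id fixed before authentication is not kept after it. The password input also re-emits the submitted password into the page's `value` attribute; dropping that attribute avoids leaving the secret in the rendered HTML. The `if (!empty($_POST['login']) …)` block spans all three hunks of this file.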


@ -4,46 +4,81 @@ session_start();
$db = initDatabase();
if (empty($_REQUEST['id_article'])) {
if (empty($_REQUEST['id_event'])) {
header('Location: evenement.php');
exit();
}
if (!empty($_GET['tit']) && !empty($_GET['content'])) {
$title = $_GET['title'];
$content = htmlspecialchars($_GET['content']);
if (empty($_GET['id_comment'])) { // nouveau ou modif ?
$sql = "INSERT INTO comment (id_article, title, content, id_user) "
."VALUES (".$_GET['id_article'].", '$title', '$content', ".$_SESSION['user']['id'].")";
} else {
$sql = "UPDATE comment SET title='$title', content='$content', id_user=". $_SESSION['user']['id']
." WHERE id = " . $_GET['id_comment'];
if (!empty($_GET['content'])) {
$content = htmlspecialchars($_GET['content'], ENT_QUOTES, 'UTF-8');
$id_event = intval($_GET['id_event']); // Ensure id_event is an integer
$login = $_SESSION['login']; // Assuming login is a string
if (empty($_GET['id_comment'])) { // new comment
// Use prepared statements for security
$recupid = mysqli_query($db, "SELECT MAX(id_comment) AS max_id FROM commentaire");
$row = mysqli_fetch_assoc($recupid);
$id = $row['max_id'] + 1;
$stmt = $db->prepare("INSERT INTO commentaire (id_comment, id_event, login, contenu) VALUES ($id,?, ?, ?)");
$stmt->bind_param('iss', $id_event, $login, $content);
} else { // update existing comment
$id_comment = intval($_GET['id_comment']); // Ensure id_comment is an integer
$stmt = $db->prepare("UPDATE commentaire SET contenu = ?, login = ? WHERE id_comment = ?");
$stmt->bind_param('ssi', $content, $login, $id_comment);
}
if (mysqli_query($db,$sql)) {
header('Location: article_view.php?id=' . $_GET['id_article']);
if ($stmt->execute()) {
header('Location: event.php?id=' . $id_event);
exit();
} else {
die("Erreur : $sql");
// Output SQL error for debugging
echo "Error: " . $stmt->error;
}
$stmt->close();
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<link rel="icon" href="../img/jo2024.jpg">
<link rel="stylesheet" href="../css/style.css">
<title>Évènements - Jeux Olympiques</title>
</head>
<body>
<header>
<h1 class='Hello'>Évènement</h1>
<nav>
<?php
include './templates/header.php';
if (isset($_SESSION['login'])) {
echo "<a href='../' class='categorie'>Page d'accueil</a>";
echo "<a href='profil.php'><img class='profil' src='https://dwarves.iut-fbleau.fr/~ghouar-t/SaeDEV2.2/img/photo-profil.png' alt='profil'></a>";
echo "<a href='deconnexion.php' class='categorie'>Déconnexion</a>";
} else {
echo "<a href='../' class='categorie'>Page d'accueil</a>";
echo "<a href='connexion.php' class='categorie'>Connexion</a>";
echo "<a href='inscription.php' class='categorie'>Inscription</a>";
}
?>
<body container>
</nav>
</header>
<div class="commentaire">
<h1>Ajouter/modifier un commentaire</h1>
<u><i><h1>Ajouter/modifier un commentaire</h1></i></u>
<form action="" method="get">
<fieldset>
<?php if (!empty($_REQUEST['id_comment'])) {
echo '<input name="id_comment" type="hidden" value="' . $_REQUEST['id_comment'] ."\" />\n";
} ?>
<input name="id_article" type="hidden" value="<?php echo $_REQUEST['id_article']; ?>" />
<div> <label> Texte <textarea name="content" cols="60" rows="6"></textarea></label></div>
<?php if (!empty($_GET['id_comment'])): ?>
<input name="id_comment" type="hidden" value="<?php echo htmlspecialchars($_GET['id_comment'], ENT_QUOTES, 'UTF-8'); ?>" />
<?php endif; ?>
<input name="id_event" type="hidden" value="<?php echo htmlspecialchars($_GET['id_event'], ENT_QUOTES, 'UTF-8'); ?>" />
<label>Commentaire<textarea name="content" cols="50" rows="6"></textarea></label>
<button type="submit" name="ok" value="1">Ajouter ce commentaire</button>
</fieldset>
</form>
<?php
include './templates/footer.php';
?>
</div>
<footer>
<?php include 'footer.php'; ?>
</footer>
</body>
</html>
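Review bot: The update branch, `$stmt = $db->prepare("UPDATE commentaire SET contenu = ?, login = ? WHERE id_comment = ?");`, lets any logged-in user rewrite any comment whose `id_comment` they supply, because nothing ties the row to the current session; the parameterisation fixes injection but not authorisation. Scope the update to the author with `$stmt = $db->prepare("UPDATE commentaire SET contenu = ? WHERE id_comment = ? AND login = ?");` and `$stmt->bind_param('sis', $content, $id_comment, $login);`, and treat zero affected rows as "not yours". The `SELECT MAX(id_comment)` / `$id = $row['max_id'] + 1` scheme interpolated into the INSERT is racy under concurrent posts (two requests compute the same id); an AUTO_INCREMENT column, or at least binding `$id` as a parameter, is safer. `echo "Error: " . $stmt->error;` exposes driver error text to the browser; log it server-side and show a generic message instead. No check that `$_SESSION['login']` is set is visible in this hunk (the file's first lines are outside it), so `$login` may be null for an anonymous request.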


@ -76,13 +76,7 @@ $event = mysqli_stmt_get_result($stmt);
?>
</nav>
</header>
<?php
if (isset($_SESSION['role'])) {
if ($_SESSION['role']=='organizer') {
echo "<a href='creer_event.php' class='categorie'>Connexion</a>";
}
}
?>
<div class="ListeEvenement">
<div>
@ -114,6 +108,13 @@ if (isset($_SESSION['role'])) {
?>
</tbody>
</table>
<?php
if (isset($_SESSION['role'])) {
if ($_SESSION['role']=='organizer') {
echo "<a href='creer_event.php' class='categorie'>Créer un évènement</a>";
}
}
?>
</div>
<footer>
<?php require_once('footer.php'); ?>
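Review bot: The relocated role gate still uses loose comparison in `if ($_SESSION['role']=='organizer') {`; a single strict guard, `if (isset($_SESSION['role']) && $_SESSION['role'] === 'organizer') {`, removes the nested ifs and the type juggling. Hiding the link only affects this page; creer_event.php must enforce the organizer role itself, which this section cannot show. The surrounding markup spans both hunks of this file.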

php/index.php Normal file

@ -0,0 +1,59 @@
<?php
session_start();
?>
<html lang="fr" >
<head>
<meta charset="utf-8">
<link rel="icon" href="img/jo2024.jpg" >
<link rel="stylesheet" href="css/style.css">
<title> Accueil - Jeux Olympiques</title>
</head>
<body>
<div id="content index">
<header>
<?php
if (isset($_SESSION['login'])) {
if ($_SESSION['genre']=='homme') {
echo "<h1 class='Hello'>Bienvenue Mr ". $_SESSION['nom']." ".$_SESSION['prenom']." sur le site des JO !</h1>";
}
if ($_SESSION['genre']=='femme') {
echo "<h1 class='Hello'>Bienvenue Mme ". $_SESSION['nom']." ".$_SESSION['prenom']." sur le site des JO !</h1>";
}
if($_SESSION['genre']=='autre') {
echo "<h1 class='Hello'>Bienvenue ". $_SESSION['nom']." ".$_SESSION['prenom']." sur le site des JO !</h1>";
}
echo "<nav>";
echo "<a href='php/evenement.php' class='categorie'>Évènements</a>";
echo "<a href='php/profil.php'><img class='profil' src='https://dwarves.iut-fbleau.fr/~ghouar-t/SaeDEV2.2/img/photo-profil.png' alt='profil'></a>";
echo "<a href='php/deconnexion.php' class='categorie'>Déconnexion</a>";
echo "</nav>";
}
else {
echo "<h1 class='Hello'>Bienvenue sur le site des JO ! </h1>";
echo "<nav>";
echo "<a href='php/evenement.php' class='categorie'>Évènements</a>";
echo "<a href='php/connexion.php' class='categorie'>Connexion</a>";
echo "<a href='php/inscription.php' class='categorie'>Inscription</a>";
echo "</nav>";
}
?>
</header>
<p class="coco"><b>Les Jeux Olympiques de Paris 2024 seront le plus grand événement jamais organisé en France. Ils se tiendront du 26 juillet au 11 août 2024, durant 16 jours hors du temps pendant lesquels Paris 2024 sera le cœur du monde. Les Jeux, cest du sport, mais tellement plus encore… Une combinaison de rendez-vous culturels, de programmation artistique, et de performances diverses qui créent une expérience unique en son genre. Les Jeux, cest un festival populaire et multiculturel qui sadresse au monde entier. Cest une aventure qui va embarquer la France entière pour une expérience inédite.</b></p>
</div>
<footer>
<?php require_once('php/footer.php'); ?>
</footer>
</body>
</html>
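Review bot: `$_SESSION['nom']` and `$_SESSION['prenom']` are concatenated into the `<h1>` without escaping; these values originate from user-supplied registration data, and unless inscription.php guarantees they are HTML-safe (not visible here) they should be escaped at output. The three `if ($_SESSION['genre']=='…')` checks also use loose comparison and repeat the same echo; a `match` on the civility prefix expresses this once. In the rewrite below the `default` arm greets users whose `genre` is unset or unrecognised, where the original emitted no heading at all — keep `default` or add an explicit `'autre' => ''` arm depending on the intended behaviour. The file also lacks a `<!DOCTYPE html>` line before `<html lang="fr" >`, and the `<p class="coco">` paragraph has lost its apostrophes ("cest", "sadresse").
```php
if (isset($_SESSION['login'])) {
    // Escape at output: these session values came from user-supplied registration data.
    $nom = htmlspecialchars($_SESSION['nom'] ?? '', ENT_QUOTES, 'UTF-8');
    $prenom = htmlspecialchars($_SESSION['prenom'] ?? '', ENT_QUOTES, 'UTF-8');
    $civilite = match ($_SESSION['genre'] ?? '') {
        'homme' => 'Mr ',
        'femme' => 'Mme ',
        default => '',
    };
    echo "<h1 class='Hello'>Bienvenue {$civilite}{$nom} {$prenom} sur le site des JO !</h1>";
    // … unchanged: logged-in nav links …
```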