From 5f8c7f81667e809f27c8dc9a6ce9de999f39c846 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vojt=C4=9Bch=20Sajdl?= <vojtech@sajdl.com>
Date: Wed, 29 Nov 2017 14:40:34 +0100
Subject: [PATCH] Checking validity of data - install script

---
 config.php.template |   2 +-
 install.php         | 112 +++++++++++++++++++++++++++++---------------
 2 files changed, 76 insertions(+), 38 deletions(-)

diff --git a/config.php.template b/config.php.template
index d523af9..72c8874 100644
--- a/config.php.template
+++ b/config.php.template
@@ -11,7 +11,7 @@ define("INSTALL_OVERRIDE", false);
 $mysqli = new mysqli("##server##","##user##","##password##","##database##");
 
 if ($mysqli->connect_errno) {
-    printf("Connect failed: %s\n", $mysqli->connect_error);
+    printf("Connection failed: %s\n", $mysqli->connect_error);
     exit();
 }
 
diff --git a/install.php b/install.php
index 1c01e6f..0ac4bbd 100644
--- a/install.php
+++ b/install.php
@@ -5,44 +5,83 @@ define("NAME", 'Status page'); //Website name
 render_header("Install");?>
 <h1 class="text-center">Installation</h1>
 <?php
-if(isset($_POST['url']))
+
+if (isset($_POST['server']))
+{
+	$mysqli = new mysqli($_POST['server'],$_POST['dbuser'],$_POST['dbpassword'],$_POST['database']);
+
+	if ($mysqli->connect_errno) {
+	    $message = "Connection failed: %s\n", $mysqli->connect_error;
+	}
+}
+
+if (filter_var($_POST['url'], FILTER_VALIDATE_URL) === false)
+{
+	$message = "Please set valid url!"
+}
+
+//Ostatní má checky existence ve funkci pro pridani 
+if (0 == strlen(trim($_POST['servername']))  || 0 == strlen(trim($_POST['url']))  || 0 == strlen(trim($_POST['mailer']))  
+	|| 0 == strlen(trim($_POST['mailer_email']))  || 0 == strlen(trim($_POST['server']))  || 0 == strlen(trim($_POST['database'])) 
+	|| 0 == strlen(trim($_POST['dbuser']))  || 0 == strlen(trim($_POST['dbpassword'])))
+{
+	$message = "Please enter all data!";
+}
+
+if(isset($_POST['server']) && !isset($message))
 {	
 	define("INSTALL_OVERRIDE", true);
-	error_reporting(E_ALL);
-	require("classes/constellation.php");
-	$config = file_get_contents("config.php.template");
-	$config = str_replace("##name##", $_POST['servername'], $config);
-	$config = str_replace("##url##", $_POST['url'], $config);
-	$config = str_replace("##mailer##", $_POST['mailer'], $config);
-	$config = str_replace("##mailer_email##", $_POST['mailer_email'], $config);
-	$config = str_replace("##server##", $_POST['server'], $config);
-	$config = str_replace("##database##", $_POST['database'], $config);
-	$config = str_replace("##user##", $_POST['dbuser'], $config);
-	$config = str_replace("##password##", $_POST['dbpassword'], $config);
-	$config = str_replace("##name##", $_POST['servername'], $config);
-	file_put_contents("config.php", $config);
-	require("config.php");
+
+	//No need to include config, as we have connection from testing it... :)
+	//There may be better way to do this...
 	$sql = file_get_contents("install.sql");
 	$array = explode(";", $sql);
-	//TODO: Checkovat pls
+	
 	foreach ($array as $value) {
-		$mysqli->query($value);
+		$q_res = $mysqli->query($value);
+		if ($q_res === false)
+		{
+			$message = "Error while creating database. Please check permission for your account or MYSQL version.<br>Error: ".$mysqli->error;
+			break;
+		}
 	}
 
-	User::add();
-	if (isset($message))
+	if (!isset($message))
 	{
-		echo "<p class=\"alert alert-danger\">$message</p>";
-		render_footer();
-		die;
+		require("classes/constellation.php");
+
+		User::add();
 	}
 
-	unlink("config.php.temlpate");
-	unlink("install.sql");
-	unlink(__FILE__);
+	if (!isset($message))
+	{
+		//Create config
+		$config = file_get_contents("config.php.template");
+		$config = str_replace("##name##", $_POST['servername'], $config);
+		$config = str_replace("##url##", $_POST['url'], $config);
+		$config = str_replace("##mailer##", $_POST['mailer'], $config);
+		$config = str_replace("##mailer_email##", $_POST['mailer_email'], $config);
+		$config = str_replace("##server##", $_POST['server'], $config);
+		$config = str_replace("##database##", $_POST['database'], $config);
+		$config = str_replace("##user##", $_POST['dbuser'], $config);
+		$config = str_replace("##password##", $_POST['dbpassword'], $config);
+		$config = str_replace("##name##", $_POST['servername'], $config);
+		file_put_contents("config.php", $config);
 
-	header("Location: /");
-}else{
+		unlink("config.php.temlpate");
+		unlink("install.sql");
+		unlink(__FILE__);
+
+		header("Location: /");
+	}
+}
+
+if (isset($message))
+{
+?>
+<p class="alert alert-danger"><?php echo $message; ?></p>
+<?php 
+} 
 ?>
 <form method="post" action="install.php" class="clearfix install">
 	<section class="install-section clearfix">
@@ -50,13 +89,13 @@ if(isset($_POST['url']))
 		<summary>We need a name for your status page and a url, so we can mail users link for forgotten password etc.</summary>
 
 			<div class="form-group clearfix">
-				<div class="col-sm-6"><label for="servername">Name: </label><input type="text" name="servername" id="servername" placeholder="Name" class="form-control" required></div>
-				<div class="col-sm-6"><label for="url">Url: </label><input type="url" name="url" id="url" placeholder="Url" class="form-control" required></div>
+				<div class="col-sm-6"><label for="servername">Name: </label><input type="text" name="servername" value="<?php echo htmlspecialchars($_POST['servername'], ENT_QUOTES);?>" id="servername" placeholder="Name" class="form-control" required></div>
+				<div class="col-sm-6"><label for="url">Url: </label><input type="url" name="url" value="<?php echo htmlspecialchars($_POST['url'], ENT_QUOTES);?>" id="url" placeholder="Url" class="form-control" required></div>
 			</div>
 			<summary>Also an email address for mailer would be nice :)</summary>
 			<div class="form-group clearfix">
-				<div class="col-sm-6"><label for="mailer">Name: </label><input type="text" name="mailer" id="mailer" placeholder="Name" class="form-control" required></div>
-				<div class="col-sm-6"><label for="mailer_email">Email: </label><input type="email" name="mailer_email" id="mailer_email" placeholder="Email" class="form-control" required></div>
+				<div class="col-sm-6"><label for="mailer">Name: </label><input type="text" name="mailer" value="<?php echo htmlspecialchars($_POST['mailer'], ENT_QUOTES);?>" id="mailer" placeholder="Name" class="form-control" required></div>
+				<div class="col-sm-6"><label for="mailer_email">Email: </label><input type="email" name="mailer_email" value="<?php echo htmlspecialchars($_POST['mailer_email'], ENT_QUOTES);?>" id="mailer_email" placeholder="Email" class="form-control" required></div>
 			</div>
 	</section>
 	<section class="install-section clearfix">
@@ -64,12 +103,12 @@ if(isset($_POST['url']))
 		<summary>We need database connection to be able to create tables. Please check that your account has the permission needed to do that.</summary>
 
 			<div class="form-group clearfix">
-				<div class="col-sm-6"><label for="server">Server: </label><input type="text" name="server" id="server" placeholder="Server" class="form-control" required></div>
-				<div class="col-sm-6"><label for="database">Database: </label><input type="text" name="database" id="database" placeholder="Database" class="form-control" required></div>
+				<div class="col-sm-6"><label for="server">Server: </label><input type="text" name="server" value="<?php echo htmlspecialchars($_POST['server'], ENT_QUOTES);?>" id="server" placeholder="Server" class="form-control" required></div>
+				<div class="col-sm-6"><label for="database">Database: </label><input type="text" name="database" value="<?php echo htmlspecialchars($_POST['database'], ENT_QUOTES);?>" id="database" placeholder="Database" class="form-control" required></div>
 			</div>
 			<div class="form-group clearfix">
-				<div class="col-sm-6"><label for="dbuser">User: </label><input type="text" name="dbuser" id="dbuser" placeholder="User" class="form-control" required></div>
-				<div class="col-sm-6"><label for="dbpassword">Password: </label><input type="password" name="dbpassword" id="dbpassword" placeholder="Password" class="form-control" required></div>
+				<div class="col-sm-6"><label for="dbuser">User: </label><input type="text" name="dbuser" value="<?php echo htmlspecialchars($_POST['dbuser'], ENT_QUOTES);?>" id="dbuser" placeholder="User" class="form-control" required></div>
+				<div class="col-sm-6"><label for="dbpassword">Password: </label><input type="password" name="dbpassword" value="<?php echo htmlspecialchars($_POST['dbpassword'], ENT_QUOTES);?>" id="dbpassword" placeholder="Password" class="form-control" required></div>
 			</div>
 	</section>
 	<section class="install-section clearfix">
@@ -93,5 +132,4 @@ if(isset($_POST['url']))
 	</section>
 </form>
 <?php
-render_footer();
-}
\ No newline at end of file
+render_footer();
\ No newline at end of file