From c10affa6a475d99acb1f0358b08aff646a49e55c Mon Sep 17 00:00:00 2001
From: xevidos <xevidos@gmail.com>
Date: Wed, 13 Feb 2019 13:43:48 -0500
Subject: [PATCH] Updated API for PDO.

---
 api.php | 85 +++++++++++++++++++++++++++++++++------------------------
 1 file changed, 49 insertions(+), 36 deletions(-)

diff --git a/api.php b/api.php
index 97c706d..a4f32c1 100644
--- a/api.php
+++ b/api.php
@@ -8,12 +8,10 @@
 
 require_once( './config.php' );
 require_once( './common.php' );
-require_once( './components/sql/class.sql.php' );
 
 class api {
 	
 	private $sql = null;
-	
 	public $user = null;
 	
 	public function __construct() {
@@ -23,30 +21,51 @@ class api {
 			"user",
 		);
 		
+		if( isset( $_POST["action"] ) ) {
+			
+			$request = $_POST;
+		} elseif( isset( $_GET["action"] ) ) {
+			
+			$request = $_GET;
+		} else {
+			
+			$this->return( "error", "Error, action was expected but not recieved." );
+		}
+		
 		foreach( $requirements as $requirement ) {
 			
-			if( ! isset( $_POST[$requirement] ) ) {
+			if( ! isset( $request[$requirement] ) ) {
 				
 				$this->return( "error", "Error, '$requirement' was expected but not recieved." );
 			}
 		}
 		
-		if( isset( $_POST["action"] ) ) {
+		if( isset( $request["action"] ) ) {
 			
-			$action = $_POST["action"];
+			$action = $request["action"];
 			
 			if( $action === "get_token" ) {
 				
-				if( isset( $_POST["user"] ) && isset( $_POST["password"] ) ) {
+				if( isset( $request["user"] ) && isset( $request["password"] ) ) {
 					
-					$this->get_token( $_POST["user"], $_POST["password"] );
+					$this->get_token( $request["user"], $request["password"] );
 				}
 				exit();
 			}
 			
-			$this->user = $_POST["user"];
-			$_SESSION["user"] = $_POST["user"];
-			$_SESSION["token"] = $_POST["token"];
+			if( ! isset( $request["token"] ) ) {
+				
+				$this->return( "error", "Error, token was expected but not recieved." );
+			}
+			
+			if( ! isset( $request["atts"] ) ) {
+				
+				$this->return( "error", "Error, atts were expected but not recieved." );
+			}
+			
+			$this->user = $request["user"];
+			$_SESSION["user"] = $request["user"];
+			$_SESSION["token"] = $request["token"];
 			
 			
 			
@@ -58,11 +77,11 @@ class api {
 				//require_once( "./components/settings/class.settings.php" );
 				//require_once( "./components/user/class.user.php" );
 				
-				$atts = json_decode( $_POST["atts"], true );
+				$atts = json_decode( $request["atts"], true );
 				
 				if ( json_last_error() !== JSON_ERROR_NONE ) {
 					
-					$atts = $_POST["atts"];
+					$atts = $request["atts"];
 				}
 				call_user_func( array( $this, $action ), $atts );
 			} else {
@@ -75,15 +94,18 @@ class api {
 	
 	function check_session() {
 		
+		global $sql;
 		$pass = false;
-		$sql = "SELECT * FROM users WHERE username=? AND token=?;";
-		$bind = "ss";
-		$bind_variables = array( $_SESSION["user"], $_SESSION["token"] );
-		$return = sql::sql( $sql, $bind, $bind_variables, formatJSEND( "error", "Error checking access." ) );
+		$query = "SELECT * FROM users WHERE username=? AND token=?;";
+		$bind_variables = array( $_SESSION["user"], sha1( $_SESSION["token"] ) );
+		$return = $sql->query( $query, $bind_variables, 0, "rowCount" );
 		
-		if( mysqli_num_rows( $return ) > 0 ) {
+		if( $return > 0 ) {
 			
 			$pass = true;
+		} else {
+			
+			$pass = false;
 		}
 		
 		return( $pass );
@@ -127,32 +149,23 @@ class api {
 	
 	function get_token( $username, $password ) {
 		
+		global $sql;
 		$pass = false;
-		$sql = "SELECT * FROM users WHERE username=? AND password=PASSWORD( ? );";
-		$bind = "ss";
+		$query = "SELECT * FROM users WHERE username=? AND password=?;";
 		$bind_variables = array( $username, $this->encrypt( $password ) );
-		$return = sql::sql( $sql, $bind, $bind_variables, "Error fetching user information." );
+		$return = $sql->query( $query, $bind_variables, array() );
 		
-		if( mysqli_num_rows( $return ) > 0 ) {
+		if( ! empty( $return ) ) {
 			
 			$pass = true;
-			$user = mysqli_fetch_assoc( $return );
+			$user = $return[0];
 			$_SESSION['user'] = $username;
 			
-			if( $user["token"] == null ) {
-				
-				$token = mb_strtoupper( strval( bin2hex( openssl_random_pseudo_bytes( 16 ) ) ) );
-				$_SESSION['token'] = $token;
-				$sql = "UPDATE users SET token=PASSWORD( ? ) WHERE username=?;";
-				$bind = "ss";
-				$bind_variables = array( $token, $username );
-				sql::sql( $sql, $bind, $bind_variables, "Error updating user information." );
-				
-			} else {
-				
-				$token = $user["token"];
-				$_SESSION['token'] = $token;
-			}
+			$token = mb_strtoupper( strval( bin2hex( openssl_random_pseudo_bytes( 16 ) ) ) );
+			$_SESSION['token'] = $token;
+			$query = "UPDATE users SET token=? WHERE username=?;";
+			$bind_variables = array( sha1( $token ), $username );
+			$sql->query( $query, $bind_variables, 0, "rowCount" );
 		}
 		
 		if( $pass ) {