name those variables!

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug_unconfirmed
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser [e.g. stock browser, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/workflows/codeinspector.yml

@@ -0,0 +1,21 @@
+on: [push]
+
+jobs:
+  check-quality:
+    runs-on: ubuntu-latest
+    name: A job to check my code quality
+    steps:
+    - name: Check code meets quality standards
+      id: code-inspector
+      uses: codeinspectorio/github-action@master
+      with:
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
+        code_inspector_access_key: ${{ secrets.CODE_INSPECTOR_ACCESS_KEY }}
+        code_inspector_secret_key: ${{ secrets.CODE_INSPECTOR_SECRET_KEY }}
+        min_quality_grade: 'WARNING'
+        min_quality_score: '50'
+        max_defects_rate: '0.0001'
+        max_complex_functions_rate: '0.0001'
+        max_long_functions_rate: '0.0001'
+        project_name: ''
+        max_timeout_sec: '600'

.gitignore

@@ -1,2 +1,8 @@
 */.DS_Store
 .DS_Store
+db.inc.php
+*/db.inc.php
+index.html
+*/index.html
+test.php
+*test.php

FEATURES.MD

@@ -0,0 +1,17 @@
+# FEATURES
+
+## Password Login
+
+## PHP Session
+
+## Logout
+
+## Forget Password
+
+## Password Complexibility Check
+
+## Admin Functions
+
+## Activate E-Mail
+
+## More to come

LICENSE

@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

README.MD

@@ -1,4 +1,10 @@
 # Login Page POC
+[![GitHub license](https://img.shields.io/github/license/td00/loginpagefoo)](https://github.com/td00/loginpagefoo/blob/main/LICENSE)
+[![GitHub forks](https://img.shields.io/github/forks/td00/loginpagefoo)](https://github.com/td00/loginpagefoo/network)
+[![GitHub issues](https://img.shields.io/github/issues/td00/loginpagefoo)](https://github.com/td00/loginpagefoo/issues)
+
+[Docker Image](https://github.com/td00/loginpagefoo-docker) (![GitHub Workflow Status](https://img.shields.io/github/workflow/status/td00/loginpagefoo-docker/Docker))
+
 Some poc of a login / register setup with php & mysql
 
 ## Setup:

activate.php

@@ -7,13 +7,14 @@
 </head> 
 <body>
 <?php
-include 'db.inc.php';
+include 'db.inc.php'; //first we need a db
+//this time no session, cause you don't need that session here. (and cause i stole my code from my forgot password script)
  
-if(!isset($_GET['userid']) || !isset($_GET['code'])) {
+if(!isset($_GET['userid']) || !isset($_GET['code'])) { //if theres a code or userid missing, say so & die 
  die('<div class="alert alert-warning" role="alert">No code delivered. nothing to do here.</div>');
 }
  
-$userid = $_GET['userid'];
+$userid = $_GET['userid']; //storing the userid & code provided in variables
 $code = $_GET['code'];
  
 
@@ -26,25 +27,25 @@ if($user === null || $user['activationcode'] === null) {
  die('<div class="alert alert-danger" role="alert">
  No User matching your request.</div>');
 }
- 
+ //check if the 24h window is still open for this code
 if($user['activationcode_time'] === null || strtotime($user['activationcode_time']) < (time()-24*3600) ) {
  die('<div class="alert alert-danger" role="alert">
  Ooops. This code isnt valid anymore.</div>');
 }
  
  
-
+//check if the codes match
 if(sha1($code) != $user['activationcode']) {
  die('<div class="alert alert-danger" role="alert">
  Not the valid activationcode!</div>');
 }
- 
+ //activate user:
 if(isset($_GET['send'])) {
   $statement = $pdo->prepare("UPDATE users SET activated = 1, activationcode = NULL, activationcode_time = NULL WHERE id = :userid");
  $result = $statement->execute(array('userid'=> $userid ));
  
- if($result) {
- die('Activated. Going to <a href="secure.php">secure</a> now.<meta http-equiv="refresh" content="1; URL=update.php?page=secure.php">');
+ if($result) { //if successfull: die & go to start.php via update.php
+ die('Activated. Going to <a href="start.php">start</a> now.<meta http-equiv="refresh" content="1; URL=update.php?page=start.php">');
  }
 }
 ?>

activatedarea.php

@@ -0,0 +1,33 @@
+
+<html>
+<head>
+<title>Activated Area</title>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+</head>
+<body>
+<script src="ressources/js/bootstrap.min.js"></script>
+<?php
+session_start(); //check for a session
+if($_SESSION['activated'] == 0) { //check if the account is activated, if not, die with an error
+    die ("Not activated yet");
+}
+echo "heres the fun world"; //just a placeholder
+?>
+<br /> <br />
+<div class="jumbotron jumbotron-fluid">
+  <div class="container">
+<?php
+echo "Hi ".$_SESSION['username']."!";
+if(isset($_GET['notimplemented'])) { //if "?notimplemented=1" is received, print the following error code:
+    echo '<div class="alert alert-danger" role="alert">Feature not yet implemented!</div>';
+}
+//some html links to other pages
+?>
+<br /><br />
+<a href="changeprofilepicture.php"><button class="btn btn-primary">Change Profile Picture</button>
+<br /><br />
+<a href="?notimplemented=1"><button class="btn btn-primary disabled">Change Description</button></a>
+<br /> <br /><br />
+<a href="start.php"><button class="btn btn-info">Back</button></a>
+</div>
+</div>

activation.php

@@ -7,11 +7,11 @@
 </head> 
 <body>
 <?php 
-session_start();
-include 'db.inc.php';
+session_start(); //session & stuff, you know it
+include 'db.inc.php'; //and a db connection, you know it...
  
-function random_string() {
- if(function_exists('random_bytes')) {
+function random_string() { //first we need a function, lets call it "random_string, shall we?
+ if(function_exists('random_bytes')) { //then check if other functions exist to create random chars
  $bytes = random_bytes(16);
  $str = bin2hex($bytes); 
  } else if(function_exists('openssl_random_pseudo_bytes')) {
@@ -20,42 +20,42 @@ function random_string() {
  } else if(function_exists('mcrypt_create_iv')) {
  $bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
  $str = bin2hex($bytes); 
- } else {
+ } else { //failing to this string:
 //this should be a unique string. if we use this in prod we should change this.
  $str = md5(uniqid('thisisnotreallyrandombutthisstringheresomakethislongandmaybewith12345numberskthxbye', true));
  } 
- return $str;
+ return $str; //returning the string generated with one or another method
 }
  
-$sessionuser = $_SESSION['username'];
-$showForm = true;
+$sessionuser = $_SESSION['username']; //get the usernamne from the session
+$showForm = true; //print the "form" (in this case just a button)
  
-if(isset($_GET['send']) ) {
- if(!isset($sessionuser) || empty($sessionuser)) {
+if(isset($_GET['send']) ) { //you know the drill. if theres a "?=send=1" this little script comes to action
+ if(!isset($sessionuser) || empty($sessionuser)) { //checks if you've got a valid session if not, it prints it out.
  $error = '<span class="badge badge-pill badge-danger"><b>No Valid User in Session. Please Login Again!</b></span>';
- } else {
- $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+ } else { //if theres a valid session do this:
+ $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username"); //sql statement username = $sessionuser
  $result = $statement->execute(array('username' => $sessionuser));
  $user = $statement->fetch(); 
  
- if($user === false) {
+ if($user === false) { //in some cases users have a valid session, but the account was deleted in the background, this has that case covered: 
     $error = '<span class="badge badge-pill badge-warning"><b>no user found</b></span>';
  }
- if($user['username'] == ""){
+ if($user['username'] == ""){ //if you've managed to create a user without username, print an error.
     $error = '<span class="badge badge-pill badge-warning"><b>no user found</b></span>';
  }
- if($user['activated'] == "1"){
+ if($user['activated'] == "1"){ //if your account is already activated:
      $error = '<span class="badge badge-pill badge-warning"><b>user already activated!</b></span>';
  } else {
- //check if theres a code already
- $activationcode = random_string();
- $statement = $pdo->prepare("UPDATE users SET activationcode = :activationcode, activationcode_time = NOW() WHERE id = :userid");
- $result = $statement->execute(array('activationcode' => sha1($activationcode), 'userid' => $user['id']));
- 
- $mailrcpt = $user['email'];
- $mailsubject = "Activate the Account of ".$user['username'];
- $from = "From: Account Activation Service <activatemyaccount@loginpagefoo.td00.de>"; //place a real address if we use this in production
- $url_activationcode = 'https://loginpagefoo.td00.de/activate.php?userid='.$user['id'].'&code='.$activationcode; //this shouldnt be my domain in prod..
+ $activationcode = random_string(); //store a random string in this variable
+ $statement = $pdo->prepare("UPDATE users SET activationcode = :activationcode, activationcode_time = NOW() WHERE id = :userid"); //prepare the statement
+ $result = $statement->execute(array('activationcode' => sha1($activationcode), 'userid' => $user['id'])); //activationcode in db is sha1 of real activationcode
+ //now lets compose a mail:
+ $mailrcpt = $user['email'];  //mail goes to user that should be validated.
+ $mailsubject = "Activate the Account of ".$user['username']; //the subject
+ $from = "From: Account Activation Service <activatemyaccount@".$_SERVER['HTTP_HOST'].">"; //send mail from "activatemyaccount@%urlyourusingtoaccessthisscript%"
+ $url_activationcode = 'https://'.$_SERVER['HTTP_HOST'].'/activate.php?userid='.$user['id'].'&code='.$activationcode; //url for activation is https://%urlyourusingtoaccessthisscript%/activate.php?userid=$userid&code=$activationcode
+ //thats the content of the mail:
  $text = 'Hallo '.$user['username'].', 
 please use the following URL to activate your account in the next 24h:
 '.$url_activationcode.'
@@ -64,16 +64,16 @@ If this mail comes unsolicited, please just ignore the mail.
  
 cheers
 loginpagefoo script';
- 
- mail($mailrcpt, $mailsubject, $text, $from);
+ mail($mailrcpt, $mailsubject, $text, $from); //sending the mail with the build-in mail function.
  
  echo 'Link send. Going back to <a href="profile.php">profile</a> page. <meta http-equiv="refresh" content="0; URL=profile.php">'; 
+ //afterwards going back to profile, and dont render the form again.
  $showForm = false;
  }
  }
 }
  
-if($showForm):
+if($showForm): //you guessed it: html & the form:
 ?>
  
 <h1>Activate user</h1>
@@ -89,5 +89,5 @@ if(isset($error) && !empty($error)) {
 </form>
  
 <?php
-endif; 
+endif; //thats all
 ?>

adminarea.php

@@ -0,0 +1,24 @@
+
+<html>
+<head>
+<title>Admin Area</title>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+</head>
+<body>
+<script src="ressources/js/bootstrap.min.js"></script>
+<?php
+session_start();
+//just a page to list all admin functions:
+if($_SESSION['isadmin'] == 0) { //but first a check if you've got admin rights. if not, destroy the session and go back to start.
+    die ('No rights for you! <meta http-equiv="refresh" content="0; URL=logout.php">');
+} //this is purely a cosmetic effect. no harm could be done from here. it's merely a html page with a little check if you've got the right rights.
+echo '<div class="alert alert-danger" role="alert">heres the admin world</div>';
+
+echo '<a href="adminarea_useradmin.php"><button class="btn btn-primary">User Admin</button></a>';
+echo '<br /> <br />';
+echo '<a href="adminarea_sessions.php"><button class="btn btn-primary">Session Admin</button></a>';
+echo '<br /> <br />';
+echo '<a href="adminarea_admins.php"><button class="btn btn-danger">Admin Admin</button></a>';
+echo '<br /> <br />';
+echo '<a href="start.php"><button class="btn btn-info">Back</button></a>';
+?>

adminarea_admins.php

@@ -0,0 +1,69 @@
+
+<html>
+<head>
+<title>Admin Area</title>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+</head>
+<body>
+<script src="ressources/js/bootstrap.min.js"></script>
+<?php
+session_start();
+if($_SESSION['isadmin'] == 0) {
+    die ('No rights for you! <meta http-equiv="refresh" content="0; URL=logout.php">');
+}
+echo '<div class="alert alert-danger" role="alert">heres the admin world</div>';
+echo '<a href="adminarea_admins_give.php"><button class="btn btn-success">GIVE</button></a>';
+echo '<a href="adminarea_admins_take.php"><button class="btn btn-danger">TAKE</button></a>';
+echo "<br />";
+echo $output;
+echo "<br />";
+echo "//implement a user search here."; //yeah! Do what the comment says!
+echo '<br />';
+
+$showForm = false;
+ 
+if(isset($_GET['user']) ) {
+ if(!isset($_POST['username']) || empty($_POST['username'])) {
+ $error = "<b>Enter the username</b>";
+ } else {
+ $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+ $result = $statement->execute(array('username' => $_POST['username']));
+ $user = $statement->fetch(); 
+ 
+ if($user === false) {
+ $error = "<b>no user found</b>";
+ } else {
+    echo $user['isadmin'];
+    $showForm = false;
+
+ }
+ }
+}
+
+if($showForm):
+?>
+ 
+<h1>Search for Admin Rights!</h1>
+Please enter the username below.<br><br>
+
+<?php
+if(isset($error) && !empty($error)) {
+ echo $error;
+}
+?>
+ <script src="ressources/js/bootstrap.min.js"></script>
+<form action="?user=1" method="post">
+<div class="form-group">
+<label for="username">Username</label>
+<input type="text" name="username" id="username" class="form-control" value="<?php echo isset($_POST['username']) ? htmlentities($_POST['username']) : ''; ?>"><br>
+</div>
+<button type="submit" class="btn btn-primary">Search User Rights</button>
+</form>
+ 
+<?php
+endif; 
+?>
+<?php
+echo '<br /> <br />';
+echo '<a href="adminarea.php"><button class="btn btn-info">Back</button></a>';
+?>

adminarea_admins_give.php

@@ -0,0 +1,72 @@
+
+<html>
+<head>
+<title>Admin Area</title>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+</head>
+<body>
+<script src="ressources/js/bootstrap.min.js"></script>
+<?php
+session_start();
+include 'backgroundupdate.php';
+
+if($_SESSION['isadmin'] == 0) {
+    die ('No rights for you! <meta http-equiv="refresh" content="0; URL=logout.php">');
+}
+echo '<div class="alert alert-danger" role="alert">heres the admin world</div>';
+
+$showForm = true;
+ 
+if(isset($_GET['user']) ) {
+ if(!isset($_POST['username']) || empty($_POST['username'])) {
+ $error = "<b>Enter the username</b>";
+ } else {
+ $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+ $result = $statement->execute(array('username' => $_POST['username']));
+ $user = $statement->fetch(); 
+ 
+ if($user === false) {
+ $error = "<b>no user found</b>";
+ } else {
+
+
+ //check if theres a code already
+ $statement = $pdo->prepare("UPDATE users SET isadmin = '1' WHERE id = :userid");
+ $result = $statement->execute(array('userid' => $user['id']));
+ 
+
+ echo '<div class="alert alert-success" role="alert">Successfully granted ';
+ echo $user['username'];
+ echo ' ADMIN rights.</div>';
+ $showForm = false;
+ }
+ }
+}
+ 
+if($showForm):
+?>
+ 
+<h1>Give Admin Rights!</h1>
+Please enter the username below.<br><br>
+ 
+<?php
+if(isset($error) && !empty($error)) {
+ echo $error;
+}
+?>
+ <script src="ressources/js/bootstrap.min.js"></script>
+<form action="?user=1" method="post">
+<div class="form-group">
+<label for="username">Username</label>
+<input type="text" name="username" id="username" class="form-control" value="<?php echo isset($_POST['username']) ? htmlentities($_POST['username']) : ''; ?>"><br>
+</div>
+<button type="submit" class="btn btn-primary">Grant User Rights</button>
+</form>
+ 
+<?php
+endif; 
+?>
+<?php
+echo '<br /> <br />';
+echo '<a href="adminarea.php"><button class="btn btn-info">Back</button></a>';
+?>

adminarea_admins_take.php

@@ -0,0 +1,71 @@
+
+<html>
+<head>
+<title>Admin Area</title>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+</head>
+<body>
+<script src="ressources/js/bootstrap.min.js"></script>
+<?php
+session_start();
+include 'backgroundupdate.php';
+if($_SESSION['isadmin'] == 0) {
+    die ('No rights for you! <meta http-equiv="refresh" content="0; URL=logout.php">');
+}
+echo '<div class="alert alert-danger" role="alert">heres the admin world</div>';
+
+$showForm = true;
+ 
+if(isset($_GET['user']) ) {
+ if(!isset($_POST['username']) || empty($_POST['username'])) {
+ $error = "<b>Enter the username</b>";
+ } else {
+ $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+ $result = $statement->execute(array('username' => $_POST['username']));
+ $user = $statement->fetch(); 
+ 
+ if($user === false) {
+ $error = "<b>no user found</b>";
+ } else {
+
+
+ //check if theres a code already
+ $statement = $pdo->prepare("UPDATE users SET isadmin = '0' WHERE id = :userid");
+ $result = $statement->execute(array('userid' => $user['id']));
+ 
+
+ echo '<div class="alert alert-success" role="alert">Successfully took the ADMIN rights from ';
+ echo $user['username'];
+ echo '</div>';
+ $showForm = false;
+ }
+ }
+}
+ 
+if($showForm):
+?>
+ 
+<h1>Give Admin Rights!</h1>
+Please enter the username below.<br><br>
+ 
+<?php
+if(isset($error) && !empty($error)) {
+ echo $error;
+}
+?>
+ <script src="ressources/js/bootstrap.min.js"></script>
+<form action="?user=1" method="post">
+<div class="form-group">
+<label for="username">Username</label>
+<input type="text" name="username" id="username" class="form-control" value="<?php echo isset($_POST['username']) ? htmlentities($_POST['username']) : ''; ?>"><br>
+</div>
+<button type="submit" class="btn btn-primary">Take User Rights</button>
+</form>
+ 
+<?php
+endif; 
+?>
+<?php
+echo '<br /> <br />';
+echo '<a href="adminarea.php"><button class="btn btn-info">Back</button></a>';
+?>

adminarea_useradmin.php

@@ -0,0 +1,58 @@
+
+<html>
+<head>
+<title>Admin Area</title>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+</head>
+<body>
+<script src="ressources/js/bootstrap.min.js"></script>
+<?php
+session_start();
+include 'backgroundupdate.php';
+
+
+if($_SESSION['isadmin'] == 0) {
+    die ('No rights for you! <meta http-equiv="refresh" content="0; URL=logout.php">');
+}
+
+echo '<div class="alert alert-danger" role="alert">heres the admin world</div>';
+
+
+
+//create connection
+$connection = mysqli_connect($mysqlhost, $dbuser, $dbpass, $dbname);
+
+//test if connection failed
+if(mysqli_connect_errno()){
+    die("connection failed: "
+        . mysqli_connect_error()
+        . " (" . mysqli_connect_errno()
+        . ")");
+}
+
+//get results from database
+$result = mysqli_query($connection,"SELECT * FROM users");
+$all_property = array();  //declare an array for saving property
+
+//showing property
+echo '<table class="table table-striped">
+        <tr class="data-heading">';  //initialize table tag
+while ($property = mysqli_fetch_field($result)) {
+    echo '<td>' . $property->name . '</td>';  //get field name for header
+    array_push($all_property, $property->name);  //save those to array
+}
+echo '</tr>'; //end tr tag
+
+//showing all data
+while ($row = mysqli_fetch_array($result)) {
+    echo "<tr>";
+    foreach ($all_property as $item) {
+        echo '<td>' . $row[$item] . '</td>'; //get items using property value
+    }
+    echo '</tr>';
+}
+echo "</table>";
+
+echo '<br /> <br />';
+echo '<a href="adminarea.php"><button class="btn btn-info">Back</button></a>';
+?>

backgroundupdate.php

@@ -0,0 +1,19 @@
+<?php
+session_start(); //first we need a session to store the data into
+
+include 'db.inc.php'; //and a db connection
+$username = $_SESSION['username']; //then we get the username from the session
+
+$statement = $pdo->prepare("SELECT * FROM users WHERE username = :username"); //building a statement & getting the whole line of username = $username
+$result = $statement->execute(array('username' => $username));
+$user = $statement->fetch(); //putting the stuff in an array and afterwards store it in the session:
+$_SESSION['userid'] = $user['id'];
+$_SESSION['email'] = $user['email'];
+$_SESSION['username'] = $user['username'];
+$_SESSION['givenName'] = $user['givenName'];
+$_SESSION['lastName'] = $user['lastName'];
+$_SESSION['activated'] = $user['activated'];
+$_SESSION['updated_at'] = $user['updated_at'];
+$_SESSION['isadmin'] = $user['isadmin'];
+$_SESSION['profilepicture'] = $user['profilepicture'];
+?>

changepass.php

@@ -0,0 +1,109 @@
+
+<?php 
+echo "not implemented yet!";
+   /*
+   session_start();
+include 'db.inc.php';
+ 
+if(isset($_GET['changed'])) {
+    $username = $_POST['username'];
+    $oldpassword = $_POST['oldpassword'];
+    $password = $_POST('password');
+    $password_confirm = $_POST('password_confirm');
+    
+    $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+    $result = $statement->execute(array('username' => $username));
+    $user = $statement->fetch();
+     
+    if ($user !== false && password_verify($oldpassword, $user['password'])) {
+        if(isset($_GET['send'])) {
+            $password = $_POST['password'];
+            $password_confirm = $_POST['password_confirm'];
+             //regexes for passvalidation:
+               $REuppercase = preg_match('@[A-Z]@', $password);
+               $RElowercase = preg_match('@[a-z]@', $password);
+               $REnumber    = preg_match('@[0-9]@', $password);
+               $REspecialChars = preg_match('@[^\w]@', $password);
+            if($password != $password_confirm) {
+            echo "password or confirmed password wrong";
+            }
+            if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
+               echo '<color="red">Password needs to be more complex.</color><br />';
+               echo '<i>Please implement at least 8 chars, upper & downer caser, one number & one special char.</i><br />';
+               $error = true;
+           }  else { 
+            $passwordhash = password_hash($password, PASSWORD_DEFAULT);
+            $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
+            $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
+            
+            if($result) {
+            die('Changed password. Going to <a href="start.php">start</a> now.<meta http-equiv="refresh" content="1; URL=start.php">');
+            }
+            }
+           }
+        die('<div class="alert alert-success" role="alert"> successfull. go to: <a href="start.php">start page</a></div> <meta http-equiv="refresh" content="0; URL=start.php">');
+    } else {
+        $errorMessage = '<div class="alert alert-danger" role="alert">somethings wrong (maybe wrong password or wrong user)</div><br>';
+    }
+    
+}
+
+?>
+<!DOCTYPE html> 
+<html> 
+<head>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+   
+  <title>Change Password</title>    
+</head> 
+<body>
+ 
+<?php 
+if(isset($errorMessage)) {
+    echo $errorMessage;
+}
+
+?>
+ <script src="ressources/js/bootstrap.min.js"></script>
+ <div class="jumbotron jumbotron-fluid">
+  <div class="container">
+
+<form action="?changed=1" method="post">
+<div class="form-group">
+<label for="username">Username</label>
+<input type="text" class="form-control" size="40" id="username" placeholder="Username" name="username"><br><br>
+</div>
+ <div class="form-group">
+<label for="oldpassword">Current Password</label>
+<input type="password" class="form-control" size="40" id="oldpassword" placeholder="Your old password" name="oldpassword"><br>
+ </div>
+ <div class="form-group">
+<label for="password">New Password</label>
+<input type="password" class="form-control" size="40" id="password" placeholder="Your new password" name="password"><br>
+ </div>
+ <div class="form-group">
+<label for="password_confirm">Confirm New^ Password</label>
+<input type="password" class="form-control" size="40" id="password_confirm" placeholder="Your new password" name="password_confirm"><br>
+ </div>
+ <button type="submit" class="btn btn-primary">Change Password</button>
+</form> 
+<br />
+<br />
+<a href="forgotpass.php"><button class="btn btn-warning">I forgot my password</button></a>
+<br /> <br />
+</div>
+</div>
+</div>
+
+</main><!-- /.container -->
+
+<!-- Bootstrap core JavaScript
+================================================== -->
+<!-- Placed at the end of the document so the pages load faster -->
+<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
+<script>window.jQuery || document.write('<script src="../../../../assets/js/vendor/jquery-slim.min.js"><\/script>')</script>
+<script src="../../../../assets/js/vendor/popper.min.js"></script>
+<script src="../../../../dist/js/bootstrap.min.js"></script>
+</body>
+</html>
+*/

changeprofilepicture.php

@@ -0,0 +1,68 @@
+
+<html>
+<head>
+<title>Activated Area</title>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+</head>
+<body>
+<script src="ressources/js/bootstrap.min.js"></script>
+<?php
+session_start();
+include 'db.inc.php';
+if($_SESSION['activated'] == 0) {
+    die ("Not activated yet");
+}
+echo "heres the fun world";
+?>
+<?php
+
+//TODO: regex to parse file extensions here:
+
+//function to insert url into table here:
+if(isset($_GET['new'])) {
+    $imageurl = $_POST['imageurl'];
+    $userid = $_SESSION['userid'];
+    
+    if($imageurl == "https://web.td00.de/woddle.gif") {
+        echo "<br> returning to default picture";
+        $statement = $pdo->prepare("UPDATE users SET profilepicture = :imageurl WHERE id = :userid");
+    $result = $statement->execute(array('imageurl' => $imageurl, 'userid'=> $userid ));
+ 
+    if($result) {
+    die('<br>Changed Profile Picture. Going to <a href="update.php?page=profile.php">profile</a> now.<meta http-equiv="refresh" content="1; URL=update.php?page=profile.php">');
+    }
+}
+     else { 
+    $statement = $pdo->prepare("UPDATE users SET profilepicture = :imageurl WHERE id = :userid");
+    $result = $statement->execute(array('imageurl' => $imageurl, 'userid'=> $userid ));
+ 
+    if($result) {
+    die('<br>Changed Profile Picture. Going to <a href="update.php?page=profile.php">profile</a> now.<meta http-equiv="refresh" content="1; URL=update.php?page=profile.php">');
+    }
+    }
+   }
+
+?>
+<br /> <br />
+<div class="jumbotron jumbotron-fluid">
+  <div class="container">
+      <i>Right now you need to upload the picture somewhere and input the URL here.</i><br />
+      <b>Please be aware that only the following filetypes will work!</b>
+      <li>jpg</li>
+      <li>gif</li>
+      <li>png</li>
+      <br /><br /><br />
+      <script src="ressources/js/bootstrap.min.js"></script>
+
+<form action="?new=1&amp;userid=<?php echo htmlentities($userid); ?>&amp;code=<?php echo htmlentities($code); ?>" method="post">
+<div class="form-group">
+<label for="imageurl">URL to new image</label>
+<input type="url" pattern="https://.*" id="imageurl" class="form-control" name="imageurl"><br><br>
+ </div>
+
+ <button type="submit" class="btn btn-primary">Submit new Image</button>
+</form>
+<br /> <br /><br />
+<a href="activatedarea.php"><button class="btn btn-info">Back</button></a>
+</div>
+</div>

db.inc.example.php

@@ -0,0 +1,9 @@
+<?php
+$mysqlhost = 'localhost'; //the db host
+$dbname = 'usertable'; //the db name
+$dbuser = 'usertable'; //the db user
+$dbpass = 'password'; //the db password
+$pdo = new PDO('mysql:host='.$mysqlhost.';dbname='.$dbname.'', $dbuser , $dbpass); //building the string
+//$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
+?>
+

db.inc.php

@@ -1,9 +0,0 @@
-<?php
-$mysqlhost = 'localhost';
-$dbname = 'usertable';
-$dbuser = 'usertable';
-$dbpass = 'password';
-$pdo = new PDO('mysql:host='.$mysqlhost.';dbname='.$dbname.'', $dbuser , $dbpass);
-//$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
-?>
-

forgotpass.php

@@ -7,6 +7,11 @@
 </head> 
 <body>
 <?php 
+/*
+this is basically the same as "activaion.php"
+
+some differences will be documented, the rest not.
+*/
 include 'db.inc.php';
  
 function random_string() {
@@ -30,7 +35,7 @@ function random_string() {
 $showForm = true;
  
 if(isset($_GET['send']) ) {
- if(!isset($_POST['email']) || empty($_POST['email'])) {
+ if(!isset($_POST['email']) || empty($_POST['email'])) { //here we wanna know more about the user, cause we cant get those infos from the session
  $error = "<b>Enter your email address</b>";
  } else {
  $statement = $pdo->prepare("SELECT * FROM users WHERE email = :email");
@@ -47,8 +52,8 @@ if(isset($_GET['send']) ) {
  
  $mailrcpt = $user['email'];
  $mailsubject = "New password for your User";
- $from = "From: Password Reset Service <resetmypw@loginpagefoo.td00.de>"; //place a real address if we use this in production
- $url_passwordcode = 'https://loginpagefoo.td00.de/resetpass.php?userid='.$user['id'].'&code='.$passwordcode; //this shouldnt be my domain in prod..
+ $from = "From: Password Reset Service <resetmypw@".$_SERVER['HTTP_HOST'].">"; 
+ $url_passwordcode = 'https://'.$_SERVER['HTTP_HOST'].'/resetpass.php?userid='.$user['id'].'&code='.$passwordcode; 
  $text = 'Hallo '.$user['username'].',
 please use the following URL to change your password in the next 24h:
 '.$url_passwordcode.'
@@ -57,7 +62,6 @@ If this mail comes unsolicited, please just ignore the mail.
  
 cheers
 loginpagefoo script';
- 
  mail($mailrcpt, $mailsubject, $text, $from);
  
  echo 'Link send. Going back to <a href="login.php">login</a> page. <meta http-equiv="refresh" content="0; URL=login.php">'; 

forlaterpurposemaybe.html

@@ -32,7 +32,7 @@
             <a class="nav-link" href="register.php">Register<span class="sr-only">(current)</span></a>
           </li>
              <li class="nav-item dropdown">
-            <a class="nav-link active dropdown-toggle" href="secure.php" id="dropdown01" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Functions</a>
+            <a class="nav-link active dropdown-toggle" href="start.php" id="dropdown01" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Functions</a>
             <div class="dropdown-menu" aria-labelledby="dropdown01">
               <a class="dropdown-item" href="profile.php">Profile</a>
               <a class="dropdown-item" href="#">Another action</a>

fullinstalldocker.sql

@@ -13,8 +13,10 @@ CREATE TABLE `users` (
   `updated_at` TIMESTAMP on update CURRENT_TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ,
   `activationcode` VARCHAR(255) NULL ,
   `activationcode_time` TIMESTAMP NULL ,
+  `isadmin` VARCHAR(1) NULL ,
   `activated` VARCHAR(1) NOT NULL ,
   `passwordcode` VARCHAR(255) NULL ,
   `passwordcode_time` TIMESTAMP NULL ,
+  `profilepicture` VARCHAR(255) NULL DEFAULT 'https://web.td00.de/woddle.gif' ,
   PRIMARY KEY (`id`), UNIQUE (`email`), UNIQUE (`username`)
 ) ENGINE = InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

index.html

@@ -1,118 +0,0 @@
-
-<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
-    <meta name="description" content="">
-    <meta name="author" content="">
-
-
-    <title>Login POC</title>
-
-
-    <link href="ressources/css/bootstrap.min.css" rel="stylesheet">
-    <link href="ressources/css/start.css" rel="stylesheet">
-  </head>
-
-  <body>
-
-    <div class="d-flex flex-column flex-md-row align-items-center p-3 px-md-4 mb-3 bg-white border-bottom box-shadow">
-      <h5 class="my-0 mr-md-auto font-weight-normal">Crappy Login POC</h5>
-      <nav class="my-2 my-md-0 mr-md-3">
-
-        <a class="p-2 text-dark" href="https://github.com/td00/loginpagefoo">Git</a>
-        <a class="p-2 text-dark" href="register.php">Register</a>
-      </nav>
-      <a class="btn btn-outline-primary" href="login.php">Sign In</a>
-    </div>
-
-    <div class="pricing-header px-3 py-3 pt-md-5 pb-md-4 mx-auto text-center">
-      <h1 class="display-4">loginpagefoo POC (PHP & MySQL)</h1>
-      <p class="lead">Just a crappy POC written in PHP using PHP, HTML & MySQL.</p>
-    </div>
-
-    <div class="container">
-      <div class="card-deck mb-3 text-center">
-        <div class="card mb-4 box-shadow">
-          <div class="card-header">
-            <h4 class="my-0 font-weight-normal">Register</h4>
-          </div>
-          <div class="card-body">
-            <ul class="list-unstyled mt-3 mb-4">
-              <li>If you don't have a user already.</li>
-            </ul>
-            <a href="register.php"><button type="button" class="btn btn-lg btn-block btn-primary">Sign up for free</button></a>
-          </div>
-        </div>
-        <div class="card mb-4 box-shadow">
-          <div class="card-header">
-            <h4 class="my-0 font-weight-normal">Login</h4>
-          </div>
-          <div class="card-body">
-            <ul class="list-unstyled mt-3 mb-4">
-              <li>If you want to access your profile</li>
-            </ul>
-            <a href="login.php"><button type="button" class="btn btn-lg btn-block btn-primary">Login</button></a>
-          </div>
-        </div>
-        <div class="card mb-4 box-shadow">
-          <div class="card-header">
-            <h4 class="my-0 font-weight-normal">Reset Password</h4>
-          </div>
-          <div class="card-body">
-              <ul class="list-unstyled mt-3 mb-4">
-              <li>When your login details went missing</li>
-            </ul>
-            <a href="forgotpass.php"<button type="button" class="btn btn-lg btn-block btn-outline-primary">Forgot Password</button></a>
-          </div>
-        </div>
-      </div>
-      <h1 class="display-4">This page is using cookies for the Session ID and information. If you continue to use the site, you'll accept this.</h1>
-      <footer class="pt-4 my-md-5 pt-md-5 border-top">
-        <div class="row">
-          <div class="col-12 col-md">
-            <img class="mb-2" src="https://web.td00.de/woddle.gif" alt="" >
-            <small class="d-block mb-3 text-muted">&copy; NO RIGHTS RESERVED! 2020</small>
-          </div>
-          <div class="col-6 col-md">
-            <h5>Features</h5>
-            <ul class="list-unstyled text-small">
-              <li><a class="text-muted" href="#">Password Login</a></li>
-              <li><a class="text-muted" href="#">PHP Session</a></li>
-              <li><a class="text-muted" href="#">Logout</a></li>
-              <li><a class="text-muted" href="#">Forget password</a></li>
-              <li><a class="text-muted" href="#">Password complexibility check</a></li>
-              <li><a class="text-muted" href="#">More to come</a></li>
-            </ul>
-          </div>
-      
-          <div class="col-6 col-md">
-            <h5>About</h5>
-            <ul class="list-unstyled text-small">
-              <li><a class="text-muted" href="https://thiesmueller.de">Me</a></li>
-              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo">Git</a></li>
-              <li><a class="text-muted" href="https://thiesmueller.de/dsgvo/datenschmutz.html">Privacy</a></li>
-              <li><a class="text-muted" href="https://thiesmueller.de/impress/">Imprint</a></li>
-            </ul>
-          </div>
-        </div>
-      </footer>
-    </div>
-
-
-    <!-- Bootstrap core JavaScript
-    ================================================== -->
-    <!-- Placed at the end of the document so the pages load faster -->
-    <script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
-    <script>window.jQuery || document.write('<script src="../../../../assets/js/vendor/jquery-slim.min.js"><\/script>')</script>
-    <script src="ressources/js/bootstrap.min.js"></script>
-    <script>
-      Holder.addTheme('thumb', {
-        bg: '#55595c',
-        fg: '#eceeef',
-        text: 'Thumbnail'
-      });
-    </script>
-  </body>
-</html>

login.php

@@ -1,30 +1,39 @@
 
 <?php 
-session_start();
-include 'db.inc.php';
+/*
+author: Thies Müller
+contact: contactme@td00.de
+source: https://github.com/td00/loginpagefoo
+license: AGPL 3.0
+*/
+session_start(); //here the session starts again
+include 'db.inc.php'; //we need a db connection here too!
  
-if(isset($_GET['login'])) {
-    $username = $_POST['username'];
-    $password = $_POST['password'];
+if(isset($_GET['login'])) { //same as register. looks for "?login=1" in the url
+    $username = $_POST['username']; //gets the username as variable
+    $password = $_POST['password']; //and the password
     
-    $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+    $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username"); //looking in the database for "usernane"
     $result = $statement->execute(array('username' => $username));
     $user = $statement->fetch();
         
-    if ($user !== false && password_verify($password, $user['password'])) {
-        $_SESSION['userid'] = $user['id'];
+    if ($user !== false && password_verify($password, $user['password'])) { //if user exist & posted hash of password = saved password hash do the following:
+        $_SESSION['userid'] = $user['id']; //adding some user infos in the session
         $_SESSION['email'] = $user['email'];
         $_SESSION['username'] = $user['username'];
         $_SESSION['givenName'] = $user['givenName'];
         $_SESSION['lastName'] = $user['lastName'];
         $_SESSION['activated'] = $user['activated'];
         $_SESSION['updated_at'] = $user['updated_at'];
-        die('<div class="alert alert-success" role="alert"> successfull. go to: <a href="secure.php">secure page</a></div> <meta http-equiv="refresh" content="0; URL=secure.php">');
+        $_SESSION['isadmin'] = $user['isadmin'];
+        $_SESSION['profilepicture'] = $user['profilepicture'];
+        die('<div class="alert alert-success" role="alert"> successfull. go to: <a href="start.php">start page</a></div> <meta http-equiv="refresh" content="0; URL=start.php">'); //successful login, thats all.
     } else {
-        $errorMessage = '<div class="alert alert-danger" role="alert">somethings wrong (maybe wrong password or wrong user)</div><br>';
+        $errorMessage = '<div class="alert alert-danger" role="alert">somethings wrong (maybe wrong password or wrong user)</div><br>'; //if password not match or username doesn't exist print this line
     }
     
 }
+//now lets get some html started for the webpage!
 ?>
 <!DOCTYPE html> 
 <html> 
@@ -36,9 +45,10 @@ if(isset($_GET['login'])) {
 <body>
  
 <?php 
-if(isset($errorMessage)) {
+if(isset($errorMessage)) { //if there is an error Message print it
     echo $errorMessage;
 }
+//an now the form is starting (also with bootstrap for some eyecandy)
 ?>
  <script src="ressources/js/bootstrap.min.js"></script>
  <div class="jumbotron jumbotron-fluid">

logout.php

@@ -2,10 +2,11 @@
 <html>
 <head>
 <title>Logout</title>
-<meta http-equiv="refresh" content="3; URL=/">
+<meta http-equiv="refresh" content="0; URL=start.php">
 </head>
 <body>
 <?php
+//just start a session and destroy it. afterwards go back to the start page (thats what the http-equiv refresh does)
 session_start();
 session_destroy();
  

profile.php

@@ -1,4 +1,21 @@
 
+<?php
+session_start(); //start a session
+if(!isset($_SESSION['userid'])) { //if there isnt a session print a please login page and go to login page
+    die('<div class="alert alert-primary" role="alert">Please <a href="login.php">login</a></div><meta http-equiv="refresh" content="2; URL=login.php">');
+}
+ //for easier use we shove some of the session array into variables.
+$userid = $_SESSION['userid'];
+$username = $_SESSION['username'];
+$useremail = $_SESSION['email'];
+$usergn = $_SESSION['givenName'];
+$userln = $_SESSION['lastName'];
+$activated = $_SESSION['activated'];
+$isadmin = $_SESSION['isadmin'];
+$profilepicture = $_SESSION['profilepicture'];
+
+//lets build a page:
+?>
 <html>
 <head>
 <title>Profile Page</title>
@@ -6,21 +23,22 @@
 </head>
 <body>
 <script src="ressources/js/bootstrap.min.js"></script>
+<div class="float-right">
+    <br />
+    <br />
     <?php
-session_start();
-if(!isset($_SESSION['userid'])) {
-    die('<div class="alert alert-primary" role="alert">Please <a href="login.php">login</a></div><meta http-equiv="refresh" content="2; URL=login.php">');
-}
+    echo '<img src="'.$profilepicture.'" height=90 width=90 />';
     
-$userid = $_SESSION['userid'];
-$username = $_SESSION['username'];
-$useremail = $_SESSION['email'];
-$usergn = $_SESSION['givenName'];
-$userln = $_SESSION['lastName'];
-$activated = $_SESSION['activated'];
+    ?>
+</div>
 
+
+<?php
+
+ //print a info bar with the username
 echo '<div class="alert alert-info" role="alert">Profile of '.$username.'</div>';
 echo "<br/>";
+//lets build a table with infos:
 echo '<table class="table table-dark table-striped" style="width:30%">';
 echo "<tr>";
 echo "<td>";
@@ -67,27 +85,42 @@ echo "</tr>";
 <br /> <br /><br />
 <table class="table table-dark table-striped" style="width:30%">
 <?php
+//another table just for "activated" & "isadmin"
 echo "<tr>";
 echo "<td>";
 echo "User Status:";
 echo "</td>";
 echo "<td>";
-if ($activated == 0) {
+if ($activated == 0) { //if not activated print it in red and render a activation link
     echo '<p class="text-danger">Not Activated!</p><br>';
     echo 'Click <a href="activation.php">here</a> to activate';
 }
-if ($activated == 1) {
+if ($activated == 1) { //if activated print so, but in green
     echo '<p class="text-success">Activated!</p>';
 }
 echo "</td>";
 echo "</tr>";
+echo "<tr>";
+echo "<td>";
+echo "User Level:";
+echo "</td>";
+echo "<td>";
+if ($isadmin == 0) { //if not admin, print "User" in green
+    echo '<p class="text-success">User</p><br>';
+}
+if ($isadmin == 1) { //if admin, print so but in red
+    echo '<p class="text-danger">Admin</p>';
+}
+echo "</td>";
+echo "</tr>";
+//some html:
 ?>
+
 </table>
 <br>
-
 <br/>
 <br>
-<a href="secure.php"><button class="btn btn-info">Back</button></a>
+<a href="start.php"><button class="btn btn-info">Back</button></a>
 <br/>
 <br>
 <!--<a href="rawdata.php"><button class="btn btn-black">Raw Data</button></a>-->

rawdata.php

@@ -1,14 +1,28 @@
 <?php
+//this just prints Session data line for line. Its just a quick page to check if everythings in place
 session_start();
+echo "userid:";
 echo $_SESSION['userid'];
 echo "<br />";
+echo "username:";
 echo $_SESSION['username'];
 echo "<br />";
+echo "email:";
 echo $_SESSION['email'];
 echo "<br />";
+echo "givenname:";
 echo $_SESSION['givenName'];
 echo "<br />";
+echo "lastname:";
 echo $_SESSION['lastName'];
 echo "<br />";
+echo "activated:";
 echo $_SESSION['activated'];
+echo "<br />";
+echo "last updated:";
+echo $_SESSION['updated_at'];
+echo "<br />";
+echo "isadmin:";
+echo $_SESSION['isadmin'];
+
 ?>

register.php

@@ -1,7 +1,19 @@
 
 <?php 
-session_start();
-include 'db.inc.php';
+
+/*
+author: Thies Müller
+contact: contactme@td00.de
+source: https://github.com/td00/loginpagefoo
+license: AGPL 3.0
+*/
+session_start(); //everytime we want to use $_SESSION or features regarding a valid session we need to start this
+include 'db.inc.php'; //this is used to establish database connections thruout the app
+
+/*
+after this were building the default html page
+We're using some bootstrap stuff here and later on for design purposes. Otherwise this pages would look like shit.
+*/
 ?>
 <!DOCTYPE html> 
 <html> 
@@ -14,80 +26,83 @@ include 'db.inc.php';
 <body>
  
 <?php
-$showFormular = true;
+
+$showFormular = true; //default: render the form
 
 
 
-if(isset($_GET['register'])) {
-    $error = false;
-    $email = $_POST['email'];
-    $username = $_POST['username'];
-    $givenName = $_POST['givenName'];
-    $lastName = $_POST['lastName'];
-    $password = $_POST['password'];
-    $password_confirm = $_POST['password_confirm'];
+if(isset($_GET['register'])) { //checking if "?register=1" is set in the url. used to have the registration on the same page
+    $error = false; //per default no error.
+    $email = $_POST['email']; //get the variable for the email
+    $username = $_POST['username']; //same for username
+    $givenName = $_POST['givenName']; //same for givenName
+    $lastName = $_POST['lastName']; //same for lastName
+    $password = $_POST['password']; //same for password
+    $password_confirm = $_POST['password_confirm']; //same for password_confirm
     //regexes for passvalidation:
-    $REuppercase = preg_match('@[A-Z]@', $password);
-    $RElowercase = preg_match('@[a-z]@', $password);
-    $REnumber    = preg_match('@[0-9]@', $password);
-    $REspecialChars = preg_match('@[^\w]@', $password);
-    if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
-        echo '<div class="alert alert-danger" role="alert">Please use valid email</div><br>';
-        $error = true;
+    $REuppercase = preg_match('@[A-Z]@', $password); //search for capital letters
+    $RElowercase = preg_match('@[a-z]@', $password); //search for lowercase letters
+    $REnumber    = preg_match('@[0-9]@', $password); //search for numbers
+    $REspecialChars = preg_match('@[^\w]@', $password); //search for the rest
+    if(!filter_var($email, FILTER_VALIDATE_EMAIL)) { //just check if this is a valid email. using phps own functions here.
+        echo '<div class="alert alert-danger" role="alert">Please use valid email</div><br>'; //if the email is invalid, fail with an error
+        $error = true; //here is the error defined
     }     
-    if(strlen($password) == 0) {
+    if(strlen($password) == 0) { //prohibit empty passwords
         echo '<div class="alert alert-danger" role="alert">Please enter password</div><br>';
         $error = true;
     }
-    if($password != $password_confirm) {
+    if($password != $password_confirm) { //check if passwords are alike
         echo '<div class="alert alert-danger" role="alert">passwords doesnt match</div><br>';
         $error = true;
     }
-    if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
+    if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) { //here the regexes (defined up) are checked against the password
         echo '<div class="alert alert-warning" role="alert">Password needs to be more complex.<br />';
         echo '<i>Please implement at least 8 chars, upper & downer caser, one number & one special char.</i></div><br />';
         $error = true;
     }
     
 
-    if(!$error) { 
-        $statement = $pdo->prepare("SELECT * FROM users WHERE email = :email");
+    if(!$error) { //if no error uccored until now do the following:
+        $statement = $pdo->prepare("SELECT * FROM users WHERE email = :email"); //check if the email address is already registered
         $result = $statement->execute(array('email' => $email));
         $user = $statement->fetch();
         
-        if($user !== false) {
+        if($user !== false) { //if the query above does return something in the $user array, print an error
             echo '<div class="alert alert-danger" role="alert">already a user here</div><br>';
             $error = true;
         }    
     }
 
     if(!$error) { 
-        $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+        $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username"); //check if the username is already registered
         $result = $statement->execute(array('username' => $username));
         $user = $statement->fetch();
         
-        if($user !== false) {
+        if($user !== false) { //if the query above does return something in the $user array, print an error
             echo 'already a user here<br>';
             $error = true;
         }    
     }
     
-    if(!$error) {    
-        $password_hash = password_hash($password, PASSWORD_DEFAULT);
+    if(!$error) {    //if no error occured until now, proceed
+        $password_hash = password_hash($password, PASSWORD_DEFAULT); //lets hash the password with the default php function. this suffices for now.
         
-        $statement = $pdo->prepare("INSERT INTO users (email, username, givenName, activated, lastName, password) VALUES (:email, :username, :givenName, '0', :lastName, :password)");
+        //this is the giant mysql statement placing everything from the user input in the database:
+        //(also we're placing "isadmin"="0" & "activated"="0" at this point.)
+        $statement = $pdo->prepare("INSERT INTO users (email, username, givenName, activated, isadmin, lastName, password) VALUES (:email, :username, :givenName, '0', '0', :lastName, :password)");
         $result = $statement->execute(array('email' => $email, 'username' => $username, 'givenName' => $givenName, 'lastName' => $lastName, 'password' => $password_hash));
         
         if($result) {        
-            echo '<div class="alert alert-success" role="alert">successfull registered. <a href="login.php">Login</a></div><meta http-equiv="refresh" content="1; URL=login.php">';
-            $showFormular = false;
+            echo '<div class="alert alert-success" role="alert">successfull registered. <a href="login.php">Login</a></div><meta http-equiv="refresh" content="1; URL=login.php">'; //if this was successfull, go to the login page.
+            $showFormular = false; //also dont print the form again, if we're registered.
         } else {
-            echo 'Error. Please try again!<br>';
+            echo 'Error. Please try again!<br>'; //else, print the form and try again
         }
     } 
 }
  
-if($showFormular) {
+if($showFormular) { //this prints the form which begins after the closing brackets of php
 ?>
 <script src="ressources/js/bootstrap.min.js"></script>
 <div class="jumbotron jumbotron-fluid">
@@ -128,7 +143,7 @@ if($showFormular) {
 </form>
  </div></div>
 <?php
-} 
+} //we need to close the if statement again.
 ?>
  
 </body>

resetpass.php

@@ -9,6 +9,12 @@
 <?php
 include 'db.inc.php';
  
+/*
+more or less the same as activate.php
+
+but some minor differences, find the documentation over there
+
+*/
 if(!isset($_GET['userid']) || !isset($_GET['code'])) {
  die('<div class="alert alert-warning" role="alert">No code delivered. nothing to do here.</div>');
 }
@@ -43,7 +49,7 @@ if(sha1($code) != $user['passwordcode']) {
  
 if(isset($_GET['send'])) {
  $password = $_POST['password'];
- $password_confirm = $_POST['password_confirm'];
+ $password_confirm = $_POST['password_confirm']; //we need to do the whole "is your password secure enough" thingy again here:
   //regexes for passvalidation:
     $REuppercase = preg_match('@[A-Z]@', $password);
     $RElowercase = preg_match('@[a-z]@', $password);
@@ -60,7 +66,7 @@ if(isset($_GET['send'])) {
  $passwordhash = password_hash($password, PASSWORD_DEFAULT);
  $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
  $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
- 
+ //done. the rest is the same
  if($result) {
  die('Changed password. Going to <a href="login.php">login</a> now.<meta http-equiv="refresh" content="1; URL=login.php">');
  }

secure.php

@@ -1,22 +0,0 @@
-
-<html>
-<head>
-<title>Secure Area</title>
-<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
-</head>
-<body>
-<script src="ressources/js/bootstrap.min.js"></script>
-<?php
-session_start();
-if(!isset($_SESSION['userid'])) {
-    die('Please <a href="login.php">login</a>');
-}
-$username = $_SESSION['username'];
-echo "Hi ".$username."!";
-?>
-<br><br>
-<a href="profile.php"><button class="btn btn-primary">Profile</button></a>
-<br><br><br><br>
-<a href="logout.php"><button class="btn btn-danger">LOGOUT</button></a>
-</body>
-</html>

start.php

@@ -0,0 +1,215 @@
+<?php
+session_start(); //get a session started.
+//here we dont need a db connection, just some data from the session
+$userid = $_SESSION['userid'];
+$isadmin = $_SESSION['isadmin']; 
+$activated = $_SESSION['activated'];
+//now lets build the website (its just a bootstrap example page)
+?>
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+
+
+    <title>Login POC</title>
+
+
+    <link href="ressources/css/bootstrap.min.css" rel="stylesheet">
+    <link href="ressources/css/start.css" rel="stylesheet">
+  </head>
+
+  <body>
+
+    <div class="d-flex flex-column flex-md-row align-items-center p-3 px-md-4 mb-3 bg-white border-bottom box-shadow">
+      <h5 class="my-0 mr-md-auto font-weight-normal">Crappy Login POC</h5>
+      <nav class="my-2 my-md-0 mr-md-3">
+
+        <a class="p-2 text-dark" href="https://github.com/td00/loginpagefoo">Git</a>
+        <?php
+      if($userid > 0){ //if the user is logged in (has a userid above 0) then print this:
+        echo 'Hi <a href="profile.php">'.$_SESSION['username'].'</a>';  
+      }else{ //if there isn't a user session print a register button instead
+      echo '<a class="p-2 text-dark" href="register.php">Register</a>';
+    }
+      ?>
+      </nav>
+      <?php
+      if($userid > 0){ //if the user is logged in (has a userid above 0) print a logout button
+        echo '<a class="btn btn-outline-primary" href="logout.php">Sign Out</a>';  
+      }else{ //if there isn't a user session print a login button
+      echo '<a class="btn btn-outline-primary" href="login.php">Sign In</a>';
+    }
+      ?>
+    </div>
+    <?php
+    if(isset($_GET['activation_req'])) { //looks for "?activation_req=1" in the url and prints the warning below
+    echo '<div class="alert alert-danger" role="alert">Your account isnt activated yet!</div><br>';
+}?>
+    <div class="pricing-header px-3 py-3 pt-md-5 pb-md-4 mx-auto text-center">
+      <h1 class="display-4">loginpagefoo POC (PHP & MySQL)</h1>
+      <p class="lead">Just a crappy POC written in PHP using PHP, HTML & MySQL.</p>
+    </div>
+
+    <div class="container">
+      <div class="card-deck mb-3 text-center">
+      <?php
+      if($userid > 0){ // you get the drift, if the user is logged in print this
+        ?>
+        <div class="card mb-4 box-shadow">
+      <div class="card-header">
+        <h4 class="my-0 font-weight-normal">Profile</h4>
+      </div>
+      <div class="card-body">
+        <ul class="list-unstyled mt-3 mb-4">
+          <li>Your Profile</li>
+        </ul>
+        <a href="profile.php"><button type="button" class="btn btn-lg btn-block btn-primary">Profile</button></a>
+      </div>
+    </div>
+        <?php  
+      }else{ //if not print this
+      ?>
+      <div class="card mb-4 box-shadow">
+      <div class="card-header">
+        <h4 class="my-0 font-weight-normal">Register</h4>
+      </div>
+      <div class="card-body">
+        <ul class="list-unstyled mt-3 mb-4">
+          <li>If you don't have a user already.</li>
+        </ul>
+        <a href="register.php"><button type="button" class="btn btn-lg btn-block btn-primary">Sign up for free</button></a>
+      </div>
+    </div>
+      <?php
+    }
+      ?>
+        <?php
+      if($userid > 0){ //same
+        ?>
+        <div class="card mb-4 box-shadow">
+      <div class="card-header">
+        <h4 class="my-0 font-weight-normal">Already activated?</h4>
+      </div>
+      <div class="card-body">
+        <ul class="list-unstyled mt-3 mb-4">
+          <li>Show the Activated Area</li>
+        </ul>
+        <?php
+        if ($activated == 0) { //check if the user is activated. if not, disable the button.
+    echo '<a href="?activation_req=1"><button class="btn btn-primary disabled">Activated Area</button></a>';
+}
+if ($activated == 1) { //if enabled, than activate the button & give it a real function.
+    echo '<a href="activatedarea.php"><button class="btn btn-lg btn-block btn-primary">Activated Area</button></a>';
+}?>
+      </div>
+    </div>
+        <?php  
+      }else{ //else print a login field
+      ?>
+        <div class="card mb-4 box-shadow">
+          <div class="card-header">
+            <h4 class="my-0 font-weight-normal">Login</h4>
+          </div>
+          <div class="card-body">
+            <ul class="list-unstyled mt-3 mb-4">
+              <li>If you want to access your profile</li>
+            </ul>
+            <a href="login.php"><button type="button" class="btn btn-lg btn-block btn-primary">Login</button></a>
+          </div>
+        </div>
+      <?php
+    }
+      ?>
+       <?php
+      if($userid > 0){//yeah, you guessed. same as above
+        ?>
+        <div class="card mb-4 box-shadow">
+          <div class="card-header">
+            <h4 class="my-0 font-weight-normal">Reset Password</h4>
+          </div>
+          <div class="card-body">
+              <ul class="list-unstyled mt-3 mb-4">
+              <li>The only way to change your password right now.. :/<br /> Needs a valid Mail Address.</li>
+            </ul>
+            <a href="forgotpass.php"<button type="button" class="btn btn-lg btn-block btn-outline-primary">Forgot (Change) Password</button></a>
+          </div>
+        </div>
+      </div>
+        <?php  
+      }else{ //...
+      ?>
+        <div class="card mb-4 box-shadow">
+          <div class="card-header">
+            <h4 class="my-0 font-weight-normal">Reset Password</h4>
+          </div>
+          <div class="card-body">
+              <ul class="list-unstyled mt-3 mb-4">
+              <li>When your login details went missing</li>
+            </ul>
+            <a href="forgotpass.php"<button type="button" class="btn btn-lg btn-block btn-outline-primary">Forgot Password</button></a>
+          </div>
+        </div>
+      </div>
+      <?php
+    }
+      ?>
+      <?php
+if ($isadmin == 0) { //checks if admin privileges are granted. if not, just print a linebreak
+    echo '<br>';
+}
+if ($isadmin == 1) { //if admin rights are granted, print a admin area button
+    echo '<a href="adminarea.php"><button class="btn btn-danger">Admin Area</button></a>';
+}
+//footer and stuff 
+?>
+      <footer class="pt-4 my-md-5 pt-md-5 border-top">
+        <div class="row">
+          <div class="col-12 col-md">
+            <img class="mb-2" src="https://web.td00.de/woddle.gif" alt="" >
+            <small class="d-block mb-3 text-muted">&copy; NO RIGHTS RESERVED! 2020</small>
+          </div>
+          <div class="col-6 col-md">
+            <h5>Features</h5>
+            <ul class="list-unstyled text-small">
+              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo/blob/main/FEATURES.MD#password-login">Password Login</a></li>
+              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo/blob/main/FEATURES.MD#password-login">PHP Session</a></li>
+              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo/blob/main/FEATURES.MD#password-login">Logout</a></li>
+              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo/blob/main/FEATURES.MD#password-login">Forget password</a></li>
+              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo/blob/main/FEATURES.MD#password-login">Password complexibility check</a></li>
+              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo/blob/main/FEATURES.MD#password-login">More to come</a></li>
+            </ul>
+          </div>
+      
+          <div class="col-6 col-md">
+            <h5>About</h5>
+            <ul class="list-unstyled text-small">
+              <li><a class="text-muted" href="https://thiesmueller.de">Me</a></li>
+              <li><a class="text-muted" href="https://github.com/td00/loginpagefoo">Git</a></li>
+              <li><a class="text-muted" href="https://thiesmueller.de/dsgvo/datenschmutz.html">Privacy</a></li>
+              <li><a class="text-muted" href="https://thiesmueller.de/impress/">Imprint</a></li>
+            </ul>
+          </div>
+        </div>
+      </footer>
+    </div>
+
+
+    <!-- Bootstrap core JavaScript
+    ================================================== -->
+    <!-- Placed at the end of the document so the pages load faster -->
+    <script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
+    <script>window.jQuery || document.write('<script src="../../../../assets/js/vendor/jquery-slim.min.js"><\/script>')</script>
+    <script src="ressources/js/bootstrap.min.js"></script>
+    <script>
+      Holder.addTheme('thumb', {
+        bg: '#55595c',
+        fg: '#eceeef',
+        text: 'Thumbnail'
+      });
+    </script>
+  </body>
+</html>

update.php

@@ -1,27 +1,15 @@
 <?php
-session_start();
+/*
+This is just a little helper script if you dont want to include a whole backgroundupdate in the page, but after the action you want to go over the update path.
 
-include 'db.inc.php';
-$username = $_SESSION['username'];
-
-$statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
-$result = $statement->execute(array('username' => $username));
-$user = $statement->fetch();
-$_SESSION['userid'] = $user['id'];
-$_SESSION['email'] = $user['email'];
-$_SESSION['username'] = $user['username'];
-$_SESSION['givenName'] = $user['givenName'];
-$_SESSION['lastName'] = $user['lastName'];
-$_SESSION['activated'] = $user['activated'];
-$_SESSION['updated_at'] = $user['updated_at'];
-
-
-echo 'Session newly validated!<br />';
-
-if(isset($_GET['page'])) {
-    echo "Going to ".$_GET['page'];
-    echo '<meta http-equiv="refresh" content="0; URL='.$_GET['page'].'">';
-} else {
+example: update.php?page=start.php does an update of your session and then redirects you directly to start.php
+*/
+include 'backgroundupdate.php'; //getting the real update script in the background
+echo "freshly updated the session data<br />"; //printing a short message
+if(isset($_GET['page'])) { //checks if "?page=" is set in the url
+    echo "Going to ".$_GET['page']; //printing the next hop
+    echo '<meta http-equiv="refresh" content="0; URL='.$_GET['page'].'">'; //going to the page specified in the url.
+} else { //if there isn't anything in the header, just die already!
     die(); 
 }
 ?>

usertable.sql

@@ -10,7 +10,9 @@ CREATE TABLE `users` (
   `activationcode` VARCHAR(255) NULL ,
   `activationcode_time` TIMESTAMP NULL ,
   `activated` VARCHAR(1) NOT NULL ,
+  `isadmin` VARCHAR(1) NULL ,
   `passwordcode` VARCHAR(255) NULL ,
   `passwordcode_time` TIMESTAMP NULL ,
+  `profilepicture` VARCHAR(255) NULL DEFAULT 'https://web.td00.de/woddle.gif' ,
   PRIMARY KEY (`id`), UNIQUE (`email`), UNIQUE (`username`)
 ) ENGINE = InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;