Started analysis.js refactoring

Author: ctl2

private/lib/getPostVar.php private/lib/getVariable.php

@@ -6,5 +6,10 @@ function getPostVar($varName) {
         if (!isset($_POST[$varName])) respond(false, "No $varName value received.");
         return $_POST[$varName];
     }
-    
+
+    function getSessionVar($key) {
+        if (!isset($_SESSION[$key])) respond(false, "No '$key' session variable.");
+        return $_SESSION[$key];
+    }
+
 ?>

private/lib/login.php

@@ -1,11 +1,13 @@
 <?php
 
+    session_start();
+
     require_once('respond.php');
 
     function login($username, $accountType) {
         $_SESSION["username"] = $username;
         $_SESSION["accountType"] = $accountType;
         respond(true, $accountType);
     }
-    
+
 ?>

private/lib/logout.php

@@ -1,4 +1,12 @@
 <?php
+
+    if (session_id() == "") session_start();
+
+    require_once("../lib/respond.php");
+
     session_unset();
     session_destroy();
+
+    respond(true, "");
+
 ?>

private/lib/setHeaders.php

@@ -0,0 +1,3 @@
+<?php
+    header('Set-Cookie: cross-site-cookie=name; SameSite=Strict; Secure');
+?>

private/login/login.php

@@ -1,18 +1,17 @@
 <?php
 
-    session_start();
-
     error_reporting(E_ALL);
     ini_set('display_errors', 1);
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
-    require_once("../lib/getPostVar.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/unboundQuery.php");
     require_once("../lib/respond.php");
     require_once("../lib/login.php");
 
-    function getAccountTypeResult($conn, $username, $password) {
-        $sql = "SELECT accountType FROM Accounts WHERE username='$username' AND password='$password'";
+    function getAccount($conn, $username) {
+        $sql = "SELECT password, accountType FROM Accounts WHERE username='$username'";
         return getQueryResult($conn, $sql);
     }
 
@@ -21,11 +20,15 @@ function getAccountTypeResult($conn, $username, $password) {
     $username = getPostVar("username");
     $password = getPostVar("password");
 
-    $accountTypeRows = getAccountTypeResult($conn, $username, $password);
+    $accountRows = getAccount($conn, $username);
+
+    if (mysqli_num_rows($accountRows) === 0) respond(false, 'Username was not recognised.');
+
+    $account = $accountRows->fetch_assoc();
 
-    if (mysqli_num_rows($accountTypeRows) === 0) respond(false, 'Account details were not recognised.');
+    if (!password_verify($password, "" . $account['password'])) respond(false, 'Password was not recognised.');
 
-    switch ($accountTypeRows->fetch_assoc()['accountType']) {
+    switch ($account['accountType']) {
         case "reader":
             login($username, "reader");
             break;

private/reader/getUnreadTextString.php

@@ -5,6 +5,7 @@
     error_reporting(E_ALL);
     ini_set('display_errors', 1);
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
     require_once("../lib/unboundQuery.php");
     require_once("../lib/respond.php");
@@ -42,7 +43,7 @@ function getUnreadTextString($conn, $reader) {
 
     $conn = connectDB();
 
-    $reader = $_SESSION['username'];
+    $reader = getSessionVar('username');
 
     $textString = getUnreadTextString($conn, $reader);
 

private/reader/uploadReadingData.php

@@ -4,17 +4,18 @@
 
     error_reporting(E_ALL);
     ini_set('display_errors', 1);
-
+    
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
-    require_once("../lib/getPostVar.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/boundQuery.php");
     require_once("../lib/respond.php");
 
-    function createReadingEntry($conn, $title, $version, $reader, $availWidth, $availHeight) {
+    function createReadingEntry($conn, $title, $version, $reader, $wpm, $innerWidth, $innerHeight) {
         // Make a bound query for a single insert into the Readings table
-        $sql = "INSERT INTO Readings (title, version, reader, availWidth, availHeight) VALUES (?, ?, ?, ?, ?)";
-        $typeString = "sssii";
-        $valueArray = array(&$title, &$version, &$reader, &$availWidth, &$availHeight);
+        $sql = "INSERT INTO Readings (title, version, reader, wpm, innerWidth, innerHeight) VALUES (?, ?, ?, ?, ?, ?)";
+        $typeString = "sssiii";
+        $valueArray = array(&$title, &$version, &$reader, &$wpm, &$innerWidth, &$innerHeight);
         makeBoundQuery($conn, $sql, $typeString, $valueArray);
     }
 
@@ -40,16 +41,17 @@ function createLogEntry($conn, $title, $version, $reader, $log) {
 
     $conn = connectDB();
 
-    if (!$title = $_SESSION["title"]) respond(false, "No 'title' session variable.");
-    if (!$version = $_SESSION["version"]) respond(false, "No 'version' session variable.");
-    $reader = $_SESSION['username'];
-    $availWidth = getPostVar("availWidth");
-    $availHeight = getPostVar("availHeight");
+    $title = getSessionVar("title");
+    $version = getSessionVar("version");
+    $username = getSessionVar("username");
+    $wpm = getPostVar("wpm");
+    $innerWidth = getPostVar("innerWidth");
+    $innerHeight = getPostVar("innerHeight");
     $log = json_decode(getPostVar("log"), true);
     // Group all queries into a single transaction
     if (!$conn->autocommit(false)) respond(false, "Failed to start transaction: $conn->error");
 
-    createReadingEntry($conn, $title, $version, $reader, $availWidth, $availHeight);
+    createReadingEntry($conn, $title, $version, $reader, $wpm, $availWidth, $availHeight);
     createLogEntry($conn, $title, $version, $reader, $log);
 
     if (!$conn->commit()) respond(false, "Commit failed: $conn->error");

private/register/register.php

@@ -2,8 +2,9 @@
 
     session_start();
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
-    require_once("../lib/getPostVar.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/boundQuery.php");
     require_once("../lib/respond.php");
     require_once("../lib/login.php");
@@ -17,16 +18,18 @@ function isTaken($conn, $username) {
     }
 
     function createReaderAccount($conn, $username, $password, $dob, $gender, $isImpaired) {
+        $passwordHash = password_hash($password, PASSWORD_DEFAULT);
         $sql = "INSERT INTO Readers (username, password, dob, gender, isImpaired) VALUES (?, ?, ?, ?, ?)";
         $typeString = "ssssi";
-        $valueArray = array(&$username, &$password, &$dob, &$gender, &$isImpaired);
+        $valueArray = array(&$username, &$passwordHash, &$dob, &$gender, &$isImpaired);
         makeBoundQuery($conn, $sql, $typeString, $valueArray);
     }
 
     function createResearcherAccount($conn, $username, $password) {
+        $passwordHash = password_hash($password, PASSWORD_DEFAULT);
         $sql = "INSERT INTO Researchers (username, password) VALUES (?, ?)";
         $typeString = "ss";
-        $valueArray = array(&$username, &$password);
+        $valueArray = array(&$username, &$passwordHash);
         makeBoundQuery($conn, $sql, $typeString, $valueArray);
     }
 

private/researcher/getAvailableTexts.php

@@ -5,7 +5,9 @@
     error_reporting(E_ALL);
     ini_set('display_errors', 1);
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/unboundQuery.php");
     require_once("../lib/respond.php");
 
@@ -42,7 +44,7 @@ function getAvailableTexts($conn, $username) {
 
     $conn = connectDB();
 
-    $username = $_SESSION["username"];
+    $username = getSessionVar("username");
     $texts = getAvailableTexts($conn, $username);
 
     respond(true, json_encode($texts));

private/researcher/getReaders.php

@@ -3,31 +3,35 @@
     error_reporting(E_ALL);
     ini_set('display_errors', 1);
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
-    require_once("../lib/getPostVar.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/unboundQuery.php");
     require_once("../lib/respond.php");
 
-    function getReaders($conn, $title, $version) {
-        // Retrieve the usernames of all reader accounts that have been assigned the given text
+    function getReadings($conn, $title, $version) {
+        // Retrieve data on all reader accounts that have been assigned the given text
         $sql = "
-            SELECT DISTINCT username, dob, gender, isImpaired
+            SELECT DISTINCT SHA2(username, 224) AS usernameHash, dob, gender, isImpaired, wpm, readDate
             FROM Readers
-            INNER JOIN Windows ON username = reader
-            WHERE title='$title' AND version='$version'
+            INNER JOIN Readings ON reader = username
+            WHERE title = '$title' AND version = '$version'
         ";
         $readerRows = getQueryResult($conn, $sql);
         // Process the result object
         $readerArray = array();
-        $curDate = date_create();
         while ($readerRow = $readerRows->fetch_assoc()) {
-            $reader = array(
-                "username" => $readerRow["username"],
-                "age" => (int) date_interval_format(date_diff($curDate, date_create($readerRow["dob"])), "%y"),
+            // Calculate the reader's age at the time of reading
+            $readDate = date_create($readerRow["readDate"]);
+            $birthDate = date_create($readerRow["dob"]);
+            $age = date_diff($readDate, $birthDate);
+            // Record data
+            $readerArray[$readerRow["usernameHash"]] = array(
+                "wpm" => $readerRow["wpm"],
+                "age" => (int) date_interval_format($age, "%y"), // Get the year part without leading/trailing zeroes
                 "gender" => $readerRow["gender"],
-                "isImpaired" => (bool) $readerRow["isImpaired"],
+                "isImpaired" => (bool) $readerRow["isImpaired"]
             );
-            array_push($readerArray, $reader);
         }
         // Return the result array
         return $readerArray;

private/researcher/getTextString.php

@@ -3,8 +3,9 @@
     error_reporting(E_ALL);
     ini_set('display_errors', 1);
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
-    require_once("../lib/getPostVar.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/getTextString.php");
     require_once("../lib/respond.php");
 

private/researcher/getWindows.php

@@ -3,17 +3,18 @@
     error_reporting(E_ALL);
     ini_set('display_errors', 1);
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
-    require_once("../lib/getPostVar.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/unboundQuery.php");
     require_once("../lib/respond.php");
 
-    function getWindows($conn, $title, $version, $reader) {
+    function getWindows($conn, $title, $version, $readerHash) {
         // Get all measurements from the given reading session
         $sql = "
             SELECT focalChar, leftmostChar, rightmostChar, duration
             FROM Windows
-            WHERE title='$title' AND version='$version' AND reader='$reader'
+            WHERE title = '$title' AND version = '$version' AND SHA2(reader, 224) = '$readerHash'
             ORDER BY sequenceNumber
         ";
         $dataRows = getQueryResult($conn, $sql);
@@ -33,9 +34,9 @@ function getWindows($conn, $title, $version, $reader) {
 
     $title = getPostVar("title");
     $version = getPostVar("version");
-    $reader = getPostVar("reader");
+    $readerHash = getPostVar("readerHash");
 
-    $windows = getWindows($conn, $title, $version, $reader);
+    $windows = getWindows($conn, $title, $version, $readerHash);
 
     respond(true, json_encode($windows));
 

private/researcher/uploadText.php

@@ -2,8 +2,9 @@
 
     session_start();
 
+    require_once("../lib/setHeaders.php");
     require_once("../lib/connectDB.php");
-    require_once("../lib/getPostVar.php");
+    require_once("../lib/getVariable.php");
     require_once("../lib/boundQuery.php");
     require_once("../lib/respond.php");
 
@@ -56,6 +57,7 @@ function createCharactersEntry($conn, $title, $version, $text) {
     // Connect to the database
     $conn = connectDB();
     // Retrieve mandatory arguments
+    $username = getSessionVar("username");
     $isNew = getPostVar('isNew');
     $text = getPostVar('text');
     $title = getPostVar('title');
@@ -69,7 +71,7 @@ function createCharactersEntry($conn, $title, $version, $text) {
     if (!$conn->autocommit(false)) respond(false, "Failed to start transaction: $conn->error");
     // Make queries
     if ($isNew == true) {
-        createTextEntry($conn, $title, $_SESSION['username']);
+        createTextEntry($conn, $title, $username);
     }
     createVersionEntry($conn, $title, $version, $isPublic, $targetAgeMin, $targetAgeMax, $targetGender);
     createCharactersEntry($conn, $title, $version, $text);

private/setup/data.php

@@ -14,7 +14,7 @@ function addReader($conn, $username, $password, $dob, $gender, $isImpaired) {
     function addResearcher($conn, $username, $password) {
         $sql = $conn->prepare("INSERT INTO Researchers(username, password) VALUES (?, ?)");
         $sql->bind_param("ss", $username, $password);
-        add($conn, "Reviewers", $sql);
+        add($conn, "Researchers", $sql);
     }
 
     function add($conn, $table, $sql) {
@@ -44,7 +44,7 @@ function add($conn, $table, $sql) {
     $conn = connectDB();
 
     for ($i = 0; $i < 100; $i++) {
-        addResearcher($conn, "reviewer" . $i, "reviewer" . $i);
+        addResearcher($conn, "researcher$i", password_hash("researcher$i", PASSWORD_DEFAULT));
     }
 
     for ($i = 0; $i < 100; $i++) {
@@ -55,7 +55,7 @@ function add($conn, $table, $sql) {
             $gender = "f";
         }
         $isImpaired = rand(0,1);
-        addReader($conn, "reader" . $i, "reader" . $i, $dob, $gender, $isImpaired);
+        addReader($conn, "reader$i", password_hash("reader$i", PASSWORD_DEFAULT), $dob, $gender, $isImpaired);
     }