One Hat Cyber Team

Edit File: odbc_test.php

<?php 
	error_reporting(1);
	date_default_timezone_set('Asia/Kuala_Lumpur');

$GLOBALS['mysqli'] = new mysqli("127.0.0.1:3307", "root", "12qwaszx", "dbedgpens");
	if ($mysqli->connect_errno) {
		echo "Failed to connect to MySQL: (" . $mysqli_link->connect_errno . ") " . $mysqli_link->connect_error;
		exit();
	}

$mysqli_link = new mysqli("127.0.0.1:3307", "root", "12qwaszx", "dbedgpens");
	if ($mysqli_link->connect_errno) {
		echo "Failed to connect to MySQL: (" . $mysqli_link->connect_errno . ") " . $mysqli_link->connect_error;
	}

$GLOBALS['mysqli2'] = new mysqli("127.0.0.1:3307", "root", "12qwaszx", "dbssosukphg");
	if ($mysqli2->connect_errno) {
		echo "Failed to connect to MySQL: (" . $mysqli_link->connect_errno . ") " . $mysqli_link->connect_error;
		exit();
	}

if (!empty($_SERVER['HTTP_CLIENT_IP']))   
		$GLOBALS['ip_address'] = $_SERVER['HTTP_CLIENT_IP'];
	elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))  
		$GLOBALS['ip_address'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
	else
		$GLOBALS['ip_address'] = $_SERVER['REMOTE_ADDR'];

//----------------------------------------------------------------------------------
	// Delete a session and return.
	//----------------------------------------------------------------------------------
	function deleteSession($session){

global $mysqli;
		// $query="DELETE FROM utiliti_session WHERE iduser!=1 AND session = '$session'";
		$query="DELETE FROM utiliti_session WHERE session = '$session'";
		$mysqli->query($query);

return;
	}

//----------------------------------------------------------------------------------
	// Update session time if it exists.
	//----------------------------------------------------------------------------------
	function updateSession($session){

global $mysqli;
		checkSession();

$query="SELECT * FROM utiliti_session WHERE session='$session'";
		$result=$mysqli->query($query);
		$row=$result->fetch_assoc();

if ($row){
			$time=getdate(time());
			$s="update utiliti_session set masa='".$time['year']."-".$time['mon']."-".$time['mday']." ".$time['hours'].":".$time['minutes'].":".$time['seconds']."' where session='$session'";
			if(!$r=$mysqli->query($s)) echo $s."<br>Fail to updating the session ".$r;

}else{
			$session=false;
		}

return $session;
	}

//----------------------------------------------------------------------------------
	// Log user in. If user already has a session then security risk. Throw them out.
	//----------------------------------------------------------------------------------
	function login($passedusername,$passedpassword){

global $mysqli2;
		checkSession();
		$passedpassword= md5($passedpassword);

$stmt  			= $mysqli2->stmt_init();
		$stmt->prepare("SELECT 
							a.*, 
							b.sekatan_cubaan 
						FROM 
							tpengguna a 
						LEFT JOIN 
							tsekatan b ON b.sekatan_pengguna = a.pengguna_kp 
						LEFT JOIN 
							tlogin c ON c.pengguna_id = a.pengguna_id
						WHERE 
							a.pengguna_kp = ? 
						AND 
							c.sistem_id = '19' 
						");
		$pengguna_kp 		= $passedusername;
		$stmt->bind_param("s",$pengguna_kp);
		$stmt->execute();
		$result 		= $stmt->get_result();
		$stmt->close();

$session 	= array();
		$row=$result->fetch_assoc();

if ($row){

$userid 	= $row['pengguna_id'];
			$nama 		= strtoupper($row['pengguna_nama']);
			$password 	= $row['pengguna_pass'];
			$flagUser 	= $row['aktif_id'];
			$sekatan 	= (int)$row['sekatan_cubaan'];

if($password==$passedpassword){
				if($flagUser == 3){
					$session[0] 	= "Ops! Something Wrong.<br>Please Contact System Administrators.";
					$session[1] 	= false;
					$session[3] 	= 1;
				}else if($flagUser == 2){
					$session[0] 	= "Pengguna Tidak Aktif.";
					$session[1] 	= false;
					$session[3] 	= 1;
				}else {//ok to proceed.

if($sekatan >= 3){
						$session[0] 	= "Akaun Anda Disekat. Sila Hubungi Admin Untuk Buka Sekatan.";
						$session[1] 	= false;
						$session[3] 	= 1;
					}else{
						$session[0]		= "Welcome Back. {$nama}";
						$session[1]		= checkUser($userid); //check to see if user is already logged in
						$session[3] 	= 0;

if ($session[1]){
							deleteSession($session[1]);//Force the user out if already logged in
							$session[1]=setSession($userid);
						}else{
							$session[1]=setSession($userid);
						}
					}
				}
			}else{
				$session[0] 	= sekatan($passedusername);
				$session[1] 	= false;
				$session[3] 	= 1;
			}
		}else{
			$session[0] 	= sekatan($passedusername);
			$session[1] 	= false;
			$session[3] 	= 1;
		}

return $session;
	}

//----------------------------------------------------------------------------------
	// Semak Sekatan.
	//----------------------------------------------------------------------------------
	function sekatan($passedusername){

global $mysqli2;
		global $ip_address;

$stmt  			= $mysqli2->stmt_init();
		$stmt->prepare("SELECT  * FROM tsekatan WHERE sekatan_pengguna=? and sekatan_tarikh=CURDATE()");
		$pengguna_kp 		= $passedusername;
		$stmt->bind_param("s",$pengguna_kp);
		$stmt->execute();
		$result 		= $stmt->get_result();
		$row=$result->fetch_assoc();

if($row){

$sekatan_tarikh=$row['sekatan_tarikh'];
            $sekatan_cubaan=$row['sekatan_cubaan'];

if($sekatan_cubaan >= 3){
				$msg 	= "Akaun Anda Disekat. Sila Hubungi Admin Untuk Buka Sekatan.";
			}else{
				$stmt  			= $mysqli2->stmt_init();
				$stmt->prepare("UPDATE tsekatan SET sekatan_cubaan=sekatan_cubaan+1 WHERE sekatan_pengguna=? and sekatan_tarikh=? ");
				$pengguna_kp 		= $passedusername;
				$stmt->bind_param("ss",$pengguna_kp,$sekatan_tarikh);
				$stmt->execute();
				$msg 	= "Please Try Again!";
			}

}else{
			$stmt  			= $mysqli2->stmt_init();
			$stmt->prepare("INSERT INTO tsekatan(sekatan_pengguna,sekatan_ip,sekatan_cubaan,sekatan_tarikh) values (?,'{$ip_address}',1, CURDATE())");
			$pengguna_kp 		= $passedusername;
			$stmt->bind_param("s",$pengguna_kp);
			$stmt->execute();
			$msg 	= "Please Try Again!";
		}

return $msg;
	}

//----------------------------------------------------------------------------------
	// Set a session and insert session into session table.
	//----------------------------------------------------------------------------------
	function setSession($userid){

global $mysqli;
		$time=getdate(time());

$length=80;// set this to the length of session variable desired
		$session="";
		mt_srand(time());
		$sessionstring="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

$achar=strlen($sessionstring)-1;

for ($i=0;$i<$length;$i++){
			$session.=$sessionstring[mt_rand(0,$achar)];
		}
		$session=$userid.$session;

$query = "INSERT INTO utiliti_session (session,idUser,masa) VALUES 	('$session','$userid','".$time['year']."-".$time['mon']."-".$time['mday']." ".$time['hours'].":".$time['minutes'].":".$time['seconds']."')";
		$mysqli->query($query) or die(mysqli_error($mysqli));

return $session;
	}

//--------------------------------------------------------------------------------
	// Check the user to see if they are already logged in.
	//--------------------------------------------------------------------------------
	function checkUser($userid){

global $mysqli;
		$query="SELECT * FROM utiliti_session WHERE idUser = '$userid'";
		$result=$mysqli->query($query);
		$row=$result->fetch_assoc();

if ($row){
			$session=$row['session'];
		}else{
			$session = false;
		}

return $session;
	}

//----------------------------------------------------------------------------------
	// Log the user out when they click on the log-out button
	//----------------------------------------------------------------------------------
	function logout($session){

global $mysqli;

$query="SELECT * FROM utiliti_session WHERE session = '$session'";
		$result=$mysqli->query($query);
		$row=$result->fetch_assoc();

if ($row){
			$userid=$row['idUser'];
			deleteSession($session);
			return true;
		}else{
			return false;
		}
	}

//----------------------------------------------------------------------------------
	// Check session and return.
	//----------------------------------------------------------------------------------
	function checkSession(){

global $mysqli;
		$expirationtime=time()-1800; // set this to seconds of inactivity before forced logout (30mins)
	//	$expirationtime=time()-6000; // set this to seconds of inactivity before forced logout (100mins)

$time=getdate($expirationtime);

$query = "SELECT idUser,session,masa From utiliti_session WHERE masa < '".$time['year']."-".$time['mon']."-".$time['mday']." ".$time['hours'].":".$time['minutes'].":".$time['seconds']."'";
		$result=$mysqli->query($query) or die(mysqli_error($mysqli));

while($row=$result->fetch_assoc()){
			deleteSession($row[1]);
		}

return;
	}

function get_user($sess){

global $mysqli;
		$query="SELECT * FROM utiliti_session WHERE session='$sess'";
		$result=$mysqli->query($query);
		$row=$result->fetch_assoc();

// $stmt->prepare("SELECT * FROM utiliti_session WHERE session=?");
		// $running_sql 	= $sess;
		// $stmt->bind_param("s",$iduser,$running_sql,$descr);
		// $stmt->execute();
		// $result = $stmt->get_result();
		// $row 	= $result->fetch_assoc(MYSQLI_ASSOC);
		// $stmt->close();
		return $row;
    }

function get_user_full($sess){

global $mysqli;
		$query="SELECT * FROM utiliti_session WHERE session='$sess'";
		$result=$mysqli->query($query);
		$row=$result->fetch_assoc();

$query="SELECT * FROM user_list WHERE idUser='{$row['idUser']}'";
		$result=$mysqli->query($query);
		$row=$result->fetch_assoc();

return $row;
    }
    
	function mysqli_prepare_audit($sql,$param_type,$param_data,$param_do = null,$query_type = null){
		/*	
			Hamdi : 2020-03-20
			This Function Only for Insert/Update/Delete use.
		*/
		global $mysqli;
		$user 			= get_user($_SESSION['session']);
		$conn 			= $mysqli;
		$stmt  			= $conn->stmt_init();
		$stmt->prepare($sql);
		$comb_param 	= "";
		$length_type 	= strlen($param_type);
		$length_data	= count($param_data);
		$type_auto 		= "";

foreach ($param_data as $a => $b) {
			$comb_param1 	.= "\${$a}=\"{$b}\",";
			$comb_param2 	.= "\${$a}=\"{$b}\",\n";
			$type_auto 		.= "s";
		}

if($length_type != $length_data || $param_type == 'auto')
			$param_type 	= $type_auto;

$data 			= array();
		$comb_param1 	= substr($comb_param1, 0, -1);
		$comb_param2 	= $sql.";\n".substr($comb_param2, 0, -2);
		"\$stmt->bind_param(\"".$param_type."\",".$comb_param1.");";
		eval("\$stmt->bind_param(\"".$param_type."\",".$comb_param1.");");

if (!$stmt->execute()) {
    		echo 'error executing statement: ' . $stmt->error;
			$stmt->close();
		}else{
			$data[0] 	= $mysqli->insert_id;
			$stmt->close();
			audit_insert($comb_param2,$param_do);
		}

return $data;
	}

function mysqli_prepare_all($sql,$param_type,$param_data){
		/*	
			Hamdi : 2020-12-07
			This Function for All Query.
		*/
		global $mysqli;
		// $user 			= get_user($_SESSION['session']);
		$conn 			= $mysqli;
		$stmt  			= $conn->stmt_init();
		$stmt->prepare($sql);
		$comb_param 	= "";
		$length_type 	= strlen($param_type);
		$length_data	= count($param_data);
		$type_auto 		= "";

foreach ($param_data as $a => $b) {
			$comb_param1 	.= "\${$a}=\"{$b}\",";
			$comb_param2 	.= "\${$a}=\"{$b}\",\n";
			$type_auto 		.= "s";
		}

if($length_type != $length_data || $param_type == 'auto')
			$param_type 	= $type_auto;

$stmt->execute() or trigger_error($stmt->error, E_USER_ERROR);
		($result = $stmt->get_result()) or trigger_error($stmt->error, E_USER_ERROR);
 		$stmt->close();

return $result;
	}

function audit_insert($running_sql,$descr = null){

global $mysqli;

if(!empty($_SESSION['session']))
			$user 		= get_user($_SESSION['session']);
		else
			$user 		= "";
		$stmt  			= $mysqli->stmt_init();
		$stmt->prepare("insert into audit_trail (idUser,running_sql,descr) values (?,?,?)");
		$iduser 		= $user['idUser'];
		// $running_sql 	= $comb_param2;
		$descr 			= (empty($descr)) ? '' : $descr ;
		$stmt->bind_param("sss",$iduser,$running_sql,$descr);
		$stmt->execute();
		$stmt->close();
	}

function mysql_date($date){
		explode('-', $date);
		return $date[3]."-".$date[2]."-".$date[1];
	}

// function mysqli_prepare_audit2(){

// 	global $mysqli;
	// 	$stmt  			= $mysqli->stmt_init();
	// 	$stmt->prepare($sql);
	// 	$comb_param 	= "";
	// 	$length_type 	= strlen($param_type);
	// 	$length_data	= count($param_data);
	// 	$type_auto 		= "";

// 	foreach ($param_data as $a => $b) {
	// 		$comb_param1 	.= "\${$a}=\"{$b}\",";
	// 		$comb_param2 	.= "\${$a}=\"{$b}\",\n";
	// 		$type_auto 		.= "s";
	// 	}

// 	if($length_type != $length_data || $param_type == 'auto')
	// 		$param_type 	= $type_auto;

// 	$data 			= array();
	// 	$comb_param1 	= substr($comb_param1, 0, -1);
	// 	$comb_param2 	= $sql.";\n".substr($comb_param2, 0, -2);
	// 	"\$stmt->bind_param(\"".$param_type."\",".$comb_param1.");";
	// 	eval("\$stmt->bind_param(\"".$param_type."\",".$comb_param1.");");

// 	$stmt->execute();

// 	// execute the stored Procedure
	// 	$result = $connect->query('call IsUserPresent(@uid, @userCount)');

// 	// getting the value of the OUT parameter
	// 	$r = $connect->query('SELECT @userCount as userCount');
	// 	$row = $r->fetch_assoc();

// }

function test_loop($id){
		// $s2="SELECT * from user_list";
			
  //           $stmt = $mysqli->prepare($s2);
		// 	$stmt->bind_param("s",$id);
		//     $stmt->execute();
		//     $result = $stmt->get_result();
		// $stmt->close();

// echo    $jum = $stmt->num_rows;
		// echo $id;
		// echo "<br>";
		// global $mysqli;
		// 		$s2="SELECT * from user_list where idUser = 1";
			
  //           $stmt = $mysqli->prepare($s2);
		// 	$stmt->bind_param("s",$id);
		//     $stmt->execute();
		//     $result = $stmt->get_result();
		// echo    $jum = $result->num_rows;
		// $stmt->close();
// print_r($result);
		// $sql 			= "SELECT lokasi,tujuan,flaglulus,catatan FROM tugasluar WHERE (idPekerja=? AND (? BETWEEN tarikhMula AND tarikhTamat))";
		// $param_data 	= array(
		// 					"idPekerja" 	=> $idPekerja,
		// 					"tarikhUrusan" 	=> $tarikhUrusan,
		// 				 	);
		// $result 		= mysqli_prepare_all($sql,"auto",$param_data);
		// echo $result->num_rows;

// $sql 			= "SELECT * FROM user_list WHERE (idUser=? AND (? BETWEEN dateCreated AND dateModified))";
		$sql 			= "SELECT * FROM user_list WHERE idUser=? ";
		$param_data 	= array(
							"idUser" 	=> $id
						 	);
		$result 		= mysqli_prepare_all($sql,"auto",$param_data);
		echo $result->num_rows;
		// $zsd = ;
		print_r($result->fetch_assoc());
		// echo $zsd['emailUser'];
		// print_r();
	}