first commit

Dockerfile

@@ -0,0 +1,13 @@
+FROM php:8.0-apache
+
+RUN docker-php-ext-install mysqli && docker-php-ext-install pdo_mysql
+
+EXPOSE 80
+
+WORKDIR /var/www/html
+
+COPY www /var/www/html
+
+RUN chmod 777 /var/www/html/images/poster_film/
+
+RUN chown -R www-data:www-data .

README.md

@@ -0,0 +1,34 @@
+# NSI HOMEWORKS
+
+**simple html/css/php/mysql website devellop for my school homework.
+It's probably fully vulnerable if you wan't to play with him x)))
+I do it in 2 weeks.**
+
+## applications ports
+	- administrator credentials : [email protected]:v3ryS3cr3t@dm1nP4ssw0rd
+	- apache server : http://localhost:8001
+	- phpmyadmin : http://localhost:8002
+if you want to connect manually to the database you can execute this command :
+```docker exec -it nsi_sql mysql -uroot -proot```
+
+## how to launch the docker
+
+*You must have docker and docker-compose installed*
+
+### Linux
+
+```sh
+git clone http://githubrepo
+cd mediatheque_website
+docker-compose -f docker-compose.yml up -d
+```
+
+### Windows 
+
+TODO.
+
+## todo
+
+*check security issues
+correct some bugs
+(but i'm too tired to do that, was just a homework about mysql at the beginning)*

db/init.sql

@@ -0,0 +1,51 @@
+CREATE DATABASE IF NOT EXISTS mediatheque;
+USE mediatheque;
+
+CREATE TABLE IF NOT EXISTS users(id_users INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(id_users), nom VARCHAR(100), prenom VARCHAR(100), email VARCHAR(100), password VARCHAR(128) /*size of sha512 hash*/, addresse VARCHAR(100), tel VARCHAR(100), admin BOOLEAN);
+CREATE TABLE IF NOT EXISTS categorie(id_categorie INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(id_categorie), nom_categorie VARCHAR(100));
+CREATE TABLE IF NOT EXISTS realisateur(id_realisateur INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(id_realisateur), nom_realisateur VARCHAR(100), prenom_realisateur VARCHAR(100), nationalite_realisateur VARCHAR(100), annee_naissance INT);
+CREATE TABLE IF NOT EXISTS film(id_film INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(id_film), nom_film VARCHAR(100), annee_film INT, description VARCHAR(4096), id_realisateur INT, FOREIGN KEY(id_realisateur) REFERENCES realisateur(id_realisateur), id_categorie INT, FOREIGN KEY(id_categorie) REFERENCES categorie(id_categorie));
+CREATE TABLE IF NOT EXISTS emprunt(id_emprunt INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(id_emprunt), id_film INT, FOREIGN KEY(id_film) REFERENCES film(id_film), id_users INT, FOREIGN KEY(id_users) REFERENCES users(id_users), date_emprunt DATE, date_retour DATE);
+
+-- insert an administrator account
+
+INSERT INTO users(nom, prenom, email, password, addresse, tel, admin)
+VALUES("Sylvain", "Durif", "[email protected]", "12e92ecc3d2ef29462c93bbab18f5b50513c5492d9fe205d23d9a97d6976fd2109cac9ef903981bc50136e59cfdf762047e19154308b085abfa66663529c4a33", "30 rue de la flemme 1337 hackerland", "13 37 13 37 13", True);
+
+
+-- INSERT CATEGORIES
+
+INSERT INTO categorie(nom_categorie) VALUES("action");
+INSERT INTO categorie(nom_categorie) VALUES("aventure");
+INSERT INTO categorie(nom_categorie) VALUES("romantique");
+INSERT INTO categorie(nom_categorie) VALUES("famille");
+INSERT INTO categorie(nom_categorie) VALUES("comedie");
+INSERT INTO categorie(nom_categorie) VALUES("anime");
+INSERT INTO categorie(nom_categorie) VALUES("drame");
+INSERT INTO categorie(nom_categorie) VALUES("horreur");
+INSERT INTO categorie(nom_categorie) VALUES("enfant");
+INSERT INTO categorie(nom_categorie) VALUES("policier");
+
+
+
+-- INSERT REALISATEUR
+
+INSERT INTO realisateur(nom_realisateur, prenom_realisateur, nationalite_realisateur, annee_naissance)
+VALUES("FEE", "Brian", "American", 1975);
+
+-- INSERT FILM 
+
+INSERT INTO film(nom_film, annee_film, description, id_realisateur, id_categorie)
+VALUES("cars 3", 2017, "Cars 3 is a 2017 American computer-animated sports comedy-adventure film produced by Pixar Animation Studios and released by Walt Disney Pictures.", (select id_realisateur from realisateur where prenom_realisateur="Brian" and nom_realisateur="FEE"), (select id_categorie from categorie where nom_categorie="comedie") );
+
+
+
+-- INSERT REALISATEUR
+
+INSERT INTO realisateur(nom_realisateur, prenom_realisateur, nationalite_realisateur, annee_naissance)
+VALUES("WAN", "James", "Australian", 1977);
+
+-- INSERT FILM 
+
+INSERT INTO film(nom_film, annee_film, description, id_realisateur, id_categorie)
+VALUES("Fast and Furious 7", 2015, "Furious 7 (also called Fast and Furious 7) is a 2015 American action film directed by James Wan and written by Chris Morgan. It is the sequel to Fast & Furious 6, and serves as the seventh installment in the Fast & Furious franchise.", (select id_realisateur from realisateur where prenom_realisateur="James" and nom_realisateur="WAN"), (select id_categorie from categorie where nom_categorie="action") );

docker-compose.yml

@@ -0,0 +1,39 @@
+version: '3.5'
+
+services:
+  database:
+    container_name: nsi_sql
+    image: mysql:5.7
+    restart: unless-stopped
+    ports:
+        - 3307:3306
+    volumes:
+        - ./db/init.sql:/docker-entrypoint-initdb.d/chall_init.sql
+    environment:
+        MYSQL_ROOT_PASSWORD: root
+
+  webapp:
+    container_name: webapp
+    restart: unless-stopped
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+    ports:
+      - 8500:80
+    volumes:
+      - ./www/:/var/www/html
+    depends_on:
+      - database
+
+  phpmyadmin:
+    image: phpmyadmin
+    container_name: phpmyadmin_nsi
+    restart: unless-stopped
+    ports:
+      - 8080:80
+    environment:
+      PMA_HOST: database
+      PMA_USER: root
+      PMA_PASSWORD: root
+    depends_on:
+      - database

run.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sudo docker-compose -f docker-compose.yml up -d

www/book_film.php

@@ -0,0 +1,86 @@
+<?php
+	session_start();
+
+	include("includes/conf.php");
+
+	function film_exist($id, $BD) {
+		$query = $BD->prepare(
+		<<<SQL
+			SELECT * FROM film where id_film=:id;
+		SQL);
+
+		$query->execute(array(':id' => $id));
+		$row = $query->rowCount();
+
+		if($row > 0) {
+			return True;
+		} else {
+			return False;
+		}
+	}
+
+
+	if(!isset($_SESSION['logged']) || !$_SESSION['logged'] == True){
+		echo json_encode(array(
+			"error" => True, 
+			"message" => "you're not logged :("
+		));
+		die();
+	}
+
+	if(isset($_GET["id"]) && (int)$_GET['id'] != 0) {
+		$query = $BD->prepare(
+			<<<SQL
+				SELECT * FROM emprunt where id_film=:id;
+			SQL);
+
+		$query->execute(array(':id' => (int) $_GET['id'] ));
+		$row = $query->rowCount();
+		if($row > 0 || !film_exist((int) $_GET['id'], $BD)) {
+		echo json_encode(array(
+			"error" => True, 
+			"message" => "film not available"
+		));
+		die();
+		}
+
+
+		$query = $BD->prepare(
+			<<<SQL
+				INSERT INTO emprunt(id_film, id_users, date_emprunt, date_retour)
+				VALUES(:id, :id_users, :date_emprunt, :date_retour);
+			SQL);
+		$query->execute(array(
+			':id' => (int) $_GET['id'],
+			':id_users' => $_SESSION['id_user'],
+			':date_emprunt' => date("Y-m-d"),
+			':date_retour' => date("Y-m-d", strtotime(date('Y-m-d'). ' + 10 days')) 
+			// actual date + 10 days.
+		));
+		echo json_encode(array(
+			"error" => False, 
+			"message" => "film booked :)"
+		));
+		die();
+
+
+	} else {
+		echo json_encode(array(
+			"error" => True, 
+			"message" => "we don't have this film"
+		));
+		die();
+
+	}
+
+	/*
+	idee :
+
+	ajouter une colonne booleene pour savoir si le film est reservé ou non dans la tables film
+
+	plutot que de tjr faire une requete vers la table emprunt
+
+	ce serai plus simple pour savoir si un film est dispo ou non sur la page film.php
+	*/
+
+?>

www/includes/404.php

@@ -0,0 +1,5 @@
+<?php
+	for($i = 0; $i < 20; $i++ ) {
+		echo "<center>404 page not found.</center>";
+	}
+?>

www/includes/add_films_and_realisators.php

@@ -0,0 +1,92 @@
+<?php
+
+	if(!isset($_SESSION['logged']) || !$_SESSION['logged'] == True){
+		echo "<center>you're not logged :(</center>";
+		die();
+	}
+
+	if(!isset($_SESSION['admin']) || !$_SESSION['admin'] == True) {
+		echo "you must be administrator to uploads new films.";
+		die();
+	}
+	/* insert table film :
+
+	INSERT INTO film(nom_film, annee_film, description, id_realisateur, id_categorie)
+	VALUES("cars 3", 2017, "Cars 3 is a 2017 American computer-animated sports comedy-adventure film produced by Pixar Animation Studios and released by Walt Disney Pictures.", id, (select id_categorie from categorie where nom_categorie=:nom_categorie) );
+	
+	
+	-- GET THE NEXT AUTO INCREMENT VALUE --
+	-- SAVE IMAGE AS NEXT AUTO_INCREMENT VALUE -- 
+	SELECT `auto_increment` FROM INFORMATION_SCHEMA.TABLES
+	WHERE table_name = 'tablename'
+
+	https://stackoverflow.com/questions/6761403/how-to-get-the-next-auto-increment-id-in-mysql
+
+	$BD->lastInsertId();
+
+
+	créer 2 pages php :
+		- une page qui traite les données pour l'upload d'un film
+		- une page qui traite les données pour l'uplaoad d'un realisateur
+	*/
+?>
+
+<div class="w3-half">
+	<div class="w3-container w3-round-xlarge w3-margin w3-blue w3-card-4">
+			<center><h3> new film </h3></center>
+	</div>
+
+	<center>
+	<form action="/upload_films.php" method="post" enctype="multipart/form-data">
+		<input class="w3-input w3-border w3-margin" style="width: 90%;" type="text" name="nom_film" placeholder="film name">
+		<input class="w3-input w3-border w3-margin" style="width: 90%;" type="text" name="annee_film" placeholder="film year">
+		<textarea class="w3-border" placeholder="description" name="description"></textarea>
+		<select class="w3-select w3-border w3-margin-top" style="width: 90%;" name="realisateur">
+		<!--<select class="w3-input w3-margin-right" name="categorie" style="width: 30%;display: inline-block;">-->
+			<option name="">all categories</option>
+		<?php
+			$sql_request = "SELECT * FROM realisateur";
+			$query = $BD->query($sql_request);
+			// echo "<h3> categorie disponible : <h3>";
+			while ($resultat = $query->fetch()) {
+				echo "<option value=\"".$resultat["id_realisateur"]."\">".htmlentities($resultat["nom_realisateur"])." ".htmlentities($resultat["prenom_realisateur"])."</option>";
+			}
+		?>
+		</select>
+		<select class="w3-select w3-border w3-margin" name="categorie" style="width: 90%">
+			<option name="">all categories</option>
+		<?php
+			$sql_request = "SELECT * FROM categorie";
+			$query = $BD->query($sql_request);
+			// echo "<h3> categorie disponible : <h3>";
+			while ($resultat = $query->fetch()) {
+				echo "<option name=\"".$resultat["nom_categorie"]."\">".$resultat["nom_categorie"]."</option>";
+			}
+
+		?>
+		</select>
+		</center>
+		<label class="w3-btn w3-gray w3-round" style="margin-left: 5%;" for="upload_input">upload a film poster</label>
+		<input type="file" class="w3-margin" id="upload_input" name="image_film"> 
+		<center>
+		<input type="submit" class="w3-input w3-blue w3-round-large w3-card-4 w3-margin" style="width: 40%;border-color: #2196F3;" value="upload this film">
+	</form>
+	</center>
+</div>
+
+<div class="w3-half">
+	<div class="w3-container w3-round-xlarge w3-margin w3-blue w3-card-4">
+			<center><h3> new realisator </h3></center>
+	</div>
+
+	<center>
+	<form action="/upload_realisators.php" method="post">
+		<input class="w3-input w3-border w3-margin" style="width: 90%;" type="text" name="prenom" placeholder="surname">
+		<input class="w3-input w3-border w3-margin" style="width: 90%;" type="text" name="nom" placeholder="name">
+		<input class="w3-input w3-border w3-margin" style="width: 90%;" type="text" name="nationalite" placeholder="nationality">
+		<input class="w3-input w3-border w3-margin" style="width: 90%;" type="int" name="annee_birth" placeholder="birth year">
+		<input type="submit" class="w3-input w3-blue w3-round-large w3-card-4" style="width: 40%;border-color: #2196F3;" value="add new realisator">
+
+	</form>
+	</center>
+</div>

www/includes/conf.php

@@ -0,0 +1,21 @@
+<?php
+
+	$BD_HOST = "database";
+	$BD_BASE = "mediatheque";
+	$BD_USER = "root";
+	$BD_PASSWORD = "root";
+
+
+	// white list are more secure than black list ;)
+	$pages = ["login", "register", "films", "add_films_and_realisators", "home", "my_films"];
+
+	try 
+	{
+		$BD = new PDO("mysql:host=".$BD_HOST.";dbname=".$BD_BASE.";charset=UTF8", $BD_USER, $BD_PASSWORD);		//connection à MySQL
+	} 
+	catch(Exception $e)		//pb de connection à la base
+	{
+		echo "<center style='color:red'> Problème de connexion à la base de données. </center>";
+		exit();
+	}
+?>