From 8f4c5122c3d111f58a5283ae5f1d33c9404f5c5b Mon Sep 17 00:00:00 2001 From: Olivier PEREZ Date: Thu, 2 Apr 2015 22:56:31 +0200 Subject: [PATCH] Add protection not to generate 2 identical IDs --- admin/stdout.log | 19 --- app/classes/Framadate/FramaDB.php | 10 +- .../Framadate/Services/PollService.php | 6 +- creation_sondage.php | 122 ------------------ 4 files changed, 13 insertions(+), 144 deletions(-) delete mode 100644 admin/stdout.log delete mode 100644 creation_sondage.php
diff --git a/admin/stdout.log b/admin/stdout.log
deleted file mode 100644
index 9bbf676..0000000
--- a/admin/stdout.log
+++ /dev/null
@@ -1,19 +0,0 @@ -20150228 182306 [EXPIRATION] Going to purge 13 poll(s)... -20150228 182307 [EXPIRATION_SUCCESS] id: 4hivgatchum83trk, title:Essai Beta, format: D, admin: Olivier -20150228 182307 [EXPIRATION_SUCCESS] id: 5pcnnw15pi2vkk3p, title:dsdfds, format: D, admin: kjlkj -20150228 182307 [EXPIRATION_SUCCESS] id: bsr43n7u7e9wd149, title:Verre de l'amitié, format: D, admin: Hub -20150228 182307 [EXPIRATION_SUCCESS] id: cnz4nzqy9s88fxp2, title:Sortie Bergère le 31 octobre 2014, format: D, admin: Sophie -20150228 182307 [EXPIRATION_SUCCESS] id: gq1jz2f6hz93vdma, title:Signature Formats Ouverts Éducation, format: A, admin: Quentin -20150228 182308 [EXPIRATION_SUCCESS] id: huubu9csxjai36t5, title:Révision des salaires des permantents framasoft, format: A, admin: Luc -20150228 182308 [EXPIRATION_SUCCESS] id: jtk2bwokdzgk2u8g, title:Formation borne, format: D, admin: Maxime -20150228 182308 [EXPIRATION_SUCCESS] id: k9qefueia6b78u6n, title:Déj ou bière, format: D, admin: Valentin -20150228 182308 [EXPIRATION_SUCCESS] id: lk9hiju93fvodb7x, title:Réunion carnet hypothèse , format: D, admin: Jocelyn Aznar -20150228 182308 [EXPIRATION_SUCCESS] id: qtu6l5rpp6umwhbr, title:Réunion Gitoyen d'octobre 2014, format: D, admin: olive -20150228 182308 [EXPIRATION_SUCCESS] id: rz3kt5wajmyxhv4h, title:AJIL Paris novembre 2014, format: D, admin: olive -20150228 182309 [EXPIRATION_SUCCESS] id: v9whjlr77txwa24b, title:Présentation du Projet Santé Trans' pour les UEEH, format: D, admin: Lou -20150228 182309 [EXPIRATION_SUCCESS] id: wor85ej6td1b7v3c, title:test, format: D, admin: test -20150228 182405 [DELETE_SLOT] id:kczrqvormnd34n23, slot:toto -20150228 182437 [EXPIRATION] Going to purge 1 poll(s)... -20150228 182437 [EXPIRATION_SUCCESS] id: yzno16w3x423kguz, title:Atelier audit JS, format: A, admin: Armony -20150228 191645 [EXPIRATION] Going to purge 1 poll(s)... -20150228 191645 [EXPIRATION_SUCCESS] id: 3tkz9zcfs7odkdk5, title:aaa, format: A, admin: moimoi 
diff --git a/app/classes/Framadate/FramaDB.php b/app/classes/Framadate/FramaDB.php
index d9743be..0cd4478 100644
--- a/app/classes/Framadate/FramaDB.php
+++ b/app/classes/Framadate/FramaDB.php
@@ -82,13 +82,21 @@ class FramaDB {
 function findPollById($poll_id) {
 $prepared = $this->prepare('SELECT * FROM `' . Utils::table('poll') . '` WHERE id = ?');
- $prepared->execute([$poll_id]);
+ $prepared->execute(array($poll_id));
 $poll = $prepared->fetch();
 $prepared->closeCursor();
 return $poll;
 }
+ public function existsById($poll_id) {
+ $prepared = $this->prepare('SELECT 1 FROM `' . Utils::table('poll') . '` WHERE id = ?');
+
+ $prepared->execute(array($poll_id));
+
+ return $prepared->rowCount() > 0;
+ }
+
 function updatePoll($poll) {
 $prepared = $this->prepare('UPDATE `' . Utils::table('poll') . '` SET title=?, admin_name=?, admin_mail=?, description=?, end_date=?, active=?, editable=? WHERE id = ?');
diff --git a/app/classes/Framadate/Services/PollService.php b/app/classes/Framadate/Services/PollService.php
index cf32713..70371eb 100644
--- a/app/classes/Framadate/Services/PollService.php
+++ b/app/classes/Framadate/Services/PollService.php
@@ -129,8 +129,10 @@ class PollService {
 */
 function createPoll(Form $form) {
- // Generate poll IDs
- $poll_id = $this->random(16);
+ // Generate poll IDs, loop while poll ID already exists
+ do {
+ $poll_id = $this->random(16);
+ } while ($this->connect->existsById($poll_id));
 $admin_poll_id = $poll_id . $this->random(8);
 // Insert poll + slots
diff --git a/creation_sondage.php b/creation_sondage.php
deleted file mode 100644
index 469ed75..0000000
--- a/creation_sondage.php
+++ /dev/null
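Review bot: In FramaDB.php, `existsById()` decides existence with `rowCount()` on a SELECT, which PDO documents as driver-dependent for result sets (assuming `prepare()` hands back a PDOStatement, as the `fetch()`/`closeCursor()` calls in `findPollById()` suggest). On a driver that reports 0 there, the method returns false for every ID and the duplicate-ID protection silently does nothing. Reading the row is portable and also releases the cursor, which the new method skips while `findPollById()` does it: `$exists = $prepared->fetchColumn() !== false; $prepared->closeCursor(); return $exists;`. A one-line docblock such as `/** @return bool true when a poll with this ID is already stored */` would help, since the neighbouring finders return rows rather than booleans.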
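Review bot: In PollService.php, the `do { … } while ($this->connect->existsById($poll_id));` loop in `createPoll()` is a check-then-insert, so two requests creating polls at the same moment can both see the ID as free and both reach the insert that follows outside this hunk. The check narrows the window but cannot guarantee uniqueness; that has to come from a primary-key or unique constraint on the poll `id` column (not visible here, worth confirming in the schema), with the insert failure treated as the signal to regenerate. Because `$admin_poll_id` is built as `$poll_id . $this->random(8)` and the ID presumably ends up in the poll's links, an undetected collision should fail closed rather than overwrite or alias another poll. The loop is also unbounded; a small retry cap that throws after a handful of attempts would turn a broken `random()` or a database fault into a visible error instead of a hung request.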
@@ -1,122 +0,0 @@ -Param('id_sondage') ; - $sql = $connect->Prepare($sql); - $poll = $connect->Execute($sql, [$id]); - - if ($poll === false) { - return false; - } - - $dbpoll = $poll->FetchObject(false); - - return $dbpoll->id_sondage; -} - -function ajouter_sondage() -{ - global $connect; - global $config; - - $sondage = random(16); - while(check_poll_id($sondage) == $sondage) { - $sondage = random(16); - } - $sondage_admin = $sondage.random(8); - - $date_fin = $_SESSION["champdatefin"]; // provided by create_classic_poll.php or create_date_poll.php - $_SESSION["champdatefin"]=""; //clean param cause 2 polls created by the same user in the same session can be affected by this param during the 2nd creation. - $sql = 'INSERT INTO sondage - (id_sondage, commentaires, mail_admin, nom_admin, titre, id_sondage_admin, date_fin, format, mailsonde) - VALUES ( - '.$connect->Param('id_sondage').', - '.$connect->Param('commentaires').', - '.$connect->Param('mail_admin').', - '.$connect->Param('nom_admin').', - '.$connect->Param('titre').', - '.$connect->Param('id_sondage_admin').', - FROM_UNIXTIME('.$date_fin.'), - '.$connect->Param('format').', - '.$connect->Param('mailsonde').' - )'; - $sql = $connect->Prepare($sql); - $res = $connect->Execute($sql, array($sondage, $_SESSION['commentaires'], $_SESSION['adresse'], $_SESSION['nom'], $_SESSION['titre'], $sondage_admin, $_SESSION['formatsondage'], $_SESSION['mailsonde'])); - - $sql = 'INSERT INTO sujet_studs values ('.$connect->Param('sondage').', '.$connect->Param('choix').')'; - $sql = $connect->Prepare($sql); - $connect->Execute($sql, array($sondage, $_SESSION['toutchoix'])); - - if($config['use_smtp']==true){ - $message = _("This is the message you have to send to the people you want to poll. \nNow, you have to send this message to everyone you want to poll."); - $message .= "\n\n"; - $message .= stripslashes(html_entity_decode($_SESSION["nom"],ENT_QUOTES,"UTF-8"))." " . _("hast just created a poll called") . 
" : \"".stripslashes(htmlspecialchars_decode($_SESSION["titre"],ENT_QUOTES))."\".\n"; - $message .= _("Thanks for filling the poll at the link above") . " :\n\n%s\n\n" . _("Thanks for your confidence.") . "\n".NOMAPPLICATION; - - $message_admin = _("This message should NOT be sent to the polled people. It is private for the poll's creator.\n\nYou can now modify it at the link above"); - $message_admin .= " :\n\n"."%s \n\n" . _("Thanks for your confidence.") . "\n".NOMAPPLICATION; - - $message = sprintf($message, Utils::getUrlSondage($sondage)); - $message_admin = sprintf($message_admin, Utils::getUrlSondage($sondage_admin, true)); - - if (Utils::isValidEmail($_SESSION['adresse'])) { - Utils::sendEmail( "$_SESSION[adresse]", "[".NOMAPPLICATION."][" . _("Author's message") . "] " . _("Poll") . " : ".stripslashes(htmlspecialchars_decode($_SESSION["titre"],ENT_QUOTES)), $message_admin, $_SESSION['adresse'] ); - Utils::sendEmail( "$_SESSION[adresse]", "[".NOMAPPLICATION."][" . _("For sending to the polled users") . "] " . _("Poll") . " : ".stripslashes(htmlspecialchars_decode($_SESSION["titre"],ENT_QUOTES)), $message, $_SESSION['adresse'] ); - } - } - error_log(date('H:i:s d/m/Y:') . ' CREATION: '.$sondage."\t".$_SESSION[formatsondage]."\t".$_SESSION[nom]."\t".$_SESSION[adresse]."\t \t".$_SESSION[toutchoix]."\n", 3, 'admin/logs_studs.txt'); - //Utils::cleaning_polls($connect, 'admin/logs_studs.txt'); - - // Don't keep days, hours and choices in memory (in order to make new polls) - for ($i = 0; $i < count($_SESSION["totalchoixjour"]); $i++) { - unset($_SESSION['horaires'.$i]); - } - unset($_SESSION["totalchoixjour"]); - unset($_SESSION['choices']); - - header("Location:".Utils::getUrlSondage($sondage_admin, true)); - - exit(); -}