//set pin verify online
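$app->post('/setpin_verify_online', function (Request $request, Response $response, array $args) {
    // Sets a new PIN for an already-verified user during the "verify online" (unlock) flow,
    // re-activates the account and resets every failure counter tied to the username.
    //
    // Input (POST): simimei, deviceimei, token, pin, platform.
    // Responses (via output()):
    //   1 - PIN set and the request came from the registered device (account unlocked)
    //   2 - PIN set but from a different device (client must run the device-move flow)
    //   0 - user unknown (SETPIN_UNKNOWN), UPDATE touched no row (SETPIN_FAIL) or an exception
    try {
        $postValue = $request->getParsedBody();
        // NOTE(review): $postValue carries the clear-text PIN; confirm write_request_logs()
        // and write_logs_changedevice() redact it before persisting.
        write_request_logs('/setpin_verify_online', $postValue);
        write_logs_changedevice('/setpin_verify_online', $postValue, 1);

        $simimei = splitSim(mssql_escape($postValue['simimei'] ?? ''));
        $deviceimei = mssql_escape($postValue['deviceimei'] ?? '');
        $token_real = mssql_escape($postValue['token'] ?? '');
        $platform = mssql_escape($postValue['platform'] ?? '');
        // The PIN is passed through mssql_escape() before hashing on purpose: /verifypin escapes
        // the submitted PIN the same way before password_verify(), so both sides must hash the
        // exact same bytes. All queries below are parameterised, so this is no longer for SQL.
        $pinPlain = mssql_escape($postValue['pin'] ?? '');
        // bcrypt generates its own random salt: the 'salt' option is deprecated since PHP 7.0
        // and ignored since 8.0, and mcrypt_create_iv() was removed in 7.2.
        $pin = password_hash($pinPlain, PASSWORD_BCRYPT, ['cost' => 11]);

        // Defaults so the token fall-back and the response never read an undefined variable.
        $id = '';
        $username_account = '';
        $name = '';
        $device_imei = '';
        $citizen = '';

        $SQL = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2";
        $SQLQuery = sqlsrv_query($GLOBALS['conn'], $SQL, [$deviceimei]);
        if ($SQLQuery !== false) {
            // Several rows may match one device; the last one wins, as before.
            while ($row = sqlsrv_fetch_array($SQLQuery, SQLSRV_FETCH_ASSOC)) {
                $id = $row['id'];
                $username_account = $row['username'];
                $name = $row['name'];
                $device_imei = $row['device_imei'];
                $citizen = $row['identification_card'];
            }
        }

        // Fall back to the account behind the auth token when the device is not registered.
        $authUser = getuserauthenfromtoken($token_real);
        if ($id === '' || $id === null) {
            $id = $authUser['id'] ?? null;
            $username_account = $authUser['username'] ?? '';
            $name = $authUser['name'] ?? '';
            $device_imei = $authUser['device_imei'] ?? '';
            $citizen = $authUser['identification_card'] ?? '';
        }
        // The UPDATE always targets the token's user id, even when the device row above belonged
        // to another account (names/citizen then come from that row) — TODO confirm this is intended.
        $id = $authUser['id'] ?? null;

        if (!$citizen) {
            output(0, SETPIN_UNKNOWN);
        } else {
            $SQL = "UPDATE cms_users SET pin = ?, lock = 0, active = 1, unlock = 0 WHERE id = ?";
            $SQLQuery = sqlsrv_query($GLOBALS['conn'], $SQL, [$pin, $id]);
            $rows_affected = $SQLQuery !== false ? sqlsrv_rows_affected($SQLQuery) : 0;
            if ($rows_affected > 0) {
                createTokenFromTelDevice($deviceimei, $simimei);
                // Previously this statement interpolated $id and also passed it as a parameter
                // with no placeholder; a single bound parameter is what was meant.
                sqlsrv_query(
                    $GLOBALS['conn'],
                    "UPDATE cms_users SET tb_device_status_id = 1, actived_date = GETDATE() WHERE id = ?",
                    [$id]
                );
                // Reset the failure counters for this username. $username_account is the username
                // string; the previous code used $user here, which at this point holds the array
                // returned by getuserauthenfromtoken(), so the resets never matched a row.
                foreach (['tb_otp_fail', 'tb_bankaccount_fail', 'tb_birthday_fail', 'tb_pin_fail'] as $failTable) {
                    sqlsrv_query(
                        $GLOBALS['conn'],
                        "UPDATE {$failTable} SET count_index = 0 WHERE username = ?",
                        [$username_account]
                    );
                }
                sqlsrv_query(
                    $GLOBALS['conn'],
                    "UPDATE tb_sendotp_fail SET count_index = 0, count_send = 0, count_fail = 0, otp = 0, time_check = null WHERE username = ?",
                    [$username_account]
                );

                $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
                $payload = [
                    'username' => $username_account,
                    'citizen' => $citizen,
                    'token_ref' => $token_ref,
                    'name' => $name,
                    'token' => $token_real,
                    'platform' => $platform,
                ];
                // Strict string comparison: with == two numeric IMEIs differing only in leading
                // zeros would compare equal.
                if ((string) $deviceimei === (string) $device_imei) {
                    $apiStatus = 1;
                    $apiMessage = 'ท่านได้ปลดล็อคการใช้งาน GHB ALL เรียบร้อยแล้ว';
                } else {
                    $apiStatus = 2;
                    $apiMessage = 'ท่านได้ปลดล็อค PIN เรียบร้อยแล้ว กรุณาทำการย้ายเครื่อง';
                }
                write_logs_changedevice(
                    '/setpin_verify_online',
                    json_encode(['api_status' => $apiStatus, 'api_message' => $apiMessage] + $payload),
                    2
                );
                output($apiStatus, $apiMessage, $payload);
            } else {
                output(0, SETPIN_FAIL);
            }
        }
    } catch (Exception $e) {
        $result = (object) ['api_status' => 0, 'api_message' => 'ไม่สามารถทำรายการได้'];
        returnJson($result);
        exit();
    }
});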
/* NDID */
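$app->post('/setpin', function (Request $request, Response $response, array $args) {
    // Sets the initial PIN for a user: either an NDID-registered account (ndid truthy, looked up
    // by device) or an existing verified account that is re-activating (looked up by username
    // while it sits in device status 19/8, otherwise by device).
    //
    // Input (POST): simimei, deviceimei, ndid, token, pin, platform, username.
    // Responses (via output()):
    //   1 - PIN stored, device activated, token_ref issued
    //   0 - no matching user (SETPIN_UNKNOWN) or the UPDATE touched no row (SETPIN_FAIL)
    $postValue = $request->getParsedBody();
    // NOTE(review): $postValue carries the clear-text PIN; confirm write_request_logs() redacts it.
    write_request_logs('/setpin', $postValue);

    $simimei = splitSim(mssql_escape($postValue['simimei'] ?? ''));
    $deviceimei = mssql_escape($postValue['deviceimei'] ?? '');
    $ndid = mssql_escape($postValue['ndid'] ?? '');
    $platform = mssql_escape($postValue['platform'] ?? '');
    $username = $postValue['username'] ?? '';
    // Escaped before hashing so the stored hash matches what /verifypin checks (it escapes too).
    $pinPlain = mssql_escape($postValue['pin'] ?? '');
    // bcrypt salts itself; the 'salt' option is ignored since PHP 8.0 and mcrypt is gone since 7.2.
    $pin = password_hash($pinPlain, PASSWORD_BCRYPT, ['cost' => 11]);

    $reactivateByUsername = "SELECT * FROM cms_users WHERE username = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2 AND ndid != 1 AND tb_device_status_id in (19,8)";
    if ($ndid) {
        $SQLCitizen = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 0 AND user_remove != 1 AND id_cms_privileges = 2 AND tb_device_status_id = 19 AND ndid = 1";
        $SQLCitizenParams = [$deviceimei];
    } else {
        // The previous code tested count() of the sqlsrv statement resource, which is never 0
        // (and a TypeError on PHP 8), so the device fall-back below was unreachable.
        $check = sqlsrv_query($GLOBALS['conn'], $reactivateByUsername, [$username]);
        if ($check === false || !sqlsrv_has_rows($check)) {
            $SQLCitizen = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2";
            $SQLCitizenParams = [$deviceimei];
        } else {
            $SQLCitizen = $reactivateByUsername;
            $SQLCitizenParams = [$username];
        }
    }

    $id = '';
    $user = '';
    $name = '';
    $citizen = '';
    $device_status = 0;
    $SQLCitizenQuery = sqlsrv_query($GLOBALS['conn'], $SQLCitizen, $SQLCitizenParams);
    if ($SQLCitizenQuery !== false) {
        // Last matching row wins, as before.
        while ($row = sqlsrv_fetch_array($SQLCitizenQuery, SQLSRV_FETCH_ASSOC)) {
            $id = $row['id'];
            $user = $row['username'];
            $name = $row['name'];
            $citizen = $row['identification_card'];
            $device_status = (int) $row['tb_device_status_id'];
        }
    }
    // The logged statement now contains placeholders rather than the submitted values.
    write_request_logs('/setpin', $SQLCitizen);

    if (!$citizen) {
        output(0, SETPIN_UNKNOWN);
        return;
    }

    $SQL = "UPDATE cms_users SET pin = ?, lock = 0, unlock = 0 WHERE id = ?";
    $SQLQuery = sqlsrv_query($GLOBALS['conn'], $SQL, [$pin, $id]);
    $rows_affected = $SQLQuery !== false ? sqlsrv_rows_affected($SQLQuery) : 0;
    if ($rows_affected <= 0) {
        output(0, SETPIN_FAIL);
        return;
    }

    $deviceregister = createTokenFromTelDevice($deviceimei, $simimei);
    if ($ndid) {
        $datetimeTransaction = date('Y-m-d H:i:s');
        // NOTE(review): md5 of a 13-digit citizen id is recoverable by enumeration; if tb_token
        // rows act as a secret (see the IAL check in /verifypin) a random token would be safer.
        $citizen_md5 = md5($citizen);
        sqlsrv_query(
            $GLOBALS['conn'],
            "INSERT INTO tb_token (token, token_date, cms_users_id) VALUES (?, ?, ?)",
            [$citizen_md5, $datetimeTransaction, $id]
        );
        sqlsrv_query(
            $GLOBALS['conn'],
            "UPDATE cms_users SET tb_device_status_id = 1, actived_date = GETDATE(), verify_status = 1, platform = ?, device_register = ? WHERE id = ?",
            [$platform, $deviceregister, $id]
        );
    } elseif ($device_status === 19 || $device_status === 8) {
        // Re-activation: bind the account to the device that completed the flow.
        sqlsrv_query(
            $GLOBALS['conn'],
            "UPDATE cms_users SET tb_device_status_id = 1, device_imei = ?, actived_date = GETDATE() WHERE id = ?",
            [$deviceimei, $id]
        );
    } else {
        sqlsrv_query(
            $GLOBALS['conn'],
            "UPDATE cms_users SET tb_device_status_id = 1, actived_date = GETDATE() WHERE id = ?",
            [$id]
        );
    }

    $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
    output(1, 'Success', [
        'username' => $user,
        'citizen' => $citizen,
        'name' => $name,
        'token_ref' => $token_ref,
        'platform' => $platform,
        'ndid' => !empty($ndid) ? 1 : 0,
    ]);
});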
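$app->post('/verifypin', function (Request $request, Response $response, array $args) {
    // Verifies a PIN (type '0') — or, for any other type, only that the device is registered —
    // for the account bound to the submitted device, maintaining the PIN-failure counter and
    // the account lock state.
    //
    // Input (POST): deviceimei, pin, type, optional deviceimei_new (device change on success).
    // Response (JSON via returnJson()): api_status, api_message, lock, and token_ref when api_status != 0.
    //   1 - accepted: failure counters reset, optional device change applied, token_ref issued
    //   0 - rejected: message carries the remaining attempts; lock=true once they reach zero
    //   2 - just locked by failed PINs but the IAL check passed, so the user may re-verify
    $postValue = $request->getParsedBody();
    // NOTE(review): $postValue carries the clear-text PIN; confirm write_request_logs() redacts it.
    write_request_logs("verifypin", $postValue);

    $deviceimei = mssql_escape($postValue['deviceimei'] ?? '');
    $deviceimei_new = mssql_escape($postValue['deviceimei_new'] ?? '');
    // Escaped before password_verify() to match how /setpin hashed the PIN.
    $pin = mssql_escape($postValue['pin'] ?? '');
    $type = mssql_escape($postValue['type'] ?? '');
    $lock = false;

    // Defaults so no branch below reads an undefined variable when the device is unknown.
    $id = '';
    $user = '';
    $name = '';
    $bank_account = '';
    $pin_query = '';
    $device_status = 0;
    $token_ref = '';

    $SQLCitizen = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2";
    $SQLCitizenQuery = sqlsrv_query($GLOBALS['conn'], $SQLCitizen, [$deviceimei]);
    if ($SQLCitizenQuery !== false) {
        // Last matching row wins, as before.
        while ($row = sqlsrv_fetch_array($SQLCitizenQuery, SQLSRV_FETCH_ASSOC)) {
            $id = $row['id'];
            $user = $row['username'];
            $name = $row['name'];
            $bank_account = $row['bank_account'];
            $pin_query = $row['pin'];
            $device_status = (int) $row['tb_device_status_id'];
        }
    }

    if ((string) $type === '0') {
        $pinOk = is_string($pin_query) && $pin_query !== '' && password_verify($pin, $pin_query);
        if ($id === '' || $id === null || !$pinOk) {
            if ($device_status === 13) {
                sqlsrv_query(
                    $GLOBALS['conn'],
                    "UPDATE tb_pin_fail SET count_index = 0 WHERE username = ? AND username != ''",
                    [$user]
                );
            }
            $timetransaction = date("Y-m-d H:i:s");
            // NOTE(review): the rejected PIN is stored in clear text in tb_pin_fail (existing
            // schema); failed attempts are usually near-misses of the real PIN, so consider
            // keeping only the attempt metadata.
            sqlsrv_query(
                $GLOBALS['conn'],
                "INSERT INTO tb_pin_fail (pin,username,name,bankaccount,datelogin,count_index) VALUES (?, ?, ?, ?, ?, 1)",
                [$pin, $user, $name, $bank_account, $timetransaction]
            );

            $count_fail = 0;
            $SQLCountFailQuery = sqlsrv_query(
                $GLOBALS['conn'],
                "SELECT count(username) AS count_fail FROM tb_pin_fail where username = ? AND count_index = 1 AND username != ''",
                [$user]
            );
            if ($SQLCountFailQuery !== false) {
                while ($row = sqlsrv_fetch_array($SQLCountFailQuery, SQLSRV_FETCH_ASSOC)) {
                    $count_fail = $row['count_fail'];
                }
            }
            $allowed = $device_status === 22 ? COUNT_SENDOTP_PINLOCK22 : COUNT_SENDOTP_PINLOCK;
            $remaining = $allowed - $count_fail;

            if ($remaining <= 0) {
                // Lock the account; status 22 escalates to 21, anything else to 20.
                $device_status = $device_status === 22 ? 21 : 20;
                sqlsrv_query(
                    $GLOBALS['conn'],
                    "UPDATE cms_users SET lock = 1, unlock = 0, active=0, tb_device_status_id = ? WHERE username = ? AND username != ''",
                    [$device_status, $user]
                );
                $token_ial = '';
                $SQLQueryToken = sqlsrv_query(
                    $GLOBALS['conn'],
                    "select TOP 1 token from tb_token where cms_users_id = ?",
                    [$id]
                );
                if ($SQLQueryToken !== false) {
                    while ($row_token = sqlsrv_fetch_array($SQLQueryToken, SQLSRV_FETCH_ASSOC)) {
                        $token_ial = $row_token['token'];
                    }
                }
                $lock = true;
                $api_status = 0;
                $api_message = sprintf(VERIFYPIN_INVALID_PIN, $remaining);

                // IAL check. The previous code guarded this on status 20/21 (always true after
                // the assignment above) and carried an unreachable branch for status 23.
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, BASE_URL . "checkIALAuthen");
                curl_setopt($ch, CURLOPT_POST, 1);
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['token' => $token_ial]));
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                $server_output = curl_exec($ch);
                curl_close($ch);
                $ialResponse = is_string($server_output) ? json_decode($server_output, true) : null;
                $IALStatus = $ialResponse['api_status'] ?? null;
                // NOTE(review): an unreachable checkIALAuthen or a malformed reply also lands in
                // this branch (null == 0), i.e. a service outage escalates to lock = 2 — confirm
                // this fail-closed behaviour is intended.
                if ($IALStatus == 0) {
                    $api_status = 0;
                    $api_message = "บัญชีของท่านถูกระงับการใช้งาน กรุณาติดต่อสาขา";
                    // lock = 2: the login screen shows the single-button "account locked, IAL
                    // failed, visit a branch" popup.
                    sqlsrv_query(
                        $GLOBALS['conn'],
                        "UPDATE cms_users SET lock = 2 WHERE username = ? AND username != ''",
                        [$user]
                    );
                } else {
                    $api_status = 2;
                    $api_message = "บัญชีของท่านถูกระงับการใช้งาน เนื่องจากกรอก PIN ผิด ท่านสามารถยืนยันตัวตนเพื่อใช้งาน";
                }

                $result = (object) ['api_status' => $api_status, 'api_message' => $api_message, 'lock' => $lock, 'token_ref' => ''];
                write_response_logs('/verifypin', $result);
                returnJson($result);
                exit();
            }

            $api_status = 0;
            $api_message = sprintf(VERIFYPIN_INVALID_PIN, $remaining);
        } else {
            // PIN accepted: reset every failure counter for this username. The previous code
            // reset tb_bankaccount_fail twice and never tb_birthday_fail (the table the
            // /setpin_verify_online handler resets).
            foreach (['tb_pin_fail', 'tb_otp_fail', 'tb_bankaccount_fail', 'tb_birthday_fail'] as $failTable) {
                sqlsrv_query(
                    $GLOBALS['conn'],
                    "UPDATE {$failTable} SET count_index = 0 WHERE username = ? AND username != ''",
                    [$user]
                );
            }
            if ($deviceimei_new !== '' && $deviceimei_new !== $deviceimei) {
                sqlsrv_query(
                    $GLOBALS['conn'],
                    "UPDATE cms_users SET device_imei = ? WHERE device_imei = ? AND user_remove != 1 AND device_imei != ''",
                    [$deviceimei_new, $deviceimei]
                );
            }
            if ($device_status === 22 || $device_status === 23) {
                sqlsrv_query(
                    $GLOBALS['conn'],
                    "UPDATE cms_users SET lock = 0, unlock = 0, verify_status = 1, active=1, tb_device_status_id = 1 WHERE username = ? AND username != ''",
                    [$user]
                );
            }
            $api_status = 1;
            $api_message = "Success";
            $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
        }
    } else {
        // Non-PIN type: a registered device is enough for success.
        if ($id !== '' && $id !== null) {
            $api_status = 1;
            $api_message = "Success";
            $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
        } else {
            $api_status = 0;
            $api_message = VERIFYPIN_INVALID_PIN_FINGER;
            $timetransaction = date("Y-m-d H:i:s");
            sqlsrv_query(
                $GLOBALS['conn'],
                "INSERT INTO tb_pin_fail (pin,username,name,bankaccount,datelogin,count_index) VALUES (?, ?, ?, ?, ?, 1)",
                [$pin, $user, $name, $bank_account, $timetransaction]
            );
        }
    }

    if ($api_status === 0) {
        $result = (object) ['api_status' => $api_status, 'api_message' => $api_message, 'lock' => $lock];
    } else {
        $result = (object) ['api_status' => $api_status, 'api_message' => $api_message, 'lock' => $lock, 'token_ref' => $token_ref];
    }
    returnJson($result);
});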
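$app->post('/validate/pin', function (Request $request, Response $response, array $args) {
    // Checks the submitted PIN against the stored bcrypt hash of the user behind the token.
    //
    // Input (POST, via build_request()): pin, token.
    // Response: {api_status: 1, api_message: 'Success'} when the PIN matches,
    // {api_status: 0, api_message: 'Failed'} otherwise — including unknown token or missing hash,
    // which previously produced a malformed query / a null hash instead of a clean failure.
    $post = build_request($request->getParsedBody());
    $pin = (string) ($post['pin'] ?? '');
    // NOTE(review): /setpin hashes the PIN after mssql_escape() while this handler verifies the
    // raw value; identical for digit-only PINs, but confirm if PINs may contain quotes.
    $user = getuserfromtoken($post['token'] ?? '');
    $uid = $user['id'] ?? null;

    $storedHash = null;
    if ($uid !== null && $uid !== '') {
        $Query = sqlsrv_query($GLOBALS['conn'], "SELECT pin FROM cms_users WHERE id = ?", [$uid]);
        $row = $Query !== false ? sqlsrv_fetch_array($Query, SQLSRV_FETCH_ASSOC) : false;
        if (is_array($row)) {
            $storedHash = $row['pin'] ?? null;
        }
    }

    $valid = is_string($storedHash) && $storedHash !== '' && password_verify($pin, $storedHash);
    $result = $valid
        ? ['api_status' => 1, 'api_message' => 'Success']
        : ['api_status' => 0, 'api_message' => 'Failed'];
    return $response->withStatus(200)->withJson($result);
});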
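$app->post('/update/pin', function (Request $request, Response $response, array $args) {
    // Replaces the PIN hash of the user behind the token.
    //
    // Input (POST, via build_request()): pin, token.
    // Response: api_status 1 with the success message when exactly the user's row was updated;
    // api_status 0 / 'Failed' for an unknown token, an empty PIN or an UPDATE that touched no row.
    // The previous code reported success unconditionally, even when $uid was empty and the
    // query could not run.
    // NOTE(review): the PIN is changed on the token alone; if that token is a long-lived session
    // token, consider also requiring the current PIN (compare /validate/pin).
    $post = build_request($request->getParsedBody());
    $pin = (string) ($post['pin'] ?? '');
    $user = getuserfromtoken($post['token'] ?? '');
    $uid = $user['id'] ?? null;

    if ($uid === null || $uid === '' || $pin === '') {
        return $response->withStatus(200)->withJson(['api_status' => 0, 'api_message' => 'Failed']);
    }

    // bcrypt salts itself; the 'salt' option is ignored since PHP 8.0 and mcrypt is gone since 7.2.
    $hash = password_hash($pin, PASSWORD_BCRYPT, ['cost' => 11]);
    $stmt = sqlsrv_query($GLOBALS['conn'], "UPDATE cms_users SET pin = ? WHERE id = ?", [$hash, $uid]);
    $updated = $stmt !== false && sqlsrv_rows_affected($stmt) > 0;

    $result = $updated
        ? ['api_status' => 1, 'api_message' => 'เปลี่ยนรหัส PIN ใหม่เรียบร้อยแล้ว']
        : ['api_status' => 0, 'api_message' => 'Failed'];
    return $response->withStatus(200)->withJson($result);
});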