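//set pin verify online
//
// Shared helpers for the PIN routes in this file. They replace the copy-pasted
// fetch loops, bcrypt option arrays and fail-counter resets, and every SQL
// statement below binds its values through sqlsrv_query() parameters instead of
// interpolating them into the query text.

/**
 * Returns $post[$key], or '' when the client did not send that field.
 *
 * @param array  $post parsed request body
 * @param string $key  field name
 * @return mixed
 */
function postField(array $post, $key)
{
    return isset($post[$key]) ? $post[$key] : '';
}

/**
 * Copy of the request body that is safe to hand to the request loggers:
 * the clear-text PIN is replaced by a mask so it never reaches the log files.
 *
 * @param array $post parsed request body
 * @return array
 */
function maskPinForLog(array $post)
{
    if (isset($post['pin'])) {
        $post['pin'] = '***';
    }
    return $post;
}

/**
 * Drains a sqlsrv result set and returns its LAST row, or null when the query
 * failed (false) or matched nothing. Keeping the last row mirrors the original
 * `while ($row = sqlsrv_fetch_array(...))` loops, whose locals were overwritten
 * on every iteration.
 *
 * @param resource|false $query result of sqlsrv_query()
 * @return array|null
 */
function fetchLastRow($query)
{
    if ($query === false) {
        return null;
    }
    $last = null;
    while ($row = sqlsrv_fetch_array($query, SQLSRV_FETCH_ASSOC)) {
        $last = $row;
    }
    return $last;
}

/**
 * bcrypt hash of a PIN. The salt is generated by password_hash() itself: the
 * original passed a 'salt' option built with mcrypt_create_iv(), which is
 * deprecated since PHP 7.0 and fatals from 7.2 on (mcrypt was removed). The
 * produced hash format is unchanged, so existing password_verify() calls work.
 *
 * @param string $pin
 * @return string
 */
function hashPin($pin)
{
    return password_hash($pin, PASSWORD_BCRYPT, ['cost' => 11]);
}

/**
 * Inserts one failed-attempt row (count_index = 1) into tb_pin_fail.
 *
 * NOTE(review): tb_pin_fail.pin receives the attempted PIN in clear text,
 * exactly as before. Failed guesses are usually close to the real PIN, so this
 * column is as sensitive as the PIN itself; consider leaving it empty.
 *
 * @param string $username
 * @param string $name
 * @param string $bankaccount
 * @param string $pin attempted PIN
 * @return void
 */
function recordPinFailure($username, $name, $bankaccount, $pin)
{
    $sql = "INSERT INTO tb_pin_fail (pin,username,name,bankaccount,datelogin,count_index) VALUES(?,?,?,?,?,1);";
    sqlsrv_query($GLOBALS['conn'], $sql, [$pin, $username, $name, $bankaccount, date("Y-m-d H:i:s")]);
}

/**
 * Zeroes the failure counters kept for $username (PIN, OTP, bank account,
 * birthday). tb_sendotp_fail is additionally reset when $includeSendOtp is
 * true, which only the /setpin_verify_online flow does. Does nothing for an
 * empty username, so a lookup miss can no longer reset foreign rows.
 *
 * @param string $username
 * @param bool   $includeSendOtp
 * @return void
 */
function resetFailCounters($username, $includeSendOtp = false)
{
    if ($username === null || $username === '') {
        return;
    }
    $statements = [
        "UPDATE tb_pin_fail SET count_index = 0 WHERE username = ? AND username != ''",
        "UPDATE tb_otp_fail SET count_index = 0 WHERE username = ? AND username != ''",
        "UPDATE tb_bankaccount_fail SET count_index = 0 WHERE username = ? AND username != ''",
        "UPDATE tb_birthday_fail SET count_index = 0 WHERE username = ? AND username != ''",
    ];
    if ($includeSendOtp) {
        $statements[] = "UPDATE tb_sendotp_fail SET count_index = 0 , count_send = 0 , count_fail = 0 , otp = 0 , time_check = null WHERE username = ? AND username != ''";
    }
    foreach ($statements as $sql) {
        sqlsrv_query($GLOBALS['conn'], $sql, [$username]);
    }
}

/**
 * POST /setpin_verify_online
 *
 * Re-sets the PIN of an already verified account (unlock flow). The account is
 * located by device IMEI first and by the supplied token second; the PIN update
 * always targets the token's account id (as in the original). Responds with
 * api_status 1 when the request device matches the stored device, 2 when the
 * user still has to move the device, 0 on failure.
 *
 * Fixes versus the original: the fail-counter resets used `$user` after it had
 * been overwritten with the token lookup array, so they ran against
 * username = 'Array'; the hashed PIN and the account id are now bound
 * parameters; the PIN is masked in the request logs.
 */
$app->post('/setpin_verify_online', function (Request $request, Response $response, array $args) {
    try {
        $postValue = $request->getParsedBody();
        $logValue = maskPinForLog($postValue);
        write_request_logs('/setpin_verify_online', $logValue);
        write_logs_changedevice('/setpin_verify_online', $logValue, 1);

        $simimei = splitSim(mssql_escape(postField($postValue, 'simimei')));
        $deviceimei = mssql_escape(postField($postValue, 'deviceimei'));
        $token_real = mssql_escape(postField($postValue, 'token'));
        $platform = mssql_escape(postField($postValue, 'platform'));
        // The PIN is escaped before hashing, as the original did; /verifypin
        // escapes the same way before password_verify(), so the two agree.
        $pin = hashPin(mssql_escape(postField($postValue, 'pin')));

        // Device-bound lookup; the last matching row wins, as before.
        $SQL = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2";
        $row = fetchLastRow(sqlsrv_query($GLOBALS['conn'], $SQL, [$deviceimei]));

        $id = '';
        $username_account = '';
        $name = '';
        $device_imei = '';
        $citizen = '';
        if ($row !== null) {
            $id = $row['id'];
            $username_account = $row['username'];
            $name = $row['name'];
            $device_imei = $row['device_imei'];
            $citizen = $row['identification_card'];
        }

        // Profile fields fall back to the token's account when the device
        // lookup missed; the id to update is always the token's (original
        // behaviour). NOTE(review): when the device row belongs to a different
        // account than the token, the PIN of the token's account is changed
        // while the response carries the device row's profile - confirm the
        // two are guaranteed to be the same account.
        $authUser = getuserauthenfromtoken($token_real);
        if ($id == '') {
            $id = $authUser['id'];
            $username_account = $authUser['username'];
            $name = $authUser['name'];
            $device_imei = $authUser['device_imei'];
            $citizen = $authUser['identification_card'];
        }
        $id = $authUser['id'];

        if (!$citizen) {
            output(0, SETPIN_UNKNOWN);
        } else {
            $SQL = "UPDATE cms_users SET pin = ? ,lock = 0,active=1, unlock = 0 WHERE id = ?";
            $SQLQuery = sqlsrv_query($GLOBALS['conn'], $SQL, [$pin, $id]);
            $rows_affected = sqlsrv_rows_affected($SQLQuery);
            if ($rows_affected > 0) {
                // Return value was never used by this route; kept for its side effects.
                createTokenFromTelDevice($deviceimei, $simimei);
                $SQL = "UPDATE cms_users SET tb_device_status_id = 1, actived_date = GETDATE() WHERE id = ?";
                sqlsrv_query($GLOBALS['conn'], $SQL, [$id]);
                resetFailCounters($username_account, true);

                $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
                // NOTE(review): the session token is echoed back in the body and
                // written to the change-device log below - confirm that log is
                // protected accordingly.
                $payload = [
                    'username' => $username_account,
                    'citizen' => $citizen,
                    'token_ref' => $token_ref,
                    'name' => $name,
                    'token' => $token_real,
                    'platform' => $platform,
                ];
                if ($deviceimei == $device_imei) {
                    $api_status = 1;
                    $api_message = 'ท่านได้ปลดล็อคการใช้งาน GHB ALL เรียบร้อยแล้ว';
                } else {
                    $api_status = 2;
                    $api_message = 'ท่านได้ปลดล็อค PIN เรียบร้อยแล้ว กรุณาทำการย้ายเครื่อง';
                }
                write_logs_changedevice(
                    '/setpin_verify_online',
                    json_encode(array_merge(['api_status' => $api_status, 'api_message' => $api_message], $payload)),
                    2
                );
                output($api_status, $api_message, $payload);
            } else {
                output(0, SETPIN_FAIL);
            }
        }
    } catch (Exception $e) {
        $result = (object) ['api_status' => 0, 'api_message' => 'ไม่สามารถทำรายการได้'];
        returnJson($result);
        exit();
    }
});

/* NDID */
/**
 * POST /setpin
 *
 * First-time PIN set after NDID verification (ndid flag set) or after an
 * OTP/branch flow (ndid not set). Locates the account, stores the bcrypt hash,
 * records the device and clears the lock flags.
 *
 * Fixes versus the original: the NDID query used a `?` marker but was executed
 * without parameters, so that path always failed; `count()` on the sqlsrv
 * result resource is 1 (PHP 7) or a TypeError (PHP 8), so the "no status 19/8
 * row -> look up by device" fallback never ran; `username`, `device_imei`,
 * `platform`, `device_register` and the token insert are now bound parameters.
 */
$app->post('/setpin', function (Request $request, Response $response, array $args) {
    $postValue = $request->getParsedBody();
    write_request_logs('/setpin', maskPinForLog($postValue));

    $simimei = splitSim(mssql_escape(postField($postValue, 'simimei')));
    $deviceimei = mssql_escape(postField($postValue, 'deviceimei'));
    $ndid = mssql_escape(postField($postValue, 'ndid'));
    $platform = mssql_escape(postField($postValue, 'platform'));
    $username = postField($postValue, 'username');
    $pin = hashPin(mssql_escape(postField($postValue, 'pin')));

    if ($ndid) {
        $SQLCitizen = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 0 AND user_remove != 1 AND id_cms_privileges = 2 AND tb_device_status_id = 19 AND ndid = 1";
        $citizenParams = [$deviceimei];
    } else {
        // Prefer an account waiting in device status 19 or 8 under this
        // username; otherwise fall back to the device-bound account.
        $SQLcheck19 = "SELECT * FROM cms_users WHERE username = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2 AND ndid != 1 AND tb_device_status_id in (19,8)";
        $check19Row = fetchLastRow(sqlsrv_query($GLOBALS['conn'], $SQLcheck19, [$username]));
        if ($check19Row === null) {
            $SQLCitizen = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2";
            $citizenParams = [$deviceimei];
        } else {
            $SQLCitizen = $SQLcheck19;
            $citizenParams = [$username];
        }
    }
    // The android sim_imei restriction that used to extend $SQLCitizen is
    // intentionally disabled (carried over from the original).

    $row = fetchLastRow(sqlsrv_query($GLOBALS['conn'], $SQLCitizen, $citizenParams));
    write_request_logs('/setpin', $SQLCitizen);

    $id = '';
    $user = '';
    $name = '';
    $citizen = '';
    $device_status = 0;
    if ($row !== null) {
        $id = $row['id'];
        $user = $row['username'];
        $name = $row['name'];
        $citizen = $row['identification_card'];
        $device_status = $row['tb_device_status_id'];
    }

    if (!$citizen) {
        output(0, SETPIN_UNKNOWN);
    } else {
        $SQL = "UPDATE cms_users SET pin = ? ,lock = 0, unlock = 0 WHERE id = ?";
        $SQLQuery = sqlsrv_query($GLOBALS['conn'], $SQL, [$pin, $id]);
        $rows_affected = sqlsrv_rows_affected($SQLQuery);
        if ($rows_affected > 0) {
            $deviceregister = createTokenFromTelDevice($deviceimei, $simimei);
            if ($ndid) {
                $datetimeTransaction = date('Y-m-d H:i:s');
                // NOTE(review): the stored "token" is an unsalted md5 of the
                // citizen id and is therefore derivable from that id. Kept
                // because the IAL check (checkIALAuthen in /verifypin) looks it
                // up by value - confirm before changing the scheme.
                $citizen_md5 = md5($citizen);
                $SQLInsertToken = "INSERT INTO tb_token (token, token_date, cms_users_id) VALUES(?, ?, ?)";
                sqlsrv_query($GLOBALS['conn'], $SQLInsertToken, [$citizen_md5, $datetimeTransaction, $id]);
                $SQL = "UPDATE cms_users SET tb_device_status_id = 1, actived_date = GETDATE(), verify_status=1, platform=?, device_register=? WHERE id = ?";
                sqlsrv_query($GLOBALS['conn'], $SQL, [$platform, $deviceregister, $id]);
            } elseif ($device_status == 19 || $device_status == 8) {
                $SQL = "UPDATE cms_users SET tb_device_status_id = 1, device_imei = ?, actived_date = GETDATE() WHERE id = ?";
                sqlsrv_query($GLOBALS['conn'], $SQL, [$deviceimei, $id]);
            } else {
                $SQL = "UPDATE cms_users SET tb_device_status_id = 1, actived_date = GETDATE() WHERE id = ?";
                sqlsrv_query($GLOBALS['conn'], $SQL, [$id]);
            }
            $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
            output(1, 'Success', [
                'username' => $user,
                'citizen' => $citizen,
                'name' => $name,
                'token_ref' => $token_ref,
                'platform' => $platform,
                'ndid' => !empty($ndid) ? 1 : 0,
            ]);
        } else {
            output(0, SETPIN_FAIL);
        }
    }
});

/**
 * POST /verifypin
 *
 * type '0': checks the PIN against the bcrypt hash of the device-bound
 * account, counts failures in tb_pin_fail and locks the account (device
 * status 20/21, then an IAL check decides between lock = 2 "contact branch"
 * and api_status 2 "re-verify") once the allowed attempts are used up.
 * Any other type: the device row alone grants success and no PIN is checked
 * (presumably the biometric path - confirm with the client).
 *
 * Fixes versus the original: every query is parameterised (device IMEI,
 * username, account id, the new IMEI on device move, the attempted PIN); the
 * birthday counter reset targeted tb_bankaccount_fail instead of
 * tb_birthday_fail; the IAL reply is checked before it is indexed; unused
 * locals (md5 of the token, sim/platform, pin_ori, isConfirm) are gone; the
 * PIN is masked in the request log.
 */
$app->post('/verifypin', function (Request $request, Response $response, array $args) {
    $postValue = $request->getParsedBody();
    $deviceimei = mssql_escape(postField($postValue, 'deviceimei'));
    $deviceimei_new = mssql_escape(postField($postValue, 'deviceimei_new'));
    $pin = mssql_escape(postField($postValue, 'pin'));
    $type = mssql_escape(postField($postValue, 'type'));
    write_request_logs("verifypin", maskPinForLog($postValue));

    // The android sim_imei restriction that used to extend this query is
    // intentionally disabled (carried over from the original).
    $SQLCitizen = "SELECT * FROM cms_users WHERE device_imei = ? AND verify_status = 1 AND user_remove != 1 AND id_cms_privileges = 2 ";
    $row = fetchLastRow(sqlsrv_query($GLOBALS['conn'], $SQLCitizen, [$deviceimei]));

    $id = '';
    $user = '';
    $name = '';
    $bank_account = '';
    $pin_query = '';
    $device_status = 0;
    if ($row !== null) {
        $id = $row['id'];
        $user = $row['username'];
        $name = $row['name'];
        $bank_account = $row['bank_account'];
        $pin_query = $row['pin'];
        $device_status = $row['tb_device_status_id'];
    }

    $lock = false;
    $token_ref = '';

    if ($type == '0') {
        $pinMatches = password_verify($pin, $pin_query);
        if ($id == '' || !$pinMatches) {
            // Status 13 restarts the attempt counter before this failure is counted.
            if ($device_status == 13) {
                $SQLLockUser = "UPDATE tb_pin_fail SET count_index = 0 WHERE username = ? AND username != '' ";
                sqlsrv_query($GLOBALS['conn'], $SQLLockUser, [$user]);
            }
            recordPinFailure($user, $name, $bank_account, $pin);

            $SQLCountFail = "SELECT count(username) AS count_fail FROM tb_pin_fail where username = ? AND count_index = 1 AND username != ''";
            $countRow = fetchLastRow(sqlsrv_query($GLOBALS['conn'], $SQLCountFail, [$user]));
            $count_fail = $countRow !== null ? (int) $countRow['count_fail'] : 0;

            $allowed = ($device_status == 22) ? COUNT_SENDOTP_PINLOCK22 : COUNT_SENDOTP_PINLOCK;
            $remaining = $allowed - $count_fail;

            if ($remaining <= 0) {
                // Lock the account; 22 escalates to 21, everything else to 20.
                $device_status = ($device_status == 22) ? 21 : 20;
                $SQLLockUser = "UPDATE cms_users SET lock = 1, unlock = 0, active=0, tb_device_status_id = ? WHERE username = ? AND username != '' ";
                sqlsrv_query($GLOBALS['conn'], $SQLLockUser, [$device_status, $user]);

                // TOP 1 without ORDER BY: which token is picked when several
                // exist is up to the server (unchanged from the original).
                $SQLGetToken = "select TOP 1 token from tb_token where cms_users_id = ?;";
                $tokenRow = fetchLastRow(sqlsrv_query($GLOBALS['conn'], $SQLGetToken, [$id]));
                $token_ial = ($tokenRow !== null && isset($tokenRow['token'])) ? $tokenRow['token'] : '';

                $lock = true;

                // The original had an `elseif ($device_status == 23)` branch here,
                // but $device_status has just been set to 20 or 21, so it could
                // never run; only the IAL check remains. Confirm whether status 23
                // needs its own handling before the lock.
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, BASE_URL . "checkIALAuthen");
                curl_setopt($ch, CURLOPT_POST, 1);
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['token' => $token_ial]));
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                $server_output = curl_exec($ch);
                curl_close($ch);

                $decoded = is_string($server_output) ? json_decode($server_output, true) : null;
                // A transport failure or an undecodable reply counts as "IAL not
                // passed" (api_status 0) - that is what the original's unchecked
                // array access amounted to. NOTE(review): it means an IAL outage
                // yields lock = 2 ("contact branch") - confirm this is intended.
                $IALStatus = (is_array($decoded) && isset($decoded['api_status'])) ? $decoded['api_status'] : 0;
                if ($IALStatus == 0) {
                    $api_status = 0;
                    $api_message = "บัญชีของท่านถูกระงับการใช้งาน กรุณาติดต่อสาขา";
                    // lock = 2: the login screen shows the one-button popup
                    // (account locked and IAL failed) sending the user to a branch.
                    $SQLLockUser = "UPDATE cms_users SET lock = 2 WHERE username = ? AND username != '' ";
                    sqlsrv_query($GLOBALS['conn'], $SQLLockUser, [$user]);
                } else {
                    $api_status = 2;
                    $api_message = "บัญชีของท่านถูกระงับการใช้งาน เนื่องจากกรอก PIN ผิด ท่านสามารถยืนยันตัวตนเพื่อใช้งาน";
                }

                $result = (object) [
                    'api_status' => $api_status,
                    'api_message' => $api_message,
                    'lock' => $lock,
                    'token_ref' => '',
                ];
                write_response_logs('/verifypin', $result);
                returnJson($result);
                exit();
            }

            $api_status = 0;
            $api_message = sprintf(VERIFYPIN_INVALID_PIN, $remaining);
        } else {
            // Correct PIN: clear all failure counters, apply a device move if
            // requested and lift a 22/23 lock.
            resetFailCounters($user);
            if ($deviceimei_new != "" && $deviceimei_new != $deviceimei) {
                $SQL = "UPDATE cms_users SET device_imei = ? WHERE device_imei = ? AND user_remove != 1 AND device_imei != '' ";
                sqlsrv_query($GLOBALS['conn'], $SQL, [$deviceimei_new, $deviceimei]);
            }
            if ($device_status == 22 || $device_status == 23) {
                $SQLUnLockUser = "UPDATE cms_users SET lock = 0, unlock = 0,verify_status = 1, active=1, tb_device_status_id = 1 WHERE username = ? AND username != '' ";
                sqlsrv_query($GLOBALS['conn'], $SQLUnLockUser, [$user]);
            }
            $api_status = 1;
            $api_message = "Success";
            $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
        }
    } else {
        if ((string) $id !== '') {
            $api_status = 1;
            $api_message = "Success";
            $token_ref = guidv4(openssl_random_pseudo_bytes(16), $id);
        } else {
            $api_status = 0;
            $api_message = VERIFYPIN_INVALID_PIN_FINGER;
            recordPinFailure($user, $name, $bank_account, $pin);
        }
    }

    if ($api_status == 0) {
        $result = (object) ['api_status' => $api_status, 'api_message' => $api_message, 'lock' => $lock];
    } else {
        $result = (object) ['api_status' => $api_status, 'api_message' => $api_message, 'lock' => $lock, 'token_ref' => $token_ref];
    }
    returnJson($result);
});

/**
 * POST /validate/pin
 *
 * Checks the supplied PIN against the stored hash of the token's account.
 * The account id is now a bound parameter instead of being interpolated.
 *
 * NOTE(review): unlike /setpin, this route hashes/verifies the raw PIN
 * (no mssql_escape) - identical for digit-only PINs, confirm nothing else
 * is accepted.
 */
$app->post('/validate/pin', function (Request $request, Response $response, array $args) {
    $post = build_request($request->getParsedBody());
    $pin = $post['pin'];
    $user = getuserfromtoken($post['token']);
    $uid = $user['id'];

    $SQL = "SELECT pin FROM cms_users WHERE id = ?";
    $row = fetchLastRow(sqlsrv_query($GLOBALS['conn'], $SQL, [$uid]));
    $storedHash = ($row !== null && isset($row['pin'])) ? $row['pin'] : '';

    if (password_verify($pin, $storedHash)) {
        $result = ['api_status' => 1, 'api_message' => 'Success'];
    } else {
        $result = ['api_status' => 0, 'api_message' => 'Failed'];
    }
    return $response->withStatus(200)->withJson($result);
});

/**
 * POST /update/pin
 *
 * Replaces the PIN hash of the token's account. The original issued an unused
 * SELECT first and interpolated both the hash and the id; both are now bound.
 * The response is unconditionally "success", as before - the update's row
 * count is not checked.
 */
$app->post('/update/pin', function (Request $request, Response $response, array $args) {
    $post = build_request($request->getParsedBody());
    $pin = $post['pin'];
    $user = getuserfromtoken($post['token']);
    $uid = $user['id'];

    $SQL = "UPDATE cms_users SET pin = ? WHERE id = ?";
    sqlsrv_query($GLOBALS['conn'], $SQL, [hashPin($pin), $uid]);

    $result = ['api_status' => 1, 'api_message' => 'เปลี่ยนรหัส PIN ใหม่เรียบร้อยแล้ว'];
    return $response->withStatus(200)->withJson($result);
});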