One-shot status update for Joomla 1.5* component (not tested)
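<?php
/**
* @package One-time pad signal script
* @description Feedback signal via HTTP GET or POST using a one-time pad communicated through a separate process, as an alternative to the convoluted Joomla! 1.5.x XMLRPC feature.
* @version 1.0
* @copyright Copyright 2010 by Mitchell Amiano All Rights Reserved.
* @license http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL
* */
// place this script in a non-Web accessible location, then require it from a wrapper script
require("configuration.php"); // Joomla config (class JConfig): database, mail and user details
$jconfig = new JConfig();
$Forwarding_url = "http://some.joomla.domain.agilemarkup.com/index.php/some-landing-page";
$error_message = "Request Failed.";

// Administrator address for the failure note below. The Joomla configuration
// exposes it as $jconfig->mailfrom; it was previously read from an undefined
// global $mailfrom, which made the From:/To: headers empty.
$mailfrom = isset($jconfig->mailfrom) ? $jconfig->mailfrom : "";

// Note: `$x = new mysqli(...) or die(...)` never dies. `=` binds tighter than
// `or`, so the object is assigned first and `or` only sees a truthy object.
// Connection failure is detected with mysqli_connect_errno() instead.
$mysqli = new mysqli(
    $jconfig->host,
    $jconfig->user,
    $jconfig->password,
    $jconfig->db
);
if (mysqli_connect_errno()) {
    // Keep the driver message out of the response: it can disclose host/user
    // details to the caller. It goes to the server log instead.
    error_log("Connect failed: " . mysqli_connect_error());
    echo $error_message . " (no database access)";
    exit();
}

// Using $_REQUEST makes the script ambivalent to whether a POST or a GET with query parameters.
// (Depending on the request_order ini setting, $_REQUEST may also include cookie values.)
// but...
// GET should never make changes to a resource. but...
// If the source system only allows GET requests, HTTP idempotence for GET request could be violated as a special case.
// Some survey tools, for instance, (only) allow a GET request to signal the end of a survey process.
//
// The values are bound through a prepared statement below, so they must NOT be
// passed through mysqli_real_escape_string(): escaping a bound parameter stores
// and compares literal backslashes, so a pad or username containing a quote
// would never match its row. Length is capped here; the empty/over-long check
// follows.
$username = $subnum = $onetimepad = "";
$status = "Submitted";
// is_string() guards against array-style parameters (?username[]=x), which
// substr() would reject with a warning or TypeError.
if (isset($_REQUEST['username']) && is_string($_REQUEST['username'])) {
    $username = substr($_REQUEST['username'], 0, 60);
}
if (isset($_REQUEST['subnum']) && is_string($_REQUEST['subnum'])) {
    $subnum = substr($_REQUEST['subnum'], 0, 5);
}
if (isset($_REQUEST['pad']) && is_string($_REQUEST['pad'])) {
    $onetimepad = substr($_REQUEST['pad'], 0, 100);
}

// Every parameter must be present, non-empty and no longer than the limit.
// The comparison is `<=`: the pad is already truncated to exactly
// $max_param_length characters above, and a strict `<` rejected a full-length pad.
$max_param_length = 100;
$lengths = [ strlen($username), strlen($subnum), strlen($onetimepad) ];
$in_range = array_filter($lengths, function ($element) use ($max_param_length) {
    return ($element > 0 && $element <= $max_param_length);
});
if (count($in_range) != count($lengths)) {
    // echo rather than printf(): the message is not a format string.
    echo $error_message . " (improper parameters)";
    exit();
}

// compute a prefix and a suffix that are more or less secret.
// (these should not be in a Web-visible script)
$onetimepad = "ComputedPrefix" . $onetimepad . "ComputedSuffix";

// Due to the one-time pad, only one update is allowed per row: the row's
// subnum column initially holds the pad and is overwritten with the
// submission number, so the same pad cannot match a second time.
// Subsequent requests (and requests with a wrong pad) match zero rows but
// still execute successfully, so they are redirected exactly like a real
// update; the caller gets no oracle for whether a pad was valid.
$stmt_string = "UPDATE jos_some_component_table set subnum=?, status=? WHERE username=? AND subnum=?";
$stmt = $mysqli->prepare($stmt_string);
$updated = false;
if ($stmt !== false) {
    $stmt->bind_param("ssss", $subnum, $status, $username, $onetimepad);
    // execute() reports failure directly; inspecting strlen($mysqli->error)
    // afterwards missed a failed prepare() (then $stmt is false and
    // bind_param() is a fatal error). On PHP >= 8.1 mysqli throws by default,
    // so a driver error may surface as an exception before reaching here.
    $updated = $stmt->execute();
    $stmt->close();
}
if ($updated) {
    $mysqli->close();
    header("Location: " . $Forwarding_url);
    // Nothing must run (or be output) after the redirect.
    exit();
}
?><div style="margin-top: 12ex; margin-left:auto; margin-right: auto; width: 30em; height: 20ex; position: relative; text-align: center;">
<strong>Sorry, but the status was not updated.</strong>
<br/>
<p>Your feedback form <em>WAS</em> still submitted.</p>
<br/>
<p>Click on <a href="<?php echo htmlspecialchars($Forwarding_url, ENT_QUOTES, 'UTF-8'); ?>" title="landing page">Some Landing Page</a> to return to the project site.
</div>
<?php
// send an email note to the Joomla administrator
// Values placed in mail headers must not carry CR/LF (header injection);
// the body is plain text, so HTML escaping is the wrong context there and
// would only garble quotes and ampersands for the reader.
$header_safe = function ($value) {
    return str_replace(["\r", "\n"], " ", $value);
};
// HTTP_REFERER is optional; the old code read it unconditionally and passed
// it to mysqli_real_escape_string() without the required link argument.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "(none)";
$headers = 'From: ' . $mailfrom . "\r\n" . 'Reply-To: ' . $mailfrom . "\r\n" . 'X-Mailer: PHP/' . phpversion();
// NOTE(review): the body reports the pad including the computed prefix/suffix
// that the comment above says should stay secret; consider reporting only the
// submitted value.
$body = "The feedback form was completed for " . $username . ", submission #" . $subnum
    . ", but the site was not updated to reflect the fact that it was completed. \n"
    . "The 'one-time-pad' was '" . $onetimepad . "'\n The referrer was " . $referer
    . "\n Please ask the Web administrator to look into this.";
$subject = "Status not updated for " . $header_safe($username) . ", #" . $header_safe($subnum);
mail($mailfrom, $subject, $body, $headers);
$mysqli->close();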