Add files via upload

README.md

@@ -1,2 +1,25 @@
-# Credit-card-vault
-Credit-card vault with encryption standards &  Hash fuctions
+# creditcardvault
+
+A Credit Card Vault application that collects Credit Card information from a customer and stores them securely in a database
+Safely collect private data from your customers using cryptography
+
+CreditCardVault is a simple Php application demo aiming to provide better security for data collected through landing pages. This demo encrypts cardnumber and cvv of the subscribers, making it very hard for an attacker to leak private data, even if he/she gains access to the database. An Admin user is allowed to perform all CRUD operations on the Subscribers data.
+
+# Requirements
+
+    An Apache web server
+    Php 7.1 or more
+    Mysql or MariaDB
+
+# Installation
+
+Download or pull from git.
+
+    First you need to initialize the database
+    Go to config.php and alter the $host = "myhostname" , $username= "myusername" , $password= "mypassword"
+    Navigate to install.php in the frontend and it will setup a vault_2 database with 2 new tables table users and table subscribers.
+    You may remove /data folder and install.php as they are no longer necessary nnow.
+    Now navigate to register.php register a user and make the user admin at the backend.
+    You now have full access to the application.
+    Any person  can now register as a user and add his/her credit card information
+    The admin can also create users with different user_types.

admin/create_user.php

@@ -0,0 +1,69 @@
+<?php 
+include('../functions.php');
+
+if (!isAdmin()) {
+	$_SESSION['msg'] = "You must log in first";
+	header('location: ../login.php');
+}
+
+if (isset($_GET['logout'])) {
+	session_destroy();
+	unset($_SESSION['user']);
+	header("location: ../login.php");
+}
+?>
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Create user</title>
+	<link rel="stylesheet" type="text/css" href="../styles.css">
+	<style>
+		.header {
+			background: #003366;
+		}
+		button[name=register_btn] {
+			background: #003366;
+		}
+	</style>
+</head>
+<body>
+    <!--Admin can specify user type to normal user or admin-->
+	<div class="header">
+		<h2>Admin - create user</h2>
+	</div>
+
+	<form method="post" action="create_user.php">
+
+		<?php echo display_error(); ?>
+
+		<div class="input-group">
+			<label>Username</label>
+			<input type="text" name="username" value="<?php echo $username; ?>">
+		</div>
+		<div class="input-group">
+			<label>Email</label>
+			<input type="email" name="email" value="<?php echo $email; ?>">
+		</div>
+		<div class="input-group">
+			<label>User type</label>
+			<select name="user_type" id="user_type" >
+				<option value=""></option>
+				<option value="admin">Admin</option>
+				<option value="level_1">Level_1</option>
+				<option value="level_2">Level_2</option>
+			</select>
+		</div>
+		<div class="input-group">
+			<label>Password</label>
+			<input type="password" name="password_1">
+		</div>
+		<div class="input-group">
+			<label>Confirm password</label>
+			<input type="password" name="password_2">
+		</div>
+		<div class="input-group">
+			<button type="submit" class="btn" name="register_btn"> + Create user</button>
+		</div>
+	</form>
+</body>
+</html>

admin/deleteSubscriber.php

@@ -0,0 +1,92 @@
+<?php 
+include('../functions.php');
+
+if (!isAdmin()) {
+	$_SESSION['msg'] = "You must log in first";
+	header('location: ../login.php');
+}
+
+if (isset($_GET['logout'])) {
+	session_destroy();
+	unset($_SESSION['user']);
+	header("location: ../login.php");
+}
+?>
+<?php
+
+/**
+  * Delete a user
+  */
+
+require "../config.php";
+require "../common.php";
+
+if (isset($_GET["id"])) {
+  try {
+    $connection = new PDO($dsn, $username, $password, $options);
+
+    $id = $_GET["id"];
+
+    $sql = "DELETE FROM subscribers WHERE id = :id";
+
+    $statement = $connection->prepare($sql);
+    $statement->bindValue(':id', $id);
+    $statement->execute();
+
+    $success = "Subscriber successfully deleted";
+  } catch(PDOException $error) {
+    echo $sql . "<br>" . $error->getMessage();
+  }
+}
+
+try {
+  $connection = new PDO($dsn, $username, $password, $options);
+
+  $sql = "SELECT * FROM subscribers";
+
+  $statement = $connection->prepare($sql);
+  $statement->execute();
+
+  $result = $statement->fetchAll();
+} catch(PDOException $error) {
+  echo $sql . "<br>" . $error->getMessage();
+}
+?>
+<?php require "../templates/header.php"; ?>
+
+<h2>Delete users</h2>
+
+<?php if ($success) echo $success; ?>
+
+<table>
+  <thead>
+    <tr>
+      <th>#</th>
+      <th>First Name</th>
+      <th>Last Name</th>
+      <th>Card Number</th>
+      <th>CVV</th>
+      <th>Location</th>
+      <th>Date</th>
+      <th>Delete</th>
+    </tr>
+  </thead>
+  <tbody>
+  <?php foreach ($result as $row) : ?>
+    <tr>
+      <td><?php echo escape($row["id"]); ?></td>
+      <td><?php echo escape($row["firstname"]); ?></td>
+      <td><?php echo escape($row["lastname"]); ?></td>
+      <td><?php echo escape($row["cardnumber"]); ?></td>
+      <td><?php echo escape($row["cvv"]); ?></td>
+      <td><?php echo escape($row["location"]); ?></td>
+      <td><?php echo escape($row["date"]); ?> </td>
+      <td><a href="deleteSubscriber.php?id=<?php echo escape($row["id"]); ?>">Delete</a></td>
+    </tr>
+  <?php endforeach; ?>
+  </tbody>
+</table>
+
+<a href="home.php">Back to home</a>
+
+<?php require "../templates/footer.php"; ?>

admin/home.php

@@ -0,0 +1,67 @@
+<?php 
+include('../functions.php');
+
+if (!isAdmin()) {
+	$_SESSION['msg'] = "You must log in first";
+	header('location: ../login.php');
+}
+
+if (isset($_GET['logout'])) {
+	session_destroy();
+	unset($_SESSION['user']);
+	header("location: ../login.php");
+}
+?>
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Home</title>
+	<link rel="stylesheet" type="text/css" href="../styles.css">
+	<style>
+	.header {
+		background: #003366;
+	}
+	button[name=register_btn] {
+		background: #003366;
+	}
+	</style>
+</head>
+<body>
+	<div class="header">
+		<h2>Admin - Home Page</h2>
+	</div>
+	<div class="content">
+		<!-- notification message -->
+		<?php if (isset($_SESSION['success'])) : ?>
+			<div class="error success" >
+				<h3>
+					<?php 
+						echo $_SESSION['success']; 
+						unset($_SESSION['success']);
+					?>
+				</h3>
+			</div>
+		<?php endif ?>
+
+		<!-- logged in user information -->
+		<div class="profile_info">
+			<img src="../images/admin_profile.png"  >
+
+			<div>
+				<?php  if (isset($_SESSION['user'])) : ?>
+					<strong><?php echo $_SESSION['user']['username']; ?></strong>
+
+					<small>
+						<i  style="color: #888;">(<?php echo ucfirst($_SESSION['user']['user_type']); ?>)</i> 
+						<br>
+						<a href="home.php?logout='1'" style="color: red;">logout</a>
+                       &nbsp; <a href="create_user.php"> + add user</a>
+					   &nbsp; <a href="indexAdmin.php">view subscriber info</a>
+					</small>
+
+				<?php endif ?>
+			</div>
+		</div>
+	</div>
+</body>
+</html>

admin/indexAdmin.php

@@ -0,0 +1,25 @@
+<?php 
+include('../functions.php');
+
+if (!isAdmin()) {
+	$_SESSION['msg'] = "You must log in first";
+	header('location: ../login.php');
+}
+
+if (isset($_GET['logout'])) {
+	session_destroy();
+	unset($_SESSION['user']);
+	header("location: ../login.php");
+}
+?>
+<h1>View For Admin</h1>
+<ul>
+  <li>
+    <a href="readSubscriber.php"><strong>Read</strong></a> - Find a subscriber
+  </li>
+  <li>
+    <a href="deleteSubscriber.php"><strong>Delete</strong></a> - Delete a subscriber
+  </li>
+</ul>
+
+<?php include "../templates/footer.php"; ?>

admin/readSubscriber.php

@@ -0,0 +1,97 @@
+<?php 
+include('../functions.php');
+
+if (!isAdmin()) {
+	$_SESSION['msg'] = "You must log in first";
+	header('location: ../login.php');
+}
+
+if (isset($_GET['logout'])) {
+	session_destroy();
+	unset($_SESSION['user']);
+	header("location: ../login.php");
+}
+?>
+<?php
+
+/**
+  * Function to query information based on
+  * a parameter: in this case, location.
+  *
+  */
+
+if (isset($_POST['submit'])) {
+  try {
+    require "../config.php";
+    require "../common.php";
+    //Decryption Keys
+    $cardkey = 'pass1234';
+    $cvvkey = 'pass5678';
+
+    $connection = new PDO($dsn, $username, $password, $options);
+
+    $sql = "SELECT id, firstname, lastname, AES_DECRYPT(cardnumber, '$cardkey') as cardnumber, AES_DECRYPT(cvv, '$cvvkey') as cvv, location, date 
+    FROM subscribers
+    WHERE location = :location";
+
+    $location = $_POST['location'];
+
+    $statement = $connection->prepare($sql);
+    $statement->bindParam(':location', $location, PDO::PARAM_STR);
+    $statement->execute();
+
+    $result = $statement->fetchAll();
+  } catch(PDOException $error) {
+    echo $sql . "<br>" . $error->getMessage();
+  }
+}
+?>
+<?php require "../templates/header.php"; ?>
+
+<?php
+if (isset($_POST['submit'])) {
+  if ($result && $statement->rowCount() > 0) { ?>
+    <h2>Results</h2>
+
+    <table>
+      <thead>
+<tr>
+  <th>#</th>
+  <th>First Name</th>
+  <th>Last Name</th>
+  <th>Card Number</th>
+  <th>CVV</th>
+  <th>Location</th>
+  <th>Date</th>
+</tr>
+      </thead>
+      <tbody>
+  <?php foreach ($result as $row) { ?>
+      <tr>
+<td><?php echo escape($row["id"]); ?></td>
+<td><?php echo escape($row["firstname"]); ?></td>
+<td><?php echo escape($row["lastname"]); ?></td>
+<td><?php echo escape($row["cardnumber"]); ?></td>
+<td><?php echo escape($row["cvv"]); ?></td>
+<td><?php echo escape($row["location"]); ?></td>
+<td><?php echo escape($row["date"]); ?> </td>
+      </tr>
+    <?php } ?>
+      </tbody>
+  </table>
+  <?php } else { ?>
+    > No results found for <?php echo escape($_POST['location']); ?>.
+  <?php }
+} ?>
+
+<h2>Find Subscriber based on location</h2>
+
+<form method="post">
+  <label for="location">Location</label>
+  <input type="text" id="location" name="location">
+  <input type="submit" name="submit" value="View Results">
+</form>
+
+<a href="home.php">Back to home</a>
+
+<?php require "../templates/footer.php"; ?>

common.php

@@ -0,0 +1,10 @@
+<?php
+
+/**
+  * Escapes HTML for output
+  *
+  */
+
+function escape($html) {
+  return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+}