Wrapped everything up

Everything is now wrapped as part of a lightweight application which can
be used as a blank slate for any admin or user control panel projects.

.htaccess

@@ -1,4 +1 @@
-<Files "config.inc.php">
-	Order Allow,Deny
-	Deny from all
-</Files>
+Require all denied

app/.htaccess

@@ -0,0 +1,8 @@
+Require all granted
+
+RewriteEngine On
+RewriteCond %{REQUEST_URI} !\.(jpg|png|bmp|gif|css|js|map|ttf|woff|woff2|svg|eot)$
+RewriteRule ^(.*)$ controller.php?page=$1 [NC,L,QSA]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^(.*)$ controller.php?page=error&rewritten=1&missing=$1 [NC,L,QSA]

app/cache/.htaccess

@@ -0,0 +1 @@
+Require all denied

app/config.inc.php

@@ -0,0 +1,44 @@
+<?php
+// prevent this file from being called directly
+if(!defined('LIVE')) { exit(); };
+
+// define the public application root
+define('APP_ROOT',				'/app/');
+define('APP_THEME',				'gentelella');
+define('APP_NAME',				'Secure Area');
+
+// OTP Configuration
+define('OTP_COMPANY',	'ACME');	// company name
+define('OTP_MAX_TRIES',	3);			// maximum attempts before preventing use of the current timeblock
+define('OTP_LENGTH',	6);			// length of digits a code should be
+define('OTP_ALGORITHM',	'sha256');	// the hashing algorithm used (sha256, sha1, sha512)
+
+// session control
+define('SESSION_TIMEOUT',	30);	// how many minutes a logged in session should last
+
+// user control. acl's between these values are granted control to modify
+// users that are lower acl. for example, a user with acl 9999 can modify
+// users with acl 0 to 9998, but can not modify users with acl of 9997, and
+// can't add a user with an acl value higher than 9998
+define('ACL_ADMIN_MAX',		9999);	// maximum acl to grant control over modifying users with lower acl
+define('ACL_ADMIN_MIN',		9994);	// users with an acl below this value do not get control over other users
+
+// maximum notifications to show on Notifications page
+define('MAX_NOTIFICATIONS',	50);
+
+// Database Credentials used for user authentication
+define('SQL_SERVER',	'localhost');
+define('SQL_USERNAME',	'root');
+define('SQL_PASSWORD',	'');
+define('SQL_DATA',		'test');
+define('SQL_PREFIX',	'');
+
+// Smarty
+define('SMARTY_DEBUGGING',	false);
+define('SMARTY_CACHING',	false);
+define('SMARTY_CACHE_LIFETIME',	120);
+define('SMARTY_FORCE_COMPILE',	false);
+define('SMARTY_DIR_TEMPLATES',	'./templates');
+define('SMARTY_DIR_TEMPLATES_C','./templates_c');
+define('SMARTY_DIR_CACHE',	'./cache');
+

app/controller.php

@@ -0,0 +1,47 @@
+<?php
+define('LIVE', true);
+require_once dirname(__FILE__).'/lib/autoload.php';
+
+// get token
+$token = isset($_SESSION['csrf']) ? $_SESSION['csrf'] : '';
+
+// get the current page
+$page = get_this_page();
+
+if(!empty($page)) {
+	if(($page == 'error') && isset($_REQUEST['missing']) && isset($_REQUEST['rewritten'])) { redirect('error?missing=' . filter_input(INPUT_GET, 'missing', FILTER_SANITIZE_SPECIAL_CHARS)); }
+
+	// load the current page if model exists
+	if(file_exists('model/' . $page . '.php')) {
+		include('model/' . $page . '.php');
+		exit(0);
+	}
+} else {
+	// load the home page if $page is empty
+	if(file_exists('model/app.php')) {
+		include('model/app.php');
+		exit(0);
+	}
+}
+// load the error page model if it exists
+if(file_exists('model/error.php')) { redirect('error?missing=' . filter_input(INPUT_GET, 'page', FILTER_SANITIZE_SPECIAL_CHARS)); }
+
+// display generic page not found if all else fails
+echo 'Page not found';
+
+// get page and slug it. removes all stray characters
+function get_this_page(){
+	$page = '';
+	if(isset($_REQUEST['page'])) { $page = filter_input(INPUT_GET, 'page', FILTER_SANITIZE_SPECIAL_CHARS); }
+	if(!empty($page)) {
+		$page = trim(preg_replace('~[^\\pL\d]+~u', '-', $page), '-');
+		if (function_exists('iconv')) { $page = iconv('utf-8', 'us-ascii//TRANSLIT', $page); }
+		//$page = preg_replace('~[^-\w]+~', '', strtolower($text));
+	}
+	return $page;
+}
+
+function redirect($page = '') {
+	header('location: ' . APP_ROOT . $page);
+	exit(0);
+}

app/lib/.htaccess

@@ -0,0 +1 @@
+Require all denied

app/lib/autoload.php

@@ -0,0 +1,20 @@
+<?php
+// setup files to include
+include  dirname(__FILE__).'/../config.inc.php';
+require dirname(__FILE__).'/smarty/Smarty.class.php';
+require dirname(__FILE__).'/session.class.php';
+require dirname(__FILE__).'/otp.class.php';
+require dirname(__FILE__).'/users.class.php';
+require dirname(__FILE__).'/db.class.php';
+
+// initialize smarty engine
+$smarty = new Smarty;
+$smarty->force_compile = SMARTY_FORCE_COMPILE;
+$smarty->debugging = SMARTY_DEBUGGING;
+$smarty->caching = SMARTY_CACHING;
+$smarty->cache_lifetime = SMARTY_CACHE_LIFETIME;
+$smarty->setTemplateDir(SMARTY_DIR_TEMPLATES)
+       ->setCompileDir(SMARTY_DIR_TEMPLATES_C)
+       ->setCacheDir(SMARTY_DIR_CACHE)
+	   ->assign('NAME',				APP_NAME)
+	   ->assign('ROOT',				APP_ROOT);

app/lib/db.class.php

@@ -0,0 +1,139 @@
+<?php
+class db {
+	var $params;
+	var $_db;
+	var $last_error;
+
+	function __construct() {
+		$this->params = Array();
+		$this->params[] = '';
+
+		$this->_db = new mysqli(SQL_SERVER, SQL_USERNAME, SQL_PASSWORD, SQL_DATA);
+		if($this->_db->connect_errno > 0){ $last_error = $this->_db->connect_error; throw new Exception("Connection Failed: " . $this->_db->connect_error); }
+	}
+
+	function __destruct() {
+		try {
+			$this->_db->close();
+			$this->_db = null;
+			$this->last_error = null;
+			$this->params = null;
+		} catch (Exception $e) {
+			// ignore exception quietly on destruction of objects
+		}
+	}
+
+	function add($value, $type='s') {
+		$this->params[] = $value;
+		$this->params[0] .= $type;
+	}
+
+	function resetparams() {
+		$this->params = Array();
+		$this->params[] = '';
+	}
+
+	function getError() {
+		return $this->last_error;
+	}
+
+	function query($sql) {
+		$p = $this->params;
+		$bind_arguments = Array();
+        foreach ($this->params as $recordkey => $recordvalue)
+        {
+            $bind_arguments[] = & $this->params[$recordkey];    # bind to array ref, not to the temporary $recordvalue
+        }
+
+
+		$qtype = explode(" ",strtolower(trim($sql)))[0];
+		$result = false;
+		$rows = Array();
+		if(count($p) > 1) {
+			// store procedure
+			switch($qtype) {
+				case 'insert':
+					// return the last insert id
+					$result = false;
+					if($stmt = $this->_db->prepare($sql)) {
+						call_user_func_array(array($stmt, 'bind_param'), $bind_arguments);
+						$stmt->execute();
+						$result = $stmt->insert_id;
+						$stmt->close();
+					}
+					break;
+				case 'select':
+					// return result set
+					$result = Array();
+					if($stmt = $this->_db->prepare($sql)) {
+						call_user_func_array(array($stmt, 'bind_param'), $bind_arguments);
+						$stmt->execute();
+
+						$meta = $stmt->result_metadata();
+						$parameters = Array();
+						while ($field = $meta->fetch_field()) {
+							$parameters[] = &$row[$field->name];
+						}
+						call_user_func_array(array($stmt, 'bind_result'), $parameters);
+
+						while ($stmt->fetch()) {
+							foreach($row as $key => $val) {
+								$x[$key] = $val;
+							}
+							$result[] = $x;
+						}
+						$stmt->close();
+					}
+					break;
+				case 'delete':
+					// return how many rows affected
+					$result = false;
+					if($stmt = $this->_db->prepare($sql)) {
+						call_user_func_array(array($stmt, 'bind_param'), $bind_arguments);
+						$stmt->execute();
+						$result = $stmt->affected_rows;
+						$stmt->close();
+					}
+					break;
+				case 'update':
+					// return how many rows affected
+					$result = false;
+					if($stmt = $this->_db->prepare($sql)) {
+						call_user_func_array(array($stmt, 'bind_param'), $bind_arguments);
+						$stmt->execute();
+						$result = $stmt->affected_rows;
+						$stmt->close();
+					} else {
+						$this->last_error = "Prepare failed: (" . $this->_db->errno . ") " . $this->_db->error;
+						echo $this->last_error; die();
+					}
+					break;
+			}
+		} else {
+			// normal query
+			switch($qtype) {
+				case 'insert':
+					break;
+				case 'select':
+					$result = Array();
+					if($resource = $this->_db->query($sql)) {
+						for ($result = array(); $tmp = $resource->fetch_array(MYSQLI_ASSOC);) $result[] = $tmp;
+					}
+					break;
+				case 'update':
+					break;
+				case 'delete':
+					break;
+				case 'alter':
+					break;
+				case 'create':
+					break;
+			}
+		}
+
+		if(empty($result)) { $result = false; }
+		return $result;
+
+	}
+
+}

lib/session.class.php → app/lib/session.class.php

@@ -4,7 +4,7 @@
 
 class session {
 
-	static $duration = 300;
+	static $duration = 60 * SESSION_TIMEOUT;
 
 	public static function start() {
 		session_start();