user id int fixed; token check

index.php

@@ -4,19 +4,9 @@ require_once "status.php";
 require_once "user.php";
 require_once "sql.php";
 
-function check_api_key_()
-{
-  $headers = apache_request_headers();
-  if (!isset($headers["Api-Key"]))
-    return false;
-  return database_exec("SELECT id FROM api_keys WHERE `key` = :key",
-                       array(":key" => $headers["Api-Key"]))-> fetch()
-                       !== false;
-}
-
 function check_api_key()
 {
-  if (!check_api_key_())
+  if (!check_table_field("Api-Key", "api_keys", "key"))
     error(401, "Bad API key");
 }
 

status.php

@@ -1,13 +1,25 @@
 <?php
+require_once "utils.php";
+
+function check_token()
+{
+  if (!check_table_field("Authorization", "tokens", "token"))
+    error(401, "Invalid token");
+}
+
 function status_confirm($id)
 {
+  check_token();
 }
 
 function status_create()
 {
+  check_token();
+  $status = get_post("status");
 }
 
 function status_feed()
 {
+  check_token();
 }
 ?>

user.php

@@ -41,7 +41,7 @@ function user_login($username = false)
   $token = hash_password(uniqid(mt_rand(), true));
   database_exec("INSERT INTO tokens (`token`, `user`) VALUES (:token, :user)",
     array(":token" => $token, ":user" => $u['id']));
-  echo json_encode(array("username" => $username, "id" => $u["id"],
+  echo json_encode(array("username" => $username, "id" => intval($u["id"]),
     "token" => $token));
 }
 ?>

utils.php

@@ -28,4 +28,14 @@ function get_post($key, $is_error = true)
     return false;
 }
 
+function check_table_field($header, $table, $field)
+{
+  $headers = apache_request_headers();
+  if (!isset($headers[$header]))
+    return false;
+  return database_exec("SELECT id FROM $table WHERE `$field` = :data",
+    array(":data" => $headers[$header]))-> fetch()
+    !== false;
+}
+
 ?>