A PHP Chat based on LE CHAT

[Screenshot] https://imgur.com/a/JDWUkLl

Warning: Use of undefined constant SODIUM_CRYPTO_AEAD_AES256GCM_KEYBYTES - assumed 'SODIUM_CRYPTO_AEAD_AES256GCM_KEYBYTES' (this will throw an Error in a future version of PHP) in C:\xampp\htdocs\index.php on line 4233

Warning: Use of undefined constant SODIUM_CRYPTO_AEAD_AES256GCM_KEYBYTES - assumed 'SODIUM_CRYPTO_AEAD_AES256GCM_KEYBYTES' (this will throw an Error in a future version of PHP) in C:\xampp\htdocs\index.php on line 4234

Warning: substr() expects parameter 3 to be int, string given in C:\xampp\htdocs\index.php on line 4234

Warning: Use of undefined constant SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES - assumed 'SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES' (this will throw an Error in a future version of PHP) in C:\xampp\htdocs\index.php on line 4238

Warning: Use of undefined constant SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES - assumed 'SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES' (this will throw an Error in a future version of PHP) in C:\xampp\htdocs\index.php on line 4239

Warning: substr() expects parameter 3 to be int, string given in C:\xampp\htdocs\index.php on line 4239

[The Old version of this chat script is working without any errors.] [Renamed the chat.php to index.php] [My configurations for the new updated script]

function load_config(){ mb_internal_encoding('UTF-8'); define('VERSION', '1.24'); // Script version define('DBVERSION', 42); // Database layout version define('MSGENCRYPTED', true); // Store messages encrypted in the database to prevent other database users from reading them - true/false - visit the setup page after editing! define('ENCRYPTKEY_PASS', '13117132423542543653635467854326'); // Recommended length: 32. Encryption key for messages define('AES_IV_PASS', '012345678912'); // Recommended length: 12. AES Encryption IV define('DBHOST', 'localhost'); // Database host define('DBUSER', 'root'); // Database user define('DBPASS', ''); // Database password define('DBNAME', 'newupdate'); // Database define('PERSISTENT', true); // Use persistent database conection true/false define('PREFIX', ''); // Prefix - Set this to a unique value for every chat, if you have more than 1 chats on the same database or domain - use only alpha-numeric values (A-Z, a-z, 0-9, or _) other symbols might break the queries define('MEMCACHED', false); // Enable/disable memcached caching true/false - needs memcached extension and a memcached server.

i want to improve the appearance of this website home page like improving navigation etc share this site with friends options and changing navigation slider according to this website layout

I want to use this on my TOR site but I don't know how to install PHP extensions on my Linux PC. Any help on installing the extensions would be amazing.

I see the session DB so I can drop the information in to there, but what other things do I need to send or set to be able to use my own login system, I have a full profile and friends system I want to control the login to the chat.

is there session I have to set in the browser and also passhash is also set in the session database, why is this if you could help on this it would be really helpful, I wouldn't mind bypassing the login and user settings fully in the chage but I am able to to save the login details to the members section of the chat db also if I need to.

So when I saved an public note while || define('MSGENCRYPTED', true) || in the settings, public notes were showing like this.

BUT! When I saved a public note while || define('MSGENCRYPTED', false) || in the settings, public notes were normal.

So why my public notes also encrypting like messages to the database and showing that encrypted data to public notes without showing the normal input? I think this is same in admin, staff notes also. but it's good to encrypt private, staff, admin notes but without showing that encrypted data, only showing the normal input back in the chat. And also no need to encrypt public notes since it's public. Is there a way to solve this while I'm using message encryption? Thank you daniel.

The chat does not validate session cookies across multiple clients when the client is a guest username. This effectively allows a user to control a guest user's account without the user being authenticated, and thus allows "eavesdropping" and arbitrary control of a guest user's account. This was executed as a proof of concept at https://chat.danwin1210.me/ by specifying a guest username that is already logged in at the login prompt.

There is a bug, if I set it to sqlite as I don't have mysql for less attack vectors and resources but soon as I try set it up I get

Warning: PDO::prepare(): SQLSTATE[HY000]: General error: 1 no such table:

The sqlite file is created but after that it's does that error, the part that installs the db seems to be missing I see a trigger for it ever.

The file size is 0 so there is no date been written to it

Windows tested with Xampp, Laragon Apache and Nginx,

Warning: PDO::prepare(): SQLSTATE[HY000]: General error: 1 no such table: main_settings in chat.php on line 4288

Fatal error: Uncaught Error: Call to a member function execute() on bool in chat.php:4289 
Stack trace: 
#0 chat.php(3481): get_setting('imgembed') 
#1 chat.php(379): send_headers() 
#2 chat.php(916): print_start('init') 
#3 chat.php(4373): send_init() 
#4 chat.php(51): check_db() 
#5 {main} thrown in chat.php on line 4289

Although this suggestion may not work because of the constant page-refreshing and lack of JavaScript, I believe this could save a lot of space by finding a way to clean out chat data by keeping it "client-sided." Meaning all the dialogue is shown on the user's screen, after the data is broadcasted from the server, but is wiped from the database.

I know this idea brings into question of how important it is to preserve such logs for the sake of the chat server. To this, we should definitely discuss the matter.

The profile area is showing empty. I'm on my admin account. even normal user the same. how to fix this? Thank you very much for your time to resolve my problem.

Should we start a new chat project only compatible with PHP >= 7.4 using new PHP "strict" mode + objects and variable types + better security and encryption + better UI templates??

I'm using MySQL 5.5.48 netstat -an:

tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN

3306 port is opened, Why "No connection to database"?

Add a "Report" button in the chat for users to put disallowed links there, and with the approval of the Moderators, every new user who shares this link will be kicked.

I'm running this as a tor hidden service, and whenever I try to send a message, it gives me "session expired" so I click "reaload postbox" and it does the same thing, same with updating staff notes, but not changing the settings. The issue persists if I connect to it from LAN (not with tor). Am I doing something wrong? I have enabled encryption and memcached and I'm using SQLite.

A spammer can abuse guest accounts to distribute questionable messages, without the staff being able to do anything about it, if they are unaware of the abusive guests. To keep the service quality high in such cases, an option should be implemented that allows disabling PMs for guests, while letting regular members still talk in private.

hi..

with every restore of the filters/linkfilters the internal shown number for both is increased every restore..

how can this be reset?

thx in advance

We changed some time ago the message encryption to use the new, safer and faster AES GCM with libsodium.

But we are reusing the IV/Nonce for the same Key. AES GCM is vulnerable in this cases. Nonces should be generated for each new message and stored with the message for decryption (a new DB column).

Exploiting this is not that easy, so we should review our threat model and decide or not to change it or maybe just put a warning on the readme...