give up

82f10359 · omar.alkheja · 6e0cc9cf · 82f10359 · 82f10359 · 82f10359
Commit 82f10359 authored 1 year ago by omar.alkheja
--- a/README.md
+++ b/README.md
 # Projet Web

+# https://sec-app-edc9f62bb6e5.herokuapp.com/
+## nous pouvons pas tester tout les fonctionalité car le site n'a pas pu se connecter à la base de donné sur heroku!
+## nous avons malheureusement pas fait les filtrages nécessaires pour les API's 
+## nous avons malheureusement pas fait les logs pour la tracabilité 
+
 ## Choix effectués 
 - Page HTML et CSS simple
 - Un fichier PHP

--- a/admin_dashbord.php
+++ b/admin_dashbord.php
 <?php

-// Enhanced security with session management and error handling
+
 session_start([
    'use_strict_mode' => true,
    'cookie_httponly' => true,
@@ -9,8 +9,17 @@ session_start([
 ]);
 include 'session_control.php';

+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
 // Ensure HTTPS is used
-if ($_SERVER['HTTPS'] !== 'on') {
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit();
 }
@@ -32,11 +41,6 @@ if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = generateToken();
 }

-// Security headers
-header("Content-Security-Policy: default-src 'self';");
-header('X-Frame-Options: DENY');
-header('X-Content-Type-Options: nosniff');
-header('Strict-Transport-Security: max-age=31536000; includeSubDomains');


 $admin_id = $_SESSION['username'];

--- a/csrf_token.php
+++ b/csrf_token.php
@@ -11,4 +11,3 @@ function generateCsrfToken() {
 function validateCsrfToken($token) {
    return isset($_SESSION['csrf_token']) && $_SESSION['csrf_token'] === $token;
 }
-?>
--- a/display.php
+++ b/display.php
@@ -7,12 +7,20 @@ session_start([
 ]);

 include 'session_control.php';
+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
 // Ensure HTTPS is used
-if ($_SERVER['HTTPS'] !== 'on') {
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit();
 }
-
 $dbPath = realpath('users.db');
 $db = new PDO("sqlite:$dbPath");

@@ -25,7 +33,6 @@ header("Content-Security-Policy: default-src 'self';");
 header('X-Frame-Options: DENY');
 header('X-Content-Type-Options: nosniff');
 header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
-
 ?>

 <!DOCTYPE html>

--- a/forgot_password.html
+++ b/forgot_password.html
@@ -13,7 +13,7 @@
        
        <form action="reset_psswd.php" method="post">
            <!--faut add value -->>
-            <input type="hidden" name="csrd_token" value="">
+            <input type="hidden" name="csrf_token" value="">
            <label for="email">Adresse e-mail:</label>
            <input type="email" id="email" name="email" placeholder="Entrez votre adresse e-mail" required>
            <input type="submit" name="reset_password" value="Réinitialiser le mot de passe">

--- a/inbox.php
+++ b/inbox.php
@@ -5,20 +5,23 @@ session_start([
    'cookie_secure' => true,
    'use_only_cookies' => true
 ]);
-
 include 'session_control.php';

 // Ensure HTTPS is used
-if ($_SERVER['HTTPS'] !== 'on') {
-    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
-    exit();
-}
-// Security headers
 header("Content-Security-Policy: default-src 'self';");
 header('X-Frame-Options: DENY');
 header('X-Content-Type-Options: nosniff');
-header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
-
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+// Ensure HTTPS is used
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
 $dbPath = realpath('users.db');
 $db = new PDO("sqlite:$dbPath");


--- a/index.php
+++ b/index.php
@@ -9,15 +9,21 @@
 <body>
    <?php
        // Ensure HTTPS is used
-        if ($_SERVER['HTTPS'] !== 'on') {
+        if (
+            (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+            && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+        ) {
            header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
            exit();
        }
+    
        // Security headers
-        header("Content-Security-Policy: default-src 'self';");
-        header('X-Frame-Options: DENY');
-        header('X-Content-Type-Options: nosniff');
-        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
+             header("Content-Security-Policy: default-src 'self';");
+            header('X-Frame-Options: DENY');
+            header('X-Content-Type-Options: nosniff');
+            header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+            header("Referrer-Policy: no-referrer");
+            header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
    ?>
    <div class="container">
        <form action="login.php" method="post">

--- a/login.php
+++ b/login.php
 <?php
+ini_set('display_errors', 1);
+ini_set('display_startup_errors', 1);
+error_reporting(E_ALL);
 include 'session_control.php';
-$dbPath = realpath('users.db');
-$db = new PDO("sqlite:$dbPath");
-$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

-// Security headers
 header("Content-Security-Policy: default-src 'self';");
 header('X-Frame-Options: DENY');
 header('X-Content-Type-Options: nosniff');
-header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
+
+$dbPath = realpath('users.db');
+$db = new PDO("sqlite:$dbPath");
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+echo "sfsfs";
+

 $loginError = ""; 

@@ -44,18 +59,6 @@ if (isset($_POST['login'])) {
            $loginError = "Identifiants incorrects!"; // Mot de passe incorrect
        }
        
-        if ($userData && password_verify($password, $user['password_hash'])) {
-            if ($userData['banned'] == 1) {
-                $loginError = "Votre compte est banni!";
-            } else {
-                // Connexion en tant qu'utilisateur normal
-                $_SESSION['username'] = $username;
-                $_SESSION['is_admin'] = false;
-                echo sprintf('<dt>%s<dt><dd>%s<dd>', 'user name ', $username);
-                echo "Connexion réussie en tant qu'utilisateur!";
-                header("Location: post_message.php");
-            }
-        }
    }
 }


--- a/logout.php
+++ b/logout.php
@@ -8,12 +8,20 @@ session_start([
    'use_only_cookies' => true
 ]);

-// Security headers
 header("Content-Security-Policy: default-src 'self';");
 header('X-Frame-Options: DENY');
 header('X-Content-Type-Options: nosniff');
-header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");

+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
 $_SESSION = array();

 // Regenerate session ID and then destroy the session
@@ -30,4 +38,3 @@ session_destroy();
 header("Location: index.php");
 exit();

-?>
\ No newline at end of file
--- a/post_message.php
+++ b/post_message.php
@@ -10,11 +10,20 @@ session_start([
    'use_only_cookies' => true
 ]);

-// Security headers
 header("Content-Security-Policy: default-src 'self';");
 header('X-Frame-Options: DENY');
 header('X-Content-Type-Options: nosniff');
-header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}

 if (isset($_POST['post_message'])) {
    $user_id = $_SESSION['username'];
@@ -23,13 +32,18 @@ if (isset($_POST['post_message'])) {
    $attachment_file = ''; 
  
    if ($_FILES['attachment']['error'] == 0) {
-        // L'utilisateur a téléchargé un fichier
-        $attachment_file = file_get_contents($_FILES['attachment']['tmp_name']);
+        // changer le nom du fichier pour eviter des probleme 
+        $newFilename = 'uploads/' . uniqid() . '_' . basename($_FILES['attachment']['name']);
+        move_uploaded_file($_FILES['attachment']['tmp_name'], $newFilename);
+        $attachment_file = file_get_contents($newFilename);
    } elseif (!empty($_POST['attachment_url'])) {
-        // L'utilisateur a fourni une URL pour la pièce jointe
-        $attachment_url = $_POST['attachment_url'];
+        $attachment_url = filter_var($_POST['attachment_url'], FILTER_VALIDATE_URL);
+        if ($attachment_url === false) {
+            echo "url non valide !!";
+        }
    }

+
    // Insérer le message dans la base de données
    $stmt = $db->prepare("INSERT INTO messages (user_id, message_text, attachment_url, attachment_file) VALUES (?, ?, ?, ?)");
    $stmt->execute([$user_id, $message_text, $attachment_url, $attachment_file]);

--- a/reply.php
+++ b/reply.php
@@ -11,12 +11,20 @@ session_start([
    'use_only_cookies' => true
 ]);

-// Security headers
 header("Content-Security-Policy: default-src 'self';");
 header('X-Frame-Options: DENY');
 header('X-Content-Type-Options: nosniff');
-header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
-
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}

 $username = $_SESSION['username'];

@@ -40,4 +48,4 @@ if (isset($_POST['reply_text'], $_POST['recipient_id'])) {
 } else {
    echo "Erreur : les données nécessaires ne sont pas fournies.";
 }
-?>
+
--- a/report.php
+++ b/report.php
 <?php
 include 'session_control.php';
-include 'csrf_token.php'; // Include CSRF token utilities
+include 'csrf_token.php'; 

 $dbPath = realpath('users.db');
 $db = new PDO("sqlite:$dbPath");

-// Add Content-Security-Policy and other headers
-header('Content-Security-Policy: default-src \'self\';');
+header("Content-Security-Policy: default-src 'self';");
 header('X-Frame-Options: DENY');
 header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}

 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Validate CSRF token
@@ -36,4 +46,4 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        exit;
    }
 }
-?>
+
--- a/reset_psswd.php
+++ b/reset_psswd.php
 <?php
 include 'csrf_token.php'; 

+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
+
 $dbPath = realpath('users.db'); 
 $db = new PDO("sqlite:$dbPath");

@@ -39,4 +54,4 @@ if (isset($_POST['reset_password'])) {
    header("Location: forgot_password.html");
    exit();
 }
-?>
+
--- a/send_message.php
+++ b/send_message.php
@@ -2,7 +2,20 @@
 include 'session_control.php';
 include 'csrf_token.php';

+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");

+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
 $dbPath = realpath('users.db');
 $db = new PDO("sqlite:$dbPath");

@@ -16,8 +29,8 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
    }
    
    // filter input
-    $to_username = filter_input(INPUT_POST, 'to_username', FILTER_SANITIZE_STRING);
-    $message_text = filter_input(INPUT_POST, 'message_text', FILTER_SANITIZE_STRING);
+    $to_username = filter_input(INPUT_POST, 'to_username', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $message_text = filter_input(INPUT_POST, 'message_text', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

    $sender_id = $_SESSION['username'];


--- a/session_control.php
+++ b/session_control.php
 <?php

 $timeout = 360; // Timeout en secondes
-ini_set("session.gc_maxlifetime", $timeout);
-ini_set("session.cookie_lifetime", $timeout);
-ini_set("session.cookie_httponly", 1);
-ini_set("session.cookie_secure", 1);
-ini_set("session.cookie_samesite", 'Strict');
+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");

+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
 session_start();

-
-
 if (!isset($_SESSION['initialized'])) {
    session_regenerate_id();
    $_SESSION['initialized'] = true;
 }

 $s_name = session_name();
-if(isset( $_COOKIE[ $s_name ] )) {
-    setcookie( $s_name, $_COOKIE[ $s_name ], time() + $timeout, '/' );
-
-    echo "New session is created .<br/>";
+if (!isset($_COOKIE[$s_name])) {
+    $_SESSION['expired'] = true; 
 } else {
-    echo   '<script type="text/javascript">
-    alert("Votre session a expiré. Veuillez vous connecter à nouveau.");
-    </script>';
-    session_destroy();
-    header("Location: index.php");
-    exit(); 
-}
-?>
\ No newline at end of file
+    setcookie($s_name, $_COOKIE[$s_name], time() + $timeout, '/');
+}
\ No newline at end of file
--- a/session_reglage.php
+++ b/session_reglage.php
 <?php
 include("session_control.php");
+
+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
+
 $dbPath = realpath('users.db');
 $db = new PDO("sqlite:$dbPath");

+
 function generateToken($length = 20) {
    return bin2hex(random_bytes($length)); // Génère un token aléatoire de 100 caractères hexadécimaux
 }
@@ -22,7 +39,7 @@ $stmt = $db->prepare("SELECT username, phone, email, birthdate, gender, token FR
 $stmt->execute([$user_id]);
 $userData = $stmt->fetch(PDO::FETCH_ASSOC);

-//$csrfToken = generateCsrfToken();
+
 ?>

 <!DOCTYPE html>

--- a/signup.php
+++ b/signup.php
 <?php
 include 'csrf_token.php'; // CSRF token utilities
+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");

+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
 $dbPath = realpath('users.db'); 
 $db = new PDO("sqlite:$dbPath");

@@ -11,13 +24,12 @@ if (isset($_POST['signup'])) {
    }

    // Input validation and sanitization
-    $new_username = filter_input(INPUT_POST, 'new_username', FILTER_SANITIZE_STRING);
-    $new_password = $_POST['new_password']; // Password will be hashed, no need to sanitize
-    $phone = $_POST['phone'];
-    $email = $_POST['email'];
-    $birthdate = $_POST['birthdate'];
-    $gender = $_POST['gender'];
-    // ... similar validation for other inputs ...
+    $new_username = filter_input(INPUT_POST, 'new_username', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $new_password = $_POST['new_password']; 
+    $phone = filter_input(INPUT_POST, 'phone', FILTER_SANITIZE_NUMBER_INT);
+    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
+    $birthdate = filter_input(INPUT_POST, 'birthdate', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $gender = filter_input(INPUT_POST, 'gender', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

    // Check for existing username
    $stmt = $db->prepare("SELECT username FROM users WHERE username = ?");
@@ -37,5 +49,4 @@ if (isset($_POST['signup'])) {
    
    header("Location: index.php"); 
    exit(); 
-}
-?>
\ No newline at end of file
+}
\ No newline at end of file
--- a/update_profile.php
+++ b/update_profile.php
 <?php
 include 'session_control.php';
 include 'csrf_token.php';
+header("Content-Security-Policy: default-src 'self';");
+header('X-Frame-Options: DENY');
+header('X-Content-Type-Options: nosniff');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); 
+header("Referrer-Policy: no-referrer");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");

+if (
+    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
+    && empty($_SERVER['HTTP_X_FORWARDED_PROTO']) || $_SERVER['HTTP_X_FORWARDED_PROTO'] !== 'https'
+) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+    exit();
+}
 // Connexion à la base de données
 $dbPath = realpath('users.db');
 $db = new PDO("sqlite:$dbPath");
@@ -13,22 +26,21 @@ if (isset($_POST['update_profile'])) {
    }
    // Récupération des nouvelles informations du formulaire
    $new_username = filter_input(INPUT_POST, 'new_username', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
-    $new_password = $_POST['new_password'];
-    $phone = filter_input(INPUT_POST, 'phone', $phone = filter_input(INPUT_POST, 'phone', FILTER_SANITIZE_NUMBER_INT));
-    $email = $_POST['email'];
-    $birthdate = $_POST['birthdate'];
-    $gender = $_POST['gender'];
+    $new_password = filter_input(INPUT_POST, 'new_password', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $phone = filter_input(INPUT_POST, 'phone', FILTER_SANITIZE_NUMBER_INT);
+    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
+    $birthdate = filter_input(INPUT_POST, 'birthdate', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $gender = filter_input(INPUT_POST, 'gender', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

    // Mise à jour des informations de l'utilisateur dans la base de données
    $stmt = $db->prepare("UPDATE users SET username = ?, password = ?, phone = ?, email = ?, birthdate = ?, gender = ? WHERE username = ?");
    $stmt->execute([$new_username, $new_password, $phone, $email, $birthdate, $gender, $_SESSION['username']]);

    // Redirection vers la page de profil mise à jour ou autre page appropriée
-    header("Location: index.php"); // Remplacez "profile.php" par l'URL souhaité
+    header("Location: index.php"); 
    exit();
 }
 ?>
-
 <!DOCTYPE html>
 <html lang="fr">
 <head>
@@ -45,8 +57,6 @@ if (isset($_POST['update_profile'])) {
    <div class="container">
        <form action="update_profile.php" method="post">
            <h2>Modifier vos informations</h2>
-            <!-- Les champs du formulaire -->
-            <!-- ... -->
            <input type="submit" name="update_profile" value="Enregistrer les modifications">
        </form>
    </div>