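/**
 * Password-recovery handler: finds the account for the submitted e-mail address, stores a
 * newly generated password for it, mails that password to the address and redirects to login.
 *
 * Reads $data['Email'] and appends error messages to $hasError (both globals). On success it
 * writes the confirmation texts to $_SESSION, sends a Location header and exits.
 */
function do_register()
{
    global $hasError, $data;

    // Stop on a failed captcha before touching the database: the "not registered" message
    // further down would otherwise tell a client that did not pass the captcha whether an
    // address has an account.
    validar_captcha($hasError);
    if (!empty($hasError)) {
        return;
    }

    // A missing field becomes an empty string instead of an undefined-index notice.
    $user_email = isset($data['Email']) ? $data['Email'] : '';

    // Minimal shape check; the split below needs both a local part and a domain.
    if (strpos($user_email, '@') === false) {
        $hasError[] = "El correo electrónico introducido no es válido.";
        return;
    }

    // Addresses of the form user+extension@domain count as the account user@domain, so the
    // lookup matches both the plain address and any "+extension" variant of it.
    list($local, $domain) = explode('@', $user_email, 2);
    $subparts = explode('+', $local);
    $base = $subparts[0];

    // The values come from the request, so both the exact value and the LIKE pattern are
    // escaped for the SQL string literal. In the pattern, '%' and '_' from the user text are
    // escaped first so that only the '%' appended here acts as a wildcard.
    $exact   = mysql_real_escape_string($base . '@' . $domain);
    $pattern = mysql_real_escape_string(addcslashes($base, '%_') . '+%@' . addcslashes($domain, '%_'));

    $rs_check = mysql_query("select `id` from users where (user_email = '{$exact}' or user_email LIKE '{$pattern}') AND banned=0 limit 1") or die(mysql_error());
    if (mysql_num_rows($rs_check) <= 0) {
        $hasError[] = "El correo electrónico introducido no está registrado o la cuenta está anulada.";
        return;
    }

    list($id) = mysql_fetch_row($rs_check);
    $new_pwd = GenKey();
    // The hash produced by PwdHash() is escaped like any other value placed in a string literal.
    $pwd_reset = mysql_real_escape_string(PwdHash($new_pwd));
    // id was interpolated unquoted in the original query, i.e. it is a numeric key; the cast keeps it numeric.
    mysql_query("update users set pwd='{$pwd_reset}' WHERE id=" . (int) $id) or die(mysql_error());

    // NOTE(review): the new password travels in cleartext e-mail; a single-use reset link would avoid that.
    enviar_correo_recover($user_email, $new_pwd);
    $_SESSION['hasSuccessRecover'] = "Te hemos enviado un mensaje a {$user_email} con tu nueva contraseña.";
    $_SESSION['hasInfoRecover'] = "Si no recibes el correo en unos instantes revisa también en la carpeta de spam.";
    header("Location: login.php");
    exit;
}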
     }
     //check against salt
     if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) {
         if (empty($err)) {
             // this sets session and logs user in
             session_start();
             session_regenerate_id(true);
             //prevent against session fixation attacks.
             // this sets variables in the session
             $_SESSION['user_id'] = $id;
             $_SESSION['user_name'] = $user_name;
             $_SESSION['user_level'] = $user_level;
             $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
             //update the timestamp and key for cookie
             $stamp = time();
             $ckey = GenKey();
             $sid = sha1('occasions2011' . session_id());
             mysql_query("UPDATE {$const['TBL_USERS']} SET ctime='{$stamp}', ckey='{$ckey}', sid='{$sid}' WHERE id='{$id}'") or die(mysql_error());
             //set a cookie
             if (isset($_POST['remember'])) {
                 setcookie("user_id", $_SESSION['user_id'], time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
                 setcookie("user_key", sha1($ckey), time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
                 setcookie("user_name", $_SESSION['user_name'], time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
             }
             header("Location: " . PAGE_HOME);
         }
     } else {
         $err[] = "Invalid Login. Please try again with the correct user email and password.";
     }
 } else {
     $err[] = "Error - Invalid login. No such user exists";
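/**
 * JSON login endpoint (mysqli variant). Authenticates the POSTed user_email/pass pair, starts
 * the session, optionally sets "remember me" cookies and echoes the matching user rows as JSON.
 *
 * On failure it echoes {"errorCode": n}: 1 = no such user, 2 = wrong password,
 * 3 = account not approved (this one also exits).
 *
 * Uses the global mysqli link $link.
 */
function login()
{
    global $link;

    // Missing fields become empty strings instead of undefined-index notices.
    $user_email = isset($_POST['user_email']) ? $_POST['user_email'] : '';
    $pass       = isset($_POST['pass']) ? $_POST['pass'] : '';

    // A value without '@' is looked up as a user name, otherwise as an e-mail address.
    $column = (strpos($user_email, '@') === false) ? 'user_name' : 'user_email';

    // The column name is one of two fixed literals; the user-supplied value is bound as a
    // parameter, so it never becomes part of the SQL text.
    $stmt = mysqli_prepare(
        $link,
        "SELECT `id`,`pwd`,`full_name`,`approved`,`user_level`,`user_email` FROM users WHERE `{$column}` = ? AND `banned` = '0'"
    ) or die(mysqli_error($link));
    mysqli_stmt_bind_param($stmt, 's', $user_email);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    $res = mysqli_stmt_get_result($stmt) or die(mysqli_stmt_error($stmt));
    $rows = mysqli_fetch_all($res, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);

    if (count($rows) === 0) {
        $msg = array('errorCode' => 1);
        echo json_encode($msg);
        return;
    }

    // Response payload: every matching row without its password hash, with the same columns in
    // the same order as before (the order is visible in the JSON output).
    $user = array();
    foreach ($rows as $row) {
        $user[] = array(
            'id'         => $row['id'],
            'full_name'  => $row['full_name'],
            'user_level' => $row['user_level'],
            'user_email' => $row['user_email'],
        );
    }

    // The first row is the one authenticated against.
    $row = $rows[0];
    $id         = $row['id'];
    $pwd        = $row['pwd'];
    $full_name  = $row['full_name'];
    $approved   = $row['approved'];
    $user_level = $row['user_level'];
    $user_email = $row['user_email'];

    if (!$approved) {
        $msg = array('errorCode' => 3);
        echo json_encode($msg);
        exit;
    }

    // The stored hash's first 9 characters are handed to PwdHash() as the salt; hash_equals()
    // compares the result without depending on where the strings first differ.
    if (!hash_equals((string) $pwd, (string) PwdHash($pass, substr($pwd, 0, 9)))) {
        $msg = array('errorCode' => 2);
        echo json_encode($msg);
        return;
    }

    // this sets session and logs user in
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // A new session id on login, so a pre-login session id is not carried over.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $id;
    $_SESSION['user_email'] = $user_email;
    $_SESSION['user_name']  = $full_name;
    $_SESSION['user_level'] = $user_level;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Record the login time and a fresh key; sha1($ckey) becomes the remember-me cookie value.
    // (The original reported failures here with mysql_error(), which does not apply to a mysqli link.)
    $stamp = time();
    $ckey = GenKey();
    $stmt = mysqli_prepare($link, "update users set `ctime` = ?, `ckey` = ? where id = ?") or die(mysqli_error($link));
    // All three were quoted string literals in the original query, so they are bound as strings.
    mysqli_stmt_bind_param($stmt, 'sss', $stamp, $ckey, $id);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_close($stmt);

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        setcookie("user_id", $_SESSION['user_id'], $expires, "/");
        // The key cookie is the credential: httponly keeps it out of reach of page scripts.
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/");
        setcookie("user_email", $_SESSION['user_email'], $expires, "/");
        // NOTE(review): cookies are client-controlled; whatever reads user_level/user_id back
        // must validate them against the stored ckey rather than trust the values.
        setcookie("user_level", $_SESSION['user_level'], $expires, "/");
    }
    echo json_encode($user);
}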
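/**
 * Form login handler (mysql_* variant). On a "Login" POST it authenticates usr_email/pwd,
 * starts the session, optionally sets "remember me" cookies and redirects to myaccount.php.
 *
 * @return array list of error messages; empty when the request was not a login submission.
 *               A successful login sends a Location header and exits, so it never returns.
 */
function login() {
    include 'datalink.php';

    $err = array();

    // Only the login form submission is handled. ($_GET used to be copied into an array that
    // nothing read; that copy is gone.)
    if (!isset($_POST['doLogin']) || $_POST['doLogin'] !== 'Login') {
        return $err;
    }

    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value); // post variables are filtered
    }

    // Missing fields become empty strings instead of undefined-index notices.
    $user_email = isset($data['usr_email']) ? $data['usr_email'] : '';
    $pass       = isset($data['pwd']) ? $data['pwd'] : '';

    // filter() is project code whose effect is not visible here; nothing in this file shows it
    // escaping for SQL, so the value is escaped for the string literal before it enters the
    // query. If filter() already escapes for SQL, drop this call to avoid double escaping.
    $user_email_sql = mysql_real_escape_string($user_email);

    // A value without '@' is looked up as a user name, otherwise as an e-mail address.
    if (strpos($user_email, '@') === false) {
        $user_cond = "user_name='{$user_email_sql}'";
    } else {
        $user_cond = "user_email='{$user_email_sql}'";
    }

    $result = mysql_query("SELECT `id`,`pwd`,`full_name`,`approved`,`user_level` FROM users WHERE {$user_cond} AND `banned` = '0'") or die(mysql_error());
    if (mysql_num_rows($result) <= 0) {
        $err[] = "Error - Invalid login. No such user exists";
        return $err;
    }

    list($id, $pwd, $full_name, $approved, $user_level) = mysql_fetch_row($result);

    if (!$approved) {
        $err[] = "Account not activated. Please check your email for activation code";
    }

    // The stored hash's first 9 characters are handed to PwdHash() as the salt; hash_equals()
    // compares the result without depending on where the strings first differ.
    if (!hash_equals((string) $pwd, (string) PwdHash($pass, substr($pwd, 0, 9)))) {
        $err[] = "Invalid Login. Please try again with correct user email and password.";
    }
    if (!empty($err)) {
        return $err;
    }

    // this sets session and logs user in
    session_start();
    session_regenerate_id(true); // a new id on login, so a pre-login session id is not carried over

    $_SESSION['user_id']    = $id;
    $_SESSION['user_name']  = $full_name;
    $_SESSION['user_level'] = $user_level;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Record the login time and a fresh key; sha1($ckey) becomes the remember-me cookie value.
    $stamp = time();
    $ckey = GenKey();
    mysql_query("update users set `ctime`='" . (int) $stamp . "', `ckey` = '" . mysql_real_escape_string($ckey) . "' where id='" . mysql_real_escape_string($id) . "'") or die(mysql_error());

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        setcookie("user_id", $_SESSION['user_id'], $expires, "/");
        // The key cookie is the credential: httponly keeps it out of reach of page scripts.
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/");
    }
    header("Location: myaccount.php");
    // Without this the rest of the calling page would still run (and render) after the redirect header.
    exit;
}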
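/**
 * AJAX login check (mysql_* variant). Reads username/password from POST, verifies them against
 * the users table, starts the session on success and echoes a plain-text result: "true" on
 * success, otherwise "Wrong Username", "Wrong Password" or the not-verified notice.
 *
 * Uses the global connection settings $mysql_hostname, $mysql_username, $mysql_password
 * and $mysql_dbname.
 */
function check()
{
    global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;

    // username and password sent from form; missing fields become empty strings
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    // NOTE(review): htmlentities()/stripslashes() are applied before the password is hashed, so
    // the check only matches hashes produced from the same transformed value at registration.
    // Kept as-is — confirm against the registration code.
    $username = stripslashes(htmlentities($username));
    $password = stripslashes(htmlentities($password));

    $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
    if (!$conn) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db($mysql_dbname, $conn);

    // htmlentities() is an HTML-context escape and does nothing for SQL; the value goes through
    // the connection's own escaping before it is placed in a string literal.
    $username_sql = mysql_real_escape_string($username, $conn);
    // (The listing this was taken from shows the value redacted as '******'; the lookup is by
    // the submitted user name, which is what the rest of the function assumes.)
    $result = mysql_query("SELECT * FROM users WHERE username='{$username_sql}'", $conn);
    if (!$result) {
        $error = mysql_error($conn);
        mysql_close($conn);
        die('Query failed: ' . $error);
    }

    // Exactly one row must match the submitted user name.
    if (mysql_num_rows($result) !== 1) {
        mysql_close($conn);
        echo "Wrong Username";
        return;
    }

    $ret = mysql_fetch_array($result, MYSQL_ASSOC);
    $pwd = $ret['password'];
    // The stored hash's first 9 characters are handed to PwdHash() as the salt. hash_equals()
    // replaces the loose == comparison, which compares two numeric-looking strings as numbers.
    if (!hash_equals((string) $pwd, (string) PwdHash($password, substr($pwd, 0, 9)))) {
        mysql_close($conn);
        echo "Wrong Password";
        return;
    }

    if (!$ret['flag']) {
        mysql_close($conn);
        echo "Account not verified.Please check your email for verification link";
        die;
    }

    // this sets session and logs user in
    session_start();
    session_regenerate_id(true); // a new id on login, so a pre-login session id is not carried over
    $_SESSION['username'] = $username;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Record the login time and a fresh key; sha1($ckey) becomes the remember-me cookie value.
    $stamp = time();
    $ckey = GenKey();
    $ckey_sql = mysql_real_escape_string($ckey, $conn);
    $upd_qry = "UPDATE users SET ctime=" . (int) $stamp . ",ckey='{$ckey_sql}' WHERE username='{$username_sql}'";
    // A failed update used to be ignored, leaving the cookie key out of step with the table.
    mysql_query($upd_qry, $conn) or die(mysql_error($conn));

    if (isset($_POST['remember']) && $_POST['remember'] === "true") {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        setcookie("username", $_SESSION['username'], $expires, "/");
        // The key cookie is the credential: httponly keeps it out of reach of page scripts.
        setcookie("userkey", sha1($ckey), $expires, "/", "", false, true);
    }
    mysql_close($conn);
    echo "true";
    die;
}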
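/**
 * Login handler: authenticates the posted UserNameEmail/Password pair, records the login,
 * sets up the session (and optional "remember me" cookies) and redirects to myaccount.php.
 *
 * Reads $data (request fields) and $mostrar_captcha, and appends error messages to $hasError
 * (all globals). A successful login sends a Location header and exits.
 */
function do_register()
{
    global $hasError, $data, $mostrar_captcha;

    if ($mostrar_captcha) {
        // A failed captcha ends the request before any credential is checked, so the captcha
        // actually limits guessing of user/password pairs.
        if (!validar_captcha($hasError)) {
            return;
        }
    }

    // Missing fields become empty strings instead of undefined-index notices.
    $user_email = isset($data['UserNameEmail']) ? $data['UserNameEmail'] : '';
    $pass       = isset($data['Password']) ? $data['Password'] : '';

    if (strpos($user_email, '@') === false) {
        // No '@': treat the value as a user name. Escaped for the SQL string literal.
        $user_cond = "user_name='" . mysql_real_escape_string($user_email) . "'";
    } else {
        // Addresses of the form user+extension@domain count as the account user@domain, so the
        // condition matches both the plain address and any "+extension" variant of it.
        list($local, $domain) = explode('@', $user_email, 2);
        $subparts = explode('+', $local);
        $base = $subparts[0];
        // In the LIKE pattern, '%' and '_' from the user text are escaped first so that only the
        // '%' appended here acts as a wildcard; both values are then escaped for the literal.
        $exact   = mysql_real_escape_string($base . '@' . $domain);
        $pattern = mysql_real_escape_string(addcslashes($base, '%_') . '+%@' . addcslashes($domain, '%_'));
        $user_cond = "(user_email='{$exact}' or user_email LIKE '{$pattern}')";
    }

    $result = mysql_query("SELECT `id`,`pwd`,`user_name`,`approved`,`banned`,`user_level` FROM users WHERE {$user_cond} limit 1") or die(mysql_error());
    if (mysql_num_rows($result) <= 0) {
        $hasError[] = "Usuario o correo electrónico inexistente.";
        return;
    }

    list($id, $pwd, $user_name, $approved, $banned, $user_level) = mysql_fetch_row($result);
    if ($banned) {
        $hasError[] = "Cuenta anulada.";
        return;
    }
    if (!$approved) {
        $hasError[] = "Cuenta registrada pero aún no activada. Revisa tu buzón de correo y sigue el enlace que allí aparece.";
        return;
    }

    // The stored hash's first 9 characters are handed to PwdHash() as the salt; hash_equals()
    // compares the result without depending on where the strings first differ.
    if (!hash_equals((string) $pwd, (string) PwdHash($pass, substr($pwd, 0, 9)))) {
        $hasError[] = "Contraseña incorrecta. Vuelve a intentarlo.";
        return;
    }

    log_insert("login_ok", $id, $id);
    // A new session id on login, so a pre-login session id is not carried over. (Assumes the
    // session was started earlier in the request, as the original did.)
    session_regenerate_id(true);
    $_SESSION['user_id']    = $id;
    $_SESSION['user_name']  = $user_name;
    $_SESSION['user_level'] = $user_level;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Record the login time and a fresh key; sha1($ckey) becomes the remember-me cookie value.
    $stamp = time();
    $ckey = GenKey();
    mysql_query("update users set `ctime`='" . (int) $stamp . "', `ckey` = '" . mysql_real_escape_string($ckey) . "' where id='" . mysql_real_escape_string($id) . "'") or die(mysql_error());

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        setcookie("user_id", $_SESSION['user_id'], $expires, "/");
        // The key cookie is the credential: httponly keeps it out of reach of page scripts.
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/");
    }
    header("Location: myaccount.php");
    exit;
}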