function recover()
{
$err = array();
$msg = array();
foreach ($_POST as $key => $value) {
$data[$key] = filter($value);
}
if (!isEmail($data['user_email'])) {
$err[] = "ERROR - Please enter a valid email";
}
$user_email = $data['user_email'];
//check if activ code and user is valid as precaution
$rs_check = mysql_query("select id from users where user_email='{$user_email}'") or die(mysql_error());
$num = mysql_num_rows($rs_check);
// Match row found with more than 1 results - the user is authenticated.
if ($num <= 0) {
$err[] = "Error - Sorry no such account exists or registered.";
//header("Location: forgot.php?msg=$msg");
//exit();
}
if (empty($err)) {
$new_pwd = GenPwd();
$pwd_reset = PwdHash($new_pwd);
//$sha1_new = sha1($new);
//set update sha1 of new password + salt
$rs_activ = mysqli_query($link, "update users set pwd='{$pwd_reset}' WHERE \n\t\t\t\t\t\t\t user_email='{$user_email}'") or die(mysql_error());
$host = $_SERVER['HTTP_HOST'];
$host_upper = strtoupper($host);
//send email
$message = "Here are your new password details ...\n\n\tUser Email: {$user_email} \n\n\tPasswd: {$new_pwd} \n\n\n\tThank You\n\n\tAdministrator\n\t{$host_upper}\n\t______________________________________________________\n\tTHIS IS AN AUTOMATED RESPONSE. \n\t***DO NOT RESPOND TO THIS EMAIL****\n\t";
mail($user_email, "Reset Password", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion());
$msg[] = "Your account password has been reset and a new password has been sent to your email address.";
}
}
function do_register()
{
global $hasError, $data, $dbc, $globals, $mostrar_captcha;
validar_captcha($hasError);
// PENDIENTE: VALIDAR EMAIL ... y en register.php
$user_email = $data['Email'];
// Valido si existe ya el email
$parts = explode('@', $user_email);
$subparts = explode('+', $parts[0]);
// se permiten direcciones del tipo user+extension@gmail.com, que debemos controlar para no permitir abusos
$rs_check = mysql_query("select `id` from users where (user_email = '{$subparts['0']}@{$parts['1']}' or user_email LIKE '{$subparts['0']}+%@{$parts['1']}') AND banned=0 limit 1") or die(mysql_error());
$num = mysql_num_rows($rs_check);
if ($num <= 0) {
$hasError[] = "El correo electrónico introducido no está registrado o la cuenta está anulada.";
return;
}
if (empty($hasError)) {
$new_pwd = GenKey();
$pwd_reset = PwdHash($new_pwd);
list($id) = mysql_fetch_row($rs_check);
$rs_activ = mysql_query("update users set pwd='{$pwd_reset}' WHERE \n id={$id}") or die(mysql_error());
enviar_correo_recover($user_email, $new_pwd);
$_SESSION['hasSuccessRecover'] = "Te hemos enviado un mensaje a {$user_email} con tu nueva contraseña.";
$_SESSION['hasInfoRecover'] = "Si no recibes el correo en unos instantes revisa también en la carpeta de spam.";
header("Location: login.php");
exit;
}
}
}
// Validate User Name
if (!isUserID($data['user_name'])) {
$err[] = "ERROR - Invalid user name. It can contain alphabet, number and underscore.";
}
// Validate Email
if (!isEmail($data['usr_email'])) {
$err[] = "ERROR - Invalid email address.";
}
// Check User Passwords
if (!checkPwd($data['pwd'], $data['pwd2'])) {
$err[] = "ERROR - Invalid Password or mismatch. Enter 5 chars or more";
}
$user_ip = $_SERVER['REMOTE_ADDR'];
// stores sha1 of password
$sha1pass = PwdHash($data['pwd']);
// Automatically collects the hostname or domain like example.com)
$host = $_SERVER['HTTP_HOST'];
$host_upper = strtoupper($host);
$path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
// Generates activation code simple 4 digit number
$activ_code = rand(1000, 9999);
$usr_email = $data['usr_email'];
$user_name = $data['user_name'];
/************ USER EMAIL CHECK ************************************
This code does a second check on the server side if the email already exists. It
queries the database and if it has any existing email it throws user email already exists
*******************************************************************/
//$rs_duplicate = mysql_query("select count(*) as total from {$const['TBL_USERS']} where user_email='$usr_email' OR user_name='$user_name'") or die(mysql_error());
$rs_duplicate = mysql_query("select count(*) as total from {$const['TBL_USERS']} where user_name='{$user_name}'") or die(mysql_error());
list($total) = mysql_fetch_row($rs_duplicate);
if (!isEmail($data['user_email'])) {
$err[] = "ERROR - Please enter a valid email";
}
$user_email = $data['user_email'];
//check if activ code and user is valid as precaution
$rs_check = mysqli_query($link, "select id from users where user_email='{$user_email}'") or die(mysql_error());
$num = mysqli_num_rows($link, $rs_check);
// Match row found with more than 1 results - the user is authenticated.
if ($num <= 0) {
$err[] = "Error - Sorry no such account exists or registered.";
//header("Location: forgot.php?msg=$msg");
//exit();
}
if (empty($err)) {
$new_pwd = GenPwd();
$pwd_reset = PwdHash($new_pwd);
//$sha1_new = sha1($new);
//set update sha1 of new password + salt
$rs_activ = mysqli_query($link, "update users set pwd='{$pwd_reset}' WHERE \n\t\t\t\t\t\t user_email='{$user_email}'") or die(mysql_error());
$host = $_SERVER['HTTP_HOST'];
$host_upper = strtoupper($host);
//send email
$message = "Here are your new password details ...\n\nUser Email: {$user_email} \n\nPasswd: {$new_pwd} \n\n\nThank You\n\nAdministrator\n{$host_upper}\n______________________________________________________\nTHIS IS AN AUTOMATED RESPONSE. \n***DO NOT RESPOND TO THIS EMAIL****\n";
mail($user_email, "Reset Password", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion());
$msg[] = "Your account password has been reset and a new password has been sent to your email address.";
//$msg = urlencode();
//header("Location: forgot.php?msg=$msg");
//exit();
}
}
?>
// $_SESSION['user'] = $user;
header("Location: index.php");
} else {
// $msg = urlencode("Invalid Login. Please try again with correct user email and password. ");
$err[] = "Invalid Login. Please try again with correct user email and password.";
header("Location: login.php");
}
}
}
if ($_POST['type'] == 'recruiter') {
$check_user_sql = "select userid,recid from recruiter WHERE UserID='{$userid}'";
$result2 = mysqli_query($dbcon, $check_user_sql);
if (mysqli_num_rows($result2) == 1) {
list($userid2, $recid) = mysqli_fetch_row($result2);
$pwd = PwdHash($password, substr($password, 0, 9));
if ($pwd === PwdHash($user_pass, substr($password, 0, 9))) {
session_start();
session_regenerate_id(true);
// prevent against session fixation attacks.
// this sets variables in the session
$_SESSION['user_name'] = $username;
$_SESSION['user_email'] = $email;
$_SESSION['user_fname'] = $fname;
$_SESSION['user_mname'] = $mname;
$_SESSION['user_lname'] = $lname;
$_SESSION['recid'] = $recid;
// $_SESSION['user_level'] = $user_level;
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
// $_SESSION['user'] = $user;
header("Location: RecruiterAppReview.php");
} else {
}
?>
</p>
<?php
if ($_POST['doSubmit'] == 'Create') {
$rs_dup = mysql_query("select count(*) as total from users where user_name='{$post['user_name']}' OR user_email='{$post['user_email']}'") or die(mysql_error());
list($dups) = mysql_fetch_row($rs_dup);
if ($dups > 0) {
die("The user name or email already exists in the system");
}
if (!empty($_POST['pwd'])) {
$pwd = $post['pwd'];
$hash = PwdHash($post['pwd']);
} else {
$pwd = GenPwd();
$hash = PwdHash($pwd);
}
mysql_query("INSERT INTO users (`user_name`,`user_email`,`pwd`,`approved`,`date`,`user_level`)\r\n\t\t\t VALUES ('{$post['user_name']}','{$post['user_email']}','{$hash}','1',now(),'{$post['user_level']}')\r\n\t\t\t ") or die(mysql_error());
$message = "Thank you for registering with us. Here are your login details...\n\r\nUser Email: {$post['user_email']} \n\r\nPasswd: {$pwd} \n\r\n\r\n*****LOGIN LINK*****\n\r\nhttp://{$host}{$path}/login.php\r\n\r\nThank You\r\n\r\nAdministrator\r\n{$host_upper}\r\n______________________________________________________\r\nTHIS IS AN AUTOMATED RESPONSE.\r\n***DO NOT RESPOND TO THIS EMAIL****\r\n";
if ($_POST['send'] == '1') {
mail($post['user_email'], "Login Details", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion());
}
echo "<div class=\"msg\">User created with password {$pwd}....done.</div>";
}
?>
<h2><font color="#FF0000">Create New User</font></h2>
<table width="80%" border="0" cellpadding="5" cellspacing="2" class="myaccount">
<tr>
<td><form name="form1" method="post" action="admin.php">
<p>User ID
$pass = $data['pwd'];
if (strpos($user_email, '@') === false) {
$user_cond = "user_name='{$user_email}'";
} else {
$user_cond = "user_email='{$user_email}'";
}
$result = mysql_query("SELECT `id`,`pwd`,`full_name`,`user_name`,`approved`,`user_level` FROM {$const['TBL_USERS']} WHERE {$user_cond} AND `banned` = '0'") or die(mysql_error());
$num = mysql_num_rows($result);
// Match row found with more than 1 results - the user is authenticated.
if ($num > 0) {
list($id, $pwd, $full_name, $user_name, $approved, $user_level) = mysql_fetch_row($result);
if (!$approved) {
$err[] = "Account not activated. Please check your email for activation code";
}
//check against salt
if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) {
if (empty($err)) {
// this sets session and logs user in
session_start();
session_regenerate_id(true);
//prevent against session fixation attacks.
// this sets variables in the session
$_SESSION['user_id'] = $id;
$_SESSION['user_name'] = $user_name;
$_SESSION['user_level'] = $user_level;
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
//update the timestamp and key for cookie
$stamp = time();
$ckey = GenKey();
$sid = sha1('occasions2011' . session_id());
mysql_query("UPDATE {$const['TBL_USERS']} SET ctime='{$stamp}', ckey='{$ckey}', sid='{$sid}' WHERE id='{$id}'") or die(mysql_error());
function check()
{
global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;
// username and password sent from form
$username = $_POST['username'];
$password = $_POST['password'];
//Filter out html entities to preve nt XSS attacks
$username = htmlentities($username);
$password = htmlentities($password);
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
if (!$conn) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db($mysql_dbname);
$sql = "SELECT * FROM users WHERE username='******'";
$result = mysql_query($sql, $conn);
// Mysql_num_row is counting table row
$count = mysql_num_rows($result);
// If result matched $username table row must be 1 row
if ($count == 1) {
$ret = mysql_fetch_array($result, MYSQL_ASSOC);
//authenticated user
$pwd = $ret['password'];
if ($pwd == PwdHash($password, substr($pwd, 0, 9))) {
if (!$ret['flag']) {
mysql_close($conn);
echo "Account not verified.Please check your email for verification link";
die;
} else {
// this sets session and logs user in
session_start();
session_regenerate_id(true);
//prevent against session fixation attacks.
// this sets variables in the session
$_SESSION['username'] = $username;
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
//update the timestamp and key for cookie
$stamp = time();
$ckey = GenKey();
$upd_qry = "UPDATE users SET ctime={$stamp},ckey='{$ckey}' WHERE username='******'";
mysql_query($upd_qry, $conn);
//set a cookie
if ($_POST['remember'] == "true") {
setcookie("username", $_SESSION['username'], time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
setcookie("userkey", sha1($ckey), time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
}
mysql_close($conn);
echo "true";
//header("Location : http://www.google.com");
die;
}
} else {
mysql_close($conn);
echo "Wrong Password";
}
} else {
mysql_close($conn);
echo "Wrong Username";
}
}
include 'src/Instagram.php';
use MetzWeb\Instagram\Instagram;
include '../initialize.php';
page_protect();
$err = array();
$msg = array();
if ($_POST['SUBMIT_BUTTON_NAME'] == 'Update') {
$addsite = $_POST['site'];
mysql_query("update users set rss=CONCAT('{$addsite}',',',rss) where id='{$_SESSION['user_id']}'");
}
if ($_POST['doUpdate'] == 'Update') {
$rs_pwd = mysql_query("select pwd from users where id='{$_SESSION['user_id']}'");
list($old) = mysql_fetch_row($rs_pwd);
$old_salt = substr($old, 0, 9);
if ($old === PwdHash($_POST['pwd_old'], $old_salt)) {
$newsha1 = PwdHash($_POST['pwd_new']);
mysql_query("update users set pwd='{$newsha1}' where id='{$_SESSION['user_id']}'");
$msg[] = "Your new password is updated";
} else {
$err[] = "Your old password is invalid";
}
}
if ($_POST['doSave'] == 'Save') {
foreach ($_POST as $key => $value) {
$data[$key] = filter($value);
}
mysql_query("UPDATE users SET\r\n WHERE id='{$_SESSION['user_id']}'\r\n ") or die(mysql_error());
$msg[] = "Profile Sucessfully saved";
}
$rs_settings = mysql_query("select * from users where id='{$_SESSION['user_id']}'");
$instagram = new Instagram(array('apiKey' => $apikey, 'apiSecret' => $apisecret, 'apiCallback' => $callback));
function reset_pwd()
{
global $link;
function get_include_contents($filename, $variablesToMakeLocal)
{
extract($variablesToMakeLocal);
if (is_file($filename)) {
ob_start();
include $filename;
return ob_get_clean();
}
return false;
}
$err = array();
$msg = array();
foreach ($_POST as $key => $value) {
$data[$key] = filter($value);
}
if (!isEmail($data['user_email'])) {
$err[] = "ERROR - Please enter a valid email";
}
$user_email = $data['user_email'];
$new_pwd = $data['pass'];
//check if activ code and user is valid as precaution
$pwd_reset = PwdHash($new_pwd);
//$sha1_new = sha1($new);
//set update sha1 of new password + salt
mysqli_query($link, "update users set pwd='{$pwd_reset}' WHERE \n\t\t\t\t\t\t user_email='{$user_email}'") or die(mysql_error());
$host = $_SERVER['HTTP_HOST'];
$host_upper = strtoupper($host);
if (empty($err)) {
$host = $_SERVER['HTTP_HOST'];
$host_upper = strtoupper($host);
//send email
$mail = new PHPMailer();
$mail->isSMTP();
// Set mailer to use SMTP
$mail->Host = 'smtp.gmail.com';
// Specify main and backup server
$mail->SMTPAuth = true;
// Enable SMTP authentication
$mail->Username = '******';
// SMTP username
$mail->Password = '******';
// SMTP password
$mail->SMTPSecure = 'tls';
// Enable encryption, 'ssl' also accepted
$mail->Port = 587;
//Set the SMTP port number - 587 for authenticated TLS
$mail->setFrom('*****@*****.**', 'Lake Nona');
//Set who the message is to be sent from
//$mail->addReplyTo('*****@*****.**', 'First Last'); //Set an alternative reply-to address
$mail->addAddress($user_email, $user_name);
// Add a recipient
//$mail->addAddress('*****@*****.**'); // Name is optional
//$mail->addCC('*****@*****.**');
//$mail->addBCC('*****@*****.**');
$mail->WordWrap = 50;
// Set word wrap to 50 characters
//$mail->addAttachment('/usr/labnol/file.doc'); // Add attachments
//$mail->addAttachment('/images/image.jpg', 'new.jpg'); // Optional name
$mail->isHTML(true);
// Set email format to HTML
// $mail->SMTPDebug = 2;
$mail->Subject = 'GroupX onDemand Password Recovery Link';
$variable['user_username'] = $data['user_name'];
$variable['user_name'] = $data['user_name'];
$variable['user_email'] = $data['user_email'];
$variable['host'] = $host;
$variable['path'] = $path;
$variable['activ_code'] = $activ_code;
$variable['id'] = $md5_id;
//$mail->Body = 'This is the HTML message body <b>in bold!</b>';
//$mail->AltBody = 'HEllo JIm Reydnolds this is a test';
//Read an HTML message body from an external file, convert referenced images to embedded,
//convert HTML into a basic plain-text alternative body
$mail->Body = get_include_contents('recover.php', $variable);
$mail->Send();
$msg['errorCode'] = 1;
echo json_encode($msg);
exit;
} else {
if (!$mail->send()) {
echo 'Message could not be sent.';
echo 'Mailer Error: ' . $mail->ErrorInfo;
exit;
}
}
}
function register() {
include 'datalink.php';
$err = array();
if($_POST['doRegister'] == 'Register')
{
/******************* Filtering/Sanitizing Input *****************************
This code filters harmful script code and escapes data of all POST data
from the user submitted form.
*****************************************************************/
foreach($_POST as $key => $value) {
$data[$key] = filter($value);
}
/************************ SERVER SIDE VALIDATION **************************************/
/********** This validation is useful if javascript is disabled in the browswer ***/
if(empty($data['full_name']) || strlen($data['full_name']) < 4)
{
$err[] = "ERROR - Invalid name. Please enter atleast 3 or more characters for your name";
//header("Location: register.php?msg=$err");
//exit();
}
// Validate User Name
if (!isUserID($data['user_name'])) {
$err[] = "ERROR - Invalid user name. It can contain alphabet, number and underscore.";
//header("Location: register.php?msg=$err");
//exit();
}
// Validate Email
if(!isEmail($data['usr_email'])) {
$err[] = "ERROR - Invalid email address.";
//header("Location: register.php?msg=$err");
//exit();
}
// Check User Passwords
if (!checkPwd($data['pwd'],$data['pwd2'])) {
$err[] = "ERROR - Invalid Password or mismatch. Enter 5 chars or more";
//header("Location: register.php?msg=$err");
//exit();
}
$user_ip = $_SERVER['REMOTE_ADDR'];
// stores sha1 of password
$sha1pass = PwdHash($data['pwd']);
// Automatically collects the hostname or domain like example.com)
$host = $_SERVER['HTTP_HOST'];
$host_upper = strtoupper($host);
$path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
// Generates activation code simple 4 digit number
$activ_code = rand(1000,9999);
$usr_email = $data['usr_email'];
$user_name = $data['user_name'];
/************ USER EMAIL CHECK ************************************
This code does a second check on the server side if the email already exists. It
queries the database and if it has any existing email it throws user email already exists
*******************************************************************/
$rs_duplicate = mysql_query("select count(*) as total from users where user_email='$usr_email' OR user_name='$user_name'") or die(mysql_error());
list($total) = mysql_fetch_row($rs_duplicate);
if ($total > 0)
{
$err[] = "ERROR - The username/email already exists. Please try again with different username and email.";
//header("Location: register.php?msg=$err");
//exit();
}
/***************************************************************************/
if(empty($err)) {
$sql_insert = "INSERT into `users`
(`first_name`, `last_name`, `user_name`, `user_email`,`pwd`,`city`,`state`,`field`,`gpa`,`date`,`users_ip`,`activation_code`
)
VALUES
('$data[first_name]','$data[last_name]','$user_name','$usr_email','$sha1pass','$data[city]','$data[state]','$data[field]','$data[gpa]',
,now(),'$user_ip','$activ_code'
)
";
mysql_query($sql_insert,$link) or die("Insertion Failed:" . mysql_error());
$user_id = mysql_insert_id($link);
$md5_id = md5($user_id);
mysql_query("update users set md5_id='$md5_id' where id='$user_id'");
// echo "<h3>Thank You</h3> We received your submission.";
if($user_registration) {
$a_link = "
*****ACTIVATION LINK*****\n
http://$host$path/activate.php?user=$md5_id&activ_code=$activ_code
";
} else {
$a_link =
"Your account is *PENDING APPROVAL* and will be soon activated the administrator.
";
}
$message =
"Hello \n
Thank you for registering with us. Here are your login details...\n
User ID: $user_name
Email: $usr_email \n
Passwd: $data[pwd] \n
$a_link
Thank You
Administrator
$host_upper
______________________________________________________
THIS IS AN AUTOMATED RESPONSE.
***DO NOT RESPOND TO THIS EMAIL****
";
mail($usr_email, "Login Details", $message,
"From: \"Member Registration\" <auto-reply@$host>\r\n" .
"X-Mailer: PHP/" . phpversion());
header("Location: thankyou.php");
exit();
}
}
}
public function register($firstname, $lastname, $email, $username, $password)
{
global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;
$string = "abcdefghijklmnopqrstuvwxyz0123456789";
for ($i = 0; $i < 25; $i++) {
$pos = rand(0, 36);
$str .= $string[$pos];
}
//return $str;
$flag = 1;
$authcode = $str;
// First Name
if (!preg_match("/^[a-z ,.'-]+\$/i", $firstname)) {
$err_name = 'Please enter valid Firstname.';
return $err_name;
}
// Last Name
if (!preg_match("/^[a-z ,.'-]+\$/i", $lastname)) {
$err_name = 'Please enter valid Lastname.';
return $err_name;
}
// Email
if (!preg_match('/^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$/', $email)) {
$err_email = 'Please enter valid Email.';
return $err_email;
}
// Usename min 6 char max 20 char
if (!preg_match('/^[a-z\\d_]{6,20}$/i', $username)) {
$err_username = '******';
return $err_username;
}
// Password min 6 char max 20 char
if (!preg_match("/^[a-z0-9_-~!@#\$%^&*()]{6,20}\$/i", $password)) {
$err_password = '******';
return $err_password;
}
//Filter out html entities to prevent XSS attacks
$firstname = htmlentities($firstname);
$lastname = htmlentities($lastname);
$email = htmlentities($email);
$username = htmlentities($username);
$password = htmlentities($password);
$authcode = htmlentities($authcode);
$conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
if (!$conn) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db($mysql_dbname);
if (strlen($username) > 1) {
// stores sha1 of password
$sha1pass = PwdHash($password);
}
$query = "INSERT INTO users(username,firstname,lastname,email,password,authcode,flag) VALUES('{$username}','{$firstname}', '{$lastname}', '{$email}', '{$sha1pass}', '{$authcode}', '{$flag}')";
if (!mysql_query($query, $conn)) {
//return mysql_errno();
if (mysql_errno() == 1062) {
return "Username or Email already registered";
} else {
return "Error creating account";
}
} else {
$path = dirname(__FILE__) . "/users/";
mkdir($path . $username);
chmod($path . $username, 0777);
mkdir($path . $username . "/Projects");
chmod($path . $username . "/Projects", 0777);
$dst = $path . $username;
$src = $path . "templates";
$command = 'cp -a ' . $src . ' ' . $dst;
$shell_result_output = shell_exec(escapeshellcmd($command));
/***************************Verification Mail **************************/
// Automatically collects the hostname or domain like example.com)
$host = $_SERVER['HTTP_HOST'];
$host_upper = strtoupper($host);
$path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$a_link = "\r\n\t\t\t\t***** VERIFICATION LINK FOR COMPILEONE.COM *****\n\r\n\t\t\t\thttp://{$host}{$path}/activate.php?user={$username}&code={$authcode}\r\n\t\t\t\t";
$message = "Hello,\n\r\n\t\t\t\tThank you for registering with us. Here are your login details...\n\r\n\r\n\t\t\t\tUser ID: {$username}\r\n\t\t\t\tEmail: {$email} \n \r\n\t\t\t\tPasswd: {$password} \n\r\n\r\n\t\t\t\t{$a_link}\r\n\r\n\t\t\t\tThank You\r\n\r\n\t\t\t\tAdministrator\r\n\t\t\t\t{$host_upper}\r\n\t\t\t\t______________________________________________________\r\n\t\t\t\tTHIS IS AN AUTOMATED RESPONSE. \r\n\t\t\t\t***DO NOT RESPOND TO THIS EMAIL****\r\n\t\t\t\t";
mail($email, "Login Details", $message, "From: \"Compileone Member Registration\" <*****@*****.**>\r\n" . "X-Mailer: PHP/" . phpversion());
return "Account created Successfully";
}
mysql_close($conn);
}
function login() {
include 'datalink.php';
$err = array();
foreach($_GET as $key => $value) {
$get[$key] = filter($value); //get variables are filtered.
}
if ($_POST['doLogin']=='Login')
{
foreach($_POST as $key => $value) {
$data[$key] = filter($value); // post variables are filtered
}
$user_email = $data['usr_email'];
$pass = $data['pwd'];
if (strpos($user_email,'@') === false) {
$user_cond = "user_name='$user_email'";
} else {
$user_cond = "user_email='$user_email'";
}
$result = mysql_query("SELECT `id`,`pwd`,`full_name`,`approved`,`user_level` FROM users WHERE
$user_cond
AND `banned` = '0'
") or die (mysql_error());
$num = mysql_num_rows($result);
// Match row found with more than 1 results - the user is authenticated.
if ( $num > 0 ) {
list($id,$pwd,$full_name,$approved,$user_level) = mysql_fetch_row($result);
if(!$approved) {
//$msg = urlencode("Account not activated. Please check your email for activation code");
$err[] = "Account not activated. Please check your email for activation code";
//header("Location: login.php?msg=$msg");
//exit();
}
//check against salt
if ($pwd === PwdHash($pass,substr($pwd,0,9))) {
if(empty($err)){
// this sets session and logs user in
session_start();
session_regenerate_id (true); //prevent against session fixation attacks.
// this sets variables in the session
$_SESSION['user_id']= $id;
$_SESSION['user_name'] = $full_name;
$_SESSION['user_level'] = $user_level;
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
//update the timestamp and key for cookie
$stamp = time();
$ckey = GenKey();
mysql_query("update users set `ctime`='$stamp', `ckey` = '$ckey' where id='$id'") or die(mysql_error());
//set a cookie
if(isset($_POST['remember'])){
setcookie("user_id", $_SESSION['user_id'], time()+60*60*24*COOKIE_TIME_OUT, "/");
setcookie("user_key", sha1($ckey), time()+60*60*24*COOKIE_TIME_OUT, "/");
setcookie("user_name",$_SESSION['user_name'], time()+60*60*24*COOKIE_TIME_OUT, "/");
}
header("Location: myaccount.php");
}
}
else
{
//$msg = urlencode("Invalid Login. Please try again with correct user email and password. ");
$err[] = "Invalid Login. Please try again with correct user email and password.";
//header("Location: login.php?msg=$msg");
}
} else {
$err[] = "Error - Invalid login. No such user exists";
}
}
}
}
if ($_POST['doLogin'] == 'Login') {
foreach ($_POST as $key => $value) {
$data[$key] = filter($value);
// post variables are filtered
}
$user_email = $data['usr_email'];
$pass = $data['pwd'];
$user_cond = "Email='" . $user_email . "'";
$result = mysql_query("SELECT * FROM user WHERE " . $user_cond) or die(mysql_error());
$num = mysql_num_rows($result);
// Match row found with more than 1 results - the user is authenticated.
if ($num > 0) {
list($email, $pwd, $full_name, ) = mysql_fetch_row($result);
//check against salt
if ($pwd === PwdHash($pass)) {
if (empty($err)) {
// this sets session and logs user in
session_start();
session_regenerate_id(true);
//prevent against session fixation attacks.
// this sets variables in the session
$_SESSION['email'] = $email;
$_SESSION['user_name'] = $full_name;
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
header("Location: library.php");
}
} else {
//$msg = urlencode("Invalid Login. Please try again with correct user email and password. ");
$err[] = "Invalid Login. Please try again with correct user email and password.";
//header("Location: login.php?msg=$msg");
function do_register()
{
global $hasError, $data, $dbc, $globals, $mostrar_captcha;
borrar_usuarios_no_activados_antiguos();
if ($mostrar_captcha) {
validar_captcha($hasError);
}
$user_ip = $globals['ip'];
// hash sha1 de la clave
$sha1pass = PwdHash($data['Password']);
// Generamos el código de activación
$activ_code = rand(1000, 9999);
$usr_email = $data['Email'];
$user_name = $data['UserName'];
// Valido si existe ya el usuario
$rs_duplicate = mysql_query("select count(*) as total from users where user_name='{$user_name}'") or die(mysql_error());
list($total) = mysql_fetch_row($rs_duplicate);
if ($total > 0) {
$hasError[] = "El usuario ya está dado de alta.";
}
// Valido si existe ya el email
$parts = explode('@', $usr_email);
$subparts = explode('+', $parts[0]);
// se permiten direcciones del tipo user+extension@gmail.com, que debemos controlar para no permitir abusos
$rs_duplicate = mysql_query("select count(*) as total from users where user_email = '{$subparts['0']}@{$parts['1']}' or user_email LIKE '{$subparts['0']}+%@{$parts['1']}'") or die(mysql_error());
list($total) = mysql_fetch_row($rs_duplicate);
if ($total > 0) {
$hasError[] = "El email ya está dado de alta.";
}
if (empty($hasError)) {
// Insertamos el Nuevo Usuario
$sql_insert = "INSERT into `users`\n (`user_email`,`pwd`,`date`,`users_ip`,`activation_code`,`user_name`)\n VALUES\n ('{$usr_email}','{$sha1pass}',now(),'{$user_ip}','{$activ_code}','{$user_name}')\n ";
mysql_query($sql_insert, $dbc['link']) or die("Insertion Failed:" . mysql_error());
$user_id = mysql_insert_id($dbc['link']);
$md5_id = md5($user_id);
mysql_query("update users set md5_id='{$md5_id}' where id='{$user_id}'");
log_insert("register_ok", ip2long($globals['ip']));
$_SESSION['email_registro'] = $usr_email;
$_SESSION['email_registro_contador'] = 3;
$_SESSION['hasSuccess'] = null;
enviar_correo_registro($usr_email, $md5_id, $activ_code);
header("Location: thankyou.php");
exit;
}
}
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
if (!$conn) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db($mysql_dbname);
$sql = "SELECT * FROM users WHERE username='******' and authcode='{$authcode}'";
$result = mysql_query($sql, $conn);
// Mysql_num_row is counting table row
$count = mysql_num_rows($result);
// If result matched $username table row must be 1 row
//echo "count".$count;
if ($count == 1) {
$sha1pass = PwdHash($password);
$sql = "UPDATE users SET password='******' where username='******'";
$retval = mysql_query($sql, $conn);
if (!$retval) {
die('Could not update data: ' . mysql_error());
}
mysql_close($conn);
echo "Password Updated Successfully !!";
die;
//authenticated user
} else {
mysql_close($conn);
echo "Wrong Username or Authentication code ";
die;
}
}
if ($get['cmd'] == 'edit') {
/* Duplicate user name check */
$rs_usr_duplicate = mysqli_query($link, "select count(*) as total from `users` where `user_name`='{$get['user_name']}' and `id` != '{$get['id']}'") or die(mysqli_error($link));
list($usr_total) = mysqli_fetch_row($rs_usr_duplicate);
if ($usr_total > 0) {
echo "Sorry! user name already registered.";
exit;
}
/* Duplicate email check */
$rs_eml_duplicate = mysqli_query($link, "select count(*) as total from `users` where `user_email`='{$get['user_email']}' and `id` != '{$get['id']}'") or die(mysqli_error($link));
list($eml_total) = mysqli_fetch_row($rs_eml_duplicate);
if ($eml_total > 0) {
echo "Sorry! user email already registered.";
exit;
}
/* Now update user data*/
mysqli_query($link, "\r\nupdate users set \r\n`user_name`='{$get['user_name']}', \r\n`user_email`='{$get['user_email']}',\r\n`user_level`='{$get['user_level']}',\r\n`accode`='{$get['user_accode']}'\r\nwhere `id`='{$get['id']}'") or die(mysqli_error($link));
//header("Location: $ret");
if (!empty($get['pass'])) {
$hash = PwdHash($get['pass']);
mysqli_query($link, "update users set `pwd` = '{$hash}' where `id`='{$get['id']}'") or die(mysqli_error($link));
}
echo "changes done";
exit;
}
if ($get['cmd'] == 'unban') {
mysqli_query($link, "update users set banned='0' where id='{$get['id']}'");
echo "no";
//header("Location: $ret");
// exit();
}
function do_register()
{
global $hasError, $data, $dbc, $globals, $mostrar_captcha;
if ($mostrar_captcha) {
if (!validar_captcha($hasError)) {
return;
}
// si no introduce correctamente el código de seguridad no debemos mirar nada más... porque podría sacar por fuerza bruta usuario/clave.
}
$user_email = $data['UserNameEmail'];
$pass = $data['Password'];
if (strpos($user_email, '@') === false) {
$user_cond = "user_name='{$user_email}'";
} else {
$parts = explode('@', $user_email);
$subparts = explode('+', $parts[0]);
// se permiten direcciones del tipo user+extension@gmail.com, que debemos controlar para no permitir abusos
$user_cond = "(user_email='{$subparts['0']}@{$parts['1']}' or user_email LIKE '{$subparts['0']}+%@{$parts['1']}')";
}
$result = mysql_query("SELECT `id`,`pwd`,`user_name`,`approved`,`banned`,`user_level` FROM users WHERE {$user_cond} limit 1") or die(mysql_error());
$num = mysql_num_rows($result);
if ($num > 0) {
list($id, $pwd, $user_name, $approved, $banned, $user_level) = mysql_fetch_row($result);
if ($banned) {
$hasError[] = "Cuenta anulada.";
return;
}
if (!$approved) {
$hasError[] = "Cuenta registrada pero aún no activada. Revisa tu buzón de correo y sigue el enlace que allí aparece.";
return;
}
if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) {
log_insert("login_ok", $id, $id);
session_regenerate_id(true);
//prevent against session fixation attacks.
// this sets variables in the session
$_SESSION['user_id'] = $id;
$_SESSION['user_name'] = $user_name;
$_SESSION['user_level'] = $user_level;
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
//update the timestamp and key for cookie
$stamp = time();
$ckey = GenKey();
mysql_query("update users set `ctime`='{$stamp}', `ckey` = '{$ckey}' where id='{$id}'") or die(mysql_error());
//set a cookie
if (isset($_POST['remember'])) {
setcookie("user_id", $_SESSION['user_id'], time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
setcookie("user_key", sha1($ckey), time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
setcookie("user_name", $_SESSION['user_name'], time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/");
}
header("Location: myaccount.php");
exit;
} else {
$hasError[] = "Contraseña incorrecta. Vuelve a intentarlo.";
}
} else {
$hasError[] = "Usuario o correo electrónico inexistente.";
}
}
