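/**
 * Password-recovery handler.
 *
 * Reads the posted form (every value passed through filter()), checks that
 * `user_email` is a syntactically valid address and belongs to a row of
 * `users`, then stores a freshly generated password hash and mails the new
 * password to that address.
 *
 * Side effects: one SELECT and one UPDATE on `users` through the global
 * mysqli connection $link, one mail(), and die() on a database error
 * (pre-existing behaviour). $err and $msg are collected but stay local,
 * exactly as in the original, so the caller cannot read them.
 *
 * Fixes vs. the original: $link was used without `global` (undefined inside
 * the function), mysql_* and mysqli_* calls were mixed, and the e-mail address
 * was interpolated into both SQL strings; both statements are now prepared.
 *
 * NOTE(review): this is a "reset by e-mail address" flow - knowing an address
 * is enough to rotate that account's password, and the new password travels
 * in clear text. A single-use token link would be the stronger design; that
 * needs schema this file does not show, so it is not changed here.
 */
function recover()
{
    global $link; // mysqli connection; the original referenced it without importing it

    $err = array();
    $msg = array();
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }

    // isset() avoids a notice when the field is missing from the request.
    $user_email = isset($data['user_email']) ? $data['user_email'] : '';
    if (!isEmail($user_email)) {
        $err[] = "ERROR - Please enter a valid email";
    }

    // Only query the database with an address that passed validation.
    if (empty($err)) {
        $stmt = mysqli_prepare($link, "select id from users where user_email=?") or die(mysqli_error($link));
        mysqli_stmt_bind_param($stmt, 's', $user_email);
        mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
        mysqli_stmt_store_result($stmt);
        $num = mysqli_stmt_num_rows($stmt);
        mysqli_stmt_close($stmt);
        if ($num <= 0) {
            $err[] = "Error - Sorry no such account exists or registered.";
        }
    }

    if (empty($err)) {
        $new_pwd = GenPwd();
        $pwd_reset = PwdHash($new_pwd);

        // Parameterised UPDATE of the salted hash for this address.
        $stmt = mysqli_prepare($link, "update users set pwd=? WHERE user_email=?") or die(mysqli_error($link));
        mysqli_stmt_bind_param($stmt, 'ss', $pwd_reset, $user_email);
        mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);

        // The mail body and headers are unchanged; note that $host comes from
        // the request's Host header and ends up in the From: address.
        $host = $_SERVER['HTTP_HOST'];
        $host_upper = strtoupper($host);
        $message = "Here are your new password details ...\n\n\tUser Email: {$user_email} \n\n\tPasswd: {$new_pwd} \n\n\n\tThank You\n\n\tAdministrator\n\t{$host_upper}\n\t______________________________________________________\n\tTHIS IS AN AUTOMATED RESPONSE. \n\t***DO NOT RESPOND TO THIS EMAIL****\n\t";
        mail($user_email, "Reset Password", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion());
        $msg[] = "Your account password has been reset and a new password has been sent to your email address.";
    }
}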
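/**
 * Password recovery: finds the account by e-mail, generates a new password,
 * stores its hash and sends it by mail.
 *
 * Globals: $hasError (error list, appended to), $data (filtered form data,
 * `Email` is read), $dbc (`$dbc['link']` is the mysql connection), $globals
 * and $mostrar_captcha (imported as before, not read here).
 * Redirects to login.php and exits on success; returns early on failure.
 *
 * Addresses of the form user+tag@domain are matched against the base address
 * and every +tag variant, as in the original.
 *
 * Fixes vs. the original: the address parts were interpolated raw into the
 * SQL string; '%' and '_' inside the LIKE pattern are now escaped so the
 * posted address cannot widen the match to other accounts; an address
 * without '@' no longer raises an undefined-offset notice; and the new
 * password is sent to the address stored on the matched row rather than to
 * the string that was typed in.
 */
function do_register()
{
    global $hasError, $data, $dbc, $globals, $mostrar_captcha;

    validar_captcha($hasError);

    // PENDING: validate the e-mail here and in register.php
    $user_email = isset($data['Email']) ? $data['Email'] : '';
    $link = $dbc['link'];

    $parts = explode('@', $user_email);
    if (count($parts) !== 2) {
        $hasError[] = "El correo electrónico introducido no está registrado o la cuenta está anulada.";
        return;
    }
    // user+extension@domain addresses are treated as the same mailbox.
    $subparts = explode('+', $parts[0]);
    $local = mysql_real_escape_string($subparts[0], $link);
    $domain = mysql_real_escape_string($parts[1], $link);
    // LIKE wildcards are escaped first, then the result is escaped for the string literal.
    $local_like = mysql_real_escape_string(addcslashes($subparts[0], '%_\\'), $link);
    $domain_like = mysql_real_escape_string(addcslashes($parts[1], '%_\\'), $link);

    $rs_check = mysql_query("select `id`, `user_email` from users where (user_email = '{$local}@{$domain}' or user_email LIKE '{$local_like}+%@{$domain_like}') AND banned=0 limit 1", $link) or die(mysql_error());
    $num = mysql_num_rows($rs_check);
    if ($num <= 0) {
        $hasError[] = "El correo electrónico introducido no está registrado o la cuenta está anulada.";
        return;
    }

    if (empty($hasError)) {
        $new_pwd = GenKey();
        $pwd_reset = PwdHash($new_pwd);
        list($id, $stored_email) = mysql_fetch_row($rs_check);
        $id = (int) $id;
        $pwd_reset_sql = mysql_real_escape_string($pwd_reset, $link);
        mysql_query("update users set pwd='{$pwd_reset_sql}' WHERE \n id={$id}", $link) or die(mysql_error());
        // Deliver to the address on record, not to the posted variant.
        enviar_correo_recover($stored_email, $new_pwd);
        $_SESSION['hasSuccessRecover'] = "Te hemos enviado un mensaje a {$stored_email} con tu nueva contraseña.";
        $_SESSION['hasInfoRecover'] = "Si no recibes el correo en unos instantes revisa también en la carpeta de spam.";
        header("Location: login.php");
        exit;
    }
}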
} // Validate User Name if (!isUserID($data['user_name'])) { $err[] = "ERROR - Invalid user name. It can contain alphabet, number and underscore."; } // Validate Email if (!isEmail($data['usr_email'])) { $err[] = "ERROR - Invalid email address."; } // Check User Passwords if (!checkPwd($data['pwd'], $data['pwd2'])) { $err[] = "ERROR - Invalid Password or mismatch. Enter 5 chars or more"; } $user_ip = $_SERVER['REMOTE_ADDR']; // stores sha1 of password $sha1pass = PwdHash($data['pwd']); // Automatically collects the hostname or domain like example.com) $host = $_SERVER['HTTP_HOST']; $host_upper = strtoupper($host); $path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); // Generates activation code simple 4 digit number $activ_code = rand(1000, 9999); $usr_email = $data['usr_email']; $user_name = $data['user_name']; /************ USER EMAIL CHECK ************************************ This code does a second check on the server side if the email already exists. It queries the database and if it has any existing email it throws user email already exists *******************************************************************/ //$rs_duplicate = mysql_query("select count(*) as total from {$const['TBL_USERS']} where user_email='$usr_email' OR user_name='$user_name'") or die(mysql_error()); $rs_duplicate = mysql_query("select count(*) as total from {$const['TBL_USERS']} where user_name='{$user_name}'") or die(mysql_error()); list($total) = mysql_fetch_row($rs_duplicate);
if (!isEmail($data['user_email'])) { $err[] = "ERROR - Please enter a valid email"; } $user_email = $data['user_email']; //check if activ code and user is valid as precaution $rs_check = mysqli_query($link, "select id from users where user_email='{$user_email}'") or die(mysql_error()); $num = mysqli_num_rows($link, $rs_check); // Match row found with more than 1 results - the user is authenticated. if ($num <= 0) { $err[] = "Error - Sorry no such account exists or registered."; //header("Location: forgot.php?msg=$msg"); //exit(); } if (empty($err)) { $new_pwd = GenPwd(); $pwd_reset = PwdHash($new_pwd); //$sha1_new = sha1($new); //set update sha1 of new password + salt $rs_activ = mysqli_query($link, "update users set pwd='{$pwd_reset}' WHERE \n\t\t\t\t\t\t user_email='{$user_email}'") or die(mysql_error()); $host = $_SERVER['HTTP_HOST']; $host_upper = strtoupper($host); //send email $message = "Here are your new password details ...\n\nUser Email: {$user_email} \n\nPasswd: {$new_pwd} \n\n\nThank You\n\nAdministrator\n{$host_upper}\n______________________________________________________\nTHIS IS AN AUTOMATED RESPONSE. \n***DO NOT RESPOND TO THIS EMAIL****\n"; mail($user_email, "Reset Password", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion()); $msg[] = "Your account password has been reset and a new password has been sent to your email address."; //$msg = urlencode(); //header("Location: forgot.php?msg=$msg"); //exit(); } } ?>
// $_SESSION['user'] = $user; header("Location: index.php"); } else { // $msg = urlencode("Invalid Login. Please try again with correct user email and password. "); $err[] = "Invalid Login. Please try again with correct user email and password."; header("Location: login.php"); } } } if ($_POST['type'] == 'recruiter') { $check_user_sql = "select userid,recid from recruiter WHERE UserID='{$userid}'"; $result2 = mysqli_query($dbcon, $check_user_sql); if (mysqli_num_rows($result2) == 1) { list($userid2, $recid) = mysqli_fetch_row($result2); $pwd = PwdHash($password, substr($password, 0, 9)); if ($pwd === PwdHash($user_pass, substr($password, 0, 9))) { session_start(); session_regenerate_id(true); // prevent against session fixation attacks. // this sets variables in the session $_SESSION['user_name'] = $username; $_SESSION['user_email'] = $email; $_SESSION['user_fname'] = $fname; $_SESSION['user_mname'] = $mname; $_SESSION['user_lname'] = $lname; $_SESSION['recid'] = $recid; // $_SESSION['user_level'] = $user_level; $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); // $_SESSION['user'] = $user; header("Location: RecruiterAppReview.php"); } else {
} ?> </p> <?php if ($_POST['doSubmit'] == 'Create') { $rs_dup = mysql_query("select count(*) as total from users where user_name='{$post['user_name']}' OR user_email='{$post['user_email']}'") or die(mysql_error()); list($dups) = mysql_fetch_row($rs_dup); if ($dups > 0) { die("The user name or email already exists in the system"); } if (!empty($_POST['pwd'])) { $pwd = $post['pwd']; $hash = PwdHash($post['pwd']); } else { $pwd = GenPwd(); $hash = PwdHash($pwd); } mysql_query("INSERT INTO users (`user_name`,`user_email`,`pwd`,`approved`,`date`,`user_level`)\r\n\t\t\t VALUES ('{$post['user_name']}','{$post['user_email']}','{$hash}','1',now(),'{$post['user_level']}')\r\n\t\t\t ") or die(mysql_error()); $message = "Thank you for registering with us. Here are your login details...\n\r\nUser Email: {$post['user_email']} \n\r\nPasswd: {$pwd} \n\r\n\r\n*****LOGIN LINK*****\n\r\nhttp://{$host}{$path}/login.php\r\n\r\nThank You\r\n\r\nAdministrator\r\n{$host_upper}\r\n______________________________________________________\r\nTHIS IS AN AUTOMATED RESPONSE.\r\n***DO NOT RESPOND TO THIS EMAIL****\r\n"; if ($_POST['send'] == '1') { mail($post['user_email'], "Login Details", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion()); } echo "<div class=\"msg\">User created with password {$pwd}....done.</div>"; } ?> <h2><font color="#FF0000">Create New User</font></h2> <table width="80%" border="0" cellpadding="5" cellspacing="2" class="myaccount"> <tr> <td><form name="form1" method="post" action="admin.php"> <p>User ID
$pass = $data['pwd']; if (strpos($user_email, '@') === false) { $user_cond = "user_name='{$user_email}'"; } else { $user_cond = "user_email='{$user_email}'"; } $result = mysql_query("SELECT `id`,`pwd`,`full_name`,`user_name`,`approved`,`user_level` FROM {$const['TBL_USERS']} WHERE {$user_cond} AND `banned` = '0'") or die(mysql_error()); $num = mysql_num_rows($result); // Match row found with more than 1 results - the user is authenticated. if ($num > 0) { list($id, $pwd, $full_name, $user_name, $approved, $user_level) = mysql_fetch_row($result); if (!$approved) { $err[] = "Account not activated. Please check your email for activation code"; } //check against salt if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) { if (empty($err)) { // this sets session and logs user in session_start(); session_regenerate_id(true); //prevent against session fixation attacks. // this sets variables in the session $_SESSION['user_id'] = $id; $_SESSION['user_name'] = $user_name; $_SESSION['user_level'] = $user_level; $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); //update the timestamp and key for cookie $stamp = time(); $ckey = GenKey(); $sid = sha1('occasions2011' . session_id()); mysql_query("UPDATE {$const['TBL_USERS']} SET ctime='{$stamp}', ckey='{$ckey}', sid='{$sid}' WHERE id='{$id}'") or die(mysql_error());
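/**
 * Login check for a form/AJAX request: reads `username` and `password` from
 * $_POST, looks the user up, verifies the salted hash (salt = first 9
 * characters of the stored value) and either starts the session and echoes
 * "true", or echoes an error string. Decided outcomes end the request with
 * die, as before.
 *
 * Globals: $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname
 * (a fresh mysql connection is opened and closed per call).
 *
 * The posted values are run through htmlentities() and stripslashes() before
 * use, as in the original; register() on this page stores the password the
 * same way, so this must stay for existing accounts to keep working.
 *
 * Fixes vs. the original: the username is escaped before it is placed in the
 * two SQL strings (the listing shows a redacted literal in those WHERE
 * clauses; the comment next to it says the lookup is by the posted username),
 * the hash comparison is strict instead of ==, missing POST fields no longer
 * raise notices, and the remember-me cookies are HttpOnly.
 */
function check()
{
    global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;

    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Kept for compatibility with how register() stored these values.
    $username = stripslashes(htmlentities($username));
    $password = stripslashes(htmlentities($password));

    $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
    if (!$conn) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db($mysql_dbname, $conn);

    $username_sql = mysql_real_escape_string($username, $conn);
    $result = mysql_query("SELECT * FROM users WHERE username='{$username_sql}'", $conn);
    $count = $result ? mysql_num_rows($result) : 0;

    // Exactly one row must match the posted username.
    if ($count != 1) {
        mysql_close($conn);
        echo "Wrong Username";
        return;
    }

    $ret = mysql_fetch_array($result, MYSQL_ASSOC);
    $pwd = $ret['password'];
    if ($pwd !== PwdHash($password, substr($pwd, 0, 9))) {
        mysql_close($conn);
        echo "Wrong Password";
        return;
    }

    if (!$ret['flag']) {
        mysql_close($conn);
        echo "Account not verified.Please check your email for verification link";
        die;
    }

    // Authenticated: start the session and log the user in.
    session_start();
    session_regenerate_id(true); // prevent session fixation
    $_SESSION['username'] = $username;
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

    // Refresh the timestamp and the key used by the remember-me cookie.
    $stamp = time();
    $ckey = GenKey();
    $ckey_sql = mysql_real_escape_string($ckey, $conn);
    mysql_query("UPDATE users SET ctime={$stamp},ckey='{$ckey_sql}' WHERE username='{$username_sql}'", $conn);

    if (isset($_POST['remember']) && $_POST['remember'] == "true") {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        // HttpOnly keeps both cookies out of reach of page scripts.
        setcookie("username", $_SESSION['username'], $expires, "/", "", false, true);
        setcookie("userkey", sha1($ckey), $expires, "/", "", false, true);
    }
    mysql_close($conn);
    echo "true";
    die;
}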
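// Account-settings page: handles the RSS "Update", password "Update" and
// profile "Save" forms for the logged-in user, then loads the user's row and
// the Instagram client. page_protect() (from initialize.php) gates access.
include 'src/Instagram.php';
use MetzWeb\Instagram\Instagram;
include '../initialize.php';

page_protect();
$err = array();
$msg = array();
// Server-side value, but cast anyway since it is spliced into SQL strings below.
$session_user_id = (int) $_SESSION['user_id'];

if (isset($_POST['SUBMIT_BUTTON_NAME']) && $_POST['SUBMIT_BUTTON_NAME'] == 'Update') {
    // Raw POST data: escape it before it goes into the SQL string
    // (the original interpolated it unescaped).
    $addsite = mysql_real_escape_string(isset($_POST['site']) ? $_POST['site'] : '');
    mysql_query("update users set rss=CONCAT('{$addsite}',',',rss) where id='{$session_user_id}'");
}

if (isset($_POST['doUpdate']) && $_POST['doUpdate'] == 'Update') {
    $rs_pwd = mysql_query("select pwd from users where id='{$session_user_id}'");
    list($old) = mysql_fetch_row($rs_pwd);
    $old_salt = substr($old, 0, 9); // stored value = 9-char salt followed by the hash
    $pwd_old = isset($_POST['pwd_old']) ? $_POST['pwd_old'] : '';
    $pwd_new = isset($_POST['pwd_new']) ? $_POST['pwd_new'] : '';
    if ($old === PwdHash($pwd_old, $old_salt)) {
        $newsha1 = mysql_real_escape_string(PwdHash($pwd_new));
        mysql_query("update users set pwd='{$newsha1}' where id='{$session_user_id}'");
        $msg[] = "Your new password is updated";
    } else {
        $err[] = "Your old password is invalid";
    }
}

if (isset($_POST['doSave']) && $_POST['doSave'] == 'Save') {
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }
    // NOTE(review): the SET list of this UPDATE is empty in the listing, so
    // the statement is a MySQL syntax error and the `or die` fires on every
    // save; the intended column list is not visible here, so it is left as found.
    mysql_query("UPDATE users SET\r\n WHERE id='{$session_user_id}'\r\n ") or die(mysql_error());
    $msg[] = "Profile Sucessfully saved";
}

$rs_settings = mysql_query("select * from users where id='{$session_user_id}'");
$instagram = new Instagram(array('apiKey' => $apikey, 'apiSecret' => $apisecret, 'apiCallback' => $callback));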
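/**
 * Sets a new password for the account identified by the posted `user_email`
 * and mails a recovery notice rendered from recover.php.
 *
 * Reads $_POST (`user_email`, `pass`, `user_name`; each through filter()),
 * updates `users.pwd` through the global mysqli $link, sends one PHPMailer
 * message and replies with JSON `{"errorCode":1}` on success. Every path
 * ends with exit, as before.
 *
 * Fixes vs. the original: the password was written to the database *before*
 * the validation result was consulted; the helper was re-declared on every
 * call (fatal on the second call); the address was interpolated into the
 * SQL string; the error branch dereferenced an unset $mail; and the send()
 * result was ignored.
 *
 * NOTE(review): nothing here proves the caller owns the account - the new
 * password comes straight from the request. This function should only be
 * reachable after a recovery token or session check, which this file does
 * not show. The SMTP credentials are hard-coded (redacted in this listing);
 * they belong in configuration outside the web root.
 */
function reset_pwd()
{
    global $link;

    // Guarding the declaration avoids a "cannot redeclare" fatal error when
    // reset_pwd() runs more than once in a request.
    if (!function_exists('get_include_contents')) {
        /**
         * Renders $filename with $variablesToMakeLocal in scope and returns
         * the captured output, or false when the file does not exist.
         */
        function get_include_contents($filename, $variablesToMakeLocal)
        {
            // EXTR_SKIP so a key named "filename" cannot clobber the path.
            extract($variablesToMakeLocal, EXTR_SKIP);
            if (is_file($filename)) {
                ob_start();
                include $filename;
                return ob_get_clean();
            }
            return false;
        }
    }

    $err = array();
    $msg = array();
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }

    $user_email = isset($data['user_email']) ? $data['user_email'] : '';
    $user_name = isset($data['user_name']) ? $data['user_name'] : '';
    $new_pwd = isset($data['pass']) ? $data['pass'] : '';
    if (!isEmail($user_email)) {
        $err[] = "ERROR - Please enter a valid email";
    }
    if ($new_pwd === '') {
        // Constructed message: the original would have stored a hash of "".
        $err[] = "ERROR - Please enter a new password";
    }

    if (!empty($err)) {
        // The original fell through to an unset $mail here; report the
        // validation errors in the same JSON shape the success path uses
        // (errorCode 0 and the `errors` key are constructed).
        $msg['errorCode'] = 0;
        $msg['errors'] = $err;
        echo json_encode($msg);
        exit;
    }

    // Store the salted hash of the new password (parameterised).
    $pwd_reset = PwdHash($new_pwd);
    $stmt = mysqli_prepare($link, "update users set pwd=? WHERE user_email=?") or die(mysqli_error($link));
    mysqli_stmt_bind_param($stmt, 'ss', $pwd_reset, $user_email);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_close($stmt);

    $host = $_SERVER['HTTP_HOST'];

    $mail = new PHPMailer();
    $mail->isSMTP();
    $mail->Host = 'smtp.gmail.com';
    $mail->SMTPAuth = true;
    $mail->Username = '******'; // redacted in this listing - load from config
    $mail->Password = '******'; // redacted in this listing - load from config
    $mail->SMTPSecure = 'tls';
    $mail->Port = 587; // authenticated TLS
    $mail->setFrom('*****@*****.**', 'Lake Nona');
    $mail->addAddress($user_email, $user_name); // the original passed an unset $user_name here
    $mail->WordWrap = 50;
    $mail->isHTML(true);
    $mail->Subject = 'GroupX onDemand Password Recovery Link';

    $variable = array();
    $variable['user_username'] = $user_name;
    $variable['user_name'] = $user_name;
    $variable['user_email'] = $user_email;
    $variable['host'] = $host;
    // $path, $activ_code and $md5_id were never assigned in the original
    // either; they are passed as null so recover.php sees the same values.
    $variable['path'] = null;
    $variable['activ_code'] = null;
    $variable['id'] = null;

    // recover.php is rendered with the variables above as the HTML body.
    $mail->Body = get_include_contents('recover.php', $variable);
    if (!$mail->send()) {
        echo 'Message could not be sent.';
        echo 'Mailer Error: ' . $mail->ErrorInfo;
        exit;
    }
    $msg['errorCode'] = 1;
    echo json_encode($msg);
    exit;
}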
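/**
 * Handles the registration form ($_POST['doRegister'] == 'Register').
 *
 * Every posted value goes through filter(); name, user name, e-mail and the
 * two password fields are validated server-side; the user name / e-mail pair
 * is checked for duplicates; then the row is inserted, `md5_id` is set from
 * the new id, a welcome mail is sent and the request redirects to
 * thankyou.php. $link comes from the included datalink.php. $err is filled
 * as before but stays local (pre-existing).
 *
 * Fixes vs. the original: the INSERT had a stray ", ," that made it a syntax
 * error (13 values for 12 columns); every value is escaped before it is
 * placed in the SQL strings; the activation code no longer comes from
 * rand(); and the user's clear-text password is no longer echoed into the
 * welcome e-mail.
 *
 * NOTE(review): a 4-digit activation code combined with an md5 of a
 * sequential id is a small search space; the column widths are not visible
 * here, so the format is kept. $user_registration is not set in this scope
 * unless datalink.php defines it - if it does not, the "pending approval"
 * branch always runs.
 */
function register()
{
    include 'datalink.php';
    $err = array();
    if (!isset($_POST['doRegister']) || $_POST['doRegister'] != 'Register') {
        return;
    }

    // Filtering/sanitising: every POST value passes through filter().
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }
    $fields = array('full_name', 'user_name', 'usr_email', 'pwd', 'pwd2', 'first_name', 'last_name', 'city', 'state', 'field', 'gpa');
    foreach ($fields as $f) {
        if (!isset($data[$f])) {
            $data[$f] = '';
        }
    }

    // Server-side validation (useful when JavaScript is disabled).
    if (empty($data['full_name']) || strlen($data['full_name']) < 4) {
        $err[] = "ERROR - Invalid name. Please enter atleast 3 or more characters for your name";
    }
    if (!isUserID($data['user_name'])) {
        $err[] = "ERROR - Invalid user name. It can contain alphabet, number and underscore.";
    }
    if (!isEmail($data['usr_email'])) {
        $err[] = "ERROR - Invalid email address.";
    }
    if (!checkPwd($data['pwd'], $data['pwd2'])) {
        $err[] = "ERROR - Invalid Password or mismatch. Enter 5 chars or more";
    }

    $user_ip = $_SERVER['REMOTE_ADDR'];
    $sha1pass = PwdHash($data['pwd']);
    // Host name / script directory used to build the activation link.
    $host = $_SERVER['HTTP_HOST'];
    $host_upper = strtoupper($host);
    $path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    // 4-digit activation code; random_int where available, mt_rand otherwise.
    $activ_code = function_exists('random_int') ? random_int(1000, 9999) : mt_rand(1000, 9999);
    $usr_email = $data['usr_email'];
    $user_name = $data['user_name'];

    // Second, server-side check that the e-mail / user name is not taken.
    $usr_email_sql = mysql_real_escape_string($usr_email, $link);
    $user_name_sql = mysql_real_escape_string($user_name, $link);
    $rs_duplicate = mysql_query("select count(*) as total from users where user_email='{$usr_email_sql}' OR user_name='{$user_name_sql}'", $link) or die(mysql_error());
    list($total) = mysql_fetch_row($rs_duplicate);
    if ($total > 0) {
        $err[] = "ERROR - The username/email already exists. Please try again with different username and email.";
    }

    if (!empty($err)) {
        return;
    }

    $sql_vals = array();
    foreach (array('first_name', 'last_name', 'city', 'state', 'field', 'gpa') as $f) {
        $sql_vals[$f] = mysql_real_escape_string($data[$f], $link);
    }
    $sha1pass_sql = mysql_real_escape_string($sha1pass, $link);
    $user_ip_sql = mysql_real_escape_string($user_ip, $link);
    $sql_insert = "INSERT into `users` (`first_name`, `last_name`, `user_name`, `user_email`,`pwd`,`city`,`state`,`field`,`gpa`,`date`,`users_ip`,`activation_code` ) VALUES ('{$sql_vals['first_name']}','{$sql_vals['last_name']}','{$user_name_sql}','{$usr_email_sql}','{$sha1pass_sql}','{$sql_vals['city']}','{$sql_vals['state']}','{$sql_vals['field']}','{$sql_vals['gpa']}',now(),'{$user_ip_sql}','{$activ_code}' ) ";
    mysql_query($sql_insert, $link) or die("Insertion Failed:" . mysql_error());
    $user_id = mysql_insert_id($link);
    $md5_id = md5($user_id);
    mysql_query("update users set md5_id='{$md5_id}' where id='" . (int) $user_id . "'", $link);

    if (!empty($user_registration)) {
        $a_link = " *****ACTIVATION LINK*****\n http://$host$path/activate.php?user=$md5_id&activ_code=$activ_code ";
    } else {
        $a_link = "Your account is *PENDING APPROVAL* and will be soon activated the administrator. ";
    }
    // The password line was dropped from the mail; the user chose it and it
    // should not travel in clear text.
    $message = "Hello \n Thank you for registering with us. Here are your login details...\n User ID: $user_name Email: $usr_email \n $a_link Thank You Administrator $host_upper ______________________________________________________ THIS IS AN AUTOMATED RESPONSE. ***DO NOT RESPOND TO THIS EMAIL**** ";
    mail($usr_email, "Login Details", $message, "From: \"Member Registration\" <auto-reply@$host>\r\n" . "X-Mailer: PHP/" . phpversion());
    header("Location: thankyou.php");
    exit();
}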
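/**
 * Creates a user account: validates the five fields with the same regular
 * expressions as before, inserts the row (password stored via PwdHash()),
 * creates the per-user directory tree from the `templates` folder and sends
 * the verification mail.
 *
 * Returns a human-readable status string in every case (validation error,
 * duplicate, insert failure or "Account created Successfully"), as the
 * original did. Globals: $mysql_hostname, $mysql_username, $mysql_password,
 * $mysql_dbname.
 *
 * Fixes vs. the original: $str was appended to before being initialised and
 * rand(0, 36) could index one past the end of the 36-character alphabet, so
 * authcodes were occasionally shorter than 25 characters; values are escaped
 * before being placed in the INSERT; the cp arguments are quoted per
 * argument; mysql_close() was unreachable (after return); and the clear-text
 * password is no longer included in the mail.
 *
 * NOTE(review): the user directories are made world-writable (0777), as the
 * original did - whether another process needs that is not visible here, so
 * it is kept but should be revisited.
 */
public function register($firstname, $lastname, $email, $username, $password)
{
    global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;

    // 25-character verification code over [a-z0-9].
    $alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
    $last = strlen($alphabet) - 1;
    $str = '';
    for ($i = 0; $i < 25; $i++) {
        $pos = function_exists('random_int') ? random_int(0, $last) : mt_rand(0, $last);
        $str .= $alphabet[$pos];
    }
    $flag = 1;
    $authcode = $str;

    // Validation: same rules as before, errors reported through the return value.
    if (!preg_match("/^[a-z ,.'-]+\$/i", $firstname)) {
        return 'Please enter valid Firstname.';
    }
    if (!preg_match("/^[a-z ,.'-]+\$/i", $lastname)) {
        return 'Please enter valid Lastname.';
    }
    if (!preg_match('/^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$/', $email)) {
        return 'Please enter valid Email.';
    }
    // User name: 6-20 characters of [a-z0-9_]
    if (!preg_match('/^[a-z\\d_]{6,20}$/i', $username)) {
        return '******'; // message redacted in this listing
    }
    // Password: 6-20 characters
    if (!preg_match("/^[a-z0-9_-~!@#\$%^&*()]{6,20}\$/i", $password)) {
        return '******'; // message redacted in this listing
    }

    // Encoded before storage and hashing, as the original did; check() on
    // this page relies on the password having been encoded the same way.
    $firstname = htmlentities($firstname);
    $lastname = htmlentities($lastname);
    $email = htmlentities($email);
    $username = htmlentities($username);
    $password = htmlentities($password);
    $authcode = htmlentities($authcode);

    $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
    if (!$conn) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db($mysql_dbname, $conn);

    $sha1pass = PwdHash($password);
    $query = sprintf(
        "INSERT INTO users(username,firstname,lastname,email,password,authcode,flag) VALUES('%s','%s', '%s', '%s', '%s', '%s', '%s')",
        mysql_real_escape_string($username, $conn),
        mysql_real_escape_string($firstname, $conn),
        mysql_real_escape_string($lastname, $conn),
        mysql_real_escape_string($email, $conn),
        mysql_real_escape_string($sha1pass, $conn),
        mysql_real_escape_string($authcode, $conn),
        (int) $flag
    );
    if (!mysql_query($query, $conn)) {
        $errno = mysql_errno($conn);
        mysql_close($conn);
        // 1062 = duplicate key on a unique column.
        return $errno == 1062 ? "Username or Email already registered" : "Error creating account";
    }
    mysql_close($conn);

    // Per-user directory tree, seeded from the shared templates folder.
    // $username matched [a-z0-9_]{6,20} above, so it contains no path characters.
    $users_dir = dirname(__FILE__) . "/users/";
    mkdir($users_dir . $username);
    chmod($users_dir . $username, 0777); // pre-existing; see note above
    mkdir($users_dir . $username . "/Projects");
    chmod($users_dir . $username . "/Projects", 0777);
    $dst = $users_dir . $username;
    $src = $users_dir . "templates";
    // Each path is quoted as one argument; the original ran escapeshellcmd()
    // over the whole command line instead.
    shell_exec('cp -a ' . escapeshellarg($src) . ' ' . escapeshellarg($dst));

    // Verification mail.
    $host = $_SERVER['HTTP_HOST'];
    $host_upper = strtoupper($host);
    $path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    $a_link = "\r\n\t\t\t\t***** VERIFICATION LINK FOR COMPILEONE.COM *****\n\r\n\t\t\t\thttp://{$host}{$path}/activate.php?user={$username}&code={$authcode}\r\n\t\t\t\t";
    // The "Passwd:" line was dropped; the user chose the password and it
    // should not travel in clear text.
    $message = "Hello,\n\r\n\t\t\t\tThank you for registering with us. Here are your login details...\n\r\n\r\n\t\t\t\tUser ID: {$username}\r\n\t\t\t\tEmail: {$email} \n\r\n\r\n\t\t\t\t{$a_link}\r\n\r\n\t\t\t\tThank You\r\n\r\n\t\t\t\tAdministrator\r\n\t\t\t\t{$host_upper}\r\n\t\t\t\t______________________________________________________\r\n\t\t\t\tTHIS IS AN AUTOMATED RESPONSE. \r\n\t\t\t\t***DO NOT RESPOND TO THIS EMAIL****\r\n\t\t\t\t";
    mail($email, "Login Details", $message, "From: \"Compileone Member Registration\" <*****@*****.**>\r\n" . "X-Mailer: PHP/" . phpversion());
    return "Account created Successfully";
}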
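/**
 * Processes the login form ($_POST['doLogin'] == 'Login').
 *
 * `usr_email` may hold either a user name (no '@') or an e-mail address; the
 * matching non-banned row is fetched, the account must be approved, and the
 * posted password is checked against the stored salted hash (salt = first 9
 * characters of the stored value). On success the session is (re)started,
 * id/name/level are stored in it, `ctime`/`ckey` are refreshed, optional
 * "remember" cookies are set and the request redirects to myaccount.php.
 * $link comes from the included datalink.php. $err is filled as before but
 * stays local to this function (pre-existing).
 *
 * Fixes vs. the original: the login value is escaped before it is placed in
 * the WHERE clause, the remember-me cookies are HttpOnly, the redirect is
 * followed by exit so the rest of the page is not rendered for a logged-in
 * response, and the unused filtered copy of $_GET is gone.
 */
function login()
{
    include 'datalink.php';
    $err = array();

    if (!isset($_POST['doLogin']) || $_POST['doLogin'] != 'Login') {
        return;
    }
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value); // post variables are filtered
    }
    $user_email = isset($data['usr_email']) ? $data['usr_email'] : '';
    $pass = isset($data['pwd']) ? $data['pwd'] : '';

    // A value without '@' is treated as a user name, otherwise as an e-mail.
    $login_sql = mysql_real_escape_string($user_email, $link);
    $column = (strpos($user_email, '@') === false) ? 'user_name' : 'user_email';
    $user_cond = "{$column}='{$login_sql}'";
    $result = mysql_query("SELECT `id`,`pwd`,`full_name`,`approved`,`user_level` FROM users WHERE $user_cond AND `banned` = '0' ", $link) or die(mysql_error());
    $num = mysql_num_rows($result);
    if ($num <= 0) {
        $err[] = "Error - Invalid login. No such user exists";
        return;
    }

    list($id, $pwd, $full_name, $approved, $user_level) = mysql_fetch_row($result);
    if (!$approved) {
        $err[] = "Account not activated. Please check your email for activation code";
    }
    // The stored value's first 9 characters are the salt.
    if ($pwd !== PwdHash($pass, substr($pwd, 0, 9))) {
        $err[] = "Invalid Login. Please try again with correct user email and password.";
        return;
    }
    if (!empty($err)) {
        return;
    }

    // Authenticated: start the session and log the user in.
    session_start();
    session_regenerate_id(true); // prevent session fixation
    $_SESSION['user_id'] = $id;
    $_SESSION['user_name'] = $full_name;
    $_SESSION['user_level'] = $user_level;
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

    // Refresh the timestamp and the key used by the remember-me cookie.
    $stamp = time();
    $ckey = GenKey();
    $ckey_sql = mysql_real_escape_string($ckey, $link);
    mysql_query("update users set `ctime`='$stamp', `ckey` = '$ckey_sql' where id='" . (int) $id . "'", $link) or die(mysql_error());

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        // HttpOnly keeps the cookies out of reach of page scripts.
        setcookie("user_id", $_SESSION['user_id'], $expires, "/", "", false, true);
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/", "", false, true);
    }
    header("Location: myaccount.php");
    exit;
}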
} if ($_POST['doLogin'] == 'Login') { foreach ($_POST as $key => $value) { $data[$key] = filter($value); // post variables are filtered } $user_email = $data['usr_email']; $pass = $data['pwd']; $user_cond = "Email='" . $user_email . "'"; $result = mysql_query("SELECT * FROM user WHERE " . $user_cond) or die(mysql_error()); $num = mysql_num_rows($result); // Match row found with more than 1 results - the user is authenticated. if ($num > 0) { list($email, $pwd, $full_name, ) = mysql_fetch_row($result); //check against salt if ($pwd === PwdHash($pass)) { if (empty($err)) { // this sets session and logs user in session_start(); session_regenerate_id(true); //prevent against session fixation attacks. // this sets variables in the session $_SESSION['email'] = $email; $_SESSION['user_name'] = $full_name; $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); header("Location: library.php"); } } else { //$msg = urlencode("Invalid Login. Please try again with correct user email and password. "); $err[] = "Invalid Login. Please try again with correct user email and password."; //header("Location: login.php?msg=$msg");
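/**
 * User registration.
 *
 * Globals: $hasError (error list, appended to), $data (filtered form data:
 * Password, Email, UserName), $dbc (`$dbc['link']` is the mysql connection),
 * $globals (`$globals['ip']`), $mostrar_captcha (whether to check the captcha).
 *
 * Steps: purge stale unactivated accounts, optional captcha check, duplicate
 * user-name check, duplicate e-mail check (a user+tag@domain address is
 * compared against the base address and every other +tag variant), INSERT,
 * `md5_id` update, log entry, session flags, registration mail, redirect to
 * thankyou.php.
 *
 * Fixes vs. the original: every value is escaped before it is placed in SQL,
 * LIKE wildcards in the posted address are escaped so the match cannot be
 * widened, an address without '@' no longer triggers an undefined-offset
 * notice, and the activation code comes from random_int() where available.
 */
function do_register()
{
    global $hasError, $data, $dbc, $globals, $mostrar_captcha;

    borrar_usuarios_no_activados_antiguos();
    if ($mostrar_captcha) {
        validar_captcha($hasError);
    }
    $link = $dbc['link'];
    $user_ip = $globals['ip'];
    // Salted hash of the password.
    $sha1pass = PwdHash($data['Password']);
    // 4-digit activation code.
    $activ_code = function_exists('random_int') ? random_int(1000, 9999) : mt_rand(1000, 9999);
    $usr_email = $data['Email'];
    $user_name = $data['UserName'];

    // Is the user name already taken?
    $user_name_sql = mysql_real_escape_string($user_name, $link);
    $rs_duplicate = mysql_query("select count(*) as total from users where user_name='{$user_name_sql}'", $link) or die(mysql_error());
    list($total) = mysql_fetch_row($rs_duplicate);
    if ($total > 0) {
        $hasError[] = "El usuario ya está dado de alta.";
    }

    // Is the e-mail already taken? user+extension@domain counts as the same mailbox.
    $parts = explode('@', $usr_email);
    if (count($parts) !== 2) {
        $hasError[] = "El email no es válido."; // constructed: the original had no check for a missing '@'
    } else {
        $subparts = explode('+', $parts[0]);
        $local = mysql_real_escape_string($subparts[0], $link);
        $domain = mysql_real_escape_string($parts[1], $link);
        // LIKE wildcards are escaped first, then the result is escaped for the string literal.
        $local_like = mysql_real_escape_string(addcslashes($subparts[0], '%_\\'), $link);
        $domain_like = mysql_real_escape_string(addcslashes($parts[1], '%_\\'), $link);
        $rs_duplicate = mysql_query("select count(*) as total from users where user_email = '{$local}@{$domain}' or user_email LIKE '{$local_like}+%@{$domain_like}'", $link) or die(mysql_error());
        list($total) = mysql_fetch_row($rs_duplicate);
        if ($total > 0) {
            $hasError[] = "El email ya está dado de alta.";
        }
    }

    if (empty($hasError)) {
        // Insert the new user.
        $sql_insert = "INSERT into `users`\n (`user_email`,`pwd`,`date`,`users_ip`,`activation_code`,`user_name`)\n VALUES\n ('" . mysql_real_escape_string($usr_email, $link) . "','" . mysql_real_escape_string($sha1pass, $link) . "',now(),'" . mysql_real_escape_string($user_ip, $link) . "','{$activ_code}','{$user_name_sql}')\n ";
        mysql_query($sql_insert, $link) or die("Insertion Failed:" . mysql_error());
        $user_id = mysql_insert_id($link);
        $md5_id = md5($user_id);
        mysql_query("update users set md5_id='{$md5_id}' where id='" . (int) $user_id . "'", $link);
        log_insert("register_ok", ip2long($globals['ip']));
        $_SESSION['email_registro'] = $usr_email;
        $_SESSION['email_registro_contador'] = 3;
        $_SESSION['hasSuccess'] = null;
        enviar_correo_registro($usr_email, $md5_id, $activ_code);
        header("Location: thankyou.php");
        exit;
    }
}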
$password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password); if (!$conn) { die('Could not connect: ' . mysql_error()); } mysql_select_db($mysql_dbname); $sql = "SELECT * FROM users WHERE username='******' and authcode='{$authcode}'"; $result = mysql_query($sql, $conn); // Mysql_num_row is counting table row $count = mysql_num_rows($result); // If result matched $username table row must be 1 row //echo "count".$count; if ($count == 1) { $sha1pass = PwdHash($password); $sql = "UPDATE users SET password='******' where username='******'"; $retval = mysql_query($sql, $conn); if (!$retval) { die('Could not update data: ' . mysql_error()); } mysql_close($conn); echo "Password Updated Successfully !!"; die; //authenticated user } else { mysql_close($conn); echo "Wrong Username or Authentication code "; die; } }
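// User-management actions dispatched on $get['cmd'] (the filtered copy of
// $_GET). Every statement is now a prepared statement on the mysqli $link;
// the original interpolated the $get values into the SQL strings.
// NOTE(review): both branches change state from a GET request; whether the
// caller enforces an administrator session and a CSRF token is not visible
// here and should be confirmed.
if (isset($get['cmd']) && $get['cmd'] == 'edit') {
    $edit_id = (int) $get['id'];

    /* Duplicate user name check */
    $stmt = mysqli_prepare($link, "select count(*) as total from `users` where `user_name`=? and `id` != ?") or die(mysqli_error($link));
    mysqli_stmt_bind_param($stmt, 'si', $get['user_name'], $edit_id);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_bind_result($stmt, $usr_total);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    if ($usr_total > 0) {
        echo "Sorry! user name already registered.";
        exit;
    }

    /* Duplicate email check */
    $stmt = mysqli_prepare($link, "select count(*) as total from `users` where `user_email`=? and `id` != ?") or die(mysqli_error($link));
    mysqli_stmt_bind_param($stmt, 'si', $get['user_email'], $edit_id);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_bind_result($stmt, $eml_total);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    if ($eml_total > 0) {
        echo "Sorry! user email already registered.";
        exit;
    }

    /* Now update user data */
    $stmt = mysqli_prepare($link, "update users set `user_name`=?, `user_email`=?, `user_level`=?, `accode`=? where `id`=?") or die(mysqli_error($link));
    mysqli_stmt_bind_param($stmt, 'ssssi', $get['user_name'], $get['user_email'], $get['user_level'], $get['user_accode'], $edit_id);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_close($stmt);

    // Only rotate the password when one was supplied.
    if (!empty($get['pass'])) {
        $hash = PwdHash($get['pass']);
        $stmt = mysqli_prepare($link, "update users set `pwd` = ? where `id`=?") or die(mysqli_error($link));
        mysqli_stmt_bind_param($stmt, 'si', $hash, $edit_id);
        mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
    }
    echo "changes done";
    exit;
}

if (isset($get['cmd']) && $get['cmd'] == 'unban') {
    $unban_id = (int) $get['id'];
    $stmt = mysqli_prepare($link, "update users set banned='0' where id=?");
    if ($stmt) {
        mysqli_stmt_bind_param($stmt, 'i', $unban_id);
        mysqli_stmt_execute($stmt); // result ignored, as the original ignored mysqli_query's
        mysqli_stmt_close($stmt);
    }
    echo "no";
}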
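/**
 * Login handler.
 *
 * Globals: $hasError (error list, appended to), $data (filtered form data:
 * UserNameEmail, Password), $dbc (`$dbc['link']` is the mysql connection),
 * $globals and $mostrar_captcha (whether the captcha must be checked first).
 *
 * `UserNameEmail` without '@' is treated as a user name; with '@' the base
 * address and every user+tag variant are matched. The row must not be
 * banned, must be approved, and the posted password must match the stored
 * salted hash (salt = first 9 characters). On success the login is logged,
 * the session id is regenerated, id/name/level are stored in the session,
 * `ctime`/`ckey` are refreshed, optional remember-me cookies are set and the
 * request redirects to myaccount.php.
 *
 * Fixes vs. the original: the login value and its address parts are escaped
 * before they are placed in SQL, LIKE wildcards are escaped so the posted
 * address cannot match other accounts, an address with a malformed '@'
 * structure is rejected instead of raising a notice, and the remember-me
 * cookies are HttpOnly.
 */
function do_register()
{
    global $hasError, $data, $dbc, $globals, $mostrar_captcha;

    if ($mostrar_captcha) {
        // Without a valid captcha nothing else is checked, so user/password
        // pairs cannot be probed.
        if (!validar_captcha($hasError)) {
            return;
        }
    }
    $link = $dbc['link'];
    $user_email = isset($data['UserNameEmail']) ? $data['UserNameEmail'] : '';
    $pass = isset($data['Password']) ? $data['Password'] : '';

    if (strpos($user_email, '@') === false) {
        $user_cond = "user_name='" . mysql_real_escape_string($user_email, $link) . "'";
    } else {
        $parts = explode('@', $user_email);
        if (count($parts) !== 2) {
            $hasError[] = "Usuario o correo electrónico inexistente.";
            return;
        }
        // user+extension@domain counts as the same mailbox.
        $subparts = explode('+', $parts[0]);
        $local = mysql_real_escape_string($subparts[0], $link);
        $domain = mysql_real_escape_string($parts[1], $link);
        // LIKE wildcards are escaped first, then the result is escaped for the string literal.
        $local_like = mysql_real_escape_string(addcslashes($subparts[0], '%_\\'), $link);
        $domain_like = mysql_real_escape_string(addcslashes($parts[1], '%_\\'), $link);
        $user_cond = "(user_email='{$local}@{$domain}' or user_email LIKE '{$local_like}+%@{$domain_like}')";
    }

    $result = mysql_query("SELECT `id`,`pwd`,`user_name`,`approved`,`banned`,`user_level` FROM users WHERE {$user_cond} limit 1", $link) or die(mysql_error());
    if (mysql_num_rows($result) <= 0) {
        $hasError[] = "Usuario o correo electrónico inexistente.";
        return;
    }
    list($id, $pwd, $user_name, $approved, $banned, $user_level) = mysql_fetch_row($result);
    if ($banned) {
        $hasError[] = "Cuenta anulada.";
        return;
    }
    if (!$approved) {
        $hasError[] = "Cuenta registrada pero aún no activada. Revisa tu buzón de correo y sigue el enlace que allí aparece.";
        return;
    }
    if ($pwd !== PwdHash($pass, substr($pwd, 0, 9))) {
        $hasError[] = "Contraseña incorrecta. Vuelve a intentarlo.";
        return;
    }

    log_insert("login_ok", $id, $id);
    session_regenerate_id(true); // prevent session fixation
    $_SESSION['user_id'] = $id;
    $_SESSION['user_name'] = $user_name;
    $_SESSION['user_level'] = $user_level;
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

    // Refresh the timestamp and the key used by the remember-me cookie.
    $stamp = time();
    $ckey = GenKey();
    $ckey_sql = mysql_real_escape_string($ckey, $link);
    mysql_query("update users set `ctime`='{$stamp}', `ckey` = '{$ckey_sql}' where id='" . (int) $id . "'", $link) or die(mysql_error());

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        // HttpOnly keeps the cookies out of reach of page scripts.
        setcookie("user_id", $_SESSION['user_id'], $expires, "/", "", false, true);
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/", "", false, true);
    }
    header("Location: myaccount.php");
    exit;
}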