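function recover()
{
    // Connection handle for the mysqli_* calls below. The original body called
    // mysqli_query($link, ...) without importing $link, so the UPDATE ran against an
    // undefined handle.
    global $link;

    $err = array();
    $msg = array();

    // Filtered copy of the submitted form (filter() is defined elsewhere in the project).
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }
    $user_email = isset($data['user_email']) ? $data['user_email'] : '';
    if (!isEmail($user_email)) {
        $err[] = "ERROR - Please enter a valid email";
    }

    // Look the account up with a bound parameter instead of interpolating the
    // submitted address into the statement text.
    $stmt = mysqli_prepare($link, "select id from users where user_email=?") or die(mysqli_error($link));
    mysqli_stmt_bind_param($stmt, 's', $user_email);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_store_result($stmt);
    $num = mysqli_stmt_num_rows($stmt);
    mysqli_stmt_close($stmt);
    // A matching row means the address belongs to a registered account.
    if ($num <= 0) {
        $err[] = "Error - Sorry no such account exists or registered.";
    }

    if (empty($err)) {
        $new_pwd = GenPwd();
        $pwd_reset = PwdHash($new_pwd);
        // Store the hash of the generated password for this address.
        $stmt = mysqli_prepare($link, "update users set pwd=? WHERE user_email=?") or die(mysqli_error($link));
        mysqli_stmt_bind_param($stmt, 'ss', $pwd_reset, $user_email);
        mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);

        // NOTE(review): HTTP_HOST comes from the client's Host header; here it only
        // feeds the display name and the From: domain, but a configured host name
        // would be the safer source.
        $host = $_SERVER['HTTP_HOST'];
        $host_upper = strtoupper($host);
        // Email the generated password. isEmail() above is relied on to reject
        // addresses containing CR/LF before $user_email reaches the To: header --
        // confirm against its implementation.
        $message = "Here are your new password details ...\n\n\tUser Email: {$user_email} \n\n\tPasswd: {$new_pwd} \n\n\n\tThank You\n\n\tAdministrator\n\t{$host_upper}\n\t______________________________________________________\n\tTHIS IS AN AUTOMATED RESPONSE. \n\t***DO NOT RESPOND TO THIS EMAIL****\n\t";
        mail($user_email, "Reset Password", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion());
        $msg[] = "Your account password has been reset and a new password has been sent to your email address.";
    }

    // Backward-compatible addition: the original discarded both lists, so callers
    // had no way to show the outcome.
    return array('err' => $err, 'msg' => $msg);
}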
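function do_register()
{
    global $hasError, $data, $dbc, $globals, $mostrar_captcha;
    validar_captcha($hasError);
    // PENDIENTE: VALIDAR EMAIL ... y en register.php
    $user_email = isset($data['Email']) ? $data['Email'] : '';

    // Split into local part and domain. The original indexed $parts[1] without
    // checking that an '@' was present.
    $parts = explode('@', $user_email);
    if (count($parts) < 2) {
        $hasError[] = "El correo electrónico introducido no está registrado o la cuenta está anulada.";
        return;
    }
    $subparts = explode('+', $parts[0]);
    // se permiten direcciones del tipo user+extension@gmail.com, que debemos controlar para no permitir abusos
    $base_local = $subparts[0];
    $domain = $parts[1];

    // SQL-escaped copies (mysql_real_escape_string() uses the last opened connection,
    // as the mysql_query() calls below do). The LIKE operands additionally need their
    // wildcard characters escaped so a '%' or '_' typed by the user cannot widen the match.
    $sql_local = mysql_real_escape_string($base_local);
    $sql_local_like = mysql_real_escape_string(addcslashes($base_local, '%_'));
    $sql_domain = mysql_real_escape_string($domain);
    $sql_domain_like = mysql_real_escape_string(addcslashes($domain, '%_'));

    $rs_check = mysql_query("select `id` from users where (user_email = '{$sql_local}@{$sql_domain}' or user_email LIKE '{$sql_local_like}+%@{$sql_domain_like}') AND banned=0 limit 1") or die(mysql_error());
    $num = mysql_num_rows($rs_check);
    if ($num <= 0) {
        $hasError[] = "El correo electrónico introducido no está registrado o la cuenta está anulada.";
        return;
    }

    if (empty($hasError)) {
        $new_pwd = GenKey();
        $pwd_reset = PwdHash($new_pwd);
        list($id) = mysql_fetch_row($rs_check);
        // The row id is numeric; cast it rather than interpolating the raw value.
        $id = (int) $id;
        $sql_pwd = mysql_real_escape_string($pwd_reset);
        mysql_query("update users set pwd='{$sql_pwd}' WHERE id={$id}") or die(mysql_error());
        enviar_correo_recover($user_email, $new_pwd);
        $_SESSION['hasSuccessRecover'] = "Te hemos enviado un mensaje a {$user_email} con tu nueva contraseña.";
        $_SESSION['hasInfoRecover'] = "Si no recibes el correo en unos instantes revisa también en la carpeta de spam.";
        header("Location: login.php");
        exit;
    }
}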
 }
 // Validate User Name
 if (!isUserID($data['user_name'])) {
     $err[] = "ERROR - Invalid user name. It can contain alphabet, number and underscore.";
 }
 // Validate Email
 if (!isEmail($data['usr_email'])) {
     $err[] = "ERROR - Invalid email address.";
 }
 // Check User Passwords
 if (!checkPwd($data['pwd'], $data['pwd2'])) {
     $err[] = "ERROR - Invalid Password or mismatch. Enter 5 chars or more";
 }
 $user_ip = $_SERVER['REMOTE_ADDR'];
 // stores sha1 of password
 $sha1pass = PwdHash($data['pwd']);
 // Automatically collects the hostname or domain like example.com)
 $host = $_SERVER['HTTP_HOST'];
 $host_upper = strtoupper($host);
 $path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
 // Generates activation code simple 4 digit number
 $activ_code = rand(1000, 9999);
 $usr_email = $data['usr_email'];
 $user_name = $data['user_name'];
 /************ USER EMAIL CHECK ************************************
 This code does a second check on the server side if the email already exists. It 
 queries the database and if it has any existing email it throws user email already exists
 *******************************************************************/
 //$rs_duplicate = mysql_query("select count(*) as total from {$const['TBL_USERS']} where user_email='$usr_email' OR user_name='$user_name'") or die(mysql_error());
 $rs_duplicate = mysql_query("select count(*) as total from {$const['TBL_USERS']} where user_name='{$user_name}'") or die(mysql_error());
 list($total) = mysql_fetch_row($rs_duplicate);
    if (!isEmail($data['user_email'])) {
        $err[] = "ERROR - Please enter a valid email";
    }
    $user_email = $data['user_email'];
    //check if activ code and user is valid as precaution
    $rs_check = mysqli_query($link, "select id from users where user_email='{$user_email}'") or die(mysql_error());
    $num = mysqli_num_rows($link, $rs_check);
    // Match row found with more than 1 results  - the user is authenticated.
    if ($num <= 0) {
        $err[] = "Error - Sorry no such account exists or registered.";
        //header("Location: forgot.php?msg=$msg");
        //exit();
    }
    if (empty($err)) {
        $new_pwd = GenPwd();
        $pwd_reset = PwdHash($new_pwd);
        //$sha1_new = sha1($new);
        //set update sha1 of new password + salt
        $rs_activ = mysqli_query($link, "update users set pwd='{$pwd_reset}' WHERE \n\t\t\t\t\t\t user_email='{$user_email}'") or die(mysql_error());
        $host = $_SERVER['HTTP_HOST'];
        $host_upper = strtoupper($host);
        //send email
        $message = "Here are your new password details ...\n\nUser Email: {$user_email} \n\nPasswd: {$new_pwd} \n\n\nThank You\n\nAdministrator\n{$host_upper}\n______________________________________________________\nTHIS IS AN AUTOMATED RESPONSE. \n***DO NOT RESPOND TO THIS EMAIL****\n";
        mail($user_email, "Reset Password", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion());
        $msg[] = "Your account password has been reset and a new password has been sent to your email address.";
        //$msg = urlencode();
        //header("Location: forgot.php?msg=$msg");
        //exit();
    }
}
?>
             // $_SESSION['user'] = $user;
             header("Location: index.php");
         } else {
             // $msg = urlencode("Invalid Login. Please try again with correct user email and password. ");
             $err[] = "Invalid Login. Please try again with correct user email and password.";
             header("Location: login.php");
         }
     }
 }
 if ($_POST['type'] == 'recruiter') {
     $check_user_sql = "select userid,recid from recruiter WHERE UserID='{$userid}'";
     $result2 = mysqli_query($dbcon, $check_user_sql);
     if (mysqli_num_rows($result2) == 1) {
         list($userid2, $recid) = mysqli_fetch_row($result2);
         $pwd = PwdHash($password, substr($password, 0, 9));
         if ($pwd === PwdHash($user_pass, substr($password, 0, 9))) {
             session_start();
             session_regenerate_id(true);
             // prevent against session fixation attacks.
             // this sets variables in the session
             $_SESSION['user_name'] = $username;
             $_SESSION['user_email'] = $email;
             $_SESSION['user_fname'] = $fname;
             $_SESSION['user_mname'] = $mname;
             $_SESSION['user_lname'] = $lname;
             $_SESSION['recid'] = $recid;
             // $_SESSION['user_level'] = $user_level;
             $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
             // $_SESSION['user'] = $user;
             header("Location: RecruiterAppReview.php");
         } else {
}
?>
      &nbsp;</p>
	  <?php 
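if (isset($_POST['doSubmit']) && $_POST['doSubmit'] == 'Create') {
    // NOTE(review): $post is expected to be a filtered copy of $_POST prepared earlier
    // in the file, and $host/$path/$host_upper to be set there too -- not visible here.
    // Escape the values before they are placed in SQL; the original interpolated them verbatim.
    $sql_user_name = mysql_real_escape_string($post['user_name']);
    $sql_user_email = mysql_real_escape_string($post['user_email']);
    $rs_dup = mysql_query("select count(*) as total from users where user_name='{$sql_user_name}' OR user_email='{$sql_user_email}'") or die(mysql_error());
    list($dups) = mysql_fetch_row($rs_dup);
    if ($dups > 0) {
        die("The user name or email already exists in the system");
    }
    // Use the supplied password when one was given, otherwise generate one.
    if (!empty($_POST['pwd'])) {
        $pwd = $post['pwd'];
    } else {
        $pwd = GenPwd();
    }
    $hash = PwdHash($pwd);
    $sql_hash = mysql_real_escape_string($hash);
    $sql_user_level = mysql_real_escape_string($post['user_level']);
    mysql_query("INSERT INTO users (`user_name`,`user_email`,`pwd`,`approved`,`date`,`user_level`)\r\n\t\t\t VALUES ('{$sql_user_name}','{$sql_user_email}','{$sql_hash}','1',now(),'{$sql_user_level}')\r\n\t\t\t ") or die(mysql_error());
    $message = "Thank you for registering with us. Here are your login details...\n\r\nUser Email: {$post['user_email']} \n\r\nPasswd: {$pwd} \n\r\n\r\n*****LOGIN LINK*****\n\r\nhttp://{$host}{$path}/login.php\r\n\r\nThank You\r\n\r\nAdministrator\r\n{$host_upper}\r\n______________________________________________________\r\nTHIS IS AN AUTOMATED RESPONSE.\r\n***DO NOT RESPOND TO THIS EMAIL****\r\n";
    if (isset($_POST['send']) && $_POST['send'] == '1') {
        mail($post['user_email'], "Login Details", $message, "From: \"Member Registration\" <auto-reply@{$host}>\r\n" . "X-Mailer: PHP/" . phpversion());
    }
    // The password is shown on the admin page; encode it for the HTML context.
    echo "<div class=\"msg\">User created with password " . htmlspecialchars($pwd, ENT_QUOTES, 'UTF-8') . "....done.</div>";
}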
?>

      <h2><font color="#FF0000">Create New User</font></h2>
      <table width="80%" border="0" cellpadding="5" cellspacing="2" class="myaccount">
        <tr>
          <td><form name="form1" method="post" action="admin.php">
              <p>User ID
 $pass = $data['pwd'];
 if (strpos($user_email, '@') === false) {
     $user_cond = "user_name='{$user_email}'";
 } else {
     $user_cond = "user_email='{$user_email}'";
 }
 $result = mysql_query("SELECT `id`,`pwd`,`full_name`,`user_name`,`approved`,`user_level` FROM {$const['TBL_USERS']} WHERE {$user_cond} AND `banned` = '0'") or die(mysql_error());
 $num = mysql_num_rows($result);
 // Match row found with more than 1 results  - the user is authenticated.
 if ($num > 0) {
     list($id, $pwd, $full_name, $user_name, $approved, $user_level) = mysql_fetch_row($result);
     if (!$approved) {
         $err[] = "Account not activated. Please check your email for activation code";
     }
     //check against salt
     if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) {
         if (empty($err)) {
             // this sets session and logs user in
             session_start();
             session_regenerate_id(true);
             //prevent against session fixation attacks.
             // this sets variables in the session
             $_SESSION['user_id'] = $id;
             $_SESSION['user_name'] = $user_name;
             $_SESSION['user_level'] = $user_level;
             $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
             //update the timestamp and key for cookie
             $stamp = time();
             $ckey = GenKey();
             $sid = sha1('occasions2011' . session_id());
             mysql_query("UPDATE {$const['TBL_USERS']} SET ctime='{$stamp}', ckey='{$ckey}', sid='{$sid}' WHERE id='{$id}'") or die(mysql_error());
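function check()
{
    global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;
    // username and password sent from form
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    // Entity-encode both values. The password is encoded *before* hashing; that only
    // matches what is stored because registration hashes the entity-encoded password
    // as well, so the two code paths have to stay in step.
    $username = htmlentities($username);
    $password = htmlentities($password);
    // Strip backslashes as the original did; neither this nor htmlentities() is an
    // SQL escape.
    $username = stripslashes($username);
    $password = stripslashes($password);
    $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
    if (!$conn) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db($mysql_dbname, $conn);
    // NOTE(review): the username operand is redacted ('******') in this listing. When
    // it is restored it must go through mysql_real_escape_string($username, $conn)
    // rather than being interpolated directly.
    $sql = "SELECT * FROM users WHERE username='******'";
    $result = mysql_query($sql, $conn);
    // A failed query counts as no match instead of being passed to mysql_num_rows().
    $count = ($result === false) ? 0 : mysql_num_rows($result);
    // Exactly one row is expected for a registered username.
    if ($count == 1) {
        $ret = mysql_fetch_array($result, MYSQL_ASSOC);
        // Stored hash; its leading 9 characters are handed back to PwdHash() as the salt.
        $pwd = $ret['password'];
        // Strict comparison: the original used ==, which also accepts loosely-equal strings.
        if ($pwd === PwdHash($password, substr($pwd, 0, 9))) {
            if (!$ret['flag']) {
                mysql_close($conn);
                echo "Account not verified.Please check your email for verification link";
                die;
            }
            // this sets session and logs user in
            session_start();
            session_regenerate_id(true); // prevent against session fixation attacks.
            // this sets variables in the session
            $_SESSION['username'] = $username;
            $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
            // update the timestamp and key for cookie
            $stamp = time();
            $ckey = GenKey();
            $sql_ckey = mysql_real_escape_string($ckey, $conn);
            $upd_qry = "UPDATE users SET ctime={$stamp},ckey='{$sql_ckey}' WHERE username='******'";
            mysql_query($upd_qry, $conn);
            // set a cookie
            if (isset($_POST['remember']) && $_POST['remember'] == "true") {
                $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
                setcookie("username", $_SESSION['username'], $expires, "/");
                // HttpOnly keeps the key out of script reach; nothing in this file reads
                // it client-side -- confirm before relying on that.
                setcookie("userkey", sha1($ckey), $expires, "/", "", false, true);
            }
            mysql_close($conn);
            echo "true";
            die;
        } else {
            mysql_close($conn);
            // NOTE(review): this message differs from the unknown-user one below, which
            // reveals whether a username exists.
            echo "Wrong Password";
        }
    } else {
        mysql_close($conn);
        echo "Wrong Username";
    }
}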
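include 'src/Instagram.php';
use MetzWeb\Instagram\Instagram;
include '../initialize.php';
page_protect();
$err = array();
$msg = array();
// Row key for every statement below, cast once so it is embedded as an integer.
$session_user_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;
if (isset($_POST['SUBMIT_BUTTON_NAME']) && $_POST['SUBMIT_BUTTON_NAME'] == 'Update') {
    // The original interpolated the submitted site verbatim into the statement.
    $addsite = mysql_real_escape_string(isset($_POST['site']) ? $_POST['site'] : '');
    if (!mysql_query("update users set rss=CONCAT('{$addsite}',',',rss) where id='{$session_user_id}'")) {
        $err[] = "Could not save the site.";
    }
}
if (isset($_POST['doUpdate']) && $_POST['doUpdate'] == 'Update') {
    $rs_pwd = mysql_query("select pwd from users where id='{$session_user_id}'");
    $row = $rs_pwd ? mysql_fetch_row($rs_pwd) : false;
    $old = $row ? (string) $row[0] : '';
    // The leading 9 characters of the stored hash are handed back to PwdHash() as the salt.
    $old_salt = substr($old, 0, 9);
    $pwd_old = isset($_POST['pwd_old']) ? $_POST['pwd_old'] : '';
    $pwd_new = isset($_POST['pwd_new']) ? $_POST['pwd_new'] : '';
    if ($old !== '' && $old === PwdHash($pwd_old, $old_salt)) {
        // NOTE(review): no length or complexity check on the new password is visible here.
        $newsha1 = mysql_real_escape_string(PwdHash($pwd_new));
        if (mysql_query("update users set pwd='{$newsha1}' where id='{$session_user_id}'")) {
            $msg[] = "Your new password is updated";
        } else {
            $err[] = "Could not update the password.";
        }
    } else {
        $err[] = "Your old password is invalid";
    }
}
if (isset($_POST['doSave']) && $_POST['doSave'] == 'Save') {
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }
    // NOTE(review): the SET list is empty in the source as shown, so this statement is
    // a syntax error and the die() fires; the columns to save (escaped with
    // mysql_real_escape_string()) have to be filled in before this path can work.
    mysql_query("UPDATE users SET\r\n       WHERE id='{$session_user_id}'\r\n      ") or die(mysql_error());
    $msg[] = "Profile Sucessfully saved";
}
$rs_settings = mysql_query("select * from users where id='{$session_user_id}'");
// NOTE(review): $apikey, $apisecret and $callback are presumably provided by
// ../initialize.php -- not visible here.
$instagram = new Instagram(array('apiKey' => $apikey, 'apiSecret' => $apisecret, 'apiCallback' => $callback));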
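function reset_pwd()
{
    global $link;

    // Render an included template to a string with $variablesToMakeLocal in scope.
    // Declared conditionally: the original declared it unconditionally inside
    // reset_pwd(), so a second call failed with a redeclaration error.
    if (!function_exists('get_include_contents')) {
        function get_include_contents($filename, $variablesToMakeLocal)
        {
            // EXTR_SKIP so a template variable cannot overwrite $filename.
            extract($variablesToMakeLocal, EXTR_SKIP);
            if (is_file($filename)) {
                ob_start();
                include $filename;
                return ob_get_clean();
            }
            return false;
        }
    }

    $err = array();
    $msg = array();
    $data = array();
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }
    $user_email = isset($data['user_email']) ? $data['user_email'] : '';
    $user_name = isset($data['user_name']) ? $data['user_name'] : '';
    $new_pwd = isset($data['pass']) ? $data['pass'] : '';
    if (!isEmail($user_email)) {
        $err[] = "ERROR - Please enter a valid email";
    }
    if ($new_pwd === '') {
        $err[] = "ERROR - Please enter a new password";
    }

    // NOTE(review): the new password comes straight from the request and is written
    // for whichever address is submitted; nothing in this function ties the request
    // to the account owner (no activation code or token is checked here). Confirm
    // that the caller enforces that before reset_pwd() is reached.
    if (!empty($err)) {
        // The original ran the UPDATE before looking at $err and then dereferenced an
        // undefined $mail in the error branch; report the errors instead.
        $msg['errorCode'] = 0;
        $msg['errors'] = $err;
        echo json_encode($msg);
        exit;
    }

    $pwd_reset = PwdHash($new_pwd);
    // Store the new hash with bound parameters instead of interpolated strings.
    $stmt = mysqli_prepare($link, "update users set pwd=? WHERE user_email=?") or die(mysqli_error($link));
    mysqli_stmt_bind_param($stmt, 'ss', $pwd_reset, $user_email);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_close($stmt);

    $host = $_SERVER['HTTP_HOST'];
    // $path, $activ_code and $md5_id were never assigned in the original; $path is
    // derived the way the other scripts in this project do it, the other two are left
    // empty -- confirm what recover.php expects for them.
    $path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    $activ_code = '';
    $md5_id = '';

    // send email
    $mail = new PHPMailer();
    $mail->isSMTP();
    // Set mailer to use SMTP
    $mail->Host = 'smtp.gmail.com';
    // Specify main and backup server
    $mail->SMTPAuth = true;
    // Enable SMTP authentication
    $mail->Username = '******';
    // SMTP username
    $mail->Password = '******';
    // SMTP password
    $mail->SMTPSecure = 'tls';
    // Enable encryption, 'ssl' also accepted
    $mail->Port = 587;
    //Set the SMTP port number - 587 for authenticated TLS
    $mail->setFrom('*****@*****.**', 'Lake Nona');
    //Set who the message is to be sent from
    $mail->addAddress($user_email, $user_name);
    // Add a recipient
    $mail->WordWrap = 50;
    // Set word wrap to 50 characters
    $mail->isHTML(true);
    // Set email format to HTML
    $mail->Subject = 'GroupX onDemand Password Recovery Link';
    $variable = array();
    $variable['user_username'] = $user_name;
    $variable['user_name'] = $user_name;
    $variable['user_email'] = $user_email;
    $variable['host'] = $host;
    $variable['path'] = $path;
    $variable['activ_code'] = $activ_code;
    $variable['id'] = $md5_id;
    // Read the HTML message body from the recover.php template.
    $mail->Body = get_include_contents('recover.php', $variable);
    if (!$mail->send()) {
        echo 'Message could not be sent.';
        echo 'Mailer Error: ' . $mail->ErrorInfo;
        exit;
    }
    $msg['errorCode'] = 1;
    echo json_encode($msg);
    exit;
}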
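function register()
{
    include 'datalink.php';

    $err = array();

    if (isset($_POST['doRegister']) && $_POST['doRegister'] == 'Register') {
        /******************* Filtering/Sanitizing Input *****************************
        This code filters harmful script code and escapes data of all POST data
        from the user submitted form.
        *****************************************************************/
        $data = array();
        foreach ($_POST as $key => $value) {
            $data[$key] = filter($value);
        }
        // Every field read below defaults to '' so a missing input fails validation
        // instead of raising an undefined-index notice.
        $fields = array('full_name', 'user_name', 'usr_email', 'pwd', 'pwd2',
            'first_name', 'last_name', 'city', 'state', 'field', 'gpa');
        foreach ($fields as $field) {
            if (!isset($data[$field])) {
                $data[$field] = '';
            }
        }

        /************************ SERVER SIDE VALIDATION **************************************/
        /********** This validation is useful if javascript is disabled in the browswer ***/
        // NOTE(review): the message promises 3 characters but the check requires 4 --
        // confirm which is intended.
        if (empty($data['full_name']) || strlen($data['full_name']) < 4) {
            $err[] = "ERROR - Invalid name. Please enter atleast 3 or more characters for your name";
        }
        // Validate User Name
        if (!isUserID($data['user_name'])) {
            $err[] = "ERROR - Invalid user name. It can contain alphabet, number and underscore.";
        }
        // Validate Email
        if (!isEmail($data['usr_email'])) {
            $err[] = "ERROR - Invalid email address.";
        }
        // Check User Passwords
        if (!checkPwd($data['pwd'], $data['pwd2'])) {
            $err[] = "ERROR - Invalid Password or mismatch. Enter 5 chars or more";
        }

        $user_ip = $_SERVER['REMOTE_ADDR'];

        // stores sha1 of password
        $sha1pass = PwdHash($data['pwd']);

        // Automatically collects the hostname or domain like example.com)
        // NOTE(review): HTTP_HOST is taken from the request's Host header and the
        // activation link below is built from it; a configured canonical host would
        // be the safer source.
        $host = $_SERVER['HTTP_HOST'];
        $host_upper = strtoupper($host);
        $path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');

        // Generates activation code simple 4 digit number
        // NOTE(review): rand() is not a cryptographic source and 4 digits leave 9000
        // values; the activation endpoint should limit attempts per account.
        $activ_code = rand(1000, 9999);

        $usr_email = $data['usr_email'];
        $user_name = $data['user_name'];

        /************ USER EMAIL CHECK ************************************
        This code does a second check on the server side if the email already exists. It
        queries the database and if it has any existing email it throws user email already exists
        *******************************************************************/
        // Escape with the connection from datalink.php before placing values in SQL;
        // filter() is not an SQL escape.
        $sql_email = mysql_real_escape_string($usr_email, $link);
        $sql_user_name = mysql_real_escape_string($user_name, $link);
        $rs_duplicate = mysql_query("select count(*) as total from users where user_email='$sql_email' OR user_name='$sql_user_name'", $link) or die(mysql_error());
        list($total) = mysql_fetch_row($rs_duplicate);

        if ($total > 0) {
            $err[] = "ERROR - The username/email already exists. Please try again with different username and email.";
        }
        /***************************************************************************/

        if (empty($err)) {
            // The original VALUES list carried a stray comma before now(), which made
            // the INSERT a syntax error.
            $sql_insert = sprintf(
                "INSERT into `users` (`first_name`, `last_name`, `user_name`, `user_email`, `pwd`, `city`, `state`, `field`, `gpa`, `date`, `users_ip`, `activation_code`) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', now(), '%s', '%s')",
                mysql_real_escape_string($data['first_name'], $link),
                mysql_real_escape_string($data['last_name'], $link),
                $sql_user_name,
                $sql_email,
                mysql_real_escape_string($sha1pass, $link),
                mysql_real_escape_string($data['city'], $link),
                mysql_real_escape_string($data['state'], $link),
                mysql_real_escape_string($data['field'], $link),
                mysql_real_escape_string($data['gpa'], $link),
                mysql_real_escape_string($user_ip, $link),
                $activ_code
            );

            mysql_query($sql_insert, $link) or die("Insertion Failed:" . mysql_error());
            $user_id = (int) mysql_insert_id($link);
            $md5_id = md5($user_id);
            mysql_query("update users set md5_id='$md5_id' where id='$user_id'", $link);

            // $user_registration is expected from the included configuration -- not
            // visible here; a missing value means "pending approval".
            if (!empty($user_registration)) {
                $a_link = "*****ACTIVATION LINK*****\nhttp://$host$path/activate.php?user=$md5_id&activ_code=$activ_code\n";
            } else {
                $a_link = "Your account is *PENDING APPROVAL* and will be soon activated the administrator.\n";
            }

            // The password is deliberately not echoed back in the mail: the user chose
            // it, and mail spools and inboxes keep plaintext indefinitely.
            $message = "Hello \nThank you for registering with us. Here are your login details...\n\nUser ID: $user_name\nEmail: $usr_email \n\n$a_link\n\nThank You\n\nAdministrator\n$host_upper\n______________________________________________________\nTHIS IS AN AUTOMATED RESPONSE. \n***DO NOT RESPOND TO THIS EMAIL****\n";

            mail($usr_email, "Login Details", $message,
                "From: \"Member Registration\" <auto-reply@$host>\r\n" .
                "X-Mailer: PHP/" . phpversion());

            header("Location: thankyou.php");
            exit();
        }
    }
}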
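 public function register($firstname, $lastname, $email, $username, $password)
 {
     global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;
     // 25-character activation code over [a-z0-9]. The original drew rand(0, 36)
     // into a 36-character alphabet, so index 36 fell past the last character, and
     // appended to an uninitialised $str.
     $alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
     $maxIndex = strlen($alphabet) - 1;
     $authcode = '';
     for ($i = 0; $i < 25; $i++) {
         $authcode .= $alphabet[rand(0, $maxIndex)];
     }
     // Stored in the flag column, as in the original.
     $flag = 1;
     // First Name
     if (!preg_match("/^[a-z ,.'-]+\$/i", $firstname)) {
         return 'Please enter valid Firstname.';
     }
     // Last Name
     if (!preg_match("/^[a-z ,.'-]+\$/i", $lastname)) {
         return 'Please enter valid Lastname.';
     }
     // Email
     if (!preg_match('/^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$/', $email)) {
         return 'Please enter valid Email.';
     }
     // Usename min 6 char max 20 char
     if (!preg_match('/^[a-z\\d_]{6,20}$/i', $username)) {
         return '******';
     }
     // Password min 6 char max 20 char
     if (!preg_match("/^[a-z0-9_-~!@#\$%^&*()]{6,20}\$/i", $password)) {
         return '******';
     }
     // Filter out html entities to prevent XSS attacks. The password is entity-encoded
     // before hashing; check() does the same at login, so both must stay in step.
     $firstname = htmlentities($firstname);
     $lastname = htmlentities($lastname);
     $email = htmlentities($email);
     $username = htmlentities($username);
     $password = htmlentities($password);
     $authcode = htmlentities($authcode);
     $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
     if (!$conn) {
         die('Could not connect: ' . mysql_error());
     }
     mysql_select_db($mysql_dbname, $conn);
     // stores sha1 of password ($username already passed the {6,20} check above, so
     // the original's strlen guard was always true)
     $sha1pass = PwdHash($password);
     // Escape every value with the open connection; htmlentities() does not make a
     // string safe inside an SQL literal.
     $query = sprintf(
         "INSERT INTO users(username,firstname,lastname,email,password,authcode,flag) VALUES('%s','%s', '%s', '%s', '%s', '%s', '%s')",
         mysql_real_escape_string($username, $conn),
         mysql_real_escape_string($firstname, $conn),
         mysql_real_escape_string($lastname, $conn),
         mysql_real_escape_string($email, $conn),
         mysql_real_escape_string($sha1pass, $conn),
         mysql_real_escape_string($authcode, $conn),
         $flag
     );
     if (!mysql_query($query, $conn)) {
         $errno = mysql_errno($conn);
         mysql_close($conn);
         // 1062 is the duplicate-key error, i.e. username or email already taken.
         if ($errno == 1062) {
             return "Username or Email already registered";
         }
         return "Error creating account";
     }
     // The original placed mysql_close() after the return statements, so it never ran.
     mysql_close($conn);

     $path = dirname(__FILE__) . "/users/";
     // NOTE(review): 0777 makes these directories world-writable; 0755 is enough if
     // only the web-server user writes here -- confirm which processes need access.
     mkdir($path . $username);
     chmod($path . $username, 0777);
     mkdir($path . $username . "/Projects");
     chmod($path . $username . "/Projects", 0777);
     $dst = $path . $username;
     $src = $path . "templates";
     // Quote each path as a single shell argument; escapeshellcmd() on the whole
     // command line did not protect a path containing spaces.
     shell_exec('cp -a ' . escapeshellarg($src) . ' ' . escapeshellarg($dst));
     /***************************Verification Mail **************************/
     // Automatically collects the hostname or domain  like example.com)
     // NOTE(review): HTTP_HOST comes from the request's Host header and the
     // verification link is built from it; a configured canonical host would be safer.
     $host = $_SERVER['HTTP_HOST'];
     $host_upper = strtoupper($host);
     $path = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
     $a_link = "\r\n\t\t\t\t***** VERIFICATION LINK FOR COMPILEONE.COM *****\n\r\n\t\t\t\thttp://{$host}{$path}/activate.php?user={$username}&code={$authcode}\r\n\t\t\t\t";
     // The password is deliberately not echoed back in the mail: the user chose it,
     // and mail spools and inboxes keep plaintext indefinitely.
     $message = "Hello,\n\r\n\t\t\t\tThank you for registering with us. Here are your login details...\n\r\n\r\n\t\t\t\tUser ID: {$username}\r\n\t\t\t\tEmail: {$email} \n \r\n\r\n\t\t\t\t{$a_link}\r\n\r\n\t\t\t\tThank You\r\n\r\n\t\t\t\tAdministrator\r\n\t\t\t\t{$host_upper}\r\n\t\t\t\t______________________________________________________\r\n\t\t\t\tTHIS IS AN AUTOMATED RESPONSE. \r\n\t\t\t\t***DO NOT RESPOND TO THIS EMAIL****\r\n\t\t\t\t";
     mail($email, "Login Details", $message, "From: \"Compileone Member Registration\" <*****@*****.**>\r\n" . "X-Mailer: PHP/" . phpversion());
     return "Account created Successfully";
 }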
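function login()
{
    include 'datalink.php';

    $err = array();

    $get = array();
    foreach ($_GET as $key => $value) {
        $get[$key] = filter($value); // get variables are filtered.
    }

    if (isset($_POST['doLogin']) && $_POST['doLogin'] == 'Login') {
        $data = array();
        foreach ($_POST as $key => $value) {
            $data[$key] = filter($value); // post variables are filtered
        }

        $user_email = isset($data['usr_email']) ? $data['usr_email'] : '';
        $pass = isset($data['pwd']) ? $data['pwd'] : '';

        // Escape with the connection opened by datalink.php; filter() is not an SQL
        // escape. A value without '@' is looked up as a user name, otherwise as an
        // email address.
        $sql_login = mysql_real_escape_string($user_email, $link);
        if (strpos($user_email, '@') === false) {
            $user_cond = "user_name='$sql_login'";
        } else {
            $user_cond = "user_email='$sql_login'";
        }

        $result = mysql_query("SELECT `id`,`pwd`,`full_name`,`approved`,`user_level` FROM users WHERE $user_cond AND `banned` = '0'", $link) or die(mysql_error());
        $num = mysql_num_rows($result);

        // Match row found with more than 1 results  - the user is authenticated.
        if ($num > 0) {
            list($id, $pwd, $full_name, $approved, $user_level) = mysql_fetch_row($result);

            if (!$approved) {
                $err[] = "Account not activated. Please check your email for activation code";
            }

            // check against salt: the leading 9 characters of the stored hash are
            // handed back to PwdHash() as the salt.
            if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) {
                if (empty($err)) {
                    // this sets session and logs user in
                    session_start();
                    session_regenerate_id(true); // prevent against session fixation attacks.

                    // this sets variables in the session
                    $_SESSION['user_id'] = $id;
                    $_SESSION['user_name'] = $full_name;
                    $_SESSION['user_level'] = $user_level;
                    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

                    // update the timestamp and key for cookie
                    $stamp = time();
                    $ckey = GenKey();
                    $sql_id = (int) $id;
                    $sql_ckey = mysql_real_escape_string($ckey, $link);
                    mysql_query("update users set `ctime`='$stamp', `ckey` = '$sql_ckey' where id='$sql_id'", $link) or die(mysql_error());

                    // set a cookie
                    if (isset($_POST['remember'])) {
                        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
                        setcookie("user_id", $_SESSION['user_id'], $expires, "/");
                        // HttpOnly keeps the key out of script reach; nothing in this
                        // file reads it client-side -- confirm before relying on that.
                        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
                        setcookie("user_name", $_SESSION['user_name'], $expires, "/");
                    }
                    header("Location: myaccount.php");
                }
            } else {
                $err[] = "Invalid Login. Please try again with correct user email and password.";
            }
        } else {
            // NOTE(review): this message differs from the wrong-password one above,
            // which reveals whether a user name or address is registered.
            $err[] = "Error - Invalid login. No such user exists";
        }
    }

    // Backward-compatible addition: the original discarded the list, so callers
    // could not show why a login failed.
    return $err;
}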
if ($_POST['doLogin'] == 'Login') {
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
        // post variables are filtered
    }
    $user_email = $data['usr_email'];
    $pass = $data['pwd'];
    $user_cond = "Email='" . $user_email . "'";
    $result = mysql_query("SELECT * FROM user WHERE " . $user_cond) or die(mysql_error());
    $num = mysql_num_rows($result);
    // Match row found with more than 1 results  - the user is authenticated.
    if ($num > 0) {
        list($email, $pwd, $full_name, ) = mysql_fetch_row($result);
        //check against salt
        if ($pwd === PwdHash($pass)) {
            if (empty($err)) {
                // this sets session and logs user in
                session_start();
                session_regenerate_id(true);
                //prevent against session fixation attacks.
                // this sets variables in the session
                $_SESSION['email'] = $email;
                $_SESSION['user_name'] = $full_name;
                $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
                header("Location: library.php");
            }
        } else {
            //$msg = urlencode("Invalid Login. Please try again with correct user email and password. ");
            $err[] = "Invalid Login. Please try again with correct user email and password.";
            //header("Location: login.php?msg=$msg");
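function do_register()
{
    /*
     * Registers a new user from the globally populated form data ($data).
     *
     * Reads globals: $hasError (error list, appended to), $data (form values),
     * $dbc (DB link in $dbc['link']), $globals (client IP in $globals['ip'])
     * and $mostrar_captcha (whether a captcha has to be validated first).
     * Side effects: purges old unactivated accounts, inserts the new row,
     * writes $_SESSION, sends the activation mail and redirects to thankyou.php.
     * Returns nothing; on validation failure it only appends to $hasError.
     */
    global $hasError, $data, $dbc, $globals, $mostrar_captcha;
    borrar_usuarios_no_activados_antiguos();
    if ($mostrar_captcha) {
        validar_captcha($hasError);
    }
    $user_ip = $globals['ip'];
    // Only the hash of the password is stored (PwdHash is project code).
    $sha1pass = PwdHash($data['Password']);
    // Activation code sent by mail. NOTE(review): rand() is not a CSPRNG and a
    // 4-digit space is small; if this code alone activates an account, a
    // stronger generator and a longer code would be advisable.
    $activ_code = rand(1000, 9999);
    $usr_email = $data['Email'];
    $user_name = $data['UserName'];
    // Every request-derived value is escaped for the active connection before
    // it is interpolated into SQL; the previous version embedded $data raw.
    $esc_user_name = mysql_real_escape_string($user_name);
    $esc_email = mysql_real_escape_string($usr_email);
    $esc_ip = mysql_real_escape_string($user_ip);
    $esc_pass = mysql_real_escape_string($sha1pass);
    // Reject a user name that is already taken.
    $rs_duplicate = mysql_query("select count(*) as total from users where user_name='{$esc_user_name}'") or die(mysql_error());
    list($total) = mysql_fetch_row($rs_duplicate);
    if ($total > 0) {
        $hasError[] = "El usuario ya está dado de alta.";
    }
    // Reject an e-mail that is already registered. Addresses of the form
    // user+extension@domain are matched against user@domain and user+%@domain
    // so one mailbox cannot register repeatedly under different tags.
    $parts = explode('@', $usr_email);
    if (!isset($parts[1]) || $parts[0] === '' || $parts[1] === '') {
        // Malformed address: previously this fell through to a query with an
        // empty local part or domain (and an undefined-index notice).
        $hasError[] = "El email no es válido.";
    } else {
        $subparts = explode('+', $parts[0]);
        $esc_local = mysql_real_escape_string($subparts[0]);
        $esc_domain = mysql_real_escape_string($parts[1]);
        // '%' and '_' are LIKE wildcards; neutralise them in the pattern operand only.
        $esc_local_like = mysql_real_escape_string(addcslashes($subparts[0], '%_'));
        $rs_duplicate = mysql_query("select count(*) as total from users where user_email = '{$esc_local}@{$esc_domain}' or user_email LIKE '{$esc_local_like}+%@{$esc_domain}'") or die(mysql_error());
        list($total) = mysql_fetch_row($rs_duplicate);
        if ($total > 0) {
            $hasError[] = "El email ya está dado de alta.";
        }
    }
    if (empty($hasError)) {
        // Insert the new (not yet activated) account.
        $sql_insert = "INSERT into `users`"
            . " (`user_email`,`pwd`,`date`,`users_ip`,`activation_code`,`user_name`)"
            . " VALUES ('{$esc_email}','{$esc_pass}',now(),'{$esc_ip}','{$activ_code}','{$esc_user_name}')";
        mysql_query($sql_insert, $dbc['link']) or die("Insertion Failed:" . mysql_error());
        $user_id = mysql_insert_id($dbc['link']);
        // md5 of the numeric id is handed to the activation mail together with the code.
        $md5_id = md5($user_id);
        // $user_id / $md5_id are generated server-side, not request input.
        mysql_query("update users set md5_id='{$md5_id}' where id='{$user_id}'") or die(mysql_error());
        log_insert("register_ok", ip2long($user_ip));
        $_SESSION['email_registro'] = $usr_email;
        $_SESSION['email_registro_contador'] = 3;
        $_SESSION['hasSuccess'] = null;
        enviar_correo_registro($usr_email, $md5_id, $activ_code);
        header("Location: thankyou.php");
        exit;
    }
}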
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
    if (!$conn) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db($mysql_dbname);
    $sql = "SELECT * FROM users WHERE username='******' and authcode='{$authcode}'";
    $result = mysql_query($sql, $conn);
    // Mysql_num_row is counting table row
    $count = mysql_num_rows($result);
    // If result matched $username table row must be 1 row
    //echo "count".$count;
    if ($count == 1) {
        $sha1pass = PwdHash($password);
        $sql = "UPDATE users SET password='******' where username='******'";
        $retval = mysql_query($sql, $conn);
        if (!$retval) {
            die('Could not update data: ' . mysql_error());
        }
        mysql_close($conn);
        echo "Password Updated Successfully !!";
        die;
        //authenticated user
    } else {
        mysql_close($conn);
        echo "Wrong Username or Authentication code ";
        die;
    }
}
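if ($get['cmd'] === 'edit') {
    // Edit an existing user record. Every $get[...] value is request input:
    // escape each one for the mysqli connection before it reaches SQL (the
    // previous version interpolated them unescaped).
    // NOTE(review): user_level and accode are taken straight from the request,
    // so this branch must only be reachable by administrators — confirm that
    // the caller enforces it.
    $esc_id = mysqli_real_escape_string($link, $get['id']);
    $esc_user_name = mysqli_real_escape_string($link, $get['user_name']);
    $esc_user_email = mysqli_real_escape_string($link, $get['user_email']);
    $esc_user_level = mysqli_real_escape_string($link, $get['user_level']);
    $esc_accode = mysqli_real_escape_string($link, $get['user_accode']);
    /* Duplicate user name check (excluding the record being edited) */
    $rs_usr_duplicate = mysqli_query($link, "select count(*) as total from `users` where `user_name`='{$esc_user_name}' and `id` != '{$esc_id}'") or die(mysqli_error($link));
    list($usr_total) = mysqli_fetch_row($rs_usr_duplicate);
    if ($usr_total > 0) {
        echo "Sorry! user name already registered.";
        exit;
    }
    /* Duplicate email check (excluding the record being edited) */
    $rs_eml_duplicate = mysqli_query($link, "select count(*) as total from `users` where `user_email`='{$esc_user_email}' and `id` != '{$esc_id}'") or die(mysqli_error($link));
    list($eml_total) = mysqli_fetch_row($rs_eml_duplicate);
    if ($eml_total > 0) {
        echo "Sorry! user email already registered.";
        exit;
    }
    /* Now update user data */
    mysqli_query($link, "update users set `user_name`='{$esc_user_name}', `user_email`='{$esc_user_email}', `user_level`='{$esc_user_level}', `accode`='{$esc_accode}' where `id`='{$esc_id}'") or die(mysqli_error($link));
    //header("Location: $ret");
    if (!empty($get['pass'])) {
        // Only the hash is stored; escaped as well in case PwdHash output contains quotes.
        $hash = mysqli_real_escape_string($link, PwdHash($get['pass']));
        mysqli_query($link, "update users set `pwd` = '{$hash}' where `id`='{$esc_id}'") or die(mysqli_error($link));
    }
    echo "changes done";
    exit;
}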
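if ($get['cmd'] === 'unban') {
    // Lift a ban. The id is request input and was previously interpolated unescaped.
    $esc_id = mysqli_real_escape_string($link, $get['id']);
    mysqli_query($link, "update users set banned='0' where id='{$esc_id}'");
    echo "no";
    //header("Location: $ret");
    // exit();
}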
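function do_register()
{
    /*
     * Logs a user in from the globally populated form data ($data). Despite
     * its name this function authenticates; it does not create accounts.
     *
     * Looks the account up by user name or e-mail, checks the stored hash,
     * writes the session, optionally sets "remember me" cookies and redirects
     * to myaccount.php. Failures are appended to the global $hasError array.
     * Reads globals: $hasError, $data, $dbc, $globals, $mostrar_captcha.
     */
    global $hasError, $data, $dbc, $globals, $mostrar_captcha;
    if ($mostrar_captcha) {
        // A failed captcha stops here on purpose: checking the credentials
        // afterwards would let a client brute-force user/password pairs.
        if (!validar_captcha($hasError)) {
            return;
        }
    }
    $user_email = $data['UserNameEmail'];
    $pass = $data['Password'];
    // The lookup value is request input; escape it before it reaches SQL
    // (the previous version interpolated it raw).
    if (strpos($user_email, '@') === false) {
        $user_cond = "user_name='" . mysql_real_escape_string($user_email) . "'";
    } else {
        $parts = explode('@', $user_email);
        $subparts = explode('+', $parts[0]);
        // user+extension@domain is treated as user@domain so tagged addresses
        // cannot be used as separate accounts.
        $esc_local = mysql_real_escape_string($subparts[0]);
        $esc_domain = mysql_real_escape_string($parts[1]);
        // '%' and '_' are LIKE wildcards; neutralise them in the pattern operand only.
        $esc_local_like = mysql_real_escape_string(addcslashes($subparts[0], '%_'));
        $user_cond = "(user_email='{$esc_local}@{$esc_domain}' or user_email LIKE '{$esc_local_like}+%@{$esc_domain}')";
    }
    $result = mysql_query("SELECT `id`,`pwd`,`user_name`,`approved`,`banned`,`user_level` FROM users WHERE {$user_cond} limit 1") or die(mysql_error());
    $num = mysql_num_rows($result);
    if ($num > 0) {
        list($id, $pwd, $user_name, $approved, $banned, $user_level) = mysql_fetch_row($result);
        if ($banned) {
            $hasError[] = "Cuenta anulada.";
            return;
        }
        if (!$approved) {
            $hasError[] = "Cuenta registrada pero aún no activada. Revisa tu buzón de correo y sigue el enlace que allí aparece.";
            return;
        }
        // The stored hash carries its salt in the first 9 characters, which
        // are fed back to PwdHash to recompute the candidate.
        if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) {
            log_insert("login_ok", $id, $id);
            // Fresh session id on login prevents session fixation.
            // NOTE(review): assumes the session was already started by the caller.
            session_regenerate_id(true);
            $_SESSION['user_id'] = $id;
            $_SESSION['user_name'] = $user_name;
            $_SESSION['user_level'] = $user_level;
            $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
            // Persist the timestamp and key that back the "remember me" cookie.
            // $id and $stamp are server-side values; $ckey is escaped in case
            // GenKey() ever yields quote characters.
            $stamp = time();
            $ckey = GenKey();
            $esc_ckey = mysql_real_escape_string($ckey);
            mysql_query("update users set `ctime`='{$stamp}', `ckey` = '{$esc_ckey}' where id='{$id}'") or die(mysql_error());
            if (isset($_POST['remember'])) {
                $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
                // user_id and user_key are credentials: mark them HttpOnly so
                // scripts cannot read them. Add the Secure flag once the site
                // is served over HTTPS only.
                setcookie("user_id", $_SESSION['user_id'], $expires, "/", "", false, true);
                setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
                setcookie("user_name", $_SESSION['user_name'], $expires, "/");
            }
            header("Location: myaccount.php");
            exit;
        } else {
            $hasError[] = "Contraseña incorrecta. Vuelve a intentarlo.";
        }
    } else {
        $hasError[] = "Usuario o correo electrónico inexistente.";
    }
}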