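/**
 * Authenticate the posted credentials and, on a match, populate $_SESSION['user'].
 *
 * Reads $_POST['username'] and $_POST['password']. Missing fields are treated as
 * empty strings instead of raising undefined-index notices. On a matching row the
 * session receives the username, the row id and is_admin (taken from the `admin`
 * column); nothing is changed otherwise.
 *
 * @return void
 */
protected static function login()
{
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $rawPassword = isset($_POST['password']) ? $_POST['password'] : '';
    // NOTE(review): the hash is (per the redacted query below) looked up by SQL
    // equality. If pw_encode() salts with a per-call random seed, as the pw_encode()
    // elsewhere in this listing does, a fresh hash can never equal the stored one;
    // the usual shape is: fetch the row by username, then pw_check() against it.
    // Confirm which pw_encode() is in scope here.
    $password = pw_encode($rawPassword);
    // The username/password literals were redacted in this listing; whatever fills
    // them in should be bound/escaped by the driver, not concatenated.
    $result = select('SELECT * from user WHERE username = "******" AND password = "******"');
    // select() is assumed to return a list of associative rows (see $result[0]['id']);
    // guard against a non-array so count() cannot fault on a failed query.
    if (is_array($result) && count($result) > 0) {
        $_SESSION['user'] = array(
            'username' => $username,
            'id'       => $result[0]['id'],
            'is_admin' => $result[0]['admin'],
        );
    }
}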
/**
 * Account workflow dispatcher: login, forgot-password, e-mail verification,
 * profile update and registration, selected by $method.
 *
 * Every branch talks to MySQL through the legacy mysql_* API with SQL built by
 * string concatenation; most failures terminate the script via die(mysql_error()),
 * which also echoes the driver's error text to the client.
 *
 * @param array  $request Submitted form fields; the keys read depend on $method.
 * @param string $method  One of 'login', 'forgot', 'verify', 'profile', 'reg'.
 * @return bool TRUE on success, FALSE when login/forgot fail; 'verify', 'profile'
 *              and 'reg' return TRUE unless a query die()s first.
 */
function submitUser($request, $method = 'reg')
{
    $time = time();
    global $path_site;
    if ($method == 'login') {
        // LOGIN USER
        // The case variants below are presumably what the redacted username
        // comparisons in $query were built from.
        $un = $request['username'];
        $unlower = strtolower($request['username']);
        $unupper = strtoupper($request['username']);
        $unucfirst = ucfirst($request['username']);
        $unucwords = ucwords($request['username']);
        $password = $request['password'];
        $query = "select id,password,email,zip from user where (username = '******' or username = '******' or username = '******' or username = '******' or username = '******') and status='active'";
        $result = mysql_query($query) or die(mysql_error());
        // mysql_fetch_row() returns FALSE when no row matched; $row[1] is then null
        // and pw_check() is still called with it.
        $row = mysql_fetch_row($result);
        if (pw_check($password, $row[1])) {
            // START SESSION
            set_session($row[0], $request['username'], stripslashes($row[2]), $row[3]);
            //return
            return TRUE;
        } else {
            return FALSE;
        }
    } else {
        if ($method == 'forgot') {
            // LOGIN USER
            // NOTE(review): $email is concatenated into both queries without escaping;
            // it should be escaped via the driver or bound as a parameter.
            $email = strtolower($request['user_email']);
            // NOTE(review): uniqid()/rand() are time-based and predictable; a temporary
            // credential should come from a CSPRNG (random_bytes / openssl_random_pseudo_bytes).
            $tempPassword = uniqid(rand(0, 9999999));
            // (the password value expression was redacted in this listing)
            $query = "update user set password='******' where email='" . $email . "' and status <> 'deleted'";
            // Assignment in the condition is intentional: a failed UPDATE yields FALSE.
            if ($result = mysql_query($query)) {
                // SEND EMAIL, RETURN TRUE CHANGE IN PRODUCTION - THE HTTP HOST BELOW NEEDS TO BE UPDATED
                $query = "select username from user where email='" . $email . "' and status <> 'deleted'";
                $result = mysql_query($query) or die(mysql_error());
                $row = mysql_fetch_row($result);
                // SEND AN EMAIL TO USER
                // $to and $from are assembled but the send_email() call below uses
                // $email directly; the 4-argument form is left commented out.
                $to = stripslashes($row[0]) . '<' . $email . '>';
                $from = EMAIL_FORGOT_FROM;
                $subject = EMAIL_FORGOT_SUBJECT;
                // CALL CONTENT AND REPLACE TAGS INSIDE
                $template = $path_site . EMAIL_FORGOT_TEMPLATE;
                $returnOutput = new main_output($template);
                // replace tags from template
                // The temporary password is mailed in clear text; the '@' hides any
                // notice/warning raised while replacing tags.
                @$returnOutput->replace_tags(array('subject' => EMAIL_BUSINESS_REGISTER_SUBJECT, 'username' => stripslashes($row[0]), 'site_name' => SITE_NAME, 'site_title' => SITE_TITLE, 'temppassword' => $tempPassword, 'path_site' => SITE_BASEURL_SECURE));
                // Call the output
                $body = $returnOutput->output;
                // CALL SEND EMAIL
                // send_email($to,$subject,$body,$from);
                send_email($email, $subject, $body);
                //return
                return TRUE;
            } else {
                //echo $query;
                return FALSE;
            }
        } else {
            if ($method == 'verify') {
                // LOGIN USER
                // NOTE(review): $request['verify'] is concatenated into both statements
                // unescaped; it is the one value here that arrives straight from a URL.
                mysql_query("update user set status='active' where secToken='" . $request['verify'] . "'") or die(mysql_error());
                $result = mysql_query("select id,username,email,zip from user where secToken='" . $request['verify'] . "'") or die(mysql_error());
                // As in 'login', $row is FALSE when the token matched nothing, and
                // set_session() is still called with null fields.
                $row = mysql_fetch_row($result);
                set_session($row[0], stripslashes($row[1]), stripslashes($row[2]), $row[3]);
                return TRUE;
            } else {
                if ($method == 'profile') {
                    $userid = $_SESSION['user']['id'];
                    $flag_nl = 0;
                    if (isset($request['newsletter']) and ($request['newsletter'] == 'on' or $request['newsletter'] == 1)) {
                        $flag_nl = 1;
                    }
                    // check if old password was selected.
                    // (the hashing expression was redacted in this listing)
                    $query_pw = NULL;
                    if (isset($request['user_pass2']) and !empty($request['user_pass2'])) {
                        $query_pw = "password = '******'user_pass2']) . "', ";
                    }
                    // NOTE(review): addslashes() is not charset-aware; mysql_real_escape_string()
                    // or a prepared statement is the appropriate escaping for these fields.
                    $query = "\n\t\t\t\tupdate user set\n\t\t\t\t\temail = '" . addslashes(strtolower($request['user_email'])) . "',\n\t\t\t\t\tusername = '******'user_name']) . "',\n\t\t\t\t\tfirstName = '" . addslashes($request['user_fname']) . "',\n\t\t\t\t\tmi = '" . addslashes($request['user_mi']) . "',\n\t\t\t\t\tlastName = '" . addslashes($request['user_lname']) . "',\n\t\t\t\t\taddr1 = '" . addslashes($request['user_addr1']) . "',\n\t\t\t\t\taddr2 = '" . addslashes($request['user_addr2']) . "',\n\t\t\t\t\tcity = '" . addslashes($request['user_city']) . "',\n\t\t\t\t\tstate = '" . addslashes($request['user_state']) . "',\n\t\t\t\t\tzip = '" . addslashes($request['user_zc1']) . addslashes($request['user_zc2']) . "',\n\t\t\t\t\tmainPhone = '" . addslashes($request['user_phone1'] . $request['user_phone2'] . $request['user_phone3']) . "',\n\t\t\t\t\taltPhone = '" . addslashes($request['user_phone4'] . $request['user_phone5'] . $request['user_phone6']) . "',\t\t\t\t\t\n\t\t\t\t\t" . $query_pw . "\n\t\t\t\t\tflag_nl = '" . $flag_nl . "' \n\t\t\t\tWHERE id = '" . $userid . "'\n\t\t\t";
                    mysql_query($query) or die(mysql_error());
                    return TRUE;
                } else {
                    if ($method == 'reg') {
                        global $path_site;
                        $flag_agree = 0;
                        // get agree flag
                        if (isset($request['agree']) and ($request['agree'] == 'on' or $request['agree'] == '1')) {
                            $flag_agree = 1;
                        }
                        // INSERT VALUES
                        // (a stale commented-out copy of this INSERT was removed here; the
                        // username/password value expressions are redacted in this listing)
                        $query = "\n\t\t\t\tinsert into user set\n\t\t\t\t\tusername = '******'user_name']) . "',\n\t\t\t\t\temail = '" . addslashes(strtolower($request['user_email'])) . "',\n\t\t\t\t\tpassword = '******'user_pass']) . "',\n\t\t\t\t\tfirstName = '" . addslashes($request['user_fname']) . "',\n\t\t\t\t\tlastName = '" . addslashes($request['user_lname']) . "',\n\t\t\t\t\tflag_tosu = '" . $flag_agree . "',\n\t\t\t\t\tdateReg = '" . $time . "'\n\t\t\t";
                        mysql_query($query) or die(mysql_error());
                        $userid = mysql_insert_id();
                        // Add a record into pubProfile
                        $query = "\n\t\t\t\tinsert into public_profile set\n\t\t\t\t\tname = '" . addslashes($request['user_fname']) . "',\n\t\t\t\t\tuserid='" . $userid . "'\n\t\t\t";
                        mysql_query($query) or die(mysql_error());
                        // INSERT INTO USERS PERMISSIONS
                        $query = "\n\t\t\t\tinsert into user_groups set\n\t\t\t\t\tuserid='" . $userid . "'\n\t\t\t";
                        mysql_query($query) or die(mysql_error());
                        //INSERT SECURITY TOKEN
                        // NOTE(review): time() . rand() . $userid has little entropy for a
                        // verification token; random_bytes()/openssl_random_pseudo_bytes()
                        // is the defensible source.
                        $secToken = sha1(time() . rand(0, 9999999) . $userid);
                        mysql_query("update user set secToken = '" . $secToken . "' where id='" . $userid . "'") or die(mysql_error());
                        // NEW
                        // set_session($userid,$request['user_name'],strtolower($request['user_email']));
                        // NOTE(review): '=' assigns rather than compares, so this branch runs
                        // whenever 'l' is present at all; '==' was presumably intended.
                        if (isset($_REQUEST['l']) and $_REQUEST['l'] = 'c') {
                            $_SESSION['user']['id'] = $userid;
                        }
                        //send verification email.
                        // $to and $from are built but the send_email() call below uses
                        // $request['user_email'] directly.
                        $to = $request['user_name'] . '<' . $request['user_email'] . '>';
                        $from = EMAIL_REGISTER_FROM;
                        $subject = EMAIL_REGISTER_SUBJECT;
                        // email for registration
                        // CALL CONTENT AND REPLACE TAGS INSIDE
                        $template = $path_site . EMAIL_REGISTER_TEMPLATE;
                        $returnOutput = new main_output($template);
                        // replace tags from template
                        @$returnOutput->replace_tags(array('subject' => EMAIL_REGISTER_SUBJECT, 'username' => $request['user_name'], 'site_name' => SITE_NAME, 'site_title' => SITE_TITLE, 'verifyURL' => EMAIL_REGISTER_VERIFYLINK . $secToken));
                        // Call the output
                        $body = $returnOutput->output;
                        // CALL SEND EMAIL
                        send_email($request['user_email'], $subject, $body);
                        return TRUE;
                    }
                }
            }
        }
    }
}
    // (tail of the preceding mail helper; its signature is above this excerpt)
    if(mail($to, $subject, $message, $headers)) {
        $success = true;
    } else {
        $success = false;
    }
    return $success;
}

// --- Password-reminder handler (top-level script) ---
// Looks the account up by the posted username/e-mail, mails a new random
// password and stores its hash, then answers with a small XML document.
// Expects $mysqlConnection, $admin_email, $password_reset_subject and
// $password_reset_body to be defined above this excerpt.
$reminder = $_POST['reminder'];
// NOTE(review): $reminder is interpolated straight into the WHERE clause; it must
// be escaped by the driver or bound as a parameter. The username literal was
// redacted in this listing.
$queryResults = $mysqlConnection->processQuery("SELECT uid, email FROM user WHERE (username='******') OR (email='$reminder')");
if ($queryResults[0][0]) {
    $uid = $queryResults[0][0];
    $email = $queryResults[0][1];
    $success = true;
    // NOTE(review): rand() is not a CSPRNG and $newPassword is appended to before being
    // initialised; bin2hex(random_bytes(4)) gives the same 8-hex-char shape.
    for ($i = 1; $i <= 8; $i++)
        $newPassword .= substr('0123456789abcdef', rand(0,15), 1);
    // The clear-text password is mailed before the UPDATE below has succeeded.
    send_mail($email, $admin_email, $password_reset_subject, $password_reset_body.$newPassword);
    $newPassword = pw_encode($newPassword);
    // (the stored value expression was redacted in this listing)
    $mysqlConnection->processQuery("UPDATE user SET password = '******' WHERE uid = '".$uid."'");
} else {
    $success = false;
}
echo('<response><success>'.$success.'</success></response>');
?>
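/**
 * Create a user row with a hashed password and a freshly drawn unique uid.
 *
 * Uses the globals $dbh (mysql link) and $db (table/column names plus an optional
 * SQL-side password_encryption_function that is wrapped around the stored value).
 *
 * @param string $username
 * @param string $password Plain-text password; only pw_encode() output is stored.
 * @return mixed Result of the REPLACE query; the script die()s when it fails.
 */
function addUser($username, $password)
{
    global $dbh;
    global $db;
    // Check to see if the password is being stored using an encryption function, and
    // if so add that function around the password. mysql_real_escape_string() honours
    // the connection charset, which the deprecated mysql_escape_string() did not.
    $password_value = pw_encode($password);
    if (!empty($db['password_encryption_function'])) {
        $password_value = $db['password_encryption_function'] . "('" . mysql_real_escape_string($password_value, $dbh) . "')";
    } else {
        $password_value = "'" . mysql_real_escape_string($password_value, $dbh) . "'";
    }
    // Draw ids until one is not already present. The native mysql_query() returns a
    // result resource, so the row count -- not an array offset on the resource, which
    // always reads as null -- says whether the id is taken. A failed lookup is treated
    // as "free", as in the original flow; the REPLACE below still die()s on error.
    do {
        $id = generate256BitUniqueID();
        $lookup = mysql_query("SELECT uid FROM user WHERE uid='" . mysql_real_escape_string($id, $dbh) . "'", $dbh);
        $idTaken = ($lookup !== false) && mysql_num_rows($lookup) > 0;
    } while ($idTaken);
    // NOTE(review): REPLACE first deletes any existing row that collides on a unique
    // key (presumably the username column); confirm that INSERT is not what is wanted.
    $sql = "REPLACE INTO " . $db['table'] . " (" . $db['username_column'] . ", " . $db['password_column'] . ", uid) VALUES ('" . mysql_real_escape_string($username, $dbh) . "', " . $password_value . ", '" . mysql_real_escape_string($id, $dbh) . "')";
    $res = mysql_query($sql, $dbh) or die("Couldn't add user.");
    return $res;
}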
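// (tail of the preceding comparison helper; its signature is above this excerpt)
return TRUE; else return FALSE; }

/**
 * Hash a password with a fresh 10-character hex salt.
 *
 * Output layout, which pw_check() relies on and which therefore must not change:
 * sha1(seed . password . seed) followed by the seed -- 50 lowercase hex chars.
 * NOTE(review): a single sha1 round is weak for password storage; moving to
 * password_hash()/password_verify() would also require updating pw_check() and
 * re-hashing stored values at next login.
 *
 * @param string $password Plain-text password.
 * @return string Salted digest with the salt appended.
 */
function pw_encode($password) {
    // Take the salt from a CSPRNG when one is available; the original drew it from
    // rand(), which is seeded predictably. $seed is initialised explicitly so the
    // fallback loop never appends to an undefined variable.
    if (function_exists('random_bytes')) {
        $seed = bin2hex(random_bytes(5));
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $seed = bin2hex(openssl_random_pseudo_bytes(5));
    } else {
        $seed = '';
        for ($i = 1; $i <= 10; $i++) {
            $seed .= substr('0123456789abcdef', rand(0, 15), 1);
        }
    }
    return sha1($seed . $password . $seed) . $seed;
}

// --- Change-password handler (top-level script) ---
// Expects $success, $user_id and $mysqlConnection to be set above this excerpt
// ($wrongPassword presumably too, since it is echoed unconditionally below);
// answers with a small XML document.
echo('<response>');
if ($success) {
    // $user_id is concatenated into the query; fine if it comes from the session,
    // otherwise it should be bound/escaped -- TODO confirm its origin.
    $queryResults = $mysqlConnection->processQuery("SELECT password FROM user WHERE uid='".$user_id."'");
    // The current password must verify before the new one is accepted.
    if (pw_check($_POST['oldPassword'], $queryResults[0][0])) {
        $newPassword = pw_encode($_POST['newPassword']);
        // (the stored value expression was redacted in this listing)
        $mysqlConnection->processQuery("UPDATE user SET password = '******' WHERE uid = '".$user_id."'");
    } else {
        $success = false;
        $wrongPassword = true;
    }
}
echo('<success>'.$success.'</success>'.'<wrong>'.$wrongPassword.'</wrong>');
echo('</response>');
?>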
// Registration validation (continues a block opened above this excerpt: the
// two closing braces after the warnings check belong to enclosing statements
// that are not visible here). $passwd, $passwd2, $username, $warnings and
// $session are expected to be defined above.
if ($passwd != $passwd2) {
    $warnings[] = "Passwords don't match";
}
if (!isValidPassword($passwd)) {
    $warnings[] = "Not a valid password (longer than " . MIN_PASSWORD_LENGTH . " characters required)";
}
if (!isValidUsername($username)) {
    $warnings[] = "Not a valid username (longer than " . MIN_USERNAME_LENGTH . " characters required)";
}
// No warnings means everything is in order, and we can create the user
if (count($warnings) == 0) {
    $dao = new UserDAO();
    // Existence check and insert are two separate calls; a concurrent signup
    // with the same name between them is left to the database's constraints.
    if ($dao->userExists($username)) {
        $warnings[] = "Username already taken";
    } else {
        // Only the pw_encode() hash reaches the DAO.
        $passwd = pw_encode($passwd);
        if (!$dao->createUser($username, $passwd)) {
            $warnings[] = "Failed to insert to database";
        } else {
            // Registration was successful, redirect the user to
            // the login screen
            $session->set('register_flag', true);
            header("Location: login.php");
            exit;
        }
    }
}
}
}
// Include the HTML template:
require __DIR__ . '/../templates/register.php';
    // (tail of the preceding mail helper; its signature is above this excerpt)
    } else {
        $success = false;
    }
    return $success;
}

// --- Registration handler (top-level script) ---
// Draws a unique uid, mails the new user (and a supervisor), then inserts the
// row with the hashed password. Expects $mysqlConnection, $admin_email,
// $supervisor_email, $activateURL and the $registration_* / $user_registration_*
// message pieces to be defined above this excerpt.
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
// NOTE(review): when no row matches, $queryResults[0][0] is an undefined offset
// (notice) that compares unequal to $id, which is what ends the loop.
$notYetSet = true;
while ($notYetSet) {
    $id = generate256BitUniqueID();
    $queryResults = $mysqlConnection->processQuery("SELECT uid FROM user WHERE uid='$id'");
    if ($queryResults[0][0] != $id) {
        $notYetSet = false;
    }
}
// NOTE(review): the clear-text password is mailed to the user, and the uid that
// doubles as the activation token is mailed in the same message; both are sent
// before the INSERT below has succeeded.
send_mail($email, $admin_email, $registration_subject, $registration_body.$username.$registration_body_2.$password.$registration_body_3.$activateURL.$id);
send_mail($supervisor_email, $admin_email, $user_registration_subject.$username, $username.$user_registration_body.$email);
$password = pw_encode($password);
// NOTE(review): $username and $email come straight from $_POST and are concatenated
// into the INSERT; they must be escaped by the driver or bound as parameters.
$mysqlConnection->processQuery("INSERT INTO user (uid, username, password, email) VALUES ('".$id."','".$username."','".$password."','".$email."')");
echo('<response></response>');
?>
/**
 * Validation and filtering
 *
 * Checks first name and e-mail, derives a username from the e-mail when none was
 * given, handles an optional password change (hashing it only when the
 * confirmation field matches), stamps dateReg on first save, and rejects a
 * username or e-mail already held by another row of $this->_tbl.
 *
 * @return boolean True is satisfactory; false after setError() with the reason
 */
function check() {
    // Validate user information
    if (trim($this->firstName) == '') {
        $this->setError('Please enter your name.');
        return false;
    }
    if (trim($this->email) == "" || !is_email($this->email)) {
        $this->setError('Please enter a valid Email address');
        return false;
    }
    // Derive a username from the e-mail when none was supplied, stripping the
    // listed punctuation characters.
    if (trim($this->username) == '') {
        $this->username = preg_replace("#[<>\"'%;()&\\@\\.]#i", '', $this->email);
    }
    // NOTE(review): this branch validates the username but reports an e-mail error;
    // the message text looks like a copy-paste slip. utf8_decode() is used to count
    // characters rather than bytes (deprecated since PHP 8.2; mb_strlen() replaces it).
    if (trim($this->username) == '' || strlen(utf8_decode($this->username)) < 2) {
        $this->setError('Please enter a valid Email address.');
        return false;
    }
    // attempting to update our password
    // NOTE(review): && binds tighter than ||, so this reads as
    // _xpassword || (password && password != ''); confirm that grouping is intended.
    if (BRequest::getVar('_xpassword', false) || BRequest::getVar('password', false) && BRequest::getVar('password', '') != '') {
        if (BRequest::getVar('_xpassword') != $this->password) {
            $this->setError('Please confirm your password change.');
            return false;
        } else {
            //password change is good
            $this->password = pw_encode($this->password);
        }
    }
    // No password submitted: fall back to $this->_xpass (presumably the previously
    // stored hash -- verify against the caller).
    if (!$this->password) {
        $this->password = $this->_xpass;
    }
    if ($this->dateReg == null) {
        // Set the registration timestamp
        $now =& FiveFactory::getDate();
        $this->dateReg = $now->toMySQL();
    }
    // check for existing username
    // (the username value was redacted in this listing; the e-mail check below shows
    // the intended $this->_db->Quote() form)
    $query = 'SELECT id' . ' FROM ' . $this->_tbl . ' WHERE username = '******' AND id != ' . (int) $this->id;
    $this->_db->setQuery($query);
    $xid = intval($this->_db->loadResult());
    if ($xid && $xid != intval($this->id)) {
        $this->setError('Username is already in use.');
        return false;
    }
    // check for existing email
    $query = 'SELECT id' . ' FROM ' . $this->_tbl . ' WHERE email = ' . $this->_db->Quote($this->email) . ' AND id != ' . (int) $this->id;
    $this->_db->setQuery($query);
    $xid = intval($this->_db->loadResult());
    if ($xid && $xid != intval($this->id)) {
        $this->setError('Email is already in use.');
        return false;
    }
    return true;
}
// Registration form handler: on POST, build a user from the submitted name and
// e-mail, validate it, store it with a generated password and a registration
// token, e-mail the verification link, open a session and redirect to the
// profile page. On GET (or after a validation error) fall through to $view.
if (BRequest::get('post', false)) {
    $user = FiveTable::getInstance('user');

    // First word of "name" is the first name; anything after it is the last name.
    $nameParts = explode(' ', BRequest::getVar('name', ''));
    $user->firstName = array_shift($nameParts);
    if (count($nameParts) > 0) {
        $user->lastName = implode(' ', $nameParts);
    }
    $user->email = BRequest::getVar('email', false);

    $isValid = $user->check();
    if (!$isValid) {
        set_error($user->getErrors());
    } elseif (!BRequest::getVar('agree', false)) {
        set_error('Make sure to agree to the Terms of Use.');
    } else {
        // An initial password is generated for the user; only its hash is stored.
        $password = createRandomPassword();
        $user->password = pw_encode($password);
        // this function also does a store procedure
        $secToken = $user->setRegistrationToken();
        $user->store();

        // Verification e-mail; the template receives the plain password and the verify URL.
        // NOTE(review): the initial password travels in clear text by e-mail, and the
        // session is opened below before the address has been verified.
        $recipient = 'New User <' . $user->email . '>';
        $templateVars = array(
            'subject'    => EMAIL_REGISTER_SUBJECT,
            'username'   => $user->email,
            'password'   => $password,
            'site_name'  => SITE_NAME,
            'site_title' => SITE_TITLE,
            'verifyURL'  => url("user/account?verify={$secToken}"),
        );
        $mailBody = get_show_view('email-register', $templateVars);
        send_email($recipient, EMAIL_REGISTER_SUBJECT, $mailBody, EMAIL_REGISTER_FROM);

        //success
        set_session($user->id, $user->username, $user->email, $user->zip);
        redirect(Router::url(array('controller' => 'user', 'action' => 'profile')));
    }
}
require $view;