Beispiel #1
0
    protected static function login()
    {
        $username = $_POST['username'];
        $password = pw_encode($_POST['password']);
        $result = select('SELECT * from user
				WHERE username = "******" AND
				password = "******"');
        if (count($result) > 0) {
            $_SESSION['user'] = array('username' => $username, 'id' => $result[0]['id'], 'is_admin' => $result[0]['admin']);
        }
    }
Beispiel #2
0
 function submitUser($request, $method = 'reg')
 {
     $time = time();
     global $path_site;
     if ($method == 'login') {
         // LOGIN USER
         $un = $request['username'];
         $unlower = strtolower($request['username']);
         $unupper = strtoupper($request['username']);
         $unucfirst = ucfirst($request['username']);
         $unucwords = ucwords($request['username']);
         $password = $request['password'];
         $query = "select id,password,email,zip from user where (username = '******' or username = '******' or username = '******' or username = '******' or username = '******') and status='active'";
         $result = mysql_query($query) or die(mysql_error());
         $row = mysql_fetch_row($result);
         if (pw_check($password, $row[1])) {
             // START SESSION
             set_session($row[0], $request['username'], stripslashes($row[2]), $row[3]);
             //return
             return TRUE;
         } else {
             return FALSE;
         }
     } else {
         if ($method == 'forgot') {
             // LOGIN USER
             $email = strtolower($request['user_email']);
             $tempPassword = uniqid(rand(0, 9999999));
             $query = "update user set password='******' where email='" . $email . "' and status <> 'deleted'";
             if ($result = mysql_query($query)) {
                 // SEND EMAIL, RETURN TRUE CHANGE IN PRODUCTION - THE HTTP HOST BELOW NEEDS TO BE UPDATED
                 $query = "select username from user where email='" . $email . "' and status <> 'deleted'";
                 $result = mysql_query($query) or die(mysql_error());
                 $row = mysql_fetch_row($result);
                 // SEND AN EMAIL TO USER
                 $to = stripslashes($row[0]) . '<' . $email . '>';
                 $from = EMAIL_FORGOT_FROM;
                 $subject = EMAIL_FORGOT_SUBJECT;
                 // CALL CONTENT AND REPLACE TAGS INSIDE
                 $template = $path_site . EMAIL_FORGOT_TEMPLATE;
                 $returnOutput = new main_output($template);
                 // replace tags from template
                 @$returnOutput->replace_tags(array('subject' => EMAIL_BUSINESS_REGISTER_SUBJECT, 'username' => stripslashes($row[0]), 'site_name' => SITE_NAME, 'site_title' => SITE_TITLE, 'temppassword' => $tempPassword, 'path_site' => SITE_BASEURL_SECURE));
                 // Call the output
                 $body = $returnOutput->output;
                 // CALL SEND EMAIL
                 // send_email($to,$subject,$body,$from);
                 send_email($email, $subject, $body);
                 //return
                 return TRUE;
             } else {
                 //echo $query;
                 return FALSE;
             }
         } else {
             if ($method == 'verify') {
                 // LOGIN USER
                 mysql_query("update user set status='active' where secToken='" . $request['verify'] . "'") or die(mysql_error());
                 $result = mysql_query("select id,username,email,zip from user where secToken='" . $request['verify'] . "'") or die(mysql_error());
                 $row = mysql_fetch_row($result);
                 set_session($row[0], stripslashes($row[1]), stripslashes($row[2]), $row[3]);
                 return TRUE;
             } else {
                 if ($method == 'profile') {
                     $userid = $_SESSION['user']['id'];
                     $flag_nl = 0;
                     if (isset($request['newsletter']) and ($request['newsletter'] == 'on' or $request['newsletter'] == 1)) {
                         $flag_nl = 1;
                     }
                     // check if old password was selected.
                     $query_pw = NULL;
                     if (isset($request['user_pass2']) and !empty($request['user_pass2'])) {
                         $query_pw = "password = '******'user_pass2']) . "', ";
                     }
                     $query = "\n\t\t\t\tupdate user set\n\t\t\t\t\temail = '" . addslashes(strtolower($request['user_email'])) . "',\n\t\t\t\t\tusername = '******'user_name']) . "',\n\t\t\t\t\tfirstName = '" . addslashes($request['user_fname']) . "',\n\t\t\t\t\tmi = '" . addslashes($request['user_mi']) . "',\n\t\t\t\t\tlastName = '" . addslashes($request['user_lname']) . "',\n\t\t\t\t\taddr1 = '" . addslashes($request['user_addr1']) . "',\n\t\t\t\t\taddr2 = '" . addslashes($request['user_addr2']) . "',\n\t\t\t\t\tcity = '" . addslashes($request['user_city']) . "',\n\t\t\t\t\tstate = '" . addslashes($request['user_state']) . "',\n\t\t\t\t\tzip = '" . addslashes($request['user_zc1']) . addslashes($request['user_zc2']) . "',\n\t\t\t\t\tmainPhone = '" . addslashes($request['user_phone1'] . $request['user_phone2'] . $request['user_phone3']) . "',\n\t\t\t\t\taltPhone = '" . addslashes($request['user_phone4'] . $request['user_phone5'] . $request['user_phone6']) . "',\t\t\t\t\t\n\t\t\t\t\t" . $query_pw . "\n\t\t\t\t\tflag_nl = '" . $flag_nl . "' \n\t\t\t\tWHERE id = '" . $userid . "'\n\t\t\t";
                     mysql_query($query) or die(mysql_error());
                     return TRUE;
                 } else {
                     if ($method == 'reg') {
                         global $path_site;
                         $flag_agree = 0;
                         // get agree flag
                         if (isset($request['agree']) and ($request['agree'] == 'on' or $request['agree'] == '1')) {
                             $flag_agree = 1;
                         }
                         // INSERT VALUES
                         /*$query = "
                         			insert into user set
                         				username = '******'user_name']). "',
                         				email = '" .addslashes(strtolower($request['user_email'])). "',
                         				password = '******'user_pass']). "',
                         				firstName = '" .addslashes($request['user_fname']). "',
                         				mi = '" .addslashes($request['user_mi']). "',
                         				lastName = '" .addslashes($request['user_lname']). "',
                         				addr1 = '" .addslashes($request['user_addr1']). "',
                         				addr2 = '" .addslashes($request['user_addr2']). "',
                         				city = '" .addslashes($request['user_city']). "',
                         				state = '" .addslashes($request['user_state']). "',
                         				zip = '" .addslashes($request['user_zc1']).addslashes($request['user_zc2']). "',
                         				mainPhone = '" .addslashes($request['user_phone1'].$request['user_phone2'].$request['user_phone3']). "',
                         				altPhone = '" .addslashes($request['user_phone4'].$request['user_phone5'].$request['user_phone6']). "',
                         				flag_nl = '" .$flag_nl. "' ,
                         				flag_tosu = '" .$flag_agree. "',
                         				dateReg = '" .$time. "'
                         		";*/
                         $query = "\n\t\t\t\tinsert into user set\n\t\t\t\t\tusername = '******'user_name']) . "',\n\t\t\t\t\temail = '" . addslashes(strtolower($request['user_email'])) . "',\n\t\t\t\t\tpassword = '******'user_pass']) . "',\n\t\t\t\t\tfirstName = '" . addslashes($request['user_fname']) . "',\n\t\t\t\t\tlastName = '" . addslashes($request['user_lname']) . "',\n\t\t\t\t\tflag_tosu = '" . $flag_agree . "',\n\t\t\t\t\tdateReg = '" . $time . "'\n\t\t\t";
                         mysql_query($query) or die(mysql_error());
                         $userid = mysql_insert_id();
                         // Add a record into pubProfile
                         $query = "\n\t\t\t\tinsert into public_profile set\n\t\t\t\t\tname = '" . addslashes($request['user_fname']) . "',\n\t\t\t\t\tuserid='" . $userid . "'\n\t\t\t";
                         mysql_query($query) or die(mysql_error());
                         // INSERT INTO USERS PERMISSIONS
                         $query = "\n\t\t\t\tinsert into user_groups set\n\t\t\t\t\tuserid='" . $userid . "'\n\t\t\t";
                         mysql_query($query) or die(mysql_error());
                         //INSERT SECURITY TOKEN
                         $secToken = sha1(time() . rand(0, 9999999) . $userid);
                         mysql_query("update user set secToken = '" . $secToken . "' where id='" . $userid . "'") or die(mysql_error());
                         // NEW
                         // set_session($userid,$request['user_name'],strtolower($request['user_email']));
                         if (isset($_REQUEST['l']) and $_REQUEST['l'] = 'c') {
                             $_SESSION['user']['id'] = $userid;
                         }
                         //send verification email.
                         $to = $request['user_name'] . '<' . $request['user_email'] . '>';
                         $from = EMAIL_REGISTER_FROM;
                         $subject = EMAIL_REGISTER_SUBJECT;
                         // email for registration
                         // CALL CONTENT AND REPLACE TAGS INSIDE
                         $template = $path_site . EMAIL_REGISTER_TEMPLATE;
                         $returnOutput = new main_output($template);
                         // replace tags from template
                         @$returnOutput->replace_tags(array('subject' => EMAIL_REGISTER_SUBJECT, 'username' => $request['user_name'], 'site_name' => SITE_NAME, 'site_title' => SITE_TITLE, 'verifyURL' => EMAIL_REGISTER_VERIFYLINK . $secToken));
                         // Call the output
                         $body = $returnOutput->output;
                         // CALL SEND EMAIL
                         send_email($request['user_email'], $subject, $body);
                         return TRUE;
                     }
                 }
             }
         }
     }
 }
Beispiel #3
0
		if(mail($to, $subject, $message, $headers)) {
			$success = true;
		} else {
			$success = false;
		}
		return $success;
	} 

	$reminder = $_POST['reminder'];
	$queryResults = $mysqlConnection->processQuery("SELECT uid, email FROM user WHERE (username='******') OR (email='$reminder')");
	
	if ($queryResults[0][0])
	{                  
		$uid = $queryResults[0][0];
		$email = $queryResults[0][1];
		$success = true;		
		for ($i = 1; $i <= 8; $i++)
			$newPassword .= substr('0123456789abcdef', rand(0,15), 1);
			
		send_mail($email, $admin_email, $password_reset_subject, $password_reset_body.$newPassword);
			
		$newPassword = pw_encode($newPassword);
		$mysqlConnection->processQuery("UPDATE user SET password = '******' WHERE uid = '".$uid."'");
	} else {
		$success = false;		
	}

	echo('<response><success>'.$success.'</success></response>');
?>
Beispiel #4
0
function addUser($username, $password)
{
    global $dbh;
    global $db;
    // Check to see if the password is being stored using an encryption function, and if so add that function around the password.
    $password_value = pw_encode($password);
    if (!empty($db['password_encryption_function'])) {
        $password_value = $db['password_encryption_function'] . "('" . mysql_escape_string($password_value) . "')";
    } else {
        $password_value = "'" . mysql_escape_string($password_value) . "'";
    }
    $notYetSet = true;
    while ($notYetSet) {
        $id = generate256BitUniqueID();
        $queryResults = mysql_query("SELECT uid FROM user WHERE uid='{$id}'", $dbh);
        if ($queryResults[0][0] != $id) {
            $notYetSet = false;
        }
    }
    $sql = "REPLACE INTO " . $db['table'] . " (" . $db['username_column'] . ", " . $db['password_column'] . ", uid) VALUES ('" . mysql_escape_string($username) . "', " . $password_value . ", '" . $id . "')";
    $res = mysql_query($sql, $dbh) or die("Couldn't add user.");
    return $res;
}
Beispiel #5
0
	     return TRUE;
	   else
	     return FALSE;
	}

	function pw_encode($password)
	{
	   for ($i = 1; $i <= 10; $i++)
	       $seed .= substr('0123456789abcdef', rand(0,15), 1);
	   return sha1($seed.$password.$seed).$seed;
	}

	echo('<response>');
	if ($success)
	{
		$queryResults = $mysqlConnection->processQuery("SELECT password FROM user WHERE uid='".$user_id."'");

		if (pw_check($_POST['oldPassword'], $queryResults[0][0])) {
			$newPassword = pw_encode($_POST['newPassword']);
			$mysqlConnection->processQuery("UPDATE user SET password = '******' WHERE uid = '".$user_id."'");
		} else {
			$success = false;
			$wrongPassword = true;
		}
		
	}

	echo('<success>'.$success.'</success>'.'<wrong>'.$wrongPassword.'</wrong>');
	echo('</response>');
?>
Beispiel #6
0
        if ($passwd != $passwd2) {
            $warnings[] = "Passwords don't match";
        }
        if (!isValidPassword($passwd)) {
            $warnings[] = "Not a valid password (longer than " . MIN_PASSWORD_LENGTH . " characters required)";
        }
        if (!isValidUsername($username)) {
            $warnings[] = "Not a valid username (longer than " . MIN_USERNAME_LENGTH . " characters required)";
        }
        // No warnings means everything is in order, and we can create the user
        if (count($warnings) == 0) {
            $dao = new UserDAO();
            if ($dao->userExists($username)) {
                $warnings[] = "Username already taken";
            } else {
                $passwd = pw_encode($passwd);
                if (!$dao->createUser($username, $passwd)) {
                    $warnings[] = "Failed to insert to database";
                } else {
                    // Registration was successful, redirect the user to
                    // the login screen
                    $session->set('register_flag', true);
                    header("Location: login.php");
                    exit;
                }
            }
        }
    }
}
// Include the HTML template:
require __DIR__ . '/../templates/register.php';
Beispiel #7
0
		} else {
			$success = false;
		}
		return $success;
	} 

	$username = $_POST['username'];
	$email = $_POST['email'];
  	$password = $_POST['password'];

	$notYetSet = true;
	while ($notYetSet) {
		$id = generate256BitUniqueID();
		$queryResults = $mysqlConnection->processQuery("SELECT uid FROM user WHERE uid='$id'");
		if ($queryResults[0][0] != $id) {
			$notYetSet = false;
		}
	}

	send_mail($email, $admin_email, $registration_subject, $registration_body.$username.$registration_body_2.$password.$registration_body_3.$activateURL.$id);
	
	send_mail($supervisor_email, $admin_email, $user_registration_subject.$username, $username.$user_registration_body.$email);
	

	$password = pw_encode($password);


	$mysqlConnection->processQuery("INSERT INTO user (uid, username, password, email) VALUES ('".$id."','".$username."','".$password."','".$email."')");
	
	echo('<response></response>');
?>
Beispiel #8
0
 /**
  * Validation and filtering
  *
  * @return boolean True is satisfactory
  */
 function check()
 {
     // Validate user information
     if (trim($this->firstName) == '') {
         $this->setError('Please enter your name.');
         return false;
     }
     if (trim($this->email) == "" || !is_email($this->email)) {
         $this->setError('Please enter a valid Email address');
         return false;
     }
     if (trim($this->username) == '') {
         $this->username = preg_replace("#[<>\"'%;()&\\@\\.]#i", '', $this->email);
     }
     if (trim($this->username) == '' || strlen(utf8_decode($this->username)) < 2) {
         $this->setError('Please enter a valid Email address.');
         return false;
     }
     // attempting to update our password
     if (BRequest::getVar('_xpassword', false) || BRequest::getVar('password', false) && BRequest::getVar('password', '') != '') {
         if (BRequest::getVar('_xpassword') != $this->password) {
             $this->setError('Please confirm your password change.');
             return false;
         } else {
             //password change is good
             $this->password = pw_encode($this->password);
         }
     }
     if (!$this->password) {
         $this->password = $this->_xpass;
     }
     if ($this->dateReg == null) {
         // Set the registration timestamp
         $now =& FiveFactory::getDate();
         $this->dateReg = $now->toMySQL();
     }
     // check for existing username
     $query = 'SELECT id' . ' FROM ' . $this->_tbl . ' WHERE username = '******' AND id != ' . (int) $this->id;
     $this->_db->setQuery($query);
     $xid = intval($this->_db->loadResult());
     if ($xid && $xid != intval($this->id)) {
         $this->setError('Username is already in use.');
         return false;
     }
     // check for existing email
     $query = 'SELECT id' . ' FROM ' . $this->_tbl . ' WHERE email = ' . $this->_db->Quote($this->email) . ' AND id != ' . (int) $this->id;
     $this->_db->setQuery($query);
     $xid = intval($this->_db->loadResult());
     if ($xid && $xid != intval($this->id)) {
         $this->setError('Email is already in use.');
         return false;
     }
     return true;
 }
if (BRequest::get('post', false)) {
    $user = FiveTable::getInstance('user');
    $parts = explode(' ', BRequest::getVar('name', ''));
    $user->firstName = $parts[0];
    if (isset($parts[1])) {
        unset($parts[0]);
        $user->lastName = implode(' ', $parts);
    }
    $user->email = BRequest::getVar('email', false);
    if (!$user->check()) {
        set_error($user->getErrors());
    } elseif (!BRequest::getVar('agree', false)) {
        set_error('Make sure to agree to the Terms of Use.');
    } else {
        $password = createRandomPassword();
        $user->password = pw_encode($password);
        // this function also does a store procedure
        $secToken = $user->setRegistrationToken();
        $user->store();
        // send verification email
        $to = 'New User <' . $user->email . '>';
        $args = array('subject' => EMAIL_REGISTER_SUBJECT, 'username' => $user->email, 'password' => $password, 'site_name' => SITE_NAME, 'site_title' => SITE_TITLE, 'verifyURL' => url("user/account?verify={$secToken}"));
        $returnOutput = get_show_view('email-register', $args);
        // CALL SEND EMAIL
        send_email($to, EMAIL_REGISTER_SUBJECT, $returnOutput, EMAIL_REGISTER_FROM);
        //success
        set_session($user->id, $user->username, $user->email, $user->zip);
        redirect(Router::url(array('controller' => 'user', 'action' => 'profile')));
    }
}
require $view;