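function authenticate($username, $password, $givenname)
{
    // Authenticates the user's password by binding to the LDAP server with it.
    // A successful bind means the password is correct.
    //
    // $username  - the bind identity handed to ldap_bind() exactly as given
    //              (no DN escaping is applied here; the caller is responsible
    //              for the form of the value)
    // $password  - the password to verify
    // $givenname - forwarded to setLoginCookie() on success
    //
    // Returns nothing. On failure an error message is echoed.
    global $ldap_host;

    $bound = false;

    // An empty password must never reach ldap_bind(): LDAP treats a bind with an
    // empty credential as an anonymous (unauthenticated) bind, which most servers
    // accept, so any username would have been "authenticated" with a blank password.
    if ($password !== null && $password !== '') {
        // Connects to LDAP server
        $ds = ldap_connect($ldap_host);

        // Performs bind to LDAP server with user's password.
        // Error messages are suppressed if a wrong password is entered.
        if ($ds !== false) {
            $bound = @ldap_bind($ds, $username, $password);
        }
    }

    if ($bound) {
        // Bind is successful - password is correct
        // Sets cookie with user's givenname
        setLoginCookie($givenname);
    } else {
        // Bind is unsuccessful (or was never attempted) - password is incorrect
        echo "Log in failed. Details incorrect.";
        echo "<p>Click <a href='../../login.php'>here</a> to go back.</p>";
    }
}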
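public function action_register2()
{
    // Completes a registration that is backed by an external authentication
    // provider: validates the request, registers the member with a generated
    // password and associates the external account with the new member.
    // Returns the output of action_register() when validation fails; otherwise
    // it either sets up the "after" template or logs the member in and exits
    // through redirectexit().
    global $txt, $modSettings, $context, $user_info;

    // Start collecting together any errors.
    $reg_errors = Error_Context::context('register', 0);

    // Check they are who they should be
    checkSession();
    if (!validateToken('register', 'post', true, false)) {
        $reg_errors->addError('token_verification');
    }

    // You can't register if it's disabled.
    if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
        fatal_lang_error('registration_disabled', false);
    }

    // Well, if you don't agree, you can't register.
    if (!empty($modSettings['requireAgreement']) && !isset($_POST['checkbox_agreement'])) {
        $reg_errors->addError('agreement_unchecked');
    }

    // Make sure they came from *somewhere*, have a session.
    if (!isset($_SESSION['old_url'])) {
        redirectexit('action=register');
    }

    // Check their provider details match up correctly in case they're pulling something funny.
    // Both values have to be present and identical: a loose comparison of two
    // missing values (null != null) would otherwise let the request through.
    $postProvider = isset($_POST['provider']) && is_scalar($_POST['provider'])
        ? (string) $_POST['provider']
        : null;
    $sessionProvider = isset($_SESSION['extauth_info']['provider']) && is_scalar($_SESSION['extauth_info']['provider'])
        ? (string) $_SESSION['extauth_info']['provider']
        : null;
    if ($postProvider === null || $sessionProvider === null || $postProvider !== $sessionProvider) {
        redirectexit('action=register');
    }

    // Clean up
    foreach ($_POST as $key => $value) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
        }
    }

    // Needed for isReservedName() and registerMember()
    require_once SUBSDIR . '/Members.subs.php';

    // Needed for generateValidationCode()
    require_once SUBSDIR . '/Auth.subs.php';

    // Set the options needed for registration.
    $regOptions = array(
        'interface' => 'guest',
        'username' => !empty($_POST['user']) ? $_POST['user'] : '',
        'email' => !empty($_POST['email']) ? $_POST['email'] : '',
        'check_reserved_name' => true,
        'check_password_strength' => true,
        'check_email_ban' => true,
        'send_welcome_email' => !empty($modSettings['send_welcomeEmail']),
        'require' => empty($modSettings['registration_method'])
            ? 'nothing'
            : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval'),
    );

    // Lets check for other errors before trying to register the member.
    if ($reg_errors->hasErrors()) {
        return $this->action_register();
    }

    // The account password is a generated value (the member signs in through the
    // external provider). The generator is deliberately NOT reseeded from time()
    // here: a clock-derived mt_srand() seed makes the generated value predictable
    // to anyone who knows roughly when the account was created, and PHP seeds
    // the generator itself on first use.
    $regOptions['password'] = generateValidationCode();
    $regOptions['password_check'] = $regOptions['password'];

    // Registration needs to know your IP
    $req = request();
    $regOptions['ip'] = $user_info['ip'];
    $regOptions['ip2'] = $req->ban_ip();

    $memberID = registerMember($regOptions, 'register');

    // If there are "important" errors and you are not an admin: log the first error
    // Otherwise grab all of them and don't log anything
    if ($reg_errors->hasErrors(1) && !$user_info['is_admin']) {
        foreach ($reg_errors->prepareErrors(1) as $error) {
            fatal_error($error, 'general');
        }
    }

    // One last error check
    if ($reg_errors->hasErrors()) {
        return $this->action_register();
    }

    // Do our spam protection now.
    spamProtection('register');

    // Since all is well, we'll go ahead and associate the member's external account
    addAuth($memberID, $_SESSION['extauth_info']['provider'], $_SESSION['extauth_info']['uid'], $_SESSION['extauth_info']['name']);

    // Basic template variable setup.
    if (!empty($modSettings['registration_method'])) {
        loadTemplate('Register');
        $context += array(
            'page_title' => $txt['register'],
            'title' => $txt['registration_successful'],
            'sub_template' => 'after',
            'description' => $modSettings['registration_method'] == 2
                ? $txt['approval_after_registration']
                : $txt['activate_after_registration'],
        );
    } else {
        call_integration_hook('integrate_activate', array($regOptions['username']));

        // Login cookie value: sha256(lowercased username . password . salt), the
        // project's own cookie scheme (must match the check in action=auth;sa=check).
        setLoginCookie(60 * $modSettings['cookieTime'], $memberID, hash('sha256', Util::strtolower($regOptions['username']) . $regOptions['password'] . $regOptions['register_vars']['password_salt']));
        redirectexit('action=auth;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
    }
}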
function DeleteInstall()
{
    // Final installer step: records the install in the database, optionally logs
    // the freshly created admin account in, refreshes statistics and prepares the
    // "delete install" template context.
    // Always returns false (the installer's "no further step" signal).
    global $txt, $HTTP_SESSION_VARS, $incontext;
    global $current_smf_version, $sourcedir, $forum_version, $modSettings, $user_info, $db_type;

    $incontext['page_title'] = $txt['congratulations'];
    $incontext['sub_template'] = 'delete_install';
    $incontext['continue'] = 0;

    require dirname(__FILE__) . '/Settings.php';
    load_database();
    chdir(dirname(__FILE__));

    require_once $sourcedir . '/Errors.php';
    require_once $sourcedir . '/lib/Subs.php';
    require_once $sourcedir . '/CommonAPI.php';
    require_once $sourcedir . '/Load.php';
    require_once $sourcedir . '/Security.php';
    require_once $sourcedir . '/lib/Subs-Auth.php';

    // Bring a warning over.
    if (!empty($incontext['account_existed'])) {
        $incontext['warning'] = $incontext['account_existed'];
    }

    smf_db_query(' SET NAMES utf8', array());

    // As track stats is by default enabled let's add some activity.
    smf_db_insert('ignore', '{db_prefix}log_activity', array('date' => 'date', 'topics' => 'int', 'posts' => 'int', 'registers' => 'int'), array(strftime('%Y-%m-%d', time()), 1, 1, !empty($incontext['member_id']) ? 1 : 0), array('date'));

    // Automatically log them in ;)
    // Cookie lifetime is 3153600 * 60 = 189216000 seconds (six years).
    // The cookie value is the legacy SMF scheme sha1(sha1(lowercase username . password) . salt);
    // the plaintext password is read back from $_POST here — presumably still
    // present from the account-creation form of the previous step, verify against caller.
    if (isset($incontext['member_id']) && isset($incontext['member_salt'])) {
        setLoginCookie(3153600 * 60, $incontext['member_id'], sha1(sha1(strtolower($_POST['username']) . $_POST['password1']) . $incontext['member_salt']));
    }

    $result = smf_db_query(' SELECT value FROM {db_prefix}settings WHERE variable = {string:db_sessions}', array('db_sessions' => 'databaseSession_enable', 'db_error_skip' => true));
    if (mysql_num_rows($result) != 0) {
        list($db_sessions) = mysql_fetch_row($result);
    }
    mysql_free_result($result);

    // $db_sessions stays undefined when the setting row is absent; empty() covers that.
    if (empty($db_sessions)) {
        if (@version_compare(PHP_VERSION, '4.2.0') == -1) {
            $HTTP_SESSION_VARS['php_412_bugfix'] = true;
        }
        $_SESSION['admin_time'] = time();
    } else {
        // Database-backed sessions: write the session row by hand in PHP's
        // serialized-session format (length-prefixed string, so the truncated
        // user agent cannot break out of its field).
        $_SERVER['HTTP_USER_AGENT'] = substr($_SERVER['HTTP_USER_AGENT'], 0, 211);
        smf_db_insert('replace', '{db_prefix}sessions', array('session_id' => 'string', 'last_update' => 'int', 'data' => 'string'), array(session_id(), time(), 'USER_AGENT|s:' . strlen($_SERVER['HTTP_USER_AGENT']) . ':"' . $_SERVER['HTTP_USER_AGENT'] . '";admin_time|i:' . time() . ';'), array('session_id'));
    }

    // We're going to want our lovely $modSettings now.
    $request = smf_db_query(' SELECT variable, value FROM {db_prefix}settings', array('db_error_skip' => true));

    // Only proceed if we can load the data.
    if ($request) {
        while ($row = mysql_fetch_row($request)) {
            $modSettings[$row[0]] = $row[1];
        }
        mysql_free_result($request);
    }

    updateStats('member');
    updateStats('message');
    updateStats('topic');

    $request = smf_db_query(' SELECT id_msg FROM {db_prefix}messages WHERE id_msg = 1 AND modified_time = 0 LIMIT 1', array('db_error_skip' => true));
    if (mysql_num_rows($request) > 0) {
        updateStats('subject', 1, htmlspecialchars($txt['default_topic_subject']));
    }
    mysql_free_result($request);

    // Now is the perfect time to fetch the SM files.
    require_once $sourcedir . '/ScheduledTasks.php';

    // Sanity check that they loaded earlier!
    if (isset($modSettings['recycle_board'])) {
        // The variable is usually defined in index.php so lets just use our variable to do it for us.
        $forum_version = $current_smf_version;

        // Now go get those files!
        scheduled_fetchSMfiles();

        // We've just installed!
        $user_info['ip'] = $_SERVER['REMOTE_ADDR'];
        $user_info['id'] = isset($incontext['member_id']) ? $incontext['member_id'] : 0;
        logAction('install', array('version' => $forum_version), 'admin');
    }

    // Check if we need some stupid MySQL fix.
    $server_version = smf_db_get_version();
    if ($db_type == 'mysql' && in_array(substr($server_version, 0, 6), array('5.0.50', '5.0.51'))) {
        updateSettings(array('db_mysql_group_by_fix' => '1'));
    }

    // Some final context for the template.
    // The ':\\' test excludes Windows drive-letter paths from the "still writable" hint.
    $incontext['dir_still_writable'] = is_writable(dirname(__FILE__)) && substr(__FILE__, 1, 2) != ':\\';
    $incontext['probably_delete_install'] = isset($_SESSION['installer_temp_ftp']) || is_writable(dirname(__FILE__)) || is_writable(__FILE__);

    return false;
}
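function set_smf_cookie($id, $passhash, $salt)
{
    // Sets the forum login cookie for member $id by loading the forum's SSI
    // layer and delegating to its setLoginCookie().
    //
    // $id       - member id
    // $passhash - the member's stored password hash
    // $salt     - the member's password salt
    //
    // The cookie value is sha1($passhash . $salt), the forum's own cookie
    // scheme; its lifetime is 189216000 seconds (six years).
    global $THIS_BASEPATH;

    require $THIS_BASEPATH . '/smf/SSI.php';

    // The function name must be passed as a string: the original bare
    // setLoginCookie was an undefined constant, which PHP 8 rejects outright
    // and older versions only tolerated with a notice.
    if (!function_exists('setLoginCookie')) {
        require $THIS_BASEPATH . '/smf/Sources/Subs-Auth.php';
    }

    setLoginCookie(189216000, $id, sha1($passhash . $salt));
}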
/* NOTE: Following code adapted from http://elbertf.com/2010/01/store-passwords-safely-with-php-and-mysql/ A random salt is generated and appended to the given password to generate a hash This is then hashed 100000 times for extra security The salt is then appended to the hash, so that the salt can be retrieved later (i.e. on log in) */ // Create a 256 bit (64 characters) long random salt // Add 'something random' and the username to the salt as well for added security $salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username)); // Prefix the password with the salt $hash = $salt . $password; // Hash the salted password 100000 times for ($i = 0; $i < 100000; $i++) { $hash = hash('sha256', $hash); } // Prefix the hash with the salt so we can get it back later $hash = $salt . $hash; // Insert the username and hashed password into the DB $query = "INSERT INTO Users (username, password) VALUES ('{$username}', '{$hash}')"; // If the insertion was successful, then set the log in cookie if (mysql_query($query)) { // Calls the setLoginCookie function, which sets a cookie for the username setLoginCookie($username); } else { // Insertion was unsuccessful if (mysql_errno() == 1062) { // Insertion failed because the username is already being used echo "Oh no! The username '{$username}' is already taken!"; } } }
/**
 * Actually register the member.
 *
 * Validates the submitted registration form (session/token, agreement, COPPA,
 * time gate, visual verification, custom fields), builds the registration
 * options, hands them to registerMember() and finishes either on the "after"
 * template, a COPPA/OpenID detour, or a direct login.
 *
 * @todo split this function in two functions:
 * - a function that handles action=register2, which needs no parameter;
 * - a function that processes the case of OpenID verification.
 *
 * @param bool $verifiedOpenID = false true when returning from a completed
 *                               OpenID verification; session/token checks and
 *                               the COPPA gate are skipped in that case.
 * @return mixed the result of action_register() when validation fails;
 *               otherwise nothing (template set up, or exit via redirectexit()).
 */
public function action_register2($verifiedOpenID = false)
{
    global $txt, $modSettings, $context, $user_info;

    // Start collecting together any errors.
    $reg_errors = Error_Context::context('register', 0);

    // We can't validate the token and the session with OpenID enabled.
    if (!$verifiedOpenID) {
        checkSession();
        if (!validateToken('register', 'post', true, false)) {
            $reg_errors->addError('token_verification');
        }
    }

    // Did we save some open ID fields?
    if ($verifiedOpenID && !empty($context['openid_save_fields'])) {
        foreach ($context['openid_save_fields'] as $id => $value) {
            $_POST[$id] = $value;
        }
    }

    // You can't register if it's disabled.
    if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
        fatal_lang_error('registration_disabled', false);
    }

    // If we're using an agreement checkbox, did they check it?
    if (!empty($modSettings['checkboxAgreement']) && !empty($_POST['checkbox_agreement'])) {
        $_SESSION['registration_agreed'] = true;
    }

    // Things we don't do for people who have already confirmed their OpenID allegances via register.
    if (!$verifiedOpenID) {
        // Well, if you don't agree, you can't register.
        if (!empty($modSettings['requireAgreement']) && empty($_SESSION['registration_agreed'])) {
            redirectexit();
        }

        // Make sure they came from *somewhere*, have a session.
        if (!isset($_SESSION['old_url'])) {
            redirectexit('action=register');
        }

        // If we don't require an agreement, we need a extra check for coppa.
        if (empty($modSettings['requireAgreement']) && !empty($modSettings['coppaAge'])) {
            $_SESSION['skip_coppa'] = !empty($_POST['accept_agreement']);
        }

        // Are they under age, and under age users are banned?
        if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && empty($_SESSION['skip_coppa'])) {
            loadLanguage('Login');
            fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge']));
        }

        // Check the time gate for miscreants. First make sure they came from somewhere that actually set it up.
        if (empty($_SESSION['register']['timenow']) || empty($_SESSION['register']['limit'])) {
            redirectexit('action=register');
        }

        // Failing that, check the time limit for exessive speed.
        if (time() - $_SESSION['register']['timenow'] < $_SESSION['register']['limit']) {
            loadLanguage('Login');
            $reg_errors->addError('too_quickly');
        }

        // Check whether the visual verification code was entered correctly.
        if (!empty($modSettings['reg_verification'])) {
            require_once SUBSDIR . '/VerificationControls.class.php';
            $verificationOptions = array('id' => 'register');
            $context['visual_verification'] = create_control_verification($verificationOptions, true);
            // An array result is the list of verification errors.
            if (is_array($context['visual_verification'])) {
                foreach ($context['visual_verification'] as $error) {
                    $reg_errors->addError($error);
                }
            }
        }
    }

    // Strip line breaks and trim every scalar POST value before it is used anywhere below.
    foreach ($_POST as $key => $value) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
        }
    }

    // Collect all extra registration fields someone might have filled in.
    $possible_strings = array('birthdate', 'time_format', 'buddy_list', 'pm_ignore_list', 'smiley_set', 'personal_text', 'avatar', 'lngfile', 'location', 'secret_question', 'secret_answer', 'website_url', 'website_title');
    $possible_ints = array('pm_email_notify', 'notify_types', 'id_theme', 'gender');
    $possible_floats = array('time_offset');
    $possible_bools = array('notify_announcements', 'notify_regularity', 'notify_send_body', 'hide_email', 'show_online');

    // The secret answer is stored as an unsalted md5 — the project's existing
    // format for this field; NOTE(review): changing it needs a matching change
    // wherever the answer is verified.
    if (isset($_POST['secret_answer']) && $_POST['secret_answer'] != '') {
        $_POST['secret_answer'] = md5($_POST['secret_answer']);
    }

    // Needed for isReservedName() and registerMember().
    require_once SUBSDIR . '/Members.subs.php';

    // Validation... even if we're not a mall.
    if (isset($_POST['real_name']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) {
        // Collapse whitespace, including the invisible Unicode spacing characters, to a single space.
        $_POST['real_name'] = trim(preg_replace('~[\\t\\n\\r \\x0B\\0\\x{A0}\\x{AD}\\x{2000}-\\x{200F}\\x{201F}\\x{202F}\\x{3000}\\x{FEFF}]+~u', ' ', $_POST['real_name']));
        if (trim($_POST['real_name']) != '' && !isReservedName($_POST['real_name']) && Util::strlen($_POST['real_name']) < 60) {
            $possible_strings[] = 'real_name';
        }
    }

    // Handle a string as a birthdate...
    if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') {
        $_POST['birthdate'] = strftime('%Y-%m-%d', strtotime($_POST['birthdate']));
    }
    // ...or a date entered as separate month/day/year fields.
    elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) {
        $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']);
    }

    // By default assume email is hidden, only show it if we tell it to.
    $_POST['hide_email'] = !empty($_POST['allow_email']) ? 0 : 1;

    // Validate the passed language file.
    if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) {
        // Do we have any languages?
        $context['languages'] = getLanguages();

        // Did we find it?
        if (isset($context['languages'][$_POST['lngfile']])) {
            $_SESSION['language'] = $_POST['lngfile'];
        } else {
            unset($_POST['lngfile']);
        }
    } else {
        unset($_POST['lngfile']);
    }

    // Some of these fields we may not want.
    if (!empty($modSettings['registration_fields'])) {
        // But we might want some of them if the admin asks for them.
        $standard_fields = array('location', 'gender');
        $reg_fields = explode(',', $modSettings['registration_fields']);
        $exclude_fields = array_diff($standard_fields, $reg_fields);

        // Website is a little different
        if (!in_array('website', $reg_fields)) {
            $exclude_fields = array_merge($exclude_fields, array('website_url', 'website_title'));
        }

        // We used to accept signature on registration but it's being abused by spammers these days, so no more.
        $exclude_fields[] = 'signature';
    } else {
        $exclude_fields = array('signature', 'location', 'gender', 'website_url', 'website_title');
    }

    $possible_strings = array_diff($possible_strings, $exclude_fields);
    $possible_ints = array_diff($possible_ints, $exclude_fields);
    $possible_floats = array_diff($possible_floats, $exclude_fields);
    $possible_bools = array_diff($possible_bools, $exclude_fields);

    // Set the options needed for registration.
    $regOptions = array(
        'interface' => 'guest',
        'username' => !empty($_POST['user']) ? $_POST['user'] : '',
        'email' => !empty($_POST['email']) ? $_POST['email'] : '',
        'password' => !empty($_POST['passwrd1']) ? $_POST['passwrd1'] : '',
        'password_check' => !empty($_POST['passwrd2']) ? $_POST['passwrd2'] : '',
        'openid' => !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '',
        'auth_method' => !empty($_POST['authenticate']) ? $_POST['authenticate'] : '',
        'check_reserved_name' => true,
        'check_password_strength' => true,
        'check_email_ban' => true,
        'send_welcome_email' => !empty($modSettings['send_welcomeEmail']),
        'require' => !empty($modSettings['coppaAge']) && !$verifiedOpenID && empty($_SESSION['skip_coppa']) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')),
        'extra_register_vars' => array(),
        'theme_vars' => array(),
    );

    // Include the additional options that might have been filled in.
    foreach ($possible_strings as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = Util::htmlspecialchars($_POST[$var], ENT_QUOTES);
        }
    }
    foreach ($possible_ints as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (int) $_POST[$var];
        }
    }
    foreach ($possible_floats as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (double) $_POST[$var];
        }
    }
    foreach ($possible_bools as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1;
        }
    }

    // Registration options are always default options...
    if (isset($_POST['default_options'])) {
        $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options'];
    }
    $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? $_POST['options'] : array();

    // Make sure they are clean, dammit!
    $regOptions['theme_vars'] = htmlspecialchars__recursive($regOptions['theme_vars']);

    // Check whether we have fields that simply MUST be displayed?
    require_once SUBSDIR . '/Profile.subs.php';
    loadCustomFields(0, 'register');

    foreach ($context['custom_fields'] as $row) {
        // Don't allow overriding of the theme variables.
        if (isset($regOptions['theme_vars'][$row['colname']])) {
            unset($regOptions['theme_vars'][$row['colname']]);
        }

        // Prepare the value!
        $value = isset($_POST['customfield'][$row['colname']]) ? trim($_POST['customfield'][$row['colname']]) : '';

        // We only care for text fields as the others are valid to be empty.
        if (!in_array($row['type'], array('check', 'select', 'radio'))) {
            // Is it too long?
            if ($row['field_length'] && $row['field_length'] < Util::strlen($value)) {
                $reg_errors->addError(array('custom_field_too_long', array($row['name'], $row['field_length'])));
            }

            // Any masks to apply? (The mask comes from the admin-defined custom field
            // configuration; a 'regex' mask is used as the pattern verbatim.)
            if ($row['type'] == 'text' && !empty($row['mask']) && $row['mask'] != 'none') {
                // @todo We never error on this - just ignore it at the moment...
                if ($row['mask'] == 'email' && !isValidEmail($value)) {
                    $reg_errors->addError(array('custom_field_invalid_email', array($row['name'])));
                } elseif ($row['mask'] == 'number' && preg_match('~[^\\d]~', $value)) {
                    $reg_errors->addError(array('custom_field_not_number', array($row['name'])));
                } elseif (substr($row['mask'], 0, 5) == 'regex' && trim($value) !== '' && preg_match(substr($row['mask'], 5), $value) === 0) {
                    $reg_errors->addError(array('custom_field_inproper_format', array($row['name'])));
                }
            }
        }

        // Is this required but not there?
        if (trim($value) == '' && $row['show_reg'] > 1) {
            $reg_errors->addError(array('custom_field_empty', array($row['name'])));
        }
    }

    // Lets check for other errors before trying to register the member.
    if ($reg_errors->hasErrors()) {
        $_REQUEST['step'] = 2;

        // If they've filled in some details but made an error then they need less time to finish
        $_SESSION['register']['limit'] = 4;

        return $this->action_register();
    }

    // If they're wanting to use OpenID we need to validate them first.
    if (empty($_SESSION['openid']['verified']) && !empty($_POST['authenticate']) && $_POST['authenticate'] == 'openid') {
        // What do we need to save? Everything except the session/token fields and the passwords.
        $save_variables = array();
        foreach ($_POST as $k => $v) {
            if (!in_array($k, array('sc', 'sesc', $context['session_var'], 'passwrd1', 'passwrd2', 'regSubmit'))) {
                $save_variables[$k] = $v;
            }
        }

        require_once SUBSDIR . '/OpenID.subs.php';
        $openID = new OpenID();
        $openID->validate($_POST['openid_identifier'], false, $save_variables);
    }
    // NOTE(review): $_POST['authenticate'] is read without isset() in this branch
    // (it is only guaranteed set when the first condition's !empty() passed).
    elseif ($verifiedOpenID || (!empty($_POST['openid_identifier']) || !empty($_SESSION['openid']['openid_uri'])) && $_POST['authenticate'] == 'openid') {
        $regOptions['username'] = !empty($_POST['user']) && trim($_POST['user']) != '' ? $_POST['user'] : $_SESSION['openid']['nickname'];
        $regOptions['email'] = !empty($_POST['email']) && trim($_POST['email']) != '' ? $_POST['email'] : $_SESSION['openid']['email'];
        $regOptions['auth_method'] = 'openid';
        $regOptions['openid'] = !empty($_SESSION['openid']['openid_uri']) ? $_SESSION['openid']['openid_uri'] : (!empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '');
    }

    // Registration needs to know your IP
    $req = request();
    $regOptions['ip'] = $user_info['ip'];
    $regOptions['ip2'] = $req->ban_ip();

    $memberID = registerMember($regOptions, 'register');

    // If there are "important" errors and you are not an admin: log the first error
    // Otherwise grab all of them and don't log anything
    if ($reg_errors->hasErrors(1) && !$user_info['is_admin']) {
        foreach ($reg_errors->prepareErrors(1) as $error) {
            fatal_error($error, 'general');
        }
    }

    // Was there actually an error of some kind dear boy?
    if ($reg_errors->hasErrors()) {
        $_REQUEST['step'] = 2;
        return $this->action_register();
    }

    // Do our spam protection now.
    spamProtection('register');

    // We'll do custom fields after as then we get to use the helper function!
    if (!empty($_POST['customfield'])) {
        require_once SUBSDIR . '/Profile.subs.php';
        makeCustomFieldChanges($memberID, 'register');
    }

    // If COPPA has been selected then things get complicated, setup the template.
    if (!empty($modSettings['coppaAge']) && empty($_SESSION['skip_coppa'])) {
        redirectexit('action=coppa;member=' . $memberID);
    } elseif (!empty($modSettings['registration_method'])) {
        loadTemplate('Register');
        $context += array(
            'page_title' => $txt['register'],
            'title' => $txt['registration_successful'],
            'sub_template' => 'after',
            'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration'],
        );
    } else {
        call_integration_hook('integrate_activate', array($regOptions['username']));

        // Login cookie value: sha256(lowercased username . password . salt), the
        // project's own cookie scheme (must match the check in action=auth;sa=check).
        setLoginCookie(60 * $modSettings['cookieTime'], $memberID, hash('sha256', Util::strtolower($regOptions['username']) . $regOptions['password'] . $regOptions['register_vars']['password_salt']));
        redirectexit('action=auth;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
    }
}
/**
 * Final step, clean up and a complete message!
 *
 * Loads the installed forum's settings and database layer, records the
 * install (activity log, sessions, statistics), optionally logs the newly
 * created member in, and fills $incontext for the 'delete_install' template.
 *
 * @return bool always false (no further installer step)
 */
function action_deleteInstall()
{
    global $txt, $incontext, $db_character_set;
    global $current_version, $databases, $forum_version, $modSettings, $user_info, $db_type;

    // A few items we will load in from settings and make avaialble.
    global $boardurl, $db_prefix, $cookiename, $mbname, $language;

    $incontext['page_title'] = $txt['congratulations'];
    $incontext['sub_template'] = 'delete_install';
    $incontext['continue'] = 0;

    require dirname(__FILE__) . '/Settings.php';

    if (!defined('ELK')) {
        define('ELK', 1);
    }

    definePaths();
    $db = load_database();

    if (!defined('SUBSDIR')) {
        define('SUBSDIR', dirname(__FILE__) . '/sources/subs');
    }

    chdir(dirname(__FILE__));

    require_once SOURCEDIR . '/Errors.php';
    require_once SOURCEDIR . '/Logging.php';
    require_once SOURCEDIR . '/Subs.php';
    require_once SOURCEDIR . '/Load.php';
    require_once SUBSDIR . '/Cache.subs.php';
    require_once SOURCEDIR . '/Security.php';
    require_once SUBSDIR . '/Auth.subs.php';
    require_once SUBSDIR . '/Util.class.php';

    // Bring a warning over.
    if (!empty($incontext['account_existed'])) {
        $incontext['warning'] = $incontext['account_existed'];
    }

    // The character set comes from the installer's own configuration ($db_character_set),
    // not from the request, and is passed through the {raw:} placeholder unescaped.
    if (!empty($db_character_set) && !empty($databases[$db_type]['utf8_support'])) {
        $db->query('', ' SET NAMES {raw:db_character_set}', array('db_character_set' => $db_character_set, 'db_error_skip' => true));
    }

    // As track stats is by default enabled let's add some activity.
    $db->insert('ignore', '{db_prefix}log_activity', array('date' => 'date', 'topics' => 'int', 'posts' => 'int', 'registers' => 'int'), array(strftime('%Y-%m-%d', time()), 1, 1, !empty($incontext['member_id']) ? 1 : 0), array('date'));

    // We're going to want our lovely $modSettings now.
    $request = $db->query('', ' SELECT variable, value FROM {db_prefix}settings', array('db_error_skip' => true));

    // Only proceed if we can load the data.
    if ($request) {
        while ($row = $db->fetch_row($request)) {
            $modSettings[$row[0]] = $row[1];
        }
        $db->free_result($request);
    }

    // Automatically log them in ;)
    // Cookie lifetime is 3153600 * 60 = 189216000 seconds (six years); the cookie
    // value is sha256(password . salt) using the values carried in $incontext.
    if (isset($incontext['member_id']) && isset($incontext['member_salt'])) {
        setLoginCookie(3153600 * 60, $incontext['member_id'], hash('sha256', $incontext['passwd'] . $incontext['member_salt']));
    }

    $result = $db->query('', ' SELECT value FROM {db_prefix}settings WHERE variable = {string:db_sessions}', array('db_sessions' => 'databaseSession_enable', 'db_error_skip' => true));
    if ($db->num_rows($result) != 0) {
        list($db_sessions) = $db->fetch_row($result);
    }
    $db->free_result($result);

    // $db_sessions stays undefined when the setting row is absent; empty() covers that.
    if (empty($db_sessions)) {
        $_SESSION['admin_time'] = time();
    } else {
        // Database-backed sessions: write the session row by hand in PHP's
        // serialized-session format (length-prefixed string, so the truncated
        // user agent cannot break out of its field).
        $_SERVER['HTTP_USER_AGENT'] = substr($_SERVER['HTTP_USER_AGENT'], 0, 211);
        $db->insert('replace', '{db_prefix}sessions', array('session_id' => 'string', 'last_update' => 'int', 'data' => 'string'), array(session_id(), time(), 'USER_AGENT|s:' . strlen($_SERVER['HTTP_USER_AGENT']) . ':"' . $_SERVER['HTTP_USER_AGENT'] . '";admin_time|i:' . time() . ';'), array('session_id'));
    }

    updateStats('member');
    updateStats('message');
    updateStats('topic');

    $request = $db->query('', ' SELECT id_msg FROM {db_prefix}messages WHERE id_msg = 1 AND modified_time = 0 LIMIT 1', array('db_error_skip' => true));
    if ($db->num_rows($request) > 0) {
        updateStats('subject', 1, htmlspecialchars($txt['default_topic_subject']));
    }
    $db->free_result($request);

    // Now is the perfect time to fetch remote files.
    require_once SUBSDIR . '/ScheduledTask.class.php';

    // Sanity check that they loaded earlier!
    if (isset($modSettings['recycle_board'])) {
        // The variable is usually defined in index.php so lets just use our variable to do it for us.
        $forum_version = $current_version;

        // Now go get those files!
        $task = new Scheduled_Task();
        $task->fetchFiles();

        // We've just installed!
        $user_info['ip'] = $_SERVER['REMOTE_ADDR'];
        $user_info['id'] = isset($incontext['member_id']) ? $incontext['member_id'] : 0;
        logAction('install', array('version' => $forum_version), 'admin');
    }

    // Check if we need some stupid MySQL fix.
    $server_version = $db->db_server_info();
    if ($db_type == 'mysql' && in_array(substr($server_version, 0, 6), array('5.0.50', '5.0.51'))) {
        updateSettings(array('db_mysql_group_by_fix' => '1'));
    }

    // Some final context for the template.
    // The ':\\' test excludes Windows drive-letter paths from the "still writable" hint.
    $incontext['dir_still_writable'] = is_writable(dirname(__FILE__)) && substr(__FILE__, 1, 2) != ':\\';
    $incontext['probably_delete_install'] = isset($_SESSION['installer_temp_ftp']) || is_writable(dirname(__FILE__)) || is_writable(__FILE__);

    return false;
}
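// Where to send the browser after a successful login. The value comes from the
// request (POST first, then GET), so it is restricted to a site-relative path
// below: an absolute URL, a scheme-relative "//host" or a backslash variant
// would turn the Location header into an open redirect to an arbitrary host.
if (isset($_POST["jumpto"])) {
    $jumpto = $_POST["jumpto"];
} elseif (isset($_GET["jumpto"])) {
    $jumpto = $_GET["jumpto"];
} else {
    $jumpto = "home.php";
}

// Accept only a plain relative/site-local path (letters, digits, and the usual
// path/query punctuation); anything else falls back to the default page.
if (!is_string($jumpto)
    || $jumpto === ''
    || preg_match('~^[A-Za-z0-9_./?&=%+#-]+$~', $jumpto) !== 1
    || strpos($jumpto, '//') !== false
    || strpos($jumpto, '..') !== false) {
    $jumpto = "home.php";
}

$msg = "";
if (isset($_POST["un"]) && isset($_POST["pwd"])) {
    // parseCredentials() is expected to fill $token and $expires by reference
    // (neither is defined before this call) — confirm against its definition.
    $msg = parseCredentials($_POST["un"], $_POST["pwd"], $token, $expires);
    if (isset($token) && strlen($token) === 32 && isset($expires)) {
        setLoginCookie($token, $expires->getTimestamp());
        header("Location: {$jumpto}");
        // Stop here: nothing below should be rendered for a redirected login.
        exit;
    }
}
?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="" />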
/**
 * Second step of guest registration: validates the submitted form and creates
 * the member.
 *
 * Checks, in order: agreement accepted, a session exists ($_SESSION['old_url']),
 * registration not disabled, anti-spam questions, COPPA age gate and the visual
 * verification code. It then collects the optional profile fields, calls
 * registerMember() and either redirects to the COPPA page, shows the "after"
 * template (activation / approval pending) or sets the login cookie and sends
 * the new member to login2.
 *
 * Reads $_POST, $_REQUEST and $_SESSION; a failed check hands off to
 * redirectexit() or fatal_lang_error() and does not continue.
 */
function Register2()
{
    global $scripturl, $txt, $modSettings, $db_prefix, $context, $sourcedir;
    global $user_info, $options, $settings, $func;

    // Well, if you don't agree, you can't register.
    if (!empty($modSettings['requireAgreement']) && (empty($_POST['regagree']) || $_POST['regagree'] == 'no')) {
        redirectexit();
    }

    // Make sure they came from *somewhere*, have a session.
    if (!isset($_SESSION['old_url'])) {
        redirectexit('action=register');
    }

    // You can't register if it's disabled.
    if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
        fatal_lang_error('registration_disabled', false);
    }

    // Strip CR/LF from every scalar POST value and trim it; nested arrays are
    // left alone here.
    foreach ($_POST as $key => $value) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
        }
    }

    // Did they answer the verification questions correctly?
    // Each configured question is compared case-insensitively; a missing answer
    // counts as wrong. NOTE(review): strcmp() is not constant-time, which only
    // matters if the answers are treated as secrets.
    if (!empty($modSettings['anti_spam_ver_enable'])) {
        if (!empty($modSettings['anti_spam_ver_ques_1']) && strcmp(strtolower($modSettings['anti_spam_ver_ans_1']), isset($_POST['anti_spam_ver_resp_1']) ? strtolower($_POST['anti_spam_ver_resp_1']) : '') || !empty($modSettings['anti_spam_ver_ques_2']) && strcmp(strtolower($modSettings['anti_spam_ver_ans_2']), isset($_POST['anti_spam_ver_resp_2']) ? strtolower($_POST['anti_spam_ver_resp_2']) : '') || !empty($modSettings['anti_spam_ver_ques_3']) && strcmp(strtolower($modSettings['anti_spam_ver_ans_3']), isset($_POST['anti_spam_ver_resp_3']) ? strtolower($_POST['anti_spam_ver_resp_3']) : '') || !empty($modSettings['anti_spam_ver_ques_4']) && strcmp(strtolower($modSettings['anti_spam_ver_ans_4']), isset($_POST['anti_spam_ver_resp_4']) ? strtolower($_POST['anti_spam_ver_resp_4']) : '') || !empty($modSettings['anti_spam_ver_ques_5']) && strcmp(strtolower($modSettings['anti_spam_ver_ans_5']), isset($_POST['anti_spam_ver_resp_5']) ? strtolower($_POST['anti_spam_ver_resp_5']) : '')) {
            fatal_lang_error('anti_spam_ver_failed', false);
        }
    }

    // Are they under age, and under age users are banned?
    if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && !isset($_POST['skip_coppa'])) {
        // !!! This should be put in Errors, imho.
        loadLanguage('Login');
        fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge']));
    }

    // Check whether the visual verification code was entered correctly.
    // The code is read from $_REQUEST, so it may arrive via GET or POST. After
    // more than 3 failures the session code is discarded so a fresh one has to
    // be generated; a success clears the failure counter.
    if ((empty($modSettings['disable_visual_verification']) || $modSettings['disable_visual_verification'] != 1) && (empty($_REQUEST['visual_verification_code']) || strtoupper($_REQUEST['visual_verification_code']) !== $_SESSION['visual_verification_code'])) {
        $_SESSION['visual_errors'] = isset($_SESSION['visual_errors']) ? $_SESSION['visual_errors'] + 1 : 1;
        if ($_SESSION['visual_errors'] > 3 && isset($_SESSION['visual_verification_code'])) {
            unset($_SESSION['visual_verification_code']);
        }
        fatal_lang_error('visual_verification_failed', false);
    } elseif (isset($_SESSION['visual_errors'])) {
        unset($_SESSION['visual_errors']);
    }

    // Collect all extra registration fields someone might have filled in.
    // Each list is later coerced to the matching type before being handed to
    // registerMember().
    $possible_strings = array('websiteUrl', 'websiteTitle', 'AIM', 'YIM', 'location', 'birthdate', 'timeFormat', 'buddy_list', 'pm_ignore_list', 'smileySet', 'signature', 'personalText', 'avatar', 'lngfile', 'secretQuestion', 'secretAnswer');
    $possible_ints = array('pm_email_notify', 'notifyTypes', 'ICQ', 'gender', 'ID_THEME');
    $possible_floats = array('timeOffset');
    $possible_bools = array('notifyAnnouncements', 'notifyOnce', 'notifySendBody', 'hideEmail', 'showOnline');

    // NOTE(review): the secret answer is stored as an unsalted md5 — a legacy
    // scheme that is cheap to brute-force offline.
    if (isset($_POST['secretAnswer']) && $_POST['secretAnswer'] != '') {
        $_POST['secretAnswer'] = md5($_POST['secretAnswer']);
    }

    // Needed for isReservedName() and registerMember().
    require_once $sourcedir . '/Subs-Members.php';

    // Validation... even if we're not a mall.
    // A display name is only honoured when display-name editing is enabled (or
    // the caller may moderate), is non-empty, not reserved and at most 60 chars.
    if (isset($_POST['realName']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) {
        $_POST['realName'] = trim(preg_replace('~[\\s]~' . ($context['utf8'] ? 'u' : ''), ' ', $_POST['realName']));
        if (trim($_POST['realName']) != '' && !isReservedName($_POST['realName']) && $func['strlen']($_POST['realName']) <= 60) {
            $possible_strings[] = 'realName';
        }
    }

    // NOTE(review): this appends to $profile_strings, which nothing in this
    // function reads; the MSN value is therefore never passed to
    // registerMember(). Probably meant $possible_strings.
    if (isset($_POST['MSN']) && preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $_POST['MSN']) != 0) {
        $profile_strings[] = 'MSN';
    }

    // Handle a string as a birthdate...
    // Free-form input goes through strtotime(); an unparsable string makes it
    // return false, which strftime() then formats as the epoch date.
    if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') {
        $_POST['birthdate'] = strftime('%Y-%m-%d', strtotime($_POST['birthdate']));
    } elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) {
        $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']);
    }

    // Validate the passed language file.
    // Only a language that exists as index.<name>.php in one of the theme
    // language directories is accepted; anything else is dropped.
    if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) {
        $language_directories = array($settings['default_theme_dir'] . '/languages', $settings['actual_theme_dir'] . '/languages');
        if (!empty($settings['base_theme_dir'])) {
            $language_directories[] = $settings['base_theme_dir'] . '/languages';
        }
        $language_directories = array_unique($language_directories);
        foreach ($language_directories as $language_dir) {
            if (!file_exists($language_dir)) {
                continue;
            }
            $dir = dir($language_dir);
            while ($entry = $dir->read()) {
                if (preg_match('~^index\\.(.+)\\.php$~', $entry, $matches) && $matches[1] == $_POST['lngfile']) {
                    // Got it!
                    $found = true;
                    $_SESSION['language'] = $_POST['lngfile'];
                    break 2;
                }
            }
            $dir->close();
        }
        if (empty($found)) {
            unset($_POST['lngfile']);
        }
    } else {
        unset($_POST['lngfile']);
    }

    // Set the options needed for registration.
    // 'require' decides what happens after creation: COPPA consent, e-mail
    // activation, admin approval or nothing.
    $regOptions = array('interface' => 'guest', 'username' => $_POST['user'], 'email' => $_POST['email'], 'password' => $_POST['passwrd1'], 'password_check' => $_POST['passwrd2'], 'check_reserved_name' => true, 'check_password_strength' => true, 'check_email_ban' => true, 'send_welcome_email' => !empty($modSettings['send_welcomeEmail']), 'require' => !empty($modSettings['coppaAge']) && !isset($_POST['skip_coppa']) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')), 'extra_register_vars' => array(), 'theme_vars' => array());

    // Include the additional options that might have been filled in.
    // NOTE(review): string values are wrapped in SQL quotes here but not
    // escaped in this function — confirm the input layer / registerMember()
    // escapes them before they reach a query.
    foreach ($possible_strings as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = '\'' . $func['htmlspecialchars']($_POST[$var]) . '\'';
        }
    }
    foreach ($possible_ints as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (int) $_POST[$var];
        }
    }
    foreach ($possible_floats as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (double) $_POST[$var];
        }
    }
    foreach ($possible_bools as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1;
        }
    }

    // Registration options are always default options...
    if (isset($_POST['default_options'])) {
        $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options'];
    }
    $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? htmlspecialchars__recursive($_POST['options']) : array();

    $memberID = registerMember($regOptions);

    // If COPPA has been selected then things get complicated, setup the template.
    if (!empty($modSettings['coppaAge']) && !isset($_POST['skip_coppa'])) {
        redirectexit('action=coppa;member=' . $memberID);
    } elseif (!empty($modSettings['registration_method'])) {
        loadTemplate('Register');
        $context += array('page_title' => &$txt[97], 'sub_template' => 'after', 'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration']);
    } else {
        // Log them straight in. Cookie hash = sha1(sha1(lower(user) . password) . salt);
        // substr(1, -1) strips the quotes around the stored salt.
        // NOTE(review): $regOptions['register_vars'] is not set in this function —
        // presumably filled in by registerMember() by reference; verify.
        setLoginCookie(60 * $modSettings['cookieTime'], $memberID, sha1(sha1(strtolower($regOptions['username']) . $regOptions['password']) . substr($regOptions['register_vars']['passwordSalt'], 1, -1)));
        redirectexit('action=login2;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
    }
}
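/**
 * Logs the visitor in as the forum member linked to the Facebook id in
 * $fb_object->user_info_fbid, then redirects.
 *
 * The login cookie is built from the member's stored password hash and salt,
 * so a Facebook link alone grants a forum session. A helper cookie "pwdone"
 * records whether the member has set a local password ('fbpw'). If no member
 * is linked to the Facebook id the visitor is sent to the board index without
 * a cookie. Always ends the request with a redirect.
 */
public function fb_log()
{
    global $fb_hook_object, $fb_object, $modSettings, $sourcedir;

    $face_userid['id_member'] = $fb_hook_object->face_USettings($fb_object->user_info_fbid, 'id_member', 'fbid');

    // No member is linked to this Facebook id: refuse instead of issuing a
    // login cookie for an empty member id.
    if (empty($face_userid['id_member'])) {
        redirectexit();
    }

    $face_pass['passwd'] = $fb_hook_object->face_USettings($face_userid['id_member'], 'passwd', 'id_member');
    $face_passsalt['password_salt'] = $fb_hook_object->face_USettings($face_userid['id_member'], 'password_salt', 'id_member');

    // Overrides the board's cookie lifetime for the rest of this request;
    // 3153600 minutes is roughly six years.
    $modSettings['cookieTime'] = 3153600;

    require_once $sourcedir . '/Subs-Auth.php';
    include_once $sourcedir . '/LogInOut.php';

    setLoginCookie(60 * $modSettings['cookieTime'], $face_userid['id_member'], sha1($face_pass['passwd'] . $face_passsalt['password_salt']));

    // "pwdone" only carries a 0/1 hint, not a secret; it is set without
    // path/secure/httponly flags.
    $face_pwp['fbpw'] = $fb_hook_object->face_USettings($face_userid['id_member'], 'fbpw', 'id_member');
    setcookie("pwdone", empty($face_pwp['fbpw']) ? 0 : 1);

    // An admin-configured fb_log_url wins; otherwise go back to the page the
    // visitor was logging in from (consumed here), or the board's script URL.
    $fallback_url = $fb_hook_object->scripturl;
    if (!empty($_SESSION['login_url'])) {
        $fallback_url = $_SESSION['login_url'];
        unset($_SESSION['login_url']);
    }
    $fb_log_url = !empty($fb_hook_object->modSettings['fb_log_url']) ? $fb_hook_object->modSettings['fb_log_url'] : $fallback_url;

    header('Location: ' . $fb_log_url);
    // Nothing after the redirect should run.
    exit;
}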
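<?php
include_once "db.php";
include_once "dertyn.php";

// Login form handler. checkLogin() is assumed to return int 0 on success (the
// original compared it loosely to 0); we start from "not authenticated" and
// only a strict 0 counts, so a false/null/error return can never pass as a
// successful login.
$logincheck = -1;
$user = '';
$submitted = !empty($_POST['checksubmit']);

if ($submitted) {
    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    $logincheck = checkLogin($user, $pass);
    if ($logincheck === 0) {
        setLoginCookie($user);
        header("Location: {$siteurl}");
        // Do not render the page after a redirect.
        exit;
    }
}

include_once "header.php";
echo "<p>\n";
if (!$submitted) {
    showLoginform();
} elseif ($logincheck === 0) {
    // Only reachable if the redirect above did not terminate the request;
    // the user-supplied name is escaped before being echoed.
    $safe_user = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    echo "thanks for logging in {$safe_user}!<br /><b>return to <a href='{$siteurl}'>{$sitename}</a></b>.";
} else {
    $errmsg = $user;
    echo "login failed. try again.";
    logerr($errmsg, "login");
}
echo "</p>\n";
?> <?php include_once "footer.php";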
/**
 * Logs the current member out.
 *
 * Unless $internal is set the request must carry a valid session hash (GET),
 * so an <img> or script tag cannot log someone out. Clears the FTP session
 * data, notifies the integrate_logout hook, removes the log_online row,
 * expires the login cookie and redirects to $_SESSION['logout_url'] (consumed
 * here) or, when none is set, to the board index.
 *
 * NOTE(review): this only expires the cookie on the client; the stored
 * password/salt is not changed here, so a copied cookie is not invalidated.
 *
 * @param bool $internal skip the session check (automatic logouts)
 */
function Logout($internal = false)
{
    global $db_prefix, $sourcedir, $ID_MEMBER, $user_info, $user_settings, $context, $modSettings;

    if (empty($internal)) {
        checkSession('get');
    }

    require_once $sourcedir . '/Subs-Auth.php';

    if (isset($_SESSION['pack_ftp'])) {
        $_SESSION['pack_ftp'] = null;
    }

    $is_member = empty($user_info['is_guest']);
    if ($is_member) {
        $logout_hook = isset($modSettings['integrate_logout']) ? $modSettings['integrate_logout'] : null;
        if ($logout_hook !== null && function_exists($logout_hook)) {
            call_user_func($logout_hook, $user_settings['memberName']);
        }

        // Not online any more.
        db_query("\n\t\t\tDELETE FROM {$db_prefix}log_online\n\t\t\tWHERE ID_MEMBER = {$ID_MEMBER}\n\t\t\tLIMIT 1", __FILE__, __LINE__);
    }

    $_SESSION['log_time'] = 0;

    // Expire the login cookie (past time, member 0).
    setLoginCookie(-3600, 0);

    $destination = '';
    if (!empty($_SESSION['logout_url'])) {
        $destination = $_SESSION['logout_url'];
        unset($_SESSION['logout_url']);
    }
    redirectexit($destination, $context['server']['needs_login_fix']);
}
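/**
 * Logs the visitor in as the forum member linked to the Google+ id kept in
 * $_SESSION['gplus']['idm'], clears the Google+ session state and redirects.
 *
 * Fails with 'gp__app_error3' when there is no Google+ id in the session, or
 * when gplus_loadUser() returns no member for it — previously that second case
 * issued a login cookie for an empty member id.
 */
function gplus_connectlog()
{
    global $scripturl, $modSettings, $sourcedir;

    $_SESSION['gplus']['id'] = isset($_SESSION['gplus']['idm']) ? $_SESSION['gplus']['idm'] : '';
    if (empty($_SESSION['gplus']['id'])) {
        fatal_lang_error('gp__app_error3', false);
    }

    $member_load = gplus_loadUser($_SESSION['gplus']['id'], 'gpid');

    // Never issue a login cookie unless the lookup returned a real member.
    if (empty($member_load['id_member'])) {
        fatal_lang_error('gp__app_error3', false);
    }

    // Overrides the board's cookie lifetime for the rest of this request;
    // 3153600 minutes is roughly six years.
    $modSettings['cookieTime'] = 3153600;

    require_once $sourcedir . '/Subs-Auth.php';
    include_once $sourcedir . '/LogInOut.php';

    // Same cookie hash the normal login path uses: sha1(passwd . salt).
    setLoginCookie(60 * $modSettings['cookieTime'], $member_load['id_member'], sha1($member_load['passwd'] . $member_load['password_salt']));

    unset($_SESSION['gplus']['id']);
    unset($_SESSION['gplus']['name']);
    unset($_SESSION['gplusdata']);

    $gplus_log_url = !empty($modSettings['gp_app_custon_logurl']) ? $modSettings['gp_app_custon_logurl'] : $scripturl;
    redirectexit($gplus_log_url);
}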
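/**
 * Modify cookies settings.
 *
 * Displays the _cookieSettings form and, when ";save" is requested, validates
 * and stores it. Before saving: local and global cookies are made mutually
 * exclusive, and a global cookie domain is only accepted when it is the
 * board's host or a parent domain of it. If the cookie name changed, the old
 * login cookie is expired and a fresh one issued under the new name so the
 * admin stays logged in, then the page is reloaded with the old session id.
 */
public function action_cookieSettings_display()
{
    global $context, $scripturl, $txt, $modSettings, $cookiename, $user_settings, $boardurl;

    // Initialize the form
    $this->_initCookieSettingsForm();

    $context['post_url'] = $scripturl . '?action=admin;area=serversettings;sa=cookie;save';
    $context['settings_title'] = $txt['cookies_sessions_settings'];

    // Saving settings?
    if (isset($_REQUEST['save'])) {
        call_integration_hook('integrate_save_cookie_settings');

        // Its either local or global cookies
        if (!empty($_POST['localCookies']) && empty($_POST['globalCookies'])) {
            unset($_POST['globalCookies']);
        }

        // A global cookie domain must be the board host itself or a parent of
        // it (e.g. "example.com" or ".example.com" for forum.example.com).
        // A plain substring test against $boardurl would accept any fragment
        // of the URL, path included, and ship a domain browsers never send
        // the cookie for.
        if (!empty($_POST['globalCookiesDomain'])) {
            $board_host = strtolower((string) parse_url($boardurl, PHP_URL_HOST));
            $cookie_domain = strtolower(ltrim((string) $_POST['globalCookiesDomain'], '.'));
            $dot_domain = '.' . $cookie_domain;
            $is_parent_domain = $board_host !== '' && $cookie_domain !== '' && ($board_host === $cookie_domain || substr($board_host, -strlen($dot_domain)) === $dot_domain);
            if (!$is_parent_domain) {
                fatal_lang_error('invalid_cookie_domain', false);
            }
        }

        $this->_cookieSettingsForm->save();

        // If the cookie name was changed, reset the cookie.
        if (isset($_POST['cookiename']) && $cookiename != $_POST['cookiename']) {
            require_once SUBSDIR . '/Auth.subs.php';

            $original_session_id = $context['session_id'];

            // Remove the old cookie, nom nom nom
            setLoginCookie(-3600, 0);

            // Set the new one (setLoginCookie() reads the global $cookiename).
            $cookiename = $_POST['cookiename'];
            setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['id_member'], hash('sha256', $user_settings['passwd'] . $user_settings['password_salt']));

            redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $original_session_id, $context['server']['needs_login_fix']);
        }

        redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $context['session_id'] . ';msg=' . (!empty($context['settings_message']) ? $context['settings_message'] : 'core_settings_saved'));
    }

    addInlineJavascript('
        // Initial state
        hideGlobalCookies();

        // Update when clicked
        $("#localCookies, #globalCookies").click(function() {
            hideGlobalCookies();
        });', true);

    // Fill the config array.
    $this->_cookieSettingsForm->prepare_file();
}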
/**
 * Logs the current member out (API variant: no session check, no redirect).
 *
 * Clears the FTP session data, notifies the integrate_logout hook, removes
 * the member's log_online row, resets the session log time and expires the
 * login cookie. Guests only get the session/cookie reset.
 *
 * NOTE(review): nothing here validates the caller's session hash, unlike the
 * web Logout action; the transport is expected to have done that.
 */
function method_logout_user()
{
    global $context, $mobdb, $mobsettings, $modSettings, $user_info, $sourcedir, $ID_MEMBER, $user_settings;

    require_once $sourcedir . '/Subs-Auth.php';

    if (isset($_SESSION['pack_ftp'])) {
        $_SESSION['pack_ftp'] = null;
    }

    $is_member = empty($user_info['is_guest']);
    if ($is_member) {
        $logout_hook = isset($modSettings['integrate_logout']) ? $modSettings['integrate_logout'] : null;
        if ($logout_hook !== null && function_exists($logout_hook)) {
            call_user_func($logout_hook, $user_settings['memberName']);
        }

        // Not online any more.
        $mobdb->query("\n DELETE FROM {db_prefix}log_online\n WHERE ID_MEMBER = {int:current_member}\n LIMIT 1", array('current_member' => $ID_MEMBER));
    }

    $_SESSION['log_time'] = 0;

    // Expire the login cookie (past time, member 0).
    setLoginCookie(-3600, 0);
}
/**
 * Saves a profile sub-action submitted from the profile form.
 *
 * Resolves the sub-action from $_REQUEST['sa'] against $sa_allowed (which
 * also carries the permissions, the session check type and whether the
 * current password is required), loads the target member, enforces
 * owner/other permissions, verifies the old password where required, then
 * dispatches to deleteAccount2() or saveProfileChanges() and persists the
 * resulting $profile_vars. A changed e-mail ($newpassemail) logs the member
 * out and shows the re-activation screen; a changed password re-issues the
 * login cookie.
 *
 * Reads $_REQUEST, $_POST, $_FILES and $_SESSION; errors are handed back to
 * ModifyProfile() for display.
 */
function ModifyProfile2()
{
    global $txt, $modSettings;
    global $cookiename, $context;
    global $sourcedir, $scripturl, $db_prefix;
    global $ID_MEMBER, $user_info;
    global $context, $newpassemail, $user_profile, $validationCode;

    loadLanguage('Profile');

    /* Set allowed sub-actions. The format of $sa_allowed is as follows:
       $sa_allowed = array(
           'sub-action' => array(permission_array_for_editing_OWN_profile,
                                 permission_array_for_editing_ANY_profile,
                                 session_validation_method[, require_password]),
           ...
       );
       'account' and 'deleteAccount' additionally require the owner's current
       password; 'activateAccount' is reachable via GET and only by moderators. */
    $sa_allowed = array(
        'account' => array(array('manage_membergroups', 'profile_identity_any', 'profile_identity_own'), array('manage_membergroups', 'profile_identity_any'), 'post', true),
        'forumProfile' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'),
        'theme' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'),
        'notification' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'),
        'pmprefs' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'),
        'deleteAccount' => array(array('profile_remove_any', 'profile_remove_own'), array('profile_remove_any'), 'post', true),
        'activateAccount' => array(array(), array('moderate_forum'), 'get'),
    );

    // Is the current sub-action allowed?
    if (empty($_REQUEST['sa']) || !isset($sa_allowed[$_REQUEST['sa']])) {
        fatal_lang_error(453, false);
    }

    // CSRF guard: the session hash must be present via post or get, as the
    // sub-action demands.
    checkSession($sa_allowed[$_REQUEST['sa']][2]);

    // Start with no updates and no errors.
    $profile_vars = array();
    $post_errors = array();

    // Normally, don't send an email.
    $newpassemail = false;

    // Clean up the POST variables.
    // Order matters: trim, undo magic quotes, HTML-escape, then re-add slashes
    // for the query layer. The password is undone again further down.
    $_POST = htmltrim__recursive($_POST);
    $_POST = stripslashes__recursive($_POST);
    $_POST = htmlspecialchars__recursive($_POST);
    $_POST = addslashes__recursive($_POST);

    // Search for the member being edited and put the information in $user_profile.
    $memberResult = loadMemberData((int) $_REQUEST['userID'], false, 'profile');
    if (!is_array($memberResult)) {
        fatal_lang_error(453, false);
    }
    list($memID) = $memberResult;

    // Are you modifying your own, or someone else's?
    // Editing someone else additionally requires a validated (password
    // re-entered) admin/moderator session.
    if ($ID_MEMBER == $memID) {
        $context['user']['is_owner'] = true;
    } else {
        $context['user']['is_owner'] = false;
        validateSession();
    }

    // Check profile editing permissions.
    isAllowedTo($sa_allowed[$_REQUEST['sa']][$context['user']['is_owner'] ? 0 : 1]);

    // If this is yours, check the password.
    if ($context['user']['is_owner'] && !empty($sa_allowed[$_REQUEST['sa']][3])) {
        // You didn't even enter a password!
        if (trim($_POST['oldpasswrd']) == '') {
            $post_errors[] = 'no_password';
        }

        // Since the password got modified due to all the $_POST cleaning, lets undo it so we can get the correct password
        $_POST['oldpasswrd'] = addslashes(un_htmlspecialchars(stripslashes($_POST['oldpasswrd'])));

        // Does the integration want to check passwords?
        $good_password = false;
        if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password'])) {
            if (call_user_func($modSettings['integrate_verify_password'], $user_profile[$memID]['memberName'], $_POST['oldpasswrd'], false) === true) {
                $good_password = true;
            }
        }

        // Bad password!!!
        // NOTE(review): legacy unsalted sha1(lower(name) . password) scheme,
        // compared with != (not constant-time).
        if (!$good_password && $user_info['passwd'] != sha1(strtolower($user_profile[$memID]['memberName']) . $_POST['oldpasswrd'])) {
            $post_errors[] = 'bad_password';
        }
    }

    // No need for the sub action array.
    unset($sa_allowed);

    // If the user is an admin - see if they are resetting someones username.
    if ($user_info['is_admin'] && isset($_POST['memberName'])) {
        // We'll need this...
        require_once $sourcedir . '/Subs-Auth.php';

        // Do the reset... this will send them an email too.
        resetPassword($memID, $_POST['memberName']);
    }

    // Change the IP address in the database.
    if ($context['user']['is_owner']) {
        $profile_vars['memberIP'] = "'{$user_info['ip']}'";
    }

    // Now call the sub-action function...
    // NOTE(review): the permission check above keyed on $_REQUEST['sa'] while
    // dispatch keys on $_POST['sa']; they agree as long as POST overrides GET
    // in $_REQUEST (PHP's default request_order) — confirm for this deployment.
    if (isset($_POST['sa']) && $_POST['sa'] == 'deleteAccount') {
        deleteAccount2($profile_vars, $post_errors, $memID);
        if (empty($post_errors)) {
            redirectexit();
        }
    } else {
        saveProfileChanges($profile_vars, $post_errors, $memID);
    }

    // There was a problem, let them try to re-enter.
    if (!empty($post_errors)) {
        // Load the language file so we can give a nice explanation of the errors.
        loadLanguage('Errors');
        $context['post_errors'] = $post_errors;
        $_REQUEST['sa'] = $_POST['sa'];
        $_REQUEST['u'] = $memID;
        return ModifyProfile($post_errors);
    }

    if (!empty($profile_vars)) {
        // If we've changed the password, notify any integration that may be listening in.
        if (isset($profile_vars['passwd']) && isset($modSettings['integrate_reset_pass']) && function_exists($modSettings['integrate_reset_pass'])) {
            call_user_func($modSettings['integrate_reset_pass'], $user_profile[$memID]['memberName'], $user_profile[$memID]['memberName'], $_POST['passwrd1']);
        }
        updateMemberData($memID, $profile_vars);
    }

    // What if this is the newest member?
    if ($modSettings['latestMember'] == $memID) {
        updateStats('member');
    } elseif (isset($profile_vars['realName'])) {
        updateSettings(array('memberlist_updated' => time()));
    }

    // If the member changed his/her birthdate, update calendar statistics.
    if (isset($profile_vars['birthdate']) || isset($profile_vars['realName'])) {
        updateStats('calendar');
    }

    // Send an email?
    // $newpassemail / $validationCode are set (as globals) by the sub-action
    // when the e-mail address changed; the member must re-activate.
    if ($newpassemail) {
        require_once $sourcedir . '/Subs-Post.php';

        // Send off the email.
        // NOTE(review): the recipient is taken from $_POST['emailAddress'];
        // this relies on saveProfileChanges() having validated it.
        sendmail($_POST['emailAddress'], $txt['activate_reactivate_title'] . ' ' . $context['forum_name'], "{$txt['activate_reactivate_mail']}\n\n" . "{$scripturl}?action=activate;u={$memID};code={$validationCode}\n\n" . "{$txt['activate_code']}: {$validationCode}\n\n" . $txt[130]);

        // Log the user out.
        // Clears the online row, the session login record and the cookie
        // value, then reloads settings so the rest of the request runs as guest.
        db_query("\n\t\t\tDELETE FROM {$db_prefix}log_online\n\t\t\tWHERE ID_MEMBER = {$memID}", __FILE__, __LINE__);
        $_SESSION['log_time'] = 0;
        $_SESSION['login_' . $cookiename] = serialize(array(0, '', 0));
        if (isset($_COOKIE[$cookiename])) {
            $_COOKIE[$cookiename] = '';
        }
        loadUserSettings();
        $context['user']['is_logged'] = false;
        $context['user']['is_guest'] = true;

        // Send them to the done-with-registration-login screen.
        loadTemplate('Register');
        $context += array('page_title' => &$txt[79], 'sub_template' => 'after', 'description' => &$txt['activate_changed_email']);
        return;
    } elseif ($context['user']['is_owner']) {
        // Log them back in.
        // A changed password means a new cookie hash:
        // sha1(sha1(lower(name) . newpassword) . salt). The raw password is
        // recovered from the escaped/slashed POST value first.
        if (isset($_POST['passwrd1']) && $_POST['passwrd1'] != '') {
            require_once $sourcedir . '/Subs-Auth.php';
            setLoginCookie(60 * $modSettings['cookieTime'], $memID, sha1(sha1(strtolower($user_profile[$memID]['memberName']) . un_htmlspecialchars(stripslashes($_POST['passwrd1']))) . $user_profile[$memID]['passwordSalt']));
        }
        loadUserSettings();
        writeLog();
    }

    // Back to same subaction page..
    redirectexit('action=profile;u=' . $memID . ';sa=' . $_REQUEST['sa'], isset($_POST['passwrd1']) && $context['server']['needs_login_fix'] || $context['browser']['is_ie'] && isset($_FILES['attachment']));
}
/**
 * Logs the current user out of their account.
 *
 * What it does:
 * - Requires the session hash (unless $internal) so images or javascript
 *   cannot trigger a logout; accessed via ?action=logout;session_var=...
 * - Drops the FTP, OpenID and first-login session state and the
 *   admin/moderate (and hook-supplied) elevated-session timers.
 * - Expires the login cookie, destroys the PHP session and re-salts the
 *   member's password so cookies issued before this logout no longer validate.
 * - Redirects to $_SESSION['logout_url'] when it is an http(s) URL, otherwise
 *   to the board index; the stored URL is consumed either way.
 *
 * NOTE(review): the new salt is 4 hex chars of md5(mt_rand()); mt_rand() is
 * not a CSPRNG. It serves to invalidate old cookies, not as a secret.
 *
 * @param boolean $internal if true, it doesn't check the session
 * @param boolean $redirect if false, return to the caller instead of redirecting
 */
public function action_logout($internal = false, $redirect = true)
{
    global $user_info, $user_settings, $context;

    // Make sure they aren't being auto-logged out.
    if (empty($internal)) {
        checkSession('get');
    }

    require_once SUBSDIR . '/Auth.subs.php';

    if (isset($_SESSION['pack_ftp'])) {
        $_SESSION['pack_ftp'] = null;
    }

    // No longer OpenID verified, no longer a first login.
    if (isset($_SESSION['openid'])) {
        unset($_SESSION['openid']);
    }
    unset($_SESSION['first_login']);

    $is_member = empty($user_info['is_guest']);
    if ($is_member) {
        // Pass the logout information to integrations.
        call_integration_hook('integrate_logout', array($user_settings['member_name']));

        // Not online any more.
        logOnline($user_info['id'], false);
    }

    // Kill the elevated sessions (admin/moderate/whatever hooks add) as well.
    $session_types = array('admin', 'moderate');
    call_integration_hook('integrate_validateSession', array(&$session_types));
    foreach ($session_types as $session_type) {
        unset($_SESSION[$session_type . '_time']);
    }
    $_SESSION['log_time'] = 0;

    // Expire the login cookie (past time, member 0).
    setLoginCookie(-3600, 0);

    // And some other housekeeping while we're at it.
    session_destroy();
    if (!empty($user_info['id'])) {
        updateMemberData($user_info['id'], array('password_salt' => substr(md5(mt_rand()), 0, 4)));
    }

    if (!$redirect) {
        return;
    }

    // Off to the merry board index we go!
    $logout_url = isset($_SESSION['logout_url']) ? $_SESSION['logout_url'] : '';
    if (empty($logout_url)) {
        redirectexit('', $context['server']['needs_login_fix']);
    } elseif (substr($logout_url, 0, 7) !== 'http://' && substr($logout_url, 0, 8) !== 'https://') {
        // Only absolute http(s) targets are honoured.
        unset($_SESSION['logout_url']);
        redirectexit();
    } else {
        unset($_SESSION['logout_url']);
        redirectexit($logout_url, $context['server']['needs_login_fix']);
    }
}
function Register2($verifiedOpenID = false) { global $scripturl, $txt, $modSettings, $context, $sourcedir; global $user_info, $options, $settings, $smcFunc; // Start collecting together any errors. $reg_errors = array(); // Did we save some open ID fields? if ($verifiedOpenID && !empty($context['openid_save_fields'])) { foreach ($context['openid_save_fields'] as $id => $value) { $_POST[$id] = $value; } } // You can't register if it's disabled. if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) { fatal_lang_error('registration_disabled', false); } // Things we don't do for people who have already confirmed their OpenID allegances via register. if (!$verifiedOpenID) { // Well, if you don't agree, you can't register. if (!empty($modSettings['requireAgreement']) && empty($_SESSION['registration_agreed'])) { redirectexit(); } // Make sure they came from *somewhere*, have a session. if (!isset($_SESSION['old_url'])) { redirectexit('action=register'); } // Are they under age, and under age users are banned? if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && empty($_SESSION['skip_coppa'])) { // !!! This should be put in Errors, imho. loadLanguage('Login'); fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge'])); } // Check whether the visual verification code was entered correctly. if (!empty($modSettings['reg_verification'])) { require_once $sourcedir . '/Subs-Editor.php'; $verificationOptions = array('id' => 'register'); $context['visual_verification'] = create_control_verification($verificationOptions, true); if (is_array($context['visual_verification'])) { loadLanguage('Errors'); foreach ($context['visual_verification'] as $error) { $reg_errors[] = $txt['error_' . 
$error]; } } } } foreach ($_POST as $key => $value) { if (!is_array($_POST[$key])) { $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key])); } } // Collect all extra registration fields someone might have filled in. $possible_strings = array('website_url', 'website_title', 'aim', 'yim', 'skype', 'gtalk', 'location', 'birthdate', 'time_format', 'buddy_list', 'pm_ignore_list', 'smiley_set', 'signature', 'personal_text', 'avatar', 'lngfile', 'secret_question', 'secret_answer'); $possible_ints = array('pm_email_notify', 'notify_types', 'icq', 'gender', 'id_theme'); $possible_floats = array('time_offset'); $possible_bools = array('notify_announcements', 'notify_regularity', 'notify_send_body', 'hide_email', 'show_online'); if (isset($_POST['secret_answer']) && $_POST['secret_answer'] != '') { $_POST['secret_answer'] = md5($_POST['secret_answer']); } // Needed for isReservedName() and registerMember(). require_once $sourcedir . '/Subs-Members.php'; // Validation... even if we're not a mall. if (isset($_POST['real_name']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) { $_POST['real_name'] = trim(preg_replace('~[\\t\\n\\r \\x0B\\0' . ($context['utf8'] ? $context['server']['complex_preg_chars'] ? '\\x{A0}\\x{AD}\\x{2000}-\\x{200F}\\x{201F}\\x{202F}\\x{3000}\\x{FEFF}' : " -‟ ‟ " : '\\x00-\\x08\\x0B\\x0C\\x0E-\\x19\\xA0') . ']+~' . ($context['utf8'] ? 'u' : ''), ' ', $_POST['real_name'])); if (trim($_POST['real_name']) != '' && !isReservedName($_POST['real_name']) && $smcFunc['strlen']($_POST['real_name']) < 60) { $possible_strings[] = 'real_name'; } } if (isset($_POST['msn']) && preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $_POST['msn']) != 0) { $profile_strings[] = 'msn'; } // Handle a string as a birthdate... 
if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') { $_POST['birthdate'] = strftime('%Y-%m-%d', strtotime($_POST['birthdate'])); } elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) { $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']); } // By default assume email is hidden, only show it if we tell it to. $_POST['hide_email'] = !empty($_POST['allow_email']) ? 0 : 1; // Validate the passed language file. if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) { // Do we have any languages? if (empty($context['languages'])) { getLanguages(); } // Did we find it? if (isset($context['languages'][$_POST['lngfile']])) { $_SESSION['language'] = $_POST['lngfile']; } else { unset($_POST['lngfile']); } } else { unset($_POST['lngfile']); } // Some of these fields we may not want. if (!empty($modSettings['registration_fields'])) { // But we might want some of them if the admin asks for them. $standard_fields = array('icq', 'msn', 'aim', 'yim', 'location', 'gender'); $reg_fields = explode(',', $modSettings['registration_fields']); $exclude_fields = array_diff($standard_fields, $reg_fields); // Website is a little different if (!in_array('website', $reg_fields)) { $exclude_fields = array_merge($exclude_fields, array('website_url', 'website_title')); } // We used to accept signature on registration but it's being abused by spammers these days, so no more. $exclude_fields[] = 'signature'; } else { $exclude_fields = array('signature', 'icq', 'msn', 'aim', 'yim', 'location', 'gender', 'website_url', 'website_title'); } $possible_strings = array_diff($possible_strings, $exclude_fields); $possible_ints = array_diff($possible_ints, $exclude_fields); $possible_floats = array_diff($possible_floats, $exclude_fields); $possible_bools = array_diff($possible_bools, $exclude_fields); // Set the options needed for registration. 
$regOptions = array('interface' => 'guest', 'username' => !empty($_POST['user']) ? $_POST['user'] : '', 'email' => !empty($_POST['email']) ? $_POST['email'] : '', 'password' => !empty($_POST['passwrd1']) ? $_POST['passwrd1'] : '', 'password_check' => !empty($_POST['passwrd2']) ? $_POST['passwrd2'] : '', 'openid' => !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '', 'auth_method' => !empty($_POST['authenticate']) ? $_POST['authenticate'] : '', 'check_reserved_name' => true, 'check_password_strength' => true, 'check_email_ban' => true, 'send_welcome_email' => !empty($modSettings['send_welcomeEmail']), 'require' => !empty($modSettings['coppaAge']) && !$verifiedOpenID && empty($_SESSION['skip_coppa']) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')), 'extra_register_vars' => array(), 'theme_vars' => array()); // Include the additional options that might have been filled in. foreach ($possible_strings as $var) { if (isset($_POST[$var])) { $regOptions['extra_register_vars'][$var] = $smcFunc['htmlspecialchars']($_POST[$var], ENT_QUOTES); } } foreach ($possible_ints as $var) { if (isset($_POST[$var])) { $regOptions['extra_register_vars'][$var] = (int) $_POST[$var]; } } foreach ($possible_floats as $var) { if (isset($_POST[$var])) { $regOptions['extra_register_vars'][$var] = (double) $_POST[$var]; } } foreach ($possible_bools as $var) { if (isset($_POST[$var])) { $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1; } } // Registration options are always default options... if (isset($_POST['default_options'])) { $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options']; } $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? $_POST['options'] : array(); // Make sure they are clean, dammit! 
$regOptions['theme_vars'] = htmlspecialchars__recursive($regOptions['theme_vars']); // If Quick Reply hasn't been set then set it to be shown but collapsed. if (!isset($regOptions['theme_vars']['display_quick_reply'])) { $regOptions['theme_vars']['display_quick_reply'] = 1; } // Check whether we have fields that simply MUST be displayed? $request = $smcFunc['db_query']('', ' SELECT col_name, field_name, field_type, field_length, mask, show_reg FROM {db_prefix}custom_fields WHERE active = {int:is_active}', array('is_active' => 1)); $custom_field_errors = array(); while ($row = $smcFunc['db_fetch_assoc']($request)) { // Don't allow overriding of the theme variables. if (isset($regOptions['theme_vars'][$row['col_name']])) { unset($regOptions['theme_vars'][$row['col_name']]); } // Not actually showing it then? if (!$row['show_reg']) { continue; } // Prepare the value! $value = isset($_POST['customfield'][$row['col_name']]) ? trim($_POST['customfield'][$row['col_name']]) : ''; // We only care for text fields as the others are valid to be empty. if (!in_array($row['field_type'], array('check', 'select', 'radio'))) { // Is it too long? if ($row['field_length'] && $row['field_length'] < $smcFunc['strlen']($value)) { $custom_field_errors[] = array('custom_field_too_long', array($row['field_name'], $row['field_length'])); } // Any masks to apply? if ($row['field_type'] == 'text' && !empty($row['mask']) && $row['mask'] != 'none') { //!!! We never error on this - just ignore it at the moment... 
if ($row['mask'] == 'email' && (preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $value) === 0 || strlen($value) > 255)) { $custom_field_errors[] = array('custom_field_invalid_email', array($row['field_name'])); } elseif ($row['mask'] == 'number' && preg_match('~[^\\d]~', $value)) { $custom_field_errors[] = array('custom_field_not_number', array($row['field_name'])); } elseif (substr($row['mask'], 0, 5) == 'regex' && trim($value) != '' && preg_match(substr($row['mask'], 5), $value) === 0) { $custom_field_errors[] = array('custom_field_inproper_format', array($row['field_name'])); } } } // xxx if we are editing our minecraft name, make sure there are no duplicates if (($row['col_name'] == "cust_minecra" || $row['col_name'] == "cust_rscnam") && $value != '') { $already_taken_memID = -1; $already_taken_memName = 'This user'; // first check the custom names $mc_request = $smcFunc['db_query']('', ' SELECT `id_member` FROM `{db_prefix}themes` WHERE `variable` = {string:col_name} AND `value` = {string:value}', array('col_name' => $row['col_name'], 'value' => strtolower($value))); if ($mc_row = $smcFunc['db_fetch_assoc']($mc_request)) { $already_taken_memID = $mc_row['id_member']; } $smcFunc['db_free_result']($mc_request); // if custom name is not taken, compare it to account names, or just grab name $mc_request = $smcFunc['db_query']('', ' SELECT `id_member`, `real_name` FROM `{db_prefix}members` WHERE id_member = {int:already_taken_memID} OR ( ( `real_name` = {string:value} OR `member_name` = {string:value} ) )', array('already_taken_memID' => $already_taken_memID, 'value' => strtolower($value))); if ($mc_row = $smcFunc['db_fetch_assoc']($mc_request)) { $already_taken_memID = $mc_row['id_member']; $already_taken_memName = $mc_row['real_name']; } $smcFunc['db_free_result']($mc_request); if ($already_taken_memID != -1) { // then someone already is using this name global $boardurl; $what_name = $row['col_name'] == 
"cust_minecra" ? 'Minecraft' : 'RSC'; die('<html>Error: <a href="' . $boardurl . '/index.php?action=profile;u=' . $already_taken_memID . "\">{$already_taken_memName}</a> has already registered this {$what_name} name!</html>"); } } if ($row['col_name'] == "cust_moparcr" && $value != '' && strlen($value) != 40) { if (strlen($value) > 30) { die("<html>Error: Maximum length for MoparCraft server password is 30 characters.</html>"); } if ($value == $regOptions['password']) { die("<html>Error: You can't set your MoparCraft server password to be the same as your forum password, if you want to use your forum password, leave this blank.</html>"); } $value = sha1(strtolower($regOptions['username']) . htmlspecialchars_decode($value)); $_POST['customfield'][$row['col_name']] = $value; } // xxx end if we are editing our minecraft name, make sure there are no duplicates // Is this required but not there? if (trim($value) == '' && $row['show_reg'] > 1) { $custom_field_errors[] = array('custom_field_empty', array($row['field_name'])); } } $smcFunc['db_free_result']($request); // Process any errors. if (!empty($custom_field_errors)) { loadLanguage('Errors'); foreach ($custom_field_errors as $error) { $reg_errors[] = vsprintf($txt['error_' . $error[0]], $error[1]); } } // Lets check for other errors before trying to register the member. if (!empty($reg_errors)) { $_REQUEST['step'] = 2; return Register($reg_errors); } // If they're wanting to use OpenID we need to validate them first. if (empty($_SESSION['openid']['verified']) && !empty($_POST['authenticate']) && $_POST['authenticate'] == 'openid') { // What do we need to save? $save_variables = array(); foreach ($_POST as $k => $v) { if (!in_array($k, array('sc', 'sesc', $context['session_var'], 'passwrd1', 'passwrd2', 'regSubmit'))) { $save_variables[$k] = $v; } } require_once $sourcedir . 
'/Subs-OpenID.php'; smf_openID_validate($_POST['openid_identifier'], false, $save_variables); } elseif ($verifiedOpenID || !empty($_POST['openid_identifier']) && $_POST['authenticate'] == 'openid') { $regOptions['username'] = !empty($_POST['user']) && trim($_POST['user']) != '' ? $_POST['user'] : $_SESSION['openid']['nickname']; $regOptions['email'] = !empty($_POST['email']) && trim($_POST['email']) != '' ? $_POST['email'] : $_SESSION['openid']['email']; $regOptions['auth_method'] = 'openid'; $regOptions['openid'] = !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : $_SESSION['openid']['openid_uri']; } $memberID = registerMember($regOptions, true); // What there actually an error of some kind dear boy? if (is_array($memberID)) { $reg_errors = array_merge($reg_errors, $memberID); $_REQUEST['step'] = 2; return Register($reg_errors); } // Do our spam protection now. spamProtection('register'); // We'll do custom fields after as then we get to use the helper function! if (!empty($_POST['customfield'])) { require_once $sourcedir . '/Profile.php'; require_once $sourcedir . '/Profile-Modify.php'; makeCustomFieldChanges($memberID, 'register'); } // If COPPA has been selected then things get complicated, setup the template. if (!empty($modSettings['coppaAge']) && empty($_SESSION['skip_coppa'])) { redirectexit('action=coppa;member=' . $memberID); } elseif (!empty($modSettings['registration_method'])) { loadTemplate('Register'); $context += array('page_title' => $txt['register'], 'title' => $txt['registration_successful'], 'sub_template' => 'after', 'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration']); } else { call_integration_hook('integrate_activate', array($row['member_name'])); setLoginCookie(60 * $modSettings['cookieTime'], $memberID, sha1(sha1(strtolower($regOptions['username']) . $regOptions['password']) . 
$regOptions['register_vars']['password_salt'])); redirectexit('action=login2;sa=check;member=' . $memberID, $context['server']['needs_login_fix']); } }
/**
 * Installer step 2: verify the database password, create the first
 * (admin-group) member, log them in and print the "congratulations" panel.
 *
 * Reads the DB credentials from Settings.php next to this file and the form
 * fields password3 (DB password), username, password1/password2 and email
 * from $_POST. Every validation failure prints an error box and returns
 * doStep2a() to redisplay the form. Returns true on success, false when the
 * member INSERT fails.
 *
 * NOTE(review): legacy installer code - mysql_* extension, create_function(),
 * $HTTP_SESSION_VARS - none of it runs on PHP 7+/8 as written.
 */
function doStep2()
{
    global $txt, $db_prefix, $db_connection, $HTTP_SESSION_VARS, $cookiename;
    global $func, $db_character_set, $mbname, $context, $scripturl, $boardurl;
    global $current_smf_version;

    // Load the SQL server login information.
    // Settings.php supplies $db_server, $db_user, $db_name and $sourcedir,
    // which are used below without being declared global.
    require_once dirname(__FILE__) . '/Settings.php';

    // No DB password submitted yet: show the step-2 form.
    if (!isset($_POST['password3'])) {
        return doStep2a();
    }

    // The DB password is taken from the form, not from Settings.php; the @
    // hides the connect warning and the generic error box is shown instead.
    $db_connection = @mysql_connect($db_server, $db_user, $_POST['password3']);
    if (!$db_connection) {
        echo ' <div class="error_message"> <div style="color: red;">', $txt['error_mysql_connect'], '</div> </div>';
        return doStep2a();
    }
    if (!mysql_select_db($db_name, $db_connection)) {
        echo ' <div class="error_message"> <div style="color: red;">', sprintf($txt['error_mysql_database'], $db_name), '</div> </div> <br />';
        return doStep2a();
    }

    // Let them try again...
    if ($_POST['password1'] != $_POST['password2']) {
        echo ' <div class="error_message"> <div style="color: red;">', $txt['error_user_settings_again_match'], '</div> </div> <br />';
        return doStep2a();
    }
    if (!file_exists($sourcedir . '/Subs.php')) {
        echo ' <div class="error_message"> <div style="color: red;">', $txt['error_subs_missing'], '</div> </div> <br />';
        return doStep2a();
    }

    // The webmaster address is persisted to Settings.php here, before the
    // e-mail format check further down has run.
    updateSettingsFile(array('webmaster_email' => $_POST['email']));
    chdir(dirname(__FILE__));
    define('SMF', 1);
    require_once $sourcedir . '/Subs.php';
    require_once $sourcedir . '/Load.php';
    require_once $sourcedir . '/Security.php';
    require_once $sourcedir . '/Subs-Auth.php';

    // Define the sha1 function, if it doesn't exist.
    if (!function_exists('sha1')) {
        require_once $sourcedir . '/Subs-Compat.php';
    }
    if (isset($db_character_set)) {
        mysql_query("\n\t\t\tSET NAMES {$db_character_set}");
    }

    // NOTE(review): $_POST['username'] and $_POST['email'] are interpolated
    // into this query and the INSERT below without escaping. The
    // stripslashes() calls on $_POST['email'] suggest the code expects
    // magic_quotes_gpc to have escaped them, which cannot be relied on -
    // confirm how the input is escaped before this point.
    $result = mysql_query("\n\t\tSELECT ID_MEMBER, passwordSalt\n\t\tFROM {$db_prefix}members\n\t\tWHERE memberName = '{$_POST['username']}' OR emailAddress = '{$_POST['email']}'\n\t\tLIMIT 1");
    if (mysql_num_rows($result) != 0) {
        // Name or e-mail already registered: report it, but $id/$salt stay
        // set, so the auto-login below is still attempted for that member.
        list($id, $salt) = mysql_fetch_row($result);
        mysql_free_result($result);
        echo ' <div class="error_message"> <div style="color: red;">', $txt['error_user_settings_taken'], '</div> </div> <br />';
    } elseif (preg_match('~[<>&"\'=\\\\]~', $_POST['username']) != 0 || strlen($_POST['username']) > 25 || $_POST['username'] == '_' || $_POST['username'] == '|' || strpos($_POST['username'], '[code') !== false || strpos($_POST['username'], '[/code') !== false) {
        // Reject names containing markup/quote characters, longer than 25
        // characters, or one of the reserved forms.
        // Initialize some variables needed for the language file.
        // ($modSettings is not declared global here, so this is a local array.)
        $context = array('forum_name' => $mbname);
        $modSettings = array('lastActive' => '15', 'hotTopicPosts' => '15', 'hotTopicVeryPosts' => '25', 'smfVersion' => $current_smf_version);
        $scripturl = $boardurl . '/index.php';
        require_once dirname(__FILE__) . '/Themes/default/languages/' . strtr($_SESSION['installer_temp_lang'], array('Install' => 'index'));
        echo ' <div class="error_message"> <div style="color: red;">', $txt[240], '</div> </div> <br />';
        // Try the previous step again.
        return doStep2a();
    } elseif (empty($_POST['email']) || preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', stripslashes($_POST['email'])) === 0 || strlen(stripslashes($_POST['email'])) > 255) {
        // Artificially fill some of the globals needed for the language files.
        $context = array('forum_name' => $mbname);
        $modSettings = array('lastActive' => '15', 'hotTopicPosts' => '15', 'hotTopicVeryPosts' => '25', 'smfVersion' => $current_smf_version);
        $scripturl = $boardurl . '/index.php';
        require_once dirname(__FILE__) . '/Themes/default/languages/' . strtr($_SESSION['installer_temp_lang'], array('Install' => 'index'));
        require_once dirname(__FILE__) . '/Themes/default/languages/' . strtr($_SESSION['installer_temp_lang'], array('Install' => 'Login'));
        // The username is echoed without escaping; only names that passed the
        // character filter in the branch above reach this point.
        echo ' <div class="error_message"> <div style="color: red;">', sprintf($txt[500], $_POST['username']), '</div> </div> <br />';
        // One step back, this time fill out a proper email address.
        return doStep2a();
    } elseif ($_POST['username'] != '') {
        // Legacy SMF scheme: passwd = sha1(lower(username) . password), and a
        // separate 4-hex-char salt that is only mixed into the cookie hash.
        // NOTE(review): mt_rand() is not a CSPRNG.
        $salt = substr(md5(mt_rand()), 0, 4);
        // Format the username properly.
        $_POST['username'] = preg_replace('~[\\t\\n\\r\\x0B\\0\\xA0]+~', ' ', $_POST['username']);
        $ip = isset($_SERVER['REMOTE_ADDR']) ? addslashes(substr(stripslashes($_SERVER['REMOTE_ADDR']), 0, 255)) : '';
        // ID_GROUP is set to 1, i.e. the first member goes into the admin group.
        $request = mysql_query("\n\t\t\tINSERT INTO {$db_prefix}members\n\t\t\t\t(memberName, realName, passwd, emailAddress, ID_GROUP, posts, dateRegistered, hideEmail, passwordSalt, lngfile, personalText, avatar, memberIP, memberIP2, buddy_list, pm_ignore_list, messageLabels, websiteTitle, websiteUrl, location, ICQ, MSN, signature, usertitle, secretQuestion, additionalGroups)\n\t\t\tVALUES (SUBSTRING('{$_POST['username']}', 1, 25), SUBSTRING('{$_POST['username']}', 1, 25), '" . sha1(strtolower($_POST['username']) . $_POST['password1']) . "', '{$_POST['email']}', 1, '0', '" . time() . "', '0', '{$salt}', '', '', '', '{$ip}', '{$ip}', '', '', '', '', '', '', '', '', '', '', '', '')");
        // Awww, crud!
        if ($request === false) {
            // The DB error is HTML-escaped; $_SERVER['PHP_SELF'] in the href is not.
            echo ' <div class="error_message"> <div style="color: red;">', $txt['error_user_settings_query'], '</div> <div style="margin: 2ex;">', nl2br(htmlspecialchars(mysql_error($db_connection))), '</div> <a href="', $_SERVER['PHP_SELF'], '?step=2">', $txt['error_message_click'], '</a> ', $txt['error_message_try_again'], ' </div>';
            return false;
        }
        $id = mysql_insert_id();
    }

    // Automatically log them in ;).
    // 3153600 * 60 seconds is roughly six years of cookie lifetime.
    if (isset($id) && isset($salt)) {
        setLoginCookie(3153600 * 60, $id, sha1(sha1(strtolower($_POST['username']) . $_POST['password1']) . $salt));
    }

    // Pick DB-backed or PHP sessions depending on the databaseSession_enable setting.
    $result = mysql_query("\n\t\tSELECT value\n\t\tFROM {$db_prefix}settings\n\t\tWHERE variable = 'databaseSession_enable'");
    if (mysql_num_rows($result) != 0) {
        list($db_sessions) = mysql_fetch_row($result);
    }
    mysql_free_result($result);
    if (empty($db_sessions)) {
        if (@version_compare(PHP_VERSION, '4.2.0') == -1) {
            $HTTP_SESSION_VARS['php_412_bugfix'] = true;
        }
        $_SESSION['admin_time'] = time();
    } else {
        // The user agent is truncated and addslashes()'d before being written
        // into the hand-built serialised session row.
        $_SERVER['HTTP_USER_AGENT'] = addslashes(substr($_SERVER['HTTP_USER_AGENT'], 0, 211));
        mysql_query("\n\t\t\tINSERT INTO {$db_prefix}sessions\n\t\t\t\t(session_id, last_update, data)\n\t\t\tVALUES ('" . session_id() . "', " . time() . ",\n\t\t\t\t'USER_AGENT|s:" . strlen(stripslashes($_SERVER['HTTP_USER_AGENT'])) . ":\"{$_SERVER['HTTP_USER_AGENT']}\";admin_time|i:" . time() . ";')");
    }
    updateStats('member');
    updateStats('message');
    updateStats('topic');

    // This function is needed to do the updateStats('subject') call.
    // (create_function() was removed in PHP 8.)
    $func['strtolower'] = $db_character_set === 'utf8' || $txt['lang_character_set'] === 'UTF-8' ? create_function('$string', ' return $string;') : 'strtolower';
    $request = mysql_query("\n\t\tSELECT ID_MSG\n\t\tFROM {$db_prefix}messages\n\t\tWHERE ID_MSG = 1\n\t\t\tAND modifiedTime = 0\n\t\tLIMIT 1");
    if (mysql_num_rows($request) > 0) {
        updateStats('subject', 1, addslashes(htmlspecialchars($txt['default_topic_subject'])));
    }
    mysql_free_result($request);

    echo ' <div class="panel"> <h2>', $txt['congratulations'], '</h2> <br /> ', $txt['congratulations_help'], '<br /> <br />';
    if (is_writable(dirname(__FILE__)) && substr(__FILE__, 1, 2) != ':\\') {
        echo ' <i>', $txt['still_writable'], '</i><br /> <br />';
    }

    // Don't show the box if it's like 99% sure it won't work :P.
    if (isset($_SESSION['installer_temp_ftp']) || is_writable(dirname(__FILE__)) || is_writable(__FILE__)) {
        // Self-delete checkbox: the inline JS requests this script with ?delete=1.
        // $_SERVER['PHP_SELF'] is emitted into the script body without escaping.
        echo ' <div style="margin: 1ex; font-weight: bold;"> <label for="delete_self"><input type="checkbox" id="delete_self" onclick="doTheDelete();" /> ', $txt['delete_installer'], !isset($_SESSION['installer_temp_ftp']) ? ' ' . $txt['delete_installer_maybe'] : '', '</label> </div> <script language="JavaScript" type="text/javascript"><!-- // --><![CDATA[ function doTheDelete() { var theCheck = document.getElementById ? document.getElementById("delete_self") : document.all.delete_self; var tempImage = new Image(); tempImage.src = "', $_SERVER['PHP_SELF'], '?delete=1&ts=" + (new Date().getTime()); tempImage.width = 0; theCheck.disabled = true; } // ]]></script> <br />';
    }
    echo ' ', sprintf($txt['go_to_your_forum'], $boardurl . '/index.php'), '<br /> <br /> ', $txt['good_luck'], ' </div>';
    return true;
}
/**
 * Tapatalk XML-RPC handler: change the current member's password.
 *
 * Two modes, selected by whether RPC parameter 2 is present:
 *  - (newPassword, token, code): a Tapatalk-ID credential. The token/code
 *    pair is checked with TapatalkSsoVerification(); if no member is logged
 *    in, one is resolved from the e-mail that check returns. The old password
 *    is then not required as long as the e-mail matches the member's address.
 *  - (oldPassword, newPassword): classic change; the old password must match
 *    the stored sha1 hash or be accepted by the integrate_verify_password hook.
 *
 * Every failure ends in fatal_error()/get_error(). On success the stored
 * hash and the login cookie are replaced and an XML-RPC struct
 * {result: true, result_text: ''} is returned.
 *
 * @param object $rpcmsg XML-RPC request message (getParam / getScalarValParam)
 * @return xmlrpcresp
 */
function mob_update_password($rpcmsg)
{
    global $txt, $modSettings;
    global $cookiename, $context;
    global $sourcedir, $scripturl, $db_prefix;
    global $ID_MEMBER, $user_info;
    global $newpassemail, $user_profile, $validationCode;

    loadLanguage('Profile');

    // Start with no updates and no errors.
    $profile_vars = array();
    $post_errors = array();
    $good_password = false;

    // reset directly with tapatalk id credential
    if ($rpcmsg->getParam(2)) {
        $_POST['passwrd1'] = $rpcmsg->getParam(0) ? $rpcmsg->getScalarValParam(0) : '';
        $_POST['passwrd1'] = utf8ToAscii($_POST['passwrd1']);
        $token = $rpcmsg->getParam(1) ? $rpcmsg->getScalarValParam(1) : '';
        $code = $rpcmsg->getParam(2) ? $rpcmsg->getScalarValParam(2) : '';

        // verify Tapatalk Authorization
        if ($token && $code) {
            $ttid = TapatalkSsoVerification($token, $code);
            if ($ttid && $ttid->result) {
                $tapatalk_id_email = $ttid->email;

                // Nobody logged in: pick the member whose e-mail the external
                // verification asserted, and build enough of $user_info for
                // isAllowedTo() further down.
                // NOTE(review): the third-party verification result alone
                // selects which account is reset here - an external trust
                // boundary worth logging/monitoring.
                if (empty($ID_MEMBER) && ($ID_MEMBER = emailExists($tapatalk_id_email))) {
                    loadMemberData($ID_MEMBER, false, 'profile');
                    $user_info = $user_profile[$ID_MEMBER];
                    $user_info['is_guest'] = false;
                    $user_info['is_admin'] = $user_info['id_group'] == 1 || in_array(1, explode(',', $user_info['additionalGroups']));
                    $user_info['id'] = $ID_MEMBER;
                    if (empty($user_info['additionalGroups'])) {
                        $user_info['groups'] = array($user_info['ID_GROUP'], $user_info['ID_POST_GROUP']);
                    } else {
                        $user_info['groups'] = array_merge(array($user_info['ID_GROUP'], $user_info['ID_POST_GROUP']), explode(',', $user_info['additionalGroups']));
                    }
                    $user_info['groups'] = array_unique(array_map('intval', $user_info['groups']));
                    loadPermissions();
                }

                // Accept only if the e-mail matches and the primary group is
                // not the admin group (1). Note that is_admin above also counts
                // additionalGroups, while this gate checks ID_GROUP only.
                if (strtolower($user_info['emailAddress']) == strtolower($tapatalk_id_email) && $user_info['ID_GROUP'] != 1) {
                    $good_password = true;
                }
            }
        }

        // Presumably get_error() ends the request; if it returns, the
        // classic path below runs with $good_password still false - confirm.
        if (!$good_password) {
            get_error('Failed to update password');
        }
    } else {
        $_POST['oldpasswrd'] = $rpcmsg->getParam(0) ? $rpcmsg->getScalarValParam(0) : '';
        $_POST['passwrd1'] = $rpcmsg->getParam(1) ? $rpcmsg->getScalarValParam(1) : '';
        $_POST['passwrd1'] = utf8ToAscii($_POST['passwrd1']);
    }

    // Clean up the POST variables.
    $_POST = htmltrim__recursive($_POST);
    $_POST = stripslashes__recursive($_POST);
    $_POST = htmlspecialchars__recursive($_POST);
    $_POST = addslashes__recursive($_POST);

    $memberResult = loadMemberData($ID_MEMBER, false, 'profile');
    if (!is_array($memberResult)) {
        fatal_lang_error(453, false);
    }
    $memID = $ID_MEMBER;
    $context['user']['is_owner'] = true;

    // Same permission set the profile page requires for identity changes.
    isAllowedTo(array('manage_membergroups', 'profile_identity_any', 'profile_identity_own'));

    // You didn't even enter a password!
    // NOTE(review): the Tapatalk branch never sets $_POST['oldpasswrd'], so
    // trim() here and the addslashes() line below read an undefined index in that mode.
    if (trim($_POST['oldpasswrd']) == '' && !$good_password) {
        fatal_error($txt['profile_error_no_password']);
    }

    // Since the password got modified due to all the $_POST cleaning, lets undo it so we can get the correct password
    $_POST['oldpasswrd'] = addslashes(un_htmlspecialchars(stripslashes($_POST['oldpasswrd'])));

    // Does the integration want to check passwords?
    if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password'])) {
        if (call_user_func($modSettings['integrate_verify_password'], $user_profile[$memID]['memberName'], $_POST['oldpasswrd'], false) === true) {
            $good_password = true;
        }
    }

    // Bad password!!!
    // Legacy scheme: passwd = sha1(lower(memberName) . password); the member's
    // passwordSalt is only mixed into the cookie hash, not the stored hash.
    if (!$good_password && $user_info['passwd'] != sha1(strtolower($user_profile[$memID]['memberName']) . $_POST['oldpasswrd'])) {
        fatal_error($txt['profile_error_bad_password']);
    }

    // Let's get the validation function into play...
    require_once $sourcedir . '/Subs-Auth.php';
    $passwordErrors = validatePassword($_POST['passwrd1'], $user_info['username'], array($user_info['name'], $user_info['email']));

    // Were there errors? A non-null result is used as the error-string suffix.
    if ($passwordErrors != null) {
        fatal_error($txt['profile_error_password_' . $passwordErrors]);
    }

    // Set up the new password variable... ready for storage.
    // Wrapped in quotes because updateMemberData() receives it as an SQL fragment.
    $profile_vars['passwd'] = '\'' . sha1(strtolower($user_profile[$memID]['memberName']) . un_htmlspecialchars(stripslashes($_POST['passwrd1']))) . '\'';

    // If we've changed the password, notify any integration that may be listening in.
    if (isset($modSettings['integrate_reset_pass']) && function_exists($modSettings['integrate_reset_pass'])) {
        call_user_func($modSettings['integrate_reset_pass'], $user_profile[$memID]['memberName'], $user_profile[$memID]['memberName'], $_POST['passwrd1']);
    }
    updateMemberData($memID, $profile_vars);

    // Re-issue the login cookie so the session survives the hash change.
    require_once $sourcedir . '/Subs-Auth.php';
    setLoginCookie(60 * $modSettings['cookieTime'], $memID, sha1(sha1(strtolower($user_profile[$memID]['memberName']) . un_htmlspecialchars(stripslashes($_POST['passwrd1']))) . $user_profile[$memID]['passwordSalt']));

    $response = array('result' => new xmlrpcval(true, 'boolean'), 'result_text' => new xmlrpcval('', 'base64'));
    return new xmlrpcresp(new xmlrpcval($response, 'struct'));
}
/**
 * Registration form handler (step 2): validate the submitted account data and
 * optional profile fields, then create the member via registerMember().
 *
 * Flow: gate checks (registration disabled; agreement, origin session, COPPA
 * age ban and visual verification - the last four skipped when
 * $verifiedOpenID is true), $_POST cleanup, collection of the optional
 * profile fields into $regOptions['extra_register_vars'] and ['theme_vars'],
 * custom-field validation driven by the custom_fields table, the OpenID
 * hand-off, and finally member creation followed by the COPPA / activation /
 * approval / direct-login epilogue. Validation failures re-render the form
 * through Register($reg_errors).
 *
 * @param bool $verifiedOpenID true when returning from a completed OpenID
 *                             verification; the POST fields saved in
 *                             $context['openid_save_fields'] are restored.
 */
function Register2($verifiedOpenID = false)
{
    global $txt, $modSettings, $context, $sourcedir;

    // Start collecting together any errors.
    $reg_errors = array();

    // Did we save some open ID fields?
    if ($verifiedOpenID && !empty($context['openid_save_fields'])) {
        foreach ($context['openid_save_fields'] as $id => $value) {
            $_POST[$id] = $value;
        }
    }

    // You can't register if it's disabled.
    if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
        fatal_lang_error('registration_disabled', false);
    }

    // Things we don't do for people who have already confirmed their OpenID allegances via register.
    if (!$verifiedOpenID) {
        // Well, if you don't agree, you can't register.
        if (!empty($modSettings['requireAgreement']) && empty($_SESSION['registration_agreed'])) {
            redirectexit();
        }

        // Make sure they came from *somewhere*, have a session.
        if (!isset($_SESSION['old_url'])) {
            redirectexit('action=register');
        }

        // Are they under age, and under age users are banned?
        if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && empty($_SESSION['skip_coppa'])) {
            // !!! This should be put in Errors, imho.
            loadLanguage('Login');
            fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge']));
        }

        // Check whether the visual verification code was entered correctly.
        // create_control_verification() returns an array of error keys on failure.
        if (!empty($modSettings['reg_verification'])) {
            require_once $sourcedir . '/lib/Subs-Editor.php';
            $verificationOptions = array('id' => 'register');
            $context['visual_verification'] = create_control_verification($verificationOptions, true);
            if (is_array($context['visual_verification'])) {
                loadLanguage('Errors');
                foreach ($context['visual_verification'] as $error) {
                    $reg_errors[] = $txt['error_' . $error];
                }
            }
        }
    }

    // Strip line breaks and trim every scalar POST field; array fields are left as-is.
    foreach ($_POST as $key => $value) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
        }
    }

    // Collect all extra registration fields someone might have filled in.
    $possible_strings = array('location', 'birthdate', 'time_format', 'buddy_list', 'pm_ignore_list', 'smiley_set', 'signature', 'personal_text', 'avatar', 'lngfile', 'secret_question', 'secret_answer');
    $possible_ints = array('pm_email_notify', 'notify_types', 'gender', 'id_theme');
    $possible_floats = array('time_offset');
    $possible_bools = array('notify_announcements', 'notify_regularity', 'notify_send_body', 'hide_email', 'show_online');

    // NOTE(review): the secret answer is stored as an unsalted md5, which is
    // weak for an account-recovery secret.
    if (isset($_POST['secret_answer']) && $_POST['secret_answer'] != '') {
        $_POST['secret_answer'] = md5($_POST['secret_answer']);
    }

    // Needed for isReservedName() and registerMember().
    require_once $sourcedir . '/lib/Subs-Members.php';

    // Validation... even if we're not a mall.
    // The display name is only accepted when editing it is allowed, it is not
    // reserved and it is under 60 characters; otherwise it is simply not saved.
    if (isset($_POST['real_name']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) {
        $_POST['real_name'] = trim(preg_replace('~[\\s]~u', ' ', $_POST['real_name']));
        if (trim($_POST['real_name']) != '' && !isReservedName($_POST['real_name']) && commonAPI::strlen($_POST['real_name']) < 60) {
            $possible_strings[] = 'real_name';
        }
    }

    // Handle a string as a birthdate...
    // (strftime() is deprecated as of PHP 8.1.)
    if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') {
        $_POST['birthdate'] = strftime('%Y-%m-%d', strtotime($_POST['birthdate']));
    } elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) {
        $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']);
    }

    // By default assume email is hidden, only show it if we tell it to.
    $_POST['hide_email'] = !empty($_POST['allow_email']) ? 0 : 1;

    // Validate the passed language file.
    // Only a name present in $context['languages'] is kept; anything else is
    // dropped, so an arbitrary value cannot reach the language-file lookup.
    if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) {
        // Do we have any languages?
        if (empty($context['languages'])) {
            getLanguages();
        }

        // Did we find it?
        if (isset($context['languages'][$_POST['lngfile']])) {
            $_SESSION['language'] = $_POST['lngfile'];
        } else {
            unset($_POST['lngfile']);
        }
    } else {
        unset($_POST['lngfile']);
    }

    // Set the options needed for registration.
    // 'require' decides the post-registration step: COPPA first (unless already
    // verified via OpenID or skipped), else nothing / activation / approval
    // according to registration_method.
    $regOptions = array('interface' => 'guest', 'username' => !empty($_POST['user']) ? $_POST['user'] : '', 'email' => !empty($_POST['email']) ? $_POST['email'] : '', 'password' => !empty($_POST['passwrd1']) ? $_POST['passwrd1'] : '', 'password_check' => !empty($_POST['passwrd2']) ? $_POST['passwrd2'] : '', 'openid' => !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '', 'auth_method' => !empty($_POST['authenticate']) ? $_POST['authenticate'] : '', 'check_reserved_name' => true, 'check_password_strength' => true, 'check_email_ban' => true, 'send_welcome_email' => !empty($modSettings['send_welcomeEmail']), 'require' => !empty($modSettings['coppaAge']) && !$verifiedOpenID && empty($_SESSION['skip_coppa']) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')), 'extra_register_vars' => array(), 'theme_vars' => array());

    // Include the additional options that might have been filled in.
    // Strings are HTML-escaped, ints/floats cast, bools normalised to 0/1.
    foreach ($possible_strings as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = commonAPI::htmlspecialchars($_POST[$var], ENT_QUOTES);
        }
    }
    foreach ($possible_ints as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (int) $_POST[$var];
        }
    }
    foreach ($possible_floats as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (double) $_POST[$var];
        }
    }
    foreach ($possible_bools as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1;
        }
    }

    // Registration options are always default options...
    // Array union: keys already in $_POST['options'] win over default_options.
    // NOTE(review): if either value is not an array this '+' is a TypeError
    // on PHP 8 - confirm the form only ever submits these as arrays.
    if (isset($_POST['default_options'])) {
        $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options'];
    }
    $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? $_POST['options'] : array();

    // Make sure they are clean, dammit!
    $regOptions['theme_vars'] = htmlspecialchars__recursive($regOptions['theme_vars']);

    // If Quick Reply hasn't been set then set it to be shown but collapsed.
    if (!isset($regOptions['theme_vars']['display_quick_reply'])) {
        $regOptions['theme_vars']['display_quick_reply'] = 1;
    }

    // Check whether we have fields that simply MUST be displayed?
    $request = smf_db_query(' SELECT col_name, field_name, field_type, field_length, mask, show_reg FROM {db_prefix}custom_fields WHERE active = {int:is_active}', array('is_active' => 1));
    $custom_field_errors = array();
    while ($row = mysql_fetch_assoc($request)) {
        // Don't allow overriding of the theme variables.
        if (isset($regOptions['theme_vars'][$row['col_name']])) {
            unset($regOptions['theme_vars'][$row['col_name']]);
        }

        // Not actually showing it then?
        if (!$row['show_reg']) {
            continue;
        }

        // Prepare the value!
        $value = isset($_POST['customfield'][$row['col_name']]) ? trim($_POST['customfield'][$row['col_name']]) : '';

        // We only care for text fields as the others are valid to be empty.
        if (!in_array($row['field_type'], array('check', 'select', 'radio'))) {
            // Is it too long?
            if ($row['field_length'] && $row['field_length'] < commonAPI::strlen($value)) {
                $custom_field_errors[] = array('custom_field_too_long', array($row['field_name'], $row['field_length']));
            }

            // Any masks to apply?
            if ($row['field_type'] == 'text' && !empty($row['mask']) && $row['mask'] != 'none') {
                //!!! We never error on this - just ignore it at the moment...
                // The 'regex...' mask is admin-defined in the DB and used as the PCRE
                // pattern verbatim. preg_match() returns false (not 0) on a broken
                // pattern, so an invalid mask silently accepts any value.
                if ($row['mask'] == 'email' && (preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $value) === 0 || strlen($value) > 255)) {
                    $custom_field_errors[] = array('custom_field_invalid_email', array($row['field_name']));
                } elseif ($row['mask'] == 'number' && preg_match('~[^\\d]~', $value)) {
                    $custom_field_errors[] = array('custom_field_not_number', array($row['field_name']));
                } elseif (substr($row['mask'], 0, 5) == 'regex' && preg_match(substr($row['mask'], 5), $value) === 0) {
                    $custom_field_errors[] = array('custom_field_inproper_format', array($row['field_name']));
                }
            }
        }

        // Is this required but not there?
        if (trim($value) == '' && $row['show_reg'] > 1) {
            $custom_field_errors[] = array('custom_field_empty', array($row['field_name']));
        }
    }
    mysql_free_result($request);

    // Process any errors.
    if (!empty($custom_field_errors)) {
        loadLanguage('Errors');
        foreach ($custom_field_errors as $error) {
            $reg_errors[] = vsprintf($txt['error_' . $error[0]], $error[1]);
        }
    }

    // Lets check for other errors before trying to register the member.
    if (!empty($reg_errors)) {
        $_REQUEST['step'] = 2;
        return Register($reg_errors);
    }

    // If they're wanting to use OpenID we need to validate them first.
    // Everything except the session token and the passwords is carried across
    // the OpenID round-trip.
    if (empty($_SESSION['openid']['verified']) && !empty($_POST['authenticate']) && $_POST['authenticate'] == 'openid') {
        // What do we need to save?
        $save_variables = array();
        foreach ($_POST as $k => $v) {
            if (!in_array($k, array('sc', 'sesc', $context['session_var'], 'passwrd1', 'passwrd2', 'regSubmit'))) {
                $save_variables[$k] = $v;
            }
        }
        require_once $sourcedir . '/lib/Subs-OpenID.php';
        smf_openID_validate($_POST['openid_identifier'], false, $save_variables);
    } elseif ($verifiedOpenID || !empty($_POST['openid_identifier']) && $_POST['authenticate'] == 'openid') {
        // (&& binds tighter than || here.) Fall back to the OpenID-provided
        // nickname/e-mail/URI when the form left them blank.
        $regOptions['username'] = !empty($_POST['user']) && trim($_POST['user']) != '' ? $_POST['user'] : $_SESSION['openid']['nickname'];
        $regOptions['email'] = !empty($_POST['email']) && trim($_POST['email']) != '' ? $_POST['email'] : $_SESSION['openid']['email'];
        $regOptions['auth_method'] = 'openid';
        $regOptions['openid'] = !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : $_SESSION['openid']['openid_uri'];
    }

    $memberID = registerMember($regOptions, true);

    // What there actually an error of some kind dear boy?
    if (is_array($memberID)) {
        $reg_errors = array_merge($reg_errors, $memberID);
        $_REQUEST['step'] = 2;
        return Register($reg_errors);
    }

    // Do our spam protection now.
    spamProtection('register');
    HookAPI::callHook('register_process');

    // We'll do custom fields after as then we get to use the helper function!
    if (!empty($_POST['customfield'])) {
        require_once $sourcedir . '/Profile.php';
        require_once $sourcedir . '/Profile-Modify.php';
        makeCustomFieldChanges($memberID, 'register');
    }

    // If COPPA has been selected then things get complicated, setup the template.
    if (!empty($modSettings['coppaAge']) && empty($_SESSION['skip_coppa'])) {
        redirectexit('action=coppa;member=' . $memberID);
    } elseif (!empty($modSettings['registration_method'])) {
        EoS_Smarty::loadTemplate('register/base');
        EoS_Smarty::getConfigInstance()->registerHookTemplate('register_content_area', 'register/done');
        $context += array('page_title' => $txt['register'], 'title' => $txt['registration_successful'], 'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration']);
    } else {
        // NOTE(review): $row is the leftover loop variable from the custom_fields
        // fetch above (false once that loop ended), so $row['member_name'] is not
        // the new member's name - looks like a bug; confirm what the hook expects.
        HookAPI::callHook('integrate_activate', array($row['member_name']));
        // Presumably registerMember() fills $regOptions['register_vars'] through
        // a by-reference parameter - confirm, nothing in this function sets it.
        setLoginCookie(60 * $modSettings['cookieTime'], $memberID, sha1(sha1(strtolower($regOptions['username']) . $regOptions['password']) . $regOptions['register_vars']['password_salt']));
        redirectexit('action=login2;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
    }
}
/**
 * Admin "core settings" form handler: normalise the submitted values, write
 * them into Settings.php through updateSettingsFile(), then redirect back.
 *
 * Only keys listed in $config_passwords / $config_strs / $config_ints /
 * $config_bools are written. String values are wrapped in single quotes with
 * ' and \ escaped by addcslashes(), so the generated PHP stays a string
 * literal. If the cookie name changed, the login cookie is re-issued under
 * the new name before the redirect.
 *
 * NOTE(review): no checkSession()/permission check is visible in this
 * function; presumably the caller enforces it - confirm, since the values
 * written here include boarddir/sourcedir (include paths) and DB credentials.
 */
function ModifyCoreSettings2()
{
    global $boarddir, $sc, $cookiename, $modSettings, $user_settings, $sourcedir;
    global $context;

    // Strip the slashes off of the post vars.
    foreach ($_POST as $key => $val) {
        $_POST[$key] = stripslashes__recursive($val);
    }

    // Fix the darn stupid cookiename! (more may not be allowed, but these for sure!)
    // Removes commas, semicolons, whitespace, dots and '$' from the cookie name.
    if (isset($_POST['cookiename'])) {
        $_POST['cookiename'] = preg_replace('~[,;\\s\\.$]+~' . ($context['utf8'] ? 'u' : ''), '', $_POST['cookiename']);
    }

    // Fix the forum's URL if necessary.
    // Drops a trailing /index.php or slash and forces a scheme; only http://,
    // https:// and file:// are recognised, anything else gets http:// prepended.
    if (substr($_POST['boardurl'], -10) == '/index.php') {
        $_POST['boardurl'] = substr($_POST['boardurl'], 0, -10);
    } elseif (substr($_POST['boardurl'], -1) == '/') {
        $_POST['boardurl'] = substr($_POST['boardurl'], 0, -1);
    }
    if (substr($_POST['boardurl'], 0, 7) != 'http://' && substr($_POST['boardurl'], 0, 7) != 'file://' && substr($_POST['boardurl'], 0, 8) != 'https://') {
        $_POST['boardurl'] = 'http://' . $_POST['boardurl'];
    }

    // Any passwords?
    $config_passwords = array('db_passwd');
    // All the strings to write.
    $config_strs = array('mtitle', 'mmessage', 'language', 'mbname', 'boardurl', 'cookiename', 'webmaster_email', 'db_name', 'db_user', 'db_server', 'db_prefix', 'boarddir', 'sourcedir');
    // All the numeric variables.
    $config_ints = array();
    // All the checkboxes.
    $config_bools = array('db_persist', 'db_error_send', 'maintenance');

    // Now sort everything into a big array, and figure out arrays and etc.
    $config_vars = array();

    // Passwords arrive as a [value, confirmation] pair and are only written when both match.
    foreach ($config_passwords as $config_var) {
        if (isset($_POST[$config_var][1]) && $_POST[$config_var][0] == $_POST[$config_var][1]) {
            $config_vars[$config_var] = '\'' . addcslashes($_POST[$config_var][0], "'\\") . '\'';
        }
    }
    foreach ($config_strs as $config_var) {
        if (isset($_POST[$config_var])) {
            $config_vars[$config_var] = '\'' . addcslashes($_POST[$config_var], "'\\") . '\'';
        }
    }
    foreach ($config_ints as $config_var) {
        if (isset($_POST[$config_var])) {
            $config_vars[$config_var] = (int) $_POST[$config_var];
        }
    }
    // Checkboxes: absent or empty means '0'.
    foreach ($config_bools as $key) {
        if (!empty($_POST[$key])) {
            $config_vars[$key] = '1';
        } else {
            $config_vars[$key] = '0';
        }
    }

    require_once $sourcedir . '/Admin.php';
    updateSettingsFile($config_vars);

    // If the cookie name was changed, reset the cookie.
    // The cookie hash is sha1(passwd . passwordSalt) for the current admin.
    if (isset($config_vars['cookiename']) && $cookiename != $_POST['cookiename']) {
        include_once $sourcedir . '/Subs-Auth.php';
        $cookiename = $_POST['cookiename'];
        setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['ID_MEMBER'], sha1($user_settings['passwd'] . $user_settings['passwordSalt']));
        redirectexit('action=serversettings;sa=core;sesc=' . $sc, $context['server']['needs_login_fix']);
    }

    redirectexit('action=serversettings;sa=core;sesc=' . $sc);
}
/**
 * Logs the current GUI user out and hands control back to the login screen.
 *
 * Clears the login cookie, writes a placeholder cookie ('?' / '?'), wipes the
 * session data and the user id/name fields, then calls guiLogin() with a
 * notice that names the user who was just logged out.
 *
 * @param object $session session object, modified in place (by reference)
 * @return void
 */
function guiLogout(&$session)
{
    clearLoginCookie($session);
    setLoginCookie($session, '?', '?');

    $session->clearSessionData();
    $session->fUserId = null;

    // Keep the name before it is wiped so the notice can still mention it.
    $previousUser = $session->fUserName;
    $session->fUserName = null;

    guiLogin($session, "Daten für automatische Anmeldung wurden gelöscht: {$previousUser}");
}
/**
 * Reload a user's settings after a profile change.
 *
 * When the "verify password" field (passwrd2) was posted, the login cookie is
 * re-issued first: the two password fields must already have matched for the
 * save to get this far, and passwrd2 itself is never altered by the profile
 * code, so it is the safe one to derive the cookie hash from. The hash is
 * sha256(lowercased member name . password . password_salt). Afterwards the
 * user settings are reloaded and the online log is updated.
 *
 * Globals read: $modSettings, $context, $cur_profile.
 *
 * @return void
 */
function profileReloadUser()
{
    global $modSettings, $context, $cur_profile;

    $verifyPassword = isset($_POST['passwrd2']) ? $_POST['passwrd2'] : null;

    if ($verifyPassword !== null && $verifyPassword != '') {
        require_once SUBSDIR . '/Auth.subs.php';

        // Entity-decode the posted password before hashing so it matches the
        // value the password itself was hashed from.
        $cookieSeed = Util::strtolower($cur_profile['member_name'])
            . un_htmlspecialchars($verifyPassword)
            . $cur_profile['password_salt'];

        setLoginCookie(
            60 * $modSettings['cookieTime'],
            $context['id_member'],
            hash('sha256', $cookieSeed)
        );
    }

    loadUserSettings();
    writeLog();
}
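/**
 * Brute-force throttle applied after a failed password check on a member.
 *
 * Always drops the login cookie and the session login marker for the current
 * visitor first, then parses the stored "timestamp|tries" flood value, bumps
 * the try counter and aborts with a fatal error once more than five tries
 * have accumulated. The updated flood value is written back to the member
 * record via updateMemberData(); a correct password on the first try clears it.
 *
 * The throttle is keyed on the member record, not on the client, so it limits
 * guesses against one account regardless of where they come from.
 *
 * @param int $id_member member being checked; a falsy value redirects away
 * @param string|false $password_flood_value stored "timestamp|tries" value, or false when none
 * @param bool $was_correct whether the password just tested was correct
 * @return void
 */
function validatePasswordFlood($id_member, $password_flood_value = false, $was_correct = false)
{
    global $smcFunc, $cookiename, $sourcedir;

    // As this is only brute protection, we allow 5 attempts every 10 seconds.

    // Destroy any session or cookie data about this member, as they validated wrong.
    require_once $sourcedir . '/Subs-Auth.php';
    setLoginCookie(-3600, 0);
    if (isset($_SESSION['login_' . $cookiename])) {
        unset($_SESSION['login_' . $cookiename]);
    }

    // We need a member!
    if (!$id_member) {
        // Redirect back!
        redirectexit();

        // Probably not needed, but still make sure...
        fatal_lang_error('no_access', false);
    }

    // Parse the stored flood value without '@' suppression: a missing value, or
    // one without the '|' separator, simply leaves both parts at zero. Casting to
    // int keeps the later comparisons numeric even if the column holds junk.
    $time_stamp = 0;
    $number_tries = 0;
    if ($password_flood_value !== false) {
        $parts = explode('|', (string) $password_flood_value);
        if (count($parts) >= 2) {
            $time_stamp = (int) $parts[0];
            $number_tries = (int) $parts[1];
        }
    }

    // Read the clock once so every window check below uses the same instant.
    $now = time();

    // Timestamp or number of tries invalid?
    if (empty($number_tries) || empty($time_stamp)) {
        $number_tries = 0;
        $time_stamp = $now;
    }

    // They've failed logging in already
    if (!empty($number_tries)) {
        // Give them less chances if they failed before: once the last failure is
        // older than 20 seconds the counter restarts at 2, not 0.
        $number_tries = $time_stamp < $now - 20 ? 2 : $number_tries;

        // They are trying too fast, make them wait longer
        if ($time_stamp < $now - 10) {
            $time_stamp = $now;
        }
    }

    $number_tries++;

    // Broken the law?
    if ($number_tries > 5) {
        fatal_lang_error('login_threshold_brute_fail', 'critical');
    }

    // Otherwise set the members data. If they were correct on their first attempt
    // we actually clear it, otherwise we store "timestamp|tries".
    updateMemberData($id_member, array('passwd_flood' => $was_correct && $number_tries == 1 ? '' : $time_stamp . '|' . $number_tries));
}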
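// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
// 3. The name of the author may not be used to endorse or promote products
// derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
// WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
// IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
// EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
////////////////////////////////////////////////////////////////////////////////////

// Logout script: clears this application's own login cookie, then the linked
// forum's cookie (SMF or IPB, selected by $GLOBALS["FORUMLINK"]), and sends the
// browser back to index.php.
$THIS_BASEPATH = dirname(__FILE__);
require "include/functions.php";

logoutcookie();
dbconn();

if (substr($GLOBALS["FORUMLINK"], 0, 3) == "smf") {
    require $THIS_BASEPATH . '/smf/SSI.php';

    // The function name must be passed as a string. The previous bare-constant
    // form was only a notice on old PHP (which silently turned it into the
    // string) but throws an undefined-constant Error on PHP 8, which would abort
    // the logout before the forum cookie is expired.
    if (!function_exists('setLoginCookie')) {
        require $THIS_BASEPATH . '/smf/Sources/Subs-Auth.php';
    }

    // Expire the forum login cookie (negative lifetime, member 0).
    setLoginCookie(-3600, 0);
} elseif ($GLOBALS["FORUMLINK"] == "ipb") {
    kill_ipb_cookie();
}

header("Location: index.php");
// Stop here so nothing below the redirect header is executed or rendered.
exit;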
/**
 * Admin page for the cookie and session settings.
 *
 * Builds the settings definition used by the generic settings form. With
 * $return_config = true the definition is returned without rendering (used by
 * the admin search). Otherwise, when 'save' is present in the request the
 * settings are saved via saveSettings(); if that changed the cookie name the
 * login cookie is expired under the old name and re-issued under the new one
 * before redirecting. Without 'save' the page context is prepared for display.
 *
 * Globals read: $context, $scripturl, $txt, $sourcedir, $modSettings,
 * $cookiename, $user_settings. $cookiename is reassigned when it changes.
 *
 * @param bool $return_config return the config definition instead of rendering
 * @return array|void the $config_vars definition when $return_config is true
 */
function ModifyCookieSettings($return_config = false)
{
    global $context, $scripturl, $txt, $sourcedir, $modSettings, $cookiename, $user_settings;

    // Define the variables we want to edit.
    // Each entry is (setting name, label, storage ['file' = Settings.php,
    // 'db' = modSettings], input type, ...). The secureCookies checkbox is
    // disabled unless the current request itself arrived over HTTPS, since a
    // Secure cookie set over plain HTTP would lock the admin out.
    $config_vars = array(
        array('cookiename', $txt['cookie_name'], 'file', 'text', 20),
        array('cookieTime', $txt['cookieTime'], 'db', 'int'),
        array('localCookies', $txt['localCookies'], 'db', 'check', false, 'localCookies'),
        array('globalCookies', $txt['globalCookies'], 'db', 'check', false, 'globalCookies'),
        array('secureCookies', $txt['secureCookies'], 'db', 'check', false, 'secureCookies', 'disabled' => !isset($_SERVER['HTTPS']) || !(strtolower($_SERVER['HTTPS']) == 'on' || strtolower($_SERVER['HTTPS']) == '1')),
        '',
        array('databaseSession_enable', $txt['databaseSession_enable'], 'db', 'check', false, 'databaseSession_enable'),
        array('databaseSession_loose', $txt['databaseSession_loose'], 'db', 'check', false, 'databaseSession_loose'),
        array('databaseSession_lifetime', $txt['databaseSession_lifetime'], 'db', 'int', false, 'databaseSession_lifetime')
    );

    if ($return_config) {
        return $config_vars;
    }

    $context['post_url'] = $scripturl . '?action=admin;area=serversettings;sa=cookie;save';
    $context['settings_title'] = $txt['cookies_sessions_settings'];

    // Saving settings?
    // NOTE(review): 'save' is read from $_REQUEST, so a GET request can enter
    // this branch; the session/token check is presumably done inside
    // saveSettings() or by the admin dispatcher — confirm.
    if (isset($_REQUEST['save'])) {
        saveSettings($config_vars);

        // If the cookie name was changed, reset the cookie.
        // NOTE(review): $_POST['cookiename'] is read without isset(); a save
        // request lacking the field would compare against null here.
        if ($cookiename != $_POST['cookiename']) {
            // The session id is captured before the cookie swap so the redirect
            // can still carry the session the admin authenticated with.
            $original_session_id = $context['session_id'];
            include_once $sourcedir . '/Subs-Auth.php';

            // Remove the old cookie.
            setLoginCookie(-3600, 0);

            // Set the new one: value is sha1(passwd . password_salt) of the
            // current user, the same shape used for the normal login cookie.
            $cookiename = $_POST['cookiename'];
            setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['id_member'], sha1($user_settings['passwd'] . $user_settings['password_salt']));

            redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $original_session_id, $context['server']['needs_login_fix']);
        }

        redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $context['session_id']);
    }

    // Fill the config array for the settings template.
    prepareServerSettingsContext($config_vars);
}
/**
 * Reload a user's settings after a profile change.
 *
 * When the "verify password" field (passwrd2) was posted, the login cookie is
 * re-issued first. The two password fields must already have matched for the
 * save to reach this point, and passwrd2 is not modified by the profile code,
 * so it is the safe field to derive the cookie hash from. The hash is the
 * legacy double-sha1 form: sha1(sha1(lowercased member name . password) .
 * password_salt). Afterwards the user settings are reloaded and the online
 * log is written.
 *
 * Globals read: $sourcedir, $modSettings, $context, $cur_profile.
 * ($smcFunc and $profile_vars are declared but not used here.)
 *
 * @return void
 */
function profileReloadUser()
{
    global $sourcedir, $modSettings, $context, $cur_profile, $smcFunc, $profile_vars;

    $verifyPassword = isset($_POST['passwrd2']) ? $_POST['passwrd2'] : null;

    if ($verifyPassword !== null && $verifyPassword != '') {
        require_once $sourcedir . '/Subs-Auth.php';

        // Inner hash over name + entity-decoded password, outer hash adds the salt.
        $innerHash = sha1(strtolower($cur_profile['member_name']) . un_htmlspecialchars($verifyPassword));
        $cookieHash = sha1($innerHash . $cur_profile['password_salt']);

        setLoginCookie(60 * $modSettings['cookieTime'], $context['id_member'], $cookieHash);
    }

    loadUserSettings();
    writeLog();
}
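/**
 * Brute-force throttle applied after a failed password check on a member.
 *
 * Always drops the login cookie and the session login marker for the current
 * visitor first, then parses the stored "timestamp|tries" flood value, bumps
 * the try counter and aborts with a fatal error once more than five tries
 * have accumulated within the window. The updated flood value is written back
 * to the member record via updateMemberData(); a correct password on the
 * first try clears it.
 *
 * The throttle is keyed on the member record, not on the client, so it limits
 * guesses against one account regardless of where they come from.
 *
 * @param int $id_member member being checked; a falsy value is a fatal error
 * @param string|false $password_flood_value stored "timestamp|tries" value, or false when none
 * @param bool $was_correct whether the password just tested was correct
 * @return void
 */
function validatePasswordFlood($id_member, $password_flood_value = false, $was_correct = false)
{
    global $smcFunc, $cookiename, $sourcedir;

    // As this is only brute protection, we allow 5 attempts every 10 seconds.

    // Destroy any session or cookie data about this member, as they validated wrong.
    require_once $sourcedir . '/Subs-Auth.php';
    setLoginCookie(-3600, 0);
    if (isset($_SESSION['login_' . $cookiename])) {
        unset($_SESSION['login_' . $cookiename]);
    }

    // We need a member!
    if (!$id_member) {
        fatal_lang_error('no_access', false);
    }

    // Parse the stored flood value without '@' suppression: a missing value, or
    // one without the '|' separator, simply leaves both parts at zero. Casting to
    // int keeps the later comparisons numeric even if the column holds junk.
    $time_stamp = 0;
    $number_tries = 0;
    if ($password_flood_value !== false) {
        $parts = explode('|', (string) $password_flood_value);
        if (count($parts) >= 2) {
            $time_stamp = (int) $parts[0];
            $number_tries = (int) $parts[1];
        }
    }

    // Read the clock once so every window check below uses the same instant.
    $now = time();

    // Timestamp invalid or non-existent, or the last failure older than 10s?
    if (empty($number_tries) || $time_stamp < $now - 10) {
        // If it wasn't *that* long ago, don't give them another five goes:
        // a failure older than 20 seconds restarts the counter at 2, not 0.
        $number_tries = !empty($number_tries) && $time_stamp < $now - 20 ? 2 : 0;
        $time_stamp = $now;
    }

    $number_tries++;

    // Broken the law?
    if ($number_tries > 5) {
        fatal_lang_error('login_threshold_brute_fail', 'critical');
    }

    // Otherwise set the members data. If they were correct on their first attempt
    // we actually clear it, otherwise we store "timestamp|tries".
    updateMemberData($id_member, array('passwd_flood' => $was_correct && $number_tries == 1 ? '' : $time_stamp . '|' . $number_tries));
}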
/**
 * Changing authentication method?
 * Only appropriate for people using OpenID.
 *
 * Handles the profile "authentication" area. When $saving is true and the
 * form chose 'passwd', the new password is validated, stored and (for the
 * account owner) the login cookie is re-issued; when it chose 'openid', the
 * identifier is canonised and either validated via OpenID (owner) or written
 * directly (someone editing another member). Validation problems are appended
 * to the global $post_errors array for the template. In every case the
 * authentication_method sub-template is then prepared.
 *
 * Globals read: $context, $cur_profile, $post_errors, $modSettings.
 *
 * @param bool $saving = false whether the form was submitted
 * @return bool|void true after a password-method submission, nothing otherwise
 */
public function action_authentication($saving = false)
{
    global $context, $cur_profile, $post_errors, $modSettings;

    $memID = currentMemberID();

    loadLanguage('Login');
    loadTemplate('ProfileOptions');

    // We are saving?
    // NOTE(review): $_POST['authenticate'] and $_POST['passwrd1'] are read
    // without isset(); a submission lacking them raises undefined-index notices
    // and falls through to the template — confirm the form always posts them.
    if ($saving) {
        // Moving to password passed authentication?
        if ($_POST['authenticate'] == 'passwd') {
            // Didn't enter anything?
            if ($_POST['passwrd1'] == '') {
                $post_errors[] = 'no_password';
            } elseif (!isset($_POST['passwrd2']) || $_POST['passwrd1'] != $_POST['passwrd2']) {
                $post_errors[] = 'bad_new_password';
            } else {
                require_once SUBSDIR . '/Auth.subs.php';
                $passwordErrors = validatePassword($_POST['passwrd1'], $cur_profile['member_name'], array($cur_profile['real_name'], $cur_profile['email_address']));

                // Were there errors?
                // validatePassword()'s return is not visible here; the loose
                // '!= null' also treats an empty string or false as "no error".
                if ($passwordErrors != null) {
                    $post_errors[] = 'password_' . $passwordErrors;
                }
            }

            if (empty($post_errors)) {
                // Integration? The hook receives the plaintext new password, so any
                // integration listening on it must treat that argument as a secret.
                call_integration_hook('integrate_reset_pass', array($cur_profile['member_name'], $cur_profile['member_name'], $_POST['passwrd1']));

                // Go then.
                require_once SUBSDIR . '/Auth.subs.php';
                $new_pass = $_POST['passwrd1'];
                $passwd = validateLoginPassword($new_pass, '', $cur_profile['member_name'], true);

                // Do the important bits: clear the OpenID URI and store the new hash.
                updateMemberData($memID, array('openid_uri' => '', 'passwd' => $passwd));
                if ($context['user']['is_owner']) {
                    // Only the owner's own session is re-keyed; the cookie value is
                    // sha256(new password . password_salt).
                    setLoginCookie(60 * $modSettings['cookieTime'], $memID, hash('sha256', $new_pass . $cur_profile['password_salt']));
                    redirectexit('action=profile;area=authentication;updated');
                } else {
                    redirectexit('action=profile;u=' . $memID);
                }
            }

            return true;
        } elseif ($_POST['authenticate'] == 'openid' && !empty($_POST['openid_identifier'])) {
            require_once SUBSDIR . '/OpenID.subs.php';
            require_once SUBSDIR . '/Members.subs.php';

            $openID = new OpenID();
            $_POST['openid_identifier'] = $openID->canonize($_POST['openid_identifier']);
            if (memberExists($_POST['openid_identifier'])) {
                $post_errors[] = 'openid_in_use';
            } elseif (empty($post_errors)) {
                // Authenticate using the new OpenID URI first to make sure they didn't make a mistake.
                // The pending URI is parked in the session and only committed after the
                // 'change_uri' round-trip; when someone else edits the member the URI is
                // written directly without that verification.
                if ($context['user']['is_owner']) {
                    $_SESSION['new_openid_uri'] = $_POST['openid_identifier'];
                    $openID->validate($_POST['openid_identifier'], false, null, 'change_uri');
                } else {
                    updateMemberData($memID, array('openid_uri' => $_POST['openid_identifier']));
                }
            }
        }
    }

    // Prepare the template: current OpenID URI, derived auth method and the
    // sub-template plus the script the form needs.
    $context['member']['openid_uri'] = $cur_profile['openid_uri'];
    $context['auth_method'] = empty($cur_profile['openid_uri']) ? 'password' : 'openid';
    $context['sub_template'] = 'authentication_method';
    loadJavascriptFile('register.js');
}