Beispiel #1
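 /**
  * Authenticate an admin user from the submitted login form.
  *
  * Reads admin_name / admin_pass from $_POST, looks the name up in
  * TABLE_ADMIN and verifies the submitted password against the stored
  * hash with zen_validate_password(). Sets $this->authenticed and, on
  * failure, records exactly one error through $this->addError().
  *
  * @return bool true when the credentials were accepted
  */
 public function authentication()
 {
     $admin_name = isset($_POST['admin_name']) ? $_POST['admin_name'] : '';
     $admin_pass = isset($_POST['admin_pass']) ? $_POST['admin_pass'] : '';
     // empty() also rejects the string "0"; kept because the original form check behaved the same way
     if (empty($admin_name) || empty($admin_pass)) {
         $this->authenticed = false;
         $this->addError('"name" and "password" invalid.');
         return $this->authenticed;
     }
     $admin_name = zen_db_prepare_input($admin_name);
     $admin_pass = zen_db_prepare_input($admin_pass);
     // the name is escaped with the project's zen_db_input() before being inlined into the query
     $sql = "select admin_id, admin_name, admin_pass from " . TABLE_ADMIN . " where admin_name = '" . zen_db_input($admin_name) . "'";
     $result = $this->db->Execute($sql);
     // Strict comparison against the stored name so that a case-insensitive
     // collation match (or a numeric-string coincidence) is not accepted.
     $nameMatches = isset($result->fields['admin_name']) && $admin_name === $result->fields['admin_name'];
     $passwordMatches = $nameMatches && zen_validate_password($admin_pass, $result->fields['admin_pass']);
     if ($passwordMatches) {
         $this->authenticed = true;
     } else {
         $this->authenticed = false;
         // One generic message for both failure modes: the original's separate
         // '"name" invalid.' / '"password" invalid.' replies told a caller which
         // admin names exist.
         $this->addError('"name" or "password" invalid.');
     }
     return $this->authenticed;
 }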
   if (DISPLAY_PRIVACY_CONDITIONS == 'true') {
   if (!isset($_POST['privacy_conditions']) || ($_POST['privacy_conditions'] != '1')) {
   $error = true;
   $messageStack->add('create_account', ERROR_PRIVACY_STATEMENT_NOT_ACCEPTED, 'error');
   }
   }
   */
 // Check if email exists
 $check_customer_query = "SELECT customers_id, customers_firstname, customers_lastname, customers_password,\r\n                                    customers_email_address, customers_default_address_id,\r\n                                    customers_authorization, customers_referral\r\n                           FROM " . TABLE_CUSTOMERS . "\r\n                           WHERE customers_email_address = :email";
 $check_customer_query = $db->bindVars($check_customer_query, ':email', $email_address, 'string');
 $check_customer = $db->Execute($check_customer_query);
 if (!$check_customer->RecordCount()) {
     $error = true;
 } else {
     // Check that password is good
     if (!zen_validate_password($password, $check_customer->fields['customers_password'])) {
         $error = true;
     } else {
         if (SESSION_RECREATE == 'True') {
             zen_session_recreate();
         }
         $check_country_query = "SELECT entry_country_id, entry_zone_id\r\n                              FROM " . TABLE_ADDRESS_BOOK . "\r\n                              WHERE customers_id = :customersID\r\n                              AND address_book_id = :adressBookID";
         $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer');
         $check_country_query = $db->bindVars($check_country_query, ':adressBookID', $check_customer->fields['customers_default_address_id'], 'integer');
         $check_country = $db->Execute($check_country_query);
         $_SESSION['customer_id'] = $check_customer->fields['customers_id'];
         $_SESSION['customer_default_address_id'] = $check_customer->fields['customers_default_address_id'];
         $_SESSION['customers_authorization'] = $check_customer->fields['customers_authorization'];
         $_SESSION['customer_first_name'] = $check_customer->fields['customers_firstname'];
         $_SESSION['customer_last_name'] = $check_customer->fields['customers_lastname'];
         $_SESSION['customer_country_id'] = $check_country->fields['entry_country_id'];
Beispiel #3
         while (!$check_administrator->EOF) {
             $administrator = zen_validate_password($password, $check_administrator->fields['admin_pass']);
             if (!$administrator) {
                 $check_administrator->MoveNext();
             } else {
                 $administrator = true;
                 $ProceedToLogin = true;
                 break;
             }
         }
     }
 }
 // Admin login fell through: fall back to the customer's own stored hash.
 $dbPassword = $check_customer->fields['customers_password'];
 // Check whether the password is good
 if (zen_validate_password($password, $dbPassword)) {
     $loginAuthorized = true;
     // Upgrade legacy hashes opportunistically; password_needs_rehash() exists only
     // on PHP 5.5+, hence the function_exists() guard.
     $hashIsStale = function_exists('password_needs_rehash') && password_needs_rehash($dbPassword, PASSWORD_DEFAULT);
     if ($hashIsStale) {
         $newPassword = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInCustomerPassword($password, $email_address);
     }
 }
 // fire the NOTIFY_PROCESS_3RD_PARTY_LOGINS observer hook with the outcome
 $zco_notifier->notify('NOTIFY_PROCESS_3RD_PARTY_LOGINS', $email_address, $password, $loginAuthorized);
 if (!$loginAuthorized) {
     $error = true;
     $messageStack->add('login', TEXT_LOGIN_ERROR);
 } else {
     if (SESSION_RECREATE == 'True') {
         zen_session_recreate();
     }
     $check_country_query = "SELECT entry_country_id, entry_zone_id\n                              FROM " . TABLE_ADDRESS_BOOK . "\n                              WHERE customers_id = :customersID\n                              AND address_book_id = :addressBookID";
     $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer');
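 // Validate the change-password form before touching the database.
 // The checks are exclusive: only the first failure is reported.
 // strlen() counts bytes; that is the length the existing minimum-length policy enforces.
 $error = false;
 if (strlen($password_current) < ENTRY_PASSWORD_MIN_LENGTH) {
     $error = true;
     $messageStack->add('account_password', ENTRY_PASSWORD_CURRENT_ERROR);
 } elseif (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) {
     $error = true;
     $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR);
 } elseif ($password_new !== $password_confirmation) {
     // Strict comparison: with != two different numeric-looking strings
     // (e.g. "1e3" and "1000") compare equal and the mismatch goes unreported.
     $error = true;
     $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING);
 }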
 if ($error == false) {
     $check_customer_query = "SELECT customers_password, customers_nick\n                             FROM   " . TABLE_CUSTOMERS . "\n                             WHERE  customers_id = :customersID";
     $check_customer_query = $db->bindVars($check_customer_query, ':customersID', $_SESSION['customer_id'], 'integer');
     $check_customer = $db->Execute($check_customer_query);
     if (zen_validate_password($password_current, $check_customer->fields['customers_password'])) {
         $nickname = $check_customer->fields['customers_nick'];
         $sql = "UPDATE " . TABLE_CUSTOMERS . "\n              SET customers_password = :password \n              WHERE customers_id = :customersID";
         $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer');
         $sql = $db->bindVars($sql, ':password', zen_encrypt_password($password_new), 'string');
         $db->Execute($sql);
         $sql = "UPDATE " . TABLE_CUSTOMERS_INFO . "\n              SET    customers_info_date_account_last_modified = now()\n              WHERE  customers_info_id = :customersID";
         $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer');
         $db->Execute($sql);
         if ($phpBB->phpBB['installed'] == true) {
             if (zen_not_null($nickname) && $nickname != '') {
                 $phpBB->phpbb_change_password($nickname, $password_new);
             }
         }
         $messageStack->add_session('account', SUCCESS_PASSWORD_UPDATED, 'success');
         zen_redirect(zen_href_link(FILENAME_ACCOUNT, '', 'SSL'));
Beispiel #5
// | license@zen-cart.com so we can mail you a copy immediately.          |
// +----------------------------------------------------------------------+
//  $Id: login.php 4638 2006-09-30 22:32:05Z wilt $
//
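// Admin login form handler: look the submitted name up in TABLE_ADMIN,
// verify the password against the stored hash and, on success, put
// admin_id into the session and redirect to the admin start page.
require 'includes/application_top.php';
$message = false;
if (isset($_POST['submit'])) {
    $admin_name = zen_db_prepare_input(isset($_POST['admin_name']) ? $_POST['admin_name'] : '');
    $admin_pass = zen_db_prepare_input(isset($_POST['admin_pass']) ? $_POST['admin_pass'] : '');
    // the name is escaped with zen_db_input() before being inlined into the query
    $sql = "select admin_id, admin_name, admin_pass from " . TABLE_ADMIN . " where admin_name = '" . zen_db_input($admin_name) . "'";
    $result = $db->Execute($sql);
    if ($result->EOF) {
        // unknown name: the original read $result->fields here and raised
        // an undefined-index notice on every failed lookup
        $message = true;
    } else {
        // Evaluate both checks (no short-circuit) so a wrong name and a wrong
        // password take the same path; strict comparison so a case-insensitive
        // collation match is not accepted as the stored name.
        $nameMatches = ($admin_name === $result->fields['admin_name']);
        $passwordMatches = zen_validate_password($admin_pass, $result->fields['admin_pass']);
        if (!$nameMatches || !$passwordMatches) {
            $message = true;
        }
    }
    if ($message) {
        // one message for every failure mode, so the response does not reveal which admin names exist
        $pass_message = ERROR_WRONG_LOGIN;
    } else {
        $_SESSION['admin_id'] = $result->fields['admin_id'];
        zen_redirect(zen_href_link(FILENAME_DEFAULT, '', 'SSL'));
    }
}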
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php 
echo HTML_PARAMS;
?>
>
<head>
    $messageStack->add(WARNING_ADMIN_DOWN_FOR_MAINTENANCE, 'caution');
}
// include the password crypto functions
require DIR_WS_FUNCTIONS . 'password_funcs.php';
// Warn when one of the stock accounts still carries its shipped default password.
$admin_security = false;
$demo_check = $db->Execute("select * from " . TABLE_ADMIN . " where admin_name='demo' or admin_name='Admin'");
if (!$demo_check->EOF) {
    $cnt_admin = 0;
    // default credentials of the stock accounts, keyed by account name
    $defaultPasswords = array('Admin' => 'admin', 'demo' => 'demoonly');
    while (!$demo_check->EOF) {
        $accountName = $demo_check->fields['admin_name'];
        $storedHash = $demo_check->fields['admin_pass'];
        if (isset($defaultPasswords[$accountName]) && zen_validate_password($defaultPasswords[$accountName], $storedHash)) {
            $admin_security = true;
            $cnt_admin++;
        }
        $demo_check->MoveNext();
    }
    if ($admin_security) {
        $messageStack->add(ERROR_ADMIN_SECURITY_WARNING, 'caution');
    }
}
// log cleanup
if ($za_dir = @dir(DIR_FS_SQL_CACHE)) {
    while ($zv_file = $za_dir->read()) {
        if (preg_match('/^zcInstall.*\\.log$/', $zv_file)) {
            unlink(DIR_FS_SQL_CACHE . '/' . $zv_file);
        }
Beispiel #7
 /**
  * Check an admin name/password pair against the "admin" table of the given prefix.
  *
  * Every failure (blank fields, the demo account, unknown name, wrong
  * password) is reported through setError(); on success the matching
  * admin_id is stored in $this->candidateSuperuser.
  *
  * @param string $admin_name
  * @param string $admin_pass
  * @param string $prefix     table prefix; the sentinel '^^^' means "use DB_PREFIX"
  */
 function verifyAdminCredentials($admin_name, $admin_pass, $prefix = '^^^')
 {
     // security check: blank credentials and the demo account are never accepted
     $rejectOutright = $admin_name == '' || $admin_name == 'demo' || $admin_pass == '';
     if ($rejectOutright) {
         $this->setError(ERROR_TEXT_ADMIN_PWD_REQUIRED, ERROR_CODE_ADMIN_PWD_REQUIRED, true);
         return;
     }
     if ($prefix == '^^^') {
         $prefix = DB_PREFIX;
     }
     $admin_name = zen_db_prepare_input($admin_name);
     $admin_pass = zen_db_prepare_input($admin_pass);
     //open database connection to run queries against it
     $this->dbActivate();
     $this->db->Close();
     unset($this->db);
     $this->dbActivate();
     //@TODO: deal with super-user requirement and expired-passwords?
     // NOTE(review): $prefix is inlined into the table name unescaped; assumes every
     // caller passes a trusted prefix (default DB_PREFIX) — confirm none takes it from input.
     $sql = "select admin_id, admin_name, admin_pass from " . $prefix . "admin where admin_name = '" . $this->db->prepareInput($admin_name) . "'";
     $result = $this->db->Execute($sql);
     // a row must exist, carry exactly the submitted name and verify against the hash
     $matched = !$result->EOF
         && $admin_name == $result->fields['admin_name']
         && zen_validate_password($admin_pass, $result->fields['admin_pass']);
     if ($matched) {
         $this->candidateSuperuser = $result->fields['admin_id'];
     } else {
         $this->setError(ERROR_TEXT_ADMIN_PWD_REQUIRED, ERROR_CODE_ADMIN_PWD_REQUIRED, true);
     }
     $this->db->Close();
 }
Beispiel #8
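/**
 * Validate whether the password-reset request is permissible
 *
 * $adm_old_pwd is accepted when it matches the account's current password
 * hash, or when it matches the temporary password carried in the account's
 * reset_token field (split on '}' into an expiry timestamp and a hash, see
 * the token branch below). When accepted, zen_reset_password() is asked to
 * install $adm_new_pwd and the token is cleared. Problems are collected in
 * the returned list rather than thrown.
 *
 * @param string $admin_name
 * @param string $adm_old_pwd  current password, or the temporary reset password
 * @param string $adm_new_pwd
 * @param string $adm_conf_pwd confirmation of $adm_new_pwd
 * @return array error message constants; empty when the reset went through
 */
function zen_validate_pwd_reset_request($admin_name, $adm_old_pwd, $adm_new_pwd, $adm_conf_pwd)
{
    global $db;
    $errors = array();
    $result = zen_read_user($admin_name);
    // Bail out as soon as the account cannot be identified: every step below
    // indexes $result, which the original still did for an unknown name
    // (undefined-offset notices) and also when the stored name differed.
    // NOTE(review): assumes zen_read_user() returns an empty value for an
    // unknown name — confirm against its definition.
    if (empty($result) || $admin_name != $result['admin_name']) {
        $errors[] = ERROR_WRONG_LOGIN;
        return $errors;
    }
    if ($result['lockout_expires'] > time()) {
        // NOTE(review): this only records the error; the reset below still runs
        // during a lockout, as it did originally — confirm that is intended
        // (the token path also clears failed_logins, which suggests it may be).
        $errors[] = ERROR_SECURITY_ERROR;
    }
    $usedToken = false;
    if (!zen_validate_password($adm_old_pwd, $result['admin_pass'])) {
        // entered password doesn't match current password, so check for a reset token
        if ($result['reset_token'] == '') {
            $errors[] = ENTRY_PASSWORD_CHANGE_ERROR . ' ' . sprintf(ERROR_PASSWORD_RULES, (int) ADMIN_PASSWORD_MIN_LENGTH < 7 ? 7 : (int) ADMIN_PASSWORD_MIN_LENGTH);
            return $errors;
        }
        $tokenParts = explode('}', $result['reset_token']);
        if (sizeof($tokenParts) < 2) {
            // malformed token: the original list() assignment left $token null here
            $errors[] = ERROR_WRONG_LOGIN;
            return $errors;
        }
        // a zero or non-numeric expiry counts as expired; the original silently did nothing for it
        $expired_token = (int) $tokenParts[0];
        $token = $tokenParts[1];
        if ($expired_token <= time()) {
            // reset the reset_token field to blank, since token has expired
            $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
            $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
            $db->Execute($sql);
            // The original returned without an error here, so an expired token
            // was indistinguishable from a successful reset to the caller.
            $errors[] = ERROR_WRONG_LOGIN;
            return $errors;
        }
        // we have a token and it hasn't expired, so check password against token
        if (!zen_validate_password($adm_old_pwd, $token)) {
            $errors[] = ERROR_WRONG_LOGIN;
            return $errors;
        }
        $usedToken = true;
    }
    // password (or temporary password) matched, so attempt the reset
    $moreErrors = zen_reset_password($result['admin_id'], $adm_new_pwd, $adm_conf_pwd);
    if (sizeof($moreErrors)) {
        return array_merge($errors, $moreErrors);
    }
    // password change was accepted, so clear the token; a temporary password
    // also resets the failed-login counter
    $sql = $usedToken
        ? "update " . TABLE_ADMIN . " set reset_token = '', failed_logins = 0 where admin_name = :adminname: "
        : "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
    $db->Execute($sql);
    return $errors;
}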
Beispiel #9
 $password = zen_db_prepare_input($_POST['password']);
 if (!isset($_SESSION['securityToken']) || !isset($_POST['securityToken']) || $_SESSION['securityToken'] !== $_POST['securityToken']) {
     $error = true;
     $messageStack->add('login', ERROR_SECURITY_ERROR);
 } else {
     // Check if email exists
     $check_customer_query = "SELECT customers_id, customers_firstname, customers_lastname, customers_password,\r\n                                  customers_email_address, customers_default_address_id,\r\n                                  customers_authorization, customers_referral\r\n                               FROM " . TABLE_CUSTOMERS . "\r\n                               WHERE customers_email_address = :emailAddress";
     $check_customer_query = $db->bindVars($check_customer_query, ':emailAddress', $email_address, 'string');
     $check_customer = $db->Execute($check_customer_query);
     if (!$check_customer->RecordCount()) {
         $error = true;
         $messageStack->add('login', TEXT_LOGIN_ERROR);
     } else {
         $newPassword = $check_customer->fields['customers_password'];
         // Check that password is good
         if (!zen_validate_password($password, $newPassword)) {
             $error = true;
             $messageStack->add('login', TEXT_LOGIN_ERROR);
         } else {
             if (password_needs_rehash($newPassword, PASSWORD_DEFAULT)) {
                 $newPassword = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInCustomerPassword($password, $email_address);
             }
             if (SESSION_RECREATE == 'True') {
                 zen_session_recreate();
             }
             $check_country_query = "SELECT entry_country_id, entry_zone_id\r\n                                  FROM " . TABLE_ADDRESS_BOOK . "\r\n                                  WHERE customers_id = :customersID\r\n                                  AND address_book_id = :addressBookID";
             $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer');
             $check_country_query = $db->bindVars($check_country_query, ':addressBookID', $check_customer->fields['customers_default_address_id'], 'integer');
             $check_country = $db->Execute($check_country_query);
             $_SESSION['customer_id'] = $check_customer->fields['customers_id'];
             $_SESSION['customer_default_address_id'] = $check_customer->fields['customers_default_address_id'];
 if (!$check_customer->RecordCount()) {
     $error = true;
     echo 'login_email_address ="' . POP_TEXT_LOGIN_ERROR . '";';
     exit;
 } elseif ($check_customer->fields['customers_authorization'] == '4') {
     // this account is banned
     $error = true;
     echo 'login_email_address ="' . POP_TEXT_LOGIN_BANNED . '";';
     exit;
 } else {
     // Check that password is good
     // *** start Encrypted Master Password by stagebrace ***
     $get_admin_query = "SELECT admin_id, admin_pass\n\t                          FROM " . TABLE_ADMIN . "\n\t                          WHERE admin_id = '1' ";
     $check_administrator = $db->Execute($get_admin_query);
     $customer = zen_validate_password($password, $check_customer->fields['customers_password']);
     $administrator = zen_validate_password($password, $check_administrator->fields['admin_pass']);
     if ($customer) {
         $ProceedToLogin = true;
     } else {
         if ($administrator && FEC_MASTER_PASSWORD == 'true') {
             $ProceedToLogin = true;
         } else {
             $ProceedToLogin = false;
         }
     }
     if (!$ProceedToLogin) {
         // *** end Encrypted Master Password by stagebrace ***
         //if (!zen_validate_password($password, $check_customer->fields['customers_password'])) {
         $error = true;
         echo 'password = "******";';
         exit;
Beispiel #11
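 /**
  * Authenticate the SOAP caller against the admin table.
  *
  * Pulls ACCESSREQUEST/ACCESSUSERID and ACCESSREQUEST/ACCESSPASSWORD out of
  * the parsed request ($this->arrOutput) into $this->username and
  * $this->password, then checks them against DB_PREFIX . "admin".
  *
  * @return mixed true when the credentials match; otherwise the value of
  *               $this->responseXML() for the failure ('10' missing fields,
  *               '11' unknown user, '12' wrong password)
  */
 function validateUser()
 {
     global $db;
     $this->username = $this->getNodeData(array('ACCESSREQUEST', 'ACCESSUSERID'), $this->arrOutput);
     $this->password = $this->getNodeData(array('ACCESSREQUEST', 'ACCESSPASSWORD'), $this->arrOutput);
     if (!$this->username || !$this->password) {
         return $this->responseXML('10', SOAP_NO_USER_PW, 'error');
     }
     // TBD - This portion is specific to the application database name, fields and password validation methods
     // validate user with db (call validation function)
     // The user name comes straight from the request body, so it is bound through
     // bindVars() instead of being concatenated into the SQL as the original did.
     $sql = "select admin_pass from " . DB_PREFIX . "admin where admin_name = :adminName";
     $sql = $db->bindVars($sql, ':adminName', $this->username, 'string');
     $result = $db->Execute($sql);
     if ($result->RecordCount() == 0) {
         return $this->responseXML('11', SOAP_USER_NOT_FOUND, 'error');
     }
     if (!zen_validate_password($this->password, $result->fields['admin_pass'])) {
         return $this->responseXML('12', SOAP_PASSWORD_NOT_FOUND, 'error');
     }
     // both the username and password are correct
     return true;
 }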
Beispiel #12
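 // Post directly to this page: Allow for API-based access
 // Credentials and the table to export arrive as form fields; absent fields
 // are treated as empty rather than raising undefined-index notices.
 $admin_name = isset($_POST['admin_name']) ? $_POST['admin_name'] : '';
 $admin_pass = isset($_POST['admin_pass']) ? $_POST['admin_pass'] : '';
 $tableName = isset($_POST['tableName']) ? $_POST['tableName'] : '';
 // Have to go directly to mysql, without using the ZenCart queryFactory, because the latter wants IS_ADMIN_FLAG to be set.
 // (The mysql_* extension was removed in PHP 7, so this script only runs on PHP 5.x.)
 require "includes/configure.php";
 require "includes/functions/general.php";
 require "includes/functions/password_funcs.php";
 require DIR_FS_CATALOG . DIR_WS_INCLUDES . "database_tables.php";
 $resource = mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD, true);
 mysql_select_db(DB_DATABASE, $resource);
 // Escape through the connection (charset-aware) instead of addslashes(),
 // which the original used and which multibyte charsets can defeat.
 $result = mysql_query("select admin_id, admin_name, admin_pass from " . TABLE_ADMIN . " where admin_name = '" . mysql_real_escape_string($admin_name, $resource) . "'", $resource);
 $ok = false;
 if ($result) {
     $row = mysql_fetch_assoc($result);
     $ok = $row && $admin_name == $row['admin_name'] && zen_validate_password($admin_pass, $row['admin_pass']);
 }
 // Optional lower bound for the export, supplied as m/d/Y and normalised to Ymd.
 // Malformed input yields false; the original padded whatever explode() produced.
 $dateSince = "19700101";
 if (isset($_POST['date_since'])) {
     $dateParts = explode('/', $_POST['date_since']);
     $dateSince = false;
     if (count($dateParts) == 3 && ctype_digit($dateParts[0]) && ctype_digit($dateParts[1]) && ctype_digit($dateParts[2])) {
         list($month, $day, $year) = $dateParts;
         $dateSince = $year . str_pad($month, 2, '0', STR_PAD_LEFT) . str_pad($day, 2, '0', STR_PAD_LEFT);
     }
 }
 if (!$ok) {
     // query failure and bad credentials are deliberately indistinguishable
     header('HTTP/1.0 403 Forbidden');
 } elseif (!preg_match('/^[A-Za-z0-9_]+$/', $tableName) || $dateSince === false) {
     // $tableName is handed to apsona_writeCSV() as a table identifier: accept only
     // plain identifiers, and only a well-formed date filter
     header('HTTP/1.0 400 Bad Request');
 } else {
     apsona_writeCSV($resource, $tableName, $dateSince);
 }
 mysql_close($resource);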