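/**
 * Password-recovery step of the recover form.
 *
 * Reads the globals $hasError (messages shown to the user, appended to on
 * failure) and $data (the submitted form; key 'Email'). When the address
 * belongs to a non-banned account a new password is generated, its hash is
 * stored and the password is mailed to the address, after which the request
 * is redirected to login.php and the script exits. Otherwise a message is
 * appended to $hasError and the function returns.
 */
function do_register()
{
    global $hasError, $data;

    // The captcha is settled before the account lookup. Looking the address up
    // first would confirm whether it is registered even on a failed captcha,
    // which is exactly the enumeration the captcha exists to block.
    validar_captcha($hasError);
    if (!empty($hasError)) {
        return;
    }

    $user_email = isset($data['Email']) ? (string) $data['Email'] : '';
    // The split below needs exactly one '@'; anything else cannot be an address
    // we hold (stricter validation was noted as pending by the author).
    if (substr_count($user_email, '@') !== 1) {
        $hasError[] = "El correo electrónico introducido no es válido.";
        return;
    }
    list($localPart, $domain) = explode('@', $user_email, 2);

    // user+extension@domain shares the account of user@domain, so both
    // spellings are matched against the stored address.
    $plusParts = explode('+', $localPart);
    $baseLocal = $plusParts[0];

    // The values end up inside the SQL text, so they are escaped for the driver;
    // the parts used in the LIKE pattern also get their wildcards escaped so
    // that user-supplied '%' or '_' match literally.
    $exactSql = mysql_real_escape_string($baseLocal . '@' . $domain);
    $baseLikeSql = addcslashes(mysql_real_escape_string($baseLocal), '%_');
    $domainLikeSql = addcslashes(mysql_real_escape_string($domain), '%_');

    $rs_check = mysql_query(
        "select `id` from users where (user_email = '{$exactSql}' or user_email LIKE '{$baseLikeSql}+%@{$domainLikeSql}') AND banned=0 limit 1"
    ) or die(mysql_error()); // NOTE(review): echoes the raw driver error to the browser; logging it server-side would be safer

    if (mysql_num_rows($rs_check) <= 0) {
        $hasError[] = "El correo electrónico introducido no está registrado o la cuenta está anulada.";
        return;
    }

    list($id) = mysql_fetch_row($rs_check);
    // The new password is generated server-side; only its hash is stored.
    $new_pwd = GenKey();
    $pwd_reset = PwdHash($new_pwd);
    $pwdSql = mysql_real_escape_string($pwd_reset);
    $idSql = mysql_real_escape_string((string) $id);
    mysql_query("update users set pwd='{$pwdSql}' WHERE id='{$idSql}'") or die(mysql_error());

    // NOTE(review): the password itself travels by e-mail in clear text; a
    // single-use, expiring reset link would avoid that (enviar_correo_recover's
    // contract is outside this listing).
    enviar_correo_recover($user_email, $new_pwd);
    $_SESSION['hasSuccessRecover'] = "Te hemos enviado un mensaje a {$user_email} con tu nueva contraseña.";
    $_SESSION['hasInfoRecover'] = "Si no recibes el correo en unos instantes revisa también en la carpeta de spam.";
    header("Location: login.php");
    exit;
}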
} //check against salt if ($pwd === PwdHash($pass, substr($pwd, 0, 9))) { if (empty($err)) { // this sets session and logs user in session_start(); session_regenerate_id(true); //prevent against session fixation attacks. // this sets variables in the session $_SESSION['user_id'] = $id; $_SESSION['user_name'] = $user_name; $_SESSION['user_level'] = $user_level; $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); //update the timestamp and key for cookie $stamp = time(); $ckey = GenKey(); $sid = sha1('occasions2011' . session_id()); mysql_query("UPDATE {$const['TBL_USERS']} SET ctime='{$stamp}', ckey='{$ckey}', sid='{$sid}' WHERE id='{$id}'") or die(mysql_error()); //set a cookie if (isset($_POST['remember'])) { setcookie("user_id", $_SESSION['user_id'], time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/"); setcookie("user_key", sha1($ckey), time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/"); setcookie("user_name", $_SESSION['user_name'], time() + 60 * 60 * 24 * COOKIE_TIME_OUT, "/"); } header("Location: " . PAGE_HOME); } } else { $err[] = "Invalid Login. Please try again with the correct user email and password."; } } else { $err[] = "Error - Invalid login. No such user exists";
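/**
 * JSON login endpoint.
 *
 * Reads 'user_email' (an e-mail address, or a user name when it contains no
 * '@') and 'pass' from $_POST and checks the password against the stored
 * salted hash. On success the session is (re)started and populated, the
 * remember-me key is refreshed and the matching user rows (id, full_name,
 * user_level, user_email) are echoed as JSON. On failure a JSON object with
 * errorCode 1 (no such user), 2 (wrong password) or 3 (not approved) is
 * echoed; code 3 also exits.
 *
 * Uses the global mysqli connection $link.
 */
function login()
{
    global $link;

    $user_email = isset($_POST['user_email']) ? (string) $_POST['user_email'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    $msg = array();

    // Without an '@' the value is matched against the user name instead. The
    // column name is fixed here; the value is escaped because it is placed
    // inside the SQL text (a bound parameter would be the more robust form,
    // but returns native column types, which the JSON consumers may not expect).
    $column = (strpos($user_email, '@') === false) ? 'user_name' : 'user_email';
    $valueSql = mysqli_real_escape_string($link, $user_email);
    $user_cond = "`{$column}`='{$valueSql}'";

    $result = mysqli_query(
        $link,
        "SELECT `id`,`pwd`,`full_name`,`approved`,`user_level`,`user_email` FROM users WHERE {$user_cond} AND `banned` = '0'"
    );
    if ($result === false) {
        die(mysqli_error($link)); // NOTE(review): exposes the driver error to the client
    }

    // One query serves both the credential check (first row) and the JSON
    // payload (every matching row, public columns only).
    $rows = array();
    while ($row = mysqli_fetch_assoc($result)) {
        $rows[] = $row;
    }
    mysqli_free_result($result);

    if (count($rows) === 0) {
        $msg['errorCode'] = 1;
        echo json_encode($msg);
        return;
    }

    $user = array();
    foreach ($rows as $row) {
        $user[] = array(
            'id' => $row['id'],
            'full_name' => $row['full_name'],
            'user_level' => $row['user_level'],
            'user_email' => $row['user_email'],
        );
    }
    $account = $rows[0];

    if (!$account['approved']) {
        $msg['errorCode'] = 3;
        echo json_encode($msg);
        exit;
    }

    // The first 9 characters of the stored hash are its salt.
    $pwd = $account['pwd'];
    if ($pwd !== PwdHash($pass, substr($pwd, 0, 9))) {
        $msg['errorCode'] = 2;
        echo json_encode($msg);
        return;
    }

    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true); // a fresh id on login defeats session fixation

    $_SESSION['user_id'] = $account['id'];
    $_SESSION['user_email'] = $account['user_email'];
    $_SESSION['user_name'] = $account['full_name'];
    $_SESSION['user_level'] = $account['user_level'];
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Refresh the remember-me key; the cookie only ever carries its sha1.
    $stamp = time();
    $ckey = GenKey();
    $ckeySql = mysqli_real_escape_string($link, $ckey);
    $idSql = mysqli_real_escape_string($link, (string) $account['id']);
    mysqli_query($link, "update users set `ctime`='{$stamp}', `ckey` = '{$ckeySql}' where id='{$idSql}'") or die(mysqli_error($link));

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        // NOTE(review): user_id/user_level cookies are client-controlled; whatever
        // restores a session from them must validate user_key against the
        // database rather than trust those values.
        setcookie("user_id", $_SESSION['user_id'], $expires, "/");
        // httponly keeps the login key out of reach of scripts on the page.
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/");
        setcookie("user_email", $_SESSION['user_email'], $expires, "/");
        setcookie("user_level", $_SESSION['user_level'], $expires, "/");
    }
    echo json_encode($user);
}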
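/**
 * Form login handler (expects POST with doLogin=Login, usr_email and pwd).
 *
 * The user is looked up by e-mail address, or by user name when the value
 * contains no '@'. On a correct password for an approved account the session
 * is started and populated, the remember-me key refreshed and the request
 * redirected to myaccount.php, after which the script exits. Error messages
 * are collected and returned (the original kept them in a local that was
 * discarded); an empty list means no login attempt was made, or the account
 * is not yet activated with a correct password.
 *
 * @return array<int, string> error messages
 */
function login()
{
    include 'datalink.php';
    $err = array();

    if (!isset($_POST['doLogin']) || $_POST['doLogin'] !== 'Login') {
        return $err;
    }

    // filter() is the project's input filter. It is applied to the password as
    // well, as in the original — registration presumably hashed the filtered
    // value too, so this cannot be changed on its own (confirm before touching).
    $user_email = isset($_POST['usr_email']) ? filter($_POST['usr_email']) : '';
    $pass = isset($_POST['pwd']) ? filter($_POST['pwd']) : '';

    // filter() is not SQL escaping: the value is placed inside the query text,
    // so it is escaped for the driver here. The column name is fixed.
    $column = (strpos($user_email, '@') === false) ? 'user_name' : 'user_email';
    $valueSql = mysql_real_escape_string($user_email);

    $result = mysql_query("SELECT `id`,`pwd`,`full_name`,`approved`,`user_level` FROM users WHERE `{$column}`='{$valueSql}' AND `banned` = '0' ") or die(mysql_error());
    if (mysql_num_rows($result) <= 0) {
        $err[] = "Error - Invalid login. No such user exists";
        return $err;
    }

    list($id, $pwd, $full_name, $approved, $user_level) = mysql_fetch_row($result);
    if (!$approved) {
        // Recorded but not returned yet: a wrong password still produces the
        // generic message below, as before.
        $err[] = "Account not activated. Please check your email for activation code";
    }

    // The first 9 characters of the stored hash are its salt.
    if ($pwd !== PwdHash($pass, substr($pwd, 0, 9))) {
        $err[] = "Invalid Login. Please try again with correct user email and password.";
        return $err;
    }
    if (!empty($err)) {
        return $err;
    }

    session_start();
    session_regenerate_id(true); // a fresh id on login defeats session fixation
    $_SESSION['user_id'] = $id;
    $_SESSION['user_name'] = $full_name;
    $_SESSION['user_level'] = $user_level;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Refresh the remember-me key; the cookie only ever carries its sha1.
    $stamp = time();
    $ckey = GenKey();
    $ckeySql = mysql_real_escape_string($ckey);
    $idSql = mysql_real_escape_string((string) $id);
    mysql_query("update users set `ctime`='{$stamp}', `ckey` = '{$ckeySql}' where id='{$idSql}'") or die(mysql_error());

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        setcookie("user_id", $_SESSION['user_id'], $expires, "/");
        // httponly keeps the login key out of reach of scripts on the page.
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/");
    }
    header("Location: myaccount.php");
    // Stop here so nothing intended for a logged-out page is still rendered
    // after the redirect header (the sibling handlers in this file do the same).
    exit;
}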
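/**
 * AJAX login check. Reads 'username' and 'password' from $_POST, compares the
 * password with the stored salted hash and echoes a plain-text result: "true"
 * on success (after starting the session and refreshing the remember-me key),
 * otherwise "Wrong Username", "Wrong Password" or the account-not-verified
 * message. Every path closes the connection it opened.
 *
 * Uses the global connection settings $mysql_hostname, $mysql_username,
 * $mysql_password and $mysql_dbname.
 */
function check()
{
    global $mysql_hostname, $mysql_username, $mysql_password, $mysql_dbname;

    $username = isset($_POST['username']) ? (string) $_POST['username'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';

    // Kept from the original: both values are HTML-encoded and backslash-
    // stripped before use. Neither is SQL escaping (stripslashes removes
    // escaping), and both alter the password before it is hashed, so they can
    // only be changed together with the registration path.
    $username = htmlentities($username);
    $password = htmlentities($password);
    $username = stripslashes($username);
    $password = stripslashes($password);

    $conn = mysql_connect($mysql_hostname, $mysql_username, $mysql_password);
    if (!$conn) {
        die('Could not connect: ' . mysql_error()); // NOTE(review): exposes the driver error to the client
    }
    mysql_select_db($mysql_dbname);

    // NOTE(review): the user-name literal in both queries appears redacted in
    // the listing this was taken from; the surrounding comments refer to
    // $username, which is used here, escaped for the driver.
    $usernameSql = mysql_real_escape_string($username, $conn);
    $result = mysql_query("SELECT * FROM users WHERE username='{$usernameSql}'", $conn);
    // A failed query counts as no match rather than warning on a false result.
    $count = $result ? mysql_num_rows($result) : 0;

    if ($count !== 1) {
        mysql_close($conn);
        echo "Wrong Username"; // NOTE(review): distinct messages let a caller tell valid names from invalid ones
        return;
    }

    $ret = mysql_fetch_array($result, MYSQL_ASSOC);
    $pwd = $ret['password'];
    // Strict comparison: the first 9 characters of the hash are its salt, and a
    // loose == between hash strings can treat numeric-looking values as equal.
    if ($pwd !== PwdHash($password, substr($pwd, 0, 9))) {
        mysql_close($conn);
        echo "Wrong Password";
        return;
    }
    if (!$ret['flag']) {
        mysql_close($conn);
        echo "Account not verified.Please check your email for verification link";
        die;
    }

    session_start();
    session_regenerate_id(true); // a fresh id on login defeats session fixation
    $_SESSION['username'] = $username;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Refresh the remember-me key; the cookie only ever carries its sha1.
    $stamp = time();
    $ckey = GenKey();
    $ckeySql = mysql_real_escape_string($ckey, $conn);
    $upd_qry = "UPDATE users SET ctime={$stamp},ckey='{$ckeySql}' WHERE username='{$usernameSql}'";
    mysql_query($upd_qry, $conn);

    if (isset($_POST['remember']) && $_POST['remember'] === "true") {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        setcookie("username", $_SESSION['username'], $expires, "/");
        // httponly keeps the login key out of reach of scripts on the page.
        setcookie("userkey", sha1($ckey), $expires, "/", "", false, true);
    }
    mysql_close($conn);
    echo "true";
    die;
}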
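/**
 * Login step of the combined register/login form.
 *
 * Reads the globals $hasError (messages for the user, appended to on
 * failure), $data (submitted form: 'UserNameEmail' and 'Password') and
 * $mostrar_captcha (whether a captcha must be solved first). The account is
 * looked up by user name, or by e-mail address when the value contains an
 * '@' (user+extension@domain shares the account of user@domain). On a
 * correct password for an approved, non-banned account the session is
 * populated, the remember-me key refreshed and the request redirected to
 * myaccount.php, after which the script exits. The session is assumed to be
 * started by the including page — session_regenerate_id() is called without
 * session_start() here.
 */
function do_register()
{
    global $hasError, $data, $mostrar_captcha;

    if ($mostrar_captcha) {
        // A failed captcha stops everything here: continuing to the credential
        // check would let a bot brute-force user/password pairs.
        if (!validar_captcha($hasError)) {
            return;
        }
    }

    $user_email = isset($data['UserNameEmail']) ? (string) $data['UserNameEmail'] : '';
    $pass = isset($data['Password']) ? (string) $data['Password'] : '';

    // Everything placed inside the SQL text is escaped for the driver; the
    // parts used in the LIKE pattern also get their wildcards escaped so that
    // user-supplied '%' or '_' match literally.
    if (strpos($user_email, '@') === false) {
        $user_cond = "user_name='" . mysql_real_escape_string($user_email) . "'";
    } else {
        $parts = explode('@', $user_email);
        $plusParts = explode('+', $parts[0]);
        $baseLocal = $plusParts[0];
        $domain = $parts[1];
        $exactSql = mysql_real_escape_string($baseLocal . '@' . $domain);
        $baseLikeSql = addcslashes(mysql_real_escape_string($baseLocal), '%_');
        $domainLikeSql = addcslashes(mysql_real_escape_string($domain), '%_');
        $user_cond = "(user_email='{$exactSql}' or user_email LIKE '{$baseLikeSql}+%@{$domainLikeSql}')";
    }

    $result = mysql_query("SELECT `id`,`pwd`,`user_name`,`approved`,`banned`,`user_level` FROM users WHERE {$user_cond} limit 1") or die(mysql_error());
    if (mysql_num_rows($result) <= 0) {
        $hasError[] = "Usuario o correo electrónico inexistente.";
        return;
    }

    list($id, $pwd, $user_name, $approved, $banned, $user_level) = mysql_fetch_row($result);
    if ($banned) {
        $hasError[] = "Cuenta anulada.";
        return;
    }
    if (!$approved) {
        $hasError[] = "Cuenta registrada pero aún no activada. Revisa tu buzón de correo y sigue el enlace que allí aparece.";
        return;
    }

    // The first 9 characters of the stored hash are its salt.
    if ($pwd !== PwdHash($pass, substr($pwd, 0, 9))) {
        $hasError[] = "Contraseña incorrecta. Vuelve a intentarlo.";
        return;
    }

    log_insert("login_ok", $id, $id);
    session_regenerate_id(true); // a fresh id on login defeats session fixation

    $_SESSION['user_id'] = $id;
    $_SESSION['user_name'] = $user_name;
    $_SESSION['user_level'] = $user_level;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

    // Refresh the remember-me key; the cookie only ever carries its sha1.
    $stamp = time();
    $ckey = GenKey();
    $ckeySql = mysql_real_escape_string($ckey);
    $idSql = mysql_real_escape_string((string) $id);
    mysql_query("update users set `ctime`='{$stamp}', `ckey` = '{$ckeySql}' where id='{$idSql}'") or die(mysql_error());

    if (isset($_POST['remember'])) {
        $expires = time() + 60 * 60 * 24 * COOKIE_TIME_OUT;
        setcookie("user_id", $_SESSION['user_id'], $expires, "/");
        // httponly keeps the login key out of reach of scripts on the page.
        setcookie("user_key", sha1($ckey), $expires, "/", "", false, true);
        setcookie("user_name", $_SESSION['user_name'], $expires, "/");
    }
    header("Location: myaccount.php");
    exit;
}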