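 public function register()
 {
     // Registration page: bounces already-authenticated users, otherwise validates
     // the POSTed form, stores the new member and (re)renders the form views.
     check_if_already_logged_in();
     $data["page"] = "register";
     if (isset($_POST['btnRegister'])) {
         // input key => form field name. Every field now defaults to "" when the
         // form omits it; the original guarded only 'gender', so any other missing
         // field raised an undefined-index notice and handed null to verify_data().
         $fields = array(
             "username" => 'username',
             "password" => 'password',
             "confirmpass" => 'password_confirm',
             "firstname" => 'firstname',
             "middlename" => 'middlename',
             "lastname" => 'lastname',
             "email" => 'email',
             "gender" => 'gender',
             "occupation" => 'occupation',
             "otherinfo" => 'otherinfo',
         );
         $input = array();
         foreach ($fields as $key => $field) {
             $input[$key] = isset($_POST[$field]) ? $_POST[$field] : "";
         }
         // verify_data() returns the validation result; only its "count" entry is
         // read here, zero meaning the form is acceptable.
         $data["error"] = verify_data($input);
         if ($data["error"]["count"] == 0) {
             $salt = generate_salt();
             $userdata["username"] = $input["username"];
             // NOTE(review): the key that encrypts the salt is a literal in source.
             // It belongs in configuration outside the code base; rotating it would
             // require re-encrypting every stored salt.
             $userdata["salt"] = encrypt_salt($salt, 'enElpiPUP1516');
             $userdata["password"] = hash_password($input["password"], $salt);
             $userdata["type"] = "member";
             $other = array(
                 "first_name" => $input["firstname"],
                 "middle_name" => $input["middlename"],
                 "last_name" => $input["lastname"],
                 "email" => $input["email"],
                 "gender" => $input["gender"],
                 "occupation" => $input["occupation"],
                 "about" => $input["otherinfo"],
             );
             $this->Users_model->insert($userdata, $other);
             // Stop after issuing the redirect: the original fell through and
             // rendered the whole form again into the body of the 302 response.
             header('Location: register');
             return;
         }
     }
     $this->load->view('templates/header');
     $this->load->view('users/register', $data);
     $this->load->view('templates/footer');
 }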
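function add_user($username, $password, $email)
{
    // Inserts one login_data row for $username. Returns nothing; a failed
    // statement terminates the script with the MySQLi error text, as before.
    global $conn;
    $salt = generate_salt();
    // NOTE(review): a single sha256 over password . salt is a fast hash; the
    // stored format is read by the login path, so it is kept here unchanged.
    $password_hash = hash("sha256", $password . $salt);
    // Bind every value instead of interpolating it into the SQL text: the original
    // string-built INSERT was injectable through username, e-mail and salt alike.
    $stmt = mysqli_prepare($conn, "INSERT INTO login_data (username, password_hash, salt, email) VALUES (?, ?, ?, ?)");
    if ($stmt === false) {
        die(mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, "ssss", $username, $password_hash, $salt, $email);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_close($stmt);
}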
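function user_register($username, $password, $email)
{
    // Creates a users row. No return value; a failed INSERT terminates the
    // script via die(), exactly as the original did.
    $salt = generate_salt();
    // NOTE(review): md5(md5(password) . salt) is a fast, unsalted-inner-round
    // construction; kept only because existing rows are verified in this format.
    $encrypted = md5(md5($password) . $salt);
    // Escape every value before it reaches the SQL text: the original interpolated
    // $username and $email raw, a direct SQL injection point. (ext/mysql itself was
    // removed in PHP 7; this keeps the fix within the API the file already uses.)
    $username_sql = mysql_real_escape_string($username);
    $encrypted_sql = mysql_real_escape_string($encrypted);
    $salt_sql = mysql_real_escape_string($salt);
    $email_sql = mysql_real_escape_string($email);
    $query = "INSERT into users (username, password, salt, email) values ('{$username_sql}', '{$encrypted_sql}', '{$salt_sql}', '{$email_sql}')";
    mysql_query($query) or die('Could not create user.');
}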
function new_user($firstName, $lastName, $email, $password, $userType)
{
    // Builds, persists and returns a user object whose password is stored
    // encrypted with a freshly generated salt.
    $salt = generate_salt();
    $user = create_user_object(
        $firstName,
        $lastName,
        $email,
        encrypt_password($password, $salt),
        $salt,
        $userType
    );
    save_user_object($user);
    return $user;
}
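function password_encrypt($password)
{
    // Returns a bcrypt hash in the "$2y$10$<22-char salt><31-char digest>" form the
    // original assembled by hand for crypt(); crypt() and password_verify() accept
    // it unchanged. password_hash() draws the salt from the CSPRNG itself, so the
    // result no longer depends on generate_salt() returning 22 characters of the
    // bcrypt alphabet — with an unusable salt crypt() returns the short failure
    // string "*0"/"*1", which the original handed back as if it were a hash.
    $cost = 10;
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    if ($hash === false) {
        // Only reachable on internal failure in PHP < 8; never silently store it.
        throw new RuntimeException('password hashing failed');
    }
    return $hash;
}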
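 function convert_data($data)
 {
     // Maps one phpBB 2 user row ($data) onto the columns of the target users table
     // and returns the assoc array to insert. The password is re-hashed with a
     // freshly generated salt; a new loginkey is issued as well.
     $insert_data = array();
     // phpBB 2 values
     $insert_data['usergroup'] = $this->board->get_group_id($data, array("not_multiple" => true));
     $insert_data['additionalgroups'] = str_replace($insert_data['usergroup'], '', $this->board->get_group_id($data));
     $insert_data['displaygroup'] = $this->board->get_group_id($data, array("not_multiple" => true));
     $insert_data['import_usergroup'] = $this->board->get_group_id($data, array("not_multiple" => true, "original" => true));
     $insert_data['import_additionalgroups'] = $this->board->get_group_id($data, array("original" => true));
     $insert_data['import_displaygroup'] = $data['group_id'];
     $insert_data['import_uid'] = $data['user_id'];
     $insert_data['username'] = encode_to_utf8($data['username'], "users", "users");
     $insert_data['email'] = $data['user_email'];
     $insert_data['regdate'] = $data['user_regdate'];
     $insert_data['lastactive'] = $data['user_lastvisit'];
     $insert_data['lastvisit'] = $data['user_lastvisit'];
     $insert_data['website'] = $data['user_website'];
     $insert_data['avatar'] = $data['user_avatar'];
     // avatartype is 'remote' below, so getimagesize() presumably fetches a URL taken
     // from the source database. Only probe when there is a value, and keep the
     // original fallback of '|' when the probe fails instead of reading list() from false.
     $width = '';
     $height = '';
     if ($insert_data['avatar'] != '') {
         $dimensions = @getimagesize($data['user_avatar']);
         if (is_array($dimensions)) {
             $width = $dimensions[0];
             $height = $dimensions[1];
         }
     }
     $insert_data['avatardimensions'] = $width . '|' . $height;
     $insert_data['avatartype'] = ($insert_data['avatar'] == '') ? "" : 'remote';
     $last_post = $this->get_last_post($data['user_id']);
     $insert_data['lastpost'] = intval($last_post['post_time']);
     $insert_data['icq'] = $data['user_icq'];
     $insert_data['aim'] = $data['user_aim'];
     $insert_data['yahoo'] = $data['user_yim'];
     $insert_data['msn'] = $data['user_msnm'];
     $insert_data['hideemail'] = $data['hideEmail'];
     $insert_data['invisible'] = int_to_01($data['user_allow_viewonline']);
     // Fixed: the original assigned to a misspelled $insert_datar, so allownotices
     // was silently dropped from the returned row.
     $insert_data['allownotices'] = $data['user_notify'];
     // Fixed: the original wrote "$subscription_method == 2;" (a comparison, not an
     // assignment), leaving the variable undefined whenever user_notify was 1.
     $subscription_method = ($data['user_notify'] == 1) ? 2 : 0;
     $insert_data['subscriptionmethod'] = $subscription_method;
     $insert_data['receivepms'] = $data['user_allow_pm'];
     $insert_data['pmnotice'] = $data['user_popup_pm'];
     $insert_data['pmnotify'] = $data['pm_email_notify'];
     $insert_data['showsigs'] = $data['user_attachsig'];
     $insert_data['showavatars'] = $data['user_allowavatar'];
     $insert_data['timeformat'] = $data['user_dateformat'];
     $insert_data['timezone'] = $data['user_timezone'];
     // regip is taken from the user's last post; presumably the source schema keeps
     // no registration IP — verify against the phpBB 2 users table.
     $insert_data['regip'] = $last_post['poster_ip'];
     $insert_data['totalpms'] = $this->get_private_messages($data['user_id']);
     $insert_data['unreadpms'] = $data['user_unread_privmsg'];
     $insert_data['salt'] = generate_salt();
     $insert_data['signature'] = encode_to_utf8(str_replace(':' . $data['user_sig_bbcode_uid'], '', utf8_unhtmlentities($data['user_sig'])), "users", "users");
     // The imported value is the source hash; salt_password() wraps it with the new salt.
     $insert_data['password'] = salt_password($data['user_password'], $insert_data['salt']);
     $insert_data['loginkey'] = generate_loginkey();
     return $insert_data;
 }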
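function password_encrypt($password)
{
    // Bcrypt ("$2y$") at cost 10 — the format the original assembled from
    // "$2y$10$" plus a 22-character generate_salt() value and fed to crypt().
    // password_hash() produces the same 60-character string but takes the salt from
    // the CSPRNG, removing the dependency on generate_salt() returning characters of
    // the bcrypt alphabet; crypt() silently returns "*0" for an unusable salt and the
    // original returned that string as the "hash".
    $options = array('cost' => 10);
    $hashed_password = password_hash($password, PASSWORD_BCRYPT, $options);
    if (!is_string($hashed_password)) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hashed_password;
}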
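function password_encrypt($password)
{
    // Blowfish/bcrypt hash. The original concatenated "$2a$05$" with generate_salt()
    // and called crypt(); password_hash() emits the equivalent "$2y$05$..." string
    // ("$2y$" is the corrected identifier for "$2a$" and verifies the same way through
    // crypt() or password_verify()) and draws the 22-character salt from the CSPRNG
    // instead of relying on generate_salt() producing bcrypt-alphabet characters.
    // NOTE(review): cost 5 is preserved so stored hashes stay what callers expect,
    // but it is far below the current default of 10 and should be raised project-wide.
    $cost = 5;
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    if ($hash === false) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}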
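function user_register($username, $password, $email, $youtubeUserName)
{
    // Creates a user row including the referral code kept in the session.
    // No return value; a failed INSERT terminates the script via die() as before.
    // Get a salt using our function
    $salt = generate_salt();
    // Now encrypt the password using that salt
    // NOTE(review): md5(md5(password) . salt) is a fast construction; kept because
    // existing rows are verified in this format elsewhere.
    $encrypted = md5(md5($password) . $salt);
    // The referral code lives in the session; default to '' rather than raising a notice.
    $ref = isset($_SESSION['ref']) ? $_SESSION['ref'] : '';
    // Escape each value: the original interpolated caller- and session-supplied
    // strings straight into the SQL text (ext/mysql has no parameter binding).
    list($username_sql, $encrypted_sql, $salt_sql, $email_sql, $youtube_sql, $ref_sql) = array_map(
        'mysql_real_escape_string',
        array($username, $encrypted, $salt, $email, $youtubeUserName, $ref)
    );
    // And lastly, store the information in the database
    $query = "insert into user (username, password, salt, email, youtubeUserName, video, refferal) values ('{$username_sql}', '{$encrypted_sql}', '{$salt_sql}', '{$email_sql}', '{$youtube_sql}', '', '{$ref_sql}')";
    mysql_query($query) or die('Could not create user. Refresh the page to try again.');
}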
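 public function change_password(IChangePasswordInput $input)
 {
     // Sets a new password for the user identified by e-mail + reset code and
     // clears the code so the link is single-use. Returns true when a row matched.
     $resetcode = $input->get_resetcode();
     // Refuse an empty code up front. The original matched on whatever the input
     // supplied; with a null value some query builders emit "IS NULL", which would
     // match every user whose code has already been cleared — verify against the
     // builder in use, but the guard is correct either way.
     if ($resetcode === null || $resetcode === '') {
         return false;
     }
     // Prepare data
     $this->load->helper('crypto');
     $passwordsalt = generate_salt();
     $passwordhash = generate_hash($input->get_password(), $passwordsalt);
     $this->db->where('email', $input->get_email());
     $this->db->where('passwordresetcode', $resetcode);
     $this->db->update("users", array("passwordresetcode" => NULL, "passwordhash" => $passwordhash, "passwordsalt" => $passwordsalt));
     return $this->db->affected_rows() > 0;
 }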
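function password_encrypt($password)
{
    // Blowfish with a "cost" of 10, same output format ("$2y$10$" + 53 chars) as the
    // crypt()-based original, so stored hashes and the verifying code are unaffected.
    // password_hash() generates the 22-character salt from the CSPRNG; the original
    // depended on generate_salt() doing that correctly and would have returned
    // crypt()'s "*0" failure marker as a hash if it did not.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    if ($hash === false) {
        throw new RuntimeException('password hashing failed');
    }
    return $hash;
}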
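function password_encrypt($password)
{
    // Tells PHP to use Blowfish with a "cost" of 10. The original built the
    // "$2y$10$" prefix and a 22-character salt by hand and passed them to crypt();
    // password_hash() yields the identical string layout while sourcing the salt
    // from the CSPRNG, and cannot hand back crypt()'s "*0" marker for a bad salt.
    $cost = 10;
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    if ($hash === false) {
        throw new RuntimeException('password hashing failed');
    }
    return $hash;
}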
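function verify_password($password, $salt, $uid = false)
{
    // Checks $password against the stored value $salt, which is a crypt() string,
    // a legacy "{crypt}" DES value or a bare 32-hex md5 digest. Returns true/false.
    // When it matches and $uid is given, a hash not already in CRYPT_ALG format is
    // re-hashed and written back.
    $correct = false;
    if (substr($salt, 0, 1) == '$') {
        // new-style crypt(): the stored string carries its own algorithm and salt
        $correct = hash_equals($salt, crypt($password, $salt));
    } elseif (substr($salt, 0, 7) == '{crypt}') {
        // old-style crypt() with DES and static salt - not used anymore
        $correct = hash_equals($salt, crypt($password, '77'));
    } elseif (strlen($salt) == 32) {
        // old-style md5 without salt - not used anymore
        $correct = hash_equals($salt, md5($password));
    }
    // hash_equals() replaces == above so the comparison time does not depend on the
    // first differing byte. $uid is tested before CRYPT_ALG so a verify-only call
    // never touches the constant or the database.
    if ($correct && $uid && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG) {
        // this password is stored in another format than we want it to be.
        // let's update it!
        // we duplicate the query from the above set_password() function to have the extra safety of checking the old hash
        sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" . sql_escape($salt) . "' LIMIT 1");
    }
    return $correct;
}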
function loginconvert_convert(&$login)
{
    // Login hook for accounts whose password is still stored in a pre-conversion
    // format: checks it with the matching check_* function and, when it is correct,
    // rewrites the row with a MyBB salt/hash so the legacy path is never used again.
    global $mybb, $valid_login_types, $db, $settings;
    $fields = array('username', "password", "salt", 'loginkey', 'coppauser', 'usergroup', "passwordconvert", "passwordconverttype", "passwordconvertsalt");
    $username_method = (int) $settings['username_method'];
    if ($login->username_method !== null) {
        $username_method = (int) $login->username_method;
    }
    $user = get_user_by_username($login->data['username'], array("fields" => $fields, "username_method" => $username_method));
    // Nothing to convert (this also covers "no such user"): let MyBB do everything.
    if (!isset($user['passwordconvert']) || $user['passwordconvert'] == '') {
        return;
    }
    // $valid_login_types is the whitelist that decides which check_* function may run.
    if (!array_key_exists($user['passwordconverttype'], $valid_login_types)) {
        // TODO: Is there an easy way to make the error translatable without adding a new language file?
        redirect($mybb->settings['bburl'] . "/member.php?action=lostpw", "We're sorry but we couldn't convert your old password. Please select a new one", "", true);
        return;
    }
    $checker = "check_" . $valid_login_types[$user['passwordconverttype']];
    if (!$checker($login->data['password'], $user)) {
        // verify_attempts() runs again later, but it has to run here so the captcha
        // state is known; otherwise the error would always be shown.
        $login->verify_attempts($mybb->settings['captchaimage']);
        $login->invalid_combination(true);
        return;
    }
    // The password was correct, so store it in MyBB's own format (even when the
    // captcha was wrong the password can be updated).
    $salt = generate_salt();
    $update = array(
        "salt" => $salt,
        "password" => salt_password(md5($login->data['password']), $salt),
        "loginkey" => generate_loginkey(),
        "passwordconverttype" => "",
        "passwordconvert" => "",
        "passwordconvertsalt" => "",
    );
    $db->update_query("users", $update, "uid='{$user['uid']}'");
    // Make sure the password isn't tested again
    unset($login->data['password']);
    // Also make sure all data is available when creating the session (otherwise SQL errors -.-)
    $login->login_data = array_merge($user, $update);
}
/**
 * Process information given to new/edit account form
 *
 * Validates the submitted values, checks that username, e-mail address and SSH
 * keys are not already taken, and then either INSERTs an unprivileged account
 * ($TYPE "new") or UPDATEs the account $UID ("edit"). Every failure path returns
 * array(false, $message) with an HTML error list; success returns array(true, $message).
 *
 * @global array $SUPPORTED_LANGS Languages that are supported by the AUR
 * @param string $TYPE Either "edit" for editing or "new" for registering an account
 * @param string $A Form to use, either UpdateAccount or NewAccount
 * @param string $U The username for the account
 * @param string $T The account type for the user
 * @param string $S Whether or not the account is suspended
 * @param string $E The e-mail address for the user
 * @param string $H Whether or not the e-mail address should be hidden
 * @param string $P The password for the user
 * @param string $C The confirmed password for the user
 * @param string $R The real name of the user
 * @param string $L The language preference of the user
 * @param string $I The IRC nickname of the user
 * @param string $K The PGP fingerprint of the user
 * @param string $PK The list of public SSH keys
 * @param string $J The inactivity status of the user
 * @param string $UID The user ID of the modified account
 * @param string $N The username as present in the database
 *
 * @return array Boolean indicating success and message to be printed
 */
function process_account_form($TYPE, $A, $U = "", $T = "", $S = "", $E = "", $H = "", $P = "", $C = "", $R = "", $L = "", $I = "", $K = "", $PK = "", $J = "", $UID = 0, $N = "")
{
    global $SUPPORTED_LANGS;
    $error = '';
    $message = '';
    if (is_ipbanned()) {
        $error = __('Account registration has been disabled ' . 'for your IP address, probably due ' . 'to sustained spam attacks. Sorry for the ' . 'inconvenience.');
    }
    // NOTE(review): every query below is string-built; values go through
    // $dbh->quote() or intval() individually rather than bound parameters.
    $dbh = DB::connect();
    if (isset($_COOKIE['AURSID'])) {
        $editor_user = uid_from_sid($_COOKIE['AURSID']);
    } else {
        $editor_user = null;
    }
    // The two required-field checks assign $error unconditionally, so they replace
    // the IP-ban message; all later checks are gated on !$error.
    if (empty($E) || empty($U)) {
        $error = __("Missing a required field.");
    }
    if ($TYPE != "new" && !$UID) {
        $error = __("Missing User ID");
    }
    if (!$error && !valid_username($U)) {
        $length_min = config_get_int('options', 'username_min_len');
        $length_max = config_get_int('options', 'username_max_len');
        $error = __("The username is invalid.") . "<ul>\n" . "<li>" . __("It must be between %s and %s characters long", $length_min, $length_max) . "</li>" . "<li>" . __("Start and end with a letter or number") . "</li>" . "<li>" . __("Can contain only one period, underscore or hyphen.") . "</li>\n</ul>";
    }
    if (!$error && $P && $C && $P != $C) {
        $error = __("Password fields do not match.");
    }
    if (!$error && $P != '' && !good_passwd($P)) {
        $length_min = config_get_int('options', 'passwd_min_len');
        $error = __("Your password must be at least %s characters.", $length_min);
    }
    if (!$error && !valid_email($E)) {
        $error = __("The email address is invalid.");
    }
    if (!$error && $K != '' && !valid_pgp_fingerprint($K)) {
        $error = __("The PGP key fingerprint is invalid.");
    }
    // NOTE(review): $ssh_keys and $ssh_fingerprints are only defined inside this
    // branch, but count($ssh_keys) and both account_set_ssh_keys() calls further
    // down read them unconditionally — undefined whenever $PK is empty (count(null)
    // is a TypeError on PHP 8). Initialising both to array() before this block would fix it.
    if (!$error && !empty($PK)) {
        $ssh_keys = array_filter(array_map('trim', explode("\n", $PK)));
        $ssh_fingerprints = array();
        // Iterated by reference: each key is rewritten to "<type> <base64>" (comment dropped).
        foreach ($ssh_keys as &$ssh_key) {
            if (!valid_ssh_pubkey($ssh_key)) {
                $error = __("The SSH public key is invalid.");
                break;
            }
            $ssh_fingerprint = ssh_key_fingerprint($ssh_key);
            if (!$ssh_fingerprint) {
                $error = __("The SSH public key is invalid.");
                break;
            }
            $tokens = explode(" ", $ssh_key);
            $ssh_key = $tokens[0] . " " . $tokens[1];
            $ssh_fingerprints[] = $ssh_fingerprint;
        }
        /*
         * Destroy last reference to prevent accidentally overwriting
         * an array element.
         */
        unset($ssh_key);
    }
    // Privilege ceiling: a "User" may not grant type > 1, a "Trusted User" not > 2.
    // $T is compared numerically although the docblock types it as string.
    if (isset($_COOKIE['AURSID'])) {
        $atype = account_from_sid($_COOKIE['AURSID']);
        if ($atype == "User" && $T > 1 || $atype == "Trusted User" && $T > 2) {
            $error = __("Cannot increase account permissions.");
        }
    }
    if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
        $error = __("Language is not currently supported.");
    }
    if (!$error) {
        /*
         * Check whether the user name is available.
         * TODO: Fix race condition.
         */
        $q = "SELECT COUNT(*) AS CNT FROM Users ";
        // NOTE(review): the next line is garbled in this listing ("******"); by
        // analogy with the e-mail check below it presumably appends
        // $dbh->quote($U) and opens the `if ($TYPE == "edit")` branch.
        $q .= "WHERE Username = "******"edit") {
            $q .= " AND ID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row[0]) {
            $error = __("The username, %s%s%s, is already in use.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        }
    }
    if (!$error) {
        /*
         * Check whether the e-mail address is available.
         * TODO: Fix race condition.
         */
        $q = "SELECT COUNT(*) AS CNT FROM Users ";
        $q .= "WHERE Email = " . $dbh->quote($E);
        if ($TYPE == "edit") {
            $q .= " AND ID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row[0]) {
            $error = __("The address, %s%s%s, is already in use.", "<strong>", htmlspecialchars($E, ENT_QUOTES), "</strong>");
        }
    }
    if (!$error && count($ssh_keys) > 0) {
        /*
         * Check whether any of the SSH public keys is already in use.
         * TODO: Fix race condition.
         */
        $q = "SELECT Fingerprint FROM SSHPubKeys ";
        $q .= "WHERE Fingerprint IN (";
        $q .= implode(',', array_map(array($dbh, 'quote'), $ssh_fingerprints));
        $q .= ")";
        if ($TYPE == "edit") {
            $q .= " AND UserID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row) {
            $error = __("The SSH public key, %s%s%s, is already in use.", "<strong>", htmlspecialchars($row[0], ENT_QUOTES), "</strong>");
        }
    }
    if ($error) {
        $message = "<ul class='errorlist'><li>" . $error . "</li></ul>\n";
        return array(false, $message);
    }
    if ($TYPE == "new") {
        /* Create an unprivileged user. */
        $salt = generate_salt();
        // No password supplied: store it empty and mail a reset key instead.
        if (empty($P)) {
            $send_resetkey = true;
            $email = $E;
        } else {
            $send_resetkey = false;
            $P = salted_hash($P, $salt);
        }
        // From here on $U, $E, ... hold the SQL-quoted form (note the messages below
        // therefore render the quoted username, quotes included).
        $U = $dbh->quote($U);
        $E = $dbh->quote($E);
        $P = $dbh->quote($P);
        $salt = $dbh->quote($salt);
        $R = $dbh->quote($R);
        $L = $dbh->quote($L);
        $I = $dbh->quote($I);
        $K = $dbh->quote(str_replace(" ", "", $K));
        $q = "INSERT INTO Users (AccountTypeID, Suspended, ";
        $q .= "InactivityTS, Username, Email, Passwd, Salt, ";
        $q .= "RealName, LangPreference, IRCNick, PGPKey) ";
        $q .= "VALUES (1, 0, 0, {$U}, {$E}, {$P}, {$salt}, {$R}, {$L}, ";
        $q .= "{$I}, {$K})";
        $result = $dbh->exec($q);
        if (!$result) {
            $message = __("Error trying to create account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
            return array(false, $message);
        }
        $uid = $dbh->lastInsertId();
        account_set_ssh_keys($uid, $ssh_keys, $ssh_fingerprints);
        $message = __("The account, %s%s%s, has been successfully created.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        $message .= "<p>\n";
        if ($send_resetkey) {
            send_resetkey($email, true);
            $message .= __("A password reset key has been sent to your e-mail address.");
            $message .= "</p>\n";
        } else {
            $message .= __("Click on the Login link above to use your account.");
            $message .= "</p>\n";
        }
    } else {
        /* Modify an existing account. */
        $q = "SELECT InactivityTS FROM Users WHERE ";
        $q .= "ID = " . intval($UID);
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        // Keep an existing inactivity timestamp; start one now if newly inactive; else clear it.
        if ($row[0] && $J) {
            $inactivity_ts = $row[0];
        } elseif ($J) {
            $inactivity_ts = time();
        } else {
            $inactivity_ts = 0;
        }
        $q = "UPDATE Users SET ";
        // NOTE(review): the next line is garbled in this listing ("******"); what
        // survives shows the quoted username followed by a conditional
        // ", AccountTypeID = intval($T)" clause whose condition is not recoverable here.
        $q .= "Username = "******", AccountTypeID = " . intval($T);
        }
        if ($S) {
            /* Ensure suspended users can't keep an active session */
            delete_user_sessions($UID);
            $q .= ", Suspended = 1";
        } else {
            $q .= ", Suspended = 0";
        }
        $q .= ", Email = " . $dbh->quote($E);
        if ($H) {
            $q .= ", HideEmail = 1";
        } else {
            $q .= ", HideEmail = 0";
        }
        if ($P) {
            $salt = generate_salt();
            $hash = salted_hash($P, $salt);
            // NOTE(review): unlike every other column here, $hash and $salt are
            // interpolated without $dbh->quote(); this relies on salted_hash() and
            // generate_salt() never emitting quote characters.
            $q .= ", Passwd = '{$hash}', Salt = '{$salt}'";
        }
        $q .= ", RealName = " . $dbh->quote($R);
        $q .= ", LangPreference = " . $dbh->quote($L);
        $q .= ", IRCNick = " . $dbh->quote($I);
        $q .= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
        $q .= ", InactivityTS = " . $inactivity_ts;
        $q .= " WHERE ID = " . intval($UID);
        $result = $dbh->exec($q);
        $ssh_key_result = account_set_ssh_keys($UID, $ssh_keys, $ssh_fingerprints);
        if ($result === false || $ssh_key_result === false) {
            $message = __("No changes were made to the account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        } else {
            $message = __("The account, %s%s%s, has been successfully modified.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        }
    }
    return array(true, $message);
}
function gen_mix_salt($pass)
{
    // Draws a fresh salt and returns mix_salt() applied to it and $pass.
    return mix_salt(generate_salt(), $pass);
}
        }
        $langs .= '<option ' . $sel . ' value="' . $larray . '" >' . $larray . '</option>';
        $sel = '';
        $count++;
    }
    $langs .= '</select><br />';
} else {
    $langs = '<b>' . i18n_r('LANGUAGE') . '</b>: &nbsp;<code style="color:red;">' . i18n_r('NONE') . '</code> &nbsp;&nbsp;';
}
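# salt value generation
# The API key / salt lives in an XML file under the data directory and is created on
# first run; $kill carries the error shown when the file cannot be written or read.
$api_file = GSDATAOTHERPATH . GSAUTHFILE;
if (!file_exists($api_file)) {
    if (getDef('GSUSECUSTOMSALT')) {
        # A site-defined constant takes precedence; sha1() only normalises its length,
        # it adds no entropy the constant did not already have.
        $saltval = sha1(GSUSECUSTOMSALT);
    } else {
        $saltval = generate_salt();
    }
    $xml = new SimpleXMLExtended('<item></item>');
    $note = $xml->addChild('apikey');
    $note->addCData($saltval);
    if (!XMLsave($xml, $api_file)) {
        $kill = i18n_r('CHMOD_ERROR');
    }
}
# get salt value
# Guarded read: when the save above failed or the file is unreadable, getXML() is
# assumed to return a falsy value (TODO confirm) — the original then dereferenced
# ->apikey on it. Either way $APIKEY ends up empty and $kill is set below.
$data = getXML($api_file);
$APIKEY = ($data && isset($data->apikey)) ? $data->apikey : '';
if (empty($APIKEY)) {
    $kill = i18n_r('CHMOD_ERROR');
}
$pagetitle = $site_full_name . ' &middot; ' . i18n_r('INSTALLATION');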
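/**
 * Updates a user's salt in the database (does not update a password).
 *
 * The stored password hash is left untouched; if that hash depends on the salt
 * (as salt_password() elsewhere in this code base suggests), the caller must
 * re-hash the password as well or the user can no longer log in.
 *
 * @param int $uid The uid of the user to update.
 * @return string The new salt.
 */
function update_salt($uid)
{
    global $db;
    $salt = generate_salt();
    $sql_array = array("salt" => $salt);
    // $uid is documented as int; casting it means the WHERE clause can only ever
    // carry a number, whatever the caller actually passed.
    $db->update_query("users", $sql_array, "uid='" . (int) $uid . "'");
    return $salt;
}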
 /**
  * Insert a new provider record into the database.
  *
  * The nested 'services' and 'settings' entries are stored through their own
  * save_* helpers after the ea_users row exists; the settings password is salted
  * and hashed before it is written.
  *
  * @param array $provider Contains the provider data (must be already validated).
  * @return int Returns the new record id.
  * @throws Exception When the insert operation fails.
  */
 public function insert($provider)
 {
     $this->load->helper('general');
     // Get provider role id.
     $provider['id_roles'] = $this->get_providers_role_id();
     // Split off settings and services: they must not be part of the ea_users row.
     $services = $provider['services'];
     $settings = $provider['settings'];
     unset($provider['services'], $provider['settings']);
     // Insert provider record and save settings.
     $inserted = $this->db->insert('ea_users', $provider);
     if (!$inserted) {
         throw new Exception('Could not insert provider into the database');
     }
     $provider['id'] = $this->db->insert_id();
     $settings['salt'] = generate_salt();
     $settings['password'] = hash_password($settings['salt'], $settings['password']);
     $this->save_settings($settings, $provider['id']);
     $this->save_services($services, $provider['id']);
     // Return the new record id.
     return intval($provider['id']);
 }
function mod_user_new()
{
    // Moderator panel "new user" action: on a complete POST it validates the form,
    // stores the account and redirects to the user list; otherwise it renders the form.
    global $pdo, $config;
    if (!hasPermission($config['mod']['createusers'])) {
        error($config['error']['noaccess']);
    }
    if (isset($_POST['username'], $_POST['password'], $_POST['type'])) {
        if ($_POST['username'] == '') {
            error(sprintf($config['error']['required'], 'username'));
        }
        if ($_POST['password'] == '') {
            error(sprintf($config['error']['required'], 'password'));
        }
        if (isset($_POST['allboards'])) {
            $boards = array('*');
        } else {
            $_boards = listBoards();
            // Reduce each board row to its uri so the whitelist test below is a plain in_array().
            foreach ($_boards as &$board) {
                $board = $board['uri'];
            }
            // NOTE(review): $board is still a reference to the last element at this
            // point; an unset($board) after the loop would prevent a later write through it.
            $boards = array();
            // Checkbox fields are named board_<uri>; keep only those naming an existing board.
            foreach ($_POST as $name => $value) {
                if (preg_match('/^board_(' . $config['board_regex'] . ')$/u', $name, $matches) && in_array($matches[1], $_boards)) {
                    $boards[] = $matches[1];
                }
            }
        }
        $type = (int) $_POST['type'];
        if (!isset($config['mod']['groups'][$type]) || $type == DISABLED) {
            error(sprintf($config['error']['invalidfield'], 'type'));
        }
        // Stored password format for the mods table: sha256(salt . sha1(password)).
        $salt = generate_salt();
        $password = hash('sha256', $salt . sha1($_POST['password']));
        // All values reach the INSERT through bound parameters.
        $query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)');
        $query->bindValue(':username', $_POST['username']);
        $query->bindValue(':password', $password);
        $query->bindValue(':salt', $salt);
        $query->bindValue(':type', $type);
        $query->bindValue(':boards', implode(',', $boards));
        $query->execute() or error(db_error($query));
        $userID = $pdo->lastInsertId();
        // NOTE(review): this line is partially redacted in the listing ("******");
        // the username presumably passes through an escaping helper before being logged.
        modLog('Created a new user: '******'username']) . ' <small>(#' . $userID . ')</small>');
        header('Location: ?/users', true, $config['redirect_http']);
        return;
    }
    mod_page(_('New user'), 'mod/user.html', array('new' => true, 'boards' => listBoards(), 'token' => make_secure_link_token('users/new')));
}
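function LostPassword($email)
{
    // xajax handler: if $email belongs to an admin, stores a fresh validation token
    // on the row and e-mails a reset link. Returns the response holding a status box.
    $objResponse = new xajaxResponse();
    $q = $GLOBALS['db']->GetRow("SELECT * FROM `" . DB_PREFIX . "_admins` WHERE `email` = ?", array($email));
    if (!$q[0]) {
        $objResponse->addScript("ShowBox('Error', 'The email address you supplied is not registered on the system', 'red', '');");
        return $objResponse;
    }
    $objResponse->addScript("\$('msg-red').setStyle('display', 'none');");
    // 64 hex characters built from four independent generate_salt() draws.
    $validation = md5(generate_salt(20) . generate_salt(20)) . md5(generate_salt(20) . generate_salt(20));
    $GLOBALS['db']->Execute("UPDATE `" . DB_PREFIX . "_admins` SET `validate` = ? WHERE `email` = ?", array($validation, $email));
    // NOTE(review): the link is built from the request's Host header, so a forged
    // Host steers where the recipient's token is sent. A canonical site URL from
    // configuration should replace $_SERVER['HTTP_HOST']; none is visible from here.
    $link = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "?p=lostpassword&email=" . RemoveCode($email) . "&validation=" . $validation;
    $message = "Hello " . $q['user'] . "\n"
        . "You have requested to have your password reset for your SourceBans account.\n"
        . "To complete this process, please click the following link.\n"
        . "NOTE: If you didnt request this reset, then simply ignore this email.\n\n"
        . $link;
    $headers = 'From: lostpwd@' . $_SERVER['HTTP_HOST'] . "\n" . 'X-Mailer: PHP/' . phpversion();
    // Report a mail() failure instead of telling the user to check an inbox nothing
    // was sent to; the original discarded the result in an unused $m.
    if (!mail($email, "SourceBans Password Reset", $message, $headers)) {
        $objResponse->addScript("ShowBox('Error', 'The reset e-mail could not be sent. Please try again later or contact an administrator.', 'red', '');");
        return $objResponse;
    }
    $objResponse->addScript("ShowBox('Check E-Mail', 'Please check your email inbox (and spam) for a link which will help you reset your password.', 'blue', '');");
    return $objResponse;
}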
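function password_encrypt($password)
{
    /* Blowfish (bcrypt) with a cost of 10, the "$2y$10$..." layout the original
     * produced through crypt(). password_hash() generates the 22-character salt
     * from the CSPRNG, so the result no longer hinges on generate_salt() returning
     * bcrypt-alphabet text — for an unusable salt crypt() returns "*0", which the
     * original would have returned as the hash. */
    $cost = 10;
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    if ($hash === false) {
        throw new RuntimeException('password hashing failed');
    }
    return $hash;
}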
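function change_password($user_id, $new_pass)
{
    // Re-salts and re-hashes $new_pass for user $user_id. Returns true on success,
    // false after logging the MySQLi error.
    global $DB_CONN;
    $conn = $DB_CONN;
    $salt = generate_salt(32);
    // PBKDF2-SHA256, 1000 iterations, full-length hex output (length 0). The stored
    // format is fixed by the login path; NOTE(review): 1000 iterations is on the low
    // side for PBKDF2 and should be raised together with the verifier.
    $hash = hash_pbkdf2('sha256', $new_pass, $salt, 1000, 0);
    // Bind the three values instead of interpolating them: the original placed
    // $user_id in the SQL unquoted, so a non-numeric value altered the statement.
    $uid = (int) $user_id;
    $stmt = mysqli_prepare($conn, "UPDATE `Users` SET `Salt` = ?, `Password` = ? WHERE `UserId` = ? LIMIT 1");
    if ($stmt !== false) {
        mysqli_stmt_bind_param($stmt, "ssi", $salt, $hash, $uid);
        $ok = mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
        if ($ok) {
            return true;
        }
    }
    write_log("mysqli", "change_password: MySQLi Query failed with error #" . mysqli_errno($conn) . ": '" . mysqli_error($conn) . "'.");
    return false;
}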
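function password_encrypt($password)
{
    // Bcrypt ("$2y$") with a cost of 10, the same 60-character string the original
    // assembled as "$2y$10$" + generate_salt(22) and passed to crypt(). Using
    // password_hash() takes the salt from the CSPRNG and removes the dependency on
    // generate_salt() returning exactly what bcrypt expects (otherwise crypt() gives
    // back "*0", which the original returned unchecked). Also fixes the misspelt
    // $salt_lenght local by dropping it.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    if ($hash === false) {
        throw new RuntimeException('password hashing failed');
    }
    return $hash;
}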
// ------------------------------------------------------------------
// handles user login creation process
// creates or include salt file
// The salt is persisted as a PHP file under path_to_files and include()d on every
// later request; that directory must be writable by PHP and must not be served to
// or writable by anyone else (assumption — the deployment is not visible here).
if (file_exists($auto_restrict['path_to_files'] . '/auto_restrict_salt.php')) {
    include $auto_restrict['path_to_files'] . '/auto_restrict_salt.php';
} else {
    // 512-character system salt, generated once and kept for the life of the install.
    $auto_restrict['system_salt'] = generate_salt(512);
    file_put_contents($auto_restrict['path_to_files'] . '/auto_restrict_salt.php', '<?php $auto_restrict["system_salt"]=' . var_export($auto_restrict['system_salt'], true) . '; ?>');
}
// creates auto_restrict_pass.php with secured login pass data
if (file_exists($auto_restrict['path_to_files'] . '/auto_restrict_pass.php')) {
    include $auto_restrict['path_to_files'] . '/auto_restrict_pass.php';
}
if (!isset($auto_restrict['pass'])) {
    // First run: the first non-empty login/pass pair POSTed becomes the credential set.
    if (isset($_POST['pass']) && isset($_POST['login']) && $_POST['pass'] != '' && $_POST['login'] != '') {
        $salt = generate_salt(512);
        $auto_restrict['encryption_key'] = md5(uniqid('', true));
        // NOTE(review): this line is partially redacted in the listing ("******").
        // What is visible: the POSTed login and the password hash are written into a
        // PHP file; the password is stored as a single sha512 over salt . pass (no
        // iterated KDF); the token and banned-ip file names are derived from sha512
        // of salt . uniqid(). uniqid() and md5(uniqid()) are not cryptographic
        // randomness — random_bytes() is the appropriate source for the key.
        file_put_contents($auto_restrict['path_to_files'] . '/auto_restrict_pass.php', '<?php $auto_restrict["login"]="******";$auto_restrict["encryption_key"]=' . var_export($auto_restrict['encryption_key'], true) . ';$auto_restrict["salt"] = ' . var_export($salt, true) . '; $auto_restrict["pass"] = '******'sha512', $salt . $_POST['pass']), true) . '; $auto_restrict["tokens_filename"] = "tokens_' . var_export(hash('sha512', $salt . uniqid('', true)), true) . '.php";$auto_restrict["banned_ip_filename"] = "banned_ip_' . var_export(hash('sha512', $salt . uniqid('', true)), true) . '.php";?>');
        include 'login_form.php';
        exit;
    } else {
        include 'login_form.php';
        exit;
    }
}
// ------------------------------------------------------------------
// load banned ip
// ------------------------------------------------------------------
// $auto_restrict["banned_ip_filename"] is defined by the pass file included above.
if (is_file($auto_restrict['path_to_files'] . '/' . $auto_restrict["banned_ip_filename"])) {
    include $auto_restrict['path_to_files'] . '/' . $auto_restrict["banned_ip_filename"];
}
Example #26
             error(_("Cannot create board with banned word {$w}"));
         }
     } else {
         if (preg_match($w, $uri)) {
             error(_("Cannot create board matching banned pattern {$w}"));
         }
     }
 }
 $query = prepare('SELECT ``username`` FROM ``mods`` WHERE ``username`` = :username');
 $query->bindValue(':username', $username);
 $query->execute() or error(db_error($query));
 $users = $query->fetchAll(PDO::FETCH_ASSOC);
 if (sizeof($users) > 0) {
     error(_('The username you\'ve tried to enter already exists!'));
 }
 $salt = generate_salt();
 $password = hash('sha256', $salt . sha1($password));
 $query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards, :email)');
 $query->bindValue(':username', $username);
 $query->bindValue(':password', $password);
 $query->bindValue(':salt', $salt);
 $query->bindValue(':type', 20);
 $query->bindValue(':boards', $uri);
 $query->bindValue(':email', $email);
 $query->execute() or error(db_error($query));
 $query = prepare('INSERT INTO ``boards`` (`uri`, `title`, `subtitle`) VALUES (:uri, :title, :subtitle)');
 $query->bindValue(':uri', $_POST['uri']);
 $query->bindValue(':title', $_POST['title']);
 $query->bindValue(':subtitle', $_POST['subtitle']);
 $query->execute() or error(db_error($query));
 $query = Element('posts.sql', array('board' => $uri));
Example #27
 /**
  * Validates the password held in $this->data and, on success, derives the
  * stored credential fields from it.
  *
  * Checks, in order: length within the board's min/max settings, password
  * not equal to the e-mail address or username, complexity (a digit, a
  * lower-case and an upper-case letter) when "requirecomplexpasswords" is
  * on, and agreement with "password2" when that field is present. Every
  * failure is recorded through set_error().
  *
  * Side effects on success: md5password, salt, saltedpw and loginkey are
  * written into $this->data.
  *
  * @return boolean True when valid, false when invalid.
  */
 function verify_password()
 {
     global $mybb;
     $settings = $mybb->settings;
     $password = $this->data['password'];
     $minLength = $settings['minpasswordlength'];
     $maxLength = $settings['maxpasswordlength'];
     // Length bounds are enforced unconditionally.
     $length = my_strlen($password);
     if ($length < $minLength || $length > $maxLength) {
         $this->set_error('invalid_password_length', array($minLength, $maxLength));
         return false;
     }
     // Reusing the e-mail address or the username as the password is rejected.
     if ($this->data['email'] === $password || $this->data['username'] === $password) {
         $this->set_error('bad_password_security');
         return false;
     }
     // Optional complexity rule: at least minpasswordlength characters
     // containing a digit, a lower-case and an upper-case letter.
     if ($settings['requirecomplexpasswords'] == 1) {
         $pattern = "/^.*(?=.{" . $minLength . ",})(?=.*\\d)(?=.*[a-z])(?=.*[A-Z]).*\$/";
         if (!preg_match($pattern, $password)) {
             $this->set_error('no_complex_characters', array($minLength));
             return false;
         }
     }
     // The confirmation field, when supplied, must match exactly.
     if (isset($this->data['password2']) && $password !== $this->data['password2']) {
         $this->set_error("passwords_dont_match");
         return false;
     }
     // Derive the stored credential fields: md5 of the password, then the
     // salted form produced by salt_password(), plus a fresh login key.
     // NOTE(review): an unsalted md5 pre-hash is weak by modern standards;
     // moving to password_hash() would require migrating the stored format.
     $this->data['md5password'] = md5($password);
     $this->data['salt'] = generate_salt();
     $this->data['saltedpw'] = salt_password($this->data['md5password'], $this->data['salt']);
     $this->data['loginkey'] = generate_loginkey();
     return true;
 }
/**
 * xajax handler for the admin "lost password" request.
 *
 * Looks up the admin row by e-mail. When none matches, the returned response
 * shows an error box. Otherwise a fresh validation token is stored on the row,
 * a reset link carrying the e-mail and token is mailed, and the response tells
 * the user to check their mailbox.
 *
 * NOTE(review): the reset link and the From header are both built from
 * $_SERVER['HTTP_HOST'], i.e. the request's Host header. A configured site
 * base URL is the safer source for links placed in e-mails; confirm the web
 * server pins the host name if this stays as is.
 *
 * @param string $email Address submitted by the user (bound as a query parameter).
 * @return xajaxResponse Script commands for the calling page.
 */
function LostPassword($email)
{
    $objResponse = new xajaxResponse();
    $q = $GLOBALS['db']->GetRow("SELECT * FROM `" . DB_PREFIX . "_admins` WHERE `email` = ?", array($email));
    if (!$q[0]) {
        // Unknown address: show the red error box and stop.
        $objResponse->addScript("ShowBox('Ошибка', 'Введенный Вами адрес e-mail не найден в базе', 'red', '');");
        return $objResponse;
    }
    $objResponse->addScript("\$('msg-red').setStyle('display', 'none');");
    // 64 hex characters: two md5 digests over freshly generated salt material.
    $validation = md5(generate_salt(20) . generate_salt(20)) . md5(generate_salt(20) . generate_salt(20));
    $GLOBALS['db']->Execute("UPDATE `" . DB_PREFIX . "_admins` SET `validate` = ? WHERE `email` = ?", array($validation, $email));
    // The reset link is appended to the current request URI.
    $resetLink = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "?p=lostpassword&email=" . RemoveCode($email) . "&validation=" . $validation;
    $message = "Привет " . $q['user'] . "\n"
        . "Вы запросили смену пароля в системе Sourcebans.\n"
        . "Для завершения процедуры смены пароля перейдите по ссылке ниже.\n"
        . "ПРИМЕЧАНИЕ: если Вы не запрашивали смену пароля, просто проигнорируйте это сообщение.\n\n"
        . $resetLink;
    $headers = 'From: lostpwd@' . $_SERVER['HTTP_HOST'] . "\n" . 'X-Mailer: PHP/' . phpversion();
    // mail()'s result is not inspected; the success box is shown regardless.
    mail($email, "Сброс пароля SourceBans", $message, $headers);
    $objResponse->addScript("ShowBox('Проверьте почту', 'На Ваш электронный ящик было отправлено письмо с ссылкой для сброса пароля.', 'blue', '');");
    return $objResponse;
}
 /**
  * Insert a new secretary record into the database.
  *
  * The "providers" and "settings" entries are split off the incoming array
  * before the row is written; providers are linked and settings stored
  * afterwards against the new id. The settings password is salted
  * (generate_salt) and hashed (hash_password) here, before save_settings()
  * receives it.
  *
  * @param array $secretary Contains the secretary data.
  * @return int Returns the new record id.
  * @throws Exception When the insert operation fails.
  */
 public function insert($secretary)
 {
     $this->load->helper('general');
     // Pull the nested collections out so only column data reaches the insert.
     $providers = $secretary['providers'];
     $settings = $secretary['settings'];
     unset($secretary['providers'], $secretary['settings']);
     $secretary['id_roles'] = $this->get_secretary_role_id();
     if (!$this->db->insert('ea_users', $secretary)) {
         throw new Exception('Could not insert secretary into the database.');
     }
     $secretary['id'] = (int) $this->db->insert_id();
     // The plain-text password is replaced by its salted hash before being stored.
     $settings['salt'] = generate_salt();
     $settings['password'] = hash_password($settings['salt'], $settings['password']);
     $this->save_providers($providers, $secretary['id']);
     $this->save_settings($settings, $secretary['id']);
     return $secretary['id'];
 }
Example #30
# ------------------------------------------------------------------
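// Account creation request: POST carries login/pass/confirm and the
// "creation" marker, and no admin_password (that field belongs to the
// change-password form below).
if (!empty($_POST['pass']) && !empty($_POST['confirm']) && isset($_POST['creation']) && !empty($_POST['login']) && empty($_POST['admin_password'])) {
    if (!isset($auto_restrict['users'])) {
        $auto_restrict['users'] = array();
    }
    $index = count($auto_restrict['users']);
    $login = strip_tags($_POST['login']);
    if (login_exists($login)) {
        safe_redirect('index.php?p=login&newuser&error=1&token=' . returnToken());
        // Stop here even if safe_redirect() returns; otherwise the duplicate
        // account would still be written below.
        exit;
    }
    // Strict comparison: with `!=` two numeric-looking strings such as
    // "1e3" and "1000" compare equal and would pass as a confirmed password.
    if ($_POST['pass'] !== $_POST['confirm']) {
        safe_redirect('index.php?p=login&newuser&error=3&token=' . returnToken());
        exit;
    }
    $auto_restrict['users'][$index]['login'] = $login;
    $auto_restrict['users'][$index]['encryption_key'] = md5(uniqid('', true));
    $auto_restrict['users'][$index]['salt'] = generate_salt(512);
    $auto_restrict['users'][$index]['lang'] = $_SESSION['language'];
    $auto_restrict['users'][$index]['status'] = '';
    // Stored credential is sha512(salt . pass); the plain password is not kept.
    // NOTE(review): a single SHA-512 round is cheap to attack offline; if the
    // stored format can change, password_hash() is the preferred primitive.
    $auto_restrict['users'][$index]['pass'] = hash('sha512', $auto_restrict['users'][$index]['salt'] . $_POST['pass']);
    if (!save_users()) {
        exit('<div class="error">auto_restrict: problem saving users</div>');
    }
    safe_redirect('index.php?p=admin&msg=' . e('Account created:', false) . $login . '&token=' . returnToken());
    exit;
}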
# ------------------------------------------------------------------
# Change password request
# ------------------------------------------------------------------
if (!empty($_POST['pass']) && !empty($_POST['confirm']) && !empty($_POST['admin_password'])) {
    if ($auto_restrict['users'][$_SESSION['login']]['pass'] !== hash('sha512', $auto_restrict['users'][$_SESSION['login']]['salt'] . $_POST['admin_password'])) {
        safe_redirect('index.php?p=login&change_password&error=4&token=' . returnToken());