function process_form()
{
// INITIAL DATA FETCHING
global $name, $email, $cell, $yog, $mailings;
// so that the show_form function can use these values later
$name = htmlentities(ucwords(trim(strtolower($_POST['name']), ' \\-\'')));
foreach (array('-', '\'') as $delimiter) {
if (strpos($name, $delimiter) !== false) {
$name = implode($delimiter, array_map('ucfirst', explode($delimiter, $name)));
}
}
// forces characters after spaces, hyphens and apostrophes to be capitalized
$name = preg_replace('/[\\s\']*\\-+[\\s\']*/', '-', $name);
// removes hyphens not between two characters
$name = preg_replace('/[\\s\\-]*\'+[\\s\\-]*/', '\'', $name);
// removes apostrophes not between two characters
$name = preg_replace('/\\s+/', ' ', $name);
// removes multiple consecutive spaces
$name = preg_replace('/\\-+/', '-', $name);
// removes multiple consecutive hyphens
$name = preg_replace('/\'+/', '\'', $name);
// removes multiple consecutive apostrophes
$email = htmlentities(strtolower($_POST['email']));
$cell = htmlentities($_POST['cell']);
$yog = $_POST['yog'];
$pass = $_POST['pass1'];
$mailings = '0';
if ($_POST['mailings'] == 'Yes') {
$mailings = '1';
}
// CHECK THAT THE NAME IS VALID
if (($name = sanitize_username($name)) === false) {
alert('Your name must have only letters, hyphens, apostrophes, and spaces, and be between 3 and 30 characters long', -1);
show_form();
return;
}
if (strpos($name, ' ') == false) {
alert('Please enter both your first <span class="i">and</span> last name', -1);
show_form();
return;
}
// CHECK THAT THE EMAIL ADDRESS IS VALID
if (!val('e', $email)) {
alert('That\'s not a valid email address', -1);
show_form();
return;
}
// CHECK AND FORMAT CELL PHONE NUMBER
if ($cell != '' && ($cell = format_phone_number($cell)) === false) {
//Validate the format of the cell phone number (if it's not left blank)
alert('That\'s not a valid cell phone number', -1);
show_form();
return;
}
// CHECK THAT THE YOG IS VALID
$grade = intval(getGradeFromYOG($yog));
if ($grade < 9 || $grade > 12) {
alert('That is not a valid YOG (' . $grade . 'you have to be in high school)', -1);
show_form();
return;
}
// CHECK THAT THE PASSWORDS MATCH, MEET MINIMUM LENGTH
if ($pass != $_POST['pass2']) {
alert('The passwords that you entered do not match', -1);
show_form();
return;
}
if (strlen($pass) < 6) {
alert('Please choose a password that has at least 6 characters', -1);
show_form();
return;
}
// CHECK THAT THEY ENTERED THE RECAPTCHA CORRECTLY
// CURRENTLY BROKEN: NEED TO UPDATE RECAPTCHA
/*
$recaptcha_msg = validate_recaptcha();
if ($recaptcha_msg !== true) {
alert($recaptcha_msg, -1);
show_form();
return;
}
*/
// CHECK THAT AN ACCOUNT WITH THAT EMAIL DOES NOT ALREADY EXIST
// this is done *after* checking the reCaptcha to prevent bots from harvesting our email
// addresses via a brute-force attack.
if (DBExt::queryCount('users', 'LOWER(email)=LOWER(%s)', $email) != 0) {
alert('An account with that email address already exists', -1);
show_form();
return;
}
// CHECK THAT AN ACCOUNT WITH THE SAME NAME IN THE SAME GRADE DOES NOT EXIST
// - with the exception that if it's permissions = 'E', they probably mistyped their email and are redoing it.
if (DBExt::queryCount('users', 'LOWER(name)=%s AND yog=%i AND permissions!="E"', strtolower($name), $yog) != 0) {
alert('An account in your grade with that name already exists', -1);
show_form();
return;
}
// ** All information has been validated at this point **
$verification_code = generate_code(5);
// for verifying ownership of the email address
// Check if email address has been pre-approved
if (isset($_SESSION['PREAPPROVED']) && $email === $_SESSION['PREAPPROVED']) {
$approved = '1';
// skip Captain approval
$verification_code = '1';
// skip email verification (already done)
} else {
$approved = '0';
}
// Create database entry
$passhash = hash_pass($email, $pass);
if ($cell == '') {
$cell = 'None';
} else {
$cell = preg_replace('#[^\\d]#', '', $_POST['cell']);
}
// remove non-numbers from cell phone # again
DB::insert('users', array('name' => $name, 'email' => $email, 'passhash' => $passhash, 'cell' => $cell, 'yog' => $yog, 'mailings' => $mailings, 'approved' => $approved, 'email_verification' => $verification_code, 'registration_ip' => htmlentities(strtolower($_SERVER['REMOTE_ADDR']))));
set_login_data(DB::insertId());
// LOG THEM IN
// For pre-approved members:
if ($approved == '1') {
global $WEBMASTER_EMAIL;
$to = array($email => $name);
$subject = 'Account Created';
$body = <<<HEREDOC
Welcome to the LHS Math Club website, {$name}!
Your account has been created. If you have any questions about the site, please email
the webmaster at {$WEBMASTER_EMAIL}
HEREDOC;
send_email($to, $subject, $body, $WEBMASTER_EMAIL);
$_SESSION['HOME_welcome'] = 'Welcome to the LHS Math Club website, ' . $name . '!';
header('Location: Home');
}
$_SESSION['ACCOUNT_do_send_verification_email'] = true;
header('Location: Verify_Email');
}
function process_login_form()
{
$email = strtolower($_POST['email']);
$passhash = hash_pass($email, $_POST['pass']);
// Check to see if the user/ip is temporarily banned:
// An IP is banned when 10 unsuccessful attempts are made to log in from a single IP/email within 10 minutes,
// regardless of whether any successful attempts were made.
$attempts = DBExt::queryCount('login_attempts', array('successful=0', '(remote_ip=%s OR email=%s)', DBExt::timeInInterval('request_time', '-10m', '')), $_SERVER['REMOTE_ADDR'], $email);
if ($attempts > 10) {
log_attempt($email, false);
alert('You have been temporarily locked out. Please wait 10 minutes before attempting to sign in again.', -1);
show_login_form('');
return;
}
// Check for super-user login:
// (the account LHSMATH and password set in CONFIG
if ($email == 'lhsmath') {
global $LHSMATH_PASSWORD;
if ($passhash == $LHSMATH_PASSWORD) {
// $LHSMATH_PASSWORD is pre-hashed
log_attempt('LHSMATH', true);
session_destroy();
session_name('Session');
session_start();
session_regenerate_id(true);
$_SESSION['user_name'] = 'LHSMATH Super-Admin';
$_SESSION['permissions'] = '+';
$_SESSION['login_time'] = time();
$_SESSION['user_id'] = '-999';
header('Location: ' . URL::root() . '/Admin/Super_Admin');
die;
}
}
// Validate credentials
$id = DB::queryFirstField('SELECT id FROM users WHERE LOWER(email)=%s AND passhash=%s LIMIT 1', $email, $passhash);
if (is_null($id)) {
log_attempt($email, false);
show_login_form($email);
alert('Incorrect email address or password', -1);
return;
}
// ** CREDENTIALS ARE VALIDATED AT THIS POINT ** //
log_attempt($email, true);
set_login_data($id);
alert('Logged in!', 1);
//If this page was being included, redirect back.
global $being_included;
if ($being_included) {
header('Location: ' . $_SERVER['REQUEST_URI']);
} else {
header('Location: ../Home');
}
}
function verify_code()
{
DB::query('UPDATE users SET email_verification=1 WHERE id=%i AND email_verification=%s LIMIT 1', $_GET['id'], $_GET['code']);
if (DB::affectedRows() != 1) {
trigger_error('ID or code incorrect', E_USER_ERROR);
}
set_login_data($id);
// LOG THEM IN
header('Location: Approve');
}
<?php
/*
* Account/My_Profile.php
* LHS Math Club Website
*
* Allows users to view and change their stored personal information
*/
require_once '../.lib/functions.php';
restrict_access('RLA');
set_login_data($_SESSION['user_id']);
// visiting this page will cause your cached data to reload
if (isset($_POST['do_change_email'])) {
change_email();
} else {
if (isset($_POST['do_change_cell'])) {
change_cell();
} else {
if (isset($_POST['do_change_password'])) {
change_password();
} else {
if (isset($_GET['Email'])) {
show_change_email_page('', 'email');
} else {
if (isset($_GET['Cell'])) {
show_change_cell_page('', 'cell');
} else {
if (isset($_GET['Password'])) {
show_change_password_page('');
} else {
if (isset($_GET['Mailings'])) {
function process_change_page()
{
// Check the XSRF token
if ($_POST['xsrf_token'] != $_SESSION['xsrf_token']) {
trigger_error('XSRF token invalid', E_USER_ERROR);
}
// Check that the passwords match, meet minimum length requirement
$pass = $_POST['pass1'];
if ($pass != $_POST['pass2']) {
show_new_password_page('The passwords that you entered do not match.', 'pass1');
return;
}
if (strlen($pass) < 8) {
show_new_password_page('Please choose a password that has at least 8 characters.', 'pass1');
return;
}
// Check that the user is allowed to change thier password
if (!isset($_SESSION['ACCOUNT_passreset_id'])) {
show_new_password_page('Error: You\'re not allowed to do this?!');
return;
}
// ** PASSWORD IS VALIDATED AT THIS POINT **
// Prevent from resubmitting this form
$id = $_SESSION['ACCOUNT_passreset_id'];
unset($_SESSION['ACCOUNT_passreset_id']);
unset($_SESSION['ACCOUNT_passreset_name']);
$query = 'SELECT email FROM users WHERE id="' . $id . '" LIMIT 1';
$result = DB::queryRaw($query);
$row = mysqli_fetch_assoc($result);
// Change password
$email = mysqli_real_escape_string(DB::get(), strtolower($row['email']));
$passhash = hash_pass($email, $pass);
$query = 'UPDATE users SET passhash="' . mysqli_real_escape_string(DB::get(), $passhash) . '", password_reset_code="0" WHERE id="' . $id . '" LIMIT 1';
DB::queryRaw($query);
// LOG IN
set_login_data($id);
// SHOW PAGE
page_header('Password Reset');
echo <<<HEREDOC
<h1>Password Reset</h1>
Your password has been changed successfully.
HEREDOC;
}
