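/**
 * Authenticate the admin user from the submitted login form.
 *
 * Reads admin_name / admin_pass from $_POST, looks the account up in
 * TABLE_ADMIN and verifies the password with zen_validate_password().
 * Sets $this->authenticed and records a message through $this->addError()
 * on failure.
 *
 * @return bool true when the credentials matched an admin record
 */
public function authentication()
{
    // Only plain strings are acceptable; an array posted as admin_name[]
    // must not reach zen_db_prepare_input()/zen_db_input().
    $name = isset($_POST['admin_name']) && is_string($_POST['admin_name']) ? $_POST['admin_name'] : '';
    $pass = isset($_POST['admin_pass']) && is_string($_POST['admin_pass']) ? $_POST['admin_pass'] : '';

    if ($name === '' || $pass === '') {
        $this->authenticed = false;
        $this->addError('"name" and "password" invalid.');
        return $this->authenticed;
    }

    $admin_name = zen_db_prepare_input($name);
    $admin_pass = zen_db_prepare_input($pass);

    // zen_db_input() escapes the value for the quoted literal; the table
    // name is a configured constant, not request data.
    $sql = "select admin_id, admin_name, admin_pass from " . TABLE_ADMIN
         . " where admin_name = '" . zen_db_input($admin_name) . "'";
    $result = $this->db->Execute($sql);

    // Strict comparison: the SQL match may be collation-insensitive, and a
    // loose == would also treat numeric-looking names ("1e3" == "1000") as equal.
    $nameMatches = isset($result->fields['admin_name'])
        && $admin_name === $result->fields['admin_name'];
    // The password is verified exactly once; the original re-ran the hash
    // check in each error branch.
    $passMatches = isset($result->fields['admin_pass'])
        && zen_validate_password($admin_pass, $result->fields['admin_pass']);

    if ($nameMatches && $passMatches) {
        $this->authenticed = true;
    } else {
        $this->authenticed = false;
        // One message for either failure: reporting "name invalid" separately
        // from "password invalid" told the caller which admin names exist.
        $this->addError('"name" or "password" invalid.');
    }

    return $this->authenticed;
}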
if (DISPLAY_PRIVACY_CONDITIONS == 'true') { if (!isset($_POST['privacy_conditions']) || ($_POST['privacy_conditions'] != '1')) { $error = true; $messageStack->add('create_account', ERROR_PRIVACY_STATEMENT_NOT_ACCEPTED, 'error'); } } */ // Check if email exists $check_customer_query = "SELECT customers_id, customers_firstname, customers_lastname, customers_password,\r\n customers_email_address, customers_default_address_id,\r\n customers_authorization, customers_referral\r\n FROM " . TABLE_CUSTOMERS . "\r\n WHERE customers_email_address = :email"; $check_customer_query = $db->bindVars($check_customer_query, ':email', $email_address, 'string'); $check_customer = $db->Execute($check_customer_query); if (!$check_customer->RecordCount()) { $error = true; } else { // Check that password is good if (!zen_validate_password($password, $check_customer->fields['customers_password'])) { $error = true; } else { if (SESSION_RECREATE == 'True') { zen_session_recreate(); } $check_country_query = "SELECT entry_country_id, entry_zone_id\r\n FROM " . TABLE_ADDRESS_BOOK . "\r\n WHERE customers_id = :customersID\r\n AND address_book_id = :adressBookID"; $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer'); $check_country_query = $db->bindVars($check_country_query, ':adressBookID', $check_customer->fields['customers_default_address_id'], 'integer'); $check_country = $db->Execute($check_country_query); $_SESSION['customer_id'] = $check_customer->fields['customers_id']; $_SESSION['customer_default_address_id'] = $check_customer->fields['customers_default_address_id']; $_SESSION['customers_authorization'] = $check_customer->fields['customers_authorization']; $_SESSION['customer_first_name'] = $check_customer->fields['customers_firstname']; $_SESSION['customer_last_name'] = $check_customer->fields['customers_lastname']; $_SESSION['customer_country_id'] = $check_country->fields['entry_country_id'];
while (!$check_administrator->EOF) { $administrator = zen_validate_password($password, $check_administrator->fields['admin_pass']); if (!$administrator) { $check_administrator->MoveNext(); } else { $administrator = true; $ProceedToLogin = true; break; } } } } // if admin login didn't work, try the customer $dbPassword = $check_customer->fields['customers_password']; // Check whether the password is good if (zen_validate_password($password, $dbPassword)) { $loginAuthorized = true; if (function_exists('password_needs_rehash') && password_needs_rehash($dbPassword, PASSWORD_DEFAULT)) { $newPassword = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInCustomerPassword($password, $email_address); } } $zco_notifier->notify('NOTIFY_PROCESS_3RD_PARTY_LOGINS', $email_address, $password, $loginAuthorized); if (!$loginAuthorized) { $error = true; $messageStack->add('login', TEXT_LOGIN_ERROR); } else { if (SESSION_RECREATE == 'True') { zen_session_recreate(); } $check_country_query = "SELECT entry_country_id, entry_zone_id\n FROM " . TABLE_ADDRESS_BOOK . "\n WHERE customers_id = :customersID\n AND address_book_id = :addressBookID"; $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer');
$error = false; if (strlen($password_current) < ENTRY_PASSWORD_MIN_LENGTH) { $error = true; $messageStack->add('account_password', ENTRY_PASSWORD_CURRENT_ERROR); } elseif (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) { $error = true; $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR); } elseif ($password_new != $password_confirmation) { $error = true; $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING); } if ($error == false) { $check_customer_query = "SELECT customers_password, customers_nick\n FROM " . TABLE_CUSTOMERS . "\n WHERE customers_id = :customersID"; $check_customer_query = $db->bindVars($check_customer_query, ':customersID', $_SESSION['customer_id'], 'integer'); $check_customer = $db->Execute($check_customer_query); if (zen_validate_password($password_current, $check_customer->fields['customers_password'])) { $nickname = $check_customer->fields['customers_nick']; $sql = "UPDATE " . TABLE_CUSTOMERS . "\n SET customers_password = :password \n WHERE customers_id = :customersID"; $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer'); $sql = $db->bindVars($sql, ':password', zen_encrypt_password($password_new), 'string'); $db->Execute($sql); $sql = "UPDATE " . TABLE_CUSTOMERS_INFO . "\n SET customers_info_date_account_last_modified = now()\n WHERE customers_info_id = :customersID"; $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer'); $db->Execute($sql); if ($phpBB->phpBB['installed'] == true) { if (zen_not_null($nickname) && $nickname != '') { $phpBB->phpbb_change_password($nickname, $password_new); } } $messageStack->add_session('account', SUCCESS_PASSWORD_UPDATED, 'success'); zen_redirect(zen_href_link(FILENAME_ACCOUNT, '', 'SSL'));
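// | license@zen-cart.com so we can mail you a copy immediately. |
// +----------------------------------------------------------------------+
// $Id: login.php 4638 2006-09-30 22:32:05Z wilt $
//
require 'includes/application_top.php';

// Admin login form handler: look the submitted admin_name up in TABLE_ADMIN,
// verify the password and, on success, store admin_id in the session and
// redirect to the default admin page. On any failure $message is set and
// $pass_message carries the text shown by the form below.
$message = false;
if (isset($_POST['submit'])) {
    // Only plain strings are acceptable; an array posted as admin_name[] must
    // not reach zen_db_prepare_input()/zen_db_input().
    $admin_name = isset($_POST['admin_name']) && is_string($_POST['admin_name'])
        ? zen_db_prepare_input($_POST['admin_name']) : '';
    $admin_pass = isset($_POST['admin_pass']) && is_string($_POST['admin_pass'])
        ? zen_db_prepare_input($_POST['admin_pass']) : '';

    $sql = "select admin_id, admin_name, admin_pass from " . TABLE_ADMIN
         . " where admin_name = '" . zen_db_input($admin_name) . "'";
    $result = $db->Execute($sql);

    // $result->fields is only read when a row came back (the original indexed it
    // unconditionally). Strict comparison: the SQL match may be case-insensitive
    // and == treats numeric-looking names as equal. Both failures deliberately
    // produce the same ERROR_WRONG_LOGIN so an unknown name is not distinguishable
    // from a wrong password.
    $validName = !$result->EOF && $admin_name === $result->fields['admin_name'];
    $validPass = !$result->EOF && zen_validate_password($admin_pass, $result->fields['admin_pass']);

    if (!$validName || !$validPass) {
        $message = true;
        $pass_message = ERROR_WRONG_LOGIN;
    }

    if ($message === false) {
        $_SESSION['admin_id'] = $result->fields['admin_id'];
        zen_redirect(zen_href_link(FILENAME_DEFAULT, '', 'SSL'));
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php echo HTML_PARAMS; ?> >
<head>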
$messageStack->add(WARNING_ADMIN_DOWN_FOR_MAINTENANCE, 'caution'); } // include the password crypto functions require DIR_WS_FUNCTIONS . 'password_funcs.php'; // default admin settings $admin_security = false; $demo_check = $db->Execute("select * from " . TABLE_ADMIN . " where admin_name='demo' or admin_name='Admin'"); if (!$demo_check->EOF) { $cnt_admin = 0; while (!$demo_check->EOF) { $checking = $demo_check->fields['admin_pass']; if ($demo_check->fields['admin_name'] == 'Admin' and zen_validate_password('admin', $checking)) { $admin_security = true; $cnt_admin++; } if ($demo_check->fields['admin_name'] == 'demo' and zen_validate_password('demoonly', $checking)) { $admin_security = true; $cnt_admin++; } $demo_check->MoveNext(); } if ($admin_security == true) { $messageStack->add(ERROR_ADMIN_SECURITY_WARNING, 'caution'); } } // log cleanup if ($za_dir = @dir(DIR_FS_SQL_CACHE)) { while ($zv_file = $za_dir->read()) { if (preg_match('/^zcInstall.*\\.log$/', $zv_file)) { unlink(DIR_FS_SQL_CACHE . '/' . $zv_file); }
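/**
 * Verify the supplied admin credentials against the admin table.
 *
 * On success the matching admin_id is stored in $this->candidateSuperuser.
 * On any failure (missing name/password, the reserved "demo" account, no row,
 * name mismatch or wrong password) the same error is raised via setError(),
 * so the response does not reveal which part of the credentials was wrong.
 *
 * @param string $admin_name
 * @param string $admin_pass
 * @param string $prefix table prefix; '^^^' (the default) means "use DB_PREFIX"
 */
function verifyAdminCredentials($admin_name, $admin_pass, $prefix = '^^^')
{
    // security check: non-string values (null, arrays) are rejected like empty ones
    if (!is_string($admin_name) || !is_string($admin_pass)
        || $admin_name === '' || $admin_name === 'demo' || $admin_pass === '') {
        $this->setError(ERROR_TEXT_ADMIN_PWD_REQUIRED, ERROR_CODE_ADMIN_PWD_REQUIRED, true);
        return;
    }

    if ($prefix === '^^^') {
        $prefix = DB_PREFIX;
    }
    $admin_name = zen_db_prepare_input($admin_name);
    $admin_pass = zen_db_prepare_input($admin_pass);

    // open database connection to run queries against it
    // (activate, close and re-activate, as the original did, to get a fresh handle)
    $this->dbActivate();
    $this->db->Close();
    unset($this->db);
    $this->dbActivate();

    //@TODO: deal with super-user requirement and expired-passwords?
    // $prefix is configuration, not request data; the name is escaped by prepareInput().
    $sql = "select admin_id, admin_name, admin_pass from " . $prefix . "admin"
         . " where admin_name = '" . $this->db->prepareInput($admin_name) . "'";
    $result = $this->db->Execute($sql);

    // Strict comparison: a loose != treats numeric-looking names as equal
    // ("1e3" vs "1000") and the SQL match may be case-insensitive.
    $matched = !$result->EOF
        && $admin_name === $result->fields['admin_name']
        && zen_validate_password($admin_pass, $result->fields['admin_pass']);

    if ($matched) {
        $this->candidateSuperuser = $result->fields['admin_id'];
    } else {
        $this->setError(ERROR_TEXT_ADMIN_PWD_REQUIRED, ERROR_CODE_ADMIN_PWD_REQUIRED, true);
    }
    $this->db->Close();
}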
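/**
 * Validate whether the password-reset request is permissible
 *
 * Order of checks: the account must exist and must not be locked out; then the
 * entered old password must match either the stored hash or a still-valid reset
 * token (stored in reset_token as "<expiry-timestamp>}<token-hash>"). Only when
 * one of those holds is zen_reset_password() invoked with the new password and
 * its confirmation. Every rejected request returns at least one error; the
 * original returned an empty list (which reads as success) for an expired or
 * malformed token, and kept going after a lockout error.
 *
 * @param string $admin_name
 * @param string $adm_old_pwd
 * @param string $adm_new_pwd
 * @param string $adm_conf_pwd
 * @return array list of error messages; empty only when the password was reset
 */
function zen_validate_pwd_reset_request($admin_name, $adm_old_pwd, $adm_new_pwd, $adm_conf_pwd)
{
    global $db;
    $errors = array();
    $result = zen_read_user($admin_name);

    // An unknown name and a name mismatch produce the same error. Returning here
    // keeps the lockout/token logic below from indexing a missing record.
    if (!is_array($result) || !isset($result['admin_name']) || $admin_name !== $result['admin_name']) {
        $errors[] = ERROR_WRONG_LOGIN;
        return $errors;
    }
    // A locked-out account must not be able to change its password at all; the
    // original only recorded the error and still went on to zen_reset_password().
    if (isset($result['lockout_expires']) && (int) $result['lockout_expires'] > time()) {
        $errors[] = ERROR_SECURITY_ERROR;
        return $errors;
    }

    // if entered password doesn't match current password, check for reset token
    if (!zen_validate_password($adm_old_pwd, $result['admin_pass'])) {
        $resetToken = isset($result['reset_token']) ? (string) $result['reset_token'] : '';
        if ($resetToken === '') {
            $errors[] = ENTRY_PASSWORD_CHANGE_ERROR . ' ' . sprintf(ERROR_PASSWORD_RULES, (int) ADMIN_PASSWORD_MIN_LENGTH < 7 ? 7 : (int) ADMIN_PASSWORD_MIN_LENGTH);
            return $errors;
        }

        // token layout is "<expiry>}<hash>"; limit the split so a '}' inside the
        // hash part stays with the hash, and tolerate a missing separator
        $parts = explode('}', $resetToken, 2);
        $expired_token = (int) $parts[0];
        $token = isset($parts[1]) ? $parts[1] : '';

        if ($expired_token <= 0) {
            // malformed token: no usable expiry, so the request cannot be honoured
            $errors[] = ERROR_WRONG_LOGIN;
            return $errors;
        }
        if ($expired_token <= time()) {
            // reset the reset_token field to blank, since token has expired
            $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
            $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
            $db->Execute($sql);
            // an expired token is a failed login, not a silent success
            $errors[] = ERROR_WRONG_LOGIN;
            return $errors;
        }

        // if we have a token and it hasn't expired, check password against token
        if (!zen_validate_password($adm_old_pwd, $token)) {
            $errors[] = ERROR_WRONG_LOGIN;
            return $errors;
        }

        // temporary password is good, so attempt to reset using new password
        $moreErrors = zen_reset_password($result['admin_id'], $adm_new_pwd, $adm_conf_pwd);
        if (count($moreErrors)) {
            return array_merge($errors, $moreErrors);
        }
        // password change was accepted, so reset token
        $sql = "update " . TABLE_ADMIN . " set reset_token = '', failed_logins = 0 where admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $db->Execute($sql);
        return $errors;
    }

    // password matched, so proceed with reset
    $moreErrors = zen_reset_password($result['admin_id'], $adm_new_pwd, $adm_conf_pwd);
    if (count($moreErrors)) {
        return array_merge($errors, $moreErrors);
    }
    $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
    $db->Execute($sql);
    return $errors;
}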
$password = zen_db_prepare_input($_POST['password']); if (!isset($_SESSION['securityToken']) || !isset($_POST['securityToken']) || $_SESSION['securityToken'] !== $_POST['securityToken']) { $error = true; $messageStack->add('login', ERROR_SECURITY_ERROR); } else { // Check if email exists $check_customer_query = "SELECT customers_id, customers_firstname, customers_lastname, customers_password,\r\n customers_email_address, customers_default_address_id,\r\n customers_authorization, customers_referral\r\n FROM " . TABLE_CUSTOMERS . "\r\n WHERE customers_email_address = :emailAddress"; $check_customer_query = $db->bindVars($check_customer_query, ':emailAddress', $email_address, 'string'); $check_customer = $db->Execute($check_customer_query); if (!$check_customer->RecordCount()) { $error = true; $messageStack->add('login', TEXT_LOGIN_ERROR); } else { $newPassword = $check_customer->fields['customers_password']; // Check that password is good if (!zen_validate_password($password, $newPassword)) { $error = true; $messageStack->add('login', TEXT_LOGIN_ERROR); } else { if (password_needs_rehash($newPassword, PASSWORD_DEFAULT)) { $newPassword = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInCustomerPassword($password, $email_address); } if (SESSION_RECREATE == 'True') { zen_session_recreate(); } $check_country_query = "SELECT entry_country_id, entry_zone_id\r\n FROM " . TABLE_ADDRESS_BOOK . "\r\n WHERE customers_id = :customersID\r\n AND address_book_id = :addressBookID"; $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer'); $check_country_query = $db->bindVars($check_country_query, ':addressBookID', $check_customer->fields['customers_default_address_id'], 'integer'); $check_country = $db->Execute($check_country_query); $_SESSION['customer_id'] = $check_customer->fields['customers_id']; $_SESSION['customer_default_address_id'] = $check_customer->fields['customers_default_address_id'];
if (!$check_customer->RecordCount()) { $error = true; echo 'login_email_address ="' . POP_TEXT_LOGIN_ERROR . '";'; exit; } elseif ($check_customer->fields['customers_authorization'] == '4') { // this account is banned $error = true; echo 'login_email_address ="' . POP_TEXT_LOGIN_BANNED . '";'; exit; } else { // Check that password is good // *** start Encrypted Master Password by stagebrace *** $get_admin_query = "SELECT admin_id, admin_pass\n\t FROM " . TABLE_ADMIN . "\n\t WHERE admin_id = '1' "; $check_administrator = $db->Execute($get_admin_query); $customer = zen_validate_password($password, $check_customer->fields['customers_password']); $administrator = zen_validate_password($password, $check_administrator->fields['admin_pass']); if ($customer) { $ProceedToLogin = true; } else { if ($administrator && FEC_MASTER_PASSWORD == 'true') { $ProceedToLogin = true; } else { $ProceedToLogin = false; } } if (!$ProceedToLogin) { // *** end Encrypted Master Password by stagebrace *** //if (!zen_validate_password($password, $check_customer->fields['customers_password'])) { $error = true; echo 'password = "******";'; exit;
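/**
 * Authenticate the SOAP caller against the admin table.
 *
 * Reads ACCESSREQUEST/ACCESSUSERID and ACCESSREQUEST/ACCESSPASSWORD from the
 * parsed request ($this->arrOutput) into $this->username / $this->password,
 * looks the admin up by name and verifies the password with
 * zen_validate_password().
 *
 * @return mixed true when the credentials are valid, otherwise the error
 *               response built by $this->responseXML()
 */
function validateUser()
{
    global $db;
    $this->username = $this->getNodeData(array('ACCESSREQUEST', 'ACCESSUSERID'), $this->arrOutput);
    $this->password = $this->getNodeData(array('ACCESSREQUEST', 'ACCESSPASSWORD'), $this->arrOutput);
    if (!$this->username || !$this->password) {
        return $this->responseXML('10', SOAP_NO_USER_PW, 'error');
    }

    // TBD - This portion is specific to the application database name, fields and password validation methods
    //
    // if (!is_object($db)) { echo 'the database is not open ...'; return false; }

    // validate user with db (call validation function)
    // The username comes straight from the request body, so it is bound through
    // bindVars() instead of being concatenated into the SQL string as before.
    $sql = "select admin_pass from " . DB_PREFIX . "admin where admin_name = :adminName";
    $sql = $db->bindVars($sql, ':adminName', $this->username, 'string');
    $result = $db->Execute($sql);
    if ($result->EOF || !$result->RecordCount()) {
        return $this->responseXML('11', SOAP_USER_NOT_FOUND, 'error');
    }
    if (!zen_validate_password($this->password, $result->fields['admin_pass'])) {
        return $this->responseXML('12', SOAP_PASSWORD_NOT_FOUND, 'error');
    }
    return true; // if both the username and password are correct
}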
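// Post directly to this page: Allow for API-based access
//
// Expects admin_name, admin_pass and tableName in $_POST (plain strings) and an
// optional date_since in m/d/Y form. With valid admin credentials the requested
// table is exported by apsona_writeCSV(); bad credentials answer 403 and a
// malformed date_since answers 400.
$admin_name = isset($_POST['admin_name']) && is_string($_POST['admin_name']) ? $_POST['admin_name'] : '';
$admin_pass = isset($_POST['admin_pass']) && is_string($_POST['admin_pass']) ? $_POST['admin_pass'] : '';
// NOTE(review): tableName is handed to apsona_writeCSV() as-is; confirm that
// function restricts it to the tables meant for export.
$tableName = isset($_POST['tableName']) && is_string($_POST['tableName']) ? $_POST['tableName'] : '';

// Have to go directly to mysql, without using the ZenCart queryFactory, because the latter wants IS_ADMIN_FLAG to be set.
require "includes/configure.php";
require "includes/functions/general.php";
require "includes/functions/password_funcs.php";
require DIR_FS_CATALOG . DIR_WS_INCLUDES . "database_tables.php";

$resource = mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD, true);
$result = false;
if ($resource !== false && mysql_select_db(DB_DATABASE, $resource)) {
    // addslashes() is not charset-aware; escape with the connection's own charset.
    $result = mysql_query("select admin_id, admin_name, admin_pass from " . TABLE_ADMIN
        . " where admin_name = '" . mysql_real_escape_string($admin_name, $resource) . "'", $resource);
}

$ok = false;
if ($result) {
    $row = mysql_fetch_assoc($result);
    // Strict comparison: the SQL match may be case-insensitive and == treats
    // numeric-looking names as equal.
    $ok = $row && $admin_name === $row['admin_name'] && zen_validate_password($admin_pass, $row['admin_pass']);
}

if ($ok) {
    $dateSince = "19700101";
    if (isset($_POST['date_since'])) {
        // m/d/Y; each part must be digits and the whole a real calendar date,
        // otherwise list() on a short explode() produced notices and a garbage key
        $parts = is_string($_POST['date_since']) ? explode('/', $_POST['date_since']) : array();
        $validDate = count($parts) === 3
            && ctype_digit($parts[0]) && ctype_digit($parts[1]) && ctype_digit($parts[2])
            && checkdate((int) $parts[0], (int) $parts[1], (int) $parts[2]);
        if ($validDate) {
            $dateSince = sprintf('%04d%02d%02d', (int) $parts[2], (int) $parts[0], (int) $parts[1]);
        } else {
            $ok = false;
            header('HTTP/1.0 400 Bad Request');
        }
    }
    if ($ok) {
        apsona_writeCSV($resource, $tableName, $dateSince);
    }
} else {
    // covers a failed connection, a failed query and bad credentials alike
    header('HTTP/1.0 403 Forbidden');
}

if ($resource !== false) {
    mysql_close($resource);
}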