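/**
 * Authenticate $user/$pass against the users table and populate the session.
 *
 * Session keys written: 'auth' (bool), 'user', 'login_err', 'pass_count'
 * (the account's missed-login counter), 'user_count' (incremented here only
 * when the user name is unknown, reset to 1 on success) and, on success,
 * 'user_array' (the users row), 'justlogged' and 'if_lang'.
 *
 * Values of $_SESSION['login_err'] set here:
 *   1   wrong password
 *   2   unknown user
 *   3   a CAPTCHA was required and captcha_verify_word() failed
 *   403 the account's 'active' flag is 0 (see the note in the body)
 *
 * Two older password storage formats are accepted for accounts whose
 * last_login predates PRENORAINBOW_TIMESTAMP / PRENOPHASH_TIMESTAMP; such a
 * login re-hashes the password in the current format.
 *
 * Fixes over the previous version: the SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION
 * setting is normalised to a strict bool with the same spellings the
 * registration code accepts ('on', 'true', '1', true) — before, a value such
 * as '1' or 'off' was a truthy string that verified with SHA-256 but
 * re-hashed with password_hash(); the duplicated success path is one helper;
 * the session id is regenerated on successful authentication.
 *
 * @param string $user    submitted login name (untrusted)
 * @param string $pass    submitted plaintext password (untrusted)
 * @param PDO    $link    open database connection
 * @param bool   $confirm true for flows that must keep the stored recovery
 *                        token; a CAPTCHA is then always required
 * @return bool true when the credentials were accepted
 */
function process_login($user, $pass, $link, $confirm = false)
{
    $_SESSION['auth'] = false;
    $_SESSION['user'] = $user;

    // Per-session throttle: after six attempts naming unknown users a CAPTCHA
    // is required before anything is looked up. isset() keeps the behaviour
    // of an unset counter (treated as 0) without an undefined-index notice.
    $unknownUserAttempts = isset($_SESSION['user_count']) ? $_SESSION['user_count'] : 0;
    if ($unknownUserAttempts > 6 && !captcha_verify_word()) {
        $_SESSION['login_err'] = 3;
        return false;
    }

    $stmt = $link->prepare("SELECT * FROM users WHERE user = :user");
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $user_array = ($stmt->execute() !== false) ? $stmt->fetch(PDO::FETCH_ASSOC) : false;
    if (!$user_array) {
        // NOTE(review): a distinct error code and an early return before any
        // hash computation let a client tell "unknown user" from "wrong
        // password" (by code and by response time). Returning the same code
        // as a wrong password and running a dummy password_verify() here would
        // close that gap; left unchanged because callers may map code 2.
        $_SESSION['login_err'] = 2;
        $_SESSION['user_count'] = $unknownUserAttempts + 1;
        return false;
    }

    $_SESSION['pass_count'] = $user_array['missed_logins'];

    if ($user_array['active'] == 0) {
        // NOTE(review): only the error code is recorded; the checks below still
        // run and the function can return true with auth = true for an
        // inactive account. Confirm that every caller treats login_err 403 as
        // a failed login — otherwise this should return false here.
        $_SESSION['login_err'] = 403;
    }

    // Per-account throttle: after nine misses (or always in the confirm flow)
    // a CAPTCHA is required.
    if (($user_array['missed_logins'] > 9 || $confirm) && !captcha_verify_word()) {
        $_SESSION['login_err'] = 3;
        return false;
    }

    $use_password_verify = _process_login_use_password_hash();

    if ($use_password_verify) {
        $hashOK = password_verify($pass, $user_array['pass']);
    } else {
        // Legacy scheme: SHA-256 over the password plus a site-wide constant
        // salt (no per-user salt). hash_equals() would be preferable to ===
        // once PHP >= 5.6 can be assumed.
        $hashOK = ($user_array['pass'] === hash("sha256", $pass . NORAINBOW_SALT));
    }

    if ($hashOK) {
        _process_login_record_success($user, $link, $confirm, $user_array, $use_password_verify, null);
        return true;
    }

    // Transparent upgrade of two older storage formats, each accepted only for
    // accounts that have not logged in since the format was retired:
    //  - pre-salt era: sha256(sha256(pass) . NORAINBOW_SALT)
    //  - pre-password_hash era (only when password_hash() is the current
    //    format): sha256(pass . NORAINBOW_SALT)
    $preSaltFormat = $user_array['last_login'] < PRENORAINBOW_TIMESTAMP
        && $user_array['pass'] === hash("sha256", hash("sha256", $pass) . NORAINBOW_SALT);
    $preHashFormat = $use_password_verify
        && $user_array['last_login'] < PRENOPHASH_TIMESTAMP
        && $user_array['pass'] === hash("sha256", $pass . NORAINBOW_SALT);

    if ($preSaltFormat || $preHashFormat) {
        $rehashed = $use_password_verify
            ? password_hash($pass, SYNAPP_PASSWORD_DEFAULT)
            : hash("sha256", $pass . NORAINBOW_SALT);
        _process_login_record_success($user, $link, $confirm, $user_array, $use_password_verify, $rehashed);
        return true;
    }

    // Wrong password: record the miss on the account.
    $_SESSION['login_err'] = 1;
    $user_array['missed_logins']++;
    $_SESSION['pass_count'] = $user_array['missed_logins'];
    $stmt = $link->prepare("UPDATE users SET missed_logins = :missed_logins WHERE user = :user");
    $stmt->bindValue(':missed_logins', $user_array['missed_logins'], PDO::PARAM_INT);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    _process_login_execute_or_die($stmt, $link);
    return false;
}

/**
 * Normalise the SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION setting to a bool.
 *
 * Accepts true or the strings 'on', 'true' and '1' (trimmed, case-insensitive)
 * — the same spellings process_registration_form() accepts — so that login
 * and registration agree on the hash format. Any other value, or an undefined
 * constant, selects the legacy SHA-256 scheme.
 *
 * @return bool
 */
function _process_login_use_password_hash()
{
    if (!defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION')) {
        return false;
    }
    $setting = SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION;
    if ($setting === true) {
        return true;
    }
    return is_string($setting)
        && in_array(trim(strtolower($setting)), array('on', 'true', '1'), true);
}

/**
 * Execute a prepared statement; on failure log the driver error and abort the
 * request (the file's existing convention for write failures).
 *
 * @param PDOStatement $stmt
 * @param PDO          $link
 * @return void
 */
function _process_login_execute_or_die($stmt, $link)
{
    if ($stmt->execute() === false) {
        error_log(var_export($link->errorInfo(), true));
        die("Error performing database operation.");
    }
}

/**
 * Mark the login as successful: fill the session, rotate the recovery token
 * (unless $confirm) and persist last_login / ip / a reset missed_logins.
 *
 * @param string      $user
 * @param PDO         $link
 * @param bool        $confirm             when true the recovery token is left untouched
 * @param array       $user_array          the users row that was authenticated
 * @param bool        $use_password_verify whether password_hash() is the current format
 * @param string|null $rehashedPass        new stored password (format migration), or null to keep it
 * @return void
 */
function _process_login_record_success($user, $link, $confirm, $user_array, $use_password_verify, $rehashedPass)
{
    $user_array['missed_logins'] = 0; // keep the session copy consistent with the UPDATE below
    $_SESSION['user_array'] = $user_array;
    $_SESSION['auth'] = true;
    $_SESSION['justlogged'] = true;
    $_SESSION['if_lang'] = $user_array['interface_language'];
    $_SESSION['user_count'] = 1;
    $_SESSION['pass_count'] = 0;

    // A fresh session id on authentication defeats session fixation; the
    // session data is carried over.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    $time = time();

    if (!$confirm) {
        // Any outstanding recovery token becomes unusable: the stored value is
        // replaced by the hash of a fresh random value that is not kept.
        $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
        $recovery = $use_password_verify
            ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT)
            : hash("sha256", $prng->rand());
        $stmt = $link->prepare("UPDATE users SET recovery = :recovery WHERE user = :user");
        $stmt->bindValue(':recovery', $recovery, PDO::PARAM_STR);
        $stmt->bindValue(':user', $user, PDO::PARAM_STR);
        _process_login_execute_or_die($stmt, $link);
    }

    // ip2long() returns false for anything but a dotted IPv4 address (IPv6
    // included); such clients are stored as 0, as before.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? ip2long($_SERVER['REMOTE_ADDR']) : false;
    if ($ip === false) {
        $ip = 0;
    }

    if ($rehashedPass === null) {
        $stmt = $link->prepare("UPDATE users SET missed_logins='0', last_login = :time, ip = :ip WHERE user = :user");
    } else {
        $stmt = $link->prepare("UPDATE users SET missed_logins='0', last_login=:time, ip=:ip, pass = :pass WHERE user = :user");
        $stmt->bindValue(':pass', $rehashedPass, PDO::PARAM_STR);
    }
    $stmt->bindValue(':time', $time, PDO::PARAM_INT);
    $stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    _process_login_execute_or_die($stmt, $link);
}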
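/**
 * Validate a registration form and, when every field is acceptable, create
 * the user row.
 *
 * Validation order: user name (parse()), password (parse() plus the
 * equal-to-user-name and repeat checks), interface language (must be one of
 * $_SESSION['interface_languages']), then — only when all of those passed —
 * the CAPTCHA (unless $nocaptcha) and a duplicate-user check.
 *
 * Fixes over the previous version: the hash-format setting is evaluated once
 * instead of twice; a failed INSERT no longer echoes the driver error and the
 * SQL text to the browser (they go to error_log only); a missing 'pass2' no
 * longer raises an undefined-index notice.
 *
 * @param PDO   $link      open database connection
 * @param array $rd        submitted fields: 'user', 'pass', 'pass2', 'ilang',
 *                         optionally 'fbid' (all untrusted)
 * @param bool  $nocaptcha true to skip captcha_verify_word()
 * @return array keys 'err' (bool: any failure), 'usr', 'pass', 'il', 'capt'
 *               (per-field message, a REG_ERR_* constant, or "")
 */
function process_registration_form($link, $rd, $nocaptcha = false)
{
    $ea = array('err' => false, 'usr' => "", 'pass' => "", 'il' => "", 'capt' => "");

    // User name: parse() returns 0 when acceptable, otherwise a reason code
    // (1..4 carry a message; other codes only set 'err').
    $usrMessages = array(1 => REG_ERR_USR_1, 2 => REG_ERR_USR_2, 3 => REG_ERR_USR_3, 4 => REG_ERR_USR_4);
    $code = parse($rd['user'], USER_MINLENGTH, USER_MAXLENGTH);
    if ($code !== 0) {
        $ea['usr'] = isset($usrMessages[$code]) ? $usrMessages[$code] : "";
        $ea['err'] = true;
    } elseif ($rd['user'] === $rd['pass']) {
        // A password identical to the user name is refused.
        $ea['pass'] = REG_ERR_PASS_1;
        $ea['err'] = true;
    }

    // Password: same parse() call as before (the fourth argument, 1, is kept
    // as the original passed it; parse() is defined elsewhere). Codes 2..5
    // carry a message and overwrite REG_ERR_PASS_1; code 1 only sets 'err'.
    $passMessages = array(2 => REG_ERR_PASS_2, 3 => REG_ERR_PASS_3, 4 => REG_ERR_PASS_4, 5 => REG_ERR_PASS_5);
    $code = parse($rd['pass'], PASS_MINLENGTH, PASS_MAXLENGTH, 1);
    if ($code !== 0) {
        if (isset($passMessages[$code])) {
            $ea['pass'] = $passMessages[$code];
        }
        $ea['err'] = true;
    } elseif (!isset($rd['pass2']) || $rd['pass'] !== $rd['pass2']) {
        $ea['pass'] = REG_ERR_PASS_6;
        $ea['err'] = true;
    }

    // Interface language must be one of the choices held in the session.
    // Loose comparison kept: the type of $lang['val'] is not visible here.
    $ilang = isset($rd['ilang']) ? $rd['ilang'] : "";
    $known = false;
    foreach ($_SESSION['interface_languages'] as $lang) {
        if ($lang['val'] == $ilang) {
            $known = true;
            break;
        }
    }
    if ($ilang == "" || !$known) {
        $ea['il'] = REG_ERR_ILANG;
        $ea['err'] = true;
    }

    // The CAPTCHA and the database lookup run only once the field checks pass.
    if (!$ea['err']) {
        if (!$nocaptcha && !captcha_verify_word()) {
            $ea['capt'] = REG_ERR_CAPT;
            $ea['err'] = true;
        } elseif (user_exist($link, $rd['user'])) {
            $ea['usr'] = REG_ERR_USR_5;
            $ea['err'] = true;
        }
    }
    if ($ea['err']) {
        return $ea;
    }

    // Assign a working group at random.
    $stmt = $link->query("SELECT name FROM groups ORDER BY RAND() LIMIT 1");
    if ($stmt === false || ($row = $stmt->fetch(PDO::FETCH_ASSOC)) === false) {
        error_log("Database operation error retrieving user registration group.");
        die("Database operation error.");
    }
    $group = $row['name'];

    // One decision on the hash format, used for the password, the recovery
    // token and the e-mail confirmation code alike.
    $usePasswordHash = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION')
        && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true
            || (is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)
                && in_array(trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)), array('on', 'true', '1'), true)));
    $hashedPassword = $usePasswordHash
        ? password_hash($rd['pass'], SYNAPP_PASSWORD_DEFAULT)
        : hash("sha256", $rd['pass'] . NORAINBOW_SALT);

    // Recovery token and e-mail confirmation code are stored hashed; the
    // generated values are not kept anywhere in this function.
    $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
    $recovery = $usePasswordHash
        ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT)
        : hash("sha256", $prng->rand());
    $emailConfirmationCode = $usePasswordHash
        ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT)
        : hash("sha256", $prng->rand());

    $sql = "INSERT INTO users (\n user\n , pass \n , recovery\n , firstdate\n , hfirstdate\n , missed_logins\n , last_login\n , hlast_login\n , ip\n , last_update\n , interface_language\n , hinterface_language\n , working_group\n , hworking_group\n , input_language\n , hinput_language\n , hprofile\n , gender\n , hgender\n , birthday\n , hbirthday\n , studies\n , hstudies\n , studies_type\n , hstudies_type\n , studies_level\n , hstudies_level\n , occupation\n , hoccupation\n , email\n , hemail\n , email_confirmation_code\n , confirmed_email\n , avatar\n , nocaptcha\n , hstats\n , ditloid_lock_timestamp\n , ditloid_time_left_when_locked\n , gotestbefore \n , gotestafter\n , timer_ctestb_start\n , timer_ctestb_end\n , timer_utestb_start\n , timer_utestb_end\n , timer_utesta_start\n , timer_utesta_end\n , timer_ctesta_start\n , timer_ctesta_end\n , fbid\n , active\n ) VALUES (\n :user\n , :hashedpass \n , :recovery\n , :firstdate\n , b'0' -- hfirstdate\n , 0 -- missed_logins\n , :lastlogin -- last_login\n , b'0' -- hlast_login\n , 0 -- ip\n , 0 -- last_update\n , :ilang -- interface_language\n , b'0' -- hinterface_language\n , :group -- working_group\n , b'0' -- hworking_group\n , :iolang -- input_language\n , b'0' -- hinput_language\n , b'0' -- hprofile\n , '' -- gender\n , b'0' -- hgender\n , NULL -- birthday\n , b'0' -- hbirthday\n , '' -- studies\n , b'0' -- hstudies\n , '' -- studies_type\n , b'0' -- hstudies_type\n , NULL -- studies_level\n , b'0' -- hstudies_level\n , '' -- occupation\n , b'0' -- hoccupation\n , '' -- email\n , b'0' -- hemail\n , :emailconfirmationcode\n , 1 -- confirmed_email\n , '' -- avatar\n , b'0' -- nocaptcha\n , b'0' -- hstats\n , 0 -- ditloid_lock_timestamp\n , 0 -- ditloid_time_left_when_locked\n , 1 -- gotestbefore \n , 0 -- gotestafter\n , 0 -- timer_ctestb_start\n , 0 -- timer_ctestb_end\n , 0 -- timer_utestb_start\n , 0 -- timer_utestb_end\n , 0 -- timer_utesta_start\n , 0 -- timer_utesta_end\n , 0 -- timer_ctesta_start\n , 0 -- timer_ctesta_end\n , :fbid -- fbid\n , 1 -- active\n )";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':user', $rd['user'], PDO::PARAM_STR);
    $stmt->bindValue(':hashedpass', $hashedPassword, PDO::PARAM_STR);
    $stmt->bindValue(':recovery', $recovery, PDO::PARAM_STR);
    $now = time();
    $stmt->bindValue(':firstdate', $now, PDO::PARAM_INT);
    $stmt->bindValue(':lastlogin', $now, PDO::PARAM_INT);
    $stmt->bindValue(':ilang', $_SESSION['if_lang'], PDO::PARAM_STR);
    $stmt->bindValue(':group', $group, PDO::PARAM_STR);
    $stmt->bindValue(':iolang', $rd['ilang'], PDO::PARAM_STR);
    // NOTE(review): fbid is stored exactly as submitted. Confirm it originates
    // from a server-side verified Facebook login rather than straight from
    // the client; otherwise an account could be linked to a Facebook id the
    // registrant does not control.
    if (isset($rd['fbid'])) {
        $stmt->bindValue(':fbid', $rd['fbid'], PDO::PARAM_STR);
    } else {
        $stmt->bindValue(':fbid', null, PDO::PARAM_NULL);
    }
    $stmt->bindValue(':emailconfirmationcode', $emailConfirmationCode, PDO::PARAM_STR);
    if ($stmt->execute() === false) {
        // Driver error text and the statement are logged, not shown to the
        // user (they reveal schema and configuration details).
        error_log(var_export($link->errorInfo(), true) . PHP_EOL . $sql);
        die("Database operation error.");
    }
    return $ea;
}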
} else { $_SESSION['if_lang'] = "eng"; } } $langfile = 'profiletxt.php'; if (file_exists(dirname(__FILE__) . '/../languages/' . $_SESSION['if_lang'] . '/' . $langfile)) { /** @noinspection PhpIncludeInspection */ require_once dirname(__FILE__) . '/../languages/' . $_SESSION['if_lang'] . '/' . $langfile; } else { /** @noinspection PhpIncludeInspection */ require_once dirname(__FILE__) . '/../languages/eng/' . $langfile; } if (isset($_POST['user']) && isset($_POST['code'])) { $user = $_POST['user']; $code = $_POST['code']; if (captcha_verify_word()) { $link = connect(); $sql = "SELECT * FROM users WHERE user = :user"; $stmt = $link->prepare($sql); $stmt->bindValue(':user', $user, PDO::PARAM_STR); if ($stmt->execute() === false || $stmt->rowCount() < 1) { die("Invalid request."); } $row = $stmt->fetch(PDO::PARAM_STR); $_SESSION['if_lang'] = $row['interface_language']; $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false; if ($use_password_verify && password_verify($code, $row['email_confirmation_code']) || !$use_password_verify && $row['email_confirmation_code'] === hash('sha256', $code)) { $break = false; $insert = true; $sql = "SELECT * FROM confirmed_emails WHERE email = :email"; $stmt = $link->prepare($sql);
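/**
 * Handle the "change e-mail" editor on the profile page.
 *
 * Reads the submitted form from $_POST (the field named $edit, the 'edit'
 * marker and the CAPTCHA word), applies the change through change() and, for
 * a new non-empty address, sends a confirmation mail; in every other case the
 * edit form is rendered (with the error message for $error, if any).
 *
 * Fixes over the previous version: every value that came from the request or
 * the session ($_POST[$edit], the session e-mail and user name, $edit itself)
 * is escaped for the context it is written into — HTML attributes via
 * htmlspecialchars(), JavaScript string literals via json_encode() — where
 * before they were concatenated raw (stored/reflected XSS). The profile link
 * in the success line had its user value redacted in the copy reviewed; it
 * is rebuilt from $_SESSION['user_array']['user'], the value the form's
 * hidden 'user' field already uses — confirm against the original.
 *
 * @param string $edit name of the profile field being edited (also the $_POST key)
 * @param PDO    $link open database connection
 * @return bool true when the field was changed with no further interaction
 *              needed (unchanged or cleared address); false when the form was
 *              rendered (first display, validation error, CAPTCHA failure) or
 *              a confirmation mail was sent
 */
function change_email($edit, $link)
{
    $error = 0;
    if (isset($_POST[$edit])) {
        $_POST[$edit] = trim($_POST[$edit]);
    }
    $posted = isset($_POST[$edit]) ? $_POST[$edit] : null;

    // The form is being submitted for this field when the 'edit' marker names
    // it; $error then receives parse_email()'s verdict (0 = acceptable).
    $submitted = isset($_POST['edit']) && $_POST['edit'] == $edit;
    $change = $submitted && ($error = parse_email($posted)) === 0;

    if ($change) {
        if ($posted === $_SESSION['user_array']['email']) {
            // Address unchanged: only the visibility flag may differ.
            change($edit, $link);
            return true;
        }
        if ($posted === "") {
            change($edit, $link);
            $_SESSION['user_array']['confirmed_email'] = chr(0);
            return true;
        }
        if (!captcha_verify_word()) {
            $error = 4;
        } else {
            // NOTE(review): this lookup tells the submitter whether another
            // account has already confirmed the address (error 3); the
            // CAPTCHA is what limits harvesting through it.
            $stmt = $link->prepare("SELECT user, email FROM confirmed_emails where email = :email");
            $stmt->bindValue(':email', $posted, PDO::PARAM_STR);
            if ($stmt->execute() !== false && ($row = $stmt->fetch(PDO::FETCH_ASSOC))) {
                if ($row['user'] !== $_SESSION['user_array']['user']) {
                    $error = 3;
                }
            }
            if (!$error && change($edit, $link)) {
                send_confirmation_email($posted, $link);
                $_SESSION['user_array']['email'] = $posted;
                echo PR_EMAIL . ': ' . _change_email_html($_SESSION['user_array']['email']) . " ";
                echo (ord($_SESSION['user_array']['hemail']) ? PR_HIDDEN : PR_VISIBLE)
                    . " [<a href=\"profile.phtml?user="
                    . _change_email_html(rawurlencode($_SESSION['user_array']['user']))
                    . "&edit=email\">" . PR_EDIT . "</a>] <span style=color:red>" . PR_SENT_1_A
                    . "</span><script type='text/javascript'>alert(\"" . PR_SENT_1 . "\\n" . PR_SENT_2
                    . "\")</script><br />" . PHP_EOL;
                return false;
            }
        }
    }

    // Render the edit form. $edit is caller-supplied, but it is escaped like
    // any other value so the markup stays well-formed whatever it contains.
    $editAttr = _change_email_html($edit);
    $editJs = _change_email_js($edit);
    $postedJs = _change_email_js($posted === null ? '' : $posted);

    echo "<form id=\"editForm\" method=\"POST\">" . PR_EMAIL . ": <input type=\"text\" id=\"" . $editAttr
        . "\" name=\"" . $editAttr . "\" value=\"" . _change_email_html($_SESSION['user_array'][$edit])
        . "\" onfocus=\"javascript:document.getElementById('focusId').value='" . $editAttr . "';\" />";
    echo "<input type=\"hidden\" id=\"focusId\" name=\"focusId\" value=\"" . $editAttr . "\">" . PHP_EOL;
    echo "<input type=\"hidden\" name=\"edit\" value=\"" . $editAttr . "\">" . PHP_EOL;
    echo "<input type=\"hidden\" name=\"user\" value=\"" . _change_email_html($_SESSION['user_array']['user']) . "\">" . PHP_EOL;
    echo "<input type=\"checkbox\" name=\"h" . $editAttr . "\" value=\"true\"";
    if (ord($_SESSION['user_array']['h' . $edit])) {
        echo " checked=\"checked\" ";
    }
    echo '/>' . PR_HIDE;

    // Validation messages; error 3 also restores the rejected address in the
    // input so the user can correct it.
    $messages = array(1 => PR_ERR_MAIL_LONG, 2 => PR_ERR_MAIL_INVALID, 3 => PR_ERR_MAIL_ALREADY_ASSOC);
    if (isset($messages[$error])) {
        $restore = ($error === 3)
            ? "document.getElementById(" . $editJs . ").value=" . $postedJs . ";"
            : "";
        echo "<span style=\"color:red\"> " . $messages[$error] . "</span><script type='text/javascript'>focusId="
            . $editJs . ";" . $restore . "</script>";
    }

    // mt_rand() here is only a cache-buster for the CAPTCHA image URL, not a
    // security value.
    echo "<br /><span id=\"captchaImage\" style=\"border:0;width:140px;\"><img src=\"." . SYNAPP_CAPTCHA_PATH
        . "/captcha.image.php?nocache=" . hash("sha256", time() . mt_rand())
        . "\" alt=\"captcha\"/></span><a \nhref=\"#\" onclick=\"updateCaptcha(null, '." . SYNAPP_CAPTCHA_PATH
        . "' );return false;\"><img src=\"." . SYNAPP_UI_RESOURCES_PATH . "/images/refresh.png\" style=\"border:0\" alt=\""
        . PR_REFRESH . "\" title=\"" . PR_REFRESH . "\"/></a>";
    echo "<br />" . PR_CAPT . "<input type=\"text\" id=\"magicword\" "
        . "onfocus=\"javascript:document.getElementById('focusId').value='magicword';\" name=\"magicword\" autocomplete=\"off\" />";
    if ($error === 4) {
        echo "<span style=\"color:red\"> " . PR_ERR_CAPT . "</span><script type='text/javascript'>"
            . "focusId='magicword';document.getElementById(" . $editJs . ").value=" . $postedJs . ";</script>";
    }
    echo '<br /></form>' . PHP_EOL;

    if (isset($_GET['alert']) && !count($_POST) && $_GET['alert'] === "true") {
        echo "<script type='text/javascript'>alert(\"" . PR_VALIDATE_MAIL . "\")</script>";
    }
    return false;
}

/**
 * Escape a value for an HTML text or quoted-attribute context.
 *
 * @param mixed $value
 * @return string
 */
function _change_email_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Encode a value as a JavaScript string literal (with quotes) that is safe to
 * embed inside a <script> block: the HEX flags keep '<', '>', '&' and quotes
 * out of the output. Falls back to an empty literal if the value is not
 * valid UTF-8 and json_encode() refuses it.
 *
 * @param mixed $value
 * @return string
 */
function _change_email_js($value)
{
    $literal = json_encode((string) $value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $literal === false ? '""' : $literal;
}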