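/**
 * Renders the CAPTCHA row of the registration form unless the session already
 * records a solved CAPTCHA ($_SESSION["r_code"] == "OK").
 *
 * When rendered, a fresh numeric challenge and two hidden-field tokens are
 * stored in the session ("r_code", "r_trap1", "r_trap2") and written into the
 * markup. Output goes straight to the response (mixed PHP/HTML).
 *
 * @return void
 */
function OS_CaptchaOnRegistration()
{
    if (isset($_SESSION["r_code"]) and $_SESSION["r_code"] == "OK") {
        // CAPTCHA already solved in this session; nothing to render.
        return;
    }

    // random_int() is cryptographically secure; rand() is predictable and
    // unsuitable for a challenge value the client must not be able to guess.
    $code = random_int(100, 10000);
    $_SESSION["r_code"] = $code;

    // Hidden-field name/value pair, regenerated per render and kept in the
    // session so the handler can recognise the form it issued.
    $trap1 = generate_hash(16);
    $trap2 = generate_hash(8);
    $_SESSION["r_trap1"] = $trap1;
    $_SESSION["r_trap2"] = $trap2;
    ?>
    <tr>
        <td class="padLeft">Captcha:</td>
        <td class="padLeft">
            <input type="text" size="1" value="" name="r_captcha"/>
            <input type="hidden" name="<?php echo $trap1; ?>" value="<?php echo $trap2; ?>" />
            <span style="font-size:26px; font-weight:bold;"><?php echo $code; ?></span>
        </td>
    </tr>
    <?php
}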
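/**
 * Verifies the posted "user"/"password" pair against the users table.
 *
 * Reads $_POST['user'] and $_POST['password'], fetches the matching row through
 * db_easy(), then compares generate_hash(name, password) with the stored
 * password_hash in constant time.
 *
 * NOTE(review): mysql_real_escape_string() belongs to the removed mysql_*
 * extension; the lookup should move to a parameterised query in the db layer.
 *
 * @return bool true only when the user exists and the hash matches
 */
function check_login()
{
    $name = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';

    $user = db_easy("SELECT `name`, `password_hash` FROM `users` WHERE `name`='" . mysql_real_escape_string($name) . "'");
    if (empty($user) || !isset($user['password_hash'])) {
        // No such account (or nothing usable came back); never compare against null.
        return false;
    }

    // hash_equals() avoids both timing leaks and the type-juggling pitfalls of
    // == on hash strings (e.g. two "0e..." numeric strings comparing equal).
    return hash_equals((string) $user['password_hash'], (string) generate_hash($user['name'], $password));
}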
/**
 * Completes a password reset: stores a freshly salted hash for the account
 * matching both the supplied e-mail and reset code, and clears the code.
 *
 * @param IChangePasswordInput $input supplies get_email(), get_resetcode(), get_password()
 * @return bool true when at least one row was updated (affected_rows() > 0)
 */
public function change_password(IChangePasswordInput $input)
{
    $this->load->helper('crypto');

    $salt = generate_salt();
    $hashed = generate_hash($input->get_password(), $salt);

    // Both predicates must match; the reset code is single-use and is cleared below.
    $this->db->where('email', $input->get_email());
    $this->db->where('passwordresetcode', $input->get_resetcode());

    $fields = array(
        "passwordresetcode" => NULL,
        "passwordhash" => $hashed,
        "passwordsalt" => $salt,
    );
    $this->db->update("users", $fields);

    return $this->db->affected_rows() > 0;
}
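/**
 * Validates the comment-form CAPTCHA when a comment is being posted.
 *
 * Only acts when $_POST["post_comment"] is set. Compares $_POST["c_code"] with
 * $_SESSION["c_code"] in constant time; on any mismatch or missing value an
 * error page with a "Back" link is raised via os_trigger_error(). On success
 * the session code is rotated (5-char hash with "o"/"0" replaced by "x").
 *
 * @return void
 */
function OS_CheckCaptcha()
{
    if (!isset($_POST["post_comment"])) {
        return;
    }

    if (isset($_GET["post_id"]) and is_numeric($_GET["post_id"])) {
        // Random suffix only busts caches; it is not part of the CAPTCHA check.
        $backTo = OS_HOME . '?post_id=' . safeEscape($_GET["post_id"]) . "&" . generate_hash(12) . "#SubmitComment";
    } else {
        $backTo = '';
    }
    $CaptchaError = '<h2>Invalid captcha</h2><div><a href="' . $backTo . '">« Back</a></div>';

    if (!isset($_POST["c_code"]) or !isset($_SESSION["c_code"])) {
        os_trigger_error($CaptchaError);
        return; // guard in case os_trigger_error() does not terminate the request
    }

    // Constant-time string comparison; != would treat e.g. "1e3" and "1000" as equal.
    if (!hash_equals((string) $_SESSION["c_code"], (string) $_POST["c_code"])) {
        os_trigger_error($CaptchaError . " ");
        return;
    }

    // Rotate the challenge so the same code cannot be replayed.
    $code = generate_hash(5);
    $code = str_replace(array("o", "0"), array("x", "x"), $code);
    $_SESSION["c_code"] = $code;
}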
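/**
 * Authenticates $username/$password against the accounts table and, on
 * success, populates $_SESSION['user_id'], ['username'] and ['login_string'].
 *
 * The stored password column holds a 32-character salt prefix followed by the
 * hash; the candidate password is hashed with generate_hash($password, $salt)
 * and compared against the whole stored value in constant time.
 *
 * @param string $username submitted user name
 * @param string $password submitted clear-text password
 * @param PDO    $dbh      open database handle
 * @return bool true on successful login; false for a failed prepare(), an
 *              unknown user or a wrong password
 */
function login($username, $password, $dbh)
{
    $query = $dbh->prepare("SELECT uid, username, password FROM accounts WHERE username = ? LIMIT 1");
    if (!$query) {
        // prepare() failed: report a failed login instead of falling through with null.
        return false;
    }
    $query->bindValue(1, $username);
    $query->execute();
    $result = $query->fetch();
    if (!$result) {
        return false; // no such account
    }

    $storedpass = (string) $result['password'];
    $storedsalt = substr($storedpass, 0, 32); // salt is the leading 32 chars of the stored value
    $candidate = (string) generate_hash($password, $storedsalt);

    // hash_equals() keeps the comparison constant-time and free of == type juggling.
    if (!hash_equals($storedpass, $candidate)) {
        return false;
    }

    // Password is correct. Bind the session to the client's address and user agent.
    $ip_address = $_SERVER['REMOTE_ADDR'];
    $user_browser = $_SERVER['HTTP_USER_AGENT'];
    $user_id = preg_replace("/[^0-9]+/", "", $result['uid']); // digits only: this value may be printed
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $result['username']); // same: restrict to a safe charset
    $_SESSION['user_id'] = $user_id;
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $candidate . $ip_address . $user_browser);
    return true;
}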
/**
 * Builds the setup configuration from the processed installer form array.
 *
 * Every setting falls back to "" when absent, except database_adapter
 * (defaults to "mysql") and the auth_username/auth_password web-service
 * credentials, which are generated with generate_hash() when not supplied.
 * config_file_path is derived from entrada_absolute.
 *
 * @param array $processed_array settings keyed by name
 */
public function __construct($processed_array)
{
    // Settings that default to an empty string when the installer did not supply them.
    $stringSettings = array(
        "entrada_url", "entrada_relative", "entrada_absolute", "entrada_storage",
        "database_host", "database_username", "database_password",
        "entrada_database", "auth_database", "clerkship_database",
        "admin_username", "admin_password_hash", "admin_firstname",
        "admin_lastname", "admin_email",
    );
    foreach ($stringSettings as $key) {
        $this->{$key} = isset($processed_array[$key]) ? $processed_array[$key] : "";
    }

    $this->database_adapter = isset($processed_array["database_adapter"]) ? $processed_array["database_adapter"] : "mysql";

    // Web-service credentials: random values are generated only when none were given.
    $this->auth_username = isset($processed_array["auth_username"]) ? $processed_array["auth_username"] : generate_hash();
    $this->auth_password = isset($processed_array["auth_password"]) ? $processed_array["auth_password"] : generate_hash();

    $this->config_file_path = $this->entrada_absolute . "/core/config/config.inc.php";
}
/**
 * Add new user
 *
 * Validates $user_data, adopts an already existing record when one matches,
 * otherwise inserts a new row with a generated hash and start timestamp and
 * loads the stored values into this object via setAttributes().
 *
 * @param array $user_data
 *
 * @return bool false when validation or the INSERT fails
 */
public function create($user_data)
{
    $user_data = $this->validate($user_data);
    if (!$user_data) {
        return false;
    }

    $existing = $this->checkExist($user_data);
    if ($existing) {
        // Already registered: take the stored record instead of inserting a duplicate.
        $this->setAttributes($existing);
        return true;
    }

    $hash = generate_hash();
    $date_start = date("Y-m-d H-i-s");

    $sql = "INSERT INTO\n {$this->table_name} (\n name,\n email,\n phone,\n hash,\n date_start,\n conference_id\n ) VALUES (\n :name,\n :email,\n :phone,\n :hash,\n :date_start,\n :conference_id\n )";
    $statement = $this->connection->prepare($sql, [PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY]);
    $bindings = [
        ':name' => $user_data['name'],
        ':email' => $user_data['email'],
        ':phone' => $user_data['phone'],
        ':conference_id' => $user_data['conference_id'],
        ':date_start' => $date_start,
        ':hash' => $hash,
    ];
    if (!$statement->execute($bindings)) {
        return false;
    }

    $user_data['hash'] = $hash;
    $user_data['date_start'] = $date_start;
    $this->setAttributes($user_data);
    return true;
}
$TOTAL_ERRORS = $ERROR; $STEP = 2; } case 2: /** * Keys to allow Entrada to access the authentication web-service. */ if (isset($_POST["auth_username"]) && ($auth_username = clean_input($_POST["auth_username"], "alphanumeric"))) { $PROCESSED["auth_username"] = $auth_username; } else { $PROCESSED["auth_username"] = generate_hash(); } if (isset($_POST["auth_password"]) && ($auth_password = clean_input($_POST["auth_password"], "alphanumeric"))) { $PROCESSED["auth_password"] = $auth_password; } else { $PROCESSED["auth_password"] = generate_hash(); } case 1: default: continue; break; } $setup = new Entrada_Setup($PROCESSED); /** * Post-Error Check Data Processing */ switch ($STEP) { case 6: if (@file_exists($PROCESSED["entrada_absolute"] . "/.htaccess")) { if (@file_exists($PROCESSED["entrada_absolute"] . "/core/config/config.inc.php")) { try {
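/**
 * Creates a user account and updates object, returns true or false.
 * $user_data requires: "username", "firstname", "lastname", "email", "password", "organisation_id"
 * $user_access requires: "group", "role", "app_id"
 *
 * Every value is passed through clean_input(..., trim + striptags) before the
 * INSERTs into AUTH_DATABASE.user_data and AUTH_DATABASE.user_access. Missing
 * user_access fields are defaulted: organisation_id (copied from user_data),
 * access_starts (now), account_active ("true"), private_hash (generate_hash()).
 * On success the object's properties are refreshed from the processed arrays.
 *
 * NOTE(review): "password" is inserted exactly as passed in; confirm callers
 * hash it before calling, since nothing here does.
 *
 * @param array $user_data User data array, keys match table fields. Ex: array("id" => "1", "username" => "foo").
 * @param array $user_access User access array, keys match table fields. Ex: array("group" => "admin").
 * @return boolean false when a required key is missing or either INSERT fails
 */
public function createUser(array $user_data, array $user_access)
{
    global $db;

    $required_user_data = array("username", "firstname", "lastname", "email", "password", "organisation_id");
    $required_user_access = array("group", "role", "app_id");

    // Initialised explicitly so the happy path never reads an undefined variable.
    $error = false;
    foreach ($required_user_data as $data) {
        if (!array_key_exists($data, $user_data)) {
            $error = true;
        }
    }
    foreach ($required_user_access as $data) {
        if (!array_key_exists($data, $user_access)) {
            $error = true;
        }
    }
    if ($error) {
        return false;
    }

    $processed = array("user_data" => array(), "user_access" => array());
    foreach ($user_data as $fieldname => $data) {
        $processed["user_data"][$fieldname] = clean_input($data, array("trim", "striptags"));
    }
    foreach ($user_access as $fieldname => $data) {
        $processed["user_access"][$fieldname] = clean_input($data, array("trim", "striptags"));
    }

    if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_data`", $processed["user_data"], "INSERT")) {
        application_log("error", "Failed to add user, DB said: " . $db->ErrorMsg());
        return false;
    }

    $processed["user_data"]["id"] = $db->Insert_ID();
    $processed["user_access"]["user_id"] = $processed["user_data"]["id"];
    if (!isset($processed["user_access"]["organisation_id"])) {
        $processed["user_access"]["organisation_id"] = $processed["user_data"]["organisation_id"];
    }
    if (!isset($processed["user_access"]["access_starts"])) {
        $processed["user_access"]["access_starts"] = time();
    }
    if (!isset($processed["user_access"]["account_active"])) {
        $processed["user_access"]["account_active"] = "true";
    }
    if (!isset($processed["user_access"]["private_hash"])) {
        $processed["user_access"]["private_hash"] = generate_hash();
    }

    if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_access`", $processed["user_access"], "INSERT")) {
        application_log("error", "Failed to add user, DB said: " . $db->ErrorMsg());
        return false;
    }

    // Refresh this object from the stored values; properties present in neither
    // array fall back to their class defaults.
    foreach (get_class_vars(__CLASS__) as $param_name => $param) {
        if (isset($processed["user_data"][$param_name])) {
            $this->{$param_name} = $processed["user_data"][$param_name];
        } elseif (isset($processed["user_access"][$param_name])) {
            $this->{$param_name} = $processed["user_access"][$param_name];
        } else {
            $this->{$param_name} = $param;
        }
    }
    return true;
}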
$pw = trim($_POST["password"]); $email = trim($_POST["email"]); if (strlen($admin) <= 2 or strlen($pw) <= 2) { $admin = "admin"; $pw = "admin"; $email = "*****@*****.**"; ?> <div>Admin username or password have too few characters</div> <div>Inserting default admin username and password</div> <div><b>Admin username:</b> admin</div> <div><b>Admin password:</b> admin</div> <div> </div> <div>Don't forget to change admin username and password via admin panel</div> <?php } $hash = generate_hash(16, 1); $pass = generate_password($pw, $hash); $userLevel = 10; // 10 - root admin, 9 - administrator $sth = $dbh->prepare("INSERT INTO oh_users(user_name, user_password, password_hash, user_email, user_joined, user_level,user_ip, confirm, can_comment) VALUES('{$admin}', '{$pass}', '{$hash}', '{$email}', '" . time() . "', '" . $userLevel . "', '" . $_SERVER["REMOTE_ADDR"] . "', '', '1')"); $sth->execute(); $result = 1; flush(); if ($result) { ?> <div> </div> <div><b>Admin successfully created.</b></div> <div style="display:none;">Please delete <b>install.php</b>, <b>sql_data.sql</b> and <b>sql_heroes_items.sql</b> from install directory.</div> <div style="display:none;">Please delete or rename <b>install/</b> folder.</div>
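/**
 * Checks a candidate value against a stored salted hash.
 *
 * The salt is the trailing SALT_LENGTH characters of $proper; the candidate is
 * re-hashed with that salt via generate_hash() and compared in constant time.
 *
 * @param string $proper stored value (hash followed by SALT_LENGTH salt characters)
 * @param string $check  candidate clear-text value
 * @return bool
 */
function check_hash($proper, $check)
{
    $proper = (string) $proper;
    $len = strlen($proper);
    if ($len < SALT_LENGTH) {
        // Too short to even contain a salt: cannot be a valid stored hash.
        return false;
    }
    $salt = substr($proper, $len - SALT_LENGTH);
    // hash_equals() prevents timing leaks and the numeric-string pitfalls of ==.
    return hash_equals($proper, (string) generate_hash($check, $salt));
}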
<?php if (!isset($website)) { header('HTTP/1.1 404 Not Found'); die; } $code = generate_hash(8); $_SESSION["code"] = $code; if (isset($errors) and !empty($errors)) { ?> <div><?php echo $errors; ?> </div> <?php } ?> <a name="comments"></a><?php if (isset($CommentsData) and !empty($CommentsData)) { ?> <div class="comments" id="comments"> <h4><?php echo $lang["comments"]; ?> (<?php echo $CommentsData[0]["total_comments"]; ?> )</h4> <div class="comments-content"> <div id="comment-holder"> <ol>
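/**
 * Returns the stored hash of a threshold template, or a freshly generated one
 * when the row has no 32-character hexadecimal hash.
 *
 * @param int|string $id thold_template primary key
 * @return string
 */
function get_hash_thold_template($id)
{
    // Bind $id as a parameter (as get_hash_round_robin_archive() does) rather
    // than interpolating it into the WHERE clause.
    $hash = db_fetch_cell_prepared('SELECT hash FROM thold_template WHERE id = ?', array($id));
    if (preg_match('/[a-fA-F0-9]{32}/', (string) $hash)) {
        return $hash;
    }
    return generate_hash();
}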
img/fb_connect.png" width="300" height="50" alt="FB CONNECT" /></a> <div>Click on the button above to sign in with your FB account</div> <div style="margin-top: 360px;"> </div> </div> </div> </div> </div> </div> <?php } if ($user and isset($email) and strlen($email) >= 5) { $result = $db->query("SELECT * FROM users WHERE user_email = '" . $email . "' AND user_fbid = '" . $user . "' "); if ($db->num_rows($result) <= 0) { $pass = generate_hash(5); $hash = generate_hash(12); $password_db = generate_password($pass, $hash); $avatar = 'https://graph.facebook.com/' . $user . '/picture?type=large'; $www = 'http://www.facebook.com/profile.php?id=' . $user . ''; if ($gender == "male") { $gen = 1; } else { if ($gender == "female") { $gen = 2; } else { $gen = 0; } } $insert = $db->query("INSERT INTO users(user_name, user_fbid, user_password, password_hash, user_email, user_joined, user_level, user_last_login, user_ip, user_avatar, user_website, user_gender) \n\t VALUES('" . safeEscape($name) . "', '" . $user . "', '" . $password_db . "', '" . $hash . "', '" . safeEscape($email) . "', '" . (int) time() . "', '0', '" . (int) time() . "', '" . safeEscape($_SERVER["REMOTE_ADDR"]) . "', '" . strip_tags($avatar) . "', '" . $www . "', '" . $gen . "')"); $id = $db->get_insert_id(); $_SESSION["user_id"] = $id;
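/**
 * Creates user data / user access records
 *
 * Looks the LDAP member up by student number in AUTH_DATABASE.user_data. If no
 * record exists, a user_data row (placeholder password, graduation year = now + 4)
 * and a matching user_access row are inserted; if it exists but has no
 * user_access row for this course's organisation, that row is added. The user
 * is then added to this group's group_members and, when a community is
 * attached, to community_members. Finally the user is dropped from
 * $this->community_audience. Database failures are logged via application_log();
 * only a failed user_data INSERT stops processing, since no id exists then.
 *
 * @global object $db database connection (GetRow/AutoExecute/qstr/Insert_ID/ErrorMsg)
 * @param array $member_ldap_data LDAP attributes (LDAP_USER_QUERY_FIELD, LDAP_MEMBER_ATTR, sn, givenName, cn, mail)
 * @return void
 */
private function handleUser($member_ldap_data)
{
    global $db;

    $number = str_replace("S", "", $member_ldap_data[LDAP_USER_QUERY_FIELD]);
    $GRAD = date("Y", time()) + 4;
    $user_id = "";

    $query = "SELECT * FROM `" . AUTH_DATABASE . "`.`user_data` WHERE `number` = ?";
    $result = $db->GetRow($query, array($number));

    if (!$result) {
        // Prefer the structured name attributes; fall back to splitting cn on spaces.
        if (isset($member_ldap_data["sn"]) && isset($member_ldap_data["givenName"]) && $member_ldap_data["sn"] && $member_ldap_data["givenName"]) {
            $names = array($member_ldap_data["givenName"], $member_ldap_data["sn"]);
        } else {
            $names = explode(" ", $member_ldap_data["cn"]);
        }
        $firstname = trim($names[0]);
        $lastname = isset($names[1]) ? trim($names[1]) : ""; // a cn without a space yields no surname part

        $student = array(
            "number" => $number,
            "username" => strtolower($member_ldap_data[LDAP_MEMBER_ATTR]),
            // NOTE(review): md5 of a random placeholder — confirm this matches the
            // hashing scheme the login path verifies against.
            "password" => md5(generate_password(8)),
            "organisation_id" => $this->course["organisation_id"],
            "firstname" => $firstname,
            "lastname" => $lastname,
            "prefix" => "",
            "email" => isset($member_ldap_data["mail"]) ? $member_ldap_data["mail"] : strtolower($member_ldap_data[LDAP_MEMBER_ATTR]) . "@queensu.ca",
            "email_alt" => "",
            "email_updated" => time(),
            "telephone" => "",
            "fax" => "",
            "address" => "",
            "city" => DEFAULT_CITY,
            "postcode" => DEFAULT_POSTALCODE,
            "country" => "",
            "country_id" => DEFAULT_COUNTRY_ID,
            "province" => "",
            "province_id" => DEFAULT_PROVINCE_ID,
            "notes" => "",
            "privacy_level" => "0",
            "notifications" => "0",
            "entry_year" => date("Y", time()),
            "grad_year" => $GRAD,
            "gender" => "0",
            "clinical" => "0",
            "updated_date" => time(),
            "updated_by" => "1",
        );

        if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_data`", $student, "INSERT")) {
            application_log("error", "Failed to create user data record, DB said: " . $db->ErrorMsg());
            // Without a user_data row there is no id to attach memberships to.
            return;
        }
        $user_id = $db->Insert_ID();

        // Log only when the INSERT fails.
        if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_access`", $this->buildStudentAccess($user_id, $GRAD), "INSERT")) {
            application_log("error", "Failed to create user access record, DB said: " . $db->ErrorMsg());
        }
    } else {
        $user_id = $result["id"];
        $query = "SELECT * FROM `" . AUTH_DATABASE . "`.`user_access`\n WHERE `user_id` = " . $db->qstr($result["id"]) . " AND `organisation_id` = " . $db->qstr($this->course["organisation_id"]);
        $access_record = $db->GetRow($query);
        if (!$access_record) {
            if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_access`", $this->buildStudentAccess($user_id, $GRAD), "INSERT")) {
                application_log("error", "Failed to create user access record, DB said: " . $db->ErrorMsg());
            }
        }
    }

    $query = "SELECT * FROM `group_members` \n WHERE `proxy_id` = " . $db->qstr($user_id) . "\n AND `group_id` = " . $db->qstr($this->group_id);
    $group_member = $db->GetRow($query);
    if (!$group_member) {
        $values = array(
            "group_id" => $this->group_id,
            "proxy_id" => $user_id,
            "start_date" => $this->course["start_date"],
            "expire_date" => $this->course["end_date"],
            "member_active" => "1",
            "entrada_only" => "0",
            "updated_date" => time(),
            "updated_by" => "1",
        );
        if (!$db->AutoExecute("group_members", $values, "INSERT")) {
            application_log("error", "User was not added to group_members table, DB said: " . $db->ErrorMsg());
        }
    }

    if ($this->community_id) {
        $query = "SELECT * FROM `community_members` WHERE `proxy_id` = ? AND `community_id` = ?";
        $community_membership = $db->GetRow($query, array($user_id, $this->community_id));
        if (!$community_membership) {
            $values = array(
                "community_id" => $this->community_id,
                "proxy_id" => $user_id,
                "member_active" => "1",
                "member_joined" => time(),
                "member_acl" => "0",
            );
            if (!$db->AutoExecute("`community_members`", $values, "INSERT")) {
                application_log("error", "Failed to add user to community, DB said: " . $db->ErrorMsg());
            }
        }
    }

    unset($this->community_audience[$user_id]);
}

/**
 * Builds the user_access row for a student in this course's organisation.
 *
 * @param int|string $user_id   user_data.id the access row belongs to
 * @param int        $grad_year graduation year, stored in the role column
 * @return array column => value, ready for $db->AutoExecute()
 */
private function buildStudentAccess($user_id, $grad_year)
{
    return array(
        "user_id" => $user_id,
        "app_id" => $this->app_id,
        "organisation_id" => $this->course["organisation_id"],
        "account_active" => "true",
        "access_starts" => time(),
        "access_expires" => "0",
        "last_login" => "0",
        "last_ip" => "",
        "role" => $grad_year,
        "group" => "student",
        "extras" => "",
        "private_hash" => generate_hash(32),
        "notes" => "",
    );
}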
////////////////// VOTE /////////////////// //HERO 1 vs HERO 2 require_once 'inc/class.database.php'; require_once 'inc/db_connect.php'; $sth = $db->prepare("SELECT * FROM heroes WHERE summary!= '-' ORDER BY RAND() LIMIT 2"); $result = $sth->execute(); $c = 0; $HeroVoteData = array(); while ($row = $sth->fetch(PDO::FETCH_ASSOC)) { $HeroVoteData[$c]["id"] = strtoupper($row["heroid"]); $HeroVoteData[$c]["original"] = $row["original"]; $HeroVoteData[$c]["description"] = $row["description"]; $HeroVoteData[$c]["summary"] = $row["summary"]; $c++; } $code = generate_hash(14); $_SESSION["code"] = $code; ?> <div align="center"> <form action="" method="post"> <table width="460" style="width:460px;"> <tr> <th class="padLeft"><?php echo $lang["vote_title"]; ?> </th><th></th><th></th> </tr> <tr style="height: 154px; vertical-align: middle;"> <td align="center" style="height: 154px; vertical-align: middle; width:200px;" > <label for="h1"> <img style="vertical-align:middle; padding-right:8px; cursor:pointer;" width="64" height="64" border=0 src="<?php
$access["last_ip"] = ""; $access["role"] = "communityinvite"; $access["group"] = "guest"; if ($db->AutoExecute(AUTH_DATABASE . ".user_access", $access, "INSERT")) { $community = array(); $community["community_id"] = $user["community_id"]; $community["proxy_id"] = $proxy_id; $community["member_active"] = 1; $community["member_joined"] = time(); $community["member_acl"] = 0; if ($db->AutoExecute("community_members", $community, "INSERT")) { if ($SKIP_EMAIL_NOTIFICATION) { output_success("[Row " . $row_count . "]\tSuccessfully added username [" . $user["username"] . "] and skipped e-mail notification."); } else { do { $hash = generate_hash(); } while ($db->GetRow("SELECT `id` FROM `" . AUTH_DATABASE . "`.`password_reset` WHERE `hash` = " . $db->qstr($hash))); if ($db->AutoExecute(AUTH_DATABASE . ".password_reset", array("ip" => "127.0.0.1", "date" => time(), "user_id" => $proxy_id, "hash" => $hash, "complete" => 0), "INSERT")) { $notification_search = array("%firstname%", "%lastname%", "%username%", "%password_reset_url%", "%application_url%", "%application_name%", "%community_name%", "%community_url%"); $notification_replace = array(stripslashes($user["firstname"]), stripslashes($user["lastname"]), stripslashes($user["username"]), PASSWORD_RESET_URL . "?hash=" . rawurlencode($proxy_id . ":" . $hash), ENTRADA_URL, APPLICATION_NAME, $community_info["community_title"], COMMUNITY_URL . $community_info["community_url"]); $message = str_ireplace($notification_search, $notification_replace, $NEW_GUEST_NOTIFICATION); if ($SEND_ADMIN_NOTIFICATION) { $user["email"] = $AGENT_CONTACTS["administrator"]["email"]; } if (@mail($user["email"], "New User Account: " . APPLICATION_NAME, $message, "From: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . $AGENT_CONTACTS["administrator"]["email"] . ">\nReply-To: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . $AGENT_CONTACTS["administrator"]["email"] . ">")) { output_success("[Row " . $row_count . 
"]\tSuccessfully added username [" . $user["username"] . "] and sent e-mail notification to [" . $user["email"] . "]."); } else { output_error("[Row " . $row_count . "]\tAdded username [" . $user["username"] . "] to the database, but could not send e-mail notification to [" . $user["email"] . "]."); } } else { output_error("[Row " . $row_count . "]\tAdded username [" . $user["username"] . "] to the database, but could not insert password reset entry into password_reset table. Database said: " . $db->ErrorMsg());
foreach ($publications as $publication) { $query = "INSERT INTO `profile_publications` (`pub_type`, `pub_id`, `dep_id`, `proxy_id`) VALUES (" . $db->qstr($pub_type) . ", " . $db->qstr($publication) . ", " . $db->qstr($dep_id) . ", " . $db->qstr($ENTRADA_USER->getID()) . ")"; $db->Execute($query); } } } } } $url = ENTRADA_URL . "/admin/users/manage?id=" . $PROXY_ID; $SUCCESS++; $SUCCESSSTR[] = "You have successfully updated the <strong>" . html_encode($PROCESSED["firstname"] . " " . $PROCESSED["lastname"]) . "</strong> account in the authentication system.<br /><br />You will now be redirected to the users profile page; this will happen <strong>automatically</strong> in 5 seconds or <a href=\"" . $url . "\" style=\"font-weight: bold\">click here</a> to continue."; header("refresh:5;url=" . $url); if (isset($_POST["send_notification"]) && (int) $_POST["send_notification"] == 1) { $PROXY_ID = $PROCESSED_ACCESS["user_id"]; do { $HASH = generate_hash(); } while ($db->GetRow("SELECT `id` FROM `" . AUTH_DATABASE . "`.`password_reset` WHERE `hash` = " . $db->qstr($HASH))); if ($db->AutoExecute(AUTH_DATABASE . ".password_reset", array("ip" => $_SERVER["REMOTE_ADDR"], "date" => time(), "user_id" => $PROXY_ID, "hash" => $HASH, "complete" => 0), "INSERT")) { // Send welcome & password reset e-mail. $notification_search = array("%firstname%", "%lastname%", "%username%", "%password_reset_url%", "%application_url%", "%application_name%"); $notification_replace = array($PROCESSED["firstname"], $PROCESSED["lastname"], $PROCESSED["username"], PASSWORD_RESET_URL . "?hash=" . rawurlencode($PROXY_ID . ":" . $HASH), ENTRADA_URL, APPLICATION_NAME); $message = str_ireplace($notification_search, $notification_replace, isset($_POST["notification_message"]) ? html_encode($_POST["notification_message"]) : $DEFAULT_EDIT_USER_NOTIFICATION); if (!@mail($PROCESSED["email"], "Updated User Account: " . APPLICATION_NAME, $message, "From: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . 
$AGENT_CONTACTS["administrator"]["email"] . ">\nReply-To: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . $AGENT_CONTACTS["administrator"]["email"] . ">")) { $NOTICE++; $NOTICESTR[] = "The user was successfully added; however, we could not send them a new account e-mail notice. The MEdTech Unit has been informed of this problem, please send this new user a password reset notice manually.<br /><br />You will now be redirected back to the user index; this will happen <strong>automatically</strong> in 5 seconds or <a href=\"" . $url . "\" style=\"font-weight: bold\">click here</a> to continue."; application_log("error", "New user [" . $PROCESSED["username"] . "] was given access to OCR but the e-mail notice failed to send."); } } else { $NOTICE++; $NOTICESTR[] = "The user was successfully added; however, we could not send them a new account e-mail notice. The MEdTech Unit has been informed of this problem, please send this new user a password reset notice manually.<br /><br />You will now be redirected back to the user index; this will happen <strong>automatically</strong> in 5 seconds or <a href=\"" . $url . "\" style=\"font-weight: bold\">click here</a> to continue."; application_log("error", "New user [" . $PROCESSED["username"] . "] was given access to OCR but the e-mail notice failed to send. Database said: " . $db->ErrorMsg());
} else { $gen = 0; } } $sql .= "user_gender = '" . $gen . "' "; $sql .= " WHERE user_name = '" . $_SESSION["username"] . "' "; $update = $db->prepare($sql); $result = $update->execute(); /* //======================================================= UPLOAD AVATAR */ //======================================================= if ($AllowUploadAvatar == 1 and isset($_FILES["avatar_upload"]) and !empty($_FILES["avatar_upload"])) { $imagename = strtolower($_FILES['avatar_upload']['name']); $fileExt = end(explode('.', $imagename)); $savedName = generate_hash(4) . "_" . generate_hash(12) . "." . $fileExt; $savedName = uniqid(time()) . "." . $fileExt; $source = $_FILES['avatar_upload']['tmp_name']; $target = "img/avatars/" . $savedName; //die($fileExt); $allowtype = array('gif', 'jpg', 'jpe', 'jpeg', 'png'); if (in_array($fileExt, $allowtype)) { move_uploaded_file($source, $target); list($width, $height) = getimagesize($target); if ($width > $MaxImageSize) { $modwidth = $MaxImageSize; } else { $modwidth = $width; } $diff = $width / $modwidth; $modheight = $height / $diff;
$r = $sth->fetch(PDO::FETCH_NUM); if ($r[0] >= 1) { $registration_errors .= "<div>" . $lang["error_un_taken"] . "</div>"; } $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_USERS . " WHERE user_email=:user_email LIMIT 1"); $sth->bindValue(':user_email', $email, PDO::PARAM_STR); $result = $sth->execute(); $r = $sth->fetch(PDO::FETCH_NUM); if ($r[0] >= 1) { $registration_errors .= "<div>" . $lang["error_email_taken"] . "</div>"; } if (empty($registration_errors)) { $hash = generate_hash(16, 1); $password_db = generate_password($password, $hash); if ($UserActivation == 1) { $code = generate_hash(16, 0); } else { $code = ''; } //FIND user location if (file_exists("inc/geoip/geoip.inc")) { include "inc/geoip/geoip.inc"; $GeoIPDatabase = geoip_open("inc/geoip/GeoIP.dat", GEOIP_STANDARD); $GeoIP = 1; $Letter = geoip_country_code_by_addr($GeoIPDatabase, $UserIP); $Country = geoip_country_name_by_addr($GeoIPDatabase, $UserIP); geoip_close($GeoIPDatabase); } if (!empty($Country)) { $location = $Country; } else {
/**
 * Returns the hash stored for a round-robin archive, or a newly generated one
 * when the stored value does not contain a 32-character hexadecimal string.
 *
 * @param int|string $rra_id rra primary key
 * @return string
 */
function get_hash_round_robin_archive($rra_id)
{
    $stored = db_fetch_cell_prepared('SELECT hash FROM rra WHERE id = ?', array($rra_id));
    $looksLikeHash = preg_match('/[a-fA-F0-9]{32}/', $stored) === 1;
    return $looksLikeHash ? $stored : generate_hash();
}
$add = ""; if (isset($_POST[$var]) && trim($_POST[$var]) != "") { $add = trim($_POST[$var]); } if ($var == "pagination") { if (!is_numeric($add)) { $add = 0; } else { $add = intval($add); } } else { if ($var == "login_pass" && strlen($add) > 0) { if ($add == HASH_PASS) { continue; } $add = generate_hash($add); } } if (isset($config->{$var})) { $config->{$var} = $add; } else { $config->addChild($var, $add); } } $plentry = null; if (isset($config->plentry)) { $plentry = $config->plentry; } else { $plentry = $config->addChild("plentry"); } foreach ($pl_fields as $field) {
/**
 * Private-message screen for ?action=pm: renders the INBOX / SENT ITEMS /
 * NEW MESSAGE navigation and handles the four sub-views (new_message, send,
 * sent_items, inbox). Output is emitted directly; there is no return value.
 *
 * Messages appear to be stored as rows of OSDB_CUSTOM_FIELDS with field_id =
 * recipient user id and field_name = "<time>|<sender id>||p.m.<read flag>";
 * the LIKE patterns and substr() calls below all depend on that layout.
 *
 * Each form is protected by a one-shot token kept in $_SESSION["code"] and
 * regenerated after every render.
 */
function OS_PMSystem() { if (OS_GetAction("pm")) { global $db; $sth = $db->prepare("SET NAMES 'utf8'"); $result = $sth->execute(); global $lang; global $DateFormat; $errors = ""; ?> <div class="clr"></div> <div class="ct-wrapper" id="content" class="s-c-x"> <div class="outer-wrapper wrapper"> <div class="content section" id="main-column"> <div class="widget Blog padding"> <div class="blog-posts hfeed padLeft padTop padBottom inner"> <h2>Private Messages</h2> <div> <a class="menuButtons" href="<?php echo OS_HOME; ?> ?action=pm&inbox">INBOX</a> <a class="menuButtons" href="<?php echo OS_HOME; ?> ?action=pm&sent_items">SENT ITEMS</a> <a class="menuButtons" href="<?php echo OS_HOME; ?> ?action=pm&new_message">NEW MESSAGE</a> </div> <?php /* NEW MESSAGE */ if (isset($_GET["new_message"])) { $PMName = ""; $PMText = ""; if (isset($_POST["pm_message"]) and isset($_POST["pm_name"]) and isset($_SESSION["code"]) and isset($_POST["code"])) { $PMText = $_POST['pm_message']; $PMText = strip_tags($PMText); /* NOTE(review): $PMName is echoed back into an <input value=""> below; that is only safe if safeEscape() escapes for HTML attribute context — confirm. */ $PMName = safeEscape(trim($_POST["pm_name"])); /* form token check; loose != — a strict !== avoids type juggling */ if ($_SESSION["code"] != $_POST["code"]) { $errors .= "<h4>Form is not valid. Try again.</h4>"; } if (strlen($PMText) <= 2) { $errors .= "<h4>There are not enough characters in the message</h4>"; } if (strlen($PMName) <= 2) { $errors .= "<h4>Please, write a valid username</h4>"; } if (strtolower($PMName) == $_SESSION["username"]) { $errors .= "<h4>You can not send messages to yourself</h4>"; } if (empty($errors)) { $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " \n\t\t\tWHERE LOWER(user_name) = ? LIMIT 1"); $sth->bindValue(1, strtolower($PMName), PDO::PARAM_STR); $result = $sth->execute(); if ($sth->rowCount() <= 0) { $errors .= "<h4>User not found</h4>"; } else { $row = $sth->fetch(PDO::FETCH_ASSOC); $userID = $row["user_id"]; } } if (!empty($errors)) { echo $errors; } else { if (isset($userID) and is_numeric($userID) and $userID != OS_GetUserID()) { /* store the message: field_id = recipient, field_name = time|sender||p.m.0 (0 = unread) */ OS_add_custom_field($userID, time() . "|" . OS_GetUserID() . 
"||p.m.0", $PMText); $MailText = $PMText; $PMName = ""; $PMText = ""; ?> <h4>Message was sent successfully</h4><?php /* SEND EMAIL NOTIFICATION — only the first PM sent in this session triggers a mail */ if (!isset($_SESSION["mail_sent"])) { $_SESSION["mail_sent"] = 1; global $lang; global $mail; global $DefaultHomeTitle; $message = "You have just received a private message from " . $_SESSION["username"] . "<br />"; $message .= "Click on the following link to read the message<br />"; $message .= "" . OS_HOME . "?action=pm&inbox"; $message .= "<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />"; $message .= convEnt($MailText); $message .= "<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />{$DefaultHomeTitle}"; require "inc/class.phpmailer.php"; $mail = new PHPMailer(); $mail->CharSet = 'UTF-8'; $mail->SetFrom($lang["email_from"], $lang["email_from_full"]); $mail->AddReplyTo($lang["email_from"], $lang["email_from_full"]); /* $row is the recipient row fetched by the username lookup above */ $mail->AddAddress($row["user_email"], ""); $mail->Subject = "New Private Message"; $mail->MsgHTML($message); $mail->AltBody = "This is the body in plain text for non-HTML mail clients"; $mail->Send(); } } else { ?> <h4>The message could not be sent</h4><?php } } } /* fresh form token for the next submission */ $code = generate_hash(8); $_SESSION["code"] = $code; ?> <form action="" method="post" accept-charset="UTF-8"> <table> <tr class="row"> <td width="70" class="padLeft"><b>To:</b></td> <td><input type="text" value="<?php echo $PMName; ?> " size="65" name="pm_name" /></td> </tr> <tr class="row"> <td width="70" class="padLeft"><b>Message:</b></td> <td><textarea name="pm_message" rows="9" cols="80" ><?php echo $PMText; ?> </textarea></td> </tr> <tr class="row"> <td width="70" class="padLeft"></td> <td><input type="submit" value="Send PM" class="menuButtons" /></td> </tr> </table> <input type="hidden" name="code" value="<?php echo $code; ?> " /> </form> <?php } /* SEND MESSAGE (USER ID) */ if (isset($_GET["send"]) and is_numeric($_GET["send"])) { $uid = safeEscape((int) $_GET["send"]); if (OS_GetUserID() == 
$uid) { ?> <h4>You can not send messages to yourself</h4> <?php } else { if (isset($_POST["pm_message"]) and isset($_SESSION["code"]) and isset($_POST["code"])) { /* form token check; loose != — a strict !== avoids type juggling */ if ($_SESSION["code"] != $_POST["code"]) { $errors .= "<div>Form is not valid. Try again.</div>"; } $PMText = strip_tags($_POST['pm_message']); if (strlen($PMText) <= 2) { $errors .= "<div>There are not enough characters in the message</div>"; } if (!empty($errors)) { ?> <h4><?php echo $errors; ?> </h4><?php } else { /* ADD MESSAGE — args: TO = user ID, FROM = time|UserID, message; the recipient must exist */ $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_id = ? LIMIT 1"); $sth->bindValue(1, $uid, PDO::PARAM_INT); $result = $sth->execute(); if ($sth->rowCount() >= 1) { OS_add_custom_field($uid, time() . "|" . OS_GetUserID() . "||p.m.0", $PMText); } ?> <h4>Message was sent successfully</h4><?php } } /* fresh form token for the next submission */ $code = generate_hash(8); $_SESSION["code"] = $code; $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_id = ? LIMIT 1"); $sth->bindValue(1, $uid, PDO::PARAM_INT); $result = $sth->execute(); if ($sth->rowCount() >= 1) { $row = $sth->fetch(PDO::FETCH_ASSOC); $sendTo = $row["user_name"]; ?> <form action="" method="post" accept-charset="UTF-8"> <table> <tr class="row"> <td width="120" class="padLeft"><b>Send to:</b></td> <td><?php echo $sendTo; ?> </td> </tr> <tr class="row"> <td width="120" class="padLeft"><b>Message:</b></td> <td><textarea name="pm_message" rows="9" cols="80" ></textarea></td> </tr> <tr class="row"> <td width="120" class="padLeft"></td> <td><input type="submit" value="Send PM" class="menuButtons" /></td> </tr> </table> <input type="hidden" name="code" value="<?php echo $code; ?> " /> </form> <?php if (isset($_GET["m"])) { /* NOTE(review): this lookup is keyed on field_name alone — nothing restricts it to a p.m. row addressed to or sent by the current user — and the matching field_value is printed below. Other code on this page stores password-reset codes in the same table, so the query should also constrain field_id (to $uid / OS_GetUserID()) and the "||p.m." name pattern. */ $sth = $db->prepare("SELECT * FROM " . OSDB_CUSTOM_FIELDS . " WHERE field_name = ? 
"); $sth->bindValue(1, safeEscape($_GET["m"]), PDO::PARAM_STR); $result = $sth->execute(); $row = $sth->fetch(PDO::FETCH_ASSOC); $dateFor = explode("|", $row["field_name"]); $date = (int) $dateFor[0]; ?> <div class="padTop"></div> <table> <tr class="row"> <td class="padLeft"><b><?php echo $sendTo; ?> </b>, <?php echo date($DateFormat, $date); ?> </td> </tr> <tr> <td><?php echo convEnt($row["field_value"]); ?> </td> </tr> </table> <?php } } else { ?> <h4>User not found</h4><?php } } } /* SENT ITEMS */ if (isset($_GET["sent_items"]) and is_logged()) { ?> <h4>Sent items</h4><?php /* GET ALL MESSAGES; with sent_items=<id>&m=<field_name> only that one message is selected */ if (!empty($_GET["sent_items"]) and is_numeric($_GET["sent_items"]) and isset($_GET["m"])) { $id = safeEscape((int) $_GET["sent_items"]); $field = safeEscape($_GET["m"]); $sql = "AND c.field_name = ? "; } else { $sql = ""; } /* "%|<my id>||p.m.%" matches messages sent by the current user */ $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tWHERE c.field_name LIKE ? {$sql}"); $sth->bindValue(1, "%|" . (int) $_SESSION["user_id"] . "||p.m.%", PDO::PARAM_STR); if (!empty($sql)) { $sth->bindValue(2, $field, PDO::PARAM_STR); } $result = $sth->execute(); $r = $sth->fetch(PDO::FETCH_NUM); $numrows = $r[0]; $result_per_page = 10; $offset = os_offset($numrows, $result_per_page); $sth = $db->prepare("SELECT c.field_id, c.field_name, c.field_value, u.user_name, u.user_avatar\n\t\tFROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tLEFT JOIN " . OSDB_USERS . " as u ON u.user_id = c.field_id\n\t\tWHERE c.field_name LIKE ? {$sql}\n\t\tORDER BY c.field_name DESC\n\t\tLIMIT {$offset}, {$result_per_page}"); $sth->bindValue(1, "%|" . OS_GetUserID() . 
"||p.m.%", PDO::PARAM_STR); if (!empty($sql)) { $sth->bindValue(2, $field, PDO::PARAM_STR); } $result = $sth->execute(); ?> <table> <?php while ($row = $sth->fetch(PDO::FETCH_ASSOC)) { $dateFor = explode("|", $row["field_name"]); $date = $dateFor[0]; if (!isset($_GET["m"])) { $text = limit_words(convEnt($row["field_value"]), 40); } else { $text = AutoLinkShort(convEnt($row["field_value"])); } ?> <tr class="row"> <td width="140"><a href="<?php echo OS_HOME; ?> ?action=pm&sent_items=<?php echo $row["field_id"]; ?> &m=<?php echo $row["field_name"]; ?> "><b><?php echo $row["user_name"]; ?> </b>, <?php echo date($DateFormat, $date); ?> </a></td> <td><?php echo $text; ?> <?php if (isset($_GET["m"])) { ?> <div class="padTop"> <a class="menuButtons" href="<?php echo OS_HOME; ?> ?action=pm&send=<?php echo $row["field_id"]; ?> &m=<?php /* NOTE(review): raw query-string value written into an href attribute — wrap it in htmlspecialchars() */ echo $_GET["m"]; ?> ">[SEND MESSAGE]</a> <a class="menuButtons" href="<?php echo OS_HOME; ?> ?action=pm&sent_items">« Back</a> </div> <?php } else { ?> <a href="<?php echo OS_HOME; ?> ?action=pm&sent_items=<?php echo $row["field_id"]; ?> &m=<?php echo $row["field_name"]; ?> ">more » </a> <?php } ?> </td> </tr> <?php } if ($sth->rowCount() <= 0) { ?> <tr><td>No new messages</td></tr><?php } ?> </table> <?php os_pagination($numrows, $result_per_page, 5, 1, '&sent_items'); } /* INBOX MESSAGES */ if (isset($_GET["inbox"]) and is_logged()) { ?> <h4>Inbox</h4><?php if (!empty($_GET["inbox"]) and is_numeric($_GET["inbox"]) and isset($_GET["m"])) { $id = safeEscape((int) $_GET["inbox"]); $field = safeEscape($_GET["m"]); $sql = "AND c.field_name = :field_name "; /* same name with the trailing read flag set to 1 */ $field_name = substr($field, 0, -1) . "1"; } else { $sql = ""; } /* the user id is concatenated into the SQL; OS_GetUserID() is presumably an int — verify */ $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tWHERE c.field_id = '" . OS_GetUserID() . 
"' {$sql}"); if (!empty($sql)) { $sth->bindValue(':field_name', $field, PDO::PARAM_STR); } $result = $sth->execute(); $r = $sth->fetch(PDO::FETCH_NUM); $numrows = $r[0]; $result_per_page = 10; $offset = os_offset($numrows, $result_per_page); $sth = $db->prepare("SELECT c.field_id, c.field_name, c.field_value, u.user_name, u.user_avatar\n\t\tFROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tLEFT JOIN " . OSDB_USERS . " as u ON u.user_id = c.field_id\n\t\tWHERE c.field_id = '" . OS_GetUserID() . "'\n\t\tAND field_name LIKE('%||p.m.%')\n\t\t{$sql}\n\t\tORDER BY c.field_name DESC\n\t\tLIMIT {$offset}, {$result_per_page}"); if (!empty($sql)) { $sth->bindValue(':field_name', $field, PDO::PARAM_STR); } $result = $sth->execute(); /* UPDATE "read" message: rename the row so its trailing flag becomes 1. NOTE(review): the WHERE clause interpolates the escaped query value and is not restricted to field_id = OS_GetUserID(); add that restriction and bind $field instead of interpolating it. */ if (!empty($_GET["inbox"]) and is_numeric($_GET["inbox"]) and isset($_GET["m"])) { $field = safeEscape($_GET["m"]); $field_name = substr($field, 0, -1) . "1"; $result = $db->update(OSDB_CUSTOM_FIELDS, array("field_name" => $field_name), "field_name = '" . $field . "'"); } ?> <table> <?php while ($row = $sth->fetch(PDO::FETCH_ASSOC)) { $dateFor = explode("|", $row["field_name"]); $date = $dateFor[0]; $FromID = $dateFor[1]; /* last character of field_name is the read flag */ $read = substr($row["field_name"], strlen($row["field_name"]) - 1, 1); if ($read == 1) { $col = '686A6B'; $readTxt = 'read'; } else { $col = 'A41600'; $readTxt = '<b>new</b>'; } if (!isset($_GET["m"])) { $text = limit_words(convEnt($row["field_value"]), 12); /* NOTE(review): convEnt() is applied a second time here (limit_words already received convEnt output), so if it HTML-encodes, entities are encoded twice; "<b/>" below is also not a closing tag — should be "</b>". */ if ($read == 0) { $text = '<span style="color: #000;"><b>' . convEnt($text) . '<b/></span>'; } if ($read == 1) { $text = '<span style="color: #686A6B;">' . convEnt($text) . 
'</span>'; } } else { $text = AutoLinkShort(convEnt($row["field_value"])); } ?> <?php if (!isset($_GET["m"])) { ?> <tr class="row"> <td width="120" class="padLeft"> <a href="<?php echo OS_HOME; ?> ?action=pm&inbox=<?php echo $FromID; ?> &m=<?php echo $row["field_name"]; ?> "><span style="color: #<?php echo $col; ?> "><b><?php echo OS_GetUsernameByUserID($FromID); ?> </b></span></a> </td> <td width="600"><a href="<?php echo OS_HOME; ?> ?action=pm&inbox=<?php echo $FromID; ?> &m=<?php echo $row["field_name"]; ?> "><?php echo $text; ?> </a></td> <td><?php echo date($DateFormat, $date); ?> </td> </tr> <?php } else { ?> <tr class="row"> <td class="padLeft"><span style="color: #<?php echo $col; ?> "><b><?php echo OS_GetUsernameByUserID($FromID); ?> </b>, <?php echo date($DateFormat, $date); ?> </span></td> </tr> <tr> <td><?php echo $text; ?> </td> </tr> <tr> <td><div class="padTop padBottom"> <a class="menuButtons" href="<?php echo OS_HOME; ?> ?action=pm&send=<?php echo $FromID; ?> &m=<?php /* NOTE(review): raw query-string value in an href attribute — wrap in htmlspecialchars() */ echo $_GET["m"]; ?> ">[SEND MESSAGE]</a> <a class="menuButtons" href="<?php echo OS_HOME; ?> ?action=pm&inbox">« Back</a> </div></td> </tr> <?php } ?> <?php } if ($sth->rowCount() <= 0) { ?> <tr><td>No new messages</td></tr><?php } ?> </table> <?php os_pagination($numrows, $result_per_page, 5, 1, '&inbox'); } ?> <div class="padTop" style="margin-top:124px;"></div> </div> </div> </div> </div> </div> <?php } }
$sth = $db->prepare("SELECT * FROM " . OSDB_GUIDES . " WHERE id = '" . $id . "' "); $result = $sth->execute(); if ($sth->rowCount() >= 1) { $hrow = $sth->fetch(PDO::FETCH_ASSOC); $hid = $hrow["hid"]; $title = $hrow["title"]; $link = $hrow["link"]; $button = "Edit guide"; } } else { $hid = ""; $title = ""; $link = ""; $button = "Submit guide"; } $code = generate_hash(10); $_SESSION["code"] = $code; ?> <form action="" method="post"> <table> <tr> <th></th> <th></th> </tr> <tr> <td class="padLeft"> <div style="margin-bottom:12px;"> <img id="himg" style="vertical-align: top;" src="<?php
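/**
 * Checks a stored hash against the hash of $str (with the optional $salt).
 *
 * Uses hash_equals() so the comparison takes the same time regardless of how
 * many leading bytes match; a plain === short-circuits at the first mismatch.
 *
 * @param mixed  $hash stored hash to verify (compared strictly; non-strings
 *                     fall back to the original === semantics)
 * @param string $str  value to hash via generate_hash()
 * @param string $salt optional salt passed through to generate_hash()
 * @return bool true when the hashes are identical
 */
function verify_hash($hash, $str, $salt = '') {
	$newhash = generate_hash($str, $salt);
	// hash_equals() requires two strings; for anything else keep the exact
	// result the strict comparison gave before.
	if (!is_string($hash) || !is_string($newhash)) {
		return $hash === $newhash;
	}
	return hash_equals($newhash, $hash);
}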
$photo_record = $db->GetRow($query); if ($photo_record) { $photo_active = $photo_record["photo_active"] == "1" ? "0" : "1"; $query = "UPDATE `" . AUTH_DATABASE . "`.`user_photos` SET `photo_active` = " . $db->qstr($photo_active) . " WHERE `proxy_id` = " . $db->qstr($ENTRADA_USER->getID()); if ($db->Execute($query)) { echo json_encode(array("status" => "success", "data" => array("imgurl" => webservice_url("photo", array($ENTRADA_USER->getID(), $photo_active == "1" ? "upload" : "official")) . "/" . time(), "imgtype" => $photo_active == "1" ? "uploaded" : "official"))); } else { application_log("error", "An error occurred while attempting to update user photo active flag for user [" . $ENTRADA_USER->getID() . "], DB said: " . $db->ErrorMsg()); echo json_encode(array("status" => "error")); } } else { echo json_encode(array("status" => "error", "data" => "No uploaded photo record on file. You must upload a photo before you can toggle photos.")); } break; case "generatehash": $new_private_hash = generate_hash(); $query = "UPDATE IGNORE `" . AUTH_DATABASE . "`.`user_access` SET `private_hash` = " . $db->qstr($new_private_hash) . " WHERE `user_id` = " . $db->qstr($ENTRADA_USER->getID()) . " AND `organisation_id` = " . $db->qstr($ENTRADA_USER->getActiveOrganisation()); $result = $db->Execute($query); if ($result) { echo json_encode(array("status" => "success", "data" => $new_private_hash)); $_SESSION["details"]["private_hash"] = $new_private_hash; } else { echo json_encode(array("status" => "error")); } break; case "resetpw": if ($_POST["current_password"] && ($tmp_input = clean_input($_POST["current_password"], array("trim", "striptags")))) { $PROCESSED["current_password"] = $tmp_input; } if ($_POST["new_password"] && ($tmp_input = clean_input($_POST["new_password"], array("trim", "striptags")))) { $PROCESSED["new_password"] = $tmp_input;
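/**
 * Completes a Facebook-based login from the POSTed profile fields fb_name,
 * fb_email, fb_id (and optionally fb_gender). When no row matches
 * (user_fbid, user_email) a new user is inserted; otherwise the existing row is
 * refreshed. Either way $_SESSION is populated and the request is redirected
 * to OS_HOME. Does nothing when the three required fields are absent.
 *
 * Validation failures redirect to ?action=facebook&error=N
 * (1 = missing/short fb_id, 2 = short name, 3 = short email) and exit.
 *
 * NOTE(review): the identity is taken from POST fields only — nothing here
 * verifies a Facebook access token or signed request. Unless the caller has
 * already done so, matching on (fb_id, email) is not an authentication step;
 * confirm before relying on this for login.
 *
 * Changes from the previous version: the UPDATE now binds its values instead
 * of interpolating $FBID/$email/$avatar/$www into the SQL, the duplicate
 * username check is actually executed (it previously called rowCount() on an
 * un-executed statement, so the suffix was never applied), and fb_gender is
 * read only when present.
 */
function OS_CheckFacebookLogin() {
    if (!(isset($_POST["fb_name"]) and isset($_POST["fb_email"]) and isset($_POST["fb_id"]))) {
        return;
    }
    global $db;
    $errors = '';
    $FBID = trim($_POST["fb_id"]);
    // fb_gender is optional; an absent value behaves like an unknown gender.
    $gender = isset($_POST["fb_gender"]) ? safeEscape(trim($_POST["fb_gender"])) : '';
    $name = strip_tags(trim($_POST["fb_name"]));
    $email = safeEscape(trim($_POST["fb_email"]));
    $IP = safeEscape($_SERVER["REMOTE_ADDR"]);
    $avatar = 'https://graph.facebook.com/' . $FBID . '/picture/?type=large';
    $www = 'http://www.facebook.com/profile.php?id=' . $FBID . '';
    // A random local password is generated so the row has a credential pair
    // even though the user signs in through Facebook.
    $pass = generate_hash(5);
    $hash = generate_hash(12);
    $password_db = generate_password($pass, $hash);

    // Last failing check wins, as in the original.
    if (empty($FBID) or strlen($FBID) <= 6) {
        $errors = '1';
    }
    if (strlen($name) <= 3) {
        $errors = '2';
    }
    if (strlen($email) <= 6) {
        $errors = '3';
    }
    if (!empty($errors)) {
        header('location:' . OS_HOME . '?action=facebook&error=' . $errors);
        die;
    }

    // 1 = male, 2 = female, 0 = unknown
    if ($gender == "male") {
        $gen = 1;
    } elseif ($gender == "female") {
        $gen = 2;
    } else {
        $gen = 0;
    }

    $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_fbid =:FBID AND user_email =:email");
    $sth->bindValue(':FBID', $FBID, PDO::PARAM_STR);
    $sth->bindValue(':email', $email, PDO::PARAM_STR);
    $result = $sth->execute();

    if ($sth->rowCount() <= 0) {
        // NEW USER: make the display name unique before inserting.
        $check = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE LOWER(user_name) =:name ");
        $check->bindValue(':name', strtolower($name), PDO::PARAM_STR);
        $check->execute();
        if ($check->rowCount() >= 1) {
            $name .= " " . rand(100, 1000);
        }
        $db->insert(OSDB_USERS, array(
            "user_name" => $name,
            "user_fbid" => $FBID,
            "user_password" => $password_db,
            "password_hash" => $hash,
            "user_email" => $email,
            "user_joined" => (int) time(),
            "user_level" => 0,
            "user_last_login" => (int) time(),
            "user_ip" => $IP,
            "user_avatar" => $avatar,
            "user_website" => $www,
            "user_gender" => $gen,
        ));
        $id = $db->lastInsertId();
        $_SESSION["user_id"] = $id;
        $_SESSION["username"] = $name;
        $_SESSION["email"] = $email;
        $_SESSION["level"] = 0;
        $_SESSION["can_comment"] = 1;
        $_SESSION["logged"] = time();
        $_SESSION["fb"] = $FBID;
        $_SESSION["bnet"] = "";
        $_SESSION["bnet_username"] = "";
        header("location: " . OS_HOME . "");
        die;
    }

    // UPDATE USER DATA: refresh avatar/website (and gender when known).
    // The user_last_login value is kept exactly as it appears on the page.
    $sql = "UPDATE " . OSDB_USERS . " SET user_last_login = '******', user_avatar = :avatar, user_website = :www";
    if ($gen >= 1) {
        $sql .= ", user_gender = :gender";
    }
    $sql .= " WHERE user_email = :email AND user_fbid = :FBID LIMIT 1";
    $update = $db->prepare($sql);
    $update->bindValue(':avatar', strip_tags($avatar), PDO::PARAM_STR);
    $update->bindValue(':www', strip_tags($www), PDO::PARAM_STR);
    if ($gen >= 1) {
        $update->bindValue(':gender', (int) $gen, PDO::PARAM_INT);
    }
    $update->bindValue(':email', $email, PDO::PARAM_STR);
    $update->bindValue(':FBID', $FBID, PDO::PARAM_STR);
    $result = $update->execute();

    // $sth still holds the (fb_id, email) lookup result from above.
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    $id = $row["user_id"];
    $_SESSION["user_id"] = $id;
    $_SESSION["username"] = $row["user_name"];
    $_SESSION["email"] = $row["user_email"];
    $_SESSION["level"] = $row["user_level"];
    $_SESSION["can_comment"] = $row["can_comment"];
    $_SESSION["logged"] = time();
    $_SESSION["fb"] = $FBID;
    $_SESSION["bnet"] = $row["user_bnet"];
    $_SESSION["bnet_username"] = $row["bnet_username"];
    header("location: " . OS_HOME . "");
    die;
}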
/**
 * Installer step 3: collects the database settings and the bug-report e-mail
 * from the form, writes them into config.ini (replacing the %placeholders% in
 * the template), loads the SQL dumps and advances the session to "config_site".
 * Renders config_system.tpl with any collected errors.
 *
 * NOTE(review): every POST key is copied into $_SESSION['db'] (with a "db_"
 * prefix stripped), and $_SESSION['db']['type_name'] is later used as a path
 * component when locating the SQL dumps. Restricting type_name to the known
 * driver names (and the copied keys to an allow-list) would keep arbitrary
 * form fields out of the written config and the dump path inside data/sql/.
 */
public function config_system() {
    global $LANG;
    // Step 2 must be done and the public _constants.php must already exist.
    if (!empty($_SESSION['step2']) && is_file(PH7_ROOT_PUBLIC . '_constants.php')) {
        session_regenerate_id(true);
        // Defaults shown the first time this step is displayed.
        if (empty($_SESSION['val'])) {
            $_SESSION['db']['type_name'] = 'MySQL';
            $_SESSION['db']['type'] = 'mysql';
            $_SESSION['db']['hostname'] = 'localhost';
            $_SESSION['db']['name'] = 'PHS-SOFTWARE';
            $_SESSION['db']['username'] = '******';
            $_SESSION['db']['prefix'] = 'PH7_';
            $_SESSION['db']['port'] = '3306';
            $_SESSION['db']['charset'] = 'UTF8';
            $_SESSION['val']['bug_report_email'] = '';
            $_SESSION['val']['ffmpeg_path'] = is_windows() ? 'C:\\ffmpeg\\ffmpeg.exe' : '/usr/bin/ffmpeg';
        }
        if ($_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST['config_system_submit'])) {
            if (filled_out($_POST)) {
                // Mass copy of the form into the db settings (see NOTE above).
                foreach ($_POST as $sKey => $sVal) {
                    $_SESSION['db'][str_replace('db_', '', $sKey)] = trim($sVal);
                }
                $_SESSION['val']['bug_report_email'] = trim($_POST['bug_report_email']);
                $_SESSION['val']['ffmpeg_path'] = trim($_POST['ffmpeg_path']);
                if (validate_email($_SESSION['val']['bug_report_email'])) {
                    try {
                        // Opens $DB using the session settings; may throw PDOException.
                        require_once PH7_ROOT_INSTALL . 'inc/_db_connect.inc.php';
                        // Include errors are suppressed here; a failure surfaces later as missing constants.
                        @(require_once PH7_ROOT_PUBLIC . '_constants.php');
                        @(require_once PH7_PATH_APP . 'configs/constants.php');
                        // Config File
                        // NOTE(review): 0777 leaves the config directory world-writable; the
                        // installer should restore a tighter mode once config.ini is written.
                        @chmod(PH7_PATH_APP_CONFIG, 0777);
                        $sConfigContent = file_get_contents(PH7_ROOT_INSTALL . 'data/configs/config.ini');
                        // Placeholder substitution. Only some values go through clean_string();
                        // hostname, charset, port, type and type_name are written as submitted.
                        $sConfigContent = str_replace('%bug_report_email%', $_SESSION['val']['bug_report_email'], $sConfigContent);
                        $sConfigContent = str_replace('%ffmpeg_path%', clean_string($_SESSION['val']['ffmpeg_path']), $sConfigContent);
                        $sConfigContent = str_replace('%db_type_name%', $_SESSION['db']['type_name'], $sConfigContent);
                        $sConfigContent = str_replace('%db_type%', $_SESSION['db']['type'], $sConfigContent);
                        $sConfigContent = str_replace('%db_hostname%', $_SESSION['db']['hostname'], $sConfigContent);
                        $sConfigContent = str_replace('%db_name%', clean_string($_SESSION['db']['name']), $sConfigContent);
                        $sConfigContent = str_replace('%db_username%', clean_string($_SESSION['db']['username']), $sConfigContent);
                        $sConfigContent = str_replace('%db_password%', clean_string($_SESSION['db']['password']), $sConfigContent);
                        $sConfigContent = str_replace('%db_prefix%', clean_string($_SESSION['db']['prefix']), $sConfigContent);
                        $sConfigContent = str_replace('%db_charset%', $_SESSION['db']['charset'], $sConfigContent);
                        $sConfigContent = str_replace('%db_port%', $_SESSION['db']['port'], $sConfigContent);
                        // Per-install secrets, generated fresh here.
                        $sConfigContent = str_replace('%private_key%', generate_hash(40), $sConfigContent);
                        $sConfigContent = str_replace('%rand_id%', generate_hash(5), $sConfigContent);
                        if (!@file_put_contents(PH7_PATH_APP_CONFIG . 'config.ini', $sConfigContent)) {
                            $aErrors[] = $LANG['no_app_config_writable'];
                        } else {
                            // Only MySQL at or above PH7_REQUIRE_SQL_VERSION is supported.
                            if (!($DB->getAttribute(\PDO::ATTR_DRIVER_NAME) == 'mysql' && version_compare($DB->getAttribute(\PDO::ATTR_SERVER_VERSION), PH7_REQUIRE_SQL_VERSION, '>='))) {
                                $aErrors[] = $LANG['require_mysql_version'];
                            } else {
                                $aDumps = array('pH7_SchemaGame', 'pH7_DataGame', 'pH7_Core', 'pH7_GeoCountry', 'pH7_GeoCity', 'pH7_GeoCity2', 'pH7_GeoCity3', 'pH7_GeoCity4', 'pH7_GeoCity5', 'pH7_GeoCity6', 'pH7_GeoCity7', 'pH7_GeoCity8', 'pH7_GeoState', 'pH7_SampleData');
                                // Dump directory is data/sql/<type_name>/ — type_name comes from the form (see NOTE above).
                                for ($i = 0, $iCount = count($aDumps); $i < $iCount; $i++) {
                                    exec_query_file($DB, PH7_ROOT_INSTALL . 'data/sql/' . $_SESSION['db']['type_name'] . '/' . $aDumps[$i] . '.sql');
                                }
                                unset($DB);
                                $_SESSION['step3'] = 1;
                                unset($_SESSION['val']);
                                redirect(PH7_URL_SLUG_INSTALL . 'config_site');
                            }
                        }
                    } catch (\PDOException $oE) {
                        $aErrors[] = $LANG['database_error'] . escape($oE->getMessage());
                    }
                } else {
                    $aErrors[] = $LANG['bad_email'];
                }
            } else {
                $aErrors[] = $LANG['all_fields_mandatory'];
            }
        }
    } else {
        redirect(PH7_URL_SLUG_INSTALL . 'config_path');
    }
    $this->oView->assign('sept_number', 3);
    // $aErrors is only defined on failure; @ hides the undefined-variable notice.
    $this->oView->assign('errors', @$aErrors);
    unset($aErrors);
    $this->oView->display('config_system.tpl');
}
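/**
 * Returns the hash stored for an RRA row, or a freshly generated hash when the
 * stored value does not contain a 32-hex-digit run.
 *
 * Fixes: ereg() (removed in PHP 7) is replaced by preg_match(), and $rra_id is
 * cast to int before being placed in the query string so that only an integer
 * id can reach the SQL. The pattern is unanchored, as before.
 *
 * @param int|string $rra_id row id; anything non-numeric becomes 0
 * @return string
 */
function get_hash_round_robin_archive($rra_id) {
	// db_fetch_cell() takes a raw SQL string here, so the id is sanitised by cast.
	$hash = db_fetch_cell('select hash from rra where id=' . (int) $rra_id);
	if (preg_match('/[a-fA-F0-9]{32}/', $hash)) {
		return $hash;
	}
	return generate_hash();
}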
/**
 * "Forgot password" screen. Without ?e=&c= it shows the request form and, on
 * submit, stores a reset code for the address (as a custom field
 * "reset_password|<email>" under user id 0) and mails a link carrying it.
 * With ?e=<email>&c=<code> it validates the pair and shows the new-password
 * form; on submit it updates the user's password and removes the code.
 * Output is emitted directly; there is no return value.
 */
function OS_ForgotPassword() { $errors = ""; global $db; global $mail; global $lang; if (isset($_POST["reset_password"]) and isset($_POST["reset_password_submit"])) { global $lang; /* NOTE(review): EscapeStr() is assumed to make $email safe for the SQL strings built further down — confirm; the bound-parameter SELECTs do not depend on it. */ $email = EscapeStr(trim($_POST["reset_password"])); /* one request per session */ if (isset($_SESSION["password_send"])) { $errors .= "<h4>You have already sent a request to reset the password. Please check your mail.</h4>"; } if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) { $errors .= "<h4>Invalid Email address</h4>"; } if (empty($errors)) { $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 "); $sth->bindValue(':email', $email, PDO::PARAM_STR); $result = $sth->execute(); /* NOTE(review): this reveals whether an address is registered; a uniform "if the address exists, a mail has been sent" message avoids that. */ if ($sth->rowCount() <= 0) { $errors .= "<h4>Email address does not exist in our database.</h4>"; } if (empty($errors)) { /* NOTE(review): the code is stored as-is and without a timestamp, so the "expired" message below can never actually expire it; storing a hash of the code plus an expiry would let the check do what it says. */ $code = generate_hash(16); OS_add_custom_field(0, 'reset_password|' . $email, $code); require "inc/class.phpmailer.php"; $message = "You have requested a password reset.<br />"; $message .= "Click on the link below to reset your password:<br /><br />"; /* e= and c= are not urlencoded; a "+" in the address (allowed by the regex above) will arrive as a space */ $message .= OS_HOME . "?action=reset_password&e=" . $email . "&c=" . $code . "<br /><br />"; $message .= "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />"; $message .= "If you did not request a password reset just ignore this email and delete it.<br />"; $mail = new PHPMailer(); $mail->CharSet = 'UTF-8'; /* ContentType is set to text/plain and then overridden by IsHTML(true) */ $mail->ContentType = 'text/plain'; $mail->IsHTML(true); $mail->SetFrom($lang["email_from"], $lang["email_from_full"]); $mail->AddAddress($email, ""); $mail->Subject = "Password reset!"; $mail->MsgHTML($message); $mail->AltBody = "This is the body in plain text for non-HTML mail clients"; $mail->Send(); $_SESSION["password_send"] = time(); /* not an error, just a status message reusing $errors */ $errors = "<h4>You have successfully submitted a request to reset your password. 
Please check your mail.</h4>"; } } } ?> <div id="content" class="s-c-x"> <div class="wrapper"> <div id="main-column"> <div class="padding"> <div class="inner"> <h2>Reset password</h2> <div class="padTop"></div> <?php if (isset($errors) and !empty($errors)) { echo $errors; } ?> <?php if (!isset($_GET["c"]) and !isset($_GET["e"])) { ?> <form action="" method="post"> <table style="width:800px;"> <tr class="row"> <td></td> <td> <b>You can't retrieve your password, but you can set a new one by following a link sent to you by email.</b> <div>- This is the email address you used to register on the site.</div> <div>- If you do not receive an email, check your "Spam" folder.</div> </td> </tr> <tr class="row"> <td width="120" class="padLeft">Email address:</td> <td class="padLeft"> <input type="text" name="reset_password" size="39" value="" style="height:26px;" /> </td> </tr> <tr class="row"> <td width="120" class="padLeft"></td> <td class="padLeft"><input type="submit" name="reset_password_submit" class="menuButtons" value="Send" /> <div class="padBottom"></div> </td> </tr> </table> </form> <?php } else { /* a random placeholder guarantees the lookups below fail when e= or c= is missing */ if (isset($_GET["e"])) { $email = EscapeStr(trim($_GET["e"])); } else { $email = generate_hash(12); } if (isset($_GET["c"])) { $code = EscapeStr(trim($_GET["c"])); } else { $code = generate_hash(12); } if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) { $errors .= "<h4>Invalid Email address</h4>"; } if (empty($errors)) { $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 "); $sth->bindValue(':email', $email, PDO::PARAM_STR); $result = $sth->execute(); if ($sth->rowCount() <= 0) { $errors .= "<h4>Email address does not exist in our database.</h4>"; } } if (empty($errors)) { $value = OS_get_custom_field(0, 'reset_password|' . 
$email); /* NOTE(review): loose != between the submitted and stored code; prefer a strict, constant-time check such as !hash_equals((string) $value, $code) */ if ($code != $value or strlen($code) <= 5) { $errors .= "<h4>Link has expired, or the password has already been reset</h4>"; } } /* FINALLY RESET */ if (empty($errors) and isset($_POST["reset_1"]) and isset($_POST["reset_2"])) { /* NOTE(review): strip_tags() silently alters passwords containing "<"; there is also no minimum-length check */ $p1 = strip_tags($_POST["reset_1"]); $p2 = strip_tags($_POST["reset_2"]); if ($p1 != $p2) { $errors .= "<h4>Both passwords are not the same</h4>"; } else { $hash = generate_hash(16, 1); $password_db = generate_password($p1, $hash); /* NOTE(review): this WHERE clause and the DELETE below interpolate $email and $code into SQL; $email has at least passed the address regex, $code is only EscapeStr()'d — bind both as parameters. */ $result = $db->update(OSDB_USERS, array("user_password" => $password_db, "password_hash" => $hash), "user_email = '" . $email . "'"); $delete = $db->exec("DELETE FROM " . OSDB_CUSTOM_FIELDS . " \n\t\t WHERE field_value='" . $code . "' AND field_name = 'reset_password|" . $email . "' LIMIT 1"); $PasswordReset = 1; } } if (isset($errors) and !empty($errors)) { echo $errors; } else { if (isset($PasswordReset) and $PasswordReset == 1) { ?> <h2>Password has been successfully changed. Now you can log in.</h2> <?php } else { ?> <form action="" method="post"> <table style="width:600px;"> <tr class="row"> <td class="padLeft">New password:</td> <td class="padLeft"><input type="password" name="reset_1" size="6" value="" /></td> </tr> <tr class="row"> <td class="padLeft">Repeat password:</td> <td class="padLeft"><input type="password" name="reset_2" size="6" value="" /></td> </tr> <tr class="row"> <td width="120" class="padLeft"></td> <td class="padLeft"><input type="submit" name="reset_pw" class="menuButtons" value="Reset your password" /> <div class="padBottom"></div> </td> </tr> </table> </form> <?php } } } ?> <div style="height:260px;"></div> </div> </div> </div> </div> </div> <?php }