/**
 * Logs an existing customer in by e-mail address and updates their logon statistics.
 *
 * Intended for the PayPal Express Checkout flow, where the store has just created the
 * account itself. No password is checked: the customer row is selected by e-mail alone
 * and its id is written straight into the session. The caller must therefore only pass
 * an address obtained from the trusted PayPal response, never one taken from request
 * input, or this becomes a login-as-anyone primitive.
 *
 * @param string $email_address e-mail address of the customer record to log in
 * @param bool   $redirect      when true, hand control to terminateEC() after login
 * @return bool true once the session has been populated
 */
function user_login($email_address, $redirect = true)
{
    global $db, $order;
    global $session_started;

    // Without a session the login cannot be persisted: send the visitor to the cookie-usage page.
    if ($session_started == false) {
        zen_redirect(zen_href_link(FILENAME_COOKIE_USAGE));
    }

    $customerQuery = $db->bindVars(
        "SELECT * FROM " . TABLE_CUSTOMERS . "\r\n            WHERE customers_email_address = :custEmail ",
        ':custEmail',
        $email_address,
        'string'
    );
    $customer = $db->Execute($customerQuery);
    if ($customer->EOF) {
        // Unknown e-mail: abort the Express Checkout flow with the bad-login message.
        $this->terminateEC(MODULE_PAYMENT_PAYPALWPP_TEXT_BAD_LOGIN, true);
    }

    // Rotate the session id before the session gains an identity, when the store enables it.
    if (SESSION_RECREATE == 'True') {
        zen_session_recreate();
    }

    $row = $customer->fields;

    // Country and zone come from the customer's default address-book entry.
    $addressQuery = $db->bindVars(
        $db->bindVars(
            "SELECT entry_country_id, entry_zone_id\r\n            FROM " . TABLE_ADDRESS_BOOK . "\r\n            WHERE customers_id = :custID\r\n            AND address_book_id = :addrID ",
            ':custID',
            $row['customers_id'],
            'integer'
        ),
        ':addrID',
        $row['customers_default_address_id'],
        'integer'
    );
    $address = $db->Execute($addressQuery);

    $customerId = (int) $row['customers_id'];
    $_SESSION['customer_id'] = $customerId;
    $_SESSION['customer_default_address_id'] = $row['customers_default_address_id'];
    $_SESSION['customer_first_name'] = $row['customers_firstname'];
    $_SESSION['customer_country_id'] = $address->fields['entry_country_id'];
    $_SESSION['customer_zone_id'] = $address->fields['entry_zone_id'];
    $order->customer['id'] = $customerId;

    // Record the logon on the customers_info row.
    $logonQuery = $db->bindVars(
        "UPDATE " . TABLE_CUSTOMERS_INFO . "\r\n            SET customers_info_date_of_last_logon = now(),\r\n                customers_info_number_of_logons = customers_info_number_of_logons+1\r\n            WHERE customers_info_id = :custID ",
        ':custID',
        $customerId,
        'integer'
    );
    $db->Execute($logonQuery);

    // Merge the customer's saved cart into the session cart.
    $_SESSION['cart']->restore_contents();

    if ($redirect) {
        $this->terminateEC();
    }
    return true;
}
 /**
  * If we created an account for the customer, this logs them in and notes that the record was created for PayPal EC purposes
  */
 function user_login($email_address, $redirect = true)
 {
     global $db, $order, $messageStack;
     global $session_started;
     if ($session_started == false) {
         zen_redirect(zen_href_link(FILENAME_COOKIE_USAGE));
     }
     $sql = "SELECT * FROM " . TABLE_CUSTOMERS . "\n            WHERE customers_email_address = :custEmail ";
     $sql = $db->bindVars($sql, ':custEmail', $email_address, 'string');
     $check_customer = $db->Execute($sql);
     if ($check_customer->EOF) {
         $this->terminateEC(MODULE_PAYMENT_PAYPALWPP_TEXT_BAD_LOGIN, true);
     }
     if (SESSION_RECREATE == 'True') {
         zen_session_recreate();
     }
     $sql = "SELECT entry_country_id, entry_zone_id\n            FROM " . TABLE_ADDRESS_BOOK . "\n            WHERE customers_id = :custID\n            AND address_book_id = :addrID ";
     $sql = $db->bindVars($sql, ':custID', $check_customer->fields['customers_id'], 'integer');
     $sql = $db->bindVars($sql, ':addrID', $check_customer->fields['customers_default_address_id'], 'integer');
     $check_country = $db->Execute($sql);
     $_SESSION['customer_id'] = (int) $check_customer->fields['customers_id'];
     $_SESSION['customer_default_address_id'] = $check_customer->fields['customers_default_address_id'];
     $_SESSION['customer_first_name'] = $check_customer->fields['customers_firstname'];
     $_SESSION['customer_country_id'] = $check_country->fields['entry_country_id'];
     $_SESSION['customer_zone_id'] = $check_country->fields['entry_zone_id'];
     $order->customer['id'] = $_SESSION['customer_id'];
     $sql = "UPDATE " . TABLE_CUSTOMERS_INFO . "\n            SET customers_info_date_of_last_logon = now(),\n                customers_info_number_of_logons = customers_info_number_of_logons+1\n            WHERE customers_info_id = :custID ";
     $sql = $db->bindVars($sql, ':custID', $_SESSION['customer_id'], 'integer');
     $db->Execute($sql);
     // bof: contents merge notice
     // save current cart contents count if required
     if (SHOW_SHOPPING_CART_COMBINED > 0) {
         $zc_check_basket_before = $_SESSION['cart']->count_contents();
     }
     // bof: not require part of contents merge notice
     // restore cart contents
     $_SESSION['cart']->restore_contents();
     // eof: not require part of contents merge notice
     // check current cart contents count if required
     if (SHOW_SHOPPING_CART_COMBINED > 0 && $zc_check_basket_before > 0) {
         $zc_check_basket_after = $_SESSION['cart']->count_contents();
         if ($zc_check_basket_before != $zc_check_basket_after && $_SESSION['cart']->count_contents() > 0 && SHOW_SHOPPING_CART_COMBINED > 0) {
             if (SHOW_SHOPPING_CART_COMBINED == 2) {
                 // warning only do not send to cart
                 $messageStack->add_session('header', WARNING_SHOPPING_CART_COMBINED, 'caution');
             }
             if (SHOW_SHOPPING_CART_COMBINED == 1) {
                 // show warning and send to shopping cart for review
                 $messageStack->add_session('shopping_cart', WARNING_SHOPPING_CART_COMBINED, 'caution');
                 zen_redirect(zen_href_link(FILENAME_SHOPPING_CART, '', 'NONSSL'));
             }
         }
     }
     // eof: contents merge notice
     if ($redirect) {
         $this->terminateEC();
     }
     return true;
 }
/**
 * Verify an admin login against the account's state and the store's security policy.
 *
 * Checks, in order: that the account exists and the name matches exactly, that it is not
 * locked out, any pending reset token, the stored password hash, and (when configured) a
 * two-factor service. Failures increment the per-session and per-account failure counters,
 * may e-mail the account holder, and eventually lock the account. A success resets the
 * counters, stores admin_id in the session and builds the post-login redirect.
 *
 * @param string $admin_name admin user name as submitted
 * @param string $admin_pass plaintext password as submitted
 * @return array [$error (bool), $expired (bool), $message (string), $redirect (string)];
 *               $expired true means the password must be changed before proceeding
 */
function zen_validate_user_login($admin_name, $admin_pass)
{
    global $db;
    // Post-login destination page, taken from the query string.
    // NOTE(review): not validated here; presumably zen_href_link() only builds links to local page filenames - confirm.
    $camefrom = isset($_GET['camefrom']) ? $_GET['camefrom'] : FILENAME_DEFAULT;
    $error = $expired = false;
    $message = $redirect = '';
    // Expiry epoch of a pending reset token; 0 when there is none.
    $expired_token = 0;
    $result = zen_read_user($admin_name);
    if (!isset($result) || $result == FALSE || $admin_name != $result['admin_name']) {
        // invalid login
        // The exact-name comparison rejects a row the lookup matched loosely (presumably a
        // case-insensitive collation). No hash is computed on this path, so only the sleep()
        // in the slam-prevention block below masks its timing against a wrong-password attempt.
        $error = true;
        $message = ERROR_WRONG_LOGIN;
        zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
    } else {
        if ($result['lockout_expires'] > time()) {
            // account locked
            $error = true;
            $message = ERROR_SECURITY_ERROR;
            // account locked. Simply give generic error, since otherwise we alert that the account name is correct
            zen_record_admin_activity(TEXT_ERROR_ATTEMPTED_TO_LOG_IN_TO_LOCKED_ACCOUNT . ' ' . $admin_name, 'warning');
        }
        // reset_token is stored as "<expiry epoch>}<temporary password hash>".
        if ($result['reset_token'] != '') {
            list($expired_token, $token) = explode('}', $result['reset_token']);
            if ($expired_token > 0) {
                if ($expired_token <= time() && $result['admin_pass'] != '') {
                    // reset the reset_token field to blank, since token has expired
                    $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
                    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                    $db->Execute($sql);
                    $expired = false;
                } else {
                    // Token still valid (or no permanent password yet): the submitted password
                    // must match the temporary hash, and a match forces a password change.
                    if (!zen_validate_password($admin_pass, $token)) {
                        $error = true;
                        $message = ERROR_WRONG_LOGIN;
                        zen_record_admin_activity(sprintf(TEXT_ERROR_INCORRECT_PASSWORD_DURING_RESET_FOR_USER) . ' ' . $admin_name, 'warning');
                    } else {
                        $error = true;
                        $expired = true;
                        $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
                    }
                }
            }
        }
        // An empty stored hash means the account has only ever had a temporary password.
        if ($result['admin_pass'] == '') {
            $error = true;
            $expired = true;
            $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
        } else {
            $token = $result['admin_pass'];
            if (!zen_validate_password($admin_pass, $token)) {
                $error = true;
                // When the temporary password already matched above, keep that message and do not log a second failure.
                if (!$expired) {
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
                }
            }
        }
        // Upgrade a legacy hash to the current algorithm.
        // NOTE(review): this is reached even when $error is true; it assumes
        // updateNotLoggedInAdminPassword() re-verifies $admin_pass against the stored hash
        // before writing - confirm. If both admin_pass and reset_token are empty, $token is
        // undefined at this point.
        if (password_needs_rehash($token, PASSWORD_DEFAULT)) {
            $token = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInAdminPassword($admin_pass, $admin_name);
        }
        // BEGIN 2-factor authentication
        // NOTE(review): if the configured service function is not loaded, the whole block is
        // skipped and login proceeds without a second factor (fail-open). Treating a missing
        // service as an error would be the safer default.
        if ($error == FALSE && defined('ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE') && ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE != '') {
            if (function_exists(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE)) {
                $response = zen_call_function(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE, array($result['admin_id'], $result['admin_email'], $result['admin_name']));
                // Anything other than boolean true is a failure.
                if ($response !== TRUE) {
                    $error = TRUE;
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity('TFA Failure - Two-factor authentication failed', 'warning');
                } elseif ($response === TRUE) {
                    // Always true when reached; the branch above handled every other value.
                    zen_record_admin_activity('TFA Passed - Two-factor authentication passed', 'warning');
                }
            }
        }
    }
    // BEGIN LOGIN SLAM PREVENTION
    // Failures are counted both in this session and on the account row, so discarding the
    // session cookie does not reset the account-side counter.
    if ($error == TRUE) {
        if (!isset($_SESSION['login_attempt'])) {
            $_SESSION['login_attempt'] = 0;
        }
        $_SESSION['login_attempt']++;
        // Keyed by the submitted name, so this is a no-op for an unknown account.
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = failed_logins + 1, last_failed_attempt = now(), last_failed_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $db->Execute($sql);
        // After more than three failures on either counter, warn the account holder by e-mail if enabled.
        // NOTE(review): when zen_read_user() returned false, $result['failed_logins'] reads null here.
        if (($_SESSION['login_attempt'] > 3 || $result['failed_logins'] > 3) && isset($result['admin_email']) && $result['admin_email'] != '' && ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS == 'Yes') {
            $html_msg['EMAIL_CUSTOMERS_NAME'] = $result['admin_name'];
            $html_msg['EMAIL_MESSAGE_HTML'] = sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']);
            zen_record_admin_activity(sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), 'warning');
            zen_mail($result['admin_name'], $result['admin_email'], TEXT_EMAIL_SUBJECT_LOGIN_FAILURES, sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), STORE_NAME, EMAIL_FROM, $html_msg, 'no_archive');
        }
        // The hard lockout is skipped while a reset token is pending ($expired_token then holds
        // its epoch, far above 10000) - presumably so a reset in progress cannot be locked out.
        if ($expired_token < 10000) {
            if ($_SESSION['login_attempt'] > 6 || $result['failed_logins'] > 6) {
                // Lock the account, drop the session and stall this request before sending it to the login page.
                $sql = "UPDATE " . TABLE_ADMIN . " SET lockout_expires = " . (time() + ADMIN_LOGIN_LOCKOUT_TIMER) . " WHERE admin_name = :adminname: ";
                $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                $db->Execute($sql);
                zen_session_destroy();
                zen_record_admin_activity('Too many login failures. Account locked for ' . ADMIN_LOGIN_LOCKOUT_TIMER / 60 . ' minutes', 'warning');
                // sleep() holds a PHP worker for the duration: it throttles this connection, not a parallel flood.
                sleep(15);
                $redirect = zen_href_link(FILENAME_DEFAULT, '', 'SSL');
                return array($error, $expired, $message, $redirect);
            } else {
                // Short delay on every failure to slow guessing.
                sleep(4);
            }
        }
    }
    // END LOGIN SLAM PREVENTION
    // deal with expireds for SSL change
    // A sentinel change-date marks accounts that must pick a new password after an SSL change.
    if ($error == FALSE && $result['pwd_last_change_date'] == '1990-01-01 14:02:22') {
        $expired = true;
        $error = true;
        $message = ($message == '' ? '' : $message . '<br /><br />') . EXPIRED_DUE_TO_SSL;
    }
    // deal with expireds for PA-DSS
    // Passwords older than the configured interval must be changed; no message is set on this path.
    // NOTE(review): ADMIN_PASSWORD_EXPIRES_INTERVAL is presumably an epoch timestamp - confirm.
    if ($error == FALSE && PADSS_PWD_EXPIRY_ENFORCED == 1 && $result['pwd_last_change_date'] < date('Y-m-d H:i:s', ADMIN_PASSWORD_EXPIRES_INTERVAL)) {
        $expired = true;
        $error = true;
    }
    // Successful login: clear both failure counters, record the login and bind the admin to the session.
    if ($error == false) {
        unset($_SESSION['login_attempt']);
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = 0, lockout_expires = 0, last_login_date = now(), last_login_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $db->Execute($sql);
        $_SESSION['admin_id'] = $result['admin_id'];
        // Rotate the session id now that the session carries an admin identity, when enabled.
        if (SESSION_RECREATE == 'True') {
            zen_session_recreate();
        }
        $redirect = zen_href_link($camefrom, zen_get_all_get_params(array('camefrom')), 'SSL');
    }
    return array($error, $expired, $message, $redirect);
}
   }
   }
   */
 // Check if email exists
 $check_customer_query = "SELECT customers_id, customers_firstname, customers_lastname, customers_password,\r\n                                    customers_email_address, customers_default_address_id,\r\n                                    customers_authorization, customers_referral\r\n                           FROM " . TABLE_CUSTOMERS . "\r\n                           WHERE customers_email_address = :email";
 $check_customer_query = $db->bindVars($check_customer_query, ':email', $email_address, 'string');
 $check_customer = $db->Execute($check_customer_query);
 if (!$check_customer->RecordCount()) {
     $error = true;
 } else {
     // Check that password is good
     if (!zen_validate_password($password, $check_customer->fields['customers_password'])) {
         $error = true;
     } else {
         if (SESSION_RECREATE == 'True') {
             zen_session_recreate();
         }
         $check_country_query = "SELECT entry_country_id, entry_zone_id\r\n                              FROM " . TABLE_ADDRESS_BOOK . "\r\n                              WHERE customers_id = :customersID\r\n                              AND address_book_id = :adressBookID";
         $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer');
         $check_country_query = $db->bindVars($check_country_query, ':adressBookID', $check_customer->fields['customers_default_address_id'], 'integer');
         $check_country = $db->Execute($check_country_query);
         $_SESSION['customer_id'] = $check_customer->fields['customers_id'];
         $_SESSION['customer_default_address_id'] = $check_customer->fields['customers_default_address_id'];
         $_SESSION['customers_authorization'] = $check_customer->fields['customers_authorization'];
         $_SESSION['customer_first_name'] = $check_customer->fields['customers_firstname'];
         $_SESSION['customer_last_name'] = $check_customer->fields['customers_lastname'];
         $_SESSION['customer_country_id'] = $check_country->fields['entry_country_id'];
         $_SESSION['customer_zone_id'] = $check_country->fields['entry_zone_id'];
         $sql = "UPDATE " . TABLE_CUSTOMERS_INFO . "\r\n              SET customers_info_date_of_last_logon = now(),\r\n                  customers_info_number_of_logons = customers_info_number_of_logons+1\r\n              WHERE customers_info_id = :customersID";
         $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer');
         $db->Execute($sql);
 /**
  * Create a password-less "visitor" customer account from the posted form, log the new
  * customer in and send them on to checkout shipping.
  *
  * Only acts when the form was submitted with action=process; otherwise the zone options
  * are added to $return and it is handed back.
  *
  * @param array $return form state; each process*() helper adds its validated fields and
  *                      appends to $return['error_messages'] / sets $return['error']
  * @return array $return with 'process' set to whether a submission was handled
  */
 function module_create_visitor($return = array())
 {
     global $db, $messageStack, $zco_notifier;
     $return = $this->zoneOptions($return);
     $process = false;
     /**
      * Process form contents
      */
     if (isset($_POST['action']) && $_POST['action'] == 'process') {
         $process = true;
         $return['error'] = false;
         $return['error_messages'] = array();
         // Each helper validates one part of the form and records its result in $return.
         $return = $this->prosessPrivacyConditions($return);
         $return = $this->processGender($return);
         $return = $this->processEmailFormat($return);
         $return = $this->processNames($return);
         $return = $this->processDOB($return);
         $return = $this->processEmailAddress($return);
         $return = $this->processAddress($return);
         // NOTE(review): second call to processEmailFormat(); harmless only if the helper is idempotent - confirm or drop one.
         $return = $this->processEmailFormat($return);
         $return = $this->processCustomersAuthorization($return);
         $return = $this->processCustomersReferral($return);
         if (count($return['error_messages']) > 0) {
             foreach ($return['error_messages'] as $error_message) {
                 $messageStack->add('create_visitor', $error_message['message'], $error_message['type']);
             }
         }
         if ($return['error'] == true) {
             // hook notifier class
             $zco_notifier->notify('NOTIFY_FAILURE_DURING_CREATE_VISITOR');
         } else {
             // Imports every key of $return as a local ($firstname, $email_address, $zone_id, ...).
             // extract() overwrites existing locals by default, so a key named like $db,
             // $messageStack, $zco_notifier or $process would clobber it.
             // NOTE(review): safe only as long as the helpers above never copy raw $_POST keys through - confirm.
             extract($return);
             // The account is created without a password and with the store's default authorization level.
             $sql_data_array = array('customers_firstname' => $firstname, 'customers_lastname' => $lastname, 'customers_email_address' => $email_address, 'customers_nick' => '', 'customers_telephone' => $telephone, 'customers_fax' => $fax, 'customers_newsletter' => 0, 'customers_email_format' => $email_format, 'customers_default_address_id' => '0', 'customers_password' => '', 'customers_authorization' => (int) CUSTOMERS_APPROVAL_AUTHORIZATION);
             // ->furikana
             if (FURIKANA_NESESSARY) {
                 $sql_data_array['customers_firstname_kana'] = $firstname_kana;
                 $sql_data_array['customers_lastname_kana'] = $lastname_kana;
             }
             // <-furikana
             if (CUSTOMERS_REFERRAL_STATUS == '2' and $customers_referral != '') {
                 $sql_data_array['customers_referral'] = $customers_referral;
             }
             if (ACCOUNT_GENDER == 'true') {
                 $sql_data_array['customers_gender'] = $gender;
             }
             if (ACCOUNT_DOB == 'true') {
                 // Sentinel date when no DOB was posted.
                 $sql_data_array['customers_dob'] = empty($_POST['dob']) ? zen_db_prepare_input('0001-01-01 00:00:00') : zen_date_raw($_POST['dob']);
             }
             zen_db_perform(TABLE_CUSTOMERS, $sql_data_array);
             // Id of the customer row just inserted.
             $_SESSION['customer_id'] = $db->Insert_ID();
             // create a visitor
             $sql_data_array = array('visitors_id' => $_SESSION['customer_id'], 'visitors_email_address' => $email_address, 'visitors_info_date_account_created' => 'now()');
             zen_db_perform(TABLE_VISITORS, $sql_data_array);
             $_SESSION['visitors_id'] = $_SESSION['customer_id'];
             // Default address-book entry for the new customer.
             $sql_data_array = array('customers_id' => $_SESSION['customer_id'], 'entry_firstname' => $firstname, 'entry_lastname' => $lastname, 'entry_telephone' => $telephone, 'entry_fax' => $fax, 'entry_street_address' => $street_address, 'entry_postcode' => $postcode, 'entry_city' => $city, 'entry_country_id' => $country);
             // ->furikana
             if (FURIKANA_NESESSARY) {
                 $sql_data_array['entry_firstname_kana'] = $firstname_kana;
                 $sql_data_array['entry_lastname_kana'] = $lastname_kana;
             }
             // <-furikana
             if (ACCOUNT_GENDER == 'true') {
                 $sql_data_array['entry_gender'] = $gender;
             }
             if (ACCOUNT_COMPANY == 'true') {
                 $sql_data_array['entry_company'] = $company;
             }
             if (ACCOUNT_SUBURB == 'true') {
                 $sql_data_array['entry_suburb'] = $suburb;
             }
             if (ACCOUNT_STATE == 'true') {
                 // A known zone is stored by id; otherwise the free-text state is kept.
                 if ($zone_id > 0) {
                     $sql_data_array['entry_zone_id'] = $return['zone_id'];
                     $sql_data_array['entry_state'] = '';
                 } else {
                     $sql_data_array['entry_zone_id'] = '0';
                     $sql_data_array['entry_state'] = $return['state'];
                 }
             }
             zen_db_perform(TABLE_ADDRESS_BOOK, $sql_data_array);
             $address_id = $db->Insert_ID();
             // Built by concatenation with (int) casts rather than bindVars(); the casts keep it
             // injection-safe but the style differs from the bound queries used elsewhere.
             $sql = "\r\n            UPDATE " . TABLE_CUSTOMERS . "\r\n            SET customers_default_address_id = '" . (int) $address_id . "'\r\n            WHERE customers_id = '" . (int) $_SESSION['customer_id'] . "'";
             $db->Execute($sql);
             $sql = "\r\n            INSERT INTO " . TABLE_CUSTOMERS_INFO . "\r\n              (customers_info_id, customers_info_number_of_logons,\r\n              customers_info_date_account_created)\r\n            VALUES\r\n              ('" . (int) $_SESSION['customer_id'] . "', '0', now())\r\n            ;";
             $db->Execute($sql);
             // Rotate the session id (when enabled) before the session receives the new identity.
             if (SESSION_RECREATE == 'True') {
                 zen_session_recreate();
             }
             $_SESSION['customer_first_name'] = $firstname;
             $_SESSION['customer_last_name'] = $lastname;
             // ->furikana
             if (FURIKANA_NESESSARY) {
                 $_SESSION['customer_first_name_kana'] = $firstname_kana;
                 $_SESSION['customer_last_name_kana'] = $lastname_kana;
             }
             // <-furikana
             $_SESSION['customer_default_address_id'] = $address_id;
             $_SESSION['customer_country_id'] = $country;
             $_SESSION['customer_zone_id'] = $zone_id;
             $_SESSION['customers_authorization'] = $customers_authorization;
             // restore cart contents
             $_SESSION['cart']->restore_contents();
             // hook notifier class
             $zco_notifier->notify('NOTIFY_LOGIN_SUCCESS_VIA_CREATE_VISITOR');
             // NOTE(review): zen_redirect() presumably ends the request, so the code below is reached
             // only for a failed or non-processed submission - confirm.
             zen_redirect(zen_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
         }
         //endif !error
     }
     $return['process'] = $process;
     return $return;
 }