/**
 * Seed the default "admin" account: stores the hashed password and a freshly
 * generated key, then hands the statement to execSql().
 *
 * NOTE(review): the password is the hard-coded literal "admin" — confirm the
 * application forces a change on first login.
 *
 * @param mixed $db database handle, passed straight through to execSql()
 * @return void
 */
function dummyUser($db)
{
    $hashed = hashPassword("admin");
    $randomKey = generateRandomString();
    $insert = sprintf(
        "INSERT INTO users VALUES (NULL,'admin','%s','%s',NULL);",
        $hashed,
        $randomKey
    );
    execSql($db, $insert, "add admin user");
}
File: Auth.php Progetto: j3rin/Login
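 /**
  * Authenticate a user by e-mail and password against the `users` table.
  *
  * The supplied password is run through hashPassword() and compared in the
  * database via a prepared statement. On success the session is started, its
  * id is regenerated, and a SHA-512 of the User-Agent plus a SHA-512 of the
  * user id are stored in $_SESSION['login_string'].
  *
  * @param string $email    e-mail address as submitted by the user
  * @param string $password clear-text password as submitted by the user
  * @return bool TRUE when exactly one matching row exists, FALSE otherwise
  */
 function login($email, $password)
 {
     $mysqli = new Connection();
     $db = $mysqli->connect();
     // Hash the password so it can be compared with the stored value.
     $password = hashPassword($password);
     $query = $db->prepare("SELECT id FROM users WHERE email = ? AND password = ? LIMIT 1") or die("error");
     $query->bind_param('ss', $email, $password);
     $query->execute();
     $query->store_result();
     $query->bind_result($id);
     $query->fetch();
     $matched = ($query->num_rows == 1);
     // Release the connection before returning: the original placed close()
     // after both return statements, so it never ran.
     $db->close();
     if (!$matched) {
         return FALSE;
     }
     // Missing header yields the same hash as an empty string, without a notice.
     $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
     session_start();
     // Issue a fresh session id on login so an id fixed before authentication
     // cannot be reused afterwards.
     session_regenerate_id(true);
     $_SESSION['login_string'] = array();
     $_SESSION['login_string']['browserInfo'] = hash('sha512', $user_browser);
     $_SESSION['login_string']['id'] = hash('sha512', $id);
     return TRUE;
 }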
/**
 * Insert a new user row with a freshly generated salt and hashed password.
 *
 * @param array $user keys read: password, username, f_name, l_name, email,
 *                    group, permissions
 * @param mixed $conn PDO-style connection (only prepare()/execute() are used)
 * @return void
 */
function insertUser($user, $conn)
{
    $salt = createSalt();
    $hashed = hashPassword($user['password'], $salt);
    // NOTE(review): `group` is a reserved word in MySQL and in standard SQL;
    // unquoted, this statement may fail to prepare — verify against the
    // target database.
    $sql = "INSERT INTO users(username, salt, password, f_name, l_name, email, group, permissions) \n\t\t\tVALUES(:username, :salt, :password, :f_name, :l_name, :email, :group, :permissions)";
    $params = array(
        ":username"    => $user['username'],
        ":salt"        => $salt,
        ":password"    => $hashed,
        ":f_name"      => $user['f_name'],
        ":l_name"      => $user['l_name'],
        ":email"       => $user['email'],
        ":group"       => $user['group'],
        ":permissions" => $user['permissions'],
    );
    $statement = $conn->prepare($sql);
    $statement->execute($params);
}
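/**
 * Check a clear-text password against the hash stored in the database.
 *
 * @param string $password    clear-text candidate password
 * @param string $db_password stored hash produced by hashPassword()
 * @return bool true when the hashes match, false otherwise
 */
function testPassword($password, $db_password)
{
    $hashedPassword = hashPassword($password);
    // hash_equals() compares in constant time, unlike strcmp(), so the result
    // does not leak how many leading bytes matched. Both sides are cast
    // because hash_equals() accepts strings only.
    return hash_equals((string) $db_password, (string) $hashedPassword);
}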
File: ldap.php Progetto: ehmedov/www
/**
 * LDAP Password Driver
 *
 * Driver for passwords stored in LDAP
 * This driver uses the PEAR Net_LDAP2 class (http://pear.php.net/package/Net_LDAP2).
 *
 * @version 1.0 (2009-06-24)
 * @author Edouard MOREAU <*****@*****.**>
 *
 * function hashPassword based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
 * function randomSalt based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
 *
 */
/**
 * Change the current user's password in LDAP (driver entry point).
 *
 * The user DN is built from the `password_ldap_userDN_mask` option by
 * expanding %login and, when the login has the form name@domain, %name and
 * %domain. The bind identity depends on `password_ldap_method`: 'admin'
 * binds with the configured admin DN/password, any other value binds as the
 * user with the current password.
 *
 * @param string $curpass current password (bind password in user mode)
 * @param string $passwd  new password to store
 * @return int PASSWORD_SUCCESS, PASSWORD_CONNECT_ERROR or PASSWORD_CRYPT_ERROR
 */
function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();
    require_once 'Net/LDAP2.php';
    $cfg = $rcmail->config;
    $login = $_SESSION['username'];

    // Build the user DN from the mask.
    $userDN = str_replace('%login', $login, $cfg->get('password_ldap_userDN_mask'));
    $loginParts = explode('@', $login);
    if (count($loginParts) == 2) {
        list($name, $domain) = $loginParts;
        $userDN = str_replace('%name', $name, $userDN);
        $userDN = str_replace('%domain', $domain, $userDN);
    }
    if (empty($userDN)) {
        return PASSWORD_CONNECT_ERROR;
    }

    // Bind identity. Loose comparison as in the original switch, where an
    // explicit 'user' value wins over 'admin'.
    $method = $cfg->get('password_ldap_method');
    $asAdmin = ($method != 'user' && $method == 'admin');
    $binddn = $asAdmin ? $cfg->get('password_ldap_adminDN') : $userDN;
    $bindpw = $asAdmin ? $cfg->get('password_ldap_adminPW') : $curpass;

    $ldapConfig = array('binddn' => $binddn, 'bindpw' => $bindpw);
    foreach (array('basedn', 'host', 'port', 'starttls', 'version') as $option) {
        $ldapConfig[$option] = $cfg->get('password_ldap_' . $option);
    }

    $ldap = Net_LDAP2::connect($ldapConfig);
    if (PEAR::isError($ldap)) {
        return PASSWORD_CONNECT_ERROR;
    }

    // Encode the new password as configured.
    $newCryptedPassword = hashPassword($passwd, $cfg->get('password_ldap_encodage'));
    if (!$newCryptedPassword) {
        return PASSWORD_CRYPT_ERROR;
    }

    // Write it to the user's entry.
    $userEntry = $ldap->getEntry($userDN);
    if (Net_LDAP2::isError($userEntry)) {
        return PASSWORD_CONNECT_ERROR;
    }
    $pwattr = $cfg->get('password_ldap_pwattr');
    $force = $cfg->get('password_ldap_force_replace');
    if (!$userEntry->replace(array($pwattr => $newCryptedPassword), $force)) {
        return PASSWORD_CONNECT_ERROR;
    }
    if (Net_LDAP2::isError($userEntry->update())) {
        return PASSWORD_CONNECT_ERROR;
    }
    return PASSWORD_SUCCESS;
}
/**
 * LDAP Password Driver
 *
 * Driver for passwords stored in LDAP
 * This driver uses the PEAR Net_LDAP2 class (http://pear.php.net/package/Net_LDAP2).
 *
 * @version 1.1 (2010-04-07)
 * @author Edouard MOREAU <*****@*****.**>
 *
 * function hashPassword based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
 * function randomSalt based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
 *
 */
/**
 * Change the current user's LDAP password.
 *
 * The user DN comes from `password_ldap_userDN_mask` (with substitute_vars()
 * applied) or, when no mask is configured, from search_userdn(). With
 * `password_ldap_method` = 'admin' the driver binds using the configured
 * admin DN/password; any other value binds as the user with $curpass.
 *
 * @param string $curpass current password (bind password in user mode)
 * @param string $passwd  new password
 * @return int PASSWORD_SUCCESS, PASSWORD_CONNECT_ERROR or PASSWORD_CRYPT_ERROR
 */
function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();
    require_once 'Net/LDAP2.php';
    // Accessor for this driver's options.
    $option = function ($name) use ($rcmail) {
        return $rcmail->config->get('password_ldap_' . $name);
    };

    // Resolve the DN of the entry whose password is changed.
    $mask = $option('userDN_mask');
    $userDN = $mask ? substitute_vars($mask) : search_userdn($rcmail);
    if (empty($userDN)) {
        return PASSWORD_CONNECT_ERROR;
    }

    if ($option('method') == 'admin') {
        $binddn = $option('adminDN');
        $bindpw = $option('adminPW');
    } else {
        $binddn = $userDN;
        $bindpw = $curpass;
    }
    $ldapConfig = array(
        'binddn'   => $binddn,
        'bindpw'   => $bindpw,
        'basedn'   => $option('basedn'),
        'host'     => $option('host'),
        'port'     => $option('port'),
        'starttls' => $option('starttls'),
        'version'  => $option('version'),
    );
    $ldap = Net_LDAP2::connect($ldapConfig);
    if (PEAR::isError($ldap)) {
        return PASSWORD_CONNECT_ERROR;
    }

    $crypted = hashPassword($passwd, $option('encodage'));
    if (!$crypted) {
        return PASSWORD_CRYPT_ERROR;
    }

    $userEntry = $ldap->getEntry($userDN);
    if (Net_LDAP2::isError($userEntry)) {
        return PASSWORD_CONNECT_ERROR;
    }
    $replaced = $userEntry->replace(
        array($option('pwattr') => $crypted),
        $option('force_replace')
    );
    // update() is only attempted when the in-memory replace succeeded.
    if (!$replaced || Net_LDAP2::isError($userEntry->update())) {
        return PASSWORD_CONNECT_ERROR;
    }
    return PASSWORD_SUCCESS;
}
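/**
 * Verify a user's password.
 *
 * @param string|null $username      login name
 * @param string|null $givenPassword clear-text password to check
 * @return bool true only when both arguments are set, the user exists and
 *              the hash of the given password equals the stored one
 */
function checkUserPassword($username, $givenPassword)
{
    // isset() also rejects nulls, as the original guard did.
    if (!isset($username) || !isset($givenPassword)) {
        return false;
    }
    if (!checkUserExists($username)) {
        return false;
    }
    $stored = getPassword($username);
    $candidate = hashPassword($username, $givenPassword);
    // hash_equals() is strict and constant-time; the original `==` treated
    // two numeric-looking hashes (e.g. "0e..." forms) as equal.
    return hash_equals((string) $stored, (string) $candidate);
}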
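/**
 * Replace a user's stored password by calling the changePassword stored
 * procedure.
 *
 * @param string $email e-mail address identifying the account
 * @param string $pass  new clear-text password; only its hash is sent
 * @return void
 */
function changePassword($email, $pass)
{
    $hash = hashPassword($pass);
    $con = connectDatabase();
    // The original wrapped this in `while (1) { ...; break; }`, which ran
    // exactly once; a plain sequence is equivalent.
    $stmt = $con->prepare("CALL changePassword(?,?)");
    $stmt->bind_param("ss", $email, $hash);
    $stmt->execute();
    $stmt->close();
    $con->close();
}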
/**
 * Look up a user_data row for the credentials and, when exactly one row is
 * found, mark the session as logged in.
 *
 * NOTE(review): the query below compares against the literal '******' for
 * both username and password and never uses $pUsername/$pPassword, so as
 * listed it cannot authenticate anyone — this looks like a redaction
 * artefact of the listing. The mysql_* functions it relies on were removed
 * in PHP 7.
 *
 * @param string $pUsername login name (unused in the listed query)
 * @param string $pPassword password (unused in the listed query)
 * @return bool true when one row matched and the session was populated
 */
function validateUser($pUsername, $pPassword)
{
    $sql = "SELECT username FROM user_data\n\t\tWHERE username = '******' AND password = '******' LIMIT 1";
    $result = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error());
    if (mysql_num_rows($result) != 1) {
        return false;
    }
    // Exactly one row: record the login in the session.
    $row = mysql_fetch_assoc($result);
    $_SESSION['username'] = $row['username'];
    $_SESSION['loggedin'] = true;
    return true;
}
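/**
 * Store a new (hashed) password for the account identified by $username.
 *
 * @param string $username    value matched against the EMAIL column
 * @param string $newPassword clear-text password; hashPassword() is applied
 *                            before the UPDATE
 * @return bool TRUE on success, FALSE when a PDOException was caught
 */
function submitPassword($username, $newPassword)
{
    try {
        $connection = new PDO("mysql:host=" . DB_HOST_NAME . ";dbname=" . DB_NAME . ";charset=utf8", DB_USER_NAME, DB_PASSWORD);
        // Make driver errors surface as exceptions.
        $connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $accountInformationUpdate = $connection->prepare('UPDATE ' . ADMIN_CREDENTIAL_TABLE . ' SET PASSWORD = :newPassword WHERE EMAIL = :username');
        $accountInformationUpdate->execute(array(':newPassword' => hashPassword($newPassword), ':username' => $username));
    } catch (PDOException $e) {
        // Driver messages can carry host, schema and credential details; keep
        // them in the server log and show the page only a generic notice.
        error_log('submitPassword: ' . $e->getMessage());
        echo "\r\n            <div>\r\n                Error: the password could not be updated.</div>";
        return FALSE;
    }
    return TRUE;
}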
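/**
 * Log a user in by name and password and populate the session on success.
 *
 * @param string $name     login name (passed through secureString())
 * @param string $password clear-text password; hashed with the stored salt
 * @param bool   $keepLog  when true, also sets the 'saveKeepLog' session flag
 * @return bool true when a user matching name and password hash was found
 */
function logUserIn($name, $password, $keepLog = false)
{
    $name = secureString($name);
    // Look the account up first to obtain its salt. The original indexed the
    // lookup result directly, which emits a warning (and hashes with a null
    // salt) when no such user exists; with no row for this name the second
    // lookup below cannot match either, so failing early is equivalent.
    $account = getUserData(array('name' => $name));
    if (!$account) {
        return false;
    }
    $salt = isset($account['salt']) ? $account['salt'] : null;
    $password = hashPassword(secureString($password), $salt);
    $userData = getUserData(array('name' => $name, 'password' => $password));
    if (!$userData) {
        return false;
    }
    setSessionVar('login', true);
    setSessionVar('userID', $userData['id']);
    if ($keepLog) {
        setSessionVar('saveKeepLog', true);
    }
    return true;
}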
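/**
 * Installer helper: create the initial account, its profile row and a
 * default subscription using the legacy mysql_* extension.
 *
 * @param string $mysql_host     database host
 * @param string $mysql_username database user
 * @param string $mysql_password database password
 * @param string $mysql_database schema to select
 * @param string $account_email  e-mail for the new account (user supplied)
 * @param string $account_pass   clear-text password; stored hashed
 * @return void
 */
function addInformation($mysql_host, $mysql_username, $mysql_password, $mysql_database, $account_email, $account_pass)
{
    $conn = mysql_connect($mysql_host, $mysql_username, $mysql_password) or die('Error connecting to MySQL server: ' . mysql_error());
    mysql_select_db($mysql_database, $conn);
    // The e-mail is user input and was concatenated raw into the statement;
    // escape it for this connection. Hash and timestamp are generated here.
    $safe_email = mysql_real_escape_string($account_email, $conn);
    $now = Date("Y-m-d H:i:s");
    $sql = "INSERT INTO lb_sys_accounts(account_email,account_password,account_created_date,account_status) VALUES ('" . $safe_email . "','" . hashPassword($account_pass) . "','" . $now . "',1)";
    if (mysql_query($sql, $conn)) {
        // Use the id of the row just inserted. The original re-selected the
        // whole table and took its first row, which is only right while the
        // table holds a single account. Assumes account_id is the
        // AUTO_INCREMENT key — confirm against the schema.
        $id = (int) mysql_insert_id($conn);
        $sql = "INSERT INTO lb_sys_account_profiles(account_id,account_profile_given_name) VALUES (" . $id . ",'Admin')";
        mysql_query($sql, $conn);
        // add subscription
        $sql1 = "INSERT INTO lb_sys_account_subscriptions(account_id,account_subscription_package_id,account_subscription_start_date,account_subscription_status_id,subscription_name) VALUES (" . $id . ",0,'" . $now . "',1,'My Company')";
        mysql_query($sql1, $conn);
    }
}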
 /**
  * Controller action: show the "create user" form and, on POST, validate the
  * submission, create the user plus a user_details row recording the
  * creator, then redirect to user/user.
  *
  * Only a 'superadmin' (per $this->_data['type']) may choose the new user's
  * type; everyone else creates plain 'user' accounts.
  *
  * @return void
  */
 public function add()
 {
     if ($_POST) {
         $rules = array(
             'first_name'       => array('First Name', 'trim|required|max_length[12]'),
             'last_name'        => array('Last Name', 'trim|required|max_length[24]'),
             'email'            => array('Email', 'required|valid_email|is_unique[users.email]'),
             'password'         => array('Password', 'required|min_length[8]|matches[confirm_password]'),
             'confirm_password' => array('Confirm Password', 'required'),
             'phone'            => array('Phone', 'required'),
             'mobile'           => array('Mobile', 'required'),
             'company'          => array('Company', 'required'),
             'position'         => array('Position', 'required'),
         );
         foreach ($rules as $field => $rule) {
             $this->form_validation->set_rules($field, $rule[0], $rule[1]);
         }
         $this->form_validation->set_message('is_unique', 'The %s is already exist');
         $isSuperadmin = ($this->_data['type'] == 'superadmin');
         if ($isSuperadmin) {
             $this->form_validation->set_rules('type', 'Type', 'required');
         }
         if ($this->form_validation->run()) {
             // Build the record in the same key order the model received before.
             $info = array();
             foreach (array('first_name', 'last_name', 'email') as $field) {
                 $info[$field] = $_POST[$field];
             }
             $salt = salt();
             $info['salt'] = $salt;
             $info['password'] = hashPassword($_POST['password'], $salt);
             foreach (array('phone', 'mobile', 'company', 'position') as $field) {
                 $info[$field] = $_POST[$field];
             }
             $info['type'] = $isSuperadmin ? $_POST['type'] : 'user';
             $new_user_id = $this->user_model->newUser($info);
             // Record who created the account.
             $details = array(
                 'user_id' => $new_user_id,
                 'field'   => 'creator_id',
                 'value'   => $this->session->userdata('user_id'),
             );
             $this->db->insert('user_details', $details);
             //$this->_send_email($info);
             redirect('user/user');
         }
     }
     $this->_data['breadcrumb'] = 'user/add_user';
     $this->_data['page_title'] = "Create User";
     $this->_data['companyList'] = $this->user_model->companyList();
     $this->_data['view'] = 'user_add';
     $this->load->view('user/home', $this->_data);
 }
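 /**
  * Form-validation callback: authenticate the posted username/password.
  *
  * Sets a message via form_validation->set_message('chk_user', ...) on
  * failure.
  *
  * @return bool true when the credentials match an account whose status is 'Y'
  */
 public function chk_user()
 {
     $val = $this->db->get_where('users', array('email' => $_POST['username']))->row();
     // row() yields nothing for an unknown e-mail; the original then read
     // ->salt off that empty result and hashed with a null salt before the
     // second query failed with the same message.
     if (!$val) {
         $this->form_validation->set_message('chk_user', "Invalid Email or Password");
         return false;
     }
     $pass = hashPassword($_POST['password'], $val->salt);
     $user = $this->db->get_where('users', array('email' => $_POST['username'], 'password' => $pass));
     if ($user->num_rows() == 0) {
         $this->form_validation->set_message('chk_user', "Invalid Email or Password");
         return false;
     }
     $user = $user->row_array();
     if ($user['status'] != 'Y') {
         $this->form_validation->set_message('chk_user', 'Your account is not active');
         return false;
     }
     return true;
 }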
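 /**
  * Authenticate $username/$password, store the serialized User in the
  * session and, when $remember_me is truthy, create a persistent "auth"
  * cookie backed by a row in the sessions table.
  *
  * NOTE(review): $password is bound into the query exactly as received;
  * whether the caller hashes it first is not visible here — confirm the
  * clear-text value never reaches this query.
  *
  * @param string $username    login name
  * @param string $password    value compared with the `password` column
  * @param bool   $remember_me issue the persistent cookie when truthy
  * @param array  $CONF        needs 'session_prefix'
  * @return bool true on successful login
  */
 public function login($username, $password, $remember_me, $CONF)
 {
     $result = $this->db->select("users", "username=? AND password=?", array($username, $password));
     if (!$result) {
         return false;
     }
     $user = new User($result, $this->db);
     $_SESSION[$CONF['session_prefix'] . "user"] = serialize($user);
     $_SESSION[$CONF['session_prefix'] . "logged_in"] = 1;
     if ($remember_me) {
         $lifetime = 60 * 60 * 24 * 7;
         $identifier = hashPassword($username, $this->conf);
         $token = bin2hex(openssl_random_pseudo_bytes(20));
         $data = array("user_id" => $user->id, "identifier" => $identifier, "token" => $token, "timeout" => date("Y-m-d H:i:s", time() + $lifetime));
         $this->db->insert($data, "sessions");
         // The cookie is a bearer credential: mark it HttpOnly so page scripts
         // cannot read it (the original left the flag unset).
         setcookie($CONF['session_prefix'] . 'auth', "{$identifier}:{$token}", time() + $lifetime, '/', '.' . $this->conf['host'], false, true);
     }
     return true;
 }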
 /**
  * Installer action: load data/data.sql from COMMON_FOLDER, fill in the
  * site placeholders, run it against Yii::app()->db and drop a .locked file
  * so the installer cannot run twice. Every path ends with Yii::app()->end().
  *
  * @return void
  */
 public function actionRun()
 {
     $lockFile = COMMON_FOLDER . DIRECTORY_SEPARATOR . '.locked';
     if (file_exists($lockFile)) {
         echo 'Remove locked file for install first bro!';
         Yii::app()->end();
     } else {
         $connection = Yii::app()->db;
         $scriptPath = COMMON_FOLDER . DIRECTORY_SEPARATOR . 'data' . DIRECTORY_SEPARATOR . 'data.sql';
         // second argument: also search the include path
         $sql = file_get_contents($scriptPath, true);
         if (!$sql) {
             echo "Can't file data.sql file in COMMON FOLDER";
         } else {
             // Placeholders are substituted one after another, in this order.
             $substitutions = array(
                 "{{SITE_NAME}}"     => serialize(SITE_NAME),
                 "{{SUPPORT_EMAIL}}" => serialize(SUPPORT_EMAIL),
                 "{{SLOGAN}}"        => serialize(SLOGAN),
                 "{{time}}"          => time(),
                 "{{password_salt}}" => USER_SALT,
                 // the seeded account gets the fixed password '123456'
                 "{{password}}"      => hashPassword('123456', USER_SALT),
             );
             foreach ($substitutions as $placeholder => $value) {
                 $sql = str_replace($placeholder, $value, $sql);
             }
             $command = $connection->createCommand($sql);
             if ($command->execute() === false) {
                 echo "Error while installing! Please check config file and try again";
             } else {
                 echo "Install successfully";
                 if (!file_put_contents($lockFile, 'installed')) {
                     echo "Error while creating locking install file!";
                 }
             }
         }
         Yii::app()->end();
     }
 }
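 /**
  * Register a user.
  *
  * Runs the checks below in order and stores the first failure's HTML in
  * $this->registerMessage; on success creates the account with a fresh salt.
  *
  * @param string $username     desired login name (must be longer than 3 bytes)
  * @param string $password     clear-text password (must be longer than 3 bytes)
  * @param string $password2    repeated password, must be identical
  * @param string $emailAddress must pass FILTER_VALIDATE_EMAIL
  * @return bool true when the account was created
  */
 public function register($username, $password, $password2, $emailAddress)
 {
     $database = new \Database();
     // Test if logged in
     if (isset($_SESSION['userID']) and $database->doesUserExist($_SESSION['userID'])) {
         $this->registerMessage = '    <div class="alert alert-danger"><strong>You are already logged in.</strong></div>';
         return false;
     }
     // Test if username already exists
     if ($database->doesUserNameExist($username)) {
         $this->registerMessage = '<div class="alert alert-danger"><strong>Username already exists, please choose a different one.</strong></div>';
         return false;
     }
     // Test if username is too short (strlen counts bytes, not characters)
     if (strlen($username) <= 3) {
         $this->registerMessage = '<div class="alert alert-danger"><strong>Your username must be longer than 3 characters.</strong></div>';
         return false;
     }
     // Test if passwords are the same. Strict comparison: with `!=`, two
     // different numeric-looking strings such as "1e3" and "1000" were equal.
     if ($password !== $password2) {
         $this->registerMessage = '<div class="alert alert-danger"><strong>Passwords do not match.</strong></div>';
         return false;
     }
     // Test if password is too short
     if (strlen($password) <= 3) {
         $this->registerMessage = '<div class="alert alert-danger"><strong>Your password must be longer than 3 characters.</strong></div>';
         return false;
     }
     // Test if email address is valid
     if (!filter_var($emailAddress, FILTER_VALIDATE_EMAIL)) {
         $this->registerMessage = '<div class="alert alert-danger"><strong>Your emailaddress is invalid.</strong></div>';
         return false;
     }
     $salt = $this->generateSalt();
     $hashedPassword = hashPassword($password, $salt);
     $database->registerUser($username, $salt, $hashedPassword, $emailAddress);
     // Success markup: the original closed a <strong> it never opened.
     $this->registerMessage = '<div class="alert alert-success"><strong>Congratulations, account was successfully created.</strong></div>';
     return true;
 }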
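 /**
  * AJAX action: change the logged-in user's password.
  *
  * Reads current_password, password and confirm_password from $_POST,
  * verifies the current password against the stored hash and echoes a JSON
  * object: {"error":0} on success, otherwise {"error":1,"error_type":...}.
  *
  * @return void
  */
 public function updatePassword()
 {
     $user_id = $this->session->userdata('user_id');
     $user = $this->db->get_where('users', array('id' => $user_id))->row_array();
     $current_password = $_POST['current_password'];
     $password = $_POST['password'];
     $confirm_password = $_POST['confirm_password'];
     $data = array();
     // Strict, constant-time hash comparison; `==` on two hashes treats
     // numeric-looking strings ("0e...") as equal. An empty row (no such
     // user) counts as a mismatch instead of raising notices.
     $currentOk = !empty($user)
         && hash_equals((string) $user['password'], (string) hashPassword($current_password, $user['salt']));
     if (!$currentOk) {
         $data['error'] = 1;
         $data['error_type'] = 'password_not_matched';
     } elseif ($password !== $confirm_password) {
         $data['error'] = 1;
         $data['error_type'] = 'passwor_confirm_did_not_matched';
     } else {
         $new_password = hashPassword($password, $user['salt']);
         $this->db->update('users', array('password' => $new_password), array('id' => $user_id));
         $data['error'] = 0;
     }
     echo json_encode($data);
 }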
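/**
 * Handle the login / register / invite form POST.
 *
 * Dispatches on $_POST['type']. Every branch ends with a redirect and exit:
 * back to the referring page on error, to BASE_URL on success. Uses the
 * global PDO handle $dbh.
 *
 * @return void
 */
function validate()
{
    global $dbh;
    $type = $_POST['type'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    if (empty($_POST['email']) || empty($_POST['password'])) {
        _validateFail('<strong>Oops!</strong> Looks like you missed some details.');
    }
    if ($type == 'login') {
        _validateLogin($dbh, $email, $password);
    } elseif ($type == 'register') {
        _validateRegister($dbh, $email, $password);
    } elseif ($type == 'invite') {
        _validateInvite($dbh, $email, $password);
    }
}

/**
 * Store an error notification in the session and send the browser back to
 * the referring page (BASE_URL when no Referer header was sent). Never returns.
 *
 * @param string $message notification text (may contain markup)
 * @return void
 */
function _validateFail($message)
{
    $_SESSION['notification']['type'] = 'error';
    $_SESSION['notification']['message'] = $message;
    // The original concatenated $_SERVER['HTTP_REFERER'] unguarded, producing
    // an empty Location header when the browser sent none. The target is
    // still a request header the client controls.
    $back = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : BASE_URL;
    header("Location: " . $back);
    exit;
}

/**
 * Populate the session for the authenticated account and redirect to
 * BASE_URL. Never returns.
 *
 * @param mixed  $accountId   stored in $_SESSION['user']['loggedin']
 * @param string $email       stored in $_SESSION['user']['email']
 * @param mixed  $sessionType stored in $_SESSION['user']['type']
 * @return void
 */
function _validateSucceed($accountId, $email, $sessionType)
{
    // Fresh session id on login so an id fixed before authentication is not
    // carried over; session_regenerate_id() needs an active session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user']['loggedin'] = $accountId;
    $_SESSION['user']['email'] = $email;
    $_SESSION['user']['type'] = $sessionType;
    header("Location: " . BASE_URL);
    exit;
}

/**
 * Login branch: match e-mail and password hash against an active account.
 */
function _validateLogin($dbh, $email, $password)
{
    $query = $dbh->prepare("select * from users where email = ? and password = ? and active = 1");
    $query->execute(array($email, hashPassword($password)));
    $account = $query->fetch();
    if (empty($account['id'])) {
        _validateFail('<strong>Oops!</strong> Looks like your login information is incorrect.');
    }
    _validateSucceed($account['id'], $account['email'], $account['type']);
}

/**
 * Return true when a users row with this e-mail already exists.
 */
function _validateEmailTaken($dbh, $email)
{
    $query = $dbh->prepare("select * from users where email = ?");
    $query->execute(array($email));
    $account = $query->fetch();
    return !empty($account['id']);
}

/**
 * Insert a user with the hashed password and return the new row id.
 */
function _validateCreateUser($dbh, $email, $password, $dbType)
{
    $sql = "INSERT INTO users (email,password,active,type) VALUES (?,?,?,?)";
    $query = $dbh->prepare($sql);
    $query->execute(array($email, hashPassword($password), 1, $dbType));
    return $dbh->lastInsertId();
}

/**
 * Register branch: only allowed while the users table is empty (first-run
 * setup); any existing account makes the request a 404.
 */
function _validateRegister($dbh, $email, $password)
{
    $query = $dbh->prepare("select * from users");
    $query->execute(array());
    foreach ($query->fetchAll() as $account) {
        if (!empty($account['id'])) {
            error404();
        }
    }
    if (_validateEmailTaken($dbh, $email)) {
        _validateFail('Looks like you already have an account. Please use our forgot password facility.');
    }
    $id = _validateCreateUser($dbh, $email, $password, 1);
    _validateSucceed($id, $email, 1);
}

/**
 * Invite branch: create a type-100 account unless the e-mail is taken.
 */
function _validateInvite($dbh, $email, $password)
{
    if (_validateEmailTaken($dbh, $email)) {
        _validateFail('Looks like you already have an account. We currently support only 1 team per email, sorry!');
    }
    $id = _validateCreateUser($dbh, $email, $password, 100);
    // The row is stored with type 100 while the session gets 150, exactly as
    // in the original — presumably intentional; verify against the rest of
    // the application.
    _validateSucceed($id, $email, 150);
}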
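// Registration handler: decide whether the posted user may be inserted and
// reply with a JSON status. Expects the surrounding script to provide $psql
// (presumably a prepared query counting existing usernames), $conn (a
// PDO-style connection), $data (posted fields) and the individual field
// variables.
$row = $psql->fetch();
$status = "failed";
$query = false;
// Initialised so the success path does not report an undefined variable.
$errorMessage = "";
$anyBlank = $username == "" || $password == "" || $password2 == "" || $fname == "" || $lname == "" || $email == "" || $groupName == "";
if ($anyBlank) {
    $errorMessage = "One or more fields are blank!";
} elseif ($password !== $password2) {
    // passwords don't match (strict: `!=` treated "1e3" and "1000" as equal)
    $errorMessage = "Passwords don't match";
} elseif ($row[0] != '0') {
    // username exists (first column of the count query is non-zero)
    $errorMessage = "Username " . $username . " already exists!";
} else {
    $salt = createSalt();
    $password = hashPassword($data['password'], $salt);
    $sql = "INSERT INTO Users (username, salt, password, fname, lname, email, groupName, permissions) \n\t\t\tVALUES (:username,:salt,:password,:fname,:lname,:email,:groupName,:permissions)";
    $psql = $conn->prepare($sql);
    $query = $psql->execute(array(":username" => $data['username'], ":salt" => $salt, ":password" => $password, ":fname" => $data['fname'], ":lname" => $data['lname'], ":email" => $data['email'], ":groupName" => $data['groupName'], ":permissions" => $data['permissions']));
    // record whether the insert actually happened
    $status = $query ? "inserted" : "not inserted";
}
// The response no longer echoes "password": on the error paths that was the
// clear-text value as typed, and on success the stored hash.
echo json_encode(array("username" => $username, "status" => $status, "errorMessage" => $errorMessage));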
    if ($_POST['email']) {
        $email = $_POST['email'];
    }
    //Er moet ook een paswoord gegenereerd worden.
    $generatedPassword = generatePassword(TRUE, TRUE, TRUE, TRUE, 14);
}
// Registration step: after a submit, copy every posted field into
// $_SESSION['registration'] (the password stored hashed, everything else
// escaped with mysql_real_escape_string) and redirect to the completion page.
// NOTE(review): header() is not followed by exit, so the rest of the page
// still runs after the redirect is sent; the mysql_* extension used here was
// removed in PHP 7.
if (isset($_POST['submit'])) {
    foreach ($_POST as $field => $submitted) {
        if ($field == 'submit') {
            // the submit button itself carries no data
            continue;
        }
        $escaped = mysql_real_escape_string($submitted);
        // Hash the password before it is kept anywhere, so the clear text is
        // never stored in the session.
        $_SESSION['registration'][$field] = ($field == 'password') ? hashPassword($escaped) : $escaped;
    }
    header('location: phpoefening030-registration-complete.php');
}
// Registration form
$dump .= '<h1>Registreer online</h1>';
if (isset($_SESSION['registrationNotification'])) {
    //Wanneer iemand van de log-outpagina komt of wanneer er iemand foutief inlogt, moet een boodschap getoond worden.
    //Wanneer iemand refresht moet deze boodschap verdwijnen. Werk daarom met de session en unset de key wanneer de boodschap wordt getoond.
    $dump .= '<p>' . $_SESSION['registrationNotification'] . '</p>';
    unset($_SESSION['registrationNotification']);
/**
 * LDAP Password Driver
 *
 * Driver for passwords stored in LDAP
 * This driver uses the PEAR Net_LDAP2 class (http://pear.php.net/package/Net_LDAP2).
 *
 * @version 1.1 (2010-04-07)
 * @author Edouard MOREAU <*****@*****.**>
 *
 * function hashPassword based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
 * function randomSalt based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
 *
 */
/**
 * Change the current user's LDAP password, optionally maintaining the
 * password-last-change and Samba attributes as well.
 *
 * The user DN comes from `password_ldap_userDN_mask` (via substitute_vars())
 * or, without a mask, from search_userdn(). `password_ldap_method` = 'admin'
 * binds with the configured admin DN/password; anything else binds as the
 * user with $curpass. Failures of the main password and last-change
 * replace() calls abort the change; the Samba replace() results are ignored.
 *
 * @param string $curpass current password (bind password in user mode)
 * @param string $passwd  new password
 * @return int PASSWORD_SUCCESS, PASSWORD_CONNECT_ERROR or PASSWORD_CRYPT_ERROR
 */
function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();
    require_once 'Net/LDAP2.php';
    $config = $rcmail->config;

    // Resolve the DN of the entry to modify: from the mask, or via search.
    $userDN = $config->get('password_ldap_userDN_mask');
    $userDN = $userDN ? substitute_vars($userDN) : search_userdn($rcmail);
    if (empty($userDN)) {
        return PASSWORD_CONNECT_ERROR;
    }

    // Bind as admin only when explicitly configured; otherwise as the user.
    $adminBind = ($config->get('password_ldap_method') == 'admin');
    $ldapConfig = array(
        'binddn'   => $adminBind ? $config->get('password_ldap_adminDN') : $userDN,
        'bindpw'   => $adminBind ? $config->get('password_ldap_adminPW') : $curpass,
        'basedn'   => $config->get('password_ldap_basedn'),
        'host'     => $config->get('password_ldap_host'),
        'port'     => $config->get('password_ldap_port'),
        'starttls' => $config->get('password_ldap_starttls'),
        'version'  => $config->get('password_ldap_version'),
    );
    $ldap = Net_LDAP2::connect($ldapConfig);
    if (PEAR::isError($ldap)) {
        return PASSWORD_CONNECT_ERROR;
    }

    $crypted_pass = hashPassword($passwd, $config->get('password_ldap_encodage'));
    $force      = $config->get('password_ldap_force_replace');
    $pwattr     = $config->get('password_ldap_pwattr');
    $lchattr    = $config->get('password_ldap_lchattr');
    $smbpwattr  = $config->get('password_ldap_samba_pwattr');
    $smblchattr = $config->get('password_ldap_samba_lchattr');
    $samba      = $config->get('password_ldap_samba');
    // The legacy boolean option selects the default Samba attribute names.
    if ($samba && !$smbpwattr) {
        $smbpwattr  = 'sambaNTPassword';
        $smblchattr = 'sambaPwdLastSet';
    }
    if (!$crypted_pass) {
        return PASSWORD_CRYPT_ERROR;
    }
    $samba_pass = null;
    if ($smbpwattr) {
        $samba_pass = hashPassword($passwd, 'samba');
        if (!$samba_pass) {
            return PASSWORD_CRYPT_ERROR;
        }
    }

    $userEntry = $ldap->getEntry($userDN);
    if (Net_LDAP2::isError($userEntry)) {
        return PASSWORD_CONNECT_ERROR;
    }
    if (!$userEntry->replace(array($pwattr => $crypted_pass), $force)) {
        return PASSWORD_CONNECT_ERROR;
    }
    // Last-change attribute holds the day number since the epoch.
    if ($lchattr) {
        $daysSinceEpoch = (int) (time() / 86400);
        if (!$userEntry->replace(array($lchattr => $daysSinceEpoch), $force)) {
            return PASSWORD_CONNECT_ERROR;
        }
    }
    // Samba attributes are best-effort: their replace() results are ignored.
    if ($smbpwattr) {
        $userEntry->replace(array($smbpwattr => $samba_pass), $force);
    }
    if ($smblchattr) {
        $userEntry->replace(array($smblchattr => time()), $force);
    }
    if (Net_LDAP2::isError($userEntry->update())) {
        return PASSWORD_CONNECT_ERROR;
    }
    return PASSWORD_SUCCESS;
}
<?php

/**
 * Created by PhpStorm.
 * User: Tuan
 * Date: 10/14/2015
 * Time: 16:52
 */
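// Login page: redirect already-authenticated visitors; on POST, look the user
// up by e-mail and compare the stored hash with the hash of the posted
// password, then render the login view (without header/footer) otherwise.
if (isLoggedIn()) {
    redirect('index');
}
if (isPostRequest()) {
    $email = _post('email');
    $password = hashPassword(_post('password'));
    $user = findUser($email);
    // hash_equals(): strict and constant-time. The original `==` accepted two
    // different numeric-looking hashes (e.g. "0e...") as equal.
    if (!empty($user) && hash_equals((string) $user['password'], (string) $password)) {
        loggedIn($user);
        redirect('index');
    } else {
        $G['errors'][] = 'login fail';
    }
}
render('login', array('header' => false, 'footer' => false));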
<td><font color=white>New Email Address:</font></td>
<td><input type="text" name="email"></td>

</table>
<div class="subBtn">
<input type="submit" class="btn rc05 f10 p05 dk blue" value="Change Details" name="submit"/>
</div>
</table>
</div>
</form>

<?php 
if (isset($_POST['submit'])) {
    $username = secureForDB($_POST['user']);
    $password = hashPassword(secureForDB($_POST['password']));
    $email = secureForDB($_POST['email']);
    $somethingChanged = false;
    $id = getUserData($username, "id");
    $newUsername = secureForDB($_POST['newUsername']);
    $newMail = "";
    $newPassword = "";
    if (!$_SESSION['account_position'] == "Admin") {
        if ($_SESSION['CurrentUser'] == $username) {
            die("<font color=\"red\">You cannot edit your own details</font>");
        }
    }
    if (getUserData($username, "account_position") == "Admin") {
        die("<br><font color=\"red\">You cannot edit an administrator's details.</font>");
    }
    if (isset($user)) {
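/**
 * Installer step: creates the first (admin) account and the seed rows that hang
 * off it (profile, subscription, language, financial year, locale symbols,
 * default tax, company record and company address).
 *
 * Every value comes from the installer form, so each one is escaped with
 * mysql_real_escape_string() before being inlined — the legacy mysql_* API used
 * here has no prepared statements (and was removed in PHP 7, so this code only
 * runs on PHP 5). Generated ids are read back with mysql_insert_id() instead of
 * re-selecting the whole table and taking its first row, which returned the
 * wrong id as soon as more than one row existed.
 *
 * @param string $mysql_host         MySQL server host
 * @param string $mysql_username     MySQL user
 * @param string $mysql_password     MySQL password
 * @param string $mysql_database     database to select
 * @param string $account_email      admin account e-mail (login)
 * @param string $account_pass       admin plaintext password; stored as hashPassword($account_pass)
 * @param string $lang               language name stored for the admin user
 * @param string $financial_day      day the financial year starts
 * @param string $financial_month    month the financial year starts
 * @param string $currency_symbol
 * @param string $thousand_separator
 * @param string $decimal_separator
 * @param string $tax_name           default tax name
 * @param string $tax_value          default tax rate
 * @param string $tax_checkbox       "is default" flag for the tax row
 * @param string $company_name
 * @param string $company_regis      company registration number
 * @param string $company_website
 * @param string $company_address_1
 * @param string $compnay_address_2  (sic — parameter name kept for existing callers)
 * @param string $company_city
 * @param string $company_country
 * @param string $company_postal
 * @param string $company_state
 * @param string $company_phone
 * @param string $company_fax
 *
 * @return void Dies on connection/select failure; stops silently if the account
 *              or company insert fails (as the original did).
 */
function addInformation($mysql_host, $mysql_username, $mysql_password, $mysql_database, $account_email, $account_pass, $lang, $financial_day, $financial_month, $currency_symbol, $thousand_separator, $decimal_separator, $tax_name, $tax_value, $tax_checkbox, $company_name, $company_regis, $company_website, $company_address_1, $compnay_address_2, $company_city, $company_country, $company_postal, $company_state, $company_phone, $company_fax)
{
    $conn = mysql_connect($mysql_host, $mysql_username, $mysql_password) or die('Error connecting to MySQL server: ' . mysql_error());
    if (!mysql_select_db($mysql_database, $conn)) {
        die('Error selecting database: ' . mysql_error($conn));
    }
    // Escape one form value and wrap it in quotes for inline use in SQL.
    $quote = function ($value) use ($conn) {
        return "'" . mysql_real_escape_string((string) $value, $conn) . "'";
    };
    // One timestamp for both the account and the subscription rows.
    $now = $quote(date('Y-m-d H:i:s'));

    $sql = "INSERT INTO lb_sys_accounts(account_email,account_password,account_created_date,account_status) VALUES (" . $quote($account_email) . "," . $quote(hashPassword($account_pass)) . "," . $now . ",1)";
    if (!mysql_query($sql, $conn)) {
        return;
    }
    // account_id is generated by the server (the INSERT above does not supply it).
    $id = (int) mysql_insert_id($conn);

    mysql_query("INSERT INTO lb_sys_account_profiles(account_id,account_profile_given_name) VALUES (" . $id . ",'Admin')", $conn);
    // add subscription
    mysql_query("INSERT INTO lb_sys_account_subscriptions(account_id,account_subscription_package_id,account_subscription_start_date,account_subscription_status_id,subscription_name) VALUES (" . $id . ",0," . $now . ",1,'My Company')", $conn);
    mysql_query("INSERT INTO lb_language_user(lb_user_id,lb_language_name) VALUES (" . $id . "," . $quote($lang) . ")", $conn);
    mysql_query("INSERT INTO lb_user_list(system_list_code,system_list_item_code,system_list_item_name,system_list_item_active,system_list_item_day,system_list_item_month) VALUES ('financial_year','financial_year','Financial Year',1," . $quote($financial_day) . "," . $quote($financial_month) . ")", $conn);
    mysql_query("INSERT INTO lb_genera(lb_genera_currency_symbol, lb_thousand_separator, lb_decimal_symbol) VALUE (" . $quote($currency_symbol) . "," . $quote($thousand_separator) . "," . $quote($decimal_separator) . ")", $conn);
    mysql_query("INSERT INTO lb_taxes(lb_tax_name, lb_tax_value, lb_tax_is_default) VALUE (" . $quote($tax_name) . "," . $quote($tax_value) . "," . $quote($tax_checkbox) . ")", $conn);

    $sql6 = "INSERT INTO lb_customers(lb_customer_name, lb_customer_registration, lb_customer_website_url) VALUE (" . $quote($company_name) . "," . $quote($company_regis) . "," . $quote($company_website) . ")";
    if (!mysql_query($sql6, $conn)) {
        return;
    }
    // lb_record_primary_key is likewise server-generated.
    $customer_id = (int) mysql_insert_id($conn);
    mysql_query("INSERT INTO lb_customer_addresses (lb_customer_id, lb_customer_address_line_1, lb_customer_address_2, lb_customer_address_city, lb_customer_address_state, lb_customer_address_country, lb_customer_address_postal_code, lb_customer_address_phone_1, lb_customer_address_fax) VALUE (" . $customer_id . "," . $quote($company_address_1) . "," . $quote($compnay_address_2) . "," . $quote($company_city) . "," . $quote($company_state) . "," . $quote($company_country) . "," . $quote($company_postal) . "," . $quote($company_phone) . "," . $quote($company_fax) . ")", $conn);
}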
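 // First-install DDL for the "user" and "post" tables. $db (a PDO handle),
 // $tables and $t come from earlier in the file. NOTE(review): $t is spliced
 // straight into sequence/constraint identifiers; confirm it is an internal
 // install tag and never user-supplied.
 if (!$tables['user']) {
     $stmt = $db->prepare('CREATE TABLE "user" (id integer NOT NULL, email character varying(255) NOT NULL, password character varying(255), name character varying(255))');
     $stmt->execute();
     $stmt = $db->prepare('CREATE SEQUENCE user_id_seq_' . $t . ' START WITH 1 INCREMENT BY 1 NO MINVALUE NO MAXVALUE CACHE 1');
     $stmt->execute();
     $stmt = $db->prepare('ALTER SEQUENCE user_id_seq_' . $t . ' OWNED BY "user".id');
     $stmt->execute();
     $stmt = $db->prepare('ALTER TABLE ONLY "user" ALTER COLUMN id SET DEFAULT nextval(\'user_id_seq_' . $t . '\'::regclass)');
     $stmt->execute();
     $stmt = $db->prepare('ALTER TABLE ONLY "user" ADD CONSTRAINT user_email_key_' . $t . ' UNIQUE (email)');
     $stmt->execute();
     $stmt = $db->prepare('ALTER TABLE ONLY "user" ADD CONSTRAINT user_pkey_' . $t . ' PRIMARY KEY (id)');
     $stmt->execute();
     // Seed account admin/test. NOTE(review): these credentials are fixed in the
     // installer; the password should be taken from the install form or forced
     // to change on first login.
     $stmt = $db->prepare('INSERT INTO "user"("email","password","name") VALUES (:email,:password,:name)');
     // All three keys carry the leading colon so they read like the placeholders above.
     $stmt->execute(array(':email' => 'admin', ':password' => hashPassword('test'), ':name' => 'Admin'));
 }
 if (!$tables['post']) {
     $stmt = $db->prepare('CREATE TABLE post (id integer NOT NULL, title text, abstract text, content text, file1 text, up_file1 text, file2 text, up_file2 text, file3 text, up_file3 text, file4 text, up_file4 text, file5 text, up_file5 text, status integer, created_author integer, modified_author integer, created_date integer, updated_date integer)');
     $stmt->execute();
     $stmt = $db->prepare('CREATE SEQUENCE post_id_seq_' . $t . ' START WITH 1 INCREMENT BY 1 NO MINVALUE NO MAXVALUE CACHE 1');
     $stmt->execute();
     $stmt = $db->prepare('ALTER SEQUENCE post_id_seq_' . $t . ' OWNED BY post.id');
     $stmt->execute();
     $stmt = $db->prepare('ALTER TABLE ONLY post ALTER COLUMN id SET DEFAULT nextval(\'post_id_seq_' . $t . '\'::regclass)');
     $stmt->execute();
     $stmt = $db->prepare('ALTER TABLE ONLY post ADD CONSTRAINT post_pkey_' . $t . ' PRIMARY KEY (id);');
     $stmt->execute();
 }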
 ?>
     <h3>INSTALL SUCCESSFULLY</h3>
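/**
 * Looks up a username/password pair in nctf_accounts and, on exactly one match,
 * populates the session (username, user_id, loggedin).
 *
 * The credential literals in the query appear as '******' on this page (redacted
 * by the listing), so $pName and $pPassword are not visibly used below.
 *
 * @param string $pName     username submitted by the login form
 * @param string $pPassword password submitted by the login form
 *
 * @return bool true when exactly one account matched
 */
function validateUser_Name($pName, $pPassword)
{
    global $dbc;
    // See if the username and password are valid.
    $sql = "SELECT username,user_id FROM nctf_accounts  WHERE username = '******' AND password = '******' LIMIT 1";
    // $dbc is a mysqli link, so the error text comes from mysqli_error(); the
    // original called the unrelated (and since removed) mysql_error() here.
    $query = mysqli_query($dbc, $sql) or trigger_error("Query Failed: " . mysqli_error($dbc));
    if (!$query) {
        // trigger_error() returns, so a failed query must not reach mysqli_num_rows().
        return false;
    }
    // If one row was returned, the user was logged in!
    if (mysqli_num_rows($query) == 1) {
        $row = mysqli_fetch_assoc($query);
        // Issue a fresh session id on authentication so an id obtained before
        // login cannot be carried over into the authenticated session.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['username'] = $row['username'];
        $_SESSION['user_id'] = $row['user_id'];
        $_SESSION['loggedin'] = true;
        return true;
    }
    return false;
}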
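/**
 * Checks if a username and password are valid and updates the last login date & time
 *
 * The username and timestamp literals in the SQL appear as '******' on this page
 * (redacted by the listing).
 *
 * @param string $username
 * @param string $password plaintext password; compared against hashPassword($password, $salt)
 *
 * @return mixed|null the matched user's UserID, or null when the user is unknown or
 *                    the password does not match
 */
function checkLogin($username, $password)
{
    global $mysql;
    // See if we have a valid user
    $select = "SELECT * FROM users WHERE Username = '******'";
    $result = mysql_query($select, $mysql);
    if ($result && mysql_num_rows($result) === 1) {
        // See if the password matches
        $user = mysql_fetch_assoc($result);
        $passwordSalt = $user['PasswordSalt'];
        // hash_equals(): constant-time comparison, so the check does not leak how
        // many leading bytes of the stored hash matched. Both sides are cast to
        // string because hash_equals() rejects non-strings.
        $candidate = (string) hashPassword($password, $passwordSalt);
        if (hash_equals((string) $user['PasswordHash'], $candidate)) {
            // Update the last login
            $today = date('Y-m-d H:i:s');
            $update = "UPDATE users SET LastLogin = '******' WHERE UserID = " . $user['UserID'];
            mysql_query($update, $mysql);
            // Finally, provide the caller with the UserID
            return $user['UserID'];
        }
    }
    return null;
}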
<?php

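// Password-reset completion: exchanges a reset token for a new password.
// A token is accepted for 100 seconds after the stored 'tokentime'.
include_once 'database.php';
include_once 'hash.php';
session_start();
$connection = @new mysqli($host, $db_user, $db_password, $db_name);
if ($connection->connect_errno != 0) {
    $_SESSION['userAdderMessage'] = "Error" . $connection->connect_errno . $connection->connect_error;
} else {
    $token = htmlentities(isset($_POST['token']) ? $_POST['token'] : '', ENT_QUOTES, "UTF-8");
    // NOTE(review): the password is entity-encoded here and SQL-escaped again
    // before hashing; the login path must apply the same transformation or the
    // stored hash will never match. Kept as in the original — confirm.
    $password = htmlentities(isset($_POST['password']) ? $_POST['password'] : '', ENT_QUOTES, "UTF-8");
    // The escaped token is now actually used: the original interpolated the raw
    // $token into the format string and discarded the sprintf() argument.
    $lookup = sprintf("SELECT * FROM users WHERE token='%s'", mysqli_real_escape_string($connection, $token));
    if ($result = @$connection->query($lookup)) {
        if ($result->num_rows > 0) {
            $row = $result->fetch_assoc();
            $token_time = $row['tokentime'];
            $old_token = $row['token'];
            $result->free_result();
            if (time() - $token_time <= 100) {
                // Burn the used token by replacing it with a fresh, unpredictable one.
                // random_bytes() is a CSPRNG; the md5/uniqid/mt_rand fallback is
                // predictable and only kept for runtimes older than PHP 7.0.
                // Both forms are 32 hex characters, so the column width is unchanged.
                $token = function_exists('random_bytes') ? bin2hex(random_bytes(16)) : md5(uniqid(mt_rand(), true));
                $hashedPassword = hashPassword(mysqli_real_escape_string($connection, $password));
                // The password placeholder in this UPDATE appears redacted ('******') on this page.
                $result = @$connection->query(sprintf("UPDATE users SET password = '******' , token='%s' WHERE token='%s' ", $hashedPassword, $token, mysqli_real_escape_string($connection, $old_token)));
                $_SESSION['reset'] = "Hasło zostało zrestartowane";
            } else {
                $_SESSION['reset'] = "Link wygasł wygeneruj ponownie";
            }
        }
    }
    $connection->close();
}
header('Location: ../restarter.php');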
    }
}
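// Drain any result sets left over from the multi-statement install query above
// so the mysqli connection ($server, opened earlier in the file) can be reused.
do {
    if ($r = $server->store_result()) {
        $r->free();
    }
} while ($server->more_results() && $server->next_result());
$result = $server->query("SELECT id FROM settings WHERE name='title'");
// A 'title' setting means the installation already completed: clean up the
// installer and go to the admin area instead of creating another admin account.
if ($result && $result->num_rows == 1) {
    if (!@chmod('../install', 0777)) {
        echo "PLEASE DELETE install/ FOLDER MANUALLY. THEN GO TO yourwebsite.com/feedback/admin/ TO LOG IN.";
        exit;
    }
    unlink('index.php');
    unlink('install1.php');
    unlink('database_tables.sql');
    unlink('index2.php');
    unlink('install2.php');
    header('Location: ../admin');
    exit;
} else {
    // The admin details come straight from the install form, so they are bound
    // as parameters rather than concatenated into the INSERT.
    $stmt = $server->prepare("INSERT INTO users(id,name,email,pass,votes,isadmin,banned) VALUES('',?,?,?,20,3,0)");
    if ($stmt) {
        $adminName = isset($_POST['adminname']) ? $_POST['adminname'] : '';
        $adminEmail = isset($_POST['adminemail']) ? $_POST['adminemail'] : '';
        $adminPass = hashPassword(isset($_POST['adminpass']) ? $_POST['adminpass'] : '');
        $stmt->bind_param('sss', $adminName, $adminEmail, $adminPass);
        $stmt->execute();
        $stmt->close();
    }
    if (!@chmod('../install', 0777)) {
        echo "PLEASE DELETE install/index.php, install/install1.php AND install/database_tables.sql FILES MANUALLY.<br />\n            THEN GO TO yourwebsite.com/feedback/install/index2.php TO CONTINUE THE INSTALLATION.";
        exit;
    }
    unlink('index.php');
    unlink('install1.php');
    unlink('database_tables.sql');
    header('Location: index2.php');
    // Stop here, as the other branch does, so nothing runs after the redirect.
    exit;
}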