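/**
 * Authenticate a user against the `login` table and, on success, remember the
 * login id and username in the session.
 *
 * The original ended with an unreachable `return false` after an if/else in
 * which both branches already returned; the else branch is now flattened.
 *
 * @global string $seed Site-wide value appended to the password before hashing
 *                      (declared in header.php according to the original comment)
 * @param string $u Submitted username
 * @param string $p Submitted plaintext password
 * @return bool true when exactly one enabled, activated row matches; false otherwise
 */
function checkLogin($u, $p) {
    global $seed; // global because $seed is declared in the header.php file

    // Reject early if the name or password fail their format checks, or the
    // username is unknown.
    if (!valid_username($u) || !valid_password($p) || !user_exists($u)) {
        return false;
    }

    // Now let us look for the user in the database.
    // NOTE(review): the '******' literals read as a redaction of the sprintf
    // placeholders in this listing; confirm against the real source.
    // NOTE(review): sha1(password . site-wide seed) is not a per-user salt and
    // sha1 is fast to brute-force; password_hash()/password_verify() are the
    // modern replacement. The mysql_* extension is also gone in PHP 7+, and a
    // prepared statement (PDO/mysqli) removes the need for manual escaping.
    $query = sprintf("\n\t\tSELECT loginid \n\t\tFROM login \n\t\tWHERE \n\t\tusername = '******' AND password = '******' \n\t\tAND disabled = 0 AND activated = 1 \n\t\tLIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
    $result = mysql_query($query);

    // 0 rows: the credentials are wrong. 1 row: the login is correct.
    // More than 1 row: several users share username and password, so the
    // login fails as well.
    if (mysql_num_rows($result) != 1) {
        return false;
    }

    // Login was successful
    $row = mysql_fetch_array($result);
    $_SESSION['loginid'] = $row['loginid']; // Save the user ID for use later
    $_SESSION['username'] = $u;             // Save the username for use later
    return true;
}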
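/**
 * Validate the registration form in $_POST and, when every check passes,
 * insert the user row and redirect to the login page.
 *
 * Failures are appended to $this->errors, either as the fixed keys
 * "passwords_dont_match", "emails_dont_match", "tos_not_checked" or as
 * whatever a valid_* helper returns when it does not return true.
 *
 * Fixes: the privacy flags used a loose `==` on $_POST entries that raised an
 * undefined-index notice when absent, the ToS check did the same, and the
 * redirect URL was shown in this listing as "login®=true" (see the note below).
 *
 * @global object $yakbb Application object providing ->db, ->ip and ->config
 * @return void
 */
private function validateRegistration() {
    loadLibrary("validation.lib");

    $user = secure($_POST["username"]);
    $display = secure($_POST["display"]);
    $pass1 = secure($_POST["pass1"]);
    $pass2 = secure($_POST["pass2"]);
    $email1 = secure($_POST["email1"]);
    $email2 = secure($_POST["email2"]);

    $res = valid_username($user);
    if ($res !== true) {
        $this->errors[] = $res;
    }

    $res = valid_displayname($display);
    if ($res !== true) {
        $this->errors[] = $res;
    }

    // Passwords must agree before the strength/format check is worth running.
    if ($pass1 !== $pass2) {
        $this->errors[] = "passwords_dont_match";
    } else {
        $res = valid_password($pass1);
        if ($res !== true) {
            $this->errors[] = $res;
        }
    }

    if ($email1 !== $email2) {
        $this->errors[] = "emails_dont_match";
    } else {
        $res = valid_email($email1);
        if ($res !== true) {
            $this->errors[] = $res;
        }
    }

    // Privacy flags default to the most protective setting: the e-mail stays
    // hidden unless the form explicitly says "no", and mail is only received
    // when the form explicitly says "yes". A missing field keeps the default.
    $hideemail = !(isset($_POST["hideemail"]) && $_POST["hideemail"] === "no");
    $receiveemail = isset($_POST["receiveemail"]) && $_POST["receiveemail"] === "yes";

    // Check ToS box; a missing field counts as not checked.
    if (empty($_POST["tos"])) {
        $this->errors[] = "tos_not_checked";
    }

    if (count($this->errors) == 0) {
        // Add the user
        global $yakbb;
        $yakbb->db->insert("users", array("id" => 0, "username" => $user, "displayname" => $display, "password" => sha256($pass1), "email" => $email1, "emailshow" => $hideemail ? 0 : 1, "emailoptin" => $receiveemail ? 1 : 0, "activated" => 1, "activationcode" => "", "pending" => 0, "registeredtime" => time(), "lastip" => $yakbb->ip, "template" => $yakbb->config["default_template"], "language" => $yakbb->config["default_language"], "timezone" => $yakbb->config["default_timezone"]));
        // NOTE(review): this listing showed the URL as "login®=true", which reads
        // as an HTML-entity decoding of "&reg"; confirm the intended query string.
        redirect("?action=login&reg=true");
    }
}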
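/**
 * Reset the password of the account matching $username and $email to a freshly
 * generated code and e-mail that code to the user.
 *
 * Fix: the lookup query interpolated $username and $email raw while the update
 * below it escaped its values; both queries now escape consistently. The
 * unreachable trailing `return false` and the nested if/else returns are gone.
 *
 * @global string $seed Site-wide value appended to the password before hashing
 * @param string $username Account name entered on the lost-password form
 * @param string $email    E-mail address entered on the form; must match the account
 * @return bool true only when the row was updated and the e-mail was sent
 */
function lostPassword($username, $email) {
    global $seed;

    if (!valid_username($username) || !user_exists($username) || !valid_email($email)) {
        return false;
    }

    // NOTE(review): the '******' literal reads as a redaction of a sprintf
    // placeholder in this listing; confirm against the real source.
    $query = sprintf("select loginid from login where username = '******' and email = '%s' limit 1", mysql_real_escape_string($username), mysql_real_escape_string($email));
    $result = mysql_query($query);
    if (mysql_num_rows($result) != 1) {
        return false;
    }

    // NOTE(review): generate_code() must draw from a cryptographic source for the
    // new password to be unguessable; its implementation is not on this page.
    // sha1(code . site-wide seed) is not a per-user salt — password_hash() is the
    // modern replacement, and mysql_* is gone in PHP 7+.
    $newpass = generate_code(8);
    $query = sprintf("update login set password = '******' where username = '******'", mysql_real_escape_string(sha1($newpass . $seed)), mysql_real_escape_string($username));
    if (!mysql_query($query)) {
        return false;
    }

    // The caller only learns success once the mail with the new code went out.
    return (bool) sendLostPasswordEmail($username, $email, $newpass);
}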
/**
 * Process information given to new/edit account form
 *
 * Every validation check runs first (required fields, username/password/e-mail
 * format, PGP fingerprint, SSH keys, permission escalation, language, and the
 * uniqueness of username, e-mail and SSH fingerprints); the first failure wins.
 * Only then is the row inserted ("new") or updated ("edit").
 *
 * @global array $SUPPORTED_LANGS Languages that are supported by the AUR
 * @param string $TYPE Either "edit" for editing or "new" for registering an account
 * @param string $A Form to use, either UpdateAccount or NewAccount (not read in this function)
 * @param string $U The username for the account
 * @param string $T The account type for the user
 * @param string $S Whether or not the account is suspended
 * @param string $E The e-mail address for the user
 * @param string $H Whether or not the e-mail address should be hidden
 * @param string $P The password for the user
 * @param string $C The confirmed password for the user
 * @param string $R The real name of the user
 * @param string $L The language preference of the user
 * @param string $I The IRC nickname of the user
 * @param string $K The PGP fingerprint of the user
 * @param string $PK The list of public SSH keys, one per line
 * @param string $J The inactivity status of the user
 * @param string $UID The user ID of the modified account
 * @param string $N The username as present in the database (not read in this function)
 *
 * @return array Boolean indicating success and message to be printed
 */
function process_account_form($TYPE, $A, $U = "", $T = "", $S = "", $E = "", $H = "", $P = "", $C = "", $R = "", $L = "", $I = "", $K = "", $PK = "", $J = "", $UID = 0, $N = "") {
    global $SUPPORTED_LANGS;

    $error = '';
    $message = '';

    if (is_ipbanned()) {
        $error = __('Account registration has been disabled ' . 'for your IP address, probably due ' . 'to sustained spam attacks. Sorry for the ' . 'inconvenience.');
    }

    $dbh = DB::connect();

    // NOTE(review): $editor_user is assigned but never read below.
    if (isset($_COOKIE['AURSID'])) {
        $editor_user = uid_from_sid($_COOKIE['AURSID']);
    } else {
        $editor_user = null;
    }

    // Required fields. Later checks are gated on !$error, so the first failure
    // is the one reported.
    if (empty($E) || empty($U)) {
        $error = __("Missing a required field.");
    }
    if ($TYPE != "new" && !$UID) {
        $error = __("Missing User ID");
    }

    if (!$error && !valid_username($U)) {
        $length_min = config_get_int('options', 'username_min_len');
        $length_max = config_get_int('options', 'username_max_len');
        $error = __("The username is invalid.") . "<ul>\n" . "<li>" . __("It must be between %s and %s characters long", $length_min, $length_max) . "</li>" . "<li>" . __("Start and end with a letter or number") . "</li>" . "<li>" . __("Can contain only one period, underscore or hyphen.") . "</li>\n</ul>";
    }

    // Password is optional (empty means "send a reset key" for new accounts and
    // "leave unchanged" for edits); when given it must match its confirmation
    // and satisfy good_passwd().
    if (!$error && $P && $C && $P != $C) {
        $error = __("Password fields do not match.");
    }
    if (!$error && $P != '' && !good_passwd($P)) {
        $length_min = config_get_int('options', 'passwd_min_len');
        $error = __("Your password must be at least %s characters.", $length_min);
    }

    if (!$error && !valid_email($E)) {
        $error = __("The email address is invalid.");
    }

    if (!$error && $K != '' && !valid_pgp_fingerprint($K)) {
        $error = __("The PGP key fingerprint is invalid.");
    }

    // SSH keys: one per line; each is validated, reduced to "type key" (the
    // comment field is dropped) and fingerprinted for the uniqueness check.
    // NOTE(review): $ssh_keys and $ssh_fingerprints are only defined inside this
    // branch, yet count($ssh_keys) and account_set_ssh_keys() below use them
    // unconditionally. On PHP 8 count(null) throws a TypeError; initialising
    // both to array() before this `if` would close that gap.
    if (!$error && !empty($PK)) {
        $ssh_keys = array_filter(array_map('trim', explode("\n", $PK)));
        $ssh_fingerprints = array();
        foreach ($ssh_keys as &$ssh_key) {
            if (!valid_ssh_pubkey($ssh_key)) {
                $error = __("The SSH public key is invalid.");
                break;
            }
            $ssh_fingerprint = ssh_key_fingerprint($ssh_key);
            if (!$ssh_fingerprint) {
                $error = __("The SSH public key is invalid.");
                break;
            }
            $tokens = explode(" ", $ssh_key);
            $ssh_key = $tokens[0] . " " . $tokens[1];
            $ssh_fingerprints[] = $ssh_fingerprint;
        }
        /*
         * Destroy last reference to prevent accidentally overwriting
         * an array element.
         */
        unset($ssh_key);
    }

    // Privilege escalation guard: && binds tighter than ||, so this reads as
    // (User and T > 1) or (Trusted User and T > 2). It is not gated on !$error
    // and runs only when a session cookie is present.
    if (isset($_COOKIE['AURSID'])) {
        $atype = account_from_sid($_COOKIE['AURSID']);
        if ($atype == "User" && $T > 1 || $atype == "Trusted User" && $T > 2) {
            $error = __("Cannot increase account permissions.");
        }
    }

    if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
        $error = __("Language is not currently supported.");
    }

    if (!$error) {
        /*
         * Check whether the user name is available.
         * TODO: Fix race condition.
         */
        $q = "SELECT COUNT(*) AS CNT FROM Users ";
        // NOTE(review): the next statement is garbled in this listing ("******"
        // replaces what was presumably the quoted username and the `if ($TYPE ==`
        // that the following "edit") belongs to); compare with the e-mail check
        // below for the intended shape.
        $q .= "WHERE Username = "******"edit") {
            $q .= " AND ID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row[0]) {
            $error = __("The username, %s%s%s, is already in use.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        }
    }

    if (!$error) {
        /*
         * Check whether the e-mail address is available.
         * TODO: Fix race condition.
         */
        $q = "SELECT COUNT(*) AS CNT FROM Users ";
        $q .= "WHERE Email = " . $dbh->quote($E);
        if ($TYPE == "edit") {
            $q .= " AND ID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row[0]) {
            $error = __("The address, %s%s%s, is already in use.", "<strong>", htmlspecialchars($E, ENT_QUOTES), "</strong>");
        }
    }

    if (!$error && count($ssh_keys) > 0) {
        /*
         * Check whether any of the SSH public keys is already in use.
         * TODO: Fix race condition.
         */
        $q = "SELECT Fingerprint FROM SSHPubKeys ";
        $q .= "WHERE Fingerprint IN (";
        $q .= implode(',', array_map(array($dbh, 'quote'), $ssh_fingerprints));
        $q .= ")";
        if ($TYPE == "edit") {
            $q .= " AND UserID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row) {
            $error = __("The SSH public key, %s%s%s, is already in use.", "<strong>", htmlspecialchars($row[0], ENT_QUOTES), "</strong>");
        }
    }

    if ($error) {
        $message = "<ul class='errorlist'><li>" . $error . "</li></ul>\n";
        return array(false, $message);
    }

    if ($TYPE == "new") {
        /* Create an unprivileged user. */
        $salt = generate_salt();
        // No password given: create the account and mail a reset key instead.
        if (empty($P)) {
            $send_resetkey = true;
            $email = $E;
        } else {
            $send_resetkey = false;
            $P = salted_hash($P, $salt);
        }
        // Every value is quoted through the PDO handle before interpolation.
        // NOTE(review): $U is overwritten with its quoted form here, so the
        // success/error messages below display the username with quotes around it.
        $U = $dbh->quote($U);
        $E = $dbh->quote($E);
        $P = $dbh->quote($P);
        $salt = $dbh->quote($salt);
        $R = $dbh->quote($R);
        $L = $dbh->quote($L);
        $I = $dbh->quote($I);
        $K = $dbh->quote(str_replace(" ", "", $K));
        $q = "INSERT INTO Users (AccountTypeID, Suspended, ";
        $q .= "InactivityTS, Username, Email, Passwd, Salt, ";
        $q .= "RealName, LangPreference, IRCNick, PGPKey) ";
        $q .= "VALUES (1, 0, 0, {$U}, {$E}, {$P}, {$salt}, {$R}, {$L}, ";
        $q .= "{$I}, {$K})";
        $result = $dbh->exec($q);
        if (!$result) {
            $message = __("Error trying to create account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
            return array(false, $message);
        }
        $uid = $dbh->lastInsertId();
        account_set_ssh_keys($uid, $ssh_keys, $ssh_fingerprints);
        $message = __("The account, %s%s%s, has been successfully created.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        $message .= "<p>\n";
        if ($send_resetkey) {
            send_resetkey($email, true);
            $message .= __("A password reset key has been sent to your e-mail address.");
            $message .= "</p>\n";
        } else {
            $message .= __("Click on the Login link above to use your account.");
            $message .= "</p>\n";
        }
    } else {
        /* Modify an existing account. */
        // Keep an existing inactivity timestamp, start one now when $J is newly
        // set, or clear it when $J is unset.
        $q = "SELECT InactivityTS FROM Users WHERE ";
        $q .= "ID = " . intval($UID);
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row[0] && $J) {
            $inactivity_ts = $row[0];
        } elseif ($J) {
            $inactivity_ts = time();
        } else {
            $inactivity_ts = 0;
        }
        $q = "UPDATE Users SET ";
        // NOTE(review): the next statement is garbled in this listing ("******"
        // replaces the quoted username and the `if` whose closing brace follows);
        // the account type is only updated inside that missing condition.
        $q .= "Username = "******", AccountTypeID = " . intval($T);
        }
        if ($S) {
            /* Ensure suspended users can't keep an active session */
            delete_user_sessions($UID);
            $q .= ", Suspended = 1";
        } else {
            $q .= ", Suspended = 0";
        }
        $q .= ", Email = " . $dbh->quote($E);
        if ($H) {
            $q .= ", HideEmail = 1";
        } else {
            $q .= ", HideEmail = 0";
        }
        // A non-empty password gets a fresh salt and hash.
        // NOTE(review): $hash and $salt are interpolated without $dbh->quote();
        // this relies on salted_hash()/generate_salt() returning quote-free text.
        if ($P) {
            $salt = generate_salt();
            $hash = salted_hash($P, $salt);
            $q .= ", Passwd = '{$hash}', Salt = '{$salt}'";
        }
        $q .= ", RealName = " . $dbh->quote($R);
        $q .= ", LangPreference = " . $dbh->quote($L);
        $q .= ", IRCNick = " . $dbh->quote($I);
        $q .= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
        $q .= ", InactivityTS = " . $inactivity_ts;
        $q .= " WHERE ID = " . intval($UID);
        $result = $dbh->exec($q);
        $ssh_key_result = account_set_ssh_keys($UID, $ssh_keys, $ssh_fingerprints);
        // exec() returns 0 (not false) when nothing changed, so only a real
        // failure of either write produces the "no changes" message.
        if ($result === false || $ssh_key_result === false) {
            $message = __("No changes were made to the account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        } else {
            $message = __("The account, %s%s%s, has been successfully modified.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        }
    }

    return array(true, $message);
}
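/**
 * Instantiate every registered plugin and invoke $method on it.
 *
 * Fix: a plugin name that failed valid_username() was reported and then
 * instantiated anyway; it is now skipped.
 *
 * @param string $method Name of the method to call on each plugin object
 * @param mixed  $args   Single argument forwarded to the method (default '')
 * @return void
 */
function callPluginMethod($method, $args = '') {
    foreach ($GLOBALS['plugin']->pluginslist as $value) {
        // The plugin name is used directly as a class name, so valid_username()
        // appears to serve as its character allow-list (the helper itself is
        // not on this page).
        if (!valid_username($value)) {
            echo 'Sorry, your plugin ' . e::h($value) . ' is not setup properly';
            continue;
        }
        // NOTE(review): $method is used as-is; both it and the plugin list should
        // come from application configuration, never from request data.
        $plugin_obj = new $value();
        $plugin_obj->{$method}($args);
    }
}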
urlto("main.php"); } // NOTE(review): the `}` closes a block that starts before this fragment.
include_once "_jack1.php";

//nopost -> return
// NOTE(review): this assumes urlto() ends the script; if it only sends a
// header, $un/$pw are undefined below — confirm.
if (isset($_POST['un'])) {
    $un = $_POST['un'];
} else {
    urlto("index.php");
}
if (isset($_POST['pw'])) {
    $pw = $_POST['pw'];
} else {
    urlto("index.php");
}

//check data
if (!valid_username($un)) {
    urlto("index.php?msg=2");
}
if (!valid_password($pw)) {
    urlto("index.php?msg=2");
}

$con = mysql_connectEx();
// NOTE(review): $un is concatenated into the SQL string without escaping, so
// valid_username() (not on this page) is the only thing between the request
// and the query. A prepared statement would remove that dependency.
$sql = "SELECT * FROM `motal_users` WHERE `username`='" . $un . "'";
// NOTE(review): the full SQL statement is written to the response — looks like
// a debugging leftover.
echo $sql . "<hr>";
$result = mysql_query($sql);
$row = @mysql_fetch_array($result); // `@` hides the warning raised when $result is false (failed query)
if (isset($row['username'])) {
    //check hashed data
    // Username-prefixed sha1: a fast, unsalted-per-user hash.
    $pw = sha1($un . $pw);
    // NOTE(review): `==` compares numeric-looking strings numerically, so two
    // hex digests can compare equal without being identical; hash_equals() is
    // the safe comparison for digests.
    if ($pw == $row['password']) {
        $_SESSION['uid'] = $row['id']; // NOTE(review): the `if` bodies continue past the end of this fragment.
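/**
 * Creates a new user on the forum.
 *
 * Only the keys listed in $valid_fields are accepted from $userdat; any other
 * key is dropped. "username", "password" and "email" are required. The
 * remaining columns (group, activation state, registration time, IP,
 * template, language, timezone) are always filled from fixed defaults and
 * $yakbb, never from the caller.
 *
 * Fix: both in_array() checks now compare strictly, so an integer key in
 * $userdat can no longer match a column name loosely.
 *
 * @global object $yakbb Application object providing ->db, ->ip and ->config
 * @param array $userdat Field => value map for the new user
 * @return bool|array true on insert; false when a required field is missing
 *                    (also reported via record_yakbb_error()); otherwise the
 *                    list of messages returned by the valid_* helpers
 */
function insert_user($userdat) {
    global $yakbb;

    // List fields that this function can provide.
    $valid_fields = array("username", "displayname", "password", "email", "emailshow", "emailoptin");
    $required_fields = array("username", "password", "email");

    // Validate that ONLY these fields are provided. Then, validate required fields
    $fields_provided = array_keys($userdat);
    foreach ($fields_provided as $item) {
        if (!in_array($item, $valid_fields, true)) {
            unset($userdat[$item]); // Remove the invalid item
        }
    }
    foreach ($required_fields as $item) {
        if (!in_array($item, $fields_provided, true)) {
            record_yakbb_error("Missed field \"" . $item . "\" in call to insert_user().");
            return false;
        }
    }

    // Set the data that will ALWAYS be this way
    $userdat["group"] = 0;
    $userdat["activated"] = 1;
    $userdat["activationcode"] = ""; // Sent via e-mail
    $userdat["pending"] = 0;         // Admin approval required?
    $userdat["registeredtime"] = time();
    $userdat["lastip"] = $yakbb->ip;
    $userdat["template"] = $yakbb->config["default_template"];
    $userdat["language"] = $yakbb->config["default_language"];
    $userdat["timezone"] = $yakbb->config["default_timezone"];

    // Set the data that is optional. intval() is used to force integer value upon certain ones
    $userdat["emailshow"] = isset($userdat["emailshow"]) ? intval($userdat["emailshow"]) : 0;
    $userdat["emailoptin"] = isset($userdat["emailoptin"]) ? intval($userdat["emailoptin"]) : 0;
    $userdat["displayname"] = isset($userdat["displayname"]) ? $userdat["displayname"] : $userdat["username"];

    // Validate inputted data
    // NOTE(review): "password" is inserted exactly as supplied; hashing is
    // expected to happen in the caller — confirm every caller does so.
    if (!function_exists("valid_username")) {
        loadLibrary("validation.lib");
    }
    $errors = array();
    $res = valid_username($userdat["username"]);
    if ($res !== true) {
        $errors[] = $res;
    }
    $res = valid_displayname($userdat["displayname"]);
    if ($res !== true) {
        $errors[] = $res;
    }
    $res = valid_password($userdat["password"]);
    if ($res !== true) {
        $errors[] = $res;
    }
    $res = valid_email($userdat["email"]);
    if ($res !== true) {
        $errors[] = $res;
    }

    if (count($errors) == 0) {
        $yakbb->db->insert("users", $userdat);
        return true;
    }
    return $errors;
}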
<?php
include "config/config.php";
include "include/function.php";
include "include/logincheck.php";

// Handle the add-user form submission; the HTML page below renders afterwards.
if (isset($_POST['submit'])) {
    $error = "";
    // NOTE(review): judging by the messages, valid_mail()/valid_username()
    // report whether the value is still available rather than its format;
    // their source is not on this page — confirm.
    if (!valid_mail($_POST['email'])) {
        $error .= "Email is already registered<br>";
    }
    if (!valid_username($_POST['username'])) {
        $error .= "Username is already registered<br>";
    }
    if ($error == "") {
        // NOTE(review): every column is taken from $_POST as-is, including
        // 'usertype' (presumably an account role chosen by the submitter) and
        // 'password', which is stored as given unless InsertData() hashes it
        // — confirm, since InsertData() is not on this page.
        $form_data = array('usertype' => $_POST['usertype'], 'username' => $_POST['username'], 'email' => $_POST['email'], 'fname' => $_POST['fname'], 'lname' => $_POST['lname'], 'phone' => $_POST['phone'], 'password' => $_POST['password'], 'debut' => date("Y-m-d H:i:s"));
        InsertData(USER, $form_data);
        $id = mysql_insert_id();
        log_add_user($id);
        email_add_user($id);
        // No exit after the redirect header, so the page body is still produced.
        header("location:add-user.php?addsuccess");
    }
}
?> <!DOCTYPE html> <!--[if IE 8]> <html lang="en" class="ie8 no-js"> <![endif]--> <!--[if IE 9]> <html lang="en" class="ie9 no-js"> <![endif]--> <!--[if !IE]><!--> <html lang="en" class="no-js"> <!--<![endif]--> <!-- BEGIN HEAD -->
/**
 * Form-validation callback for a username: it must pass the global
 * valid_username() helper, contain no whitespace runs other than single
 * spaces, and not be taken already.
 *
 * NOTE(review): the unqualified valid_username() call inside this method
 * resolves to a global function, not to this method; that helper is not on
 * this page.
 *
 * @param string $str Candidate username
 * @return bool true when acceptable; false after registering a message on
 *              $this->form_validation
 */
function valid_username($str) {
    if (!valid_username($str) || $str != preg_replace('/\\s+/', ' ', $str)) {
        $this->form_validation->set_message('valid_username', "Username contains invalid characters");
        return false;
    }
    if (!$this->user_dal->is_username_available($str)) {
        $this->form_validation->set_message('valid_username', "That username is already in use");
        return false;
    }
    return true;
}
/**
 * Populate $this->user with the guest identity or, when the login cookies
 * validate and match a yakbb_users row, with that row. Also sets the "guest"
 * and "admin_access" Smarty variables (the latter is never set to true here).
 *
 * NOTE(review): the "password" cookie is compared directly to the stored
 * password column, so whoever holds that cookie is logged in without ever
 * presenting the password — the cookie is a reusable credential.
 *
 * @return void
 */
private function loadUser() {
    // Start from the guest identity; it is only replaced on a successful match.
    $this->user = array(
        "id" => 0,
        "username" => "Guest",
        "group" => -1,
        "template" => $this->config["default_template"],
        "language" => $this->config["default_language"],
    );
    $this->smarty->assign("guest", true);
    $this->smarty->assign("admin_access", false);

    // No cookies, no login attempt.
    if (getYakCookie("username") == "" || getYakCookie("password") == "") {
        return;
    }

    // Check login
    $cookieUser = secure(getYakCookie("username"));
    $cookieHash = getYakCookie("password");
    loadLibrary("validation.lib");
    if (valid_username($cookieUser) !== true || valid_password($cookieHash) !== true) {
        return;
    }

    // NOTE(review): the username condition reads '******' here, which looks
    // like a redaction in this listing; confirm the real query text.
    $this->db->query("\r\n\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t*\r\n\t\t\t\t\tFROM\r\n\t\t\t\t\t\tyakbb_users\r\n\t\t\t\t\tWHERE\r\n\t\t\t\t\t\tusername = '******'\r\n\t\t\t\t\tLIMIT\r\n\t\t\t\t\t\t1\r\n\t\t\t\t");
    if ($this->db->numRows() != 1) {
        return;
    }

    $row = $this->db->fetch();
    if ($row["password"] === $cookieHash) {
        $this->user = $row;
        $this->smarty->assign("guest", false);
    }
}
// Portal contact-details form: read the submitted fields through cleanvar()
// and record validation failures in the session. $oldusername, $username and
// $surname are populated before this fragment; $CONFIG and the $str* message
// variables belong to the surrounding script.
$department = cleanvar($_REQUEST['department']);
$address1 = cleanvar($_REQUEST['address1']);
$address2 = cleanvar($_REQUEST['address2']);
$county = cleanvar($_REQUEST['county']);
$country = cleanvar($_REQUEST['country']);
$postcode = cleanvar($_REQUEST['postcode']);
$phone = cleanvar($_REQUEST['phone']);
$mobile = cleanvar($_REQUEST['mobile']);
$fax = cleanvar($_REQUEST['fax']);
$email = cleanvar($_REQUEST['email']);
$newpass = cleanvar($_REQUEST['newpassword']);
$newpass2 = cleanvar($_REQUEST['newpassword2']);

$errors = 0;

// VALIDATION CHECKS
// A changed username is only validated when the portal permits renames.
// (`and` binds looser than `&&`; harmless here because nothing is assigned.)
if ($CONFIG['portal_usernames_can_be_changed'] and $oldusername != $username) {
    if (!valid_username($username)) {
        ++$errors;
        $_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>" . $strInvalidUsername . "</p>\n";
    }
}

// A new password has to be typed twice and both copies must agree.
if (!empty($newpass) and empty($newpass2)) {
    ++$errors;
    $_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>" . $strYouMustEnterYourNewPasswordTwice . "</p>\n";
} elseif ($newpass != $newpass2) {
    ++$errors;
    $_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>" . $strPasswordsDoNotMatch . "</p>";
}

// Surname is mandatory.
if ('' == $surname) {
    ++$errors;
    $_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>" . sprintf($strYouMustEnter, $strSurname) . "</p>\n";
}
} // NOTE(review): closes a block that begins before this fragment.

// Build the view model from the POST body; a MAC in the query string selects
// edit mode and decides which field gets focus.
$model = $_POST;
// NOTE(review): $_GET["mac"] is read without isset(), which raises a notice on
// a plain GET without that parameter.
if ($_GET["mac"] != "") {
    $model["mac"] = $_GET["mac"];
    $model["mode"] = "edit";
    $model["focus"] = "password";
} else {
    $model["mode"] = "add";
    $model["focus"] = "mac";
}

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    /* validate all the entries */
    // Each valid_*() helper returns false for a bad value and invalid_entry()
    // records the failing field name; both are defined outside this fragment,
    // so whether $model is updated by reference is not visible here.
    if (valid_mac($model["mac"]) === false) {
        invalid_entry($model, "mac");
    }
    if (valid_username($model["username"]) === false) {
        invalid_entry($model, "username");
    }
    if (valid_password($model["password"]) === false) {
        invalid_entry($model, "password");
    }
    $model["mac"] = strtoupper($model["mac"]);
    // NOTE(review): $model["switch"] and $model["gateway"] come straight from
    // the request; a missing or non-array value makes foreach warn — confirm
    // the form always posts them as arrays.
    foreach ($model["switch"] as $i => $switch) {
        if (valid_ip($switch["host"]) === false) {
            invalid_entry($model, "switch[{$i}][host]");
        }
        if (valid_call_limit($switch["call-limit"]) === false) {
            invalid_entry($model, "switch[{$i}][call-limit]");
        }
    }
    foreach ($model["gateway"] as $i => $gateway) { // NOTE(review): the loop body continues past the end of this fragment.
If the above link does not work, copy and paste the following URL into your address bar: http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'] . '?action=CONFIRM&username='******'username']) . '&activationkey=' . urlencode($values['activationkey']) . ' Thank you for registering.';
// NOTE(review): the string above begins before this fragment. The confirmation
// link is built from $_SERVER['SERVER_NAME'] and PHP_SELF; depending on server
// configuration SERVER_NAME can echo the request's Host header, so the link
// host should come from configuration once the mail is really sent.
// NOTE(review): "******" reads as a redaction of urlencode($values['username'])
// in this listing; confirm against the real source.
// TODO: Actually send the email. For now, we just echo it out.
echo $email;
} else {
    die("ERROR: There was a problem during registration. Please contact an administrator.\n");
}
}
} else {
if ($input['action'] == 'CONFIRM') {
    // Verify that we have received a valid username
    if (!isset($input['username']) || !valid_username($input['username'])) {
        die("ERROR: A valid username was not specified. Usernames must use only " . "alphanumeric characters, hyphens, underscores, or periods. Must be " . "2 to 25 characters long.\n");
    }
    // Verify we have an activation key
    // Only the length is checked here; matching the key against the stored one
    // happens elsewhere (not visible in this fragment).
    if (!isset($input['activationkey']) || strlen($input['activationkey']) != $config['activation']['keyLength']) {
        die("ERROR: Invalid activation key specified.\n");
    }
    // Load the DataLayer
    // `@` hides include failures; the class_exists() check below is what
    // actually reports them.
    @(include_once 'includes/datalayer.class.php');
    // Make sure the DataLayer class loaded sucessfully
    if (!class_exists('DataLayer')) {
        die("ERROR: Unable to load DataLayer class.\n");
    }
    $dl = new DataLayer($config['datalayer']);
    // NOTE(review): `new` never yields false, so a failed connection must be
    // signalled some other way (an exception or a flag) — confirm in DataLayer.
    if ($dl === false) {
        die("ERROR: Unable to connect to database.\n"); // NOTE(review): the surrounding blocks continue past the end of this fragment.
/**
 * Validate the login form in $_POST against yakbb_users. On success the
 * username and the password hash are stored in cookies for 180 days and the
 * request is redirected; otherwise message keys are appended to
 * $this->errors ("user_doesnt_exist", "password_incorrect", or whatever the
 * valid_* helpers return).
 *
 * NOTE(review): sha256() is the page's own helper and is used as an unsalted
 * hash compared with !== rather than hash_equals(); the same hash is then
 * placed in a cookie, which makes that cookie a long-lived credential.
 *
 * @global object $yakbb Application object providing ->db
 * @return void
 */
private function validate() {
    loadLibrary("validation.lib");
    $user = secure($_POST["username"]);
    $pass = $_POST["password"];

    $check = valid_username($user);
    if ($check !== true) {
        $this->errors[] = $check;
    }
    $check = valid_password($pass);
    if ($check !== true) {
        $this->errors[] = $check;
    }
    if (count($this->errors) != 0) {
        return;
    }

    // Check actual login data now
    global $yakbb;
    // NOTE(review): the username condition reads '******' here, which looks
    // like a redaction in this listing; confirm the real query text.
    $yakbb->db->query("\r\n\t\t\t\tSELECT\r\n\t\t\t\t\tpassword\r\n\t\t\t\tFROM\r\n\t\t\t\t\tyakbb_users\r\n\t\t\t\tWHERE\r\n\t\t\t\t\tusername = '******'\r\n\t\t\t\tLIMIT\r\n\t\t\t\t\t1\r\n\t\t\t");
    $row = $yakbb->db->fetch();
    if ($yakbb->db->numRows() == 0) {
        $this->errors[] = "user_doesnt_exist";
        return;
    }
    if (sha256($pass) !== $row["password"]) {
        $this->errors[] = "password_incorrect";
        return;
    }

    // Login
    $lifetime = 60 * 60 * 24 * 180;
    setYakCookie("username", $user, time() + $lifetime);
    setYakCookie("password", sha256($pass), time() + $lifetime);
    redirect("?");
}