function LT_can_edit_character($character) { global $LT_SQL; if (!isset($_SESSION['user'])) { return FALSE; } // you must be logged in // only owners may edit $user = $LT_SQL->real_escape_string($_SESSION['user']); if (LT_call_silent('read_character_owner', $user, $character)) { return TRUE; } return FALSE; // a FALSE result could also mean an SQL error or bad id }
<?php // User opens Live Tabletop and might already be logged in. include 'db_config.php'; include 'include/query.php'; include 'include/output.php'; session_start(); if (!isset($_SESSION['user'])) { header('HTTP/1.1 401 Unauthorized', true, 401); exit('You are not logged in.'); } if ($rows = LT_call_silent('read_user', $_SESSION['user'])) { LT_output_object($rows[0], array('boolean' => array('subscribed'), 'integer' => array('id'), 'blocked' => array('logged_in'))); } ?>
<?php // User creates a new account for himself include 'db_config.php'; include 'include/query.php'; include 'include/password.php'; include 'include/output.php'; session_start(); // Interpret the Request $email = $LT_SQL->real_escape_string($_REQUEST['email']); $subscribed = intval($_REQUEST['subscribed']); // 0 or 1 // Query the Database if ($rows = LT_call_silent('read_user_login', $email)) { // don't create a new user if one with this email already exists header('HTTP/1.1 401 Unauthorized', true, 401); exit("You may not create an account with this e-mail address."); } else { // create a new user and return the user id $reset_code = LT_random_salt(); $unsubscribe_code = LT_random_salt(); $rows = LT_call('create_user', $email, $reset_code, $subscribed, $unsubscribe_code); LT_output_object($rows[0], array('integer' => array('id'))); // compose and send the confirmation e-mail $subject = "Welcome to Live Tabletop"; $message = wordwrap("Click on this link to activate your Live Tabletop account.", 70) . "\r\nhttp://{$_SERVER['HTTP_HOST']}" . str_replace("/php/User.create.php", "", $_SERVER['REQUEST_URI']) . "?resetCode={$reset_code}&email={$email}"; $headers = 'From: Live Tabletop <*****@*****.**>'; mail($email, $subject, $message, $headers); }
<?php // Admin tries to log in include 'db_config.php'; include 'include/query.php'; include 'include/password.php'; session_start(); // Interpret the Request $login = $LT_SQL->real_escape_string($_REQUEST['login']); $password = $LT_SQL->real_escape_string($_REQUEST['password']); // Query the Database and Generate Output if ($rows = LT_call_silent('read_admin', $login)) { $hash = LT_hash_password($password, $rows[0]['salt']); if (strcmp($hash, $rows[0]['hash']) == 0) { $_SESSION['admin'] = $login; exit; } } // We return same failure result regardless of the reason for failure so that // we don't help password crackers figure out if they got the wrong password // or the wrong username or the wrong argument names. header('HTTP/1.1 401 Unauthorized', true, 401); exit("Invalid username or password."); ?>