コード例 #1
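/**
 * Verify a username/password pair against the salt and hash stored in the `user` table.
 *
 * The lookup uses a prepared statement, so $username is bound and never spliced into the SQL text.
 *
 * NOTE(review): generateHash() is not shown here. If it is a fast, unkeyed digest,
 * migrating to password_hash()/password_verify() would be the stronger design.
 *
 * @param string $username Login name to look up.
 * @param string $password Plain-text password supplied by the caller.
 * @return bool True only when a row was fetched and the recomputed hash equals the stored one.
 */
function checkCredentials($username, $password)
{
    $link = retrieve_mysqli();
    $queryString = 'SELECT salt, hashed_password FROM user WHERE username = ?';
    $stmt = mysqli_prepare($link, $queryString);
    if (!$stmt) {
        // Release the connection on the failure path too; the success path closes it below.
        mysqli_close($link);
        return false;
    }
    $dbSalt = null;
    $dbHash = null;
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $dbSalt, $dbHash);
    // fetch returns true only when a row was actually read (null = no row, false = error).
    $rowFound = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);
    mysqli_close($link);
    // Hash even when no row was found, so known and unknown usernames do comparable work.
    $localhash = generateHash($dbSalt . $password);
    if (!$rowFound || !is_string($dbHash) || !is_string($localhash)) {
        return false;
    }
    // hash_equals() is constant-time and never applies the numeric-string juggling that `==` does.
    return hash_equals($dbHash, $localhash);
}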
コード例 #2
ファイル: user.php プロジェクト: iweave/unmark
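 /**
  * Change the current user's password after re-checking the existing one, then render the
  * outcome as JSON. Results are reported through $this->data ('message' or 'success').
  */
 public function updatePassword()
 {
     if (!isset($this->clean->password) || !isValid($this->clean->password, 'password')) {
         // reset() takes its argument by reference, so it needs a real variable.
         $errors = array_values(formatErrors(602));
         $this->data['message'] = reset($errors);
     } else {
         // Re-authenticate with the current password before allowing the change.
         $current_password = isset($this->clean->current_password) ? $this->clean->current_password : null;
         $res = $this->user->read($this->user_id, 1, 1, 'email,password');
         if (!isset($res->password)) {
             $this->data['message'] = 'We could not verify your current password.';
         } else {
             $check = verifyHash($current_password, $res->password);
             // Constant-time, type-strict comparison; a non-string result counts as a mismatch.
             if (!is_string($check) || !hash_equals((string) $res->password, $check)) {
                 $this->data['message'] = 'Your current password does not match what we have on record.';
             } else {
                 $password = generateHash($this->clean->password);
                 // Never write a failed (non-string) hash into the password column.
                 $user = is_string($password) ? $this->user->update($this->user_id, array('password' => $password)) : null;
                 if (isset($user->password) && $user->password === $password) {
                     $this->data['success'] = true;
                     // Notify the account owner that the password changed.
                     $this->load->library('email');
                     $this->email->initialize();
                     $this->email->updatePassword($user->email);
                 } else {
                     $this->data['message'] = 'Your password could not be updated at this time. Please try again.';
                 }
             }
         }
     }
     $this->renderJSON();
 }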
コード例 #3
ファイル: ldap_main.php プロジェクト: hyrmedia/modules
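 /**
  * Authenticate against LDAP and, when $LDAPSynchUser is enabled, mirror the account
  * (email and password hash) into the Pligg users table.
  *
  * NOTE(review): the '******' literals in two statements look like redaction applied to this
  * listing; as shown, the lookup and the password update do not use the real values.
  * NOTE(review): mysql_query() belongs to the ext/mysql API removed in PHP 7.0; routing these
  * statements through $db (ideally parameterized) would be the durable fix.
  * NOTE(review): the session is marked authenticated without a visible session-id change.
  *
  * @param array $input Expects "username" and "password" keys.
  */
 function LdapAuthenticationPlugin($input)
 {
     include_once "ldap_settings.php";
     global $LDAPSynchUser;
     // Authenticate the user.
     $authenticated = $this->authenticate($input["username"], $input["password"]);
     if ($authenticated) {
         $_SESSION["Authenticated"] = true;
         if (isset($LDAPSynchUser) && $LDAPSynchUser) {
             global $db;
             // Check to see if the user exists in the Pligg DB
             $user = $db->get_row("SELECT user_id FROM " . table_users . " WHERE user_login = '******'");
             $saltedpass = generateHash($input["password"]);
             // Escape the directory-supplied email once and reuse it in both branches; the
             // UPDATE previously interpolated $this->email unescaped.
             $email = $db->escape(trim($this->email));
             if (isset($user->user_id) && $user->user_id > 0) {
                 // Cast the id so only an integer can reach the WHERE clause.
                 $userId = (int) $user->user_id;
                 // User exists in system so update the Pligg DB with the latest email & password
                 mysql_query("UPDATE " . table_users . " SET user_email = '" . $email . "' WHERE user_id = {$userId} LIMIT 1");
                 mysql_query("UPDATE " . table_users . " SET user_pass = '******' WHERE user_id = {$userId} LIMIT 1");
             } else {
                 // User doesn't exist so insert it into the Pligg DB
                 $username = $db->escape(trim($input["username"]));
                 $userip = $_SERVER['REMOTE_ADDR'];
                 $strsql = "INSERT INTO " . table_users . " (user_login, user_email, user_pass, user_date, user_ip) VALUES ('{$username}', '{$email}', '{$saltedpass}', now(), '{$userip}')";
                 $db->query($strsql);
             }
         }
     }
 }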
コード例 #4
 /**
  * Register the pending user: hash the password, issue an activation token, optionally send
  * the activation mail, then insert the row into the Users table.
  *
  * NOTE(review): mail_failure is recorded but not consulted before the INSERT in this variant.
  * NOTE(review): the hash and the activation token are concatenated into the SQL without
  * sql_escape(); that is safe only if both helpers emit SQL-inert characters.
  *
  * @return mixed Whatever $db->sql_query() returns for the INSERT.
  */
 public function userCakeAddUser()
 {
     global $db, $emailActivation, $websiteUrl, $db_table_prefix;
     // Only the derived hash is written to the database.
     $passwordHash = generateHash($this->clean_password);
     $this->activation_token = generateActivationToken();
     if (!$emailActivation) {
         // No activation step configured: the account is active immediately.
         $this->user_active = 1;
     } else {
         // The account stays inactive until the emailed token is used.
         $this->user_active = 0;
         $mailer = new userCakeMail();
         $activationText = lang("ACTIVATION_MESSAGE", array($websiteUrl, $this->activation_token));
         // Placeholder => replacement pairs for the registration template.
         $templateHooks = array("searchStrs" => array("#ACTIVATION-MESSAGE", "#ACTIVATION-KEY", "#USERNAME#"), "subjectStrs" => array($activationText, $this->activation_token, $this->unclean_username));
         // Short-circuit: sendMail() runs only when the template was built successfully.
         if (!$mailer->newTemplateMsg("new-registration.txt", $templateHooks) || !$mailer->sendMail($this->clean_email, "Επιβεβαιώστε την εγγραφή σας στο Σύλλογο Αποφοίτων")) {
             $this->mail_failure = true;
         }
     }
     $insertSql = "INSERT INTO `" . $db_table_prefix . "Users` (\n\t\t\t\t`Username`,\n\t\t\t\t`Username_Clean`,\n\t\t\t\t`Password`,\n\t\t\t\t`Email`,\n\t\t\t\t`ActivationToken`,\n\t\t\t\t`LastActivationRequest`,\n\t\t\t\t`LostPasswordRequest`, \n\t\t\t\t`Active`,\n\t\t\t\t`Group_ID`,\n\t\t\t\t`SignUpDate`,\n\t\t\t\t`LastSignIn`\n\t\t\t\t)\n\t\t \t\tVALUES (\n\t\t\t\t'" . $db->sql_escape($this->unclean_username) . "',\n\t\t\t\t'" . $db->sql_escape($this->clean_username) . "',\n\t\t\t\t'" . $passwordHash . "',\n\t\t\t\t'" . $db->sql_escape($this->clean_email) . "',\n\t\t\t\t'" . $this->activation_token . "',\n\t\t\t\t'" . time() . "',\n\t\t\t\t'0',\n\t\t\t\t'" . $this->user_active . "',\n\t\t\t\t'1',\n\t\t\t\t'" . time() . "',\n\t\t\t\t'0'\n\t\t\t\t)";
     return $db->sql_query($insertSql);
 }
コード例 #5
ファイル: login.php プロジェクト: bendroid/pligg-cms
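 /**
  * Check a login attempt and, on success, populate this object, set the ID cookie and record
  * the last login IP and time.
  *
  * NOTE(review): the '******' literal in the SELECT looks like redaction applied to this listing.
  * NOTE(review): $already_salted_pass lets a caller present a stored hash instead of a password;
  * any path that feeds it from client-held data makes the hash itself a login credential.
  * NOTE(review): serialize($this) is handed to the 'login_pass_match' hooks and md5() of the
  * stored hash is kept in md5_pass; both expose hash-derived material beyond this function.
  *
  * @param string $username            Login name or email.
  * @param string $pass                Plain-text password.
  * @param bool   $remember            Passed through to SetIDCookie().
  * @param string $already_salted_pass Pre-computed hash; when non-empty it replaces hashing $pass.
  * @return bool True when the user was authenticated.
  */
 function Authenticate($username, $pass, $remember = false, $already_salted_pass = '')
 {
     global $db;
     $dbusername = sanitize($db->escape($username), 4);
     check_actions('login_start', $vars);
     $user = $db->get_row("SELECT * FROM " . table_users . " WHERE user_login = '******' or user_email= '{$dbusername}' ");
     // A missing row falls through with an empty stored hash, so the hash is still computed
     // and unknown accounts take the same path as wrong passwords.
     $storedHash = isset($user->user_pass) ? (string) $user->user_pass : '';
     if ($already_salted_pass == '') {
         $saltedpass = generateHash($pass, substr($storedHash, 0, SALT_LENGTH));
     } else {
         $saltedpass = $already_salted_pass;
     }
     // Constant-time comparison; an empty stored hash can never match.
     $passwordMatches = $storedHash !== '' && is_string($saltedpass) && hash_equals($storedHash, $saltedpass);
     if ($user && $user->user_id > 0 && $passwordMatches && $user->user_lastlogin != "0000-00-00 00:00:00" && $user->user_enabled) {
         $this->user_login = $user->user_login;
         $this->user_id = $user->user_id;
         $vars = array('user' => serialize($this), 'can_login' => true);
         // Hooks may veto the login by clearing 'can_login'.
         check_actions('login_pass_match', $vars);
         if ($vars['can_login'] != true) {
             return false;
         }
         $this->authenticated = TRUE;
         $this->md5_pass = md5($user->user_pass);
         $this->SetIDCookie(1, $remember);
         require_once mnminclude . 'check_behind_proxy.php';
         // Presumably derived from proxy headers, which clients control: escape before use in SQL.
         $lastip = $db->escape(check_ip_behind_proxy());
         $userId = (int) $user->user_id;
         $sql = "UPDATE " . table_users . " SET user_lastip = '{$lastip}', user_lastlogin = now() WHERE user_id = {$userId} LIMIT 1";
         $db->query($sql);
         return true;
     }
     return false;
 }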
コード例 #6
ファイル: class.newuser.php プロジェクト: AdwayLele/CupCake
 /**
  * Create the account described by this object: hash the password, issue an activation token,
  * optionally email it, then persist the user and its default permission through the Uc* models.
  *
  * Does nothing when construction errors were recorded ($this->status is falsy); skips
  * persistence when the activation mail failed.
  */
 public function userCakeAddUser()
 {
     global $mysqli, $emailActivation, $websiteUrl, $db_table_prefix;
     if (!$this->status) {
         return;
     }
     // Only the derived hash is persisted.
     $passwordHash = generateHash($this->clean_password);
     $this->activation_token = generateActivationToken();
     if ($emailActivation == "true") {
         // Account stays inactive until the emailed token is used.
         $this->user_active = 0;
         $mailer = new userCakeMail();
         $activationText = lang("ACCOUNT_ACTIVATION_MESSAGE", array($websiteUrl, $this->activation_token));
         // Placeholder => replacement pairs for the registration template.
         $templateHooks = array("searchStrs" => array("#ACTIVATION-MESSAGE", "#ACTIVATION-KEY", "#USERNAME#"), "subjectStrs" => array($activationText, $this->activation_token, $this->displayname));
         // sendMail() runs only when the template was built successfully.
         if (!$mailer->newTemplateMsg("new-registration.txt", $templateHooks) || !$mailer->sendMail($this->clean_email, "New User")) {
             $this->mail_failure = true;
         }
         $this->success = lang("ACCOUNT_REGISTRATION_COMPLETE_TYPE2");
     } else {
         // Instant activation.
         $this->user_active = 1;
         $this->success = lang("ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
     }
     if ($this->mail_failure) {
         return;
     }
     $account = new UcUsers();
     $account->setUserName($this->username);
     $account->setDisplayName($this->displayname);
     $account->setPassword($passwordHash);
     $account->setEmail($this->clean_email);
     $account->setActivationToken($this->activation_token);
     $account->setLastActivationRequest(time());
     $account->setLostPasswordRequest(0);
     $account->setActive($this->user_active);
     $account->setTitle('New Member');
     $account->setSignUpStamp(time());
     $account->setLastSignInStamp(0);
     $account->save();
     $newUserId = $account->getId();
     // Every new account is attached to permission id 1.
     $grant = new UcUserPermissionMatches();
     $grant->setUserId($newUserId);
     $grant->setPermissionId(1);
     $grant->save();
 }
コード例 #7
ファイル: class.user.php プロジェクト: AdwayLele/CupCake
 /**
  * Replace this user's stored password with the hash of $pass.
  *
  * NOTE(review): no current-password or authorization check happens here; callers must have
  * verified the requester before invoking it.
  *
  * @param string $pass New plain-text password.
  */
 public function updatePassword($pass)
 {
     $hashed = generateHash($pass);
     $matches = UcUsersQuery::create()->findById($this->user_id);
     // The first result is used as-is; an empty result set is not handled here.
     $account = $matches[0];
     $account->setPassword($hashed);
     $account->save();
 }
コード例 #8
ファイル: class.user.php プロジェクト: Jocaldwe/OrderUp
 /**
  * Hash $pass, cache the hash on this object and store it for this user.
  *
  * Both values reach the database as bound parameters of a prepared statement.
  *
  * @param string $pass New plain-text password.
  */
 public function updatePassword($pass)
 {
     global $pdo;
     $hashed = generateHash($pass);
     $this->hash_pw = $hashed;
     $params = array("pass" => $hashed, "id" => $this->user_id);
     $update = $pdo->prepare("UPDATE users\n\t\t\tSET\n\t\t\tpassword = :pass \n\t\t\tWHERE\n\t\t\tid = :id");
     $update->execute($params);
 }
コード例 #9
 /**
  * Hash $pass, cache the hash on this object and issue an UPDATE for this user's row.
  *
  * NOTE(review): the '******' literal looks like redaction applied to this listing; as shown,
  * $secure_pass is not part of the statement. Confirm against the original source.
  *
  * @param string $pass New plain-text password.
  * @return mixed Whatever $db->sql_query() returns.
  */
 public function updatePassword($pass)
 {
     global $db, $db_table_prefix;
     $secure_pass = generateHash($pass);
     $this->hash_pw = $secure_pass;
     // The (int) cast guarantees only an integer reaches the WHERE clause.
     $sql = "UPDATE " . $db_table_prefix . "Users SET Password = '******' WHERE User_ID = '" . (int) $this->user_id . "'";
     return $db->sql_query($sql);
 }
コード例 #10
ファイル: class.user.php プロジェクト: nekushi-cororo/openex
 /**
  * Hash $pass, cache the hash on this object and issue an UPDATE for this user's row.
  *
  * NOTE(review): the '******' literal looks like redaction applied to this listing; as shown,
  * $secure_pass is not part of the statement. Confirm against the original source.
  *
  * @param string $pass New plain-text password.
  * @return mixed Whatever $db->sql_query() returns.
  */
 public function updatePassword($pass)
 {
     global $db, $db_table_prefix;
     $secure_pass = generateHash($pass);
     $this->hash_pw = $secure_pass;
     // The user id goes through sql_escape() and is quoted inside the statement.
     $sql = "UPDATE " . $db_table_prefix . "Users\r\r\n\t\t       SET\r\r\n\t\t\t   Password = '******' \r\r\n\t\t\t   WHERE\r\r\n\t\t\t   User_ID = '" . $db->sql_escape($this->user_id) . "'";
     return $db->sql_query($sql);
 }
コード例 #11
ファイル: class.newuser.php プロジェクト: khalid-ali/DogePos
 /**
  * Create the account described by this object: hash the password and PIN, issue an activation
  * token, send either the activation mail or an admin notification, then insert the user row,
  * a default address and a default permission row.
  *
  * Nothing is written when $this->status is falsy or when sending the activation mail failed.
  */
 public function userCakeAddUser()
 {
     global $mysqli, $emailActivation, $websiteUrl, $db_table_prefix;
     //Prevent this function being called if there were construction errors
     if ($this->status) {
         //Derive hashes for the plain text password and pin; only the hashes are stored
         $secure_pass = generateHash($this->clean_password);
         $secure_pin = generateHash($this->clean_pin);
         //Construct a unique activation token
         $this->activation_token = generateActivationToken();
         //Do we need to send out an activation email?
         if ($emailActivation == "true") {
             //User must activate their account first
             $this->user_active = 0;
             $mail = new userCakeMail();
             //Build the activation message
             $activation_message = lang("ACCOUNT_ACTIVATION_MESSAGE", array($websiteUrl, $this->activation_token));
             //Placeholder => replacement pairs for the registration template
             $hooks = array("searchStrs" => array("#ACTIVATION-MESSAGE", "#ACTIVATION-KEY", "#USERNAME#"), "subjectStrs" => array($activation_message, $this->activation_token, $this->displayname));
             /* Build the template - optional; sendMail() can also be given a message directly. */
             if (!$mail->newTemplateMsg("new-registration.txt", $hooks)) {
                 $this->mail_failure = true;
             } else {
                 //Send the mail to the user's address with the given subject.
                 //sendMail() accepts a third parameter for the message when no template is built.
                 if (!$mail->sendMail($this->clean_email, "New User")) {
                     $this->mail_failure = true;
                 }
             }
             $this->success = lang("ACCOUNT_REGISTRATION_COMPLETE_TYPE2");
         } else {
             //Email the admins:
             //NOTE(review): the body is built from user-supplied fields (email, display name,
             //location, about) with no visible filtering; confirm sendMail() treats it as plain text.
             $themsg = "A new user has signed up, " . $this->clean_email . "\r\nBusiness: " . $this->displayname . "\r\nLocation: " . $this->location . "\r\nAbout: " . $this->about;
             $mail = new userCakeMail();
             //The return value is ignored, so a failed admin notification does not set mail_failure
             $mail->sendMail("*****@*****.**", "New User", $themsg);
             //Instant account activation
             $this->user_active = 1;
             $this->success = lang("ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
         }
         if (!$this->mail_failure) {
             //Insert the user into the database providing no errors have been found.
             //User-controlled values are bound as parameters; only time() and constants are inlined.
             $stmt = $mysqli->prepare("INSERT INTO " . $db_table_prefix . "users (\r\n\t\t\t\t\tuser_name,\r\n\t\t\t\t\tdisplay_name,\r\n\t\t\t\t\tpassword,\r\n\t\t\t\t\tpin_hash,\r\n\t\t\t\t\temail,\r\n\t\t\t\t\tactivation_token,\r\n\t\t\t\t\tlast_activation_request,\r\n\t\t\t\t\tlost_password_request, \r\n\t\t\t\t\tactive,\r\n\t\t\t\t\ttitle,\r\n\t\t\t\t\tsign_up_stamp,\r\n\t\t\t\t\tlast_sign_in_stamp\r\n\t\t\t\t\t)\r\n\t\t\t\t\tVALUES (\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t'" . time() . "',\r\n\t\t\t\t\t'0',\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t'New Member',\r\n\t\t\t\t\t'" . time() . "',\r\n\t\t\t\t\t'0'\r\n\t\t\t\t\t)");
             //Six strings followed by one integer (the active flag)
             $stmt->bind_param("ssssssi", $this->username, $this->displayname, $secure_pass, $secure_pin, $this->clean_email, $this->activation_token, $this->user_active);
             //NOTE(review): the results of prepare() and execute() are not checked here
             $stmt->execute();
             $inserted_id = $mysqli->insert_id;
             $this->userid = $inserted_id;
             $stmt->close();
             add_new_address($inserted_id, 'BOTH');
             //Insert default permission into matches table (permission id '3' is hard-coded)
             $stmt = $mysqli->prepare("INSERT INTO " . $db_table_prefix . "user_permission_matches  (\r\n\t\t\t\t\tuser_id,\r\n\t\t\t\t\tpermission_id\r\n\t\t\t\t\t)\r\n\t\t\t\t\tVALUES (\r\n\t\t\t\t\t?,\r\n\t\t\t\t\t'3'\r\n\t\t\t\t\t)");
             $stmt->bind_param("s", $inserted_id);
             $stmt->execute();
             $stmt->close();
         }
     }
 }
コード例 #12
ファイル: class.user.php プロジェクト: ashwini0529/ACM-Event
 /**
  * Hash $pass, cache the hash on this object and store it for this user.
  *
  * The hash and the user id are bound as statement parameters ("s" and "i"); only the
  * configured table prefix is concatenated into the SQL text.
  *
  * @param string $pass New plain-text password.
  */
 public function updatePassword($pass)
 {
     global $mysqli, $db_table_prefix;
     $hashed = generateHash($pass);
     $this->hash_pw = $hashed;
     $table = $db_table_prefix . "users";
     $update = $mysqli->prepare("UPDATE " . $table . "\n\t\t\tSET\n\t\t\tpassword = ? \n\t\t\tWHERE\n\t\t\tid = ?");
     $update->bind_param("si", $hashed, $this->user_id);
     $update->execute();
     $update->close();
 }
コード例 #13
ファイル: class.user.php プロジェクト: vbraguimcanto/UserPie
 /**
  * Hash $pass, cache the hash on this object, refresh the remembered session when
  * remember_me is set, and issue an UPDATE for this user's row.
  *
  * NOTE(review): the '******' literal looks like redaction applied to this listing; as shown,
  * $secure_pass is not part of the statement. Confirm against the original source.
  *
  * @param string $pass New plain-text password.
  * @return mixed Whatever $db->sql_query() returns.
  */
 public function updatepassword($pass)
 {
     global $db, $db_table_prefix;
     $secure_pass = generateHash($pass);
     $this->hash_pw = $secure_pass;
     // Called after hash_pw changes, before the database row is updated.
     if ($this->remember_me == 1) {
         updateSessionObj();
     }
     // The user id goes through sql_escape() and is quoted inside the statement.
     $sql = "UPDATE " . $db_table_prefix . "users\n\t\t       SET\n\t\t\t   password = '******' \n\t\t\t   WHERE\n\t\t\t   user_id = '" . $db->sql_escape($this->user_id) . "'";
     return $db->sql_query($sql);
 }
コード例 #14
ファイル: class.user.php プロジェクト: davidvdtak/AIRdb
 /**
  * Hash $pass, cache the hash on this object, refresh the remembered session when
  * remember_me is set, and issue an UPDATE for this user's row.
  *
  * NOTE(review): the '******' literal looks like redaction applied to this listing; as shown,
  * $secure_pass is not part of the statement. Confirm against the original source.
  *
  * @param string $pass New plain-text password.
  * @return mixed Whatever $db->sql_query() returns.
  */
 public function updatepassword($pass)
 {
     global $db;
     $secure_pass = generateHash($pass);
     $this->hash_pw = $secure_pass;
     // Called after hash_pw changes, before the database row is updated.
     if ($this->remember_me == 1) {
         updateSessionObj();
     }
     // The table name is read from $db->users; the user id goes through sql_escape().
     $sql = "UPDATE {$db->users} SET password = '******' WHERE user_id = '" . $db->sql_escape($this->user_id) . "'";
     return $db->sql_query($sql);
 }
コード例 #15
ファイル: functions.php プロジェクト: CoinDice/CoinDice
/**
 * Create a player row with a fresh unique hash and an auto-numbered alias, then redirect
 * the browser to the URL carrying that hash and stop the script.
 *
 * NOTE(review): the hash is the player's only identifier and travels in the query string
 * (the fragment text itself warns not to share it), so it will show up in server logs,
 * browser history and Referer headers.
 * NOTE(review): the alias counter is read and then incremented in two separate statements,
 * so concurrent sign-ups can receive the same alias.
 * NOTE(review): mysql_* is the ext/mysql API removed in PHP 7.0. $wallet is not used.
 *
 * @param mixed $wallet Unused in this block.
 */
function newPlayer($wallet)
{
    // Draw hashes until one is not already assigned to a player.
    do {
        $hash = generateHash(32);
        $taken = mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='{$hash}' LIMIT 1")) != 0;
    } while ($taken);
    $prefix = 'Player_';
    $counterRow = mysql_fetch_array(mysql_query("SELECT `autoalias_increment` AS `data` FROM `system` LIMIT 1"));
    $suffix = $counterRow['data'];
    mysql_query("UPDATE `system` SET `autoalias_increment`=`autoalias_increment`+1 LIMIT 1");
    mysql_query("INSERT INTO `players` (`hash`,`alias`,`time_last_active`,`server_seed`) VALUES ('{$hash}','" . $prefix . $suffix . "',NOW(),'" . generateServerSeed() . "')");
    header('Location: ./?unique=' . $hash . '# Do Not Share This URL!');
    exit;
}
コード例 #16
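/**
 * Sign a user in from an XML request body (emailAddress, password) plus an appId request
 * parameter, and answer with an XML document carrying a new auth token.
 *
 * Every failure path calls returnErrorResponse() and exits, so the caller cannot tell an
 * unknown app id, an unknown user and a wrong password apart from the response body.
 *
 * NOTE(review): an unknown user returns before any hashing happens, so response timing may
 * still distinguish it from a wrong password.
 * NOTE(review): createAuthToken() receives only the email and app id; confirm that it mixes
 * in unpredictable randomness, otherwise tokens would be guessable.
 *
 * @param mysqli $mysqli Open database connection.
 */
function SignInWithCredentials($mysqli)
{
    $requestBody = file_get_contents('php://input');
    // The body is untrusted: LIBXML_NONET stops the parser from fetching network resources,
    // and a body that does not parse is rejected instead of being dereferenced.
    $xml = $requestBody === false ? false : simplexml_load_string($requestBody, 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false || !isset($_REQUEST["appId"])) {
        returnErrorResponse();
        exit;
    }
    $emailAddress = escapeURLData($xml->emailAddress);
    $password = escapeURLData($xml->password);
    $appId = escapeURLData($_REQUEST["appId"]);
    // Check for a matching guid before proceeding.
    $guid = null;
    $stmt = $mysqli->prepare("SELECT guid FROM app_ids WHERE app_id = ?");
    $stmt->bind_param("s", $appId);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($guid);
    $stmt->fetch();
    $stmt->close();
    if (!$guid) {
        returnErrorResponse();
        exit;
    }
    // Get the salt and stored hash for this guid and name.
    $salt = null;
    $hashedPassword = null;
    $stmt = $mysqli->prepare("SELECT salt, password FROM users WHERE guid = ? AND name = ?");
    $stmt->bind_param("ss", $guid, $emailAddress);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($salt, $hashedPassword);
    $stmt->fetch();
    $userFound = $stmt->num_rows != 0;
    $stmt->close();
    if (!$userFound) {
        // Invalid name so no salt.
        returnErrorResponse();
        exit;
    }
    $computed = generateHash($password, $salt);
    // Constant-time, type-strict comparison; non-string values never match.
    if (!is_string($computed) || !is_string($hashedPassword) || !hash_equals($hashedPassword, $computed)) {
        returnErrorResponse();
        exit;
    }
    // Create and store a new authToken.
    $authToken = createAuthToken($emailAddress . $appId);
    $stmt = $mysqli->prepare("UPDATE users SET auth_token = ? WHERE guid = ? AND name = ? ");
    $stmt->bind_param("sss", $authToken, $guid, $emailAddress);
    $stmt->execute();
    $stmt->close();
    // Output the success xml.
    header("Content-Type: application/xml");
    $xml = simplexml_load_string("<result/>");
    $xml->addAttribute("httpResponseCode", '200');
    $xml->addChild("authToken", $authToken);
    echo $xml->asXML();
}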
コード例 #17
 /**
  * Insert the pending user into the users table as an active account.
  *
  * Does nothing when construction errors were recorded ($this->status is falsy). The hash
  * and the activation token are generated even when mail_failure later suppresses the INSERT.
  *
  * NOTE(review): the hash and the activation token are concatenated into the SQL without
  * sql_escape(); that is safe only if both helpers emit SQL-inert characters.
  *
  * @return mixed Result of $db->sql_query() when the INSERT ran, otherwise null.
  */
 public function userPieAddUser()
 {
     global $db, $emailActivation, $websiteUrl, $db_table_prefix;
     if (!$this->status) {
         return;
     }
     // Only the derived hash is written to the database.
     $passwordHash = generateHash($this->clean_password);
     $this->activation_token = generateactivationtoken();
     if ($this->mail_failure) {
         return;
     }
     $insertSql = "INSERT INTO `" . $db_table_prefix . "users` (\n\t\t\t\t\t\t\t`username`,\n\t\t\t\t\t\t\t`username_clean`,\n\t\t\t\t\t\t\t`password`,\n\t\t\t\t\t\t\t`email`,\n\t\t\t\t\t\t\t`activationtoken`,\n\t\t\t\t\t\t\t`last_activation_request`,\n\t\t\t\t\t\t\t`LostpasswordRequest`, \n\t\t\t\t\t\t\t`active`,\n\t\t\t\t\t\t\t`group_id`,\n\t\t\t\t\t\t\t`sign_up_date`,\n\t\t\t\t\t\t\t`last_sign_in`\n\t\t\t\t\t\t\t)\n\t\t\t\t\t \t\tVALUES (\n\t\t\t\t\t\t\t'" . $db->sql_escape($this->unclean_username) . "',\n\t\t\t\t\t\t\t'" . $db->sql_escape($this->clean_username) . "',\n\t\t\t\t\t\t\t'" . $passwordHash . "',\n\t\t\t\t\t\t\t'" . $db->sql_escape($this->clean_email) . "',\n\t\t\t\t\t\t\t'" . $this->activation_token . "',\n\t\t\t\t\t\t\t'" . time() . "',\n\t\t\t\t\t\t\t'0',\n\t\t\t\t\t\t\t'1',\n\t\t\t\t\t\t\t'1',\n\t\t\t\t\t\t\t'" . time() . "',\n\t\t\t\t\t\t\t'0'\n\t\t\t\t\t\t\t)";
     return $db->sql_query($insertSql);
 }
コード例 #18
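/**
 * Compare the submitted email and password with the user table and, on a match, mark the
 * session as logged in ($_SESSION['loggedIn'] = TRUE). On any failure the login markers are
 * removed from the session.
 *
 * NOTE(review): the salt is derived from the email address by generateSalt(), so it is
 * predictable per account; a random per-user salt stored with the hash (or password_hash())
 * would be stronger.
 * NOTE(review): the password hash is kept in $_SESSION['password'] because other code may
 * read it; it is credential material and ideally should not live in session storage.
 *
 * @return boolean
 */
function userIsLoggedIn()
{
    // Missing or non-string fields (e.g. email[]=x) are treated as a failed login.
    $email = isset($_POST['email']) && is_string($_POST['email']) ? $_POST['email'] : null;
    $submitted = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : null;
    if ($email !== null && $submitted !== null) {
        $salt = generateSalt($email);
        $password = generateHash($salt, $submitted);
        if (databaseContainsUser($email, $password)) {
            // Issue a fresh session id at the privilege change to defeat session fixation.
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            $_SESSION['loggedIn'] = TRUE;
            $_SESSION['email'] = $email;
            $_SESSION['password'] = $password;
            return TRUE;
        }
    }
    unset($_SESSION['loggedIn']);
    unset($_SESSION['email']);
    unset($_SESSION['password']);
    return FALSE;
}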
コード例 #19
 /**
  * Create the account described by this object: hash the password, optionally email an
  * activation link, then insert the row and record in sql_failure whether the INSERT
  * affected any rows.
  *
  * Does nothing when construction errors were recorded ($this->status is falsy); skips the
  * INSERT when the activation mail failed.
  *
  * NOTE(review): activation_token is only generated when $emailActivation is truthy, yet the
  * INSERT always reads it. The token is also placed in an HTML link without encoding; that is
  * safe only if generateActivationToken() emits URL- and HTML-inert characters.
  */
 public function userCakeAddUser()
 {
     global $db, $emailActivation, $websiteUrl, $db_table_prefix;
     if (!$this->status) {
         return;
     }
     // Only the derived hash is written to the database.
     $passwordHash = generateHash($this->clean_password);
     if (!$emailActivation) {
         // Instant activation.
         $this->user_active = 1;
     } else {
         $this->activation_token = generateActivationToken();
         // Account stays inactive until the emailed link is followed.
         $this->user_active = 0;
         $mailer = new userCakeMail();
         $activationHtml = "<p>You will need first activate your account before you can login, follow the below link to activate your account.</p>";
         $activationHtml .= "<p><a href='" . $websiteUrl . "activate-account.php?token=" . $this->activation_token . "'>Activate my account!</a></p>";
         // Placeholder => replacement pairs for the registration template.
         $templateHooks = array("searchStrs" => array("#ACTIVATION-MESSAGE", "#ACTIVATION-KEY", "#USERNAME#"), "subjectStrs" => array($activationHtml, $this->activation_token, $this->unclean_username));
         // sendMail() runs only when the template was built successfully.
         if (!$mailer->newTemplateMsg("new-registration.txt", $templateHooks) || !$mailer->sendMail($this->clean_email, "New User")) {
             $this->mail_failure = true;
         }
     }
     if ($this->mail_failure) {
         return;
     }
     $insertSql = "INSERT INTO `" . $db_table_prefix . "Users` (`Username`, `Username_Clean`, `Password`, `Email`, `ActivationToken`, `LastActivationRequest`, `LostPasswordRequest`,  `Active`, `Group_ID`, `SignUpDate`, `LastSignIn`)\r\n\t\t\t\t\t VALUES ('" . $db->sql_escape($this->unclean_username) . "', '" . $db->sql_escape($this->clean_username) . "', '" . $passwordHash . "', '" . $db->sql_escape($this->clean_email) . "','" . $this->activation_token . "','" . time() . "', 0, '" . $this->user_active . "', '1', '" . time() . "', '0')";
     $db->sql_query($insertSql);
     // No affected rows means the INSERT did not take effect.
     $this->sql_failure = $db->sql_affectedrows() <= 0;
 }
コード例 #20
ファイル: user.php プロジェクト: holsinger/openfloor
 /**
  * Persist this user's profile fields with a single UPDATE statement.
  *
  * When $this->id is exactly 0 the method only copies $db->insert_id into $this->id; no
  * INSERT is issued in this block.
  *
  * NOTE(review): the '******' literals in the final statement look like redaction applied to
  * this listing; as shown, $user_login and $saltedpass are not part of the query.
  */
 function store()
 {
     global $db, $current_user;
     if (!$this->date) {
         $this->date = time();
     }
     // String fields are escaped with $db->escape() here. level, karma, date and lang are
     // copied without escaping or casting and are interpolated into the UPDATE below;
     // NOTE(review): cast them to int unless every writer of these properties is trusted.
     $user_login = $db->escape($this->username);
     $user_level = $this->level;
     $user_karma = $this->karma;
     $user_date = $this->date;
     $user_pass = $db->escape($this->pass);
     $user_lang = $this->lang;
     $user_email = $db->escape($this->email);
     $user_names = $db->escape($this->names);
     $user_url = $db->escape(htmlentities($this->url));
     $user_public_email = $db->escape($this->public_email);
     $user_location = $db->escape($this->location);
     $user_occupation = $db->escape($this->occupation);
     $user_aim = $db->escape($this->aim);
     $user_msn = $db->escape($this->msn);
     $user_yahoo = $db->escape($this->yahoo);
     $user_gtalk = $db->escape($this->gtalk);
     $user_skype = $db->escape($this->skype);
     $user_irc = $db->escape(htmlentities($this->irc));
     $user_avatar_source = $db->escape($this->avatar_source);
     // Values shorter than 49 characters are hashed; longer ones are stored unchanged
     // (presumably treated as already hashed - TODO confirm).
     // NOTE(review): the length test and the hash both use the SQL-escaped password, so a
     // password containing escapable characters is hashed in its escaped form.
     if (strlen($user_pass) < 49) {
         $saltedpass = generateHash($user_pass);
     } else {
         $saltedpass = $user_pass;
     }
     if ($this->id === 0) {
         $this->id = $db->insert_id;
     } else {
         // Username is never updated
         $sql = "UPDATE " . table_users . " set user_avatar_source='{$user_avatar_source}' ";
         $extra_vars = $this->extra;
         if (is_array($extra_vars)) {
             // NOTE(review): both the column name and the value from $this->extra are
             // concatenated into the statement unescaped; if any caller fills $this->extra
             // from request data this is an SQL injection sink. Allow-list the column names
             // and escape the values.
             foreach ($extra_vars as $varname => $varvalue) {
                 $sql .= ", " . $varname . " = '" . $varvalue . "' ";
             }
         }
         // $this->id is interpolated into the WHERE clause without a cast.
         $sql .= " , user_login='******', user_occupation='{$user_occupation}', user_location='{$user_location}', public_email='{$user_public_email}', user_level='{$user_level}', user_karma={$user_karma}, user_date=FROM_UNIXTIME({$user_date}), user_pass='******', user_lang={$user_lang}, user_email='{$user_email}', user_names='{$user_names}', user_url='{$user_url}', user_aim='{$user_aim}', user_msn='{$user_msn}', user_yahoo='{$user_yahoo}', user_gtalk='{$user_gtalk}', user_skype='{$user_skype}', user_irc='{$user_irc}' WHERE user_id={$this->id}";
         //die($sql);
         $db->query($sql);
     }
 }
コード例 #21
ファイル: adminscontroller.php プロジェクト: h4xr/Sevasetu
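 /**
  * Login processor for the admin panel: looks the admin up by username, recomputes the
  * salted hash and, on a match, stores a marker in the session.
  *
  * NOTE(review): the password passes through sqlSafe() before hashing; if that helper
  * rewrites characters, the hash is computed over the rewritten value, not the typed one.
  * NOTE(review): the session marker is md5() of the stored salt, so anyone able to read the
  * salt can compute it; a random per-login value would be safer. No session-id change is
  * visible at login either.
  */
 function login()
 {
     $this->set("title", "Sevasetu | Login Processor");
     initiateSession();
     $username = sqlSafe($_POST['username']);
     $password = sqlSafe($_POST['password']);
     $adminData = $this->Admin->getAdminByUsername($username);
     if ($adminData == false) {
         $this->set("message", "Database error");
         return;
     }
     $expected = generateHash($password . $adminData['admins_salt']);
     $stored = $adminData['admins_password'];
     // Constant-time, type-strict comparison; `==` would treat numeric-looking strings as numbers.
     if (is_string($expected) && is_string($stored) && hash_equals($stored, $expected)) {
         setSessionData("admin_hash", md5($adminData['admins_salt']));
         $this->set("message", "Login Successful. You will be redirected in a moment... If not then click here");
     } else {
         $this->set("message", "Username/Password Incorrect");
     }
 }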
コード例 #22
ファイル: login.php プロジェクト: iweave/unmark
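 /**
  * Handle a login request: find the user by email, verify the password (upgrading legacy
  * 32-character MD5 records to the current hash on success), refresh the session and render
  * a JSON result.
  *
  * NOTE(review): the lookup concatenates $this->db_clean->email into the condition; this is
  * safe only if db_clean holds database-escaped values - confirm where it is populated.
  * NOTE(review): the "was not found" message tells a caller whether an email is registered.
  * NOTE(review): the redirect target comes from the session value 'add_redirect'; confirm it
  * is restricted to local paths where it is written.
  */
 public function index()
 {
     $this->redirectIfInvalidCSRF();
     $this->data['success'] = false;
     // Find user
     $this->load->model('users_model', 'user');
     $user = $this->user->read("email = '" . $this->db_clean->email . "'", 1, 1);
     if (!isset($user->user_id)) {
         $this->data['message'] = sprintf(_('The email address `%s` was not found.'), $this->clean->email);
     } elseif (!isset($user->active) || empty($user->active)) {
         $this->data['message'] = _('Your account is no longer active. Please contact support.');
     } else {
         $stored = (string) $user->password;
         if (strlen($stored) == 32) {
             // Legacy MD5 record. hash_equals() compares the hex digests byte for byte; the
             // previous `==` let PHP compare numeric-looking digests as numbers.
             $match = hash_equals($stored, md5($this->clean->password));
             // Upgrade to the current hashing routine, but only after a verified match and
             // only when a usable hash was produced.
             $hash = generateHash($this->clean->password);
             if ($hash !== false && $match === true) {
                 $this->user->update("user_id = '" . $user->user_id . "'", array('password' => $hash));
             }
         } else {
             $check = verifyHash($this->clean->password, $user->password);
             // A non-string result from verifyHash() counts as a mismatch.
             $match = is_string($check) && hash_equals($stored, $check);
         }
         // Check if passwords match
         if ($match === false) {
             $this->data['message'] = _('Your password is incorrect. Please try again.');
         } else {
             // Authenticated: pick the redirect target, regenerate the session and attach the user.
             $add_redirect = $this->session->userdata('add_redirect');
             $redirect = empty($add_redirect) ? '/marks' : $add_redirect;
             $this->session->unset_userdata('add_redirect');
             $user->email = $this->clean->email;
             $this->session->sess_update(true);
             $this->sessionAddUser($user);
             $this->data['success'] = true;
             $this->data['redirect_url'] = $redirect;
         }
     }
     $this->renderJSON();
 }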
コード例 #23
ファイル: common.php プロジェクト: muroko/orca-wallet
/**
 * Report whether the current PHP session holds a complete, self-consistent login record.
 *
 * The record is read from $_SESSION[SESSION_KEY]. It must carry a non-empty `iLogin`
 * flag and a non-empty `strKey`, and `strKey` must be identical to
 * generateHash(username . loginDate) recomputed from the same record.
 *
 * NOTE(review): generateHash() is defined outside this listing. Recomputing `strKey`
 * from two fields stored next to it only adds an integrity guarantee if that function
 * mixes in a server-side secret - confirm before treating `strKey` as a tamper check.
 *
 * @return bool True only when every check passes.
 */
function isLoggedIn()
{
    // No session data, or no login record under our key: not logged in.
    if (empty($_SESSION) || empty($_SESSION[SESSION_KEY])) {
        return false;
    }
    $login = $_SESSION[SESSION_KEY];
    // Both the login flag and the stored key must be present and non-empty.
    if (empty($login['iLogin']) || empty($login['strKey'])) {
        return false;
    }
    // Strict comparison: the stored key has to be exactly the recomputed value.
    return $login['strKey'] === generateHash($login['username'] . $login['loginDate']);
}
コード例 #24
ファイル: HsbcPci.php プロジェクト: saiber/www
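 /**
  * Convert the gateway's result callback into a transaction object.
  *
  * The callback is declined unless it carries a result code equal to 0 and an
  * OrderHash that matches the hash computed locally over the POSTed fields
  * (OrderHash excluded) with the configured key.
  *
  * @param array $requestArray Fields of the gateway callback.
  * @return TransactionResult|TransactionError Result on success, error when declined.
  */
 public function notify($requestArray)
 {
     // $this->debug('notify()', $requestArray);
     // NOTE(review): `!= 0` is a loose comparison; on PHP < 8 a non-numeric result code
     // compares equal to 0 and passes this line, so the hash check below is what
     // actually authenticates the callback.
     if (array_key_exists('CpiResultsCode', $requestArray) == false || $requestArray['CpiResultsCode'] != 0 || array_key_exists('OrderHash', $requestArray) == false) {
         return new TransactionError('Transaction declined', $requestArray);
     }
     // NOTE(review): the hash is computed over $_POST while the values used below come
     // from $requestArray - confirm callers always pass the same data, otherwise the
     // fields that end up in the result are not the ones that were verified.
     $data = $_POST;
     unset($data['OrderHash']);
     $expectedHash = generateHash(array_values($data), $this->getConfigValue('key'));
     $suppliedHash = $requestArray['OrderHash'];
     // The supplied hash is attacker-controlled. A loose `!=` lets numeric-looking
     // strings (e.g. "0e..." forms) compare equal and would accept an empty hash if
     // hashing failed; require two non-empty strings and compare in constant time.
     if (!is_string($expectedHash) || $expectedHash === '' || !is_string($suppliedHash) || !hash_equals($expectedHash, $suppliedHash)) {
         return new TransactionError('Transaction declined', $requestArray);
     }
     $result = new TransactionResult();
     $result->gatewayTransactionID->set($requestArray['OrderId']);
     // The amount is divided by 100 before being stored on the result.
     $result->amount->set($requestArray['PurchaseAmount'] / 100);
     $result->currency->set(self::currencyFromNumeric3($requestArray['PurchaseCurrency']));
     $result->rawResponse->set($requestArray);
     $result->setTransactionType(TransactionResult::TYPE_SALE);
     return $result;
 }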
コード例 #25
ファイル: login.php プロジェクト: holsinger/openfloor
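 /**
  * Verify a login name and password against the users table and, on success,
  * mark this object as authenticated and issue the identity cookie.
  *
  * @param string $username Login name as supplied by the client.
  * @param string $pass     Candidate plaintext password.
  * @param bool   $remember Passed through to SetIDCookie().
  * @return bool True when the credentials match, false otherwise.
  */
 function Authenticate($username, $pass, $remember = false)
 {
     global $db;
     // The listing prints this lookup with a masked literal ('******') and never uses
     // the escaped name; the escaped value is what belongs in the WHERE clause.
     $dbusername = $db->escape($username);
     $user = $db->get_row("SELECT user_id, user_pass, user_login FROM " . table_users . " WHERE user_login = '{$dbusername}'");
     // An unknown login yields no row; read the stored hash without dereferencing null.
     $storedHash = is_object($user) && isset($user->user_pass) ? (string) $user->user_pass : '';
     // Hash the candidate even when no row was found, so a missing account does not
     // skip the hashing work that an existing account incurs.
     $saltedpass = generateHash($pass, substr($storedHash, 0, SALT_LENGTH));
     if ($storedHash === '' || !isset($user->user_id)) {
         return false;
     }
     if ($user->user_id > 0 && $storedHash === $saltedpass) {
         $this->user_login = $user->user_login;
         $this->user_id = $user->user_id;
         $this->authenticated = TRUE;
         // NOTE(review): an unsalted MD5 of the stored password hash is kept on the
         // object; presumably SetIDCookie() uses it - confirm it is not exposed as a
         // long-lived login token.
         $this->md5_pass = md5($user->user_pass);
         $this->SetIDCookie(1, $remember);
         // Escape the address and cast the id so neither is interpolated raw into SQL.
         $lastip = isset($_SERVER['REMOTE_ADDR']) ? $db->escape($_SERVER['REMOTE_ADDR']) : '';
         $userId = (int) $user->user_id;
         // NOTE(review): mysql_query() belongs to the mysql extension removed in PHP 7;
         // these two updates should move to the same $db wrapper used for the lookup.
         mysql_query("UPDATE " . table_users . " SET user_lastip = '{$lastip}' WHERE user_id = {$userId} LIMIT 1");
         mysql_query("UPDATE " . table_users . " SET user_lastlogin = now() WHERE user_id = {$userId} LIMIT 1");
         return true;
     }
     return false;
 }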
コード例 #26
ファイル: userFunc.php プロジェクト: joaoDavidGB/LTWprojeto
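/**
 * Create a user row with a hashed password, unless the username is already taken.
 *
 * The three outcomes use different types, and -1 is truthy: callers must compare the
 * result with `=== true` rather than testing it in a boolean context.
 *
 * @param string $username Requested username.
 * @param string $password Plaintext password; only its hash is stored.
 * @return bool|int true when the row was inserted, false when the username already
 *                  exists, -1 when hashing or the INSERT failed.
 */
function createUser($username, $password)
{
    global $db;
    $stmt = $db->prepare('SELECT username FROM User WHERE username = :username');
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    if (count($stmt->fetchAll()) > 0) {
        return false;
    }
    // generateHash() is defined elsewhere in the project; never store its result
    // unless it really produced a non-empty string.
    $hash = generateHash($password);
    if (!is_string($hash) || $hash === '') {
        return -1;
    }
    $stmt = $db->prepare('INSERT INTO User(username,password) VALUES(:username, :password)');
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->bindParam(':password', $hash, PDO::PARAM_STR);
    try {
        // With PDO in silent or warning error mode a failed INSERT returns false instead
        // of throwing; report that as a failure too rather than as success.
        // NOTE(review): two concurrent requests can both pass the lookup above; only a
        // UNIQUE constraint on User.username (not visible here) makes the second fail.
        return $stmt->execute() ? true : -1;
    } catch (PDOException $e) {
        return -1;
    }
}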
コード例 #27
 /**
  * Persist the registration held on this object as a new row in the profiles table,
  * sending the activation email first when email activation is enabled.
  *
  * @return mixed Result of $db->sql_query() for the INSERT, or null when nothing was
  *               inserted (construction errors, or the activation mail failed).
  */
 public function userPieAddUser()
 {
     global $db, $emailActivation, $websiteUrl, $db_table_prefix;
     // A falsy status means construction reported errors: write nothing.
     if (!$this->status) {
         return;
     }
     // Only the hash of the plaintext password goes into the INSERT below.
     $secure_pass = generateHash($this->clean_password);
     // Token the new user presents to activate the account.
     $this->activation_token = generateactivationtoken();
     if ($emailActivation) {
         // The account stays inactive until the emailed token is used.
         $this->user_active = 0;
         $mailer = new userPieMail();
         $activationText = lang("ACTIVATION_MESSAGE", array($websiteUrl, $this->activation_token));
         // Search strings and their replacements for the mail template.
         $templateHooks = array("searchStrs" => array("#ACTIVATION-MESSAGE", "#ACTIVATION-KEY", "#USERNAME#"), "subjectStrs" => array($activationText, $this->activation_token, $this->unclean_username));
         // Build the template first; sendMail() runs only when that succeeded.
         if (!$mailer->newTemplateMsg("new-registration.txt", $templateHooks) || !$mailer->sendMail($this->clean_email, "New User")) {
             $this->mail_failure = true;
         }
     } else {
         // No activation step configured: the account is active immediately.
         $this->user_active = 1;
     }
     // A failed activation mail aborts the registration without inserting.
     if ($this->mail_failure) {
         return;
     }
     // The statement is assembled by concatenation: name, both usernames and email go
     // through $db->sql_escape(); the hash, token and active flag are inserted as-is.
     // NOTE(review): the hash and token are produced by helpers outside this listing -
     // confirm they cannot contain quote characters, or escape them as well.
     // NOTE(review): `id` is filled from time(); if that column is a unique key, two
     // registrations within the same second would collide - confirm against the schema.
     $sql = "INSERT INTO " . $db_table_prefix . "profiles (\n\t\t\t\t\t\t\tid,\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tbirthday,\n\t\t\t\t\t\t\tgender,\n\t\t\t\t\t\t\tpermission_id,\n\n\t\t\t\t\t\t\tusername,\n\t\t\t\t\t\t\tusername_clean,\n\t\t\t\t\t\t\tpassword,\n\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\tactivationtoken,\n\t\t\t\t\t\t\tlast_activation_request,\n\t\t\t\t\t\t\tLostpasswordRequest,\n\t\t\t\t\t\t\tactive,\n\t\t\t\t\t\t\tgroup_id,\n\t\t\t\t\t\t\tsign_up_date,\n\t\t\t\t\t\t\tlast_sign_in\n\t\t\t\t\t\t\t)\n\t\t\t\t\t \t\tVALUES (\n\t\t\t\t\t \t\t'" . time() . "',\n\t\t\t\t\t \t\t'" . $db->sql_escape($this->clean_name) . "',\n\t\t\t\t\t \t\t'2011-01-01',\n\t\t\t\t\t \t\t'm',\n\t\t\t\t\t \t\t'1',\n\n\t\t\t\t\t\t\t'" . $db->sql_escape($this->unclean_username) . "',\n\t\t\t\t\t\t\t'" . $db->sql_escape($this->clean_username) . "',\n\t\t\t\t\t\t\t'" . $secure_pass . "',\n\t\t\t\t\t\t\t'" . $db->sql_escape($this->clean_email) . "',\n\t\t\t\t\t\t\t'" . $this->activation_token . "',\n\t\t\t\t\t\t\t'" . time() . "',\n\t\t\t\t\t\t\t'0',\n\t\t\t\t\t\t\t'" . $this->user_active . "',\n\t\t\t\t\t\t\t'1',\n\t\t\t\t\t\t\t'" . time() . "',\n\t\t\t\t\t\t\t'0'\n\t\t\t\t\t\t\t)";
     return $db->sql_query($sql);
 }
コード例 #28
ファイル: users_model.php プロジェクト: iweave/unmark
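 /**
  * Create a user record after validating the email and password.
  *
  * @param array $options Column => value pairs for the new row; must contain `email`
  *                       and `password` (plaintext, replaced by its hash before insert).
  * @return mixed The result of read() for the new user on success, otherwise the
  *               formatErrors() value for code 604 (bad email), 602 (bad password),
  *               603 (email already registered) or 500 (insert failed).
  */
 public function create($options = array())
 {
     // Read both fields defensively so a missing key fails validation instead of
     // raising an undefined-index notice.
     $email = isset($options['email']) ? $options['email'] : null;
     $password = isset($options['password']) ? $options['password'] : null;
     if (!isValid($email, 'email')) {
         return formatErrors(604);
     }
     if (!isValid($password, 'password')) {
         return formatErrors(602);
     }
     // Make sure the email does not exist already. A syntactically valid address can
     // still contain a single quote, so escape it before it goes into the WHERE string.
     $total = $this->count("email = '" . $this->db->escape_str($email) . "'");
     if ($total > 0) {
         return formatErrors(603);
     }
     // From here on the record will be written: store the hash, never the plaintext.
     $options['password'] = generateHash($password);
     $options['created_on'] = date("Y-m-d H:i:s");
     // Create a user token that is not already in use.
     // NOTE(review): md5(time()) is guessable, so the token's unpredictability rests
     // entirely on generateToken(30), which is defined outside this listing.
     do {
         $options['user_token'] = generateToken(30) . md5(time());
         $total = $this->count("user_token = '" . $this->db->escape_str($options['user_token']) . "'");
         // Report the (unlikely) collision and try again.
         if ($total > 0) {
             log_message('debug', 'User token collision detected on key of `' . $options['user_token'] . '`');
         }
     } while ($total > 0);
     // NOTE(review): every key in $options becomes a column in the INSERT; confirm
     // callers pass only fields a registering user is allowed to set.
     $q = $this->db->insert_string('users', $options);
     $res = $this->db->query($q);
     // Check for errors
     $this->sendException();
     if ($res === true) {
         $user_id = $this->db->insert_id();
         return $this->read($user_id);
     }
     return formatErrors(500);
 }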
コード例 #29
ファイル: class.newuser.php プロジェクト: davidvdtak/AIRdb
 /**
  * Persist the registration held on this object as a new row in the users table,
  * sending an activation email first when activation is enabled and at least one
  * user already exists.
  *
  * @return mixed Result of $db->sql_query() for the INSERT, or null when nothing was
  *               inserted (construction errors, or the activation mail failed).
  */
 public function UserAdminAddUser()
 {
     global $db, $emailActivation, $websiteUrl, $websiteName, $db_prefix;
     // A falsy status means construction reported errors: write nothing.
     if (!$this->status) {
         return;
     }
     // Only the hash of the plaintext password goes into the INSERT below.
     $secure_pass = generateHash($this->clean_password);
     // Token the new user presents to activate the account.
     $this->activation_token = generateactivationtoken();
     // The whole users table is selected just to learn whether any row exists.
     $user_count = $db->sql_query("SELECT * FROM {$db->users}");
     $hasExistingUsers = isset($user_count->num_rows) && $user_count->num_rows > 0;
     // NOTE(review): when the table is empty, or the query result has no num_rows,
     // the activation step is skipped and user_active keeps whatever value it already
     // had - confirm that the first account bypassing email activation is intended.
     if ($emailActivation && $hasExistingUsers) {
         // The account stays inactive until the emailed link is used.
         $this->user_active = 0;
         $mailer = new UserAdminMail();
         $activation_url = $websiteUrl . "lobby/activate-account.php?token=" . $this->activation_token;
         // Search strings and their replacements for the mail template.
         $templateHooks = array("searchStrs" => array("#ACTIVATION-URL#", "#USERNAME#", "#WEBSITENAME#", "#WEBSITEURL#"), "subjectStrs" => array($activation_url, $this->unclean_username, $websiteName, $websiteUrl));
         // Build the template first; sendMail() runs only when that succeeded.
         if (!$mailer->newTemplateMsg("new-registration.html", $templateHooks) || !$mailer->sendMail($this->clean_email, "New User")) {
             $this->mail_failure = true;
         }
     }
     // A failed activation mail aborts the registration without inserting.
     if ($this->mail_failure) {
         return;
     }
     // The statement is assembled by concatenation: both usernames and the email go
     // through $db->sql_escape(); hash, token, active flag and group_id are inserted as-is.
     // NOTE(review): group_id is not escaped and its origin is outside this listing -
     // confirm it can never carry request data, or escape/cast it.
     $sql = "INSERT INTO {$db->users} (\r\n                                `username`,\r\n                                `username_clean`,\r\n                                `password`,\r\n                                `email`,\r\n                                `activationtoken`,\r\n                                `last_activation_request`,\r\n                                `LostpasswordRequest`, \r\n                                `active`,\r\n                                `group_id`,\r\n                                `sign_up_date`,\r\n                                `last_sign_in`\r\n                                )\r\n                                VALUES (\r\n                                '" . $db->sql_escape($this->unclean_username) . "',\r\n                                '" . $db->sql_escape($this->clean_username) . "',\r\n                                '" . $secure_pass . "',\r\n                                '" . $db->sql_escape($this->clean_email) . "',\r\n                                '" . $this->activation_token . "',\r\n                                '" . time() . "',\r\n                                '0',\r\n                                '" . $this->user_active . "',\r\n                                '" . $this->group_id . "',\r\n                                '" . time() . "',\r\n                                '0'\r\n                                )";
     return $db->sql_query($sql);
 }
コード例 #30
ファイル: register.php プロジェクト: shaochiwang/read
// Opening the registration page always discards any existing login from the session.
unset($_SESSION['user_id']);
// Cancel button pressed: go back to index.php and stop, so the form below is
// neither processed nor rendered.
if (isset($_POST['cancel'])) {
    header('Location: index.php');
    exit();
}
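/**
 * Hash a password for storage with bcrypt at cost 11.
 *
 * password_hash() draws the salt from the system CSPRNG. A hand-built salt such as
 * md5(uniqid(rand(), true)) is derived from the clock and a non-cryptographic
 * generator and only ever contains hex characters. The output keeps the "$2y$11$"
 * format, so hashes remain verifiable with password_verify() or crypt().
 *
 * bcrypt uses at most the first 72 bytes of $password.
 *
 * @param string $password Plaintext password.
 * @return string 60-character bcrypt hash.
 * @throws RuntimeException When no hash could be produced, so that callers never
 *                          store an empty or null password.
 */
function generateHash($password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 11));
    // Older PHP versions report failure with false/null instead of throwing.
    if (!is_string($hash) || strlen($hash) < 60) {
        throw new RuntimeException('Password hashing failed');
    }
    return $hash;
}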
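// Process a submitted registration form. Each field must be a plain string (a client
// can submit `pass[]=...` to turn it into an array) and the password must not be
// empty; anything else falls through to the form below, like a missing field does.
// NOTE(review): no duplicate-account, email-format or CSRF check is visible in this
// listing - confirm they exist elsewhere or add them.
if (isset($_POST['uname'], $_POST['email'], $_POST['pass'])
    && is_string($_POST['uname'])
    && is_string($_POST['email'])
    && is_string($_POST['pass'])
    && $_POST['pass'] !== ''
) {
    $password = generateHash($_POST['pass']);
    // generateHash() can come back without a hash (it returns nothing when bcrypt is
    // unavailable); never insert an account whose password column would be empty.
    if (is_string($password) && $password !== '') {
        $sql = "INSERT INTO users (name, email, password) VALUES (:name, :email, :password)";
        $stmt = $pdo->prepare($sql);
        $stmt->execute(array(":name" => $_POST['uname'], ":email" => $_POST['email'], ":password" => $password));
        header("Location: index.php");
        exit;
    }
}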
?>

<!DOCTYPE html>
<html>
<head>
  <title>Register Page</title>
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css">
</head>