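function process_login_form() {
    // Handles a POST of the login form.
    //
    // Steps: (1) enforce the failed-attempt lockout, (2) check the super-admin
    // credentials configured in CONFIG, (3) validate the email/passhash pair
    // against the users table and log the user in.
    //
    // Reads $_POST['email'], $_POST['pass'] and $_SERVER['REMOTE_ADDR'];
    // writes through log_attempt()/set_login_data() and redirects via header().
    // Returns nothing; on the super-admin path it terminates with die.
    $email = strtolower($_POST['email'] ?? '');
    $passhash = hash_pass($email, $_POST['pass'] ?? '');

    // Lockout check.
    // An IP/email is temporarily banned once 10 unsuccessful attempts have been
    // made against it within the last 10 minutes, regardless of whether any
    // successful attempts were made in between. The ban triggers when EITHER
    // the IP or the email has hit the limit, so a remote party can lock a known
    // email out by hammering it — an accepted trade-off against online guessing.
    // NOTE(review): REMOTE_ADDR is the direct peer address; behind a reverse
    // proxy every user would share one address and one counter — confirm deployment.
    $attempts = DBExt::queryCount('login_attempts', array(
        'successful=0',
        '(remote_ip=%s OR email=%s)',
        DBExt::timeInInterval('request_time', '-10m', ''),
    ), $_SERVER['REMOTE_ADDR'], $email);
    // >= rather than >: with "> 10" the 11th guess was still evaluated, which
    // contradicts the documented limit of 10 attempts.
    if ($attempts >= 10) {
        // Recording the refused attempt as a failure keeps the 10-minute window
        // sliding, so continued hammering during the ban extends it.
        log_attempt($email, false);
        alert('You have been temporarily locked out. Please wait 10 minutes before attempting to sign in again.', -1);
        show_login_form('');
        return;
    }

    // Super-user login: the account LHSMATH with the password set in CONFIG.
    if ($email === 'lhsmath') {
        global $LHSMATH_PASSWORD; // pre-hashed with hash_pass(), never the plaintext
        // hash_equals() is constant-time and strict. The previous "==" was both
        // timing-observable and subject to PHP's numeric-string coercion (two
        // hashes of the form "0e..." compare equal under ==). A missing or empty
        // configured value must never grant super-admin, hence the explicit guard.
        if (is_string($LHSMATH_PASSWORD) && $LHSMATH_PASSWORD !== ''
                && hash_equals($LHSMATH_PASSWORD, (string) $passhash)) {
            log_attempt('LHSMATH', true);
            // Start from a fresh session so no pre-login session id survives
            // into the privileged session (fixation defence).
            session_destroy();
            session_name('Session');
            session_start();
            session_regenerate_id(true);
            $_SESSION['user_name'] = 'LHSMATH Super-Admin';
            $_SESSION['permissions'] = '+';
            $_SESSION['login_time'] = time();
            $_SESSION['user_id'] = '-999';
            header('Location: ' . URL::root() . '/Admin/Super_Admin');
            die;
        }
    }

    // Validate credentials. Both values are bound through MeekroDB (%s), so the
    // lowercased email and the hash never reach the SQL string unescaped.
    $id = DB::queryFirstField('SELECT id FROM users WHERE LOWER(email)=%s AND passhash=%s LIMIT 1', $email, $passhash);
    if (is_null($id)) {
        log_attempt($email, false);
        show_login_form($email);
        // Deliberately the same message for "unknown email" and "wrong password"
        // so the login form does not reveal which accounts exist.
        alert('Incorrect email address or password', -1);
        return;
    }

    // ** CREDENTIALS ARE VALIDATED AT THIS POINT ** //
    log_attempt($email, true);
    // NOTE(review): set_login_data() is assumed to establish the session for
    // $id; confirm it regenerates the session id like the super-admin path does.
    set_login_data($id);
    alert('Logged in!', 1);

    // If this page was being included, redirect back to the including page;
    // otherwise go to Home.
    global $being_included;
    if ($being_included) {
        header('Location: ' . $_SERVER['REQUEST_URI']);
    } else {
        header('Location: ../Home');
    }
}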
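function process_form() {
    // Handles a POST of the registration form.
    //
    // Normalises the submitted name/email/cell/YOG/password, validates each
    // field (re-showing the form with an alert on the first failure), rejects
    // duplicates, inserts the users row, logs the new user in and redirects to
    // the next step (Home for pre-approved addresses, Verify_Email otherwise).
    //
    // INITIAL DATA FETCHING
    // These are globals so that show_form() can re-populate the form from them.
    global $name, $email, $cell, $yog, $mailings;

    // Name: lowercase, strip stray separators from the ends, then capitalise
    // the first letter of every space-, hyphen- and apostrophe-delimited part.
    // Every $_POST read uses "?? ''" so a missing field is treated as empty
    // instead of raising an undefined-index notice.
    $name = htmlentities(ucwords(trim(strtolower($_POST['name'] ?? ''), ' \\-\'')));
    foreach (array('-', '\'') as $delimiter) {
        if (strpos($name, $delimiter) !== false) {
            $name = implode($delimiter, array_map('ucfirst', explode($delimiter, $name)));
        }
    }
    $name = preg_replace('/[\\s\']*\\-+[\\s\']*/', '-', $name);   // removes hyphens not between two characters
    $name = preg_replace('/[\\s\\-]*\'+[\\s\\-]*/', '\'', $name); // removes apostrophes not between two characters
    $name = preg_replace('/\\s+/', ' ', $name);                   // collapses consecutive spaces
    $name = preg_replace('/\\-+/', '-', $name);                   // collapses consecutive hyphens
    $name = preg_replace('/\'+/', '\'', $name);                   // collapses consecutive apostrophes

    // NOTE(review): the email is HTML-encoded here before it is validated, used
    // as the hash_pass() salt and stored, whereas process_login_form() hashes
    // the raw lowercased input. Any address containing a character that
    // htmlentities() rewrites (e.g. ' or &) would register but never be able to
    // log in. Confirm val('e') rejects such addresses, or store the raw address
    // and escape on output instead.
    $email = htmlentities(strtolower($_POST['email'] ?? ''));
    $cell = htmlentities($_POST['cell'] ?? '');
    $yog = $_POST['yog'] ?? '';
    $pass = $_POST['pass1'] ?? '';
    // An unchecked checkbox is simply absent from $_POST.
    $mailings = (($_POST['mailings'] ?? '') === 'Yes') ? '1' : '0';

    // CHECK THAT THE NAME IS VALID
    if (($name = sanitize_username($name)) === false) {
        alert('Your name must have only letters, hyphens, apostrophes, and spaces, and be between 3 and 30 characters long', -1);
        show_form();
        return;
    }
    // "=== false" — the original "== false" also matched a space at offset 0.
    if (strpos($name, ' ') === false) {
        alert('Please enter both your first <span class="i">and</span> last name', -1);
        show_form();
        return;
    }

    // CHECK THAT THE EMAIL ADDRESS IS VALID
    if (!val('e', $email)) {
        alert('That\'s not a valid email address', -1);
        show_form();
        return;
    }

    // CHECK AND FORMAT CELL PHONE NUMBER (only validated if it was not left blank)
    if ($cell != '' && ($cell = format_phone_number($cell)) === false) {
        alert('That\'s not a valid cell phone number', -1);
        show_form();
        return;
    }

    // CHECK THAT THE YOG IS VALID (it must map to a high-school grade)
    $grade = intval(getGradeFromYOG($yog));
    if ($grade < 9 || $grade > 12) {
        // Separator added: the message previously rendered as e.g. "(13you have to ...".
        alert('That is not a valid YOG (' . $grade . ' - you have to be in high school)', -1);
        show_form();
        return;
    }

    // CHECK THAT THE PASSWORDS MATCH, MEET MINIMUM LENGTH
    // Strict comparison: under "!=" PHP compares numeric-looking strings as
    // numbers, so "1e3" and "1000" would have counted as matching passwords.
    if ($pass !== ($_POST['pass2'] ?? '')) {
        alert('The passwords that you entered do not match', -1);
        show_form();
        return;
    }
    // NOTE(review): a 6-character floor is weak by current guidance; raising it
    // is a policy decision, so the limit is kept as-is here.
    if (strlen($pass) < 6) {
        alert('Please choose a password that has at least 6 characters', -1);
        show_form();
        return;
    }

    // CHECK THAT THEY ENTERED THE RECAPTCHA CORRECTLY
    // CURRENTLY BROKEN: NEED TO UPDATE RECAPTCHA
    /*
    $recaptcha_msg = validate_recaptcha();
    if ($recaptcha_msg !== true) {
        alert($recaptcha_msg, -1);
        show_form();
        return;
    }
    */

    // CHECK THAT AN ACCOUNT WITH THAT EMAIL DOES NOT ALREADY EXIST
    // This is meant to run *after* the reCAPTCHA so bots cannot harvest member
    // email addresses by brute force.
    // SECURITY: while the reCAPTCHA above is disabled, the distinct "already
    // exists" message is an unthrottled email-enumeration oracle. Rate-limit
    // this endpoint or use a generic message until the captcha is restored.
    if (DBExt::queryCount('users', 'LOWER(email)=LOWER(%s)', $email) != 0) {
        alert('An account with that email address already exists', -1);
        show_form();
        return;
    }

    // CHECK THAT AN ACCOUNT WITH THE SAME NAME IN THE SAME GRADE DOES NOT EXIST
    // - except when that account has permissions = 'E': they probably mistyped
    //   their email and are registering again.
    // NOTE(review): these existence checks and the insert below are not atomic;
    // under concurrent submissions only a unique index on users.email actually
    // prevents duplicate accounts.
    if (DBExt::queryCount('users', 'LOWER(name)=%s AND yog=%i AND permissions!="E"', strtolower($name), $yog) != 0) {
        alert('An account in your grade with that name already exists', -1);
        show_form();
        return;
    }

    // ** All information has been validated at this point **

    // Code the user must present to prove ownership of the email address.
    // NOTE(review): generate_code(5) — confirm its alphabet gives enough entropy
    // and that the code is rate-limited wherever it is checked.
    $verification_code = generate_code(5);

    // A pre-approved address (placed in the session by a Captain) skips both
    // Captain approval and email verification.
    // NOTE(review): $email is HTML-encoded above, so PREAPPROVED must be stored
    // in the same form for this strict comparison to ever succeed — confirm.
    if (isset($_SESSION['PREAPPROVED']) && $email === $_SESSION['PREAPPROVED']) {
        $approved = '1';          // skip Captain approval
        $verification_code = '1'; // skip email verification (already done)
    } else {
        $approved = '0';
    }

    // Create database entry
    $passhash = hash_pass($email, $pass);
    if ($cell == '') {
        $cell = 'None';
    } else {
        $cell = preg_replace('#[^\\d]#', '', $_POST['cell']); // digits only, taken from the raw input again
    }
    DB::insert('users', array(
        'name' => $name,
        'email' => $email,
        'passhash' => $passhash,
        'cell' => $cell,
        'yog' => $yog,
        'mailings' => $mailings,
        'approved' => $approved,
        'email_verification' => $verification_code,
        'registration_ip' => htmlentities(strtolower($_SERVER['REMOTE_ADDR'])),
    ));
    set_login_data(DB::insertId()); // LOG THEM IN

    // Pre-approved members are finished: welcome them and send them Home.
    if ($approved == '1') {
        global $WEBMASTER_EMAIL;
        $to = array($email => $name);
        $subject = 'Account Created';
        $body = <<<HEREDOC
Welcome to the LHS Math Club website, {$name}!

Your account has been created. If you have any questions about the site, please email the webmaster at {$WEBMASTER_EMAIL}
HEREDOC;
        send_email($to, $subject, $body, $WEBMASTER_EMAIL);
        $_SESSION['HOME_welcome'] = 'Welcome to the LHS Math Club website, ' . $name . '!';
        header('Location: Home');
        // Stop here. Previously execution fell through, so the Verify_Email
        // Location header below replaced this one and the verification-mail
        // flag was set even though verification had just been skipped.
        return;
    }

    // Everyone else must verify their email address before going further.
    $_SESSION['ACCOUNT_do_send_verification_email'] = true;
    header('Location: Verify_Email');
}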
$num_pending_approval = DBExt::queryCount('users', 'approved="0"'); //aka permissions == 'E' or 'P' $num_banned = DBExt::queryCount('users', 'approved="-1"'); //aka permissions == 'B' //Tests $num_tests = DBExt::queryCount('tests', 'archived="0"'); $num_old_tests = DBExt::queryCount('tests', 'archived="1"'); //Calendar //Anything from 3 days ago to 7 days ahead is considered "current". $num_past_events = DBExt::queryCount('events', DBExt::timeInInterval('date', '', '-3d')); $num_future_events = DBExt::queryCount('events', DBExt::timeInInterval('date', '+7d', '')); $num_current_events = DBExt::queryCount('events', DBExt::timeInInterval('date', '-3d', '+7d')); //Files $num_member_files = DBExt::queryCount('files', 'permissions="M"'); $num_public_files = DBExt::queryCount('files', 'permissions="P"'); $num_admin_files = DBExt::queryCount('files', 'permissions="A"'); $errors_file_size = 'File does not exist.'; if (file_exists(PATH::errfile())) { $errors_file_size = filesize(PATH::errfile()); } //Version checking //--MeekroDB $included_files = get_included_files(); foreach ($included_files as $f) { if (strpos($f, 'meekro')) { $meekro_file = $f; break; } } preg_match('@meekrodb\\.([0-9\\.]+)\\.class.php$@i', $meekro_file, $matches); if (!empty($matches)) {