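/**
 * Authenticate the user named in $_POST['username'] with $_POST['password'].
 *
 * On success the display name, e-mail and clearance are stored in
 * $_SESSION['user'], a 30-day "username" cookie is set and TRUE is returned.
 * Every failure path returns FALSE.
 *
 * Changes from the previous revision:
 *  - missing/non-string POST fields are rejected instead of raising notices;
 *  - the user record must contain ALL fields that are read below (the old
 *    check OR-ed the key tests, so a partial record reached the hash step);
 *  - the hash comparison uses hash_equals() instead of ===;
 *  - the password hash, the match result, the raw user record and the
 *    session contents are no longer written to the debug log;
 *  - the session ID is rotated after a successful login;
 *  - the cookie is HttpOnly (and Secure when the request came over HTTPS).
 *
 * @return bool
 */
public function login() {
    // Both credentials must be present and be plain strings before the
    // username is validated; anything else is an immediate failure.
    if (!isset($_POST['username'], $_POST['password'])
        || !is_string($_POST['username']) || !is_string($_POST['password'])
        || SIV::validate($_POST['username'], SIV::USERNAME) !== TRUE) {
        return FALSE;
    }
    $username = $_POST['username'];
    $password = $_POST['password'];
    FB::log($username, "Username");

    // Load user data that matches the supplied username
    $userdata = $this->get_user_data($username);

    // Every field used below has to exist. array_key_exists() on a non-array
    // is a TypeError in PHP 8, so guard the shape first.
    if (!is_array($userdata)) {
        return FALSE;
    }
    foreach (array('email', 'password', 'username', 'display', 'clearance') as $field) {
        if (!array_key_exists($field, $userdata)) {
            return FALSE;
        }
    }

    // Extract the stored hash and derive the candidate hash with the same
    // salt. Neither value is logged: the debug channel is not a safe place
    // for password material.
    $db_pass   = (string) $userdata['password'];
    $candidate = (string) $this->createSaltedHash($password, $db_pass);

    // Constant-time comparison; check_session() is consulted only after the
    // hash matches, as before.
    if (!hash_equals($db_pass, $candidate) || !AdminUtilities::check_session()) {
        return FALSE;
    }

    // Rotate the session ID so an ID handed out before login cannot be
    // fixated by an attacker. Only possible when a session is active.
    if (function_exists('session_status') && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(TRUE);
    }

    // Save the user data in a session variable
    $_SESSION['user'] = array(
        'name'      => $userdata['display'],
        'email'     => $userdata['email'],
        'clearance' => $userdata['clearance'],
    );

    // Set a cookie to store the username that expires in 30 days.
    // HttpOnly keeps it away from scripts; Secure is set when this request
    // itself arrived over TLS so HTTP-only deployments keep working.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie('username', $username, time() + 2592000, '/', '', $secure, TRUE);

    return TRUE;
}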
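/**
 * Instantiate the handler class for the page named in $_REQUEST['page'].
 *
 * "admin", "menu" and "comments" map to fixed classes (the first and last
 * are loaded from CMS_PATH explicitly); any other slug is looked up with
 * DB_Actions::get_page_data_by_slug() and its `type` column names the class.
 *
 * Every error path goes through ECMS_Error::log_exception(), which the
 * surrounding code treats as terminating the request. Because the class
 * name can come from the database, it is additionally restricted to a
 * plain PHP identifier that resolves to a known class before `new` is used.
 *
 * @return object a new instance of the resolved class, built with array($page)
 */
private static function _create_class() {
    $page      = '';
    $page_data = NULL;

    // Make sure the page conforms to the slug format. A missing or
    // non-string parameter is treated like an invalid slug.
    if (isset($_REQUEST['page']) && is_string($_REQUEST['page'])
        && SIV::validate($_REQUEST['page'], SIV::SLUG)) {
        $page      = strtolower($_REQUEST['page']);
        $page_data = DB_Actions::get_page_data_by_slug($page);
    } else {
        // Throw an exception and die ($page is deliberately left empty so the
        // unvalidated input is not echoed in the message)
        ECMS_Error::log_exception(new Exception("Page \"{$page}\" isn't valid."));
    }

    $class = '';
    if ($page === 'admin') {
        // The Admin class is a special case, and needs to be loaded manually
        require_once CMS_PATH . 'core/helper/class.admin.inc.php';
        $class = 'Admin';
    } elseif ($page === 'menu') {
        $class = 'Menu';
    } elseif ($page === 'comments') {
        require_once CMS_PATH . 'core/helper/class.comments.inc.php';
        $class = 'Comments';
    } elseif (is_object($page_data)) {
        $class = isset($page_data->type) ? $page_data->type : '';
        if (empty($class)) {
            // Throw an exception and die
            ECMS_Error::log_exception(new Exception("Page \"{$page}\" doesn't actually exist."));
        }
    } else {
        // Throw an exception and die
        ECMS_Error::log_exception(new Exception("Unsupported page type \"{$page}\" supplied."));
    }

    // The name may originate in the database: accept only an identifier
    // (namespace separators allowed) that actually resolves to a class, so a
    // tampered `type` value can never reach `new` with arbitrary text.
    if (!is_string($class)
        || !preg_match('/^[A-Za-z_\\\\][A-Za-z0-9_\\\\]*$/', $class)
        || !class_exists($class)) {
        ECMS_Error::log_exception(new Exception("Unsupported page type \"{$page}\" supplied."));
    }

    // Create a new instance of the appropriate class
    return new $class(array($page));
}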
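/**
 * List the entries whose comment thread $email is subscribed to.
 *
 * Joins the comments table to the entries table and returns one object per
 * matching row with `entry_id` and `title`, ordered by title. The e-mail is
 * validated with SIV before any query runs and is bound as a parameter.
 *
 * Failures (invalid address, PDO errors) are handed to
 * ECMS_Error::log_exception(); should that return, an empty array is given
 * back so callers always receive an array.
 *
 * @param string $email the subscriber's e-mail address
 * @return array list of stdClass objects with `entry_id` and `title`
 */
protected function get_comment_subscriptions_by_email($email) {
    // Validate the email before touching the database
    if (!SIV::validate($email, SIV::EMAIL)) {
        ECMS_Error::log_exception(new Exception('Invalid email!'));
        return array();
    }

    $sql = "SELECT\n `" . DB_PREFIX . "comments`.`entry_id`,\n `" . DB_PREFIX . "entries`.`title`\n FROM `" . DB_NAME . "`.`" . DB_PREFIX . "comments`\n LEFT JOIN `" . DB_NAME . "`.`" . DB_PREFIX . "entries`\n USING( `entry_id` )\n WHERE `" . DB_PREFIX . "comments`.`email`=:email\n AND `subscribed`=1\n ORDER BY `title`";

    try {
        $stmt = $this->db->prepare($sql);
        // prepare() returns FALSE (instead of throwing) unless the connection
        // uses PDO::ERRMODE_EXCEPTION; surface that as an exception too.
        if ($stmt === FALSE) {
            throw new Exception('Unable to prepare the subscription query.');
        }
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        $entries = $stmt->fetchAll(PDO::FETCH_OBJ);
        $stmt->closeCursor();
        // Older PDO builds return FALSE from fetchAll() on failure.
        return $entries === FALSE ? array() : $entries;
    } catch (Exception $e) {
        ECMS_Error::log_exception($e);
    }

    return array();
}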
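/**
 * Apply the comment-notification form: keep the subscriptions listed in
 * $_POST['entries'] and clear `subscribed` for every other comment row that
 * belongs to the (hex-encoded) address in $_POST['email'].
 *
 * If the form was not submitted via the update button the browser is sent
 * back to SITE_URL. Returns TRUE when the UPDATE ran, FALSE otherwise.
 *
 * Bug fixed here: the old WHERE clause OR-ed `entry_id<>a OR entry_id<>b`,
 * which is true for every row as soon as two or more entries were kept, so
 * the user lost all subscriptions. The condition is now `entry_id NOT IN
 * (...)` over int-cast IDs (still injection-safe). An empty `entries` list
 * used to produce an empty parenthesis and a SQL syntax error; it now
 * unsubscribes everything, like a missing list.
 *
 * NOTE(review): the address arrives in the form itself, so anyone able to
 * POST can unsubscribe an arbitrary address — confirm a per-user token or
 * login is enforced before this method is reached.
 *
 * @return bool
 */
public function update_notification_settings() {
    // Make sure the user clicked the update button, not the cancel button
    if (!array_key_exists('comment-notification-submit', $_POST)) {
        header('Location: ' . SITE_URL);
        exit;
    }

    // Extract the email and validate it (a missing field is simply invalid)
    $raw_email     = isset($_POST['email']) && is_string($_POST['email']) ? $_POST['email'] : '';
    $decoded_email = Utilities::hextostr($raw_email);
    if (!SIV::validate($decoded_email, SIV::EMAIL)) {
        ECMS_Error::log_exception(new Exception("Invalid email!"));
        return FALSE;
    }
    $email = $decoded_email;

    // Grab the entries for which the user still wants notifications.
    // Only scalars are accepted and every ID is cast to int.
    $keep = array();
    if (array_key_exists('entries', $_POST) && is_array($_POST['entries'])) {
        foreach ($_POST['entries'] as $entry_id) {
            if (is_scalar($entry_id)) {
                $keep[] = (int) $entry_id;
            }
        }
        $keep = array_values(array_unique($keep));
    }

    // Rows outside the keep list are unsubscribed; no list means all rows.
    $where_clause = '1';
    if (count($keep) > 0) {
        $where_clause = '`entry_id` NOT IN (' . implode(',', $keep) . ')';
    }

    // Build the SQL query
    $sql = "UPDATE `" . DB_NAME . "`.`" . DB_PREFIX . "comments`\n SET `subscribed`=0\n WHERE email = :email\n AND ( {$where_clause} )";

    try {
        $stmt = $this->db->prepare($sql);
        if ($stmt === FALSE) {
            throw new Exception('Unable to prepare the notification update.');
        }
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        $stmt->closeCursor();
        return TRUE;
    } catch (Exception $e) {
        ECMS_Error::log_exception($e);
    }

    return FALSE;
}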