예제 #1
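 /**
  * Authenticate the user named in $_POST['username'] with $_POST['password'].
  *
  * On success the display name, e-mail and clearance of the matching record
  * are stored in $_SESSION['user'], a 30-day `username` cookie is set and
  * TRUE is returned. Every failure -- missing or malformed input, unknown
  * user, incomplete record, wrong password, AdminUtilities::check_session()
  * refusing -- returns FALSE without saying which step failed.
  *
  * @return bool
  */
 public function login()
 {
     // Both fields must be present; only the username format is validated,
     // the password is opaque input for the hash function.
     if (!isset($_POST['username'], $_POST['password'])
             || SIV::validate($_POST['username'], SIV::USERNAME) !== TRUE) {
         return FALSE;
     }
     $username = $_POST['username'];
     $password = (string) $_POST['password'];

     // NOTE(review): the original sent the loaded user record (stored hash
     // included), the hash of the submitted password, the comparison result
     // and the whole session to the browser through FB::log() (FirePHP
     // response headers). Nothing on this path is logged client-side now.

     // Load user data that matches the supplied username
     $userdata = $this->get_user_data($username);

     // Every field read below must be present. The original accepted a
     // record that had ANY one of them and then read all five unconditionally.
     if (!is_array($userdata)) {
         return FALSE;
     }
     foreach (array('email', 'password', 'username', 'display', 'clearance') as $field) {
         if (!array_key_exists($field, $userdata)) {
             return FALSE;
         }
     }

     // Compare the stored hash with the salted hash of the submitted password
     // in constant time; `===` short-circuits on the first differing byte.
     $db_pass   = (string) $userdata['password'];
     $candidate = (string) $this->createSaltedHash($password, $db_pass);
     if (!hash_equals($db_pass, $candidate) || !AdminUtilities::check_session()) {
         return FALSE;
     }

     // Discard the pre-authentication session id so an id planted before
     // login (session fixation) cannot be promoted to a logged-in session.
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(true);
     }

     // Save the user data in a session variable
     $_SESSION['user'] = array(
         'name'      => $userdata['display'],
         'email'     => $userdata['email'],
         'clearance' => $userdata['clearance'],
     );

     // Remember the username for 30 days. HttpOnly keeps the cookie away from
     // page scripts; Secure is set whenever this request itself came over TLS.
     $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
     setcookie('username', $username, time() + 2592000, '/', '', $secure, true);
     return TRUE;
 }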
예제 #2
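 /**
  * Resolve the page named in $_REQUEST['page'] to a controller class and
  * return a new instance constructed with array($page).
  *
  * 'admin', 'menu' and 'comments' map to fixed helper classes (the first and
  * last are require_once'd by hand); any other slug is looked up through
  * DB_Actions::get_page_data_by_slug() and its `type` field names the class.
  * Every failure is passed to ECMS_Error::log_exception(), which the
  * surrounding code relies on to terminate the request.
  *
  * @return object  The page controller
  */
 private static function _create_class()
 {
     // The raw request value is used only for the error message; $page is
     // assigned solely from a value that passed the slug check.
     $requested = isset($_REQUEST['page']) ? (string) $_REQUEST['page'] : '';

     // Make sure the page conforms to the slug format
     if (SIV::validate($requested, SIV::SLUG)) {
         $page = strtolower($requested);
         $page_data = DB_Actions::get_page_data_by_slug($page);
     } else {
         // Throw an exception and die. The original interpolated $page here
         // before it had been assigned, so the message always showed "".
         ECMS_Error::log_exception(new Exception("Page \"{$requested}\" isn't valid."));
         $page = NULL;
         $page_data = NULL;
     }

     if ($page === 'admin') {
         // The Admin class is a special case, and needs to be loaded manually
         require_once CMS_PATH . 'core/helper/class.admin.inc.php';
         $class = 'Admin';
     } elseif ($page === 'menu') {
         $class = 'Menu';
     } elseif ($page === 'comments') {
         require_once CMS_PATH . 'core/helper/class.comments.inc.php';
         $class = 'Comments';
     } elseif (is_object($page_data)) {
         // The class name comes from the page row's `type` column, not from
         // the request -- but it is still a string that ends up after `new`.
         $class = $page_data->type;
         if (empty($class)) {
             // Throw an exception and die
             ECMS_Error::log_exception(new Exception("Page \"{$page}\" doesn't actually exist."));
         }
     } else {
         // Throw an exception and die
         ECMS_Error::log_exception(new Exception("Unsupported page type \"{$page}\" supplied."));
         $class = NULL;
     }

     // Last check before instantiation: the name must resolve to a real class
     // (this also covers the case where log_exception() did not terminate).
     if (empty($class) || !class_exists($class)) {
         ECMS_Error::log_exception(new Exception("No controller class is available for page \"{$page}\"."));
     }

     // Create a new instance of the appropriate class
     return new $class(array($page));
 }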
예제 #3
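 /**
  * List the entries whose comment thread $email is subscribed to.
  *
  * Joins the comments table to the entries table on `entry_id` and keeps the
  * rows whose comment e-mail matches and whose `subscribed` flag is 1,
  * ordered by entry title.
  *
  * @param string $email  Address to look up; must pass SIV::validate(SIV::EMAIL)
  * @return array  Objects with `entry_id` and `title`. Empty when the address
  *                is rejected or the query fails -- the original fell off the
  *                end and returned NULL in those cases, which a foreach at the
  *                caller trips over.
  */
 protected function get_comment_subscriptions_by_email($email)
 {
     // Reject malformed addresses before touching the database. This is a
     // format check only; the value is bound as a parameter below regardless.
     if (!SIV::validate($email, SIV::EMAIL)) {
         ECMS_Error::log_exception(new Exception('Invalid email!'));
         return array();
     }

     $comments = '`' . DB_NAME . '`.`' . DB_PREFIX . 'comments`';
     $entries  = '`' . DB_NAME . '`.`' . DB_PREFIX . 'entries`';
     $sql = 'SELECT `' . DB_PREFIX . 'comments`.`entry_id`, `' . DB_PREFIX . 'entries`.`title`'
          . ' FROM ' . $comments
          . ' LEFT JOIN ' . $entries . ' USING (`entry_id`)'
          . ' WHERE `' . DB_PREFIX . 'comments`.`email` = :email'
          . ' AND `subscribed` = 1'
          . ' ORDER BY `title`';

     try {
         $stmt = $this->db->prepare($sql);
         $stmt->bindValue(':email', $email, PDO::PARAM_STR);
         $stmt->execute();
         $rows = $stmt->fetchAll(PDO::FETCH_OBJ);
         $stmt->closeCursor();
         return $rows;
     } catch (Exception $e) {
         // PDOException is an Exception; log it and hand back an empty list
         ECMS_Error::log_exception($e);
         return array();
     }
 }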
예제 #4
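 /**
  * Handle the comment-notification form: unsubscribe the submitted e-mail
  * address from every entry's comment thread except the ones still ticked.
  *
  * Expects `comment-notification-submit` in $_POST (its absence means the
  * cancel button was used and the browser is redirected to SITE_URL), a
  * hex-encoded `email`, and optionally `entries[]` -- the ids of the entries
  * the user wants to keep receiving notifications for.
  *
  * @return bool  TRUE after the UPDATE ran; FALSE when the address is invalid
  *               or the query failed. The original ran the UPDATE with an
  *               unset :email in the first case and returned NULL in the second.
  */
 public function update_notification_settings()
 {
     // Make sure the user clicked the update button, not the cancel button
     if (!array_key_exists('comment-notification-submit', $_POST)) {
         header('Location: ' . SITE_URL);
         exit;
     }

     // NOTE(review): the only thing tying this request to a subscriber is the
     // e-mail address itself, and no CSRF token is checked here -- confirm the
     // form's caller enforces both before relying on this handler alone.

     // Extract the email and validate it before anything reaches the database
     $decoded_email = isset($_POST['email']) ? Utilities::hextostr($_POST['email']) : '';
     if (!SIV::validate($decoded_email, SIV::EMAIL)) {
         ECMS_Error::log_exception(new Exception("Invalid email!"));
         return FALSE;
     }
     $email = $decoded_email;

     // Grab the entries for which the user still wants notifications. Each id
     // is cast to int so the list can be inlined safely. The original joined
     // the `entry_id<>N` tests with OR, which is true for every row as soon as
     // two entries are kept -- so the kept subscriptions were cancelled too --
     // and left $where_clause unset for an empty `entries[]`.
     $keep = array();
     if (array_key_exists('entries', $_POST) && is_array($_POST['entries'])) {
         foreach ($_POST['entries'] as $entry_id) {
             if (is_scalar($entry_id)) {
                 $keep[] = (int) $entry_id;
             }
         }
     }
     $where_clause = $keep
         ? '`entry_id` NOT IN (' . implode(',', $keep) . ')'
         : '1';

     // Build the SQL query; only the bound :email and the integer list above
     // ever end up in it
     $sql = 'UPDATE `' . DB_NAME . '`.`' . DB_PREFIX . 'comments`'
          . ' SET `subscribed`=0'
          . ' WHERE email = :email'
          . ' AND ( ' . $where_clause . ' )';

     try {
         $stmt = $this->db->prepare($sql);
         $stmt->bindValue(':email', $email, PDO::PARAM_STR);
         $stmt->execute();
         $stmt->closeCursor();
         return TRUE;
     } catch (Exception $e) {
         ECMS_Error::log_exception($e);
         return FALSE;
     }
 }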