function SpawnSession()
{
global $TABLE_USERS, $FORUM, $rpgDB;
// If forum software is being used for authentication, don't create sessions.
if ($FORUM) {
return;
}
// Ensure the session state is set correctly.
$this->_is_session_valid = false;
// Ensure we have both a username and password.
if (!(isset($_POST['user']) && isset($_POST['pwd']))) {
return false;
}
// Validate the data.
$err = array();
if (!(is_valid_pname($_POST['user'], $err) && is_valid_password($_POST['pwd'], $err))) {
return false;
}
// Check the user against the db.
$res = $rpgDB->query(sprintf("SELECT iplog, slength, email, dm FROM %s WHERE pname = '%s' " . "AND (pwd = PASSWORD('%s') OR pwd = OLD_PASSWORD('%s'))", $TABLE_USERS, addslashes($_POST['user']), addslashes($_POST['pwd']), addslashes($_POST['pwd'])));
if (!$res) {
__printFatalErr("Failed to query database.", __LINE__, __FILE__);
}
if ($rpgDB->num_rows() != 1) {
return false;
}
$row = $rpgDB->fetch_row($res);
// Record the userdata.
$this->_username = $_POST['user'];
$this->_iplog = unserialize(stripslashes($row['iplog']));
$this->_slength = $row['slength'];
$this->_email = $row['email'];
$this->_dm = $row['dm'] == 'Y';
// Update the iplog.
$this->update_iplog();
// Generate the sid.
$this->_sid = $this->GenerateId();
// Set the session cookie.
setcookie('sid', $this->_sid);
// Determine character access permissions.
$this->_permission = new CharPermission($this->_username, null);
// Update the db.
$res = $rpgDB->query(sprintf("UPDATE %s SET iplog = '%s', ip = '%s', sid = '%s', pwd_key = NULL WHERE pname = '%s'", $TABLE_USERS, addslashes(serialize($this->_iplog)), addslashes($this->_ip), addslashes($this->_sid), addslashes($this->_username)));
if (!$res) {
__printFatalErr("Failed to update database.", __LINE__, __FILE__);
}
if ($rpgDB->num_rows() != 1) {
__printFatalErr("Failed to update user data.", __LINE__, __FILE__);
}
// Now record that this session is valid.
$this->_is_session_valid = true;
// Return success.
return true;
}
$empfullname = $emp;
}
// from url or form entry
if (!$empfullname) {
die(error_msg("Unrecognized employee."));
}
// no employee specified
$h_empfullname = htmlentities($empfullname);
$u_empfullname = rawurlencode($empfullname);
$displayname = get_employee_name($empfullname);
$h_displayname = htmlentities($displayname);
$name_header = $show_display_name == 'yes' ? $h_displayname : $h_empfullname;
// Process form submission.
if ($old_password) {
// Validate password
if (is_valid_password($empfullname, $old_password)) {
// Check if new password is same as confirm password entry
if ($new_password === $confirm_password) {
// Save password.
if (save_employee_password($empfullname, $new_password)) {
$_SESSION['authenticated'] = $empfullname;
exit_next("entry.ajax.php?emp={$u_empfullname}");
} else {
print error_msg("Cannot save your new password. " . mysql_error());
}
} else {
print error_msg("Your new password and the confirm password do not match.<br/>Please re-enter and confirm your new password.");
}
} else {
print error_msg("Password is incorrect. Please try again.");
}
$errorString = "";
if ($_POST['token'] != $_SESSION['token']) {
$errorString[] = "Invalid token! (what are you doing??)<br />";
}
$token_age = time() - $_SESSION['token_time'];
// force to resubmit after 5 minutes
if ($token_age > 300) {
$errorString[] = "Timout value exceeded, resubmit<br />";
}
if ($_POST['realname'] != $user->data['real_name'] && !is_valid_real_name($_POST['realname']) && $_POST['realname'] != "") {
$errorString[] = "Invalid name";
}
if (!is_curr_password($_POST['curpassword'], $user)) {
$errorString[] = "Current password not correct";
}
if (!is_valid_password($_POST['passwordx'], $_POST['password2']) && ($_POST['passwordx'] != "" || $_POST['password2'] != "")) {
$errorString[] = "Passwords do not match or are not of required length";
}
if ($_POST['email'] != $user->data['email'] && !is_rfc3696_valid_email_address($_POST['email']) && $_POST['email'] != "") {
$errorString[] = "Invalid email address";
}
if ($_POST['email'] != $user->data['email'] && email_exists($_POST['email'], true)) {
$errorString[] = "Email address already in use";
}
if ($_POST['name_format'] != $user->data['name_format']) {
if ($_POST['name_format'] > 4 || $_POST['name_format'] < 1) {
$errorString[] = "Invalid name format! (what are you doing?)";
}
}
if (!is_valid_amount($_POST['amount']) && strtolower($_POST['amount']) != "always" && $_POST['amount'] != "" && $_POST['amount'] != "0" && $_POST['email_notify']) {
$errorString[] = "Invalid notify amount";
function user_change_password($post)
{
//testing if the old password is correct
$r = sql_fetch_array(sql_query("SELECT user_name FROM users WHERE user_id = " . $_SESSION['user_id'] . " LIMIT 1"));
$login = $r['user_name'];
if (user_check_password($login, $post['old_pw'])) {
//testing if the two new passwords coincide
if ($post['new_pw'] != $post['new_pw_re']) {
return 3;
}
if (!is_valid_password($post['new_pw'])) {
return 4;
}
$passwd = md5(md5($post['new_pw']) . substr($login, 0, 2));
sql_query("UPDATE `users` SET `user_passwd`='{$passwd}' WHERE `user_id`=" . $_SESSION['user_id'] . " LIMIT 1");
return 1;
} else {
return 2;
}
}
// User data was sent:
// Attempt to register the new user.
include_once "{$INCLUDE_PATH}/engine/validation.php";
include_once "{$INCLUDE_PATH}/engine/db.php";
include_once "{$INCLUDE_PATH}/error.php";
// Collect the user data.
$user = $_POST['user'];
$pwd1 = $_POST['pwd1'];
$pwd2 = $_POST['pwd2'];
$email = $_POST['email'];
// The error array.
$err = array();
// Validate the user data.
is_valid_pname($user, $err);
is_valid_password($pwd1, $err);
is_valid_password($pwd2, $err);
is_valid_email($email, $err);
// Check the passwords for consistency.
if ($pwd1 != $pwd2) {
array_push($err, "Your passwords do not match.");
}
$title = 'Error';
$error_page = 'register_error.php';
// Check for errors.
if (sizeof($err) > 0) {
$messages = $err;
draw_page($error_page);
exit;
}
// Check to see if the profile name already exists.
$_r = $rpgDB->query(sprintf("SELECT COUNT(pname) as cnt FROM %s WHERE pname = '%s'", $TABLE_USERS, addslashes($user)));
include "../model/cart.php";
$id = filter_input(INPUT_POST, 'custID');
$firstName = filter_input(INPUT_POST, 'fName');
$lastName = filter_input(INPUT_POST, 'lName');
$street = filter_input(INPUT_POST, 'street');
$postalCode = filter_input(INPUT_POST, 'postalCode');
$province = filter_input(INPUT_POST, 'province');
$phone = filter_input(INPUT_POST, 'phone');
$email_account = filter_input(INPUT_POST, 'email_account');
$password = filter_input(INPUT_POST, 'password');
$confirm_password = filter_input(INPUT_POST, 'confirm_password');
$action = filter_input(INPUT_POST, 'action');
$remember = filter_input(INPUT_POST, 'remember');
//create customer
if ($action == "register") {
if (is_valid_password($password, $confirm_password)) {
create_customer($firstName, $lastName, $street, $postalCode, $province, $phone, $email_account, $password);
echo "thank you for registering";
} else {
echo "Please make sure your password is the same";
}
} else {
if ($action == "login") {
if (is_valid_customer_login($email_account, $password)) {
echo "Logged in<br/>";
echo $remember . "<br/>";
if ($remember) {
echo "Email remembered!<br/>";
setcookie("email", $email_account, 0, "/");
}
start_cart_session();
include_once "{$INCLUDE_PATH}/engine/sid.php";
include_once "{$INCLUDE_PATH}/engine/templates.php";
include_once "{$INCLUDE_PATH}/error.php";
include_once "{$INCLUDE_PATH}/engine/validation.php";
// Respawn the user session.
$sid = RespawnSession(__LINE__, __FILE__);
$err = array();
global $FORUM;
if (!$FORUM) {
// Validate the passwords (if supplied).
if ($_POST['pwd1'] || $_POST['pwd2']) {
// Verify passwords.
if ($_POST['pwd1'] != $_POST['pwd2']) {
array_push($err, "Your passwords to not match.");
}
is_valid_password($_POST['pwd1'], $err);
}
// Validate the email.
is_valid_email($_POST['email'], $err);
// Validate the session length.
is_valid_slength($_POST['slength'], $err);
}
if (sizeof($err)) {
$title = 'Error';
$messages = $err;
draw_page('details_error.php');
} else {
if (!$FORUM) {
if ($_POST['pwd1'] && $_POST['pwd2']) {
update_password(addslashes($_POST['pwd1']), $sid);
}
case "processregister":
include "inc/email_validator.php";
// validate fields
$errorString = "";
if (!is_valid_name($_POST['username'])) {
$errorString[] = "Invalid username";
}
if (!is_valid_real_name($_POST['realname'])) {
$errorString[] = "Invalid name";
} elseif (username_exists($_POST['username'])) {
$errorString[] = "Username already in use";
}
/* elseif (realname_exists($_POST['realname'])) {
$errorString[] = "Name already in use";
} */
if (!is_valid_password($_POST['password'], $_POST['password2'])) {
$errorString[] = "Passwords do not match or are not of required length";
}
if (!is_rfc3696_valid_email_address($_POST['email'])) {
$errorString[] = "Invalid email address";
}
if (email_exists($_POST['email'], true)) {
$errorString[] = "Email address already in use";
}
if (!empty($_POST['code']) && !regcode_exists($_POST['code'])) {
$errorString[] = "Supplied registration code is not recognized or expired.";
}
/* if (!is_valid_group($_POST['group_id'])) {
$errorString .= "Invalid group! (how is this possible?) <br />";
} */
if (!empty($errorString)) {