$msg = "[color=red]Security alert[/color]\n Account: ID=" . $row['id'] . " Somebody (probably you, " . $username . " !) tried to login but failed!" . "\nTheir [b]Ip Address [/b] was : " . $ip . "\n If this wasn't you please report this event to a {$INSTALLER09['site_name']} staff member\n - Thank you.\n"; $sql = "INSERT INTO messages (sender, receiver, msg, subject, added) VALUES('System', '{$to}', " . sqlesc($msg) . ", " . sqlesc($subject) . ", {$added});"; $res = sql_query($sql) or sqlerr(__FILE__, __LINE__); stderr("Login failed !", "<b>Error</b>: Username or password entry incorrect <br />Have you forgotten your password? <a href='{$INSTALLER09['baseurl']}/resetpw.php'><b>Recover</b></a> your password !"); bark(); } ////Start IP logger //// $ip = sqlesc(getip()); $added = sqlesc(time()); $userid = sqlesc($row["id"]); $res = mysql_query("SELECT * FROM ips WHERE ip ={$ip} AND userid ={$userid}") or die(mysql_error()); if (mysql_num_rows($res) == 0) { sql_query("INSERT INTO ips (userid, ip, lastlogin, type) VALUES ({$userid}, {$ip} , {$added}, 'Login')") or die(mysql_error()); } else { sql_query("UPDATE ips SET lastlogin = {$added} where ip={$ip} AND userid = {$userid}") or sqlerr(__FILE__, __LINE__); } //// End Ip logger ///// if ($row['enabled'] == 'no') { bark($lang['tlogin_disabled']); } $passh = md5($row["passhash"] . $_SERVER["REMOTE_ADDR"]); logincookie($row["id"], $passh); if (isset($_POST['use_ssl']) && $_POST['use_ssl'] == 1 && !isset($_SERVER['HTTPS'])) { $INSTALLER09['baseurl'] = str_replace('http', 'https', $INSTALLER09['baseurl']); } if (isset($_POST['perm_ssl']) && $_POST['perm_ssl'] == 1) { mysql_query('UPDATE users SET ssluse = 2 WHERE id = ' . $row['id']) or sqlerr(__FILE__, __LINE__); } $ip = sqlesc(getip()); sql_query("DELETE FROM failedlogins WHERE ip = {$ip}"); header("Location: {$INSTALLER09['baseurl']}/index.php");
} if (!mkglobal("email:chpassword:passagain:chmailpass:secretanswer")) { stderr("Error", $lang['takeeditcp_no_data']); } if ($chpassword != "") { if (strlen($chpassword) > 40) { stderr("Error", $lang['takeeditcp_pass_long']); } if ($chpassword != $passagain) { stderr("Error", $lang['takeeditcp_pass_not_match']); } $secret = mksecret(); $passhash = make_passhash($secret, md5($chpassword)); $updateset[] = "secret = " . sqlesc($secret); $updateset[] = "passhash = " . sqlesc($passhash); logincookie($CURUSER["id"], md5($passhash . $_SERVER["REMOTE_ADDR"])); } if ($email != $CURUSER["email"]) { if (!validemail($email)) { stderr("Error", $lang['takeeditcp_not_valid_email']); } $r = @sql_query("SELECT id FROM users WHERE email=" . sqlesc($email)) or sqlerr(); if (mysql_num_rows($r) > 0 || $CURUSER["passhash"] != make_passhash($CURUSER['secret'], md5($chmailpass))) { stderr("Error", $lang['takeeditcp_address_taken']); } $changedemail = 1; } if ($secretanswer != '') { if (strlen($secretanswer) > 40) { stderr("Sorry", "secret answer is too long (max is 40 chars)"); }
stderr($lang['takesignup_user_error'], $lang['takesignup_email_used']); } // TIMEZONE STUFF if (isset($_POST["user_timezone"]) && preg_match('#^\\-?\\d{1,2}(?:\\.\\d{1,2})?$#', $_POST['user_timezone'])) { $time_offset = sqlesc($_POST['user_timezone']); } else { $time_offset = isset($TBDEV['time_offset']) ? sqlesc($TBDEV['time_offset']) : '0'; } // have a stab at getting dst parameter? $dst_in_use = localtime(time() + $time_offset * 3600, true); // TIMEZONE STUFF END $secret = mksecret(); $wantpasshash = md5($secret . $wantpassword . $secret); $editsecret = !$arr[0] ? "" : mksecret(); $ret = mysql_query("INSERT INTO users (username, passhash, secret, editsecret, email, status, " . (!$arr[0] ? "class, " : "") . "added, time_offset, dst_in_use) VALUES (" . implode(",", array_map("sqlesc", array($wantusername, $wantpasshash, $secret, $editsecret, $email, !$arr[0] ? 'confirmed' : 'pending'))) . ", " . (!$arr[0] ? UC_SYSOP . ", " : "") . "" . time() . " , {$time_offset}, {$dst_in_use['tm_isdst']})"); if (!$ret) { if (mysql_errno() == 1062) { stderr($lang['takesignup_user_error'], $lang['takesignup_user_exists']); } stderr($lang['takesignup_user_error'], $lang['takesignup_fatal_error']); } $id = mysql_insert_id(); //write_log("User account $id ($wantusername) was created"); $psecret = md5($editsecret); $body = str_replace(array('<#SITENAME#>', '<#USEREMAIL#>', '<#IP_ADDRESS#>', '<#REG_LINK#>'), array($TBDEV['site_name'], $email, $_SERVER['REMOTE_ADDR'], "{$TBDEV['baseurl']}/confirm.php?id={$id}&secret={$psecret}"), $lang['takesignup_email_body']); if ($arr[0]) { mail($email, "{$TBDEV['site_name']} {$lang['takesignup_confirm']}", $body, "{$lang['takesignup_from']} {$TBDEV['site_email']}"); } else { logincookie($id, $wantpasshash); } header("Refresh: 0; url=ok.php?type=" . (!$arr[0] ? "sysop" : "signup&email=" . urlencode($email)));
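// | Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
// +--------------------------------------------------------------------------+
// | Do not remove above lines! |
// +--------------------------------------------------------------------------+
*/
require_once "include/bittorrent.php";

// E-mail confirmation endpoint: ?id=<user id>&secret=<md5 of the padded editsecret>.
// Missing parameters are treated as 0 / "" instead of raising an undefined-index notice.
$id = isset($_GET["id"]) ? intval($_GET["id"]) : 0;
$md5 = isset($_GET["secret"]) ? strval($_GET["secret"]) : "";
if (!$id) {
    httperr();
}
dbconn();
// $id is an integer after intval(), so interpolating it into the query is safe.
$res = sql_query("SELECT passhash, editsecret, status FROM users WHERE id = {$id}");
$row = mysql_fetch_array($res);
if (!$row) {
    httperr();
}
if ($row["status"] != "pending") {
    header("Location: ok.php?type=confirmed");
    exit;
}
$sec = hash_pad($row["editsecret"]);
// Strict comparison: with `!=`, two numeric-looking strings (e.g. "0e" followed
// by digits) are compared as numbers, so a key that merely looks like zero could
// pass. hash_equals() (PHP >= 5.6) would additionally make the check constant-time.
if ($md5 !== md5($sec)) {
    httperr();
}
sql_query("UPDATE users SET status='confirmed', editsecret='' WHERE id = {$id} AND status = 'pending'");
// No affected row: presumably the account was confirmed concurrently; treat it
// as a failed confirmation rather than logging the visitor in.
if (!mysql_affected_rows()) {
    httperr();
}
logincookie($id, $row["passhash"]);
header("Location: ok.php?type=confirm");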
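if (!$id) {
    httperr();
}
dbconn();
// `id` is selected as well: the login cookie below used $row["id"], which the
// original query never selected (it was always null).
$res = sql_query("SELECT id, passhash, secret, editsecret, status FROM users WHERE id = " . sqlesc($id)) or sqlerr(__FILE__, __LINE__);
$row = mysql_fetch_assoc($res);
if (!$row) {
    httperr();
}
if ($row["status"] != "pending") {
    header("Refresh: 0; url=ok.php?type=confirmed");
    exit;
}
// NOTE(review): the key is checked against `secret`, while the column cleared
// below is `editsecret` — confirm which one the confirmation mail was built from.
$confirm_sec = hash_pad($row["secret"]);
// Strict comparison: `!=` treats two numeric-looking strings ("0e...") as equal
// numbers. hash_equals() (PHP >= 5.6) would additionally make this constant-time.
if ((string) $confirm_md5 !== md5($confirm_sec)) {
    httperr();
}
sql_query("UPDATE users SET status='confirmed', editsecret='' WHERE id=" . sqlesc($id) . " AND status='pending'") or sqlerr(__FILE__, __LINE__);
// No affected row: presumably confirmed concurrently; do not log the visitor in.
if (!mysql_affected_rows()) {
    httperr();
}
if ($securelogin == "yes") {
    // Bind the cookie token to the client address so it is not reusable from another IP.
    $securelogin_indentity_cookie = true;
    $passh = md5($row["passhash"] . $_SERVER["REMOTE_ADDR"]);
} else {
    $securelogin_indentity_cookie = false;
    $passh = md5($row["passhash"]);
}
logincookie($row["id"], $passh, 1, 0x7fffffff, $securelogin_indentity_cookie);
//sessioncookie($row["id"], $passh,false);
header("Refresh: 0; url=ok.php?type=confirm");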
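// Optional POST switches. A missing key counts as "no"; the original read them
// unguarded, which raises an undefined-index notice (a warning on PHP 8).
$secureLoginRequested = isset($_POST["securelogin"]) && $_POST["securelogin"] == "yes";
$sslRequested = isset($_POST["ssl"]) && $_POST["ssl"] == "yes";
$trackerSslRequested = isset($_POST["trackerssl"]) && $_POST["trackerssl"] == "yes";
$logoutRequested = isset($_POST["logout"]) && $_POST["logout"] == "yes";

if ($secureLoginRequested) {
    // Bind the cookie token to the client address so it is not reusable from another IP.
    $securelogin_indentity_cookie = true;
    $passh = md5($row["passhash"] . $_SERVER["REMOTE_ADDR"]);
} else {
    $securelogin_indentity_cookie = false;
    $passh = md5($row["passhash"]);
}

// $securelogin / $securetracker come from the surrounding script; the POST
// switches can only turn SSL on, never off.
if ($securelogin == 'yes' || $sslRequested) {
    $pprefix = "https://";
    $ssl = true;
} else {
    $pprefix = "http://";
    $ssl = false;
}
$trackerssl = ($securetracker == 'yes' || $trackerSslRequested);

// The two branches differed only in the fourth argument (900 vs 0x7fffffff);
// presumably the cookie lifetime — confirm against logincookie().
$cookieLifetime = $logoutRequested ? 900 : 0x7fffffff;
logincookie($row["id"], $passh, 1, $cookieLifetime, $securelogin_indentity_cookie, $ssl, $trackerssl);

// returnto is appended to the site's own base URL, so it can only select a
// path on this host, not another destination.
if (!empty($_POST["returnto"])) {
    header("Location: " . $pprefix . "{$BASEURL}/{$_POST['returnto']}");
} else {
    header("Location: " . $pprefix . "{$BASEURL}/index.php");
}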
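require_once "include/bittorrent.php";
require_once "include/user_functions.php";
$lang = array_merge(load_language('global'), load_language('confirm'));

// E-mail confirmation endpoint: ?id=<user id>&secret=<32-char key from the signup mail>.
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$md5 = isset($_GET['secret']) ? $_GET['secret'] : '';
if (!is_valid_id($id)) {
    stderr("{$lang['confirm_user_error']}", "{$lang['confirm_invalid_id']}");
}
// Shape check only: exactly 32 word characters. This does not rule out keys
// such as "0e" followed by 30 digits, which is why the comparison below is strict.
if (!preg_match("/^(?:[\\d\\w]){32}\$/", $md5)) {
    stderr("{$lang['confirm_user_error']}", "{$lang['confirm_invalid_key']}");
}
dbconn();
// $id is an integer after intval(), so interpolating it into the query is safe.
$res = @mysql_query("SELECT passhash, editsecret, status FROM users WHERE id = {$id}");
$row = @mysql_fetch_assoc($res);
if (!$row) {
    stderr("{$lang['confirm_user_error']}", "{$lang['confirm_invalid_id']}");
}
if ($row['status'] != 'pending') {
    header("Refresh: 0; url={$TBDEV['baseurl']}/ok.php?type=confirmed");
    exit;
}
$sec = hash_pad($row['editsecret']);
// Strict comparison: with `!=`, two numeric-looking strings are compared as
// numbers, so a key that merely looks like zero could pass.
// hash_equals() (PHP >= 5.6) would additionally make this constant-time.
if ($md5 !== md5($sec)) {
    stderr("{$lang['confirm_user_error']}", "{$lang['confirm_cannot_confirm']}");
}
@mysql_query("UPDATE users SET status='confirmed', editsecret='' WHERE id={$id} AND status='pending'");
// No affected row: presumably confirmed concurrently; do not log the visitor in.
if (!mysql_affected_rows()) {
    stderr("{$lang['confirm_user_error']}", "{$lang['confirm_cannot_confirm']}");
}
logincookie($id, $row['passhash']);
header("Refresh: 0; url={$TBDEV['baseurl']}/ok.php?type=confirm");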
} if (isset($_POST["uid"]) && isset($_POST["pwd"])) { $res = $db->query("SELECT * FROM users WHERE username = '******'"); $row = $res->fetch_array(MYSQLI_BOTH); if (!$row) { standardheader("Login"); print "<br /><br /><div align='center'><font size='2' color='#FF0000'>" . ERR_USERNAME_INCORRECT . "</font></div>"; login(); } elseif (md5($row["random"] . $row["password"] . $row["random"]) != md5($row["random"] . md5($pwd) . $row["random"])) { standardheader("Login"); print "<br /><br /><div align='center'><font size='2' color='#FF0000'>" . ERR_PASSWORD_INCORRECT . "</font></div>"; login(); } else { $db->query("UPDATE users SET loginhash = '" . md5(vars::$ip . $row['password']) . "' WHERE id = " . (int) $row['id']); $salted = md5($GLOBALS["salting"] . $row["random"] . $row["password"] . $row["random"]); logincookie((int) $row["id"], $salted); if (isset($_GET["returnto"])) { $url = security::html_safe(urldecode($_GET["returnto"])); } else { $url = "index.php"; } redirect($url); } } else { standardheader("Login"); login(); exit; } } else { if (isset($_GET["returnto"])) { $url = security::html_safe(urldecode($_GET["returnto"]));
} // $set = array(); $updateset = array(); $changedemail = 0; if ($chpassword != "") { if (strlen($chpassword) > 40) { bark("Sorry, password is too long (max is 40 chars)"); } if ($chpassword != $passagain) { bark("The passwords didn't match. Try again."); } $sec = mksecret(); $passhash = md5($sec . $chpassword . $sec); $updateset[] = "secret = " . sqlesc($sec); $updateset[] = "passhash = " . sqlesc($passhash); logincookie($CURUSER["id"], $passhash); } if ($email != $CURUSER["email"]) { if (!validemail($email)) { bark("That doesn't look like a valid email address."); } $r = mysql_query("SELECT id FROM users WHERE email=" . sqlesc($email)) or sqlerr(); if (mysql_num_rows($r) > 0 || $CURUSER["passhash"] != md5($CURUSER["secret"] . $chmailpass . $CURUSER["secret"])) { bark("Could not change email, address already taken or password mismatch."); } $changedemail = 1; } $acceptpms = $_POST["acceptpms"]; $deletepms = isset($_POST["deletepms"]) ? "yes" : "no"; $savepms = isset($_POST['savepms']) && $_POST["savepms"] != "" ? "yes" : "no"; $pmnotif = isset($_POST["pmnotif"]) ? $_POST["pmnotif"] : '';
$smf_pass = sha1(strtolower($user) . $pwd); } $res = do_sqlquery("SELECT u.id, u.random, u.password" . ($FORUMLINK == "smf" ? ", u.smf_fid, s.passwd, s.passwordSalt" : "") . " FROM {$TABLE_PREFIX}users u " . ($FORUMLINK == "smf" ? "LEFT JOIN {$db_prefix}members s ON u.smf_fid=s.ID_MEMBER" : "") . " WHERE u.username ='******'", true); $row = mysql_fetch_array($res); if (!$row) { $logintpl->set("FALSE_USER", true, true); $logintpl->set("FALSE_PASSWORD", false, true); $logintpl->set("login_username_incorrect", $language["ERR_USERNAME_INCORRECT"]); login(); } elseif (md5($row["random"] . $row["password"] . $row["random"]) != md5($row["random"] . md5($pwd) . $row["random"])) { $logintpl->set("FALSE_USER", false, true); $logintpl->set("FALSE_PASSWORD", true, true); $logintpl->set("login_password_incorrect", $language["ERR_PASSWORD_INCORRECT"]); login(); } else { logincookie($row["id"], md5($row["random"] . $row["password"] . $row["random"])); if ($FORUMLINK == "smf" && $smf_pass == $row["passwd"]) { set_smf_cookie($row["smf_fid"], $row["passwd"], $row["passwordSalt"]); } elseif ($FORUMLINK == "smf" && $row["password"] == $row["passwd"]) { $salt = substr(md5(rand()), 0, 4); @mysql_query("UPDATE {$db_prefix}members SET passwd='{$smf_pass}', passwordSalt='{$salt}' WHERE ID_MEMBER=" . $row["smf_fid"]); set_smf_cookie($row["smf_fid"], $smf_pass, $salt); } if (isset($_GET["returnto"])) { $url = urldecode($_GET["returnto"]); } else { $url = "index.php"; } redirect($url); die; }
$password = passhash($_POST["password"]); if (!empty($_POST["username"]) && !empty($_POST["password"])) { $res = SQL_Query_exec("SELECT id, password, secret, status, enabled FROM users WHERE username = "******"username"]) . ""); $row = mysql_fetch_assoc($res); if (!$row || $row["password"] != $password) { $message = T_("LOGIN_INCORRECT"); } elseif ($row["status"] == "pending") { $message = T_("ACCOUNT_PENDING"); } elseif ($row["enabled"] == "no") { $message = T_("ACCOUNT_DISABLED"); } } else { $message = T_("NO_EMPTY_FIELDS"); } if (!$message) { logincookie($row["id"], $row["password"], $row["secret"]); if (!empty($_POST["returnto"])) { header("Refresh: 0; url=" . $_POST["returnto"]); die; } else { header("Refresh: 0; url=index.php"); die; } } else { show_error_msg(T_("ACCESS_DENIED"), $message, 1); } } logoutcookie(); stdhead(T_("LOGIN")); if ($nowarn) { show_error_msg(T_("ERROR"), $nowarn, 0);
} session_start(); if (empty($captcha) || $_SESSION['captcha_id'] != strtoupper($captcha)) { header('Location: login.php'); exit; } dbconn(); $lang = array_merge(load_language('global'), load_language('takelogin')); function bark($text = 'Username or password incorrect') { global $lang; stderr($lang['tlogin_failed'], $text); } $res = mysql_query("SELECT id, passhash, secret, enabled FROM users WHERE username = "******" AND status = 'confirmed'"); $row = mysql_fetch_assoc($res); if (!$row) { bark(); } if ($row['passhash'] != md5($row['secret'] . $password . $row['secret'])) { bark(); } if ($row['enabled'] == 'no') { bark($lang['tlogin_disabled']); } logincookie($row['id'], $row['passhash']); //$returnto = str_replace('&', '&', htmlspecialchars($_POST['returnto'])); //$returnto = $_POST['returnto']; //if (!empty($returnto)) //header("Location: ".$returnto); //else header("Location: {$TBDEV['baseurl']}/my.php");
$changedemail = 0; if (!mkglobal("email:chpassword:passagain:secretanswer")) { bark("missing form data"); } if ($chpassword != "") { if (strlen($chpassword) > 40) { bark("Sorry, password is too long (max is 40 chars)"); } if ($chpassword != $passagain) { bark("The passwords didn't match. Try again."); } $sec = mksecret(); $passhash = md5($sec . $chpassword . $sec); $updateset[] = "secret = " . sqlesc($sec); $updateset[] = "passhash = " . sqlesc($passhash); logincookie($CURUSER['id'], md5($passhash . $_SERVER['REMOTE_ADDR'])); } if ($email != $CURUSER["email"]) { if (!validemail($email)) { bark("That doesn't look like a valid email address."); } $r = mysql_query("SELECT id FROM users WHERE email=" . sqlesc($email)) or sqlerr(); if (mysql_num_rows($r) > 0) { bark("The e-mail address you entered is already in use."); } $changedemail = 1; } // /////////secret hint and answer by neptune/////////// if ($secretanswer != '') { if (strlen($secretanswer) > 40) { bark("Sorry, secret answer is too long (max is 40 chars)");
} if (!preg_match("/^(?:[\\d\\w]){32}\$/", $md5)) { stderr("{$lang['confirm_user_error']}", "{$lang['confirm_invalid_key']}"); } dbconn(); $res = sql_query("SELECT passhash, editsecret, status FROM users WHERE id =" . sqlesc($id)); $row = mysqli_fetch_assoc($res); if (!$row) { stderr("{$lang['confirm_user_error']}", "{$lang['confirm_invalid_id']}"); } if ($row['status'] != 'pending') { header("Refresh: 0; url={$INSTALLER09['baseurl']}/ok.php?type=confirmed"); exit; } $sec = $row['editsecret']; if ($md5 != $sec) { stderr("{$lang['confirm_user_error']}", "{$lang['confirm_cannot_confirm']}"); } sql_query("UPDATE users SET status='confirmed', editsecret='' WHERE id=" . sqlesc($id) . " AND status='pending'"); $mc1->begin_transaction('MyUser_' . $id); $mc1->update_row(false, array('status' => 'confirmed')); $mc1->commit_transaction($INSTALLER09['expires']['curuser']); $mc1->begin_transaction('user' . $id); $mc1->update_row(false, array('status' => 'confirmed')); $mc1->commit_transaction($INSTALLER09['expires']['user_cache']); if (!mysqli_affected_rows($GLOBALS["___mysqli_ston"])) { stderr("{$lang['confirm_user_error']}", "{$lang['confirm_cannot_confirm']}"); } $passh = md5($row["passhash"] . $_SERVER["REMOTE_ADDR"]); logincookie($id, $passh); header("Refresh: 0; url={$INSTALLER09['baseurl']}/ok.php?type=confirm");
if ($row["password"] == $passtype[$row["pass_type"]]["hash"]) { // We have a correct password entry // If stored password type is not the same as the current set type if ($row["pass_type"] != $btit_settings["secsui_pass_type"]) { // We need to update the password do_sqlquery("UPDATE `{$TABLE_PREFIX}users` SET `password`='" . mysqli_real_escape_string($DBDT, $passtype[$btit_settings["secsui_pass_type"]]["rehash"]) . "', `salt`='" . mysqli_real_escape_string($DBDT, $passtype[$btit_settings["secsui_pass_type"]]["salt"]) . "', `pass_type`='" . mysqli_real_escape_string($DBDT, $btit_settings["secsui_pass_type"]) . "', `dupe_hash`='" . mysqli_real_escape_string($DBDT, $passtype[$btit_settings["secsui_pass_type"]]["dupehash"]) . "' WHERE `id`=" . $row["id"], true); // And update the values we got from the database earlier $row["pass_type"] = $btit_settings["secsui_pass_type"]; $row["password"] = $passtype[$btit_settings["secsui_pass_type"]]["rehash"]; $row["salt"] = $passtype[$btit_settings["secsui_pass_type"]]["salt"]; } // If we've reached this point we can set the cookies // call the logoutcookie function for good measure, just in case we have some old cookies that need destroying. logoutcookie(); // Then login logincookie($row, $user); if (substr($FORUMLINK, 0, 3) == "smf" && $smf_pass == $row["passwd"]) { $new_smf_salt = substr(md5(rand()), 0, 4); do_sqlquery("UPDATE `{$db_prefix}members` SET " . ($FORUMLINK == "smf" ? "`passwordSalt`" : "`password_salt`") . "='" . $new_smf_salt . "' WHERE " . ($FORUMLINK == "smf" ? "`ID_MEMBER`" : "`id_member`") . "=" . $row["smf_fid"], true); set_smf_cookie($row["smf_fid"], $row["passwd"], $new_smf_salt); } elseif (substr($FORUMLINK, 0, 3) == "smf" && $row["pass_type"] == 1 && $row["password"] == $row["passwd"]) { $salt = substr(md5(rand()), 0, 4); do_sqlquery("UPDATE `{$db_prefix}members` SET `passwd`='{$smf_pass}', " . ($FORUMLINK == "smf" ? 
"`passwordSalt`='{$salt}' WHERE `ID_MEMBER`" : "`password_salt`='{$salt}' WHERE `id_member`") . "=" . $row["smf_fid"]); set_smf_cookie($row["smf_fid"], $smf_pass, $salt); } elseif (substr($FORUMLINK, 0, 3) == "smf" && $row["passwd"] == "ffffffffffffffffffffffffffffffffffffffff") { $fix_pass = smf_passgen($user, $pwd); do_sqlquery("UPDATE `{$db_prefix}members` SET `passwd`='" . $fix_pass[0] . "', " . ($FORUMLINK == "smf" ? "`passwordSalt`='" . $fix_pass[1] . "' WHERE `ID_MEMBER`" : "`password_salt`='" . $fix_pass[1] . "' WHERE `id_member`") . "=" . $row["smf_fid"]); set_smf_cookie($row["smf_fid"], $fix_pass[0], $fix_pass[1]); } elseif ($FORUMLINK == "ipb") { if ($row["members_pass_hash"] == "ffffffffffffffffffffffffffffffff") { if (!defined('IPS_ENFORCE_ACCESS')) {
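/**
 * Login handling for a CC98-linked account.
 *
 * Looks up the site user whose `cc98id` matches, sets the login cookie and
 * renders a success page that refreshes to `/` after 3 seconds. If no user is
 * linked, renders an error page instead. Never returns: both paths end in `die`.
 *
 * @param string $cc98_id CC98 account id (bound as a string parameter).
 */
function dologon($cc98_id)
{
    global $res;
    $user_lang = get_current_user_lang();
    $sql = new_mysqli();
    // Prepared statement: the id is bound, never interpolated into the SQL text.
    $query = $sql->prepare('SELECT `id`, `passhash`, `username` FROM `users` WHERE `cc98id` = ?');
    $query->bind_param('s', $cc98_id);
    $query->execute();
    $query->bind_result($id, $passhash, $username);
    // Was a linked account found?
    if ($query->fetch()) {
        // NOTE(review): the cookie value is a deterministic md5 of the stored
        // passhash, so it stays valid until the password changes — confirm that
        // logincookie() adds its own secret and expiry.
        logincookie($id, md5($passhash));
        ?>
<meta http-equiv="refresh" content="3; url=/" />
        <?php
        $title = $res['msg_logon_success_title'];
        $msg = MessageFormatter::formatMessage($user_lang, $res['msg_logon_success_text'], array($username));
        stdhead($title);
        stdmsg($title, $msg);
        stdfoot();
        // The `break;` that followed here was removed: a `break` outside a
        // loop or switch is a compile-time fatal error since PHP 7.
        die;
    } else {
        // No account is linked to this CC98 id.
        stderr($res['msg_no_associated_account_title'], $res['msg_no_associated_account_text']);
        die;
    }
}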
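//print_r($_POST);exit();
require_once "include/bittorrent.php";
// mkglobal() is expected to populate $username and $password from the request.
if (!mkglobal("username:password")) {
    die;
}
session_start();
dbconn();

/**
 * Aborts the request with a "Login failed!" error page.
 *
 * @param string $text Message shown to the user.
 */
function bark($text = "Username or password incorrect")
{
    stderr("Login failed!", $text);
}

// The username term of this query is redacted in the listing ("******"); kept as found.
$res = mysql_query("SELECT id, passhash, secret, enabled,status FROM users WHERE username = "******"");
$row = mysql_fetch_assoc($res);
if (!$row) {
    bark();
}
// Strict comparison: `!=` treats two numeric-looking strings ("0e...") as equal
// numbers. hash_equals() (PHP >= 5.6) would additionally make this constant-time.
// NOTE(review): md5 is fast to brute-force offline; the scheme is shared with
// signup, so it cannot be changed in this file alone.
if ($row["passhash"] !== md5($row["secret"] . $password . $row["secret"])) {
    bark();
}
if ($row["status"] == "pending") {
    bark('You have not confirmed your email address yet. More information is <a href="faq.php#user1">here</a>.');
}
if ($row["enabled"] == "no") {
    bark("This account has been disabled.");
}
logincookie($row["id"], $row["passhash"]);

// Only follow returnto when it is a path on this site. A scheme ("http:",
// "javascript:") or a protocol-relative "//host" (also "/\host") would turn the
// redirect into an open redirect to an attacker-chosen destination.
$returnto = isset($_POST["returnto"]) ? $_POST["returnto"] : "";
$isLocalPath = !empty($returnto)
    && is_string($returnto)
    && !preg_match('#^(?:[a-z][a-z0-9+.\-]*:|[/\\\\]{2})#i', $returnto);
if ($isLocalPath) {
    header("Location: {$returnto}");
} else {
    header("Location: browse.php");
}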
$updateset[] = "secret = " . sqlesc($sec); $updateset[] = "passhash = " . sqlesc($passhash); //die($securelogin . base64_decode($_COOKIE["c_secure_login"])); if ($_COOKIE["c_secure_login"] == base64("yeah")) { $passh = md5($passhash . $_SERVER["REMOTE_ADDR"]); $securelogin_indentity_cookie = true; } else { $passh = md5($passhash); $securelogin_indentity_cookie = false; } if ($_COOKIE["c_secure_ssl"] == base64("yeah")) { $ssl = true; } else { $ssl = false; } logincookie($CURUSER["id"], $passh, 1, 0x7fffffff, $securelogin_indentity_cookie, $ssl); //sessioncookie($CURUSER["id"], $passh); $passupdated = 1; } if ($disableemailchange != 'no' && $smtptype != 'none' && $email != $CURUSER["email"]) { if (EmailBanned($email)) { bark($lang_usercp['std_email_address_banned']); } if (!EmailAllowed($email)) { bark($lang_usercp['std_wrong_email_address_domains'] . allowedemails()); } if (!validemail($email)) { stderr($lang_usercp['std_error'], $lang_usercp['std_wrong_email_address_format'] . goback("-2"), 0); die; } $r = sql_query("SELECT id FROM users WHERE email=" . sqlesc($email)) or sqlerr();
$email = mysqli_real_escape_string($DBDT, $user->email); $regex = "/^[_+a-z0-9-]+(\\.[_+a-z0-9-]+)*" . "@[a-z0-9-]+(\\.[a-z0-9-]{1,})*" . "\\.([a-z]{2,}){1}\$/i"; if (!preg_match($regex, $email)) { stderr($language["SORRY"], "E-mail is not valid"); exit; } if ($btit_settings["fbadmin"]) { $res2 = do_sqlquery("SELECT `ul`.`admin_access` FROM `{$TABLE_PREFIX}users` `u` INNER JOIN `{$TABLE_PREFIX}users_level` `ul` ON `u`.`id_level`=`ul`.`id` WHERE `u`.`email` ='" . $email . "'", true); $row2 = mysqli_fetch_assoc($res2); if ($row2["admin_access"] == "yes") { stderr($language["SORRY"], "I'm sorry Staff are not allowed to log in this way"); exit; } } $res = do_sqlquery("SELECT `u`.`salt`, `u`.`pass_type`, `u`.`username`, `u`.`id`, `u`.`random`, `u`.`password`" . (substr($FORUMLINK, 0, 3) == "smf" ? ", `u`.`smf_fid`, `s`.`passwd`" : ($FORUMLINK == "ipb" ? ", `u`.`ipb_fid`, `i`.`members_pass_hash`, `i`.`members_pass_salt`, `i`.`name`, `i`.`member_group_id`" : "")) . " FROM `{$TABLE_PREFIX}users` `u` " . (substr($FORUMLINK, 0, 3) == "smf" ? "LEFT JOIN `{$db_prefix}members` `s` ON `u`.`smf_fid`=`s`." . ($FORUMLINK == "smf" ? "`ID_MEMBER`" : "`id_member`") . "" : ($FORUMLINK == "ipb" ? "LEFT JOIN `{$ipb_prefix}members` `i` ON `u`.`ipb_fid`=`i`.`member_id`" : "")) . " WHERE `u`.`email` ='" . $email . "'", true); $row = mysqli_fetch_assoc($res); if (!$row) { stderr($language["SORRY"], "You can not log in, your e-mail used with Facebook does not correspond with the e-mail you used here"); exit; } else { logoutcookie(); logincookie($row, $row["username"]); if (substr($FORUMLINK, 0, 3) == "smf" && $email == $row["emailAddress"]) { set_smf_cookie($row["smf_fid"], $row["passwd"], $row["passwordSalt"]); } elseif ($FORUMLINK == "ipb") { set_ipb_cookie($row["ipb_fid"], $row["name"], $row["member_group_id"]); } redirect($url); die; } }