function doedit_user()
{
global $lang_global, $realm_db, $mmfpm_db, $user_lvl, $user_name, $action_permission;
valid_login($action_permission['update']);
if ((!isset($_POST['pass']) || $_POST['pass'] === '') && (!isset($_POST['mail']) || $_POST['mail'] === '') && (!isset($_POST['expansion']) || $_POST['expansion'] === '') && (!isset($_POST['referredby']) || $_POST['referredby'] === '')) {
redirect("user.php?action=edit_user&&id={$_POST['id']}&error=1");
}
$sqlr = new SQL();
$sqlr->connect($realm_db['addr'], $realm_db['user'], $realm_db['pass'], $realm_db['name']);
$id = $sqlr->quote_smart($_POST['id']);
$username = $sqlr->quote_smart($_POST['username']);
$banreason = $sqlr->quote_smart($_POST['banreason']);
$pass = $sqlr->quote_smart($_POST['pass']);
$user_pass_change = $pass != sha1(strtoupper($username) . ":******") ? "username='******',sha_pass_hash='{$pass}'," : "";
$mail = isset($_POST['mail']) && $_POST['mail'] != '' ? $sqlr->quote_smart($_POST['mail']) : "";
$failed = isset($_POST['failed']) ? $sqlr->quote_smart($_POST['failed']) : 0;
$gmlevel = isset($_POST['gmlevel']) ? $sqlr->quote_smart($_POST['gmlevel']) : 0;
$expansion = isset($_POST['expansion']) ? $sqlr->quote_smart($_POST['expansion']) : 1;
$banned = isset($_POST['banned']) ? $sqlr->quote_smart($_POST['banned']) : 0;
$locked = isset($_POST['locked']) ? $sqlr->quote_smart($_POST['locked']) : 0;
$referredby = $sqlr->quote_smart(trim($_POST['referredby']));
//make sure username/pass at least 4 chars long and less than max
if (strlen($username) < 4 || strlen($username) > 15) {
redirect("user.php?action=edit_user&id={$id}&error=8");
}
if ($gmlevel >= $user_lvl) {
redirect("user.php?action=edit_user&&id={$_POST['id']}&error=16");
}
require_once "libs/valid_lib.php";
if (!valid_alphabetic($username)) {
redirect("user.php?action=edit_user&error=9&id={$id}");
}
//restricting accsess to lower gmlvl
$result = $sqlr->query("SELECT gmlevel,username FROM account WHERE id = '{$id}'");
if ($user_lvl <= $sqlr->result($result, 0, 'gmlevel') && $user_name != $sqlr->result($result, 0, 'username')) {
redirect("user.php?error=14");
}
if (!$banned) {
$sqlr->query("DELETE FROM account_banned WHERE id='{$id}'");
} else {
$result = $sqlr->query("SELECT count(*) FROM account_banned WHERE id = '{$id}'");
if (!$sqlr->result($result, 0)) {
$sqlr->query("INSERT INTO account_banned (id, bandate, unbandate, bannedby, banreason, active)\r\n VALUES ({$id}, " . time() . "," . (time() + 365 * 24 * 3600) . ",'{$user_name}','{$banreason}', 1)");
}
}
$sqlr->query("UPDATE account SET email='{$mail}', {$user_pass_change} v=0,s=0,failed_logins='{$failed}',locked='{$locked}',expansion='{$expansion}' WHERE id='{$id}'");
$sqlr->query("UPDATE account SET gmlevel='{$gmlevel}' WHERE id='{$id}'");
if (doupdate_referral($referredby, $id) || $sqlr->affected_rows()) {
redirect("user.php?action=edit_user&error=13&id={$id}");
} else {
redirect("user.php?action=edit_user&error=12&id={$id}");
}
}
function doregister()
{
global $lang_global, $characters_db, $realm_db, $mmfpm_db, $realm_id, $disable_acc_creation, $limit_acc_per_ip, $valid_ip_mask, $send_mail_on_creation, $create_acc_locked, $from_mail, $defaultoption, $require_account_verify, $mailer_type, $smtp_cfg, $title;
if ($_POST['security_code'] != $_SESSION['security_code']) {
redirect("register.php?err=13");
}
if (empty($_POST['pass']) || empty($_POST['email']) || empty($_POST['username'])) {
redirect("register.php?err=1");
}
if ($disable_acc_creation) {
redirect("register.php?err=4");
}
$last_ip = getenv('HTTP_X_FORWARDED_FOR') ? getenv('HTTP_X_FORWARDED_FOR') : getenv('REMOTE_ADDR');
if (sizeof($valid_ip_mask)) {
$qFlag = 0;
$user_ip_mask = explode('.', $last_ip);
foreach ($valid_ip_mask as $mask) {
$vmask = explode('.', $mask);
$v_count = 4;
$i = 0;
foreach ($vmask as $range) {
$vmask_h = explode('-', $range);
if (isset($vmask_h[1])) {
if ($vmask_h[0] >= $user_ip_mask[$i] && $vmask_h[1] <= $user_ip_mask[$i]) {
$v_count--;
}
} else {
if ($vmask_h[0] == $user_ip_mask[$i]) {
$v_count--;
}
}
$i++;
}
if (!$v_count) {
$qFlag++;
break;
}
}
if (!$qFlag) {
redirect("register.php?err=9&usr={$last_ip}");
}
}
$sql = new SQL();
$sql->connect($realm_db['addr'], $realm_db['user'], $realm_db['pass'], $realm_db['name']);
$user_name = $sql->quote_smart(trim($_POST['username']));
$pass = $sql->quote_smart($_POST['pass']);
$pass1 = $sql->quote_smart($_POST['pass1']);
//make sure username/pass at least 4 chars long and less than max
if (strlen($user_name) < 4 || strlen($user_name) > 15) {
$sql->close();
redirect("register.php?err=5");
}
require_once "libs/valid_lib.php";
//make sure it doesnt contain non english chars.
if (!valid_alphabetic($user_name)) {
$sql->close();
redirect("register.php?err=6");
}
//make sure the mail is valid mail format
$mail = $sql->quote_smart(trim($_POST['email']));
if (!valid_email($mail) || strlen($mail) > 224) {
$sql->close();
redirect("register.php?err=7");
}
$per_ip = $limit_acc_per_ip ? "OR last_ip='{$last_ip}'" : "";
$result = $sql->query("SELECT ip FROM ip_banned WHERE ip = '{$last_ip}'");
//IP is in ban list
if ($sql->num_rows($result)) {
$sql->close();
redirect("register.php?err=8&usr={$last_ip}");
}
//Email check
$result = $sql->query("SELECT email FROM account WHERE email='{$mail}' {$per_ip}");
if ($sql->num_rows($result)) {
$sql->close();
redirect("register.php?err=14");
}
//Username check
$result = $sql->query("SELECT username FROM account WHERE username='******' {$per_ip}");
if ($sql->num_rows($result)) {
$sql->close();
redirect("register.php?err=3");
}
//there is already someone with same account name
if ($sql->num_rows($result)) {
$sql->close();
redirect("register.php?err=3&usr={$user_name}");
} else {
if ($expansion_select) {
$expansion = isset($_POST['expansion']) ? $sql->quote_smart($_POST['expansion']) : 0;
} else {
$expansion = $defaultoption;
}
if ($require_account_verify) {
$sqlm = new SQL();
$sqlm->connect($mmfpm_db['addr'], $mmfpm_db['user'], $mmfpm_db['pass'], $mmfpm_db['name']);
$result2 = $sqlm->query("SELECT * FROM mm_account_verification WHERE username = '******' OR email = '{$mail}'");
if ($sqlm->num_rows($result2) > 0) {
redirect("register.php?err=15");
} else {
$client_ip = $_SERVER['REMOTE_ADDR'];
$authkey = sha1($client_ip . time());
$result = $sqlm->query("INSERT INTO mm_account_verification (username,sha_pass_hash,gmlevel,email, joindate,last_ip,failed_logins,locked,last_login,active_realm_id,expansion,authkey) VALUES (UPPER('{$user_name}'),'{$pass}',0,'{$mail}',now(),'{$last_ip}',0,{$create_acc_locked},NULL,0,{$expansion},{$authkey})");
do_verify_email();
redirect("login.php?error=7");
}
$sqlm->close();
} else {
$result = $sql->query("INSERT INTO account (username,sha_pass_hash,gmlevel,email, joindate,last_ip,failed_logins,locked,last_login,active_realm_id,expansion) VALUES (UPPER('{$user_name}'),'{$pass}',0,'{$mail}',now(),'{$last_ip}',0,{$create_acc_locked},NULL,0,{$expansion})");
}
$sql->close();
setcookie("terms", "", time() - 3600);
if ($send_mail_on_creation) {
require_once "libs/mailer/class.phpmailer.php";
$mailer = new PHPMailer();
$mailer->Mailer = $mailer_type;
if ($mailer_type == "smtp") {
$mailer->Host = $smtp_cfg['host'];
$mailer->Port = $smtp_cfg['port'];
if ($smtp_cfg['user'] != '') {
$mailer->SMTPAuth = true;
$mailer->Username = $smtp_cfg['user'];
$mailer->Password = $smtp_cfg['pass'];
}
}
$file_name = "mail_templates/mail_welcome.tpl";
$fh = fopen($file_name, 'r');
$subject = fgets($fh, 4096);
$body = fread($fh, filesize($file_name));
fclose($fh);
$subject = str_replace("<title>", $title, $subject);
$body = str_replace("\n", "<br />", $body);
$body = str_replace("\r", " ", $body);
$body = str_replace("<username>", $user_name, $body);
$body = str_replace("<password>", $pass1, $body);
$body = str_replace("<base_url>", $_SERVER['SERVER_NAME'], $body);
$mailer->WordWrap = 50;
$mailer->From = $from_mail;
$mailer->FromName = "{$title} Admin";
$mailer->Subject = $subject;
$mailer->IsHTML(true);
$mailer->Body = $body;
$mailer->AddAddress($mail);
$mailer->Send();
$mailer->ClearAddresses();
}
if ($result) {
redirect("login.php?error=6");
}
}
}
function doedit_user()
{
global $lang_global, $realm_db, $mmfpm_db, $user_lvl, $user_name, $action_permission;
valid_login($action_permission['update']);
if ((!isset($_POST['pass']) || $_POST['pass'] === '') && (!isset($_POST['mail']) || $_POST['mail'] === '') && (!isset($_POST['expansion']) || $_POST['expansion'] === '') && (!isset($_POST['referredby']) || $_POST['referredby'] === '')) {
redirect("user.php?action=edit_user&&id={$_POST['id']}&error=1");
}
$sqlr = new SQL();
$sqlr->connect($realm_db['addr'], $realm_db['user'], $realm_db['pass'], $realm_db['name']);
$id = $sqlr->quote_smart($_POST['id']);
$username = $sqlr->quote_smart($_POST['username']);
$banreason = $sqlr->quote_smart($_POST['banreason']);
$pass = $sqlr->quote_smart($_POST['pass']);
$user_pass_change = $pass != sha1(strtoupper($username) . ":******") ? "username='******',sha_pass_hash='{$pass}'," : "";
$mail = isset($_POST['mail']) && $_POST['mail'] != '' ? $sqlr->quote_smart($_POST['mail']) : "";
$failed = isset($_POST['failed']) ? $sqlr->quote_smart($_POST['failed']) : 0;
$gmlevel = isset($_POST['gmlevel']) ? $sqlr->quote_smart($_POST['gmlevel']) : 0;
$expansion = isset($_POST['expansion']) ? $sqlr->quote_smart($_POST['expansion']) : 1;
$banned = isset($_POST['banned']) ? $sqlr->quote_smart($_POST['banned']) : 0;
$locked = isset($_POST['locked']) ? $sqlr->quote_smart($_POST['locked']) : 0;
$referredby = $sqlr->quote_smart(trim($_POST['referredby']));
//make sure username/pass at least 4 chars long and less than max
if (strlen($username) < 4 || strlen($username) > 15) {
redirect("user.php?action=edit_user&id={$id}&error=8");
}
if ($gmlevel >= $user_lvl) {
redirect("user.php?action=edit_user&&id={$_POST['id']}&error=16");
}
if (!valid_alphabetic($username)) {
redirect("user.php?action=edit_user&error=9&id={$id}");
}
//restricting accsess to lower gmlvl
$result = $sqlr->query("SELECT account.username, IFNULL(account_access.gmlevel,0) as gmlevel FROM account LEFT JOIN account_access ON account.id=account_access.id WHERE account.id = '{$id}'");
if ($user_lvl <= $sqlr->result($result, 0, 'gmlevel') && $user_name != $sqlr->result($result, 0, 'username')) {
redirect("user.php?error=14");
}
$accgmlevel = $sqlr->result($result, 0, 'gmlevel');
if (!$banned) {
$sqlr->query("DELETE FROM account_banned WHERE id='{$id}'");
} else {
$result = $sqlr->query("SELECT count(*) FROM account_banned WHERE id = '{$id}'");
if (!$sqlr->result($result, 0)) {
$sqlr->query("INSERT INTO account_banned (id, bandate, unbandate, bannedby, banreason, active)\r\n VALUES ({$id}, " . time() . "," . (time() + 365 * 24 * 3600) . ",'{$user_name}','{$banreason}', 1)");
}
}
$error = false;
$sqlr->query("UPDATE account SET email='{$mail}', {$user_pass_change} v=0,s=0,failed_logins='{$failed}',locked='{$locked}',expansion='{$expansion}' WHERE id='{$id}'");
if (!$sqlr->affected_rows()) {
$error = true;
}
if ($gmlevel != $accgmlevel) {
if ($gmlevel == 0 && $accgmlevel > 0) {
$sqlr->query("DELETE FROM account_access WHERE id='{$id}'");
} elseif ($gmlevel > 0 && $accgmlevel == 0) {
//0 has no entry in account_access, add one; sometimes there's a bug so there's indeed a gmlevel 0 entry in the table -> replace
$sqlr->query("REPLACE INTO account_access (`id`,`gmlevel`,`RealmID`) VALUES ('{$id}','{$gmlevel}','-1')");
} else {
$sqlr->query("UPDATE account_access SET gmlevel='{$gmlevel}' WHERE id='{$id}'");
}
$sqlr->query("SELECT IFNULL((SELECT gmlevel FROM account_access WHERE id='{$id}'),0)");
if (!$sqlr->affected_rows() || $sqlr->result($result, 0) != $accgmlevel) {
//temporary errorhandling
$error = true;
}
}
if (doupdate_referral($referredby, $id) || $error) {
redirect("user.php?action=edit_user&error=13&id={$id}");
} else {
redirect("user.php?action=edit_user&error=12&id={$id}");
}
}
function doedit_user()
{
global $logon_db, $corem_db, $corem_db, $user_id, $user_lvl, $defaultoption, $user_name, $action_permission, $sql, $core;
valid_login($action_permission["update"]);
if ((!isset($_POST["pass"]) || $_POST["pass"] === '') && (!isset($_POST["mail"]) || $_POST["mail"] === '') && (!isset($_POST["expansion"]) || $_POST["expansion"] === '') && (!isset($_POST["referredby"]) || $_POST["referredby"] === '')) {
redirect("user.php?action=edit_user&acct={$_POST["acct"]}&error=1");
}
$acct = $sql["logon"]->quote_smart($_POST["acct"]);
$login = $sql["logon"]->quote_smart($_POST["login"]);
$screenname = $sql["mgr"]->quote_smart($_POST["screenname"]);
$banreason = $sql["logon"]->quote_smart($_POST["banreason"]);
$password = $sql["logon"]->quote_smart($_POST["pass"]);
//$user_password_change = ($password != sha1(strtoupper($login).":******")) ? "login='******',password='******'," : "";
$mail = isset($_POST["mail"]) && $_POST["mail"] != '' ? $sql["logon"]->quote_smart($_POST["mail"]) : "";
$failed = isset($_POST["failed"]) ? $sql["logon"]->quote_smart($_POST["failed"]) : 0;
$gmlevel = isset($_POST["gm"]) ? $sql["logon"]->quote_smart($_POST["gm"]) : 0;
$seclevel = isset($_POST["seclvl"]) ? $sql["logon"]->quote_smart($_POST["seclvl"]) : 0;
$webadmin = isset($_POST["webadmin"]) ? $sql["logon"]->quote_smart($_POST["webadmin"]) : 0;
$expansion = isset($_POST["expansion"]) ? $sql["logon"]->quote_smart($_POST["expansion"]) : $defaultoption;
$banned = isset($_POST["banned"]) ? $sql["logon"]->quote_smart($_POST["banned"]) : 0;
$locked = isset($_POST["locked"]) ? $sql["logon"]->quote_smart($_POST["locked"]) : 0;
$referredby = $sql["logon"]->quote_smart(trim($_POST["referredby"]));
$credits = $sql["logon"]->quote_smart($_POST["credits"]);
//make sure username/pass at least 4 chars long and less than max
if (strlen($login) < 4 || strlen($login) > 15) {
redirect("user.php?action=edit_user&acct=" . $acct . "&error=8");
}
// if we received a Screen Name, make sure it does not conflict with other Screen Names or with
// login names.
if ($screenname != $_POST["oldscreenname"]) {
$query = "SELECT * FROM config_accounts WHERE ScreenName='" . $screenname . "'";
$sn_result = $sql["mgr"]->query($query);
if ($sql["mgr"]->num_rows($sn_result) != 0) {
redirect('user.php?action=edit_user&acct=' . $acct . '&error=7&');
}
if ($core == 1) {
$query = "SELECT * FROM accounts WHERE login='******'";
} else {
$query = "SELECT * FROM account WHERE username='******'";
}
$sn_result = $sql["logon"]->query($query);
if ($sql["logon"]->num_rows($sn_result) != 0) {
redirect('user.php?action=edit_user&acct=' . $acct . '&error=7');
}
//make sure screen name is at least 4 chars long and less than max
if ($screenname) {
if (strlen($screenname) < 4 || strlen($screenname) > 15) {
redirect("user.php?action=edit_user&acct=" . $acct . "&error=8");
}
}
}
//restricting access to lower security level
if ($seclevel > $user_lvl || $user_lvl < $action_permission["delete"]) {
redirect("user.php?action=edit_user&acct=" . $_POST["acct"] . "&error=16");
}
require_once "libs/valid_lib.php";
if (!valid_alphabetic($login)) {
redirect("user.php?action=edit_user&error=9&acct=" . $acct);
}
// record changes to Banned status
if (!$banned) {
if ($core == 1) {
$sql["logon"]->query("UPDATE accounts SET banned=0 WHERE acct='" . $acct . "'");
} else {
$sql["logon"]->query("DELETE FROM account_banned WHERE id='" . $acct . "'");
}
} else {
if ($core == 1) {
$ban_count = "SELECT COUNT(*) FROM accounts WHERE banned<>0 AND acct='" . $acct . "'";
} else {
$ban_count = "SELECT COUNT(*) FROM account_banned WHERE active<>0 AND id='" . $acct . "'";
}
$result = $sql["logon"]->query($ban_count);
if (!$sql["logon"]->result($result, 0)) {
if ($core == 1) {
$ban_query = "INSERT INTO accounts (acct, banned, banreason) VALUES ('" . $acct . "', '" . (time() + 365 * 24 * 3600) . "', '" . $banreason . "')";
} else {
$ban_query = "INSERT INTO account_banned (id, bandate, unbandate, bannedby, banreason, active)\r\n VALUES (" . $acct . ", " . time() . ", " . (time() + 365 * 24 * 3600) . ", '" . $user_name . "', '" . $banreason . "', 1)";
}
} else {
// this_is_junk: I removed the SETs for when the ban expires because it was extending the ban
// hopefully this won't cause other problems
if ($core == 1) {
$ban_query = "UPDATE accounts SET banreason='" . $banreason . "' WHERE acct='" . $acct . "'";
} else {
$ban_query = "UPDATE account_banned SET banreason='" . $banreason . "', active=1 WHERE id='" . $acct . "'";
}
}
$sql["logon"]->query($ban_query);
}
// record changes in Credits
if ($core == 1) {
$acct_name_query = "SELECT login FROM `" . $logon_db["name"] . "`.accounts WHERE acct='" . $acct . "'";
} else {
$acct_name_query = "SELECT username AS login FROM `" . $logon_db["name"] . "`.account WHERE id='" . $acct . "'";
}
$acct_name_result = $sql["logon"]->query($acct_name_query);
$acct_name_result = $sql["logon"]->fetch_assoc($acct_name_result);
$credit_query = "UPDATE config_accounts SET Credits='" . $credits . "' WHERE Login='******'";
$credit_result = $sql["mgr"]->query($credit_query);
// record changes in Security Level
if ($core == 1) {
$acct_name_query = "SELECT login FROM `" . $logon_db["name"] . "`.accounts WHERE acct='" . $acct . "'";
} else {
$acct_name_query = "SELECT username AS login FROM `" . $logon_db["name"] . "`.account WHERE id='" . $acct . "'";
}
$sec_level_query = "SELECT * FROM config_accounts WHERE Login=(" . $acct_name_query . ") COLLATE utf8_general_ci";
$sec_level_result = $sql["mgr"]->query($sec_level_query);
$sec_level_fields = $sql["mgr"]->fetch_assoc($sec_level_result);
if ($sec_level_fields["SecurityLevel"] != NULL || $sec_level_fields["SecurityLevel"] != $seclevel) {
$sec_level_query = "UPDATE config_accounts SET SecurityLevel='" . ($seclevel + $webadmin) . "' WHERE Login=(" . $acct_name_query . ") COLLATE utf8_general_ci";
} else {
$sec_level_query = "INSERT INTO config_accounts (Login, SecurityLevel) VALUES ((" . $acct_name_query . "), '" . ($seclevel + $webadmin) . "')";
}
$sec_level_result = $sql["mgr"]->query($sec_level_query);
// record Screen Name
if ($screenname != $_POST["oldscreenname"] || $login != $_POST["oldlogin"]) {
if ($login == $_POST["oldlogin"]) {
$temp_login = $_POST["oldlogin"];
} else {
$temp_login = $login;
}
$query = "SELECT * FROM config_accounts WHERE Login='******'";
$sn_result = $sql["mgr"]->query($query);
if ($sql["mgr"]->num_rows($sn_result)) {
$s_result = $sql["mgr"]->query("UPDATE config_accounts SET Login='******', ScreenName='" . $screenname . "' WHERE Login='******'");
} else {
$s_result = $sql["mgr"]->query("INSERT INTO config_accounts (Login, ScreenName) VALUES ('" . $login . "', '" . $screenname . "')");
}
} else {
$s_result = true;
}
// ArcEmu: find out if we're using an encrypted password for this account
if ($core == 1) {
$pass_query = "SELECT * FROM accounts WHERE login='******' AND encrypted_password<>''";
$pass_result = $sql["logon"]->query($pass_query);
$arc_encrypted = $sql["logon"]->num_rows($pass_result);
}
// record changes to account
if ($password == "******") {
if ($core == 1) {
$a_result = $sql["logon"]->query("UPDATE accounts SET login='******', email='" . $mail . "', muted='" . $locked . "', gm='" . $gmlevel . "', flags='" . $expansion . "' WHERE acct=" . $acct);
} elseif ($core == 2) {
$a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', locked='" . $locked . "', gmlevel='" . $gmlevel . "', expansion='" . $expansion . "' WHERE id=" . $acct);
} else {
// Trinity makes things a little more complex
$a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', locked='" . $locked . "', expansion='" . $expansion . "' WHERE id=" . $acct);
$gm_query = "SELECT * FROM account_access WHERE id='" . $acct . "'";
$gm_result = $sql["logon"]->query($gm_query);
$gm = $sql["logon"]->fetch_assoc($gm_result);
if ($gm["gmlevel"] == NULL) {
$gm_result = $sql["logon"]->query("INSERT INTO account_access (id, gmlevel, RealmID) VALUES ('" . $acct . "', '" . $gmlevel . "', -1)");
} else {
$gm_result = $sql["logon"]->query("UPDATE account_access SET gmlevel='" . $gmlevel . "' WHERE id='" . $acct . "'");
}
}
} else {
if ($core == 1) {
if ($arc_encrypted) {
$a_result = $sql["logon"]->query("UPDATE accounts SET login='******', email='" . $mail . "', encrypted_password='******', muted='" . $locked . "', gm='" . $gmlevel . "', flags='" . $expansion . "' WHERE acct=" . $acct);
} else {
$a_result = $sql["logon"]->query("UPDATE accounts SET login='******', email='" . $mail . "', password='******', muted='" . $locked . "', gm='" . $gmlevel . "', flags='" . $expansion . "' WHERE acct=" . $acct);
}
} elseif ($core == 2) {
$a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', sha_pass_hash=UCASE('" . $password . "'), locked='" . $locked . "', gmlevel='" . $gmlevel . "', expansion='" . $expansion . "', v=0, s=0 WHERE id=" . $acct);
} else {
// Trinity makes things a little more complex
$a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', sha_pass_hash=UCASE('" . $password . "'), locked='" . $locked . "', expansion='" . $expansion . "', v=0, s=0 WHERE id=" . $acct);
$gm_query = "SELECT * FROM account_access WHERE id='" . $acct . "'";
$gm_result = $sql["logon"]->query($gm_query);
$gm = $sql["logon"]->fetch_assoc($gm_result);
if ($gm["gmlevel"] == NULL) {
$gm_result = $sql["logon"]->query("INSERT INTO account_access (id, gmlevel, RealmID) VALUES ('" . $acct . "', '" . $gmlevel . "', -1)");
} else {
$gm_result = $sql["logon"]->query("UPDATE account_access SET gmlevel='" . $gmlevel . "' WHERE id='" . $acct . "'");
}
}
}
$result = $s_result && $a_result;
if (doupdate_referral($referredby, $acct) || $result) {
redirect("user.php?action=edit_user&error=13&acct=" . $acct);
} else {
redirect("user.php?action=edit_user&error=12&acct=" . $acct);
}
}
function doregister()
{
global $characters_db, $logon_db, $corem_db, $realm_id, $disable_acc_creation, $invite_only, $lang, $limit_acc_per_ip, $valid_ip_mask, $send_mail_on_creation, $create_acc_locked, $from_mail, $mailer_type, $smtp_cfg, $title, $expansion_select, $defaultoption, $GMailSender, $format_mail_html, $enable_captcha, $use_recaptcha, $recaptcha_private_key, $send_confirmation_mail_on_creation, $sql, $url_path, $initial_credits, $core;
// ArcEmu: if one account has an encrypted password all new accounts will as well
if ($core == 1) {
$pass_query = "SELECT * FROM accounts WHERE encrypted_password<>'' LIMIT 1";
$pass_result = $sql["logon"]->query($pass_query);
$arc_encrypted = $sql["logon"]->num_rows($pass_result);
}
if ($enable_captcha) {
if ($use_recaptcha) {
require_once 'libs/recaptcha/recaptchalib.php';
$resp = recaptcha_check_answer($recaptcha_private_key, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
redirect("register.php?err=13");
}
} else {
if ($_POST["security_code"] != $_SESSION["security_code"]) {
redirect("register.php?err=13");
}
}
}
if (empty($_POST["pass"]) || empty($_POST["email"]) || empty($_POST["username"])) {
redirect("register.php?err=1");
}
// if Disable Account Creation is enabled and Invitation Only is disabled then we error out
if ($disable_acc_creation && !$invite_only) {
redirect("register.php?err=4");
}
// if Invitation Only is enabled and we didn't get an Invitation Key then we error out
if ($invite_only && !isset($_POST["invitationkey"])) {
redirect("register.php?err=4");
}
if (filter_var(getenv("HTTP_X_FORWARDED_FOR"), FILTER_VALIDATE_IP)) {
$last_ip = $sql["mgr"]->quote_smart(getenv("HTTP_X_FORWARDED_FOR"));
} else {
$last_ip = $sql["mgr"]->quote_smart(getenv("REMOTE_ADDR"));
}
if (sizeof($valid_ip_mask)) {
$qFlag = 0;
$user_ip_mask = explode('.', $last_ip);
foreach ($valid_ip_mask as $mask) {
$vmask = explode('.', $mask);
$v_count = 4;
$i = 0;
foreach ($vmask as $range) {
$vmask_h = explode('-', $range);
if (isset($vmask_h[1])) {
if ($vmask_h[0] >= $user_ip_mask[$i] && $vmask_h[1] <= $user_ip_mask[$i]) {
$v_count--;
}
} else {
if ($vmask_h[0] == $user_ip_mask[$i]) {
$v_count--;
}
}
$i++;
}
if (!$v_count) {
$qFlag++;
break;
}
}
if (!$qFlag) {
redirect("register.php?err=9&usr="******"logon"]->quote_smart(trim($_POST["username"]));
$screenname = !empty($_POST["screenname"]) ? $sql["mgr"]->quote_smart(trim($_POST["screenname"])) : NULL;
$pass = $sql["logon"]->quote_smart($_POST["pass"]);
$pass1 = $sql["logon"]->quote_smart($_POST["pass1"]);
// get invitation key
$invite_key = isset($_POST["invitationkey"]) ? $sql["logon"]->quote_smart($_POST["invitationkey"]) : NULL;
// check it for XSS
if ($invite_key != htmlspecialchars($_POST["invitationkey"])) {
redirect("register.php?err=4");
}
// make sure username/pass at least 4 chars long and less than max
if (strlen($user_name) < 4 || strlen($user_name) > 15) {
redirect("register.php?err=5");
}
if ($core == 1 && !$arc_encrypted) {
if (strlen($pass) < 4 || strlen($pass) > 15) {
redirect("register.php?err=5");
}
} else {
if (strlen($pass1) < 4 || strlen($pass1) > 15) {
redirect("register.php?err=5");
}
}
// make sure screen name is at least 4 chars long and less than max
if (isset($screenname)) {
if (strlen($screenname) < 4 || strlen($screenname) > 15) {
redirect("register.php?err=5");
}
}
require_once "libs/valid_lib.php";
// make sure it doesnt contain non english chars.
if (!valid_alphabetic($user_name)) {
redirect("register.php?err=6");
}
// make sure screen name doesnt contain non english chars.
if (!valid_alphabetic($screenname)) {
redirect("register.php?err=6");
}
// make sure the mail is valid mail format
$mail = $sql["logon"]->quote_smart(trim($_POST["email"]));
if (!valid_email($mail) || strlen($mail) > 254) {
redirect("register.php?err=7");
}
// if we limit accounts per ip, we'll need to throw an error
if ($limit_acc_per_ip) {
if ($core == 1) {
$result = $sql["logon"]->query("SELECT login, email FROM accounts WHERE lastip='" . $last_ip . "'");
} else {
$result = $sql["logon"]->query("SELECT username AS login, email FROM account WHERE last_ip='" . $last_ip . "'");
}
if ($sql["logon"]->num_rows($result)) {
redirect("register.php?err=15");
}
}
// IP is in ban list
if ($core == 1) {
$result = $sql["logon"]->query("SELECT ip FROM ipbans WHERE ip='" . $last_ip . "'");
} else {
$result = $sql["logon"]->query("SELECT ip FROM ip_banned WHERE ip='" . $last_ip . "'");
}
if ($sql["logon"]->num_rows($result)) {
redirect("register.php?err=8&usr="******"logon"]->query("SELECT login, email FROM accounts WHERE email='" . $mail . "'");
} else {
$result = $sql["logon"]->query("SELECT username AS login, email FROM account WHERE email='" . $mail . "'");
}
if ($sql["logon"]->num_rows($result)) {
redirect("register.php?err=14");
}
// username check
if ($core == 1) {
$result = $sql["logon"]->query("SELECT login, email FROM accounts WHERE login='******' OR login='******'");
} else {
$result = $sql["logon"]->query("SELECT username AS login, email FROM account WHERE username='******' OR username='******'");
}
// make sure we got a valid Invitation Key
if ($invite_only) {
$check_invite_query = "SELECT * FROM invitations WHERE invited_email='" . $mail . "' AND invitation_key='" . $invite_key . "'";
$check_invite_result = $sql["mgr"]->query($check_invite_query);
$check_invite = $sql["mgr"]->num_rows($check_invite_result);
if ($check_invite == 0) {
redirect("register.php?err=17&by=" . $_POST["invitedby"] . "&key=" . $invite_key);
}
}
if ($sql["logon"]->num_rows($result)) {
// there is already someone with same account name
redirect("register.php?err=3&usr="******"SELECT * FROM config_accounts WHERE ScreenName='" . $screenname . "'";
$result = $sql["mgr"]->query($query);
if ($sql["mgr"]->num_rows($result)) {
redirect("register.php?err=3&usr="******"expansion"]) ? $sql["logon"]->quote_smart($_POST["expansion"]) : 0;
} else {
$expansion = $defaultoption;
}
// insert screen name (if we didn't get a screen name, we still need to exit registration correctly.
if ($screenname) {
$query = "INSERT INTO config_accounts (Login, ScreenName, Credits) VALUES ('" . $user_name . "', '" . $screenname . "', '" . $initial_credits . "')";
} else {
$query = "INSERT INTO config_accounts (Login, ScreenName, Credits) VALUES ('" . $user_name . "', '', '" . $initial_credits . "')";
}
$s_result = $sql["mgr"]->query($query);
if ($send_confirmation_mail_on_creation) {
// for email confirmation we save their real password to their config_accounts entry
// and a temporary (and incorrect) password into the logon database
$temppass = $pass;
$pass_gen_list = "abcdefghijklmnopqrstuvwxyz";
// generate a random, temporary pass
$pass = $pass_gen_list[rand(0, 25)];
$pass .= $pass_gen_list[rand(0, 25)];
$pass .= $pass_gen_list[rand(0, 25)];
$pass .= rand(1, 9);
$pass .= rand(1, 9);
$pass .= rand(1, 9);
$pass .= $pass_gen_list[rand(0, 25)];
// save their real password
$query = "UPDATE config_accounts SET TempPassword='******' WHERE Login='******'";
$q_result = $sql["mgr"]->query($query);
// now; we create their, temporarily crippled, account
if ($core == 1) {
$query = "INSERT INTO accounts (login, password, gm, banned, email, flags) VALUES ('" . $user_name . "', '" . $pass . "', '0', '0', '" . $mail . "', '" . $expansion . "')";
} else {
$query = "INSERT INTO account (username, sha_pass_hash, email, expansion) VALUES ('" . $user_name . "', '" . sha1(strtoupper($user_name . ":" . $pass)) . "', '" . $mail . "', '" . $expansion . "')";
}
$a_result = $sql["logon"]->query($query);
} else {
// otherwise, we just save
if ($core == 1) {
if ($arc_encrypted) {
$query = "INSERT INTO accounts (login, password, encrypted_password, gm, banned, email, flags) VALUES ('" . $user_name . "', '', '" . $pass . "', '0', '0', '" . $mail . "', '" . $expansion . "')";
} else {
$query = "INSERT INTO accounts (login, password, gm, banned, email, flags) VALUES ('" . $user_name . "', '" . $pass . "', '0', '0', '" . $mail . "', '" . $expansion . "')";
}
} else {
$query = "INSERT INTO account (username, sha_pass_hash, email, expansion) VALUES ('" . $user_name . "', '" . $pass . "', '" . $mail . "', '" . $expansion . "')";
}
$a_result = $sql["logon"]->query($query);
}
// if we got an Invitation Key then we need to remove the invitation
if (isset($invite_key)) {
$clear_invite_query = "DELETE FROM invitations WHERE invitation_key='" . $invite_key . "'";
$clear_invite_result = $sql["mgr"]->query($clear_invite_query);
}
// do referral
if ($core == 1) {
$our_acct_query = "SELECT acct AS id FROM accounts WHERE login='******'";
} else {
$our_acct_query = "SELECT id FROM account WHERE username='******'";
}
$our_acct_result = $sql["logon"]->query($our_acct_query);
$our_acct_result = $sql["logon"]->fetch_assoc($our_acct_result);
$our_acct = $our_acct_result["id"];
$referredby = isset($_POST["invitedby"]) ? $sql["logon"]->quote_smart($_POST["invitedby"]) : NULL;
$referralresult = doupdate_referral($referredby, $our_acct);
// Trinity uses a separate table for gm levels and realm access
if ($core == 3) {
$id_query = "SELECT * FROM account WHERE username='******'";
$id_result = $sql["logon"]->query($id_query);
$id_fields = $sql["logon"]->fetch_assoc($id_result);
$new_id = $id_fields["id"];
$query = "INSERT INTO account_access (id, gmlevel, RealmID) VALUES ('" . $new_id . "', '0', '-1')";
$aa_result = $sql["logon"]->query($query);
}
// compile results
if ($core != 3) {
$result = $s_result && $a_result;
} else {
$result = $s_result && $a_result && $aa_result;
}
// destroy the terms cookie
setcookie("terms", "", time() - 3600);
// set $lang global
if (empty($_POST["lang"])) {
redirect("register.php?error=1");
} else {
$lang = addslashes($_POST["lang"]);
}
// create lang cookie
if ($lang) {
setcookie("lang", $lang, time() + 60 * 60 * 24 * 30 * 6);
} else {
redirect("register.php?error=1");
}
// registration emails
if ($send_confirmation_mail_on_creation) {
// we send our confirmation message
// prepare message
if ($format_mail_html) {
$file_name = "lang/mail_templates/" . $lang . "/mail_activate.tpl";
} else {
$file_name = "lang/mail_templates/" . $lang . "/mail_activate_nohtml.tpl";
}
$fh = fopen($file_name, 'r');
$subject = fgets($fh, 4096);
$body = fread($fh, filesize($file_name));
fclose($fh);
$subject = str_replace("<title>", $title, $subject);
if ($format_mail_html) {
$body = str_replace("\n", "<br />", $body);
$body = str_replace("\r", " ", $body);
}
$body = str_replace("<core>", core_name($core), $body);
$body = str_replace("<username>", $user_name, $body);
if ($screenname) {
$body = str_replace("<screenname>", $screenname, $body);
} else {
$body = str_replace("<screenname>", "NONE GIVEN", $body);
}
$body = str_replace("<password>", $pass1, $body);
$server_addr = $_SERVER["SERVER_PORT"] != 80 ? $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] : $_SERVER["SERVER_NAME"];
// if we aren't installed in / then append the path to $server_addr
$server_addr .= $url_path != "" ? $url_path : "";
$body = str_replace("<base_url>", $server_addr, $body);
if ($core == 1) {
if ($arc_encrypted) {
$body = str_replace("<key>", $temppass, $body);
} else {
$body = str_replace("<key>", sha1(strtoupper($user_name . ":" . $temppass)), $body);
}
} else {
$body = str_replace("<key>", $temppass, $body);
}
if ($GMailSender) {
require_once "libs/mailer/authgMail_lib.php";
$fromName = $title . " Admin";
authgMail($from_mail, $fromName, $mail, $mail, $subject, $body, $smtp_cfg);
} else {
require_once "libs/mailer/class.phpmailer.php";
$mailer = new PHPMailer();
$mailer->Mailer = $mailer_type;
if ($mailer_type == "smtp") {
$mailer->Host = $smtp_cfg["host"];
$mailer->Port = $smtp_cfg["port"];
if ($smtp_cfg["user"] != "") {
$mailer->SMTPAuth = true;
$mailer->Username = $smtp_cfg["user"];
$mailer->Password = $smtp_cfg["pass"];
}
}
$mailer->WordWrap = 50;
$mailer->From = $from_mail;
$mailer->FromName = $title . " Admin";
$mailer->Subject = $subject;
$mailer->IsHTML($format_mail_html);
$mailer->Body = $body;
$mailer->AddAddress($mail);
$mailer->Send();
$mailer->ClearAddresses();
}
} else {
// we only send the welcome message if we don't send the confirmation
if ($send_mail_on_creation) {
// prepare message
if ($format_mail_html) {
$file_name = "lang/mail_templates/" . $lang . "/mail_welcome.tpl";
} else {
$file_name = "lang/mail_templates/" . $lang . "/mail_welcome_nohtml.tpl";
}
$fh = fopen($file_name, 'r');
$subject = fgets($fh, 4096);
$subject = str_replace("Subject: ", "", $subject);
$subject = trim($subject);
$body = fread($fh, filesize($file_name));
fclose($fh);
$subject = str_replace("<title>", $title, $subject);
if ($format_mail_html) {
$body = str_replace("\n", "<br />", $body);
$body = str_replace("\r", "", $body);
}
$body = str_replace("<core>", core_name($core), $body);
$body = str_replace("<username>", $user_name, $body);
if ($screenname) {
$body = str_replace("<screenname>", $screenname, $body);
} else {
$body = str_replace("<screenname>", "NONE GIVEN", $body);
}
$body = str_replace("<password>", $pass1, $body);
$server_addr = $_SERVER["SERVER_PORT"] != 80 ? $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] : $_SERVER["SERVER_NAME"];
// if we aren't installed in / then append the path to $server_addr
$server_addr .= $url_path != "" ? $url_path : "";
$body = str_replace("<base_url>", $server_addr, $body);
if ($GMailSender) {
require_once "libs/mailer/authgMail_lib.php";
$fromName = $title . " Admin";
authgMail($from_mail, $fromName, $mail, $mail, $subject, $body, $smtp_cfg);
} else {
require_once "libs/mailer/class.phpmailer.php";
$mailer = new PHPMailer();
$mailer->Mailer = $mailer_type;
if ($mailer_type == "smtp") {
$mailer->Host = $smtp_cfg["host"];
$mailer->Port = $smtp_cfg["port"];
if ($smtp_cfg["user"] != "") {
$mailer->SMTPAuth = true;
$mailer->Username = $smtp_cfg["user"];
$mailer->Password = $smtp_cfg["pass"];
}
}
$mailer->WordWrap = 50;
$mailer->From = $from_mail;
$mailer->FromName = $title . " Admin";
$mailer->Subject = $subject;
$mailer->IsHTML($format_mail_html);
$mailer->Body = $body;
$mailer->AddAddress($mail);
$mailer->Send();
$mailer->ClearAddresses();
}
}
}
if ($result) {
if ($referralresult) {
$appendinfo = "";
} else {
$appendinfo = "&info=1";
}
if ($send_confirmation_mail_on_creation) {
redirect("login.php?error=8" . $appendinfo);
} else {
redirect("login.php?error=6" . $appendinfo);
}
}
}
}
