Exemplo n.º 1
0
/**
 * @param string $code
 * @param string $user
 * @param string $pass
 */
function change_password($code, $user, $pass)
{
    $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
    $link = connect();
    $sql = "SELECT recovery FROM users WHERE user = :user";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    if ($ua = $stmt->fetch(PDO::FETCH_ASSOC)) {
        if ($use_password_verify && !password_verify($code, $ua['recovery']) || !$use_password_verify && !(hash("sha256", $code) === $ua['recovery'])) {
            $link = null;
            die("Error: Invalid request code (2).");
        }
    } else {
        $link = null;
        die("Error: User not found (2).");
    }
    $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
    $recovery = $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand());
    if ($use_password_verify) {
        $hashedPassword = password_hash($pass, SYNAPP_PASSWORD_DEFAULT);
    } else {
        $hashedPassword = hash("sha256", $pass . NORAINBOW_SALT);
    }
    $sql = "UPDATE users SET pass = :hashedPassword, recovery = :recovery WHERE user = :user";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':hashedPassword', $hashedPassword, PDO::PARAM_STR);
    $stmt->bindValue(':recovery', $recovery, PDO::PARAM_STR);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    if ($stmt->execute() === false) {
        die("Error: " . var_export($link->errorInfo(), true));
    }
    $link = null;
    echo "<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>" . PR_TITLE_3 . " " . $user . "</title></head><body>\n    <p>" . PR_DONE_1 . " " . $user . " " . PR_DONE_2 . "</p>\n    <p><a href='../index.php'>" . PR_HOME . "</a></p>\n    </body></html>";
}
Exemplo n.º 2
0
/**
 * @param string $user
 * @param string $old
 * @param string $pass
 * @param PDO $link
 * @return bool
 */
function change_pass($user, $old, $pass, $link)
{
    $sql = "SELECT pass, last_login FROM users WHERE user = :user";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':user', $user);
    $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
    if ($stmt->execute() !== false && ($ua = $stmt->fetch(PDO::FETCH_ASSOC))) {
        if ($ua['last_login'] >= PRENORAINBOW_TIMESTAMP && (!$use_password_verify || $ua['last_login'] < PRENOPHASH_TIMESTAMP) && $ua['pass'] !== hash("sha256", $old . NORAINBOW_SALT) || $ua['last_login'] < PRENORAINBOW_TIMESTAMP && $ua['pass'] !== hash("sha256", hash("sha256", $old) . NORAINBOW_SALT) || $use_password_verify && $ua['last_login'] >= PRENOPHASH_TIMESTAMP && !password_verify($old, $ua['pass'])) {
            return false;
        }
    } else {
        $link = null;
        die("Error: User not found.");
    }
    $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
    $recovery = $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand());
    if ($use_password_verify) {
        $hashedPassword = password_hash($pass, SYNAPP_PASSWORD_DEFAULT);
    } else {
        $hashedPassword = hash("sha256", $pass . NORAINBOW_SALT);
    }
    $sql = "UPDATE users SET pass = :hashedpass, recovery = :recovery WHERE user = :user";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':hashedpass', $hashedPassword, PDO::PARAM_STR);
    $stmt->bindValue(':recovery', $recovery, PDO::PARAM_STR);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    if ($stmt->execute() === false) {
        die("Error: " . var_export($link->errorInfo(), true));
    }
    return true;
}
Exemplo n.º 3
0
/**
 * @param string $input
 */
function password_restore_email($input)
{
    $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
    $link = connect();
    if (parse_email($input, 0) == 0) {
        $sql = "SELECT * FROM users WHERE email = :input AND confirmed_email = 1";
        $isemail = true;
    } else {
        $sql = "SELECT * FROM users WHERE user = :input";
        $isemail = false;
    }
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':input', $input, PDO::PARAM_STR);
    $stmt->execute();
    $link = null;
    $ua = $stmt->fetch(PDO::FETCH_ASSOC);
    $emailnotfound = true;
    $usernotfound = true;
    if (isset($ua['email']) && $ua['email'] !== '') {
        $usernotfound = false;
        if ($ua['email'] != '' && parse_email($ua['email']) == 0 && $ua['confirmed_email'] == 1) {
            $emailnotfound = false;
        }
    }
    if (!$emailnotfound) {
        $user = $ua['user'];
        $link = connect();
        $sql = "UPDATE users SET recovery = :recovery WHERE user = :user";
        $stmt = $link->prepare($sql);
        $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
        $code = $prng->rand();
        $stmt->bindValue(':recovery', $use_password_verify ? password_hash($code, SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $code), PDO::PARAM_STR);
        $stmt->bindValue(':user', $user);
        $stmt->execute();
        $email = $ua['email'];
        $to = $email;
        $subject = passresout('subject', $user);
        $mime_boundary = hash("sha256", time());
        $msg = passresout('email', $user, $email, $code, $mime_boundary);
        $headers = passresout('headers', $mime_boundary);
        mail($to, $subject, $msg, $headers);
        if ($isemail) {
            echo passresout('prmailsenttoaddress', $input);
        } else {
            echo passresout('prmailsenttouser', $input);
        }
    } else {
        if ($isemail) {
            echo passresout('emailnotfound', $input);
        } else {
            if ($usernotfound) {
                echo passresout('usernotfound', $input);
            } else {
                echo passresout('novalidemailassociated', $input);
            }
        }
    }
}
/**
 * @param string $email
 * @param \PDO $link
 */
function send_confirmation_email($email, $link)
{
    $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
    $user = $_SESSION['user_array']['user'];
    $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
    $code = $prng->rand();
    //validation code
    $sql = "UPDATE users SET email_confirmation_code = :confirmationcode, confirmed_email = b'0' WHERE user = :user";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':confirmationcode', $use_password_verify ? password_hash($code, SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $code), PDO::PARAM_STR);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    $subject = PR_MAIL_SUBJECT_1 . $user . PR_MAIL_SUBJECT_2;
    $mime_boundary = hash("sha256", time());
    $msg = PR_MAIL_TO . " " . $email;
    $msg .= " " . PR_MAIL_USR_1 . " " . $user;
    $msg .= PR_MAIL_USR_2 . PHP_EOL . PHP_EOL;
    $msg .= PR_MAIL_NR . PHP_EOL . PHP_EOL;
    $msg .= PR_MAIL_IGNORE . PHP_EOL . PHP_EOL;
    $msg .= PR_MAIL_DO . PHP_EOL . PHP_EOL;
    $msg .= SYNAPP_BASE_URL_HTTP . "/account/confirm_email.php?user="******"&code=" . $code . " " . PR_MAIL_DO_HTTP . PHP_EOL . PHP_EOL;
    $msg .= SYNAPP_BASE_URL_HTTPS . "/account/confirm_email.php?user="******"&code=" . $code . " " . PR_MAIL_DO_HTTPS;
    $msg .= PHP_EOL . PHP_EOL;
    $msg .= "--" . $mime_boundary . "--" . PHP_EOL . PHP_EOL;
    // finish with two eol's for better security. see Injection.
    # Common Headers
    $time = time();
    $now = (int) (date('Y', $time) . date('m', $time) . date('j', $time));
    $headers = 'From: SYNAPP mailer <' . SYNAPP_NO_REPLY . '@' . SYNAPP_MAIL_DOMAIN . '>' . PHP_EOL;
    $headers .= 'Reply-To: noreply <' . SYNAPP_NO_REPLY . '@' . SYNAPP_MAIL_DOMAIN . '>' . PHP_EOL;
    $headers .= 'Return-Path: noreply <' . SYNAPP_NO_REPLY . '@' . SYNAPP_MAIL_DOMAIN . '>' . PHP_EOL;
    // these two to set reply address
    $headers .= "Message-ID:<" . $now . " admin@" . $_SERVER['SERVER_NAME'] . ">" . PHP_EOL;
    $headers .= "X-Mailer: PHP v" . phpversion() . PHP_EOL;
    // These two to help avoid spam-filters
    # Boundry for marking the split & Multitype Headers
    $headers .= 'MIME-Version: 1.0' . PHP_EOL;
    $headers .= "Content-Type: text/plain; charset=\"utf-8\"" . PHP_EOL . PHP_EOL;
    mail($email, $subject, $msg, $headers);
    $sql = "UPDATE users SET confirmed_email = 0 WHERE user = :user";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':user', $user);
    $stmt->execute();
    $_SESSION['user_array']['confirmed_email'] = chr(0);
}
Exemplo n.º 5
0
/**
 * @param string $user
 * @param string $pass
 * @param PDO $link
 * @param bool $confirm
 * @return bool
 */
function process_login($user, $pass, $link, $confirm = false)
{
    $_SESSION['auth'] = false;
    $_SESSION['user'] = $user;
    if ($_SESSION['user_count'] > 6 && !captcha_verify_word()) {
        $_SESSION['login_err'] = 3;
        return false;
    }
    $sql = "SELECT * FROM users WHERE user = :user";
    $stmt = $link->prepare($sql);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    if ($stmt->execute() !== false && ($user_array = $stmt->fetch(PDO::FETCH_ASSOC))) {
        $_SESSION['pass_count'] = $user_array['missed_logins'];
        if ($user_array['active'] == 0) {
            $_SESSION['login_err'] = 403;
        }
        if (($user_array['missed_logins'] > 9 || $confirm) && !captcha_verify_word()) {
            $_SESSION['login_err'] = 3;
            return false;
        }
        $hashOK = false;
        $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') ? is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) ? strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) : SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION : false;
        if ($use_password_verify === true || $use_password_verify === 'on' || $use_password_verify === 'true') {
            $use_password_verify = true;
            if (password_verify($pass, $user_array['pass'])) {
                $hashOK = true;
            }
        } else {
            if ($user_array['pass'] === hash("sha256", $pass . NORAINBOW_SALT)) {
                $hashOK = true;
            }
        }
        $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
        if ($hashOK) {
            $_SESSION['user_array'] = $user_array;
            $_SESSION['auth'] = true;
            $_SESSION['justlogged'] = true;
            $_SESSION['if_lang'] = $_SESSION['user_array']['interface_language'];
            $_SESSION['user_count'] = 1;
            $_SESSION['pass_count'] = 0;
            $user_array['missed_logins'] = 0;
            $time = time();
            if (!$confirm) {
                $sql = "UPDATE users SET recovery = :recovery WHERE user = :user";
                $stmt = $link->prepare($sql);
                $stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
                $stmt->bindValue(':user', $user, PDO::PARAM_STR);
                if ($stmt->execute() === false) {
                    error_log(var_export($link->errorInfo(), true));
                    die("Error performing database operation.");
                }
            }
            if (($ip = ip2long($_SERVER['REMOTE_ADDR'])) === false) {
                $ip = 0;
            }
            $sql = "UPDATE users SET missed_logins='0', last_login = :time, ip = :ip WHERE user = :user";
            $stmt = $link->prepare($sql);
            $stmt->bindValue(':time', $time, PDO::PARAM_INT);
            $stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
            $stmt->bindValue(':user', $user, PDO::PARAM_STR);
            if ($stmt->execute() === false) {
                error_log(var_export($link->errorInfo(), true));
                die("Error performing database operation.");
            }
            return true;
        } else {
            if ($user_array['last_login'] < PRENORAINBOW_TIMESTAMP && $user_array['pass'] === hash("sha256", hash("sha256", $pass) . NORAINBOW_SALT) || $use_password_verify && $user_array['last_login'] < PRENOPHASH_TIMESTAMP && $user_array['pass'] === hash("sha256", $pass . NORAINBOW_SALT)) {
                $_SESSION['user_array'] = $user_array;
                $_SESSION['auth'] = true;
                $_SESSION['justlogged'] = true;
                $_SESSION['if_lang'] = $_SESSION['user_array']['interface_language'];
                $_SESSION['user_count'] = 1;
                $_SESSION['pass_count'] = 0;
                $user_array['missed_logins'] = 0;
                $time = time();
                if (!$confirm) {
                    $sql = "UPDATE users SET recovery = :recovery WHERE user = :user";
                    $stmt = $link->prepare($sql);
                    $stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
                    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
                    if ($stmt->execute() === false) {
                        error_log(var_export($link->errorInfo(), true));
                        die("Error performing database operation.");
                    }
                }
                if (($ip = ip2long($_SERVER['REMOTE_ADDR'])) === false) {
                    $ip = 0;
                }
                $passParamValue = $use_password_verify ? password_hash($pass, SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $pass . NORAINBOW_SALT);
                $sql = "UPDATE users SET missed_logins='0', last_login=:time, ip=:ip, pass = :pass WHERE user = :user";
                $stmt = $link->prepare($sql);
                $stmt->bindValue(':time', $time, PDO::PARAM_INT);
                $stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
                $stmt->bindValue(':pass', $passParamValue, PDO::PARAM_STR);
                $stmt->bindValue(':user', $user, PDO::PARAM_STR);
                if ($stmt->execute() === false) {
                    error_log(var_export($link->errorInfo(), true));
                    die("Error performing database operation.");
                }
                return true;
            } else {
                $_SESSION['login_err'] = 1;
                $user_array['missed_logins']++;
                $_SESSION['pass_count'] = $user_array['missed_logins'];
                $sql = "UPDATE users SET missed_logins = :missed_logins WHERE user = :user";
                $stmt = $link->prepare($sql);
                $stmt->bindValue(':missed_logins', $user_array['missed_logins'], PDO::PARAM_INT);
                $stmt->bindValue(':user', $user, PDO::PARAM_STR);
                if ($stmt->execute() === false) {
                    error_log(var_export($link->errorInfo(), true));
                    die("Error performing database operation.");
                }
                return false;
            }
        }
    } else {
        $_SESSION['login_err'] = 2;
        $_SESSION['user_count']++;
        return false;
    }
}
Exemplo n.º 6
0
         $body = PR_ERR_MAIL_ALREADY_ASSOC;
         /* If the user matches the error would be the $code mismatch */
         $break = true;
     } else {
         $insert = false;
     }
 }
 if (!$break) {
     if ($insert) {
         $sql = "INSERT INTO confirmed_emails VALUES ( :user , :email )";
         $stmt = $link->prepare($sql);
         $stmt->bindValue(':user', $_POST['user'], PDO::PARAM_STR);
         $stmt->bindValue(':email', $row['email'], PDO::PARAM_STR);
         $stmt->execute();
     }
     $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
     $newccode = $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand());
     $sql = "UPDATE users SET email_confirmation_code = :newccode , confirmed_email = b'1' WHERE user = :user";
     $stmt = $link->prepare($sql);
     $stmt->bindValue(':newccode', $newccode, PDO::PARAM_STR);
     $stmt->bindValue(':user', $user, PDO::PARAM_STR);
     $stmt->execute();
     if (isset($_SESSION['user_array'])) {
         if ($_SESSION['user_array']['user'] === $user) {
             $_SESSION['user_array']['confirmed_email'] = chr(1);
             $_SESSION['user_array']['email_confirmation_code'] = $newccode;
         }
     }
     $body = "<p>" . PR_CONFIRM_SUCCESS_1 . "</p>";
     $body .= "<p><a href='../index.php'>" . PR_CONFIRM_SUCCESS_2 . "</a></p>";
 }
/**
 * @param PDO $link
 * @param array $rd
 * @param bool $nocaptcha
 * @return array
 */
function process_registration_form($link, $rd, $nocaptcha = false)
{
    $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
    $ea = array('err' => false, 'usr' => "", 'pass' => "", 'il' => "", 'capt' => "");
    $i = parse($rd['user'], USER_MINLENGTH, USER_MAXLENGTH);
    switch ($i) {
        case 0:
            $ea['usr'] = "";
            break;
        case 1:
            $ea['usr'] = REG_ERR_USR_1;
            break;
        case 2:
            $ea['usr'] = REG_ERR_USR_2;
            break;
        case 3:
            $ea['usr'] = REG_ERR_USR_3;
            break;
        case 4:
            $ea['usr'] = REG_ERR_USR_4;
            break;
    }
    if ($i !== 0) {
        $ea['err'] = true;
    } elseif ($rd['user'] == $rd['pass']) {
        $ea['pass'] = REG_ERR_PASS_1;
        $ea['err'] = true;
    }
    $i = parse($rd['pass'], PASS_MINLENGTH, PASS_MAXLENGTH, 1);
    switch ($i) {
        case 2:
            $ea['pass'] = REG_ERR_PASS_2;
            break;
        case 3:
            $ea['pass'] = REG_ERR_PASS_3;
            break;
        case 4:
            $ea['pass'] = REG_ERR_PASS_4;
            break;
        case 5:
            $ea['pass'] = REG_ERR_PASS_5;
            break;
    }
    if ($i !== 0) {
        $ea['err'] = true;
    } elseif (!($rd['pass'] === $rd['pass2'])) {
        $ea['pass'] = REG_ERR_PASS_6;
        $ea['err'] = true;
    }
    $found = false;
    foreach ($_SESSION['interface_languages'] as $lang) {
        if ($lang['val'] == $rd['ilang']) {
            $found = true;
            break;
        }
    }
    if ($rd['ilang'] == "" || !$found) {
        $ea['il'] = REG_ERR_ILANG;
        $ea['err'] = true;
    }
    if ($ea['err'] == false) {
        if (!$nocaptcha && !captcha_verify_word()) {
            $ea['capt'] = REG_ERR_CAPT;
            $ea['err'] = true;
        } elseif (user_exist($link, $rd['user'])) {
            $ea['usr'] = REG_ERR_USR_5;
            $ea['err'] = true;
        }
    }
    if (!$ea['err']) {
        if (($stmt = $link->query("SELECT name FROM groups ORDER BY RAND() LIMIT 1")) === false || ($row = $stmt->fetch(PDO::FETCH_ASSOC)) === false) {
            error_log("Database operation error retrieving user registration group.");
            die("Database operation error.");
        }
        $group = $row['name'];
        /* adding new user to users table */
        $use_password_hash = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
        $hashedPassword = $use_password_hash ? password_hash($rd['pass'], SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $rd['pass'] . NORAINBOW_SALT);
        $sql = "INSERT INTO users (\n              user\n            , pass \n            , recovery\n            , firstdate\n            , hfirstdate\n            , missed_logins\n            , last_login\n            , hlast_login\n            , ip\n            , last_update\n            , interface_language\n            , hinterface_language\n            , working_group\n            , hworking_group\n            , input_language\n            , hinput_language\n            , hprofile\n            , gender\n            , hgender\n            , birthday\n            , hbirthday\n            , studies\n            , hstudies\n            , studies_type\n            , hstudies_type\n            , studies_level\n            , hstudies_level\n            , occupation\n            , hoccupation\n            , email\n            , hemail\n            , email_confirmation_code\n            , confirmed_email\n            , avatar\n            , nocaptcha\n            , hstats\n            , ditloid_lock_timestamp\n            , ditloid_time_left_when_locked\n            , gotestbefore \n            , gotestafter\n            , timer_ctestb_start\n            , timer_ctestb_end\n            , timer_utestb_start\n            , timer_utestb_end\n            , timer_utesta_start\n            , timer_utesta_end\n            , timer_ctesta_start\n            , timer_ctesta_end\n            , fbid\n            , active\n        ) VALUES (\n              :user\n            , :hashedpass \n            , :recovery\n            , :firstdate\n            , b'0' -- hfirstdate\n            , 0 -- missed_logins\n            , :lastlogin -- last_login\n            , b'0' -- hlast_login\n            , 0 -- ip\n            , 0 -- last_update\n            , :ilang -- interface_language\n            , b'0' -- hinterface_language\n            , :group -- working_group\n            , b'0' -- hworking_group\n            , :iolang -- input_language\n            , b'0' -- hinput_language\n            , b'0' -- hprofile\n            , '' -- gender\n            , b'0' -- hgender\n            , NULL -- birthday\n            , b'0' -- hbirthday\n            , '' -- studies\n            , b'0' -- hstudies\n            , '' -- studies_type\n            , b'0' -- hstudies_type\n            , NULL -- studies_level\n            , b'0' -- hstudies_level\n            , '' -- occupation\n            , b'0' -- hoccupation\n            , '' -- email\n            , b'0' -- hemail\n            , :emailconfirmationcode\n            , 1 -- confirmed_email\n            , '' -- avatar\n            , b'0' -- nocaptcha\n            , b'0' -- hstats\n            , 0 -- ditloid_lock_timestamp\n            , 0 -- ditloid_time_left_when_locked\n            , 1 -- gotestbefore \n            , 0 -- gotestafter\n            , 0 -- timer_ctestb_start\n            , 0 -- timer_ctestb_end\n            , 0 -- timer_utestb_start\n            , 0 -- timer_utestb_end\n            , 0 -- timer_utesta_start\n            , 0 -- timer_utesta_end\n            , 0 -- timer_ctesta_start\n            , 0 -- timer_ctesta_end\n            , :fbid -- fbid\n            , 1 -- active\n        )";
        $stmt = $link->prepare($sql);
        $stmt->bindValue(':user', $rd['user'], PDO::PARAM_STR);
        $stmt->bindValue(':hashedpass', $hashedPassword, PDO::PARAM_STR);
        $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
        $stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
        $stmt->bindValue(':firstdate', time(), PDO::PARAM_INT);
        $stmt->bindValue(':lastlogin', time(), PDO::PARAM_INT);
        $stmt->bindValue(':ilang', $_SESSION['if_lang'], PDO::PARAM_STR);
        $stmt->bindValue(':group', $group, PDO::PARAM_STR);
        $stmt->bindValue(':iolang', $rd['ilang'], PDO::PARAM_STR);
        $stmt->bindValue(':fbid', isset($rd['fbid']) ? $rd['fbid'] : null, isset($rd['fbid']) ? PDO::PARAM_STR : PDO::PARAM_NULL);
        $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
        $stmt->bindValue(':emailconfirmationcode', $use_password_hash ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
        if ($stmt->execute() === false) {
            die('Error: ' . var_export($link->errorInfo(), true) . PHP_EOL . $sql);
        }
    }
    return $ea;
}
Exemplo n.º 8
0
/**
 * @param PDO $link
 * @return bool|string
 */
function process_facebook_login($link)
{
    require_once dirname(__FILE__) . '/' . SYNAPP_CONFIG_DIRNAME . '/facebook_credentials.php';
    $fbLoginRedirectUrl = SYNAPP_FB_LOGIN_REDIRECT_URL . (isset($_GET['location']) ? '?location=' . $_GET['location'] : '');
    $fbAppId = SYNAPP_FB_APP_ID;
    $fbAppSecret = SYNAPP_FB_APP_SECRET;
    $use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
    try {
        if (isset($_SESSION['fb_token'])) {
            $session = new FacebookSession($_SESSION['fb_token']);
        } else {
            FacebookSession::setDefaultApplication($fbAppId, $fbAppSecret);
            $helper = new FacebookRedirectLoginHelper($fbLoginRedirectUrl);
            try {
                $session = $helper->getSessionFromRedirect();
                if (isset($session)) {
                    $_SESSION['fb_token'] = $session->getToken();
                } else {
                    return $helper->getLoginUrl(array('scope' => 'email'));
                }
            } catch (FacebookSDKException $ex) {
                // When Facebook returns an error
                return $helper->getLoginUrl(array('scope' => 'email'));
            } catch (Exception $ex) {
                // When validation fails or other local issues
                return $helper->getLoginUrl(array('scope' => 'email'));
            }
        }
        if (isset($session)) {
            // Logged in
            $graphObject = (new FacebookRequest($session, 'GET', '/me?fields=id,email,first_name,last_name'))->execute()->getGraphObject(GraphUser::className());
            $sql = "SELECT * FROM `users` WHERE fbid = :fbid OR email = :email AND confirmed_email = b'1'";
            $stmt = $link->prepare($sql);
            $stmt->bindValue(':fbid', $graphObject->getProperty('id'), PDO::PARAM_STR);
            $stmt->bindValue(':email', $graphObject->getProperty('email'), PDO::PARAM_STR);
            if ($stmt->execute() !== false && $stmt->rowCount() > 0) {
                $user_array = $stmt->fetch(PDO::FETCH_ASSOC);
                if ($user_array['active'] == 0) {
                    $_SESSION['login_err'] = 403;
                    return false;
                }
                $_SESSION['user_array'] = $user_array;
                $_SESSION['auth'] = true;
                $_SESSION['justlogged'] = true;
                $_SESSION['if_lang'] = $_SESSION['user_array']['interface_language'];
                $_SESSION['user_count'] = 1;
                $_SESSION['pass_count'] = 0;
                $_SESSION['user_array']['missed_logins'] = 0;
                $time = time();
                if (($ip = ip2long($_SERVER['REMOTE_ADDR'])) === false) {
                    $ip = 0;
                }
                $sql = "UPDATE users SET recovery = :recovery, missed_logins='0', last_login = :time, ip = :ip WHERE user = :user";
                $stmt = $link->prepare($sql);
                $prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
                $stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
                $stmt->bindValue(':time', $time, PDO::PARAM_INT);
                $stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
                $stmt->bindValue(':user', $_SESSION['user_array']['user'], PDO::PARAM_STR);
                if ($stmt->execute() === false) {
                    error_log(var_export($link->errorInfo(), true));
                    die("Error performing database operation.");
                }
                return true;
            }
            $rd['user'] = substr(preg_replace("/[^a-zA-Z0-9]+/", "", $graphObject->getProperty('first_name') . $graphObject->getProperty('last_name')), 0, USER_MAXLENGTH);
            $i = 0;
            while (user_exist($link, $rd['user'])) {
                $rd['user'] = substr(preg_replace("/[^a-zA-Z0-9]+/", "", $i . $graphObject->getProperty('first_name') . $graphObject->getProperty('last_name')), 0, USER_MAXLENGTH);
                $i++;
            }
            $rd['pass'] = substr(hash("sha256", $_SESSION['fb_token']), 0, PASS_MAXLENGTH);
            $rd['pass2'] = $rd['pass'];
            $rd['ilang'] = $_SESSION['if_lang'];
            $rd['fbid'] = $graphObject->getProperty('id');
            $ea = process_registration_form($link, $rd, true);
            if ($ea['err'] !== true) {
                $sql = "UPDATE `users` SET fbid = :fbid, email = :email, confirmed_email = b'1' WHERE user = :user";
                $stmt = $link->prepare($sql);
                $stmt->bindValue(':fbid', $graphObject->getProperty('id'), PDO::PARAM_STR);
                $stmt->bindValue(':email', $graphObject->getProperty('email'), PDO::PARAM_STR);
                $stmt->bindValue(':user', $rd['user'], PDO::PARAM_STR);
                return $stmt->execute() !== false;
            }
            return $ea['err'] !== true;
        } else {
            header('Location: account/logout.php');
            die;
        }
    } catch (FacebookSDKException $ex) {
        // When Facebook returns an error
        error_log("FacebookRequestException: " . $ex->getMessage());
        header('Location: account/logout.php');
        die;
    } catch (Exception $ex) {
        // When validation fails or other local issues
        error_log("Exception on facebook login: " . $ex->getMessage());
        header('Location: account/logout.php');
        die;
    }
}