function db($user, $password)
{
$_SESSION['UserID'] = $user;
$sql = "SELECT userid,\n\t\t\t\t\t\taccesslevel\n\t\t\t\tFROM www_users\n\t\t\t\tWHERE userid='" . DB_escape_string($user) . "'\n\t\t\t\tAND (password='******'\n\t\t\t\tOR password='******')";
$Auth_Result = DB_query($sql, $_SESSION['db']);
$myrow = DB_fetch_row($Auth_Result);
if (DB_num_rows($Auth_Result) > 0) {
$sql = 'SELECT tokenid FROM securitygroups
WHERE secroleid = ' . $_SESSION['AccessLevel'];
$Sec_Result = DB_query($sql, $db);
$_SESSION['AllowedPageSecurityTokens'] = array();
if (DB_num_rows($Sec_Result) == 0) {
return NoAuthorisation;
} else {
$i = 0;
while ($myrow = DB_fetch_row($Sec_Result)) {
$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
$i++;
}
}
return $_SESSION['db'];
} else {
return NoAuthorisation;
}
}
function db($user, $password)
{
$_SESSION['UserID'] = $user;
$sql = "SELECT userid\n\t\t\tFROM www_users\n\t\t\tWHERE userid='" . DB_escape_string($user) . "'\n\t\t\tAND (password='******'\n\t\t\tOR password='******')";
$Auth_Result = DB_query($sql, $_SESSION['db']);
$myrow = DB_fetch_row($Auth_Result);
if (DB_num_rows($Auth_Result) > 0) {
return $_SESSION['db'];
} else {
return NoAuthorisation;
}
}
}
if (mb_strlen($_POST['BranchCode']) > 0 and $InputError != 1) {
// check that the entered branch is valid for the customer code
$sql = "SELECT defaultlocation\n\t\t\t\tFROM custbranch\n\t\t\t\tWHERE debtorno='" . $_SESSION['CustomerID'] . "'\n\t\t\t\tAND branchcode='" . $_POST['BranchCode'] . "'";
$ErrMsg = _('The check on validity of the customer code and branch failed because');
$DbgMsg = _('The SQL that was used to check the customer code and branch was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
if (DB_num_rows($result) == 0) {
prnMsg(_('The entered Branch Code is not valid for the entered Customer Code'), 'error');
$InputError = 1;
} else {
$myrow = DB_fetch_row($result);
$InventoryLocation = $myrow[0];
}
if ($InputError != 1) {
$sql = "INSERT INTO www_users (userid,\n\t\t\t\t\t\t\t\t\t\trealname,\n\t\t\t\t\t\t\t\t\t\tcustomerid,\n\t\t\t\t\t\t\t\t\t\tbranchcode,\n\t\t\t\t\t\t\t\t\t\tpassword,\n\t\t\t\t\t\t\t\t\t\tphone,\n\t\t\t\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\t\t\t\tpagesize,\n\t\t\t\t\t\t\t\t\t\tfullaccess,\n\t\t\t\t\t\t\t\t\t\tdefaultlocation,\n\t\t\t\t\t\t\t\t\t\tmodulesallowed,\n\t\t\t\t\t\t\t\t\t\tdisplayrecordsmax,\n\t\t\t\t\t\t\t\t\t\ttheme,\n\t\t\t\t\t\t\t\t\t\tlanguage)\n\t\t\t\t\t\t\t\t\tVALUES ('" . $_POST['UserID'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_POST['RealName'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_SESSION['CustomerID'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_POST['BranchCode'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . CryptPass($_POST['Password']) . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_POST['Phone'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_POST['Email'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_POST['PageSize'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'7',\n\t\t\t\t\t\t\t\t\t\t\t'" . $InventoryLocation . "',\n\t\t\t\t\t\t\t\t\t\t\t'1,1,0,0,0,0,0,0',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_SESSION['DefaultDisplayRecordsMax'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_POST['Theme'] . "',\n\t\t\t\t\t\t\t\t\t\t\t'" . $_POST['UserLanguage'] . "')";
$ErrMsg = _('The user could not be added because');
$DbgMsg = _('The SQL that was used to insert the new user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
prnMsg(_('A new customer login has been created'), 'success');
include 'includes/footer.inc';
exit;
}
}
}
echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
echo '<div>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class="selection">
<tr>
<td>' . _('User Login') . ':</td>
$InputError = 1;
prnMsg(_('The password entered must be at least 5 characters long'), 'error');
} elseif (mb_strstr($_POST['Password'], $_POST['UserID']) != False) {
$InputError = 1;
prnMsg(_('The password cannot contain the user id'), 'error');
}
/* Make a comma separated list of modules allowed ready to update the database*/
$i = 0;
$ModulesAllowed = '';
while ($i < count($ModuleList)) {
$ModulesAllowed .= ' ' . ',';
//no any modules allowed for the suppliers
$i++;
}
if ($InputError != 1) {
$sql = "INSERT INTO www_users (userid,\n\t\t\t\t\t\t\t\t\t\trealname,\n\t\t\t\t\t\t\t\t\t\tsupplierid,\n\t\t\t\t\t\t\t\t\t\tpassword,\n\t\t\t\t\t\t\t\t\t\tphone,\n\t\t\t\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\t\t\t\tpagesize,\n\t\t\t\t\t\t\t\t\t\tfullaccess,\n\t\t\t\t\t\t\t\t\t\tdefaultlocation,\n\t\t\t\t\t\t\t\t\t\tlastvisitdate,\n\t\t\t\t\t\t\t\t\t\tmodulesallowed,\n\t\t\t\t\t\t\t\t\t\tdisplayrecordsmax,\n\t\t\t\t\t\t\t\t\t\ttheme,\n\t\t\t\t\t\t\t\t\t\tlanguage)\n\t\t\t\t\t\tVALUES ('" . $_POST['UserID'] . "',\n\t\t\t\t\t\t\t'" . $_POST['RealName'] . "',\n\t\t\t\t\t\t\t'" . $_SESSION['SupplierID'] . "',\n\t\t\t\t\t\t\t'" . CryptPass($_POST['Password']) . "',\n\t\t\t\t\t\t\t'" . $_POST['Phone'] . "',\n\t\t\t\t\t\t\t'" . $_POST['Email'] . "',\n\t\t\t\t\t\t\t'" . $_POST['PageSize'] . "',\n\t\t\t\t\t\t\t'" . $_POST['Access'] . "',\n\t\t\t\t\t\t\t'" . $_POST['DefaultLocation'] . "',\n\t\t\t\t\t\t\t'" . date($_SESSION['DefaultDateFormat']) . "',\n\t\t\t\t\t\t\t'" . $ModulesAllowed . "',\n\t\t\t\t\t\t\t'" . $_SESSION['DefaultDisplayRecordsMax'] . "',\n\t\t\t\t\t\t\t'" . $_POST['Theme'] . "',\n\t\t\t\t\t\t\t'" . $_POST['UserLanguage'] . "')";
$ErrMsg = _('The user could not be added because');
$DbgMsg = _('The SQL that was used to insert the new user and failed was');
$result = DB_query($sql, $ErrMsg, $DbgMsg);
prnMsg(_('A new supplier login has been created'), 'success');
include 'includes/footer.inc';
exit;
}
}
echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
echo '<div>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class="selection">
<tr>
<td>' . _('User Login') . ':</td>
<td><input type="text" pattern="[^><+-]{4,20}" title="' . _('The user ID must has more than 4 legal characters') . '" required="required" placeholder="' . _('More than 4 characters') . '" name="UserID" size="22" maxlength="20" /></td>
function DBUpdate($db, $DatabaseName, $DBConnectType, $AdminPasswd, $AdminEmail, $AdminLanguage, $CompanyName)
{
$MysqlExt = $DBConnectType == 'mysql' ? true : false;
//select the database to connect
$Result = !$MysqlExt ? mysqli_select_db($db, $DatabaseName) : mysql_select_db($DatabaseName, $db);
$sql = "UPDATE www_users\n\t\t\t\tSET password = '******',\n\t\t\t\t\temail = '" . $AdminEmail . "',\n\t\t\t\t language = '" . $AdminLanguage . "'\n\t\t\t\tWHERE userid = 'admin'";
$Result = !$MysqlExt ? mysqli_query($db, $sql) : mysql_query($sql, $db);
if (!$Result) {
prnMsg(_('Failed to update the email address and password of the administrator and the error is') . (!$MysqlExt ? mysqli_error($db) : mysql_error($db)), 'error');
}
$sql = "UPDATE companies\n\t\t\tSET coyname = '" . (!$MysqlExt ? mysqli_real_escape_string($db, $CompanyName) : mysql_real_escape_string($CompanyName, $db)) . "'\n\t\t\tWHERE coycode = 1";
$Result = !$MysqlExt ? mysqli_query($db, $sql) : mysql_query($sql, $db);
if (!$Result) {
prnMsg(_('Failed to update the company name and the erroris') . (!$MysqlExt ? mysqli_error($db) : mysql_error($db)), 'error');
}
}
function userLogin($Name, $Password, $db)
{
global $debug;
if (!isset($_SESSION['AccessLevel']) or $_SESSION['AccessLevel'] == '' or isset($Name) and $Name != '') {
/* if not logged in */
$_SESSION['AccessLevel'] = '';
$_SESSION['CustomerID'] = '';
$_SESSION['UserBranch'] = '';
$_SESSION['SalesmanLogin'] = '';
$_SESSION['Module'] = '';
$_SESSION['PageSize'] = '';
$_SESSION['UserStockLocation'] = '';
$_SESSION['AttemptsCounter']++;
// Show login screen
if (!isset($Name) or $Name == '') {
return UL_SHOWLOGIN;
}
/* Temporary fix for old unencrypted password */
$sql = "UPDATE www_users\n\t\t\t\tSET password='******'\n\t\t\t\tWHERE password='******'";
$ErrMsg = _('Could not reset password');
$Result = DB_query($sql, $db, $ErrMsg);
/* End temporary fix */
$sql = "SELECT *\n\t\t\t\t\t\tFROM www_users\n\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'\n\t\t\t\t\t\tAND (www_users.password='******')";
$ErrMsg = _('Could not retrieve user details on login because');
$debug = 1;
$Auth_Result = DB_query($sql, $db, $ErrMsg);
// Populate session variables with data base results
if (DB_num_rows($Auth_Result) > 0) {
$myrow = DB_fetch_array($Auth_Result);
if ($myrow['blocked'] == 1) {
//the account is blocked
return UL_BLOCKED;
}
/*reset the attempts counter on successful login */
$_SESSION['UserID'] = $myrow['userid'];
$_SESSION['AttemptsCounter'] = 0;
$_SESSION['AccessLevel'] = $myrow['fullaccess'];
$_SESSION['CanCreateTender'] = $myrow['cancreatetender'];
$_SESSION['UserCustomerID'] = $myrow['customerid'];
$_SESSION['UserBranch'] = $myrow['branchcode'];
$_SESSION['UserSupplierID'] = $myrow['supplierid'];
$_SESSION['DefaultPageSize'] = $myrow['pagesize'];
$_SESSION['UserStockLocation'] = $myrow['defaultlocation'];
$_SESSION['DefaultTag'] = $myrow['defaulttag'];
$_SESSION['UserEmail'] = $myrow['email'];
$_SESSION['ModulesEnabled'] = explode(",", $myrow['modulesallowed']);
$_SESSION['UsersRealName'] = $myrow['realname'];
$_SESSION['Theme'] = $myrow['theme'];
$_SESSION['Language'] = $myrow['language'];
$_SESSION['SalesmanLogin'] = $myrow['salesman'];
if (isset($myrow['pdflanguage'])) {
$_SESSION['PDFLanguage'] = $myrow['pdflanguage'];
} else {
$_SESSION['PDFLanguage'] = '0';
//default to latin western languages
}
if ($myrow['displayrecordsmax'] > 0) {
$_SESSION['DisplayRecordsMax'] = $myrow['displayrecordsmax'];
} else {
$_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax'];
// default comes from config.php
}
$sql = "UPDATE www_users SET lastvisitdate='" . date('Y-m-d H:i:s') . "'\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql, $db);
$sql = "desc securityroles canviewprices";
$result = DB_query($sql, $db);
if (DB_num_rows($result) != 0) {
$sql = "SELECT canviewprices FROM securityroles\n\t\t\t\t\t\t\tWHERE secroleid = '" . $_SESSION['AccessLevel'] . "'";
$ViewPricesResult = DB_query($sql, $db);
$MyViewPricesRow = DB_fetch_array($ViewPricesResult);
$_SESSION['CanViewPrices'] = $MyViewPricesRow['canviewprices'];
}
/*get the security tokens that the user has access to */
$sql = "SELECT tokenid FROM securitygroups\n\t\t\t\t\t\t\tWHERE secroleid = '" . $_SESSION['AccessLevel'] . "'";
$Sec_Result = DB_query($sql, $db);
$_SESSION['AllowedPageSecurityTokens'] = array();
if (DB_num_rows($Sec_Result) == 0) {
return UL_CONFIGERR;
} else {
$i = 0;
while ($myrow = DB_fetch_row($Sec_Result)) {
$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
$i++;
}
}
// Temporary shift - disable log messages - how temporary?
} else {
// Incorrect password
// 5 login attempts, show failed login screen
if (!isset($_SESSION['AttemptsCounter'])) {
$_SESSION['AttemptsCounter'] = 0;
} elseif ($_SESSION['AttemptsCounter'] >= 5 and isset($Name)) {
/*User blocked from future accesses until sysadmin releases */
$sql = "UPDATE www_users\n\t\t\t\t\t\t\tSET blocked=1\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql, $db);
return UL_BLOCKED;
}
return UL_NOTVALID;
}
}
// End of userid/password check
// Run with debugging messages for the system administrator(s) but not anyone else
return UL_OK;
/* All is well */
}
}
$_POST['ModulesAllowed'] = $ModulesAllowed;
if (isset($SelectedUser) and $InputError != 1) {
/*SelectedUser could also exist if submit had not been clicked this code would not run in this case cos submit is false of course see the delete code below*/
if (!isset($_POST['Cust']) or $_POST['Cust'] == NULL or $_POST['Cust'] == '') {
$_POST['Cust'] = '';
$_POST['BranchCode'] = '';
}
$UpdatePassword = '';
if ($_POST['Password'] != '') {
$UpdatePassword = "******" . CryptPass($_POST['Password']) . "',";
}
$sql = "UPDATE www_users SET realname='" . $_POST['RealName'] . "',\n\t\t\t\t\t\tcustomerid='" . $_POST['Cust'] . "',\n\t\t\t\t\t\tphone='" . $_POST['Phone'] . "',\n\t\t\t\t\t\temail='" . $_POST['Email'] . "',\n\t\t\t\t\t\t" . $UpdatePassword . "\n\t\t\t\t\t\tbranchcode='" . $_POST['BranchCode'] . "',\n\t\t\t\t\t\tsupplierid='" . $_POST['SupplierID'] . "',\n\t\t\t\t\t\tsalesman='" . $_POST['Salesman'] . "',\n\t\t\t\t\t\tpagesize='" . $_POST['PageSize'] . "',\n\t\t\t\t\t\tfullaccess='" . $_POST['Access'] . "',\n\t\t\t\t\t\tcancreatetender='" . $_POST['CanCreateTender'] . "',\n\t\t\t\t\t\ttheme='" . $_POST['Theme'] . "',\n\t\t\t\t\t\tlanguage ='" . $_POST['UserLanguage'] . "',\n\t\t\t\t\t\tdefaultlocation='" . $_POST['DefaultLocation'] . "',\n\t\t\t\t\t\tmodulesallowed='" . $ModulesAllowed . "',\n\t\t\t\t\t\tblocked='" . $_POST['Blocked'] . "',\n\t\t\t\t\t\tpdflanguage='" . $_POST['PDFLanguage'] . "',\n\t\t\t\t\t\tdepartment='" . $_POST['Department'] . "'\n\t\t\t\t\tWHERE userid = '" . $SelectedUser . "'";
prnMsg(_('The selected user record has been updated'), 'success');
} elseif ($InputError != 1) {
$sql = "INSERT INTO www_users (userid,\n\t\t\t\t\t\trealname,\n\t\t\t\t\t\tcustomerid,\n\t\t\t\t\t\tbranchcode,\n\t\t\t\t\t\tsupplierid,\n\t\t\t\t\t\tsalesman,\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tphone,\n\t\t\t\t\t\temail,\n\t\t\t\t\t\tpagesize,\n\t\t\t\t\t\tfullaccess,\n\t\t\t\t\t\tcancreatetender,\n\t\t\t\t\t\tdefaultlocation,\n\t\t\t\t\t\tmodulesallowed,\n\t\t\t\t\t\tdisplayrecordsmax,\n\t\t\t\t\t\ttheme,\n\t\t\t\t\t\tlanguage,\n\t\t\t\t\t\tpdflanguage,\n\t\t\t\t\t\tdepartment)\n\t\t\t\t\tVALUES ('" . $_POST['UserID'] . "',\n\t\t\t\t\t\t'" . $_POST['RealName'] . "',\n\t\t\t\t\t\t'" . $_POST['Cust'] . "',\n\t\t\t\t\t\t'" . $_POST['BranchCode'] . "',\n\t\t\t\t\t\t'" . $_POST['SupplierID'] . "',\n\t\t\t\t\t\t'" . $_POST['Salesman'] . "',\n\t\t\t\t\t\t'" . CryptPass($_POST['Password']) . "',\n\t\t\t\t\t\t'" . $_POST['Phone'] . "',\n\t\t\t\t\t\t'" . $_POST['Email'] . "',\n\t\t\t\t\t\t'" . $_POST['PageSize'] . "',\n\t\t\t\t\t\t'" . $_POST['Access'] . "',\n\t\t\t\t\t\t'" . $_POST['CanCreateTender'] . "',\n\t\t\t\t\t\t'" . $_POST['DefaultLocation'] . "',\n\t\t\t\t\t\t'" . $ModulesAllowed . "',\n\t\t\t\t\t\t'" . $_SESSION['DefaultDisplayRecordsMax'] . "',\n\t\t\t\t\t\t'" . $_POST['Theme'] . "',\n\t\t\t\t\t\t'" . $_POST['UserLanguage'] . "',\n\t\t\t\t\t\t'" . $_POST['PDFLanguage'] . "',\n\t\t\t\t\t\t'" . $_POST['Department'] . "')";
prnMsg(_('A new user record has been inserted'), 'success');
}
if ($InputError != 1) {
//run the SQL from either of the above possibilites
$ErrMsg = _('The user alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
unset($_POST['UserID']);
unset($_POST['RealName']);
unset($_POST['Cust']);
unset($_POST['BranchCode']);
unset($_POST['SupplierID']);
unset($_POST['Salesman']);
unset($_POST['Phone']);
unset($_POST['Email']);
$ErrMsg = _('The user alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
prnMsg(_('The user settings have been updated') . '. ' . _('Be sure to remember your password for the next time you login'), 'success');
$sql = "SELECT fullaccess FROM www_users\n\t\tWHERE userid= '" . trim($_SESSION['UserID']) . "'";
$result = DB_query($sql, $db);
$myrow = DB_fetch_row($result);
$user = $myrow[0];
if ($user == 7) {
$sql = "UPDATE debtorsmaster\n\t\t\t\tSET boxno='" . $_POST['boxno'] . "',\n\t\t\t\t\ttown='" . $_POST['town'] . "',\n\t\t\t\t\tzip='" . $_POST['zip'] . "',\n\t\t\t\t\tstate='" . $_POST['state'] . "',\n\t\t\t\t\tmobileno='" . $_POST['mobileno'] . "',\n\t\t\t\t\trelationship='" . $_POST['relationship'] . "',\n\t\t\t\t\tgname='" . $_POST['gname'] . "',\n\t\t\t\t\tgboxno='" . $_POST['gboxno'] . "',\n\t\t\t\t\tgtown='" . $_POST['gtown'] . "',\n\t\t\t\t\tgstate='" . $_POST['gstate'] . "',\n\t\t\t\t\tgmobileno='" . $_POST['gmobileno'] . "',\n\t\t\t\t\temail='" . $_POST['email'] . "'\n\t\t\t\tWHERE debtorno = '" . $_SESSION['UserID'] . "'";
$ErrMsg = _('The student alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
}
} else {
$sql = "UPDATE www_users\n\t\t\t\tSET email='" . $_POST['email'] . "',\n\t\t\t\t\tpassword='******'pass']) . "'\n\t\t\t\tWHERE userid = '" . $_SESSION['UserID'] . "'";
$ErrMsg = _('The user alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
prnMsg(_('The user settings have been updated'), 'success');
$sql = "SELECT fullaccess FROM www_users\n\t\tWHERE userid= '" . trim($_SESSION['UserID']) . "'";
$result = DB_query($sql, $db);
$myrow = DB_fetch_row($result);
$user = $myrow[0];
if ($user == 7) {
$sql = "UPDATE debtorsmaster\n\t\t\t\tSET boxno='" . $_POST['boxno'] . "',\n\t\t\t\t\ttown='" . $_POST['town'] . "',\n\t\t\t\t\tzip='" . $_POST['zip'] . "',\n\t\t\t\t\tstate='" . $_POST['state'] . "',\n\t\t\t\t\tmobileno='" . $_POST['mobileno'] . "',\n\t\t\t\t\trelationship='" . $_POST['relationship'] . "',\n\t\t\t\t\tgname='" . $_POST['gname'] . "',\n\t\t\t\t\tgboxno='" . $_POST['gboxno'] . "',\n\t\t\t\t\tgtown='" . $_POST['gtown'] . "',\n\t\t\t\t\tgstate='" . $_POST['gstate'] . "',\n\t\t\t\t\tgmobileno='" . $_POST['gmobileno'] . "',\n\t\t\t\t\temail='" . $_POST['email'] . "'\n\t\t\t\tWHERE debtorno = '" . $_SESSION['UserID'] . "'";
$ErrMsg = _('The student alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
}
}
$InputError = 1;
prnMsg(_('The password and password confirmation fields entered do not match'), 'error');
} else {
$UpdatePassword = '******';
}
}
if ($InputError != 1) {
// no errors
if ($UpdatePassword != 'Y') {
$sql = "UPDATE www_users\n\t\t\t\tSET displayrecordsmax='" . $_POST['DisplayRecordsMax'] . "',\n\t\t\t\t\ttheme='" . $_POST['Theme'] . "',\n\t\t\t\t\tlanguage='" . $_POST['Language'] . "',\n\t\t\t\t\temail='" . $_POST['email'] . "',\n\t\t\t\t\tpdflanguage='" . $_POST['PDFLanguage'] . "'\n\t\t\t\tWHERE userid = '" . $_SESSION['UserID'] . "'";
$ErrMsg = _('The user alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
prnMsg(_('The user settings have been updated') . '. ' . _('Be sure to remember your password for the next time you login'), 'success');
} else {
$sql = "UPDATE www_users\n\t\t\t\tSET displayrecordsmax='" . $_POST['DisplayRecordsMax'] . "',\n\t\t\t\t\ttheme='" . $_POST['Theme'] . "',\n\t\t\t\t\tlanguage='" . $_POST['Language'] . "',\n\t\t\t\t\temail='" . $_POST['email'] . "',\n\t\t\t\t\tpdflanguage='" . $_POST['PDFLanguage'] . "',\n\t\t\t\t\tpassword='******'Password']) . "'\n\t\t\t\tWHERE userid = '" . $_SESSION['UserID'] . "'";
$ErrMsg = _('The user alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
prnMsg(_('The user settings have been updated'), 'success');
}
// update the session variables to reflect user changes on-the-fly
$_SESSION['DisplayRecordsMax'] = $_POST['DisplayRecordsMax'];
$_SESSION['Theme'] = trim($_POST['Theme']);
/*already set by session.inc but for completeness */
$theme = $_SESSION['Theme'];
$_SESSION['Language'] = trim($_POST['Language']);
$_SESSION['PDFLanguage'] = $_POST['PDFLanguage'];
include 'includes/LanguageSetup.php';
}
}
$i++;
}
$_POST['ModulesAllowed'] = $ModulesAllowed;
if ($SelectedUser and $InputError != 1) {
if (!isset($_POST['Cust']) or $_POST['Cust'] == NULL or $_POST['Cust'] == '') {
$_POST['Cust'] = '';
$_POST['BranchCode'] = '';
}
$UpdatePassword = "";
if ($_POST['Password'] != "") {
$UpdatePassword = "******" . CryptPass($_POST['Password']) . "',";
}
$sql = "UPDATE www_users SET realname='" . $_POST['RealName'] . "',phone='" . $_POST['Phone'] . "',\n\t\temail='" . $_POST['Email'] . "'," . $UpdatePassword . "salesman='" . $_POST['Salesman'] . "',\n\t\tfullaccess='" . $_POST['Access'] . "',modulesallowed='" . $ModulesAllowed . "',blocked='" . $_POST['Blocked'] . "'\n\t\tWHERE userid = '" . $SelectedUser . "'";
prnMsg(_('The selected user record has been updated'), 'success');
} elseif ($InputError != 1) {
$sql = "INSERT INTO www_users (userid,realname,password,phone,email,fullaccess,modulesallowed,theme)\n\t\tVALUES ('" . $_POST['UserID'] . "','" . $_POST['RealName'] . "','" . CryptPass($_POST['Password']) . "',\n\t\t'" . $_POST['Phone'] . "','" . $_POST['Email'] . "','" . $_POST['Access'] . "','" . $ModulesAllowed . "','professional')";
prnMsg(_('A new user record has been inserted'), 'success');
}
if ($InputError != 1) {
$ErrMsg = _('The user alterations could not be processed because');
$DbgMsg = _('The SQL that was used to update the user and failed was');
$result = DB_query($sql, $db, $ErrMsg, $DbgMsg);
unset($_POST['UserID']);
unset($_POST['RealName']);
unset($_POST['Salesman']);
unset($_POST['Phone']);
unset($_POST['Email']);
unset($_POST['Password']);
unset($_POST['PageSize']);
unset($_POST['Access']);
unset($_POST['DefaultLocation']);
function userLogin($Name, $Password, $SysAdminEmail = '', $db)
{
global $debug;
if (!isset($_SESSION['AccessLevel']) or $_SESSION['AccessLevel'] == '' or isset($Name) and $Name != '') {
/* if not logged in */
$_SESSION['AccessLevel'] = '';
$_SESSION['CustomerID'] = '';
$_SESSION['UserBranch'] = '';
$_SESSION['SalesmanLogin'] = '';
$_SESSION['Module'] = '';
$_SESSION['PageSize'] = '';
$_SESSION['UserStockLocation'] = '';
$_SESSION['AttemptsCounter']++;
// Show login screen
if (!isset($Name) or $Name == '') {
$_SESSION['DatabaseName'] = '';
$_SESSION['CompanyName'] = '';
return UL_SHOWLOGIN;
}
/* The SQL to get the user info must use the * syntax because the field name could change between versions if the fields are specifed directly then the sql fails and the db upgrade will fail */
$sql = "SELECT *\n\t\t\t\tFROM www_users\n\t\t\t\tWHERE www_users.userid='" . $Name . "'\n\t\t\t\tAND (www_users.password='******'\n\t\t\t\tOR www_users.password='******')";
$ErrMsg = _('Could not retrieve user details on login because');
$debug = 1;
$Auth_Result = DB_query($sql, $db, $ErrMsg);
// Populate session variables with data base results
if (DB_num_rows($Auth_Result) > 0) {
$myrow = DB_fetch_array($Auth_Result);
if ($myrow['blocked'] == 1) {
//the account is blocked
return UL_BLOCKED;
}
/*reset the attempts counter on successful login */
$_SESSION['UserID'] = $myrow['userid'];
$_SESSION['AttemptsCounter'] = 0;
$_SESSION['AccessLevel'] = $myrow['fullaccess'];
$_SESSION['CustomerID'] = $myrow['customerid'];
$_SESSION['UserBranch'] = $myrow['branchcode'];
$_SESSION['DefaultPageSize'] = $myrow['pagesize'];
$_SESSION['UserStockLocation'] = $myrow['defaultlocation'];
$_SESSION['UserEmail'] = $myrow['email'];
$_SESSION['ModulesEnabled'] = explode(",", $myrow['modulesallowed']);
$_SESSION['UsersRealName'] = $myrow['realname'];
$_SESSION['Theme'] = $myrow['theme'];
$_SESSION['Language'] = $myrow['language'];
$_SESSION['SalesmanLogin'] = $myrow['salesman'];
$_SESSION['CanCreateTender'] = $myrow['cancreatetender'];
$_SESSION['AllowedDepartment'] = $myrow['department'];
if (isset($myrow['pdflanguage'])) {
$_SESSION['PDFLanguage'] = $myrow['pdflanguage'];
} else {
$_SESSION['PDFLanguage'] = '0';
//default to latin western languages
}
if ($myrow['displayrecordsmax'] > 0) {
$_SESSION['DisplayRecordsMax'] = $myrow['displayrecordsmax'];
} else {
$_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax'];
// default comes from config.php
}
$sql = "UPDATE www_users SET lastvisitdate='" . date('Y-m-d H:i:s') . "'\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql, $db);
/*get the security tokens that the user has access to */
$sql = "SELECT tokenid FROM securitygroups\n\t\t\t\t\t\t\tWHERE secroleid = '" . $_SESSION['AccessLevel'] . "'";
$Sec_Result = DB_query($sql, $db);
$_SESSION['AllowedPageSecurityTokens'] = array();
if (DB_num_rows($Sec_Result) == 0) {
return UL_CONFIGERR;
} else {
$i = 0;
$UserIsSysAdmin = FALSE;
while ($myrow = DB_fetch_row($Sec_Result)) {
if ($myrow[0] == 15) {
$UserIsSysAdmin = TRUE;
}
$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
$i++;
}
}
// check if only maintenance users can access webERP
$sql = "SELECT confvalue FROM config WHERE confname = 'DB_Maintenance'";
$Maintenance_Result = DB_query($sql, $db);
if (DB_num_rows($Maintenance_Result) == 0) {
return UL_CONFIGERR;
} else {
$myMaintenanceRow = DB_fetch_row($Maintenance_Result);
if ($myMaintenanceRow[0] == -1 and $UserIsSysAdmin == FALSE) {
// the configuration setting has been set to -1 ==> Allow SysAdmin Access Only
// the user is NOT a SysAdmin
return UL_MAINTENANCE;
}
}
} else {
// Incorrect password
// 5 login attempts, show failed login screen
if (!isset($_SESSION['AttemptsCounter'])) {
$_SESSION['AttemptsCounter'] = 0;
} elseif ($_SESSION['AttemptsCounter'] >= 5 and isset($Name)) {
/*User blocked from future accesses until sysadmin releases */
$sql = "UPDATE www_users\n\t\t\t\t\t\t\tSET blocked=1\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql, $db);
if ($SysAdminEmail != '') {
$EmailSubject = _('User access blocked') . ' ' . $Name;
$EmailText = _('User ID') . ' ' . $Name . ' - ' . $Password . ' - ' . _('has been blocked access at') . ' ' . Date('Y-m-d H:i:s') . ' ' . _('from IP') . ' ' . $_SERVER["REMOTE_ADDR"] . ' ' . _('due to too many failed attempts.');
if ($_SESSION['SmtpSetting'] == 0) {
mail($SysAdminEmail, $EmailSubject, $EmailText);
} else {
include 'includes/htmlMimeMail.php';
$mail = new htmlMimeMail();
$mail->setSubject($EmailSubject);
$mail->setText($EmailText);
$result = SendmailBySmtp($mail, array($SysAdminEmail));
}
}
return UL_BLOCKED;
}
return UL_NOTVALID;
}
}
// End of userid/password check
// Run with debugging messages for the system administrator(s) but not anyone else
return UL_OK;
/* All is well */
}
function userLogin($Name, $Password, $db)
{
if (!isset($_SESSION['AccessLevel']) or $_SESSION['AccessLevel'] == '' or isset($Name) and $Name != '') {
/* if not logged in */
$_SESSION['AccessLevel'] = '';
$_SESSION['CustomerID'] = '';
$_SESSION['UserBranch'] = '';
$_SESSION['SalesmanLogin'] = '';
$_SESSION['Module'] = '';
$_SESSION['PageSize'] = '';
$_SESSION['UserStockLocation'] = '';
$_SESSION['AttemptsCounter']++;
// Show login screen
if (!isset($Name) or $Name == '') {
return UL_SHOWLOGIN;
}
$sql = "SELECT www_users.fullaccess,\n\t\t\t\t\t\t\t\t\twww_users.customerid,\n\t\t\t\t\t\t\t\t\twww_users.lastvisitdate,\n\t\t\t\t\t\t\t\t\twww_users.pagesize,\n\t\t\t\t\t\t\t\t\twww_users.defaultlocation,\n\t\t\t\t\t\t\t\t\twww_users.branchcode,\n\t\t\t\t\t\t\t\t\twww_users.modulesallowed,\n\t\t\t\t\t\t\t\t\twww_users.blocked,\n\t\t\t\t\t\t\t\t\twww_users.realname,\n\t\t\t\t\t\t\t\t\twww_users.theme,\n\t\t\t\t\t\t\t\t\twww_users.displayrecordsmax,\n\t\t\t\t\t\t\t\t\twww_users.userid,\n\t\t\t\t\t\t\t\t\twww_users.language,\n\t\t\t\t\t\t\t\t\twww_users.salesman,\n\t\t\t\t\t\t\t\t\twww_users.pdflanguage\n\t\t\t\t\t\tFROM www_users\n\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'\n\t\t\t\t\t\tAND (www_users.password='******'\n\t\t\t\t\t\tOR www_users.password='******')";
$Auth_Result = DB_query($sql, $db);
// Populate session variables with data base results
if (DB_num_rows($Auth_Result) > 0) {
$myrow = DB_fetch_array($Auth_Result);
if ($myrow[7] == 1) {
//the account is blocked
return UL_BLOCKED;
}
/*reset the attempts counter on successful login */
$_SESSION['AttemptsCounter'] = 0;
$_SESSION['AccessLevel'] = $myrow['fullaccess'];
$_SESSION['CustomerID'] = $myrow['customerid'];
$_SESSION['UserBranch'] = $myrow['branchcode'];
$_SESSION['DefaultPageSize'] = $myrow['pagesize'];
$_SESSION['UserStockLocation'] = $myrow['defaultlocation'];
$_SESSION['ModulesEnabled'] = explode(",", $myrow['modulesallowed']);
$_SESSION['UsersRealName'] = $myrow['realname'];
$_SESSION['Theme'] = $myrow['theme'];
// $_SESSION['UserID'] = $myrow[11];
$_SESSION['Language'] = $myrow['language'];
$_SESSION['SalesmanLogin'] = $myrow['salesman'];
$_SESSION['PDFLanguage'] = $myrow['pdflanguage'];
if ($myrow[10] > 0) {
$_SESSION['DisplayRecordsMax'] = $myrow['displayrecordsmax'];
} else {
$_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax'];
// default comes from config.php
}
$_SESSION['UserID'] = $myrow['userid'];
$sql = "UPDATE www_users SET lastvisitdate='" . date("Y-m-d H:i:s") . "'\n\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql, $db);
/*get the security tokens that the user has access to */
$sql = 'SELECT tokenid FROM securitygroups
WHERE secroleid = ' . $_SESSION['AccessLevel'];
$Sec_Result = DB_query($sql, $db);
$_SESSION['AllowedPageSecurityTokens'] = array();
if (DB_num_rows($Sec_Result) == 0) {
return UL_CONFIGERR;
} else {
$i = 0;
while ($myrow = DB_fetch_row($Sec_Result)) {
$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
$i++;
}
}
// Temporary shift - disable log messages.
} else {
// Incorrect password
// 5 login attempts, show failed login screen
if (!isset($_SESSION['AttemptsCounter'])) {
$_SESSION['AttemptsCounter'] = 0;
} elseif ($_SESSION['AttemptsCounter'] >= 5 and isset($Name)) {
/*User blocked from future accesses until sysadmin releases */
$sql = "UPDATE www_users\n\t\t\t\t\t\tSET blocked=1\n\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql, $db);
return UL_BLOCKED;
}
return UL_NOTVALID;
}
}
// End of userid/password check
// Run with debugging messages for the system administrator(s) but not anyone else
return UL_OK;
/* All is well */
}
function userLogin($Name, $Password, $SysAdminEmail = '', $db)
{
global $debug;
global $PathPrefix;
if (!isset($_SESSION['AccessLevel']) or $_SESSION['AccessLevel'] == '' or isset($Name) and $Name != '') {
/* if not logged in */
$_SESSION['AccessLevel'] = '';
$_SESSION['CustomerID'] = '';
$_SESSION['UserBranch'] = '';
$_SESSION['SalesmanLogin'] = '';
$_SESSION['Module'] = '';
$_SESSION['PageSize'] = '';
$_SESSION['UserStockLocation'] = '';
$_SESSION['AttemptsCounter']++;
// Show login screen
if (!isset($Name) or $Name == '') {
$_SESSION['DatabaseName'] = '';
$_SESSION['CompanyName'] = '';
return UL_SHOWLOGIN;
}
/* The SQL to get the user info must use the * syntax because the field name could change between versions if the fields are specifed directly then the sql fails and the db upgrade will fail */
$sql = "SELECT *\n\t\t\t\tFROM www_users\n\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$ErrMsg = _('Could not retrieve user details on login because');
$debug = 1;
$PasswordVerified = false;
$Auth_Result = DB_query($sql, $ErrMsg);
if (DB_num_rows($Auth_Result) > 0) {
$myrow = DB_fetch_array($Auth_Result);
if (VerifyPass($Password, $myrow['password'])) {
$PasswordVerified = true;
} elseif (isset($GLOBALS['CryptFunction'])) {
/*if the password stored in the DB was compiled the old way,
* the previous comparison will fail,
* try again with the old hashing algorithm,
* then re-hash the password using the new algorithm.
* The next version should not have $CryptFunction any more for new installs.
*/
switch ($GLOBALS['CryptFunction']) {
case 'sha1':
if ($myrow['password'] == sha1($Password)) {
$PasswordVerified = true;
}
break;
case 'md5':
if ($myrow['password'] == md5($Password)) {
$PasswordVerified = true;
}
break;
default:
if ($myrow['password'] == $Password) {
$PasswordVerified = true;
}
}
if ($PasswordVerified) {
$sql = "UPDATE www_users SET password = '******'" . " WHERE userid = '" . $Name . "';";
DB_query($sql);
}
}
}
// Populate session variables with data base results
if ($PasswordVerified) {
if ($myrow['blocked'] == 1) {
//the account is blocked
return UL_BLOCKED;
}
/*reset the attempts counter on successful login */
$_SESSION['UserID'] = $myrow['userid'];
$_SESSION['AttemptsCounter'] = 0;
$_SESSION['AccessLevel'] = $myrow['fullaccess'];
$_SESSION['CustomerID'] = $myrow['customerid'];
$_SESSION['UserBranch'] = $myrow['branchcode'];
$_SESSION['DefaultPageSize'] = $myrow['pagesize'];
$_SESSION['UserStockLocation'] = $myrow['defaultlocation'];
$_SESSION['UserEmail'] = $myrow['email'];
$_SESSION['ModulesEnabled'] = explode(",", $myrow['modulesallowed']);
$_SESSION['UsersRealName'] = $myrow['realname'];
$_SESSION['Theme'] = $myrow['theme'];
$_SESSION['Language'] = $myrow['language'];
$_SESSION['SalesmanLogin'] = $myrow['salesman'];
$_SESSION['CanCreateTender'] = $myrow['cancreatetender'];
$_SESSION['AllowedDepartment'] = $myrow['department'];
$_SESSION['ShowDashboard'] = $myrow['showdashboard'];
if (isset($myrow['pdflanguage'])) {
$_SESSION['PDFLanguage'] = $myrow['pdflanguage'];
} else {
$_SESSION['PDFLanguage'] = '0';
//default to latin western languages
}
if ($myrow['displayrecordsmax'] > 0) {
$_SESSION['DisplayRecordsMax'] = $myrow['displayrecordsmax'];
} else {
$_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax'];
// default comes from config.php
}
$sql = "UPDATE www_users SET lastvisitdate='" . date('Y-m-d H:i:s') . "'\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql);
/*get the security tokens that the user has access to */
$sql = "SELECT tokenid\n\t\t\t\t\tFROM securitygroups\n\t\t\t\t\tWHERE secroleid = '" . $_SESSION['AccessLevel'] . "'";
$Sec_Result = DB_query($sql);
$_SESSION['AllowedPageSecurityTokens'] = array();
if (DB_num_rows($Sec_Result) == 0) {
return UL_CONFIGERR;
} else {
$i = 0;
$UserIsSysAdmin = FALSE;
while ($myrow = DB_fetch_row($Sec_Result)) {
if ($myrow[0] == 15) {
$UserIsSysAdmin = TRUE;
}
$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
$i++;
}
}
/*User is logged in so get configuration parameters - save in session*/
include $PathPrefix . 'includes/GetConfig.php';
if (isset($_SESSION['DB_Maintenance'])) {
if ($_SESSION['DB_Maintenance'] > 0) {
//run the DB maintenance script
if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['DB_Maintenance_LastRun']), 'd') >= $_SESSION['DB_Maintenance']) {
/*Do the DB maintenance routing for the DB_type selected */
DB_Maintenance();
$_SESSION['DB_Maintenance_LastRun'] = Date('Y-m-d');
/* Audit trail purge only runs if DB_Maintenance is enabled */
if (isset($_SESSION['MonthsAuditTrail'])) {
$sql = "DELETE FROM audittrail\n\t\t\t\t\t\t\t\t\tWHERE transactiondate <= '" . Date('Y-m-d', mktime(0, 0, 0, Date('m') - $_SESSION['MonthsAuditTrail'])) . "'";
$ErrMsg = _('There was a problem deleting expired audit-trail history');
$result = DB_query($sql);
}
}
}
}
/*Check to see if currency rates need to be updated */
if (isset($_SESSION['UpdateCurrencyRatesDaily'])) {
if ($_SESSION['UpdateCurrencyRatesDaily'] != 0) {
/* Only run the update to currency rates if today is after the last update i.e. only runs once a day */
if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['UpdateCurrencyRatesDaily']), 'd') > 0) {
if ($_SESSION['ExchangeRateFeed'] == 'ECB') {
$CurrencyRates = GetECBCurrencyRates();
// gets rates from ECB see includes/MiscFunctions.php
/*Loop around the defined currencies and get the rate from ECB */
if ($CurrencyRates != false) {
$CurrenciesResult = DB_query("SELECT currabrev FROM currencies");
while ($CurrencyRow = DB_fetch_row($CurrenciesResult)) {
if ($CurrencyRow[0] != $_SESSION['CompanyRecord']['currencydefault']) {
$UpdateCurrRateResult = DB_query("UPDATE currencies SET rate='" . GetCurrencyRate($CurrencyRow[0], $CurrencyRates) . "'\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE currabrev='" . $CurrencyRow[0] . "'", $db);
}
}
}
} else {
$CurrenciesResult = DB_query("SELECT currabrev FROM currencies");
while ($CurrencyRow = DB_fetch_row($CurrenciesResult)) {
if ($CurrencyRow[0] != $_SESSION['CompanyRecord']['currencydefault']) {
$UpdateCurrRateResult = DB_query("UPDATE currencies SET rate='" . google_currency_rate($CurrencyRow[0]) . "'\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE currabrev='" . $CurrencyRow[0] . "'", $db);
}
}
}
$_SESSION['UpdateCurrencyRatesDaily'] = Date('Y-m-d');
$UpdateConfigResult = DB_query("UPDATE config SET confvalue = '" . Date('Y-m-d') . "' WHERE confname='UpdateCurrencyRatesDaily'");
}
}
}
/* Set the logo if not yet set.
* will be done only once per session and each time
* we are not in session (i.e. before login)
*/
if (empty($_SESSION['LogoFile'])) {
/* find a logo in companies/CompanyDir */
if (file_exists($PathPrefix . 'companies/' . $_SESSION['DatabaseName'] . '/logo.png')) {
$_SESSION['LogoFile'] = 'companies/' . $_SESSION['DatabaseName'] . '/logo.png';
} elseif (file_exists($PathPrefix . 'companies/' . $_SESSION['DatabaseName'] . '/logo.jpg')) {
$_SESSION['LogoFile'] = 'companies/' . $_SESSION['DatabaseName'] . '/logo.jpg';
}
}
if (!isset($_SESSION['DB_Maintenance'])) {
return UL_CONFIGERR;
} else {
if ($_SESSION['DB_Maintenance'] == -1 and !in_array(15, $_SESSION['AllowedPageSecurityTokens'])) {
// the configuration setting has been set to -1 ==> Allow SysAdmin Access Only
// the user is NOT a SysAdmin
return UL_MAINTENANCE;
}
}
} else {
// Incorrect password
// 5 login attempts, show failed login screen
if (!isset($_SESSION['AttemptsCounter'])) {
$_SESSION['AttemptsCounter'] = 0;
} elseif ($_SESSION['AttemptsCounter'] >= 5 and isset($Name)) {
/*User blocked from future accesses until sysadmin releases */
$sql = "UPDATE www_users\n\t\t\t\t\t\t\tSET blocked=1\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql);
if ($SysAdminEmail != '') {
$EmailSubject = _('User access blocked') . ' ' . $Name;
$EmailText = _('User ID') . ' ' . $Name . ' - ' . $Password . ' - ' . _('has been blocked access at') . ' ' . Date('Y-m-d H:i:s') . ' ' . _('from IP') . ' ' . $_SERVER["REMOTE_ADDR"] . ' ' . _('due to too many failed attempts.');
if ($_SESSION['SmtpSetting'] == 0) {
mail($SysAdminEmail, $EmailSubject, $EmailText);
} else {
include 'includes/htmlMimeMail.php';
$mail = new htmlMimeMail();
$mail->setSubject($EmailSubject);
$mail->setText($EmailText);
$result = SendmailBySmtp($mail, array($SysAdminEmail));
}
}
return UL_BLOCKED;
}
return UL_NOTVALID;
}
}
// End of userid/password check
// Run with debugging messages for the system administrator(s) but not anyone else
return UL_OK;
/* All is well */
}
