/**
 * Persist the edited profile of the global $user from $_POST.
 *
 * Return value is not uniform: nothing when the request is not a profile
 * save or fails the access test; a translated error string on a
 * validation failure; false when the verification mail cannot be sent;
 * the literal 'There was a token error.' on CSRF failure; otherwise the
 * $saved flag array (keys 'username', 'pass', 'profile').
 *
 * Globals read/written: $user (the profile being edited), $current_user,
 * $db, $main_smarty, $CSRF, $canIhaveAccess, $language.
 */
function save_profile() {
    global $user, $current_user, $db, $main_smarty, $CSRF, $canIhaveAccess, $language;
    // CSRF token is checked first; every write below is inside this branch.
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'profile_change')) {
        // Access test: anyone with $canIhaveAccess may edit, otherwise the posted
        // user_id must match the session user. NOTE(review): $user is loaded
        // outside this function; whether it was loaded from the same user_id that
        // is compared here is not visible from this block — confirm, otherwise the
        // check and the object being saved can disagree.
        if (!isset($_POST['save_profile']) || !$_POST['process'] || !$canIhaveAccess && sanitize($_POST['user_id'], 3) != $current_user->user_id) {
            return;
        }
        // --- e-mail change -------------------------------------------------
        if ($user->email != sanitize($_POST['email'], 3)) {
            if (!check_email(sanitize($_POST['email'], 3))) {
                $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_BadEmail");
                return $savemsg;
            } elseif (email_exists(trim(sanitize($_POST['email'], 3)))) { // if email already exists
                $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Register_Error_EmailExists");
                return $savemsg;
            } else {
                if (pligg_validate()) {
                    // Verification code: md5 of the new e-mail, karma, username, pligg_hash()
                    // and the site name. Everything except pligg_hash() is public or
                    // guessable, so the code is only as unpredictable as pligg_hash() is
                    // secret — confirm how that value is generated and stored.
                    $encode = md5($_POST['email'] . $user->karma . $user->username . pligg_hash() . $main_smarty->get_config_vars('PLIGG_Visual_Name'));
                    // $domain and $validation are not used directly below; presumably they
                    // are the variables the mail template interpolates through eval().
                    $domain = $main_smarty->get_config_vars('PLIGG_Visual_Name');
                    $validation = my_base_url . my_pligg_base . "/validation.php?code={$encode}&uid=" . urlencode($user->username) . "&email=" . urlencode($_POST['email']);
                    $str = $main_smarty->get_config_vars('PLIGG_PassEmail_verification_message');
                    // SECURITY: the language/config string is executed as PHP so that
                    // {$validation} etc. get interpolated. str_replace() only escapes
                    // double quotes; "$" and "{" are left alone, so whoever can edit the
                    // language file can run arbitrary code here. A plain placeholder
                    // substitution (e.g. strtr() over the known template variables) would
                    // give the same interpolation without eval().
                    eval('$str = "' . str_replace('"', '\\"', $str) . '";');
                    $message = "{$str}";
                    // require (not require_once): calling this path twice in one request
                    // would redeclare the PHPMailer class — presumably never happens here.
                    if (phpnum() >= 5) {
                        require "libs/class.phpmailer5.php";
                    } else {
                        require "libs/class.phpmailer4.php";
                    }
                    $mail = new PHPMailer();
                    $mail->From = $main_smarty->get_config_vars('PLIGG_PassEmail_From');
                    $mail->FromName = $main_smarty->get_config_vars('PLIGG_PassEmail_Name');
                    // Raw $_POST['email'] is used here although the checks above ran on the
                    // sanitize()d value; the two can differ if sanitize() strips anything.
                    $mail->AddAddress($_POST['email']);
                    $mail->AddReplyTo($main_smarty->get_config_vars('PLIGG_PassEmail_From'));
                    $mail->IsHTML(false);
                    $mail->Subject = $main_smarty->get_config_vars('PLIGG_PassEmail_Subject_verification');
                    $mail->Body = $message;
                    $mail->CharSet = 'utf-8';
                    #print_r($mail);
                    // A failed send aborts the whole save with false (not a message).
                    if (!$mail->Send()) {
                        return false;
                    }
                    $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Register_Noemail") . ' ' . sprintf($main_smarty->get_config_vars("PLIGG_Visual_Register_ToDo"), $main_smarty->get_config_vars('PLIGG_PassEmail_From'));
                } else {
                    // Validation disabled: the new address is taken over without a
                    // confirmation round trip (sanitize level 2 here, 3 everywhere above).
                    $user->email = sanitize($_POST['email'], 2);
                }
            }
        }
        // --- template cookie -----------------------------------------------
        // SECURITY: $_POST['template'] is not restricted to a plain directory name;
        // file_exists() only proves that some path built from it resolves to a
        // header.tpl, so values containing "../" can pass. The cookie value is
        // trusted by whatever later selects the template from it (not visible
        // here) — a whitelist such as preg_match('/^[A-Za-z0-9_-]+$/', ...) on the
        // name would close this. The cookie is also set without httponly/secure.
        if (Allow_User_Change_Templates && file_exists("./templates/" . $_POST['template'] . "/header.tpl")) {
            // Cookie domain is derived from the Host header, which the client chooses.
            $domain = $_SERVER['HTTP_HOST'] == 'localhost' ? '' : preg_replace('/^www/', '', $_SERVER['HTTP_HOST']);
            setcookie("template", $_POST['template'], time() + 60 * 60 * 24 * 30, '/', $domain);
        }
        // --- category subscriptions ----------------------------------------
        // user_categories stores the categories the user did NOT tick, i.e. the
        // difference between all category ids and the posted 'chack' list.
        $sqlGetiCategory = "SELECT category__auto_id from " . table_categories . " where category__auto_id!= 0;";
        $sqlGetiCategoryQ = mysql_query($sqlGetiCategory);
        $arr = array();
        while ($row = mysql_fetch_array($sqlGetiCategoryQ, MYSQL_NUM)) {
            $arr[] = $row[0];
        }
        // NOTE(review): if 'chack' is posted as a scalar rather than an array,
        // array_diff() below is called with a non-array — worth guarding with is_array().
        $select_check = $_POST['chack'];
        if (!$select_check) {
            $select_check = array();
        }
        $diff = array_diff($arr, $select_check);
        $select_checked = $db->escape(implode(",", $diff));
        // $user->id is interpolated unescaped; presumably an integer loaded from the
        // database, but it is not validated here.
        $sql = "UPDATE " . table_users . " set user_categories='{$select_checked}' WHERE user_id = '{$user->id}'";
        $query = mysql_query($sql);
        // Sanitize user input (sanitize level 2 for the free-text profile fields).
        $user->url = sanitize($_POST['url'], 2);
        $user->public_email = sanitize($_POST['public_email'], 2);
        $user->location = sanitize($_POST['location'], 2);
        $user->occupation = sanitize($_POST['occupation'], 2);
        $user->facebook = sanitize($_POST['facebook'], 2);
        $user->twitter = sanitize($_POST['twitter'], 2);
        $user->linkedin = sanitize($_POST['linkedin'], 2);
        $user->googleplus = sanitize($_POST['googleplus'], 2);
        $user->skype = sanitize($_POST['skype'], 2);
        $user->pinterest = sanitize($_POST['pinterest'], 2);
        $user->names = sanitize($_POST['names'], 2);
        if (user_language) {
            $user->language = sanitize($_POST['language'], 2);
        }
        // Convert user input social URLs to username values. Each preg_match()
        // overwrites $matches, so a non-match leaves the field as entered.
        $facebookUrl = $user->facebook;
        preg_match("/https?:\\/\\/(www\\.)?facebook\\.com\\/([^\\/]*)/", $facebookUrl, $matches);
        if ($matches) {
            $user->facebook = $matches[2];
        }
        $twitterUrl = $user->twitter;
        preg_match("/https?:\\/\\/(www\\.)?twitter\\.com\\/(#!\\/)?@?([^\\/]*)/", $twitterUrl, $matches);
        if ($matches) {
            $user->twitter = $matches[3];
        }
        $linkedinUrl = $user->linkedin;
        preg_match("/https?:\\/\\/(www\\.)?linkedin\\.com\\/in\\/([^\\/]*)/", $linkedinUrl, $matches);
        if ($matches) {
            $user->linkedin = $matches[2];
        }
        $googleplusUrl = $user->googleplus;
        preg_match("/https?:\\/\\/plus\\.google\\.com\\/([^\\/]*)/", $googleplusUrl, $matches);
        if ($matches) {
            $user->googleplus = $matches[1];
        }
        $pinterestUrl = $user->pinterest;
        preg_match("/https?:\\/\\/(www\\.)?pinterest\\.com\\/([^\\/]*)/", $pinterestUrl, $matches);
        if ($matches) {
            $user->pinterest = $matches[2];
        }
        // module system hook
        $vars = '';
        check_actions('profile_save', $vars);
        /* $avatar_source = sanitize($_POST['avatarsource'], 2); if($avatar_source != "" && $avatar_source != "useruploaded"){ loghack('Updating profile, avatar source is not one of the list options.', 'username: '******'|email: ' . sanitize($_POST["email"], 3)); $avatar_source == ""; } $user->avatar_source=$avatar_source; */
        // --- username change (admin / moderator only) ----------------------
        if ($user->level == "admin" || $user->level == "moderator") {
            if ($user->username != sanitize($_POST['user_login'], 3)) {
                $user_login = sanitize($_POST['user_login'], 2);
                if (preg_match('/\\pL/u', 'a')) { // Check if PCRE was compiled with UTF-8 support
                    if (!preg_match('/^[_\\-\\d\\p{L}\\p{M}]+$/iu', $user_login)) { // if username contains invalid characters
                        $savemsg = $main_smarty->get_config_vars('PLIGG_Visual_Register_Error_UserInvalid');
                        return $savemsg;
                    }
                } else {
                    // Fallback blacklist of punctuation when \p{L} is unavailable.
                    if (!preg_match('/^[^~`@%&=\\/;:\\.,<>!"\\\'\\^\\.\\[\\]\\$\\(\\)\\|\\*\\+\\-\\?\\{\\}\\\\]+$/', $user_login)) {
                        $savemsg = $main_smarty->get_config_vars('PLIGG_Visual_Register_Error_UserInvalid');
                        return $savemsg;
                    }
                }
                if (user_exists(trim($user_login))) {
                    $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Register_Error_UserExists");
                    // The taken name is still written to the in-memory object (not stored,
                    // since we return before $user->store()) — presumably so the form
                    // re-displays it.
                    $user->username = $user_login;
                    return $savemsg;
                } else {
                    $user->username = $user_login;
                    $saved['username'] = 1;
                }
            }
        }
        // --- password change -----------------------------------------------
        if (!empty($_POST['newpassword']) || !empty($_POST['newpassword2'])) {
            $oldpass = sanitize($_POST['oldpassword'], 2);
            // The interpolated login value is redacted in this listing ('******');
            // whether it is escaped before reaching the query is not visible here.
            $userX = $db->get_row("SELECT user_id, user_pass, user_login FROM " . table_users . " WHERE user_login = '******'");
            // Re-hash the supplied old password with the stored salt prefix.
            $saltedpass = generateHash($oldpass, substr($userX->user_pass, 0, SALT_LENGTH));
            // SECURITY: loose "==" on two hash strings. If both happen to look like
            // numeric strings (e.g. "0e" followed by digits) PHP compares them as
            // numbers and unequal hashes compare equal; it is also not constant-time.
            // Use hash_equals($userX->user_pass, $saltedpass) instead.
            if ($userX->user_pass == $saltedpass) {
                if (sanitize($_POST['newpassword'], 3) !== sanitize($_POST['newpassword2'], 3)) {
                    $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_BadPass");
                    return $savemsg;
                } else {
                    $saltedpass = generateHash(sanitize($_POST['newpassword'], 3));
                    $user->pass = $saltedpass;
                    $saved['pass'] = 1;
                }
            } else {
                $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_BadOldPass");
                return $savemsg;
            }
        }
        $user->store();
        $user->read();
        // NOTE(review): $saved is never initialised, so these reads raise undefined
        // index notices when neither the password nor the username changed, and the
        // function then returns null rather than an array. `$saved = array();` at
        // the top of the function would fix both.
        if ($saved['pass'] == 1 || $saved['username'] == 1) {
            // Credentials changed: re-authenticate with the extra arguments
            // (their meaning is defined in Authenticate(), not visible here).
            $current_user->Authenticate($user->username, $user->pass, false, $user->pass);
        } else {
            $current_user->Authenticate($user->username, $user->pass);
            $saved['profile'] = 1;
        }
        return $saved;
    } else {
        return 'There was a token error.';
    }
}
$confirmationcode = sanitize($_GET["confirmationcode"], 3); $DBconf = $db->get_var("SELECT `last_reset_code` FROM `" . table_users . "` where `user_login` = '" . $username . "'"); if ($DBconf) { if ($DBconf == $confirmationcode && !empty($confirmationcode)) { $db->query('UPDATE `' . table_users . '` SET `last_reset_code` = "" WHERE `user_login` = "' . $username . '"'); $db->query('UPDATE `' . table_users . '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login` = "' . $username . '"'); $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_PassReset'); } else { $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_ErrorBadCode'); } } else { $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_ErrorBadCode'); } } } if ($_POST["processlogin"] == 5 && pligg_validate()) { // resend confirmation email $email = sanitize($db->escape(trim($_POST['email'])), 4); if (check_email($email)) { $user = $db->get_row("SELECT * FROM `" . table_users . "` where `user_email` = '" . $email . "' AND user_level!='Spammer'"); if ($user) { $encode = md5($_POST['email'] . $user->karma . $user->username . pligg_hash() . $main_smarty->get_config_vars('PLIGG_Visual_Name')); $domain = $main_smarty->get_config_vars('PLIGG_Visual_Name'); $validation = my_base_url . my_pligg_base . "/validation.php?code={$encode}&uid=" . urlencode($user->username) . "&email=" . urlencode($_POST['email']); $str = $main_smarty->get_config_vars('PLIGG_PassEmail_verification_message'); eval('$str = "' . str_replace('"', '\\"', $str) . '";'); $message = "{$str}"; if (phpnum() >= 5) { require "libs/class.phpmailer5.php"; } else { require "libs/class.phpmailer4.php";
/**
 * Insert this object as a new user row and, when account validation is on,
 * send the verification e-mail.
 *
 * Returns false when username, password or e-mail is empty, when the INSERT
 * fails, or when the verification mail cannot be sent; true otherwise.
 * Terminates the request with die() if the username is already taken.
 *
 * Reads $this->username, $this->pass (plaintext) and $this->email.
 * Globals: $db, $main_smarty, $the_template, $my_base_url, $my_pligg_base.
 */
function Create() {
    global $db, $main_smarty, $the_template, $my_base_url, $my_pligg_base;
    if ($this->username == '') {
        return false;
    }
    if ($this->pass == '') {
        return false;
    }
    if ($this->email == '') {
        return false;
    }
    // Existence check and INSERT are separate statements: two concurrent
    // registrations of the same name can both pass the check (no unique
    // constraint is visible from here).
    if (!user_exists($this->username)) {
        $userip = $_SERVER['REMOTE_ADDR'];
        $saltedpass = generateHash($this->pass);
        // New users start subscribed to every category (ids joined by comma).
        $sqlGetiCategory = "SELECT category__auto_id from " . table_categories . " where category__auto_id!= 0;";
        $sqlGetiCategoryQ = mysql_query($sqlGetiCategory);
        $arr = array();
        $i = 0;
        while ($row = mysql_fetch_array($sqlGetiCategoryQ, MYSQL_NUM)) {
            $arr[$i] = $row['0'];
            $i++;
        }
        $CategoriesId = implode(",", $arr);
        if (pligg_validate() == 1) {
            // SECURITY: $this->username and $this->email are concatenated into the
            // statement unescaped. Nothing in this method escapes them; unless every
            // caller does (register_add_user() in this file passes its arguments
            // straight through), this is SQL injection — prefer $db->escape() here
            // or a prepared statement.
            if ($db->query("INSERT INTO " . table_users . " (user_login, user_email, user_pass, user_date, user_ip,user_categories) VALUES ('" . $this->username . "', '" . $this->email . "', '" . $saltedpass . "', now(), '" . $userip . "', '" . $CategoriesId . "')")) {
                // Login value redacted in this listing ('******').
                $result = $db->get_row("SELECT user_email, user_pass, user_karma, user_lastlogin FROM " . table_users . " WHERE user_login = '******'");
                // Verification code: only pligg_hash() is non-public in this md5 input,
                // so its unpredictability rests entirely on that value — confirm.
                $encode = md5($this->email . $result->user_karma . $this->username . pligg_hash() . $main_smarty->get_config_vars('PLIGG_Visual_Name'));
                // Locals set up for the eval()'d mail template below. Note that
                // $password is the plaintext password: any template referencing it
                // mails the secret in clear. The two self-assignments are no-ops.
                $username = $this->username;
                $password = $this->pass;
                $my_base_url = $my_base_url;
                $my_pligg_base = $my_pligg_base;
                $domain = $main_smarty->get_config_vars('PLIGG_Visual_Name');
                // uid is not urlencode()d here (the profile code does encode it).
                $validation = my_base_url . my_pligg_base . "/validation.php?code={$encode}&uid=" . $this->username;
                $str = $main_smarty->get_config_vars('PLIGG_PassEmail_verification_message');
                // SECURITY: the language string is executed as PHP with no escaping at
                // all — a double quote, "$" or "{" in it changes or injects code. Whoever
                // can edit that config file runs code on the server; a strtr() over the
                // known placeholders gives the same interpolation without eval().
                eval("\$str = \"{$str}\";");
                $message = "{$str}";
                // require, not require_once: a second Create() in the same request
                // would redeclare PHPMailer.
                if (phpnum() >= 5) {
                    require "class.phpmailer5.php";
                } else {
                    require "class.phpmailer4.php";
                }
                $mail = new PHPMailer();
                $mail->From = $main_smarty->get_config_vars('PLIGG_PassEmail_From');
                $mail->FromName = "Administrator";
                $mail->AddAddress($this->email);
                $mail->AddReplyTo($main_smarty->get_config_vars('PLIGG_PassEmail_From'));
                $mail->IsHTML(false);
                $mail->Subject = $main_smarty->get_config_vars('PLIGG_PassEmail_Subject_verification');
                $mail->Body = $message;
                // The row is already inserted at this point; a failed send leaves an
                // unverified account behind and returns false. `exit;` is unreachable.
                if (!$mail->Send()) {
                    return false;
                    exit;
                }
                return true;
            } else {
                return false;
            }
        } else {
            // Validation off: mark the account as already logged in once.
            // Same unescaped interpolation as the INSERT above.
            if ($db->query("INSERT INTO " . table_users . " (user_login, user_email, user_pass, user_date, user_ip, user_lastlogin,user_categories) VALUES ('" . $this->username . "', '" . $this->email . "', '" . $saltedpass . "', now(), '" . $userip . "', now(),'" . $CategoriesId . "')")) {
                return true;
            } else {
                return false;
            }
        }
    } else {
        // Hard stop instead of a false return; callers cannot recover or
        // render a proper message from this.
        die('User already exists');
    }
}
/**
 * Insert this object as a new user row (later variant: proxy-aware client
 * IP, INSERT IGNORE, empty category list) and, when account validation is
 * on, send the verification e-mail.
 *
 * Returns false when username, password or e-mail is empty, when the query
 * fails, or when the verification mail cannot be sent; true otherwise.
 * Terminates the request with die() if the username is already taken.
 *
 * Reads $this->username, $this->pass (plaintext) and $this->email.
 * Globals: $db, $main_smarty, $the_template, $my_base_url, $my_pligg_base.
 */
function Create() {
    global $db, $main_smarty, $the_template, $my_base_url, $my_pligg_base;
    if ($this->username == '') {
        return false;
    }
    if ($this->pass == '') {
        return false;
    }
    if ($this->email == '') {
        return false;
    }
    if (!user_exists($this->username)) {
        require_once mnminclude . 'check_behind_proxy.php';
        // NOTE(review): the stored user_ip comes from check_ip_behind_proxy(). If
        // that helper trusts forwarded-for style headers unconditionally, the value
        // is whatever the client sent — confirm before using user_ip for any
        // decision (rate limiting, bans, audit).
        $userip = check_ip_behind_proxy();
        $saltedpass = generateHash($this->pass);
        if (pligg_validate()) {
            // SECURITY: $this->username and $this->email are concatenated into the
            // statement unescaped; nothing in this method escapes them — SQL
            // injection unless every caller does. INSERT IGNORE also turns a
            // duplicate-key collision into a silent no-op that still reads as
            // success here (depending on what $db->query() returns for 0 rows).
            if ($db->query("INSERT IGNORE INTO " . table_users . " (user_login, user_email, user_pass, user_date, user_ip,user_categories) VALUES ('" . $this->username . "', '" . $this->email . "', '" . $saltedpass . "', now(), '" . $userip . "', '')")) {
                // Login value redacted in this listing ('******').
                $result = $db->get_row("SELECT user_email, user_pass, user_karma, user_lastlogin FROM " . table_users . " WHERE user_login = '******'");
                // Verification code: only pligg_hash() is non-public in this md5 input,
                // so its unpredictability rests entirely on that value — confirm.
                $encode = md5($this->email . $result->user_karma . $this->username . pligg_hash() . $main_smarty->get_config_vars('PLIGG_Visual_Name'));
                // Locals for the eval()'d mail template. $password is the plaintext
                // password: a template that references it mails the secret in clear.
                // The two self-assignments are no-ops.
                $username = $this->username;
                $password = $this->pass;
                $my_base_url = $my_base_url;
                $my_pligg_base = $my_pligg_base;
                $domain = $main_smarty->get_config_vars('PLIGG_Visual_Name');
                // uid is not urlencode()d here.
                $validation = my_base_url . my_pligg_base . "/validation.php?code={$encode}&uid=" . $this->username;
                $str = $main_smarty->get_config_vars('PLIGG_PassEmail_verification_message');
                // SECURITY: config string executed as PHP. Only double quotes are
                // escaped; "$" and "{" are not, so an editable language file means
                // code execution. strtr() over the known placeholders avoids eval().
                eval('$str = "' . str_replace('"', '\\"', $str) . '";');
                $message = "{$str}";
                // require, not require_once: a second Create() in one request would
                // redeclare PHPMailer.
                if (phpnum() >= 5) {
                    require "class.phpmailer5.php";
                } else {
                    require "class.phpmailer4.php";
                }
                $mail = new PHPMailer();
                $mail->From = $main_smarty->get_config_vars('PLIGG_PassEmail_From');
                $mail->FromName = $main_smarty->get_config_vars('PLIGG_PassEmail_Name');
                $mail->AddAddress($this->email);
                $mail->AddReplyTo($main_smarty->get_config_vars('PLIGG_PassEmail_From'));
                $mail->IsHTML(false);
                $mail->Subject = $main_smarty->get_config_vars('PLIGG_PassEmail_Subject_verification');
                $mail->CharSet = 'utf-8';
                $mail->Body = $message;
                // Row already inserted: a failed send leaves an unverified account
                // behind and returns false. `exit;` is unreachable.
                if (!$mail->Send()) {
                    return false;
                    exit;
                }
                return true;
            } else {
                return false;
            }
        } else {
            // Validation off: account is marked as logged in once. Same unescaped
            // interpolation and INSERT IGNORE caveat as above.
            if ($db->query("INSERT IGNORE INTO " . table_users . " (user_login, user_email, user_pass, user_date, user_ip, user_lastlogin,user_categories) VALUES ('" . $this->username . "', '" . $this->email . "', '" . $saltedpass . "', now(), '" . $userip . "', now(),'')")) {
                return true;
            } else {
                return false;
            }
        }
    } else {
        // Hard stop instead of a false return; callers cannot recover from it.
        die('User already exists');
    }
}
/**
 * Persist the edited profile of the global $user from $_POST (earlier
 * variant: IM fields, avatar source, no category/template handling).
 *
 * Return value is not uniform: nothing when the request is not a profile
 * save or fails the access test; a translated status or error string
 * otherwise; false when the verification mail cannot be sent; the literal
 * 'There was a token error.' on CSRF failure. May also redirect and exit
 * when the interface language changed.
 *
 * Globals read/written: $user (the profile being edited), $current_user,
 * $db, $main_smarty, $CSRF, $canIhaveAccess, $language.
 */
function save_profile() {
    global $user, $current_user, $db, $main_smarty, $CSRF, $canIhaveAccess, $language;
    // CSRF token is checked first; every write below is inside this branch.
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'profile_change')) {
        // Access test: $canIhaveAccess bypasses it, otherwise the posted user_id
        // must match the session user. NOTE(review): $user is loaded outside this
        // function; whether it was loaded from that same user_id is not visible
        // here — confirm, otherwise the check and the saved object can disagree.
        if (!isset($_POST['save_profile']) || !$_POST['process'] || !$canIhaveAccess && sanitize($_POST['user_id'], 3) != $current_user->user_id) {
            return;
        }
        // --- e-mail change -------------------------------------------------
        if ($user->email != sanitize($_POST['email'], 3)) {
            if (!check_email(sanitize($_POST['email'], 3))) {
                $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_BadEmail");
                return $savemsg;
            } elseif (email_exists(trim(sanitize($_POST['email'], 3)))) { // if email already exists
                $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Register_Error_EmailExists");
                return $savemsg;
            } else {
                if (pligg_validate()) {
                    // Verification code: everything in this md5 input except pligg_hash()
                    // is public or guessable, so its strength rests on that value — confirm.
                    $encode = md5($_POST['email'] . $user->karma . $user->username . pligg_hash() . $main_smarty->get_config_vars('PLIGG_Visual_Name'));
                    // $domain / $validation are presumably consumed by the eval()'d template.
                    $domain = $main_smarty->get_config_vars('PLIGG_Visual_Name');
                    $validation = my_base_url . my_pligg_base . "/validation.php?code={$encode}&uid=" . urlencode($user->username) . "&email=" . urlencode($_POST['email']);
                    $str = $main_smarty->get_config_vars('PLIGG_PassEmail_verification_message');
                    // SECURITY: the language string is executed as PHP with no escaping
                    // at all (the other save_profile() in this file at least escapes
                    // double quotes). An editable language file means code execution;
                    // strtr() over the known placeholders avoids eval() entirely.
                    eval("\$str = \"{$str}\";");
                    $message = "{$str}";
                    // require, not require_once: a second pass would redeclare PHPMailer.
                    if (phpnum() >= 5) {
                        require "libs/class.phpmailer5.php";
                    } else {
                        require "libs/class.phpmailer4.php";
                    }
                    $mail = new PHPMailer();
                    $mail->From = $main_smarty->get_config_vars('PLIGG_PassEmail_From');
                    $mail->FromName = $main_smarty->get_config_vars('PLIGG_PassEmail_Name');
                    // Raw $_POST['email'] here, while the checks above used sanitize().
                    $mail->AddAddress($_POST['email']);
                    $mail->AddReplyTo($main_smarty->get_config_vars('PLIGG_PassEmail_From'));
                    $mail->IsHTML(false);
                    $mail->Subject = $main_smarty->get_config_vars('PLIGG_PassEmail_Subject_verification');
                    $mail->Body = $message;
                    $mail->CharSet = 'utf-8';
                    #print_r($mail);
                    // A failed send aborts the whole save with false (not a message).
                    if (!$mail->Send()) {
                        return false;
                    }
                    $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Register_Noemail") . ' ' . sprintf($main_smarty->get_config_vars("PLIGG_Visual_Register_ToDo"), $main_smarty->get_config_vars('PLIGG_PassEmail_From'));
                } else {
                    // Validation disabled: address taken over without confirmation.
                    $user->email = sanitize($_POST['email'], 3);
                }
            }
        }
        // --- free-text profile fields (sanitize level 3) -------------------
        $user->url = sanitize($_POST['url'], 3);
        $user->public_email = sanitize($_POST['public_email'], 3);
        $user->location = sanitize($_POST['location'], 3);
        $user->occupation = sanitize($_POST['occupation'], 3);
        $user->aim = sanitize($_POST['aim'], 3);
        $user->msn = sanitize($_POST['msn'], 3);
        $user->yahoo = sanitize($_POST['yahoo'], 3);
        $user->gtalk = sanitize($_POST['gtalk'], 3);
        $user->skype = sanitize($_POST['skype'], 3);
        $user->irc = sanitize($_POST['irc'], 3);
        $user->names = sanitize($_POST['names'], 3);
        if (user_language) {
            $user->language = sanitize($_POST['language'], 3);
        }
        // module system hook
        $vars = '';
        check_actions('profile_save', $vars);
        // --- avatar source -------------------------------------------------
        $avatar_source = sanitize($_POST['avatarsource'], 3);
        if ($avatar_source != "" && $avatar_source != "useruploaded") {
            // Username value redacted in this listing ('******').
            loghack('Updating profile, avatar source is not one of the list options.', 'username: '******'|email: ' . sanitize($_POST["email"], 3));
            // BUG: "==" is a comparison, not an assignment, so this line does nothing
            // and the rejected value is still stored on the next line, right after
            // being logged as a hack attempt. Intended: `$avatar_source = "";`.
            $avatar_source == "";
        }
        $user->avatar_source = $avatar_source;
        // --- password change -----------------------------------------------
        if (!empty($_POST['newpassword']) || !empty($_POST['newpassword2'])) {
            $oldpass = sanitize($_POST['oldpassword'], 3);
            // Login value redacted in this listing ('******'); whether it is escaped
            // before reaching the query is not visible here.
            $userX = $db->get_row("SELECT user_id, user_pass, user_login FROM " . table_users . " WHERE user_login = '******'");
            // Re-hash the supplied old password with the stored salt prefix.
            $saltedpass = generateHash($oldpass, substr($userX->user_pass, 0, SALT_LENGTH));
            // SECURITY: loose "==" on two hash strings — numeric-looking hashes
            // ("0e" + digits) compare equal, and the comparison is not constant-time.
            // Use hash_equals($userX->user_pass, $saltedpass).
            if ($userX->user_pass == $saltedpass) {
                if (sanitize($_POST['newpassword'], 3) !== sanitize($_POST['newpassword2'], 3)) {
                    $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_BadPass");
                    return $savemsg;
                } else {
                    $saltedpass = generateHash(sanitize($_POST['newpassword'], 3));
                    $user->pass = $saltedpass;
                    // Stores every field assigned above as well, then returns without
                    // the read()/Authenticate() sequence below.
                    $user->store();
                    $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_PassUpdated");
                    return $savemsg;
                }
            } else {
                $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_BadOldPass");
                return $savemsg;
            }
        }
        $user->store();
        $user->read();
        // Language changed: reload the page so the new language applies.
        if ($language != $user->language) {
            header("Location: " . getmyurl('profile'));
            exit;
        }
        $current_user->Authenticate($user->username, $user->pass);
        // $savemsg is only set so far by the verification-mail branch.
        if (!isset($savemsg)) {
            $savemsg = $main_smarty->get_config_vars("PLIGG_Visual_Profile_DataUpdated");
        }
        return $savemsg;
    } else {
        return 'There was a token error.';
    }
}
/**
 * Create a user account from the registration form values, log the new
 * user in and redirect.
 *
 * $username, $email, $password and $password2 are passed to User::Create()
 * exactly as received — no escaping or password-match check happens here,
 * so those must be done by the caller (not visible in this block).
 * $password2 is unused. Ends the request with die() after the redirect on
 * success; on Create() failure it simply returns null with no message.
 *
 * Globals: $current_user.
 */
function register_add_user($username, $email, $password, $password2, $user_language) {
    global $current_user;
    $user = new User();
    $user->user_language = $user_language;
    $user->username = $username;
    $user->pass = $password;
    $user->email = $email;
    if ($user->Create()) {
        $user->read('short');
        // The plaintext password is handed to every 'register_success_pre_redirect'
        // hook; a hook that logs or stores $registration_details leaks it.
        $registration_details = array('user_language' => $user_language, 'username' => $username, 'password' => $password, 'email' => $email, 'id' => $user->id);
        check_actions('register_success_pre_redirect', $registration_details);
        $current_user->Authenticate($username, $password, false);
        // A hook may set 'redirect'; it is sent to the browser unvalidated, so any
        // module that derives it from request data creates an open redirect.
        // The else-branch redirect target is redacted in this listing ('******').
        if ($registration_details['redirect']) {
            header('Location: ' . $registration_details['redirect']);
        } elseif (pligg_validate()) {
            header('Location: ' . my_base_url . my_pligg_base . '/register_complete.php?user='******'Location: ' . getmyurl('user', $username));
        }
        die;
    }
}
if ($login->time < min(60 * pow(2, $login->login_count - 3), 3600)) { $errorMsg = sprintf($main_smarty->get_config_vars('PLIGG_Login_Incorrect_Attempts'), $login->login_count, min(60 * pow(2, $login->login_count - 3), 3600) - $login->time); } } } elseif (!is_ip_approved($lastip)) { $db->query("INSERT INTO " . table_login_attempts . " SET login_username = '******', login_time=NOW(), login_ip='{$lastip}'"); $login_id = $db->insert_id; if (!$login_id) { $errorMsg = sprintf($main_smarty->get_config_vars('PLIGG_Visual_Login_Error'), 3); } } if (!$errorMsg) { if ($current_user->Authenticate($username, $password, $persistent) == false) { $db->query("UPDATE " . table_login_attempts . " SET login_username='******', login_count=login_count+1, login_time=NOW() WHERE login_id=" . $login_id); $user = $db->get_row("SELECT * FROM " . table_users . " WHERE user_login = '******' or user_email= '{$username}'"); if (pligg_validate() && $user->user_lastlogin == "0000-00-00 00:00:00") { $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Resend_Email') . "<form method='post'>\r\n\t\t\t\t\t\t\t<div class='input-append notvalidated'>\r\n\t\t\t\t\t\t\t\t<input type='text' class='form-control col-md-12' name='email'> \r\n\t\t\t\t\t\t\t\t<input type='submit' class='btn btn-default col-md-12' value='Send'>\r\n\t\t\t\t\t\t\t\t<input type='hidden' name='processlogin' value='5'/>\r\n\t\t\t\t\t\t\t</div>\r\n\t\t\t\t\t\t</form>"; } else { $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Error'); } } else { $sql = "DELETE FROM " . table_login_attempts . " WHERE login_ip='{$lastip}' "; $db->query($sql); if (strlen(sanitize($_POST['return'], 3)) > 1) { $return = sanitize($_POST['return'], 3); } else { $return = my_pligg_base . '/admin/admin_index.php'; } define('logindetails', $username . ";" . $password . ";" . $return); $vars = ''; check_actions('login_success_pre_redirect', $vars);