/**
* @param string $code
* @param string $user
* @param string $pass
*/
function change_password($code, $user, $pass)
{
$use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
$link = connect();
$sql = "SELECT recovery FROM users WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
$stmt->execute();
if ($ua = $stmt->fetch(PDO::FETCH_ASSOC)) {
if ($use_password_verify && !password_verify($code, $ua['recovery']) || !$use_password_verify && !(hash("sha256", $code) === $ua['recovery'])) {
$link = null;
die("Error: Invalid request code (2).");
}
} else {
$link = null;
die("Error: User not found (2).");
}
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$recovery = $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand());
if ($use_password_verify) {
$hashedPassword = password_hash($pass, SYNAPP_PASSWORD_DEFAULT);
} else {
$hashedPassword = hash("sha256", $pass . NORAINBOW_SALT);
}
$sql = "UPDATE users SET pass = :hashedPassword, recovery = :recovery WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':hashedPassword', $hashedPassword, PDO::PARAM_STR);
$stmt->bindValue(':recovery', $recovery, PDO::PARAM_STR);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() === false) {
die("Error: " . var_export($link->errorInfo(), true));
}
$link = null;
echo "<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>" . PR_TITLE_3 . " " . $user . "</title></head><body>\n <p>" . PR_DONE_1 . " " . $user . " " . PR_DONE_2 . "</p>\n <p><a href='../index.php'>" . PR_HOME . "</a></p>\n </body></html>";
}
/**
* @param string $user
* @param string $old
* @param string $pass
* @param PDO $link
* @return bool
*/
function change_pass($user, $old, $pass, $link)
{
$sql = "SELECT pass, last_login FROM users WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':user', $user);
$use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
if ($stmt->execute() !== false && ($ua = $stmt->fetch(PDO::FETCH_ASSOC))) {
if ($ua['last_login'] >= PRENORAINBOW_TIMESTAMP && (!$use_password_verify || $ua['last_login'] < PRENOPHASH_TIMESTAMP) && $ua['pass'] !== hash("sha256", $old . NORAINBOW_SALT) || $ua['last_login'] < PRENORAINBOW_TIMESTAMP && $ua['pass'] !== hash("sha256", hash("sha256", $old) . NORAINBOW_SALT) || $use_password_verify && $ua['last_login'] >= PRENOPHASH_TIMESTAMP && !password_verify($old, $ua['pass'])) {
return false;
}
} else {
$link = null;
die("Error: User not found.");
}
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$recovery = $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand());
if ($use_password_verify) {
$hashedPassword = password_hash($pass, SYNAPP_PASSWORD_DEFAULT);
} else {
$hashedPassword = hash("sha256", $pass . NORAINBOW_SALT);
}
$sql = "UPDATE users SET pass = :hashedpass, recovery = :recovery WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':hashedpass', $hashedPassword, PDO::PARAM_STR);
$stmt->bindValue(':recovery', $recovery, PDO::PARAM_STR);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() === false) {
die("Error: " . var_export($link->errorInfo(), true));
}
return true;
}
/**
* @param string $input
*/
function password_restore_email($input)
{
$use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
$link = connect();
if (parse_email($input, 0) == 0) {
$sql = "SELECT * FROM users WHERE email = :input AND confirmed_email = 1";
$isemail = true;
} else {
$sql = "SELECT * FROM users WHERE user = :input";
$isemail = false;
}
$stmt = $link->prepare($sql);
$stmt->bindValue(':input', $input, PDO::PARAM_STR);
$stmt->execute();
$link = null;
$ua = $stmt->fetch(PDO::FETCH_ASSOC);
$emailnotfound = true;
$usernotfound = true;
if (isset($ua['email']) && $ua['email'] !== '') {
$usernotfound = false;
if ($ua['email'] != '' && parse_email($ua['email']) == 0 && $ua['confirmed_email'] == 1) {
$emailnotfound = false;
}
}
if (!$emailnotfound) {
$user = $ua['user'];
$link = connect();
$sql = "UPDATE users SET recovery = :recovery WHERE user = :user";
$stmt = $link->prepare($sql);
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$code = $prng->rand();
$stmt->bindValue(':recovery', $use_password_verify ? password_hash($code, SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $code), PDO::PARAM_STR);
$stmt->bindValue(':user', $user);
$stmt->execute();
$email = $ua['email'];
$to = $email;
$subject = passresout('subject', $user);
$mime_boundary = hash("sha256", time());
$msg = passresout('email', $user, $email, $code, $mime_boundary);
$headers = passresout('headers', $mime_boundary);
mail($to, $subject, $msg, $headers);
if ($isemail) {
echo passresout('prmailsenttoaddress', $input);
} else {
echo passresout('prmailsenttouser', $input);
}
} else {
if ($isemail) {
echo passresout('emailnotfound', $input);
} else {
if ($usernotfound) {
echo passresout('usernotfound', $input);
} else {
echo passresout('novalidemailassociated', $input);
}
}
}
}
/**
* @param string $email
* @param \PDO $link
*/
function send_confirmation_email($email, $link)
{
$use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
$user = $_SESSION['user_array']['user'];
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$code = $prng->rand();
//validation code
$sql = "UPDATE users SET email_confirmation_code = :confirmationcode, confirmed_email = b'0' WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':confirmationcode', $use_password_verify ? password_hash($code, SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $code), PDO::PARAM_STR);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
$stmt->execute();
$subject = PR_MAIL_SUBJECT_1 . $user . PR_MAIL_SUBJECT_2;
$mime_boundary = hash("sha256", time());
$msg = PR_MAIL_TO . " " . $email;
$msg .= " " . PR_MAIL_USR_1 . " " . $user;
$msg .= PR_MAIL_USR_2 . PHP_EOL . PHP_EOL;
$msg .= PR_MAIL_NR . PHP_EOL . PHP_EOL;
$msg .= PR_MAIL_IGNORE . PHP_EOL . PHP_EOL;
$msg .= PR_MAIL_DO . PHP_EOL . PHP_EOL;
$msg .= SYNAPP_BASE_URL_HTTP . "/account/confirm_email.php?user="******"&code=" . $code . " " . PR_MAIL_DO_HTTP . PHP_EOL . PHP_EOL;
$msg .= SYNAPP_BASE_URL_HTTPS . "/account/confirm_email.php?user="******"&code=" . $code . " " . PR_MAIL_DO_HTTPS;
$msg .= PHP_EOL . PHP_EOL;
$msg .= "--" . $mime_boundary . "--" . PHP_EOL . PHP_EOL;
// finish with two eol's for better security. see Injection.
# Common Headers
$time = time();
$now = (int) (date('Y', $time) . date('m', $time) . date('j', $time));
$headers = 'From: SYNAPP mailer <' . SYNAPP_NO_REPLY . '@' . SYNAPP_MAIL_DOMAIN . '>' . PHP_EOL;
$headers .= 'Reply-To: noreply <' . SYNAPP_NO_REPLY . '@' . SYNAPP_MAIL_DOMAIN . '>' . PHP_EOL;
$headers .= 'Return-Path: noreply <' . SYNAPP_NO_REPLY . '@' . SYNAPP_MAIL_DOMAIN . '>' . PHP_EOL;
// these two to set reply address
$headers .= "Message-ID:<" . $now . " admin@" . $_SERVER['SERVER_NAME'] . ">" . PHP_EOL;
$headers .= "X-Mailer: PHP v" . phpversion() . PHP_EOL;
// These two to help avoid spam-filters
# Boundry for marking the split & Multitype Headers
$headers .= 'MIME-Version: 1.0' . PHP_EOL;
$headers .= "Content-Type: text/plain; charset=\"utf-8\"" . PHP_EOL . PHP_EOL;
mail($email, $subject, $msg, $headers);
$sql = "UPDATE users SET confirmed_email = 0 WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':user', $user);
$stmt->execute();
$_SESSION['user_array']['confirmed_email'] = chr(0);
}
/**
* @param string $user
* @param string $pass
* @param PDO $link
* @param bool $confirm
* @return bool
*/
function process_login($user, $pass, $link, $confirm = false)
{
$_SESSION['auth'] = false;
$_SESSION['user'] = $user;
if ($_SESSION['user_count'] > 6 && !captcha_verify_word()) {
$_SESSION['login_err'] = 3;
return false;
}
$sql = "SELECT * FROM users WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() !== false && ($user_array = $stmt->fetch(PDO::FETCH_ASSOC))) {
$_SESSION['pass_count'] = $user_array['missed_logins'];
if ($user_array['active'] == 0) {
$_SESSION['login_err'] = 403;
}
if (($user_array['missed_logins'] > 9 || $confirm) && !captcha_verify_word()) {
$_SESSION['login_err'] = 3;
return false;
}
$hashOK = false;
$use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') ? is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) ? strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) : SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION : false;
if ($use_password_verify === true || $use_password_verify === 'on' || $use_password_verify === 'true') {
$use_password_verify = true;
if (password_verify($pass, $user_array['pass'])) {
$hashOK = true;
}
} else {
if ($user_array['pass'] === hash("sha256", $pass . NORAINBOW_SALT)) {
$hashOK = true;
}
}
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
if ($hashOK) {
$_SESSION['user_array'] = $user_array;
$_SESSION['auth'] = true;
$_SESSION['justlogged'] = true;
$_SESSION['if_lang'] = $_SESSION['user_array']['interface_language'];
$_SESSION['user_count'] = 1;
$_SESSION['pass_count'] = 0;
$user_array['missed_logins'] = 0;
$time = time();
if (!$confirm) {
$sql = "UPDATE users SET recovery = :recovery WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() === false) {
error_log(var_export($link->errorInfo(), true));
die("Error performing database operation.");
}
}
if (($ip = ip2long($_SERVER['REMOTE_ADDR'])) === false) {
$ip = 0;
}
$sql = "UPDATE users SET missed_logins='0', last_login = :time, ip = :ip WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':time', $time, PDO::PARAM_INT);
$stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() === false) {
error_log(var_export($link->errorInfo(), true));
die("Error performing database operation.");
}
return true;
} else {
if ($user_array['last_login'] < PRENORAINBOW_TIMESTAMP && $user_array['pass'] === hash("sha256", hash("sha256", $pass) . NORAINBOW_SALT) || $use_password_verify && $user_array['last_login'] < PRENOPHASH_TIMESTAMP && $user_array['pass'] === hash("sha256", $pass . NORAINBOW_SALT)) {
$_SESSION['user_array'] = $user_array;
$_SESSION['auth'] = true;
$_SESSION['justlogged'] = true;
$_SESSION['if_lang'] = $_SESSION['user_array']['interface_language'];
$_SESSION['user_count'] = 1;
$_SESSION['pass_count'] = 0;
$user_array['missed_logins'] = 0;
$time = time();
if (!$confirm) {
$sql = "UPDATE users SET recovery = :recovery WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() === false) {
error_log(var_export($link->errorInfo(), true));
die("Error performing database operation.");
}
}
if (($ip = ip2long($_SERVER['REMOTE_ADDR'])) === false) {
$ip = 0;
}
$passParamValue = $use_password_verify ? password_hash($pass, SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $pass . NORAINBOW_SALT);
$sql = "UPDATE users SET missed_logins='0', last_login=:time, ip=:ip, pass = :pass WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':time', $time, PDO::PARAM_INT);
$stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
$stmt->bindValue(':pass', $passParamValue, PDO::PARAM_STR);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() === false) {
error_log(var_export($link->errorInfo(), true));
die("Error performing database operation.");
}
return true;
} else {
$_SESSION['login_err'] = 1;
$user_array['missed_logins']++;
$_SESSION['pass_count'] = $user_array['missed_logins'];
$sql = "UPDATE users SET missed_logins = :missed_logins WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':missed_logins', $user_array['missed_logins'], PDO::PARAM_INT);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
if ($stmt->execute() === false) {
error_log(var_export($link->errorInfo(), true));
die("Error performing database operation.");
}
return false;
}
}
} else {
$_SESSION['login_err'] = 2;
$_SESSION['user_count']++;
return false;
}
}
$body = PR_ERR_MAIL_ALREADY_ASSOC;
/* If the user matches the error would be the $code mismatch */
$break = true;
} else {
$insert = false;
}
}
if (!$break) {
if ($insert) {
$sql = "INSERT INTO confirmed_emails VALUES ( :user , :email )";
$stmt = $link->prepare($sql);
$stmt->bindValue(':user', $_POST['user'], PDO::PARAM_STR);
$stmt->bindValue(':email', $row['email'], PDO::PARAM_STR);
$stmt->execute();
}
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$newccode = $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand());
$sql = "UPDATE users SET email_confirmation_code = :newccode , confirmed_email = b'1' WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':newccode', $newccode, PDO::PARAM_STR);
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
$stmt->execute();
if (isset($_SESSION['user_array'])) {
if ($_SESSION['user_array']['user'] === $user) {
$_SESSION['user_array']['confirmed_email'] = chr(1);
$_SESSION['user_array']['email_confirmation_code'] = $newccode;
}
}
$body = "<p>" . PR_CONFIRM_SUCCESS_1 . "</p>";
$body .= "<p><a href='../index.php'>" . PR_CONFIRM_SUCCESS_2 . "</a></p>";
}
/**
* @param PDO $link
* @param array $rd
* @param bool $nocaptcha
* @return array
*/
function process_registration_form($link, $rd, $nocaptcha = false)
{
$use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
$ea = array('err' => false, 'usr' => "", 'pass' => "", 'il' => "", 'capt' => "");
$i = parse($rd['user'], USER_MINLENGTH, USER_MAXLENGTH);
switch ($i) {
case 0:
$ea['usr'] = "";
break;
case 1:
$ea['usr'] = REG_ERR_USR_1;
break;
case 2:
$ea['usr'] = REG_ERR_USR_2;
break;
case 3:
$ea['usr'] = REG_ERR_USR_3;
break;
case 4:
$ea['usr'] = REG_ERR_USR_4;
break;
}
if ($i !== 0) {
$ea['err'] = true;
} elseif ($rd['user'] == $rd['pass']) {
$ea['pass'] = REG_ERR_PASS_1;
$ea['err'] = true;
}
$i = parse($rd['pass'], PASS_MINLENGTH, PASS_MAXLENGTH, 1);
switch ($i) {
case 2:
$ea['pass'] = REG_ERR_PASS_2;
break;
case 3:
$ea['pass'] = REG_ERR_PASS_3;
break;
case 4:
$ea['pass'] = REG_ERR_PASS_4;
break;
case 5:
$ea['pass'] = REG_ERR_PASS_5;
break;
}
if ($i !== 0) {
$ea['err'] = true;
} elseif (!($rd['pass'] === $rd['pass2'])) {
$ea['pass'] = REG_ERR_PASS_6;
$ea['err'] = true;
}
$found = false;
foreach ($_SESSION['interface_languages'] as $lang) {
if ($lang['val'] == $rd['ilang']) {
$found = true;
break;
}
}
if ($rd['ilang'] == "" || !$found) {
$ea['il'] = REG_ERR_ILANG;
$ea['err'] = true;
}
if ($ea['err'] == false) {
if (!$nocaptcha && !captcha_verify_word()) {
$ea['capt'] = REG_ERR_CAPT;
$ea['err'] = true;
} elseif (user_exist($link, $rd['user'])) {
$ea['usr'] = REG_ERR_USR_5;
$ea['err'] = true;
}
}
if (!$ea['err']) {
if (($stmt = $link->query("SELECT name FROM groups ORDER BY RAND() LIMIT 1")) === false || ($row = $stmt->fetch(PDO::FETCH_ASSOC)) === false) {
error_log("Database operation error retrieving user registration group.");
die("Database operation error.");
}
$group = $row['name'];
/* adding new user to users table */
$use_password_hash = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
$hashedPassword = $use_password_hash ? password_hash($rd['pass'], SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $rd['pass'] . NORAINBOW_SALT);
$sql = "INSERT INTO users (\n user\n , pass \n , recovery\n , firstdate\n , hfirstdate\n , missed_logins\n , last_login\n , hlast_login\n , ip\n , last_update\n , interface_language\n , hinterface_language\n , working_group\n , hworking_group\n , input_language\n , hinput_language\n , hprofile\n , gender\n , hgender\n , birthday\n , hbirthday\n , studies\n , hstudies\n , studies_type\n , hstudies_type\n , studies_level\n , hstudies_level\n , occupation\n , hoccupation\n , email\n , hemail\n , email_confirmation_code\n , confirmed_email\n , avatar\n , nocaptcha\n , hstats\n , ditloid_lock_timestamp\n , ditloid_time_left_when_locked\n , gotestbefore \n , gotestafter\n , timer_ctestb_start\n , timer_ctestb_end\n , timer_utestb_start\n , timer_utestb_end\n , timer_utesta_start\n , timer_utesta_end\n , timer_ctesta_start\n , timer_ctesta_end\n , fbid\n , active\n ) VALUES (\n :user\n , :hashedpass \n , :recovery\n , :firstdate\n , b'0' -- hfirstdate\n , 0 -- missed_logins\n , :lastlogin -- last_login\n , b'0' -- hlast_login\n , 0 -- ip\n , 0 -- last_update\n , :ilang -- interface_language\n , b'0' -- hinterface_language\n , :group -- working_group\n , b'0' -- hworking_group\n , :iolang -- input_language\n , b'0' -- hinput_language\n , b'0' -- hprofile\n , '' -- gender\n , b'0' -- hgender\n , NULL -- birthday\n , b'0' -- hbirthday\n , '' -- studies\n , b'0' -- hstudies\n , '' -- studies_type\n , b'0' -- hstudies_type\n , NULL -- studies_level\n , b'0' -- hstudies_level\n , '' -- occupation\n , b'0' -- hoccupation\n , '' -- email\n , b'0' -- hemail\n , :emailconfirmationcode\n , 1 -- confirmed_email\n , '' -- avatar\n , b'0' -- nocaptcha\n , b'0' -- hstats\n , 0 -- ditloid_lock_timestamp\n , 0 -- ditloid_time_left_when_locked\n , 1 -- gotestbefore \n , 0 -- gotestafter\n , 0 -- timer_ctestb_start\n , 0 -- timer_ctestb_end\n , 0 -- timer_utestb_start\n , 0 -- timer_utestb_end\n , 0 -- timer_utesta_start\n , 0 -- timer_utesta_end\n , 0 -- timer_ctesta_start\n , 0 -- timer_ctesta_end\n , :fbid -- fbid\n , 1 -- active\n )";
$stmt = $link->prepare($sql);
$stmt->bindValue(':user', $rd['user'], PDO::PARAM_STR);
$stmt->bindValue(':hashedpass', $hashedPassword, PDO::PARAM_STR);
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
$stmt->bindValue(':firstdate', time(), PDO::PARAM_INT);
$stmt->bindValue(':lastlogin', time(), PDO::PARAM_INT);
$stmt->bindValue(':ilang', $_SESSION['if_lang'], PDO::PARAM_STR);
$stmt->bindValue(':group', $group, PDO::PARAM_STR);
$stmt->bindValue(':iolang', $rd['ilang'], PDO::PARAM_STR);
$stmt->bindValue(':fbid', isset($rd['fbid']) ? $rd['fbid'] : null, isset($rd['fbid']) ? PDO::PARAM_STR : PDO::PARAM_NULL);
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$stmt->bindValue(':emailconfirmationcode', $use_password_hash ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
if ($stmt->execute() === false) {
die('Error: ' . var_export($link->errorInfo(), true) . PHP_EOL . $sql);
}
}
return $ea;
}
/**
* @param PDO $link
* @return bool|string
*/
function process_facebook_login($link)
{
require_once dirname(__FILE__) . '/' . SYNAPP_CONFIG_DIRNAME . '/facebook_credentials.php';
$fbLoginRedirectUrl = SYNAPP_FB_LOGIN_REDIRECT_URL . (isset($_GET['location']) ? '?location=' . $_GET['location'] : '');
$fbAppId = SYNAPP_FB_APP_ID;
$fbAppSecret = SYNAPP_FB_APP_SECRET;
$use_password_verify = defined('SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION') && (SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION === true || is_string(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION) && (trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'on' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === 'true' || trim(strtolower(SYNAPP_USE_PASSWORD_HASH_AUTHENTICATION)) === '1')) ? true : false;
try {
if (isset($_SESSION['fb_token'])) {
$session = new FacebookSession($_SESSION['fb_token']);
} else {
FacebookSession::setDefaultApplication($fbAppId, $fbAppSecret);
$helper = new FacebookRedirectLoginHelper($fbLoginRedirectUrl);
try {
$session = $helper->getSessionFromRedirect();
if (isset($session)) {
$_SESSION['fb_token'] = $session->getToken();
} else {
return $helper->getLoginUrl(array('scope' => 'email'));
}
} catch (FacebookSDKException $ex) {
// When Facebook returns an error
return $helper->getLoginUrl(array('scope' => 'email'));
} catch (Exception $ex) {
// When validation fails or other local issues
return $helper->getLoginUrl(array('scope' => 'email'));
}
}
if (isset($session)) {
// Logged in
$graphObject = (new FacebookRequest($session, 'GET', '/me?fields=id,email,first_name,last_name'))->execute()->getGraphObject(GraphUser::className());
$sql = "SELECT * FROM `users` WHERE fbid = :fbid OR email = :email AND confirmed_email = b'1'";
$stmt = $link->prepare($sql);
$stmt->bindValue(':fbid', $graphObject->getProperty('id'), PDO::PARAM_STR);
$stmt->bindValue(':email', $graphObject->getProperty('email'), PDO::PARAM_STR);
if ($stmt->execute() !== false && $stmt->rowCount() > 0) {
$user_array = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user_array['active'] == 0) {
$_SESSION['login_err'] = 403;
return false;
}
$_SESSION['user_array'] = $user_array;
$_SESSION['auth'] = true;
$_SESSION['justlogged'] = true;
$_SESSION['if_lang'] = $_SESSION['user_array']['interface_language'];
$_SESSION['user_count'] = 1;
$_SESSION['pass_count'] = 0;
$_SESSION['user_array']['missed_logins'] = 0;
$time = time();
if (($ip = ip2long($_SERVER['REMOTE_ADDR'])) === false) {
$ip = 0;
}
$sql = "UPDATE users SET recovery = :recovery, missed_logins='0', last_login = :time, ip = :ip WHERE user = :user";
$stmt = $link->prepare($sql);
$prng = new synapp\info\tools\passwordgenerator\cryptosecureprng\CryptoSecurePRNG();
$stmt->bindValue(':recovery', $use_password_verify ? password_hash($prng->rand(), SYNAPP_PASSWORD_DEFAULT) : hash("sha256", $prng->rand()), PDO::PARAM_STR);
$stmt->bindValue(':time', $time, PDO::PARAM_INT);
$stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
$stmt->bindValue(':user', $_SESSION['user_array']['user'], PDO::PARAM_STR);
if ($stmt->execute() === false) {
error_log(var_export($link->errorInfo(), true));
die("Error performing database operation.");
}
return true;
}
$rd['user'] = substr(preg_replace("/[^a-zA-Z0-9]+/", "", $graphObject->getProperty('first_name') . $graphObject->getProperty('last_name')), 0, USER_MAXLENGTH);
$i = 0;
while (user_exist($link, $rd['user'])) {
$rd['user'] = substr(preg_replace("/[^a-zA-Z0-9]+/", "", $i . $graphObject->getProperty('first_name') . $graphObject->getProperty('last_name')), 0, USER_MAXLENGTH);
$i++;
}
$rd['pass'] = substr(hash("sha256", $_SESSION['fb_token']), 0, PASS_MAXLENGTH);
$rd['pass2'] = $rd['pass'];
$rd['ilang'] = $_SESSION['if_lang'];
$rd['fbid'] = $graphObject->getProperty('id');
$ea = process_registration_form($link, $rd, true);
if ($ea['err'] !== true) {
$sql = "UPDATE `users` SET fbid = :fbid, email = :email, confirmed_email = b'1' WHERE user = :user";
$stmt = $link->prepare($sql);
$stmt->bindValue(':fbid', $graphObject->getProperty('id'), PDO::PARAM_STR);
$stmt->bindValue(':email', $graphObject->getProperty('email'), PDO::PARAM_STR);
$stmt->bindValue(':user', $rd['user'], PDO::PARAM_STR);
return $stmt->execute() !== false;
}
return $ea['err'] !== true;
} else {
header('Location: account/logout.php');
die;
}
} catch (FacebookSDKException $ex) {
// When Facebook returns an error
error_log("FacebookRequestException: " . $ex->getMessage());
header('Location: account/logout.php');
die;
} catch (Exception $ex) {
// When validation fails or other local issues
error_log("Exception on facebook login: " . $ex->getMessage());
header('Location: account/logout.php');
die;
}
}
