function doedit_user() { global $lang_global, $realm_db, $mmfpm_db, $user_lvl, $user_name, $action_permission; valid_login($action_permission['update']); if ((!isset($_POST['pass']) || $_POST['pass'] === '') && (!isset($_POST['mail']) || $_POST['mail'] === '') && (!isset($_POST['expansion']) || $_POST['expansion'] === '') && (!isset($_POST['referredby']) || $_POST['referredby'] === '')) { redirect("user.php?action=edit_user&&id={$_POST['id']}&error=1"); } $sqlr = new SQL(); $sqlr->connect($realm_db['addr'], $realm_db['user'], $realm_db['pass'], $realm_db['name']); $id = $sqlr->quote_smart($_POST['id']); $username = $sqlr->quote_smart($_POST['username']); $banreason = $sqlr->quote_smart($_POST['banreason']); $pass = $sqlr->quote_smart($_POST['pass']); $user_pass_change = $pass != sha1(strtoupper($username) . ":******") ? "username='******',sha_pass_hash='{$pass}'," : ""; $mail = isset($_POST['mail']) && $_POST['mail'] != '' ? $sqlr->quote_smart($_POST['mail']) : ""; $failed = isset($_POST['failed']) ? $sqlr->quote_smart($_POST['failed']) : 0; $gmlevel = isset($_POST['gmlevel']) ? $sqlr->quote_smart($_POST['gmlevel']) : 0; $expansion = isset($_POST['expansion']) ? $sqlr->quote_smart($_POST['expansion']) : 1; $banned = isset($_POST['banned']) ? $sqlr->quote_smart($_POST['banned']) : 0; $locked = isset($_POST['locked']) ? $sqlr->quote_smart($_POST['locked']) : 0; $referredby = $sqlr->quote_smart(trim($_POST['referredby'])); //make sure username/pass at least 4 chars long and less than max if (strlen($username) < 4 || strlen($username) > 15) { redirect("user.php?action=edit_user&id={$id}&error=8"); } if ($gmlevel >= $user_lvl) { redirect("user.php?action=edit_user&&id={$_POST['id']}&error=16"); } require_once "libs/valid_lib.php"; if (!valid_alphabetic($username)) { redirect("user.php?action=edit_user&error=9&id={$id}"); } //restricting accsess to lower gmlvl $result = $sqlr->query("SELECT gmlevel,username FROM account WHERE id = '{$id}'"); if ($user_lvl <= $sqlr->result($result, 0, 'gmlevel') && $user_name != $sqlr->result($result, 0, 'username')) { redirect("user.php?error=14"); } if (!$banned) { $sqlr->query("DELETE FROM account_banned WHERE id='{$id}'"); } else { $result = $sqlr->query("SELECT count(*) FROM account_banned WHERE id = '{$id}'"); if (!$sqlr->result($result, 0)) { $sqlr->query("INSERT INTO account_banned (id, bandate, unbandate, bannedby, banreason, active)\r\n VALUES ({$id}, " . time() . "," . (time() + 365 * 24 * 3600) . ",'{$user_name}','{$banreason}', 1)"); } } $sqlr->query("UPDATE account SET email='{$mail}', {$user_pass_change} v=0,s=0,failed_logins='{$failed}',locked='{$locked}',expansion='{$expansion}' WHERE id='{$id}'"); $sqlr->query("UPDATE account SET gmlevel='{$gmlevel}' WHERE id='{$id}'"); if (doupdate_referral($referredby, $id) || $sqlr->affected_rows()) { redirect("user.php?action=edit_user&error=13&id={$id}"); } else { redirect("user.php?action=edit_user&error=12&id={$id}"); } }
function doedit_user() { global $output, $user_name, $dbc_db, $logon_db, $corem_db, $send_mail_on_email_change, $lang, $defaultoption, $achievement_point_points, $achievement_point_credits, $credits_fractional, $url_path, $format_mail_html, $GMailSender, $smtp_cfg, $title, $sql, $core; if ((empty($_POST["pass"]) || $_POST["pass"] == "") && (empty($_POST["mail"]) || $_POST["mail"] == "") && (empty($_POST["expansion"]) || $_POST["expansion"] == "") && (empty($_POST["referredby"]) || $_POST["referredby"] == "")) { redirect("edit.php?error=1"); } // ArcEmu: find out if we're using an encrypted password for this account if ($core == 1) { $pass_query = "SELECT * FROM accounts WHERE login='******' AND encrypted_password<>''"; $pass_result = $sql["logon"]->query($pass_query); $arc_encrypted = $sql["logon"]->num_rows($pass_result); } // password if ($_POST["user_pass"] != "******") { if ($core == 1) { if ($arc_encrypted) { $new_pass = "******" . $sql["logon"]->quote_smart($_POST["pass"]) . "', "; } else { $new_pass = "******" . $sql["logon"]->quote_smart($_POST["pass"]) . "', "; } } else { $new_pass = "******" . $sql["logon"]->quote_smart($_POST["pass"]) . "', "; } } // other $screenname = $sql["logon"]->quote_smart(trim($_POST["screenname"])); $new_mail = $sql["logon"]->quote_smart(trim($_POST["mail"])); $new_expansion = isset($_POST["expansion"]) ? $sql["logon"]->quote_smart(trim($_POST["expansion"])) : $defaultoption; $referredby = $sql["logon"]->quote_smart(trim($_POST["referredby"])); $points_to_spend = is_numeric($_POST["points_to_spend"]) && $_POST["points_to_spend"] >= 0 ? $_POST["points_to_spend"] : 0; // if we received a Screen Name, make sure it does not conflict with other Screen Names or with // the game server's login names. if ($screenname) { $query = "SELECT * FROM config_accounts WHERE ScreenName='" . $screenname . "'"; $sn_result = $sql["mgr"]->query($query); $sn = $sql["mgr"]->fetch_assoc($sn_result); if ($sn["Login"] != $user_name) { if ($sql["mgr"]->num_rows($sn_result) != 0) { redirect("edit.php?error=6"); } if ($core == 1) { $query = "SELECT * FROM accounts WHERE login='******'"; } else { $query = "SELECT * FROM account WHERE username='******'"; } $sn_result = $sql["logon"]->query($query); if ($sql["logon"]->num_rows($sn_result) != 0) { redirect("edit.php?error=6"); } } } // set screen name if ($screenname) { $sn_check_query = "SELECT * FROM config_accounts WHERE Login='******'"; $sn_check_result = $sql["mgr"]->query($sn_check_query); // don't add a new entry if we already have one if ($sql["mgr"]->num_rows($sn_check_result) == 0) { $sn_result = $sql["mgr"]->query("INSERT INTO config_accounts (Login, ScreenName) VALUES ('" . $user_name . "', '" . $screenname . "')"); } else { $sn_result = $sql["mgr"]->query("UPDATE config_accounts SET ScreenName='" . $screenname . "' WHERE Login='******'"); } } //make sure the mail is valid mail format require_once "libs/valid_lib.php"; if (!(valid_email($new_mail) && strlen($new_mail) < 225)) { redirect("edit.php?error=2"); } // find out if our email changed if ($core == 1) { $email_query = "SELECT email FROM accounts WHERE login='******'"; } else { $email_query = "SELECT email FROM account WHERE username='******'"; } $email_result = $sql["logon"]->query($email_query); $email = $sql["logon"]->fetch_assoc($email_result); // if it did change, then save it // if we didn't have an email address already, we just accept the new one if ($email["email"] != "" && $email["email"] != $new_mail) { // if we have to send a confirm message, do so // if not, we're clear to just save it as usual if ($send_mail_on_email_change) { // generate a private key based on the new email $new_mail_sha = sha1($new_mail); // prepare our confirmation message if ($format_mail_html) { $file_name = "lang/mail_templates/" . $lang . "/change_email.tpl"; } else { $file_name = "lang/mail_templates/" . $lang . "/change_email_nohtml.tpl"; } $fh = fopen($file_name, "r"); $subject = fgets($fh, 4096); $body = fread($fh, filesize($file_name)); fclose($fh); $mail = $email["email"]; $subject = str_replace("<title>", $title, $subject); if ($format_mail_html) { $body = str_replace("\n", "<br />", $body); $body = str_replace("\r", " ", $body); } $body = str_replace("<username>", $user_name, $body); $body = str_replace("<email>", $new_mail, $body); $body = str_replace("<key>", $new_mail_sha, $body); $body = str_replace("<title>", $title, $body); $server_addr = $_SERVER["SERVER_PORT"] != 80 ? $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] : $_SERVER["SERVER_NAME"]; // if we aren't installed in / then append the path to $server_addr $server_addr .= $url_path != "" ? $url_path : ""; $body = str_replace("<base_url>", $server_addr, $body); if ($GMailSender) { require_once "libs/mailer/authgMail_lib.php"; $fromName = $title . " Admin"; authgMail($from_mail, $fromName, $mail, $mail, $subject, $body, $smtp_cfg); } else { require_once "libs/mailer/class.phpmailer.php"; $mailer = new PHPMailer(); $mailer->Mailer = $mailer_type; if ($mailer_type == "smtp") { $mailer->Host = $smtp_cfg["host"]; $mailer->Port = $smtp_cfg["port"]; if ($smtp_cfg["user"] != "") { $mailer->SMTPAuth = true; $mailer->Username = $smtp_cfg["user"]; $mailer->Password = $smtp_cfg["pass"]; } } $mailer->WordWrap = 50; $mailer->From = $from_mail; $mailer->FromName = $title . " Admin"; $mailer->Subject = $subject; $mailer->IsHTML($format_mail_html); $mailer->Body = $body; $mailer->AddAddress($mail); $mailer->Send(); $mailer->ClearAddresses(); } // save new email $temp_email_query = "UPDATE config_accounts SET TempEmail='" . $new_mail . "' WHERE Login='******'"; $temp_email_result = $sql["mgr"]->query($temp_email_query); // save OLD email back for now $new_mail = $email["email"]; } } // Achievement Points to Credits // just to be sure we have no cheating if ($achievement_point_credits) { if ($credits_fractional) { $new_credits = $achievement_point_credits / $achievement_point_points * $points_to_spend; } else { $new_credits = float($achievement_point_credits / $achievement_point_points * $points_to_spend); } $points_query = "UPDATE config_accounts SET Credits=Credits+'" . $new_credits . "', AchievePointsSpent=AchievePointsSpent+'" . $points_to_spend . "' WHERE Login='******'"; $points_result = $sql["mgr"]->query($points_query); } // Overriding Remember Me is done via a cookie // usage is backward from the name // 1 = show check box // 0 = hide if (!isset($_POST["override"])) { $override = 0; } else { $override = 1; } if ($override != $_COOKIE["corem_override_remember_me"] || !isset($_COOKIE["corem_override_remember_me"])) { if ($override) { setcookie("corem_override_remember_me", "1", time() + 60 * 60 * 24 * 30); } else { setcookie("corem_override_remember_me", "0", time() + 60 * 60 * 24 * 30); } $other_changes = 1; } // change other settings if ($core == 1) { $query = "UPDATE accounts SET email='" . $new_mail . "', " . $new_pass . " flags='" . $new_expansion . "' WHERE login='******'"; } else { $query = "UPDATE account SET email='" . $new_mail . "', " . $new_pass . " expansion='" . $new_expansion . "', v=0, s=0 WHERE username='******'"; } $acct_result = $sql["logon"]->query($query); if (doupdate_referral($referredby) || $acct_result || $sn_result || $other_changes) { redirect("edit.php?error=3"); } else { redirect("edit.php?error=4"); } }
function doedit_user(&$sqlr, &$sqlc) { global $output, $user_name; if ((empty($_POST['pass']) || $_POST['pass'] === '') && (empty($_POST['mail']) || $_POST['mail'] === '') && (empty($_POST['expansion']) || $_POST['expansion'] === '') && (empty($_POST['referredby']) || $_POST['referredby'] === '')) { redirect('edit.php?error=1'); } $new_pass = $sqlr->quote_smart($_POST['pass']) == sha1(strtoupper($user_name) . ':******') ? '' : 'sha_pass_hash=\'' . $sqlr->quote_smart($_POST['pass']) . '\', '; $new_mail = $sqlr->quote_smart(trim($_POST['mail'])); $new_expansion = $sqlr->quote_smart(trim($_POST['expansion'])); $referredby = $sqlr->quote_smart(trim($_POST['referredby'])); //make sure the mail is valid mail format if (valid_email($new_mail) && strlen($new_mail) < 225) { } else { redirect('edit.php?error=2'); } $sqlr->query('UPDATE account SET email = \'' . $new_mail . '\', ' . $new_pass . ' v=0, s=0, expansion = \'' . $new_expansion . '\' WHERE username = \'' . $user_name . '\''); if (doupdate_referral($referredby, $sqlr, $sqlc) || $sqlr->affected_rows()) { redirect('edit.php?error=3'); } else { redirect('edit.php?error=4'); } }
function doedit_user() { global $logon_db, $corem_db, $corem_db, $user_id, $user_lvl, $defaultoption, $user_name, $action_permission, $sql, $core; valid_login($action_permission["update"]); if ((!isset($_POST["pass"]) || $_POST["pass"] === '') && (!isset($_POST["mail"]) || $_POST["mail"] === '') && (!isset($_POST["expansion"]) || $_POST["expansion"] === '') && (!isset($_POST["referredby"]) || $_POST["referredby"] === '')) { redirect("user.php?action=edit_user&acct={$_POST["acct"]}&error=1"); } $acct = $sql["logon"]->quote_smart($_POST["acct"]); $login = $sql["logon"]->quote_smart($_POST["login"]); $screenname = $sql["mgr"]->quote_smart($_POST["screenname"]); $banreason = $sql["logon"]->quote_smart($_POST["banreason"]); $password = $sql["logon"]->quote_smart($_POST["pass"]); //$user_password_change = ($password != sha1(strtoupper($login).":******")) ? "login='******',password='******'," : ""; $mail = isset($_POST["mail"]) && $_POST["mail"] != '' ? $sql["logon"]->quote_smart($_POST["mail"]) : ""; $failed = isset($_POST["failed"]) ? $sql["logon"]->quote_smart($_POST["failed"]) : 0; $gmlevel = isset($_POST["gm"]) ? $sql["logon"]->quote_smart($_POST["gm"]) : 0; $seclevel = isset($_POST["seclvl"]) ? $sql["logon"]->quote_smart($_POST["seclvl"]) : 0; $webadmin = isset($_POST["webadmin"]) ? $sql["logon"]->quote_smart($_POST["webadmin"]) : 0; $expansion = isset($_POST["expansion"]) ? $sql["logon"]->quote_smart($_POST["expansion"]) : $defaultoption; $banned = isset($_POST["banned"]) ? $sql["logon"]->quote_smart($_POST["banned"]) : 0; $locked = isset($_POST["locked"]) ? $sql["logon"]->quote_smart($_POST["locked"]) : 0; $referredby = $sql["logon"]->quote_smart(trim($_POST["referredby"])); $credits = $sql["logon"]->quote_smart($_POST["credits"]); //make sure username/pass at least 4 chars long and less than max if (strlen($login) < 4 || strlen($login) > 15) { redirect("user.php?action=edit_user&acct=" . $acct . "&error=8"); } // if we received a Screen Name, make sure it does not conflict with other Screen Names or with // login names. if ($screenname != $_POST["oldscreenname"]) { $query = "SELECT * FROM config_accounts WHERE ScreenName='" . $screenname . "'"; $sn_result = $sql["mgr"]->query($query); if ($sql["mgr"]->num_rows($sn_result) != 0) { redirect('user.php?action=edit_user&acct=' . $acct . '&error=7&'); } if ($core == 1) { $query = "SELECT * FROM accounts WHERE login='******'"; } else { $query = "SELECT * FROM account WHERE username='******'"; } $sn_result = $sql["logon"]->query($query); if ($sql["logon"]->num_rows($sn_result) != 0) { redirect('user.php?action=edit_user&acct=' . $acct . '&error=7'); } //make sure screen name is at least 4 chars long and less than max if ($screenname) { if (strlen($screenname) < 4 || strlen($screenname) > 15) { redirect("user.php?action=edit_user&acct=" . $acct . "&error=8"); } } } //restricting access to lower security level if ($seclevel > $user_lvl || $user_lvl < $action_permission["delete"]) { redirect("user.php?action=edit_user&acct=" . $_POST["acct"] . "&error=16"); } require_once "libs/valid_lib.php"; if (!valid_alphabetic($login)) { redirect("user.php?action=edit_user&error=9&acct=" . $acct); } // record changes to Banned status if (!$banned) { if ($core == 1) { $sql["logon"]->query("UPDATE accounts SET banned=0 WHERE acct='" . $acct . "'"); } else { $sql["logon"]->query("DELETE FROM account_banned WHERE id='" . $acct . "'"); } } else { if ($core == 1) { $ban_count = "SELECT COUNT(*) FROM accounts WHERE banned<>0 AND acct='" . $acct . "'"; } else { $ban_count = "SELECT COUNT(*) FROM account_banned WHERE active<>0 AND id='" . $acct . "'"; } $result = $sql["logon"]->query($ban_count); if (!$sql["logon"]->result($result, 0)) { if ($core == 1) { $ban_query = "INSERT INTO accounts (acct, banned, banreason) VALUES ('" . $acct . "', '" . (time() + 365 * 24 * 3600) . "', '" . $banreason . "')"; } else { $ban_query = "INSERT INTO account_banned (id, bandate, unbandate, bannedby, banreason, active)\r\n VALUES (" . $acct . ", " . time() . ", " . (time() + 365 * 24 * 3600) . ", '" . $user_name . "', '" . $banreason . "', 1)"; } } else { // this_is_junk: I removed the SETs for when the ban expires because it was extending the ban // hopefully this won't cause other problems if ($core == 1) { $ban_query = "UPDATE accounts SET banreason='" . $banreason . "' WHERE acct='" . $acct . "'"; } else { $ban_query = "UPDATE account_banned SET banreason='" . $banreason . "', active=1 WHERE id='" . $acct . "'"; } } $sql["logon"]->query($ban_query); } // record changes in Credits if ($core == 1) { $acct_name_query = "SELECT login FROM `" . $logon_db["name"] . "`.accounts WHERE acct='" . $acct . "'"; } else { $acct_name_query = "SELECT username AS login FROM `" . $logon_db["name"] . "`.account WHERE id='" . $acct . "'"; } $acct_name_result = $sql["logon"]->query($acct_name_query); $acct_name_result = $sql["logon"]->fetch_assoc($acct_name_result); $credit_query = "UPDATE config_accounts SET Credits='" . $credits . "' WHERE Login='******'"; $credit_result = $sql["mgr"]->query($credit_query); // record changes in Security Level if ($core == 1) { $acct_name_query = "SELECT login FROM `" . $logon_db["name"] . "`.accounts WHERE acct='" . $acct . "'"; } else { $acct_name_query = "SELECT username AS login FROM `" . $logon_db["name"] . "`.account WHERE id='" . $acct . "'"; } $sec_level_query = "SELECT * FROM config_accounts WHERE Login=(" . $acct_name_query . ") COLLATE utf8_general_ci"; $sec_level_result = $sql["mgr"]->query($sec_level_query); $sec_level_fields = $sql["mgr"]->fetch_assoc($sec_level_result); if ($sec_level_fields["SecurityLevel"] != NULL || $sec_level_fields["SecurityLevel"] != $seclevel) { $sec_level_query = "UPDATE config_accounts SET SecurityLevel='" . ($seclevel + $webadmin) . "' WHERE Login=(" . $acct_name_query . ") COLLATE utf8_general_ci"; } else { $sec_level_query = "INSERT INTO config_accounts (Login, SecurityLevel) VALUES ((" . $acct_name_query . "), '" . ($seclevel + $webadmin) . "')"; } $sec_level_result = $sql["mgr"]->query($sec_level_query); // record Screen Name if ($screenname != $_POST["oldscreenname"] || $login != $_POST["oldlogin"]) { if ($login == $_POST["oldlogin"]) { $temp_login = $_POST["oldlogin"]; } else { $temp_login = $login; } $query = "SELECT * FROM config_accounts WHERE Login='******'"; $sn_result = $sql["mgr"]->query($query); if ($sql["mgr"]->num_rows($sn_result)) { $s_result = $sql["mgr"]->query("UPDATE config_accounts SET Login='******', ScreenName='" . $screenname . "' WHERE Login='******'"); } else { $s_result = $sql["mgr"]->query("INSERT INTO config_accounts (Login, ScreenName) VALUES ('" . $login . "', '" . $screenname . "')"); } } else { $s_result = true; } // ArcEmu: find out if we're using an encrypted password for this account if ($core == 1) { $pass_query = "SELECT * FROM accounts WHERE login='******' AND encrypted_password<>''"; $pass_result = $sql["logon"]->query($pass_query); $arc_encrypted = $sql["logon"]->num_rows($pass_result); } // record changes to account if ($password == "******") { if ($core == 1) { $a_result = $sql["logon"]->query("UPDATE accounts SET login='******', email='" . $mail . "', muted='" . $locked . "', gm='" . $gmlevel . "', flags='" . $expansion . "' WHERE acct=" . $acct); } elseif ($core == 2) { $a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', locked='" . $locked . "', gmlevel='" . $gmlevel . "', expansion='" . $expansion . "' WHERE id=" . $acct); } else { // Trinity makes things a little more complex $a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', locked='" . $locked . "', expansion='" . $expansion . "' WHERE id=" . $acct); $gm_query = "SELECT * FROM account_access WHERE id='" . $acct . "'"; $gm_result = $sql["logon"]->query($gm_query); $gm = $sql["logon"]->fetch_assoc($gm_result); if ($gm["gmlevel"] == NULL) { $gm_result = $sql["logon"]->query("INSERT INTO account_access (id, gmlevel, RealmID) VALUES ('" . $acct . "', '" . $gmlevel . "', -1)"); } else { $gm_result = $sql["logon"]->query("UPDATE account_access SET gmlevel='" . $gmlevel . "' WHERE id='" . $acct . "'"); } } } else { if ($core == 1) { if ($arc_encrypted) { $a_result = $sql["logon"]->query("UPDATE accounts SET login='******', email='" . $mail . "', encrypted_password='******', muted='" . $locked . "', gm='" . $gmlevel . "', flags='" . $expansion . "' WHERE acct=" . $acct); } else { $a_result = $sql["logon"]->query("UPDATE accounts SET login='******', email='" . $mail . "', password='******', muted='" . $locked . "', gm='" . $gmlevel . "', flags='" . $expansion . "' WHERE acct=" . $acct); } } elseif ($core == 2) { $a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', sha_pass_hash=UCASE('" . $password . "'), locked='" . $locked . "', gmlevel='" . $gmlevel . "', expansion='" . $expansion . "', v=0, s=0 WHERE id=" . $acct); } else { // Trinity makes things a little more complex $a_result = $sql["logon"]->query("UPDATE account SET username='******', email='" . $mail . "', sha_pass_hash=UCASE('" . $password . "'), locked='" . $locked . "', expansion='" . $expansion . "', v=0, s=0 WHERE id=" . $acct); $gm_query = "SELECT * FROM account_access WHERE id='" . $acct . "'"; $gm_result = $sql["logon"]->query($gm_query); $gm = $sql["logon"]->fetch_assoc($gm_result); if ($gm["gmlevel"] == NULL) { $gm_result = $sql["logon"]->query("INSERT INTO account_access (id, gmlevel, RealmID) VALUES ('" . $acct . "', '" . $gmlevel . "', -1)"); } else { $gm_result = $sql["logon"]->query("UPDATE account_access SET gmlevel='" . $gmlevel . "' WHERE id='" . $acct . "'"); } } } $result = $s_result && $a_result; if (doupdate_referral($referredby, $acct) || $result) { redirect("user.php?action=edit_user&error=13&acct=" . $acct); } else { redirect("user.php?action=edit_user&error=12&acct=" . $acct); } }
function doedit_user() { global $lang_global, $realm_db, $mmfpm_db, $user_lvl, $user_name, $action_permission; valid_login($action_permission['update']); if ((!isset($_POST['pass']) || $_POST['pass'] === '') && (!isset($_POST['mail']) || $_POST['mail'] === '') && (!isset($_POST['expansion']) || $_POST['expansion'] === '') && (!isset($_POST['referredby']) || $_POST['referredby'] === '')) { redirect("user.php?action=edit_user&&id={$_POST['id']}&error=1"); } $sqlr = new SQL(); $sqlr->connect($realm_db['addr'], $realm_db['user'], $realm_db['pass'], $realm_db['name']); $id = $sqlr->quote_smart($_POST['id']); $username = $sqlr->quote_smart($_POST['username']); $banreason = $sqlr->quote_smart($_POST['banreason']); $pass = $sqlr->quote_smart($_POST['pass']); $user_pass_change = $pass != sha1(strtoupper($username) . ":******") ? "username='******',sha_pass_hash='{$pass}'," : ""; $mail = isset($_POST['mail']) && $_POST['mail'] != '' ? $sqlr->quote_smart($_POST['mail']) : ""; $failed = isset($_POST['failed']) ? $sqlr->quote_smart($_POST['failed']) : 0; $gmlevel = isset($_POST['gmlevel']) ? $sqlr->quote_smart($_POST['gmlevel']) : 0; $expansion = isset($_POST['expansion']) ? $sqlr->quote_smart($_POST['expansion']) : 1; $banned = isset($_POST['banned']) ? $sqlr->quote_smart($_POST['banned']) : 0; $locked = isset($_POST['locked']) ? $sqlr->quote_smart($_POST['locked']) : 0; $referredby = $sqlr->quote_smart(trim($_POST['referredby'])); //make sure username/pass at least 4 chars long and less than max if (strlen($username) < 4 || strlen($username) > 15) { redirect("user.php?action=edit_user&id={$id}&error=8"); } if ($gmlevel >= $user_lvl) { redirect("user.php?action=edit_user&&id={$_POST['id']}&error=16"); } if (!valid_alphabetic($username)) { redirect("user.php?action=edit_user&error=9&id={$id}"); } //restricting accsess to lower gmlvl $result = $sqlr->query("SELECT account.username, IFNULL(account_access.gmlevel,0) as gmlevel FROM account LEFT JOIN account_access ON account.id=account_access.id WHERE account.id = '{$id}'"); if ($user_lvl <= $sqlr->result($result, 0, 'gmlevel') && $user_name != $sqlr->result($result, 0, 'username')) { redirect("user.php?error=14"); } $accgmlevel = $sqlr->result($result, 0, 'gmlevel'); if (!$banned) { $sqlr->query("DELETE FROM account_banned WHERE id='{$id}'"); } else { $result = $sqlr->query("SELECT count(*) FROM account_banned WHERE id = '{$id}'"); if (!$sqlr->result($result, 0)) { $sqlr->query("INSERT INTO account_banned (id, bandate, unbandate, bannedby, banreason, active)\r\n VALUES ({$id}, " . time() . "," . (time() + 365 * 24 * 3600) . ",'{$user_name}','{$banreason}', 1)"); } } $error = false; $sqlr->query("UPDATE account SET email='{$mail}', {$user_pass_change} v=0,s=0,failed_logins='{$failed}',locked='{$locked}',expansion='{$expansion}' WHERE id='{$id}'"); if (!$sqlr->affected_rows()) { $error = true; } if ($gmlevel != $accgmlevel) { if ($gmlevel == 0 && $accgmlevel > 0) { $sqlr->query("DELETE FROM account_access WHERE id='{$id}'"); } elseif ($gmlevel > 0 && $accgmlevel == 0) { //0 has no entry in account_access, add one; sometimes there's a bug so there's indeed a gmlevel 0 entry in the table -> replace $sqlr->query("REPLACE INTO account_access (`id`,`gmlevel`,`RealmID`) VALUES ('{$id}','{$gmlevel}','-1')"); } else { $sqlr->query("UPDATE account_access SET gmlevel='{$gmlevel}' WHERE id='{$id}'"); } $sqlr->query("SELECT IFNULL((SELECT gmlevel FROM account_access WHERE id='{$id}'),0)"); if (!$sqlr->affected_rows() || $sqlr->result($result, 0) != $accgmlevel) { //temporary errorhandling $error = true; } } if (doupdate_referral($referredby, $id) || $error) { redirect("user.php?action=edit_user&error=13&id={$id}"); } else { redirect("user.php?action=edit_user&error=12&id={$id}"); } }
function doregister() { global $characters_db, $logon_db, $corem_db, $realm_id, $disable_acc_creation, $invite_only, $lang, $limit_acc_per_ip, $valid_ip_mask, $send_mail_on_creation, $create_acc_locked, $from_mail, $mailer_type, $smtp_cfg, $title, $expansion_select, $defaultoption, $GMailSender, $format_mail_html, $enable_captcha, $use_recaptcha, $recaptcha_private_key, $send_confirmation_mail_on_creation, $sql, $url_path, $initial_credits, $core; // ArcEmu: if one account has an encrypted password all new accounts will as well if ($core == 1) { $pass_query = "SELECT * FROM accounts WHERE encrypted_password<>'' LIMIT 1"; $pass_result = $sql["logon"]->query($pass_query); $arc_encrypted = $sql["logon"]->num_rows($pass_result); } if ($enable_captcha) { if ($use_recaptcha) { require_once 'libs/recaptcha/recaptchalib.php'; $resp = recaptcha_check_answer($recaptcha_private_key, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); if (!$resp->is_valid) { redirect("register.php?err=13"); } } else { if ($_POST["security_code"] != $_SESSION["security_code"]) { redirect("register.php?err=13"); } } } if (empty($_POST["pass"]) || empty($_POST["email"]) || empty($_POST["username"])) { redirect("register.php?err=1"); } // if Disable Account Creation is enabled and Invitation Only is disabled then we error out if ($disable_acc_creation && !$invite_only) { redirect("register.php?err=4"); } // if Invitation Only is enabled and we didn't get an Invitation Key then we error out if ($invite_only && !isset($_POST["invitationkey"])) { redirect("register.php?err=4"); } if (filter_var(getenv("HTTP_X_FORWARDED_FOR"), FILTER_VALIDATE_IP)) { $last_ip = $sql["mgr"]->quote_smart(getenv("HTTP_X_FORWARDED_FOR")); } else { $last_ip = $sql["mgr"]->quote_smart(getenv("REMOTE_ADDR")); } if (sizeof($valid_ip_mask)) { $qFlag = 0; $user_ip_mask = explode('.', $last_ip); foreach ($valid_ip_mask as $mask) { $vmask = explode('.', $mask); $v_count = 4; $i = 0; foreach ($vmask as $range) { $vmask_h = explode('-', $range); if (isset($vmask_h[1])) { if ($vmask_h[0] >= $user_ip_mask[$i] && $vmask_h[1] <= $user_ip_mask[$i]) { $v_count--; } } else { if ($vmask_h[0] == $user_ip_mask[$i]) { $v_count--; } } $i++; } if (!$v_count) { $qFlag++; break; } } if (!$qFlag) { redirect("register.php?err=9&usr="******"logon"]->quote_smart(trim($_POST["username"])); $screenname = !empty($_POST["screenname"]) ? $sql["mgr"]->quote_smart(trim($_POST["screenname"])) : NULL; $pass = $sql["logon"]->quote_smart($_POST["pass"]); $pass1 = $sql["logon"]->quote_smart($_POST["pass1"]); // get invitation key $invite_key = isset($_POST["invitationkey"]) ? $sql["logon"]->quote_smart($_POST["invitationkey"]) : NULL; // check it for XSS if ($invite_key != htmlspecialchars($_POST["invitationkey"])) { redirect("register.php?err=4"); } // make sure username/pass at least 4 chars long and less than max if (strlen($user_name) < 4 || strlen($user_name) > 15) { redirect("register.php?err=5"); } if ($core == 1 && !$arc_encrypted) { if (strlen($pass) < 4 || strlen($pass) > 15) { redirect("register.php?err=5"); } } else { if (strlen($pass1) < 4 || strlen($pass1) > 15) { redirect("register.php?err=5"); } } // make sure screen name is at least 4 chars long and less than max if (isset($screenname)) { if (strlen($screenname) < 4 || strlen($screenname) > 15) { redirect("register.php?err=5"); } } require_once "libs/valid_lib.php"; // make sure it doesnt contain non english chars. if (!valid_alphabetic($user_name)) { redirect("register.php?err=6"); } // make sure screen name doesnt contain non english chars. if (!valid_alphabetic($screenname)) { redirect("register.php?err=6"); } // make sure the mail is valid mail format $mail = $sql["logon"]->quote_smart(trim($_POST["email"])); if (!valid_email($mail) || strlen($mail) > 254) { redirect("register.php?err=7"); } // if we limit accounts per ip, we'll need to throw an error if ($limit_acc_per_ip) { if ($core == 1) { $result = $sql["logon"]->query("SELECT login, email FROM accounts WHERE lastip='" . $last_ip . "'"); } else { $result = $sql["logon"]->query("SELECT username AS login, email FROM account WHERE last_ip='" . $last_ip . "'"); } if ($sql["logon"]->num_rows($result)) { redirect("register.php?err=15"); } } // IP is in ban list if ($core == 1) { $result = $sql["logon"]->query("SELECT ip FROM ipbans WHERE ip='" . $last_ip . "'"); } else { $result = $sql["logon"]->query("SELECT ip FROM ip_banned WHERE ip='" . $last_ip . "'"); } if ($sql["logon"]->num_rows($result)) { redirect("register.php?err=8&usr="******"logon"]->query("SELECT login, email FROM accounts WHERE email='" . $mail . "'"); } else { $result = $sql["logon"]->query("SELECT username AS login, email FROM account WHERE email='" . $mail . "'"); } if ($sql["logon"]->num_rows($result)) { redirect("register.php?err=14"); } // username check if ($core == 1) { $result = $sql["logon"]->query("SELECT login, email FROM accounts WHERE login='******' OR login='******'"); } else { $result = $sql["logon"]->query("SELECT username AS login, email FROM account WHERE username='******' OR username='******'"); } // make sure we got a valid Invitation Key if ($invite_only) { $check_invite_query = "SELECT * FROM invitations WHERE invited_email='" . $mail . "' AND invitation_key='" . $invite_key . "'"; $check_invite_result = $sql["mgr"]->query($check_invite_query); $check_invite = $sql["mgr"]->num_rows($check_invite_result); if ($check_invite == 0) { redirect("register.php?err=17&by=" . $_POST["invitedby"] . "&key=" . $invite_key); } } if ($sql["logon"]->num_rows($result)) { // there is already someone with same account name redirect("register.php?err=3&usr="******"SELECT * FROM config_accounts WHERE ScreenName='" . $screenname . "'"; $result = $sql["mgr"]->query($query); if ($sql["mgr"]->num_rows($result)) { redirect("register.php?err=3&usr="******"expansion"]) ? $sql["logon"]->quote_smart($_POST["expansion"]) : 0; } else { $expansion = $defaultoption; } // insert screen name (if we didn't get a screen name, we still need to exit registration correctly. if ($screenname) { $query = "INSERT INTO config_accounts (Login, ScreenName, Credits) VALUES ('" . $user_name . "', '" . $screenname . "', '" . $initial_credits . "')"; } else { $query = "INSERT INTO config_accounts (Login, ScreenName, Credits) VALUES ('" . $user_name . "', '', '" . $initial_credits . "')"; } $s_result = $sql["mgr"]->query($query); if ($send_confirmation_mail_on_creation) { // for email confirmation we save their real password to their config_accounts entry // and a temporary (and incorrect) password into the logon database $temppass = $pass; $pass_gen_list = "abcdefghijklmnopqrstuvwxyz"; // generate a random, temporary pass $pass = $pass_gen_list[rand(0, 25)]; $pass .= $pass_gen_list[rand(0, 25)]; $pass .= $pass_gen_list[rand(0, 25)]; $pass .= rand(1, 9); $pass .= rand(1, 9); $pass .= rand(1, 9); $pass .= $pass_gen_list[rand(0, 25)]; // save their real password $query = "UPDATE config_accounts SET TempPassword='******' WHERE Login='******'"; $q_result = $sql["mgr"]->query($query); // now; we create their, temporarily crippled, account if ($core == 1) { $query = "INSERT INTO accounts (login, password, gm, banned, email, flags) VALUES ('" . $user_name . "', '" . $pass . "', '0', '0', '" . $mail . "', '" . $expansion . "')"; } else { $query = "INSERT INTO account (username, sha_pass_hash, email, expansion) VALUES ('" . $user_name . "', '" . sha1(strtoupper($user_name . ":" . $pass)) . "', '" . $mail . "', '" . $expansion . "')"; } $a_result = $sql["logon"]->query($query); } else { // otherwise, we just save if ($core == 1) { if ($arc_encrypted) { $query = "INSERT INTO accounts (login, password, encrypted_password, gm, banned, email, flags) VALUES ('" . $user_name . "', '', '" . $pass . "', '0', '0', '" . $mail . "', '" . $expansion . "')"; } else { $query = "INSERT INTO accounts (login, password, gm, banned, email, flags) VALUES ('" . $user_name . "', '" . $pass . "', '0', '0', '" . $mail . "', '" . $expansion . "')"; } } else { $query = "INSERT INTO account (username, sha_pass_hash, email, expansion) VALUES ('" . $user_name . "', '" . $pass . "', '" . $mail . "', '" . $expansion . "')"; } $a_result = $sql["logon"]->query($query); } // if we got an Invitation Key then we need to remove the invitation if (isset($invite_key)) { $clear_invite_query = "DELETE FROM invitations WHERE invitation_key='" . $invite_key . "'"; $clear_invite_result = $sql["mgr"]->query($clear_invite_query); } // do referral if ($core == 1) { $our_acct_query = "SELECT acct AS id FROM accounts WHERE login='******'"; } else { $our_acct_query = "SELECT id FROM account WHERE username='******'"; } $our_acct_result = $sql["logon"]->query($our_acct_query); $our_acct_result = $sql["logon"]->fetch_assoc($our_acct_result); $our_acct = $our_acct_result["id"]; $referredby = isset($_POST["invitedby"]) ? $sql["logon"]->quote_smart($_POST["invitedby"]) : NULL; $referralresult = doupdate_referral($referredby, $our_acct); // Trinity uses a separate table for gm levels and realm access if ($core == 3) { $id_query = "SELECT * FROM account WHERE username='******'"; $id_result = $sql["logon"]->query($id_query); $id_fields = $sql["logon"]->fetch_assoc($id_result); $new_id = $id_fields["id"]; $query = "INSERT INTO account_access (id, gmlevel, RealmID) VALUES ('" . $new_id . "', '0', '-1')"; $aa_result = $sql["logon"]->query($query); } // compile results if ($core != 3) { $result = $s_result && $a_result; } else { $result = $s_result && $a_result && $aa_result; } // destroy the terms cookie setcookie("terms", "", time() - 3600); // set $lang global if (empty($_POST["lang"])) { redirect("register.php?error=1"); } else { $lang = addslashes($_POST["lang"]); } // create lang cookie if ($lang) { setcookie("lang", $lang, time() + 60 * 60 * 24 * 30 * 6); } else { redirect("register.php?error=1"); } // registration emails if ($send_confirmation_mail_on_creation) { // we send our confirmation message // prepare message if ($format_mail_html) { $file_name = "lang/mail_templates/" . $lang . "/mail_activate.tpl"; } else { $file_name = "lang/mail_templates/" . $lang . "/mail_activate_nohtml.tpl"; } $fh = fopen($file_name, 'r'); $subject = fgets($fh, 4096); $body = fread($fh, filesize($file_name)); fclose($fh); $subject = str_replace("<title>", $title, $subject); if ($format_mail_html) { $body = str_replace("\n", "<br />", $body); $body = str_replace("\r", " ", $body); } $body = str_replace("<core>", core_name($core), $body); $body = str_replace("<username>", $user_name, $body); if ($screenname) { $body = str_replace("<screenname>", $screenname, $body); } else { $body = str_replace("<screenname>", "NONE GIVEN", $body); } $body = str_replace("<password>", $pass1, $body); $server_addr = $_SERVER["SERVER_PORT"] != 80 ? $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] : $_SERVER["SERVER_NAME"]; // if we aren't installed in / then append the path to $server_addr $server_addr .= $url_path != "" ? $url_path : ""; $body = str_replace("<base_url>", $server_addr, $body); if ($core == 1) { if ($arc_encrypted) { $body = str_replace("<key>", $temppass, $body); } else { $body = str_replace("<key>", sha1(strtoupper($user_name . ":" . $temppass)), $body); } } else { $body = str_replace("<key>", $temppass, $body); } if ($GMailSender) { require_once "libs/mailer/authgMail_lib.php"; $fromName = $title . " Admin"; authgMail($from_mail, $fromName, $mail, $mail, $subject, $body, $smtp_cfg); } else { require_once "libs/mailer/class.phpmailer.php"; $mailer = new PHPMailer(); $mailer->Mailer = $mailer_type; if ($mailer_type == "smtp") { $mailer->Host = $smtp_cfg["host"]; $mailer->Port = $smtp_cfg["port"]; if ($smtp_cfg["user"] != "") { $mailer->SMTPAuth = true; $mailer->Username = $smtp_cfg["user"]; $mailer->Password = $smtp_cfg["pass"]; } } $mailer->WordWrap = 50; $mailer->From = $from_mail; $mailer->FromName = $title . " Admin"; $mailer->Subject = $subject; $mailer->IsHTML($format_mail_html); $mailer->Body = $body; $mailer->AddAddress($mail); $mailer->Send(); $mailer->ClearAddresses(); } } else { // we only send the welcome message if we don't send the confirmation if ($send_mail_on_creation) { // prepare message if ($format_mail_html) { $file_name = "lang/mail_templates/" . $lang . "/mail_welcome.tpl"; } else { $file_name = "lang/mail_templates/" . $lang . "/mail_welcome_nohtml.tpl"; } $fh = fopen($file_name, 'r'); $subject = fgets($fh, 4096); $subject = str_replace("Subject: ", "", $subject); $subject = trim($subject); $body = fread($fh, filesize($file_name)); fclose($fh); $subject = str_replace("<title>", $title, $subject); if ($format_mail_html) { $body = str_replace("\n", "<br />", $body); $body = str_replace("\r", "", $body); } $body = str_replace("<core>", core_name($core), $body); $body = str_replace("<username>", $user_name, $body); if ($screenname) { $body = str_replace("<screenname>", $screenname, $body); } else { $body = str_replace("<screenname>", "NONE GIVEN", $body); } $body = str_replace("<password>", $pass1, $body); $server_addr = $_SERVER["SERVER_PORT"] != 80 ? $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] : $_SERVER["SERVER_NAME"]; // if we aren't installed in / then append the path to $server_addr $server_addr .= $url_path != "" ? $url_path : ""; $body = str_replace("<base_url>", $server_addr, $body); if ($GMailSender) { require_once "libs/mailer/authgMail_lib.php"; $fromName = $title . " Admin"; authgMail($from_mail, $fromName, $mail, $mail, $subject, $body, $smtp_cfg); } else { require_once "libs/mailer/class.phpmailer.php"; $mailer = new PHPMailer(); $mailer->Mailer = $mailer_type; if ($mailer_type == "smtp") { $mailer->Host = $smtp_cfg["host"]; $mailer->Port = $smtp_cfg["port"]; if ($smtp_cfg["user"] != "") { $mailer->SMTPAuth = true; $mailer->Username = $smtp_cfg["user"]; $mailer->Password = $smtp_cfg["pass"]; } } $mailer->WordWrap = 50; $mailer->From = $from_mail; $mailer->FromName = $title . " Admin"; $mailer->Subject = $subject; $mailer->IsHTML($format_mail_html); $mailer->Body = $body; $mailer->AddAddress($mail); $mailer->Send(); $mailer->ClearAddresses(); } } } if ($result) { if ($referralresult) { $appendinfo = ""; } else { $appendinfo = "&info=1"; } if ($send_confirmation_mail_on_creation) { redirect("login.php?error=8" . $appendinfo); } else { redirect("login.php?error=6" . $appendinfo); } } } }