/**
 * Renders the registration captcha row unless the session already records a
 * solved captcha ($_SESSION["r_code"] === "OK").
 *
 * Stores the numeric challenge in $_SESSION["r_code"] and two generated
 * values in $_SESSION["r_trap1"] / $_SESSION["r_trap2"], which are emitted as
 * the name and value of a hidden input. Note that the challenge itself is
 * written into the page as plain text, so this only deters the simplest bots.
 *
 * Outputs HTML directly; returns nothing.
 */
function OS_CaptchaOnRegistration()
    {
        // Nothing to render once the captcha has been passed.
        if (isset($_SESSION["r_code"]) && $_SESSION["r_code"] == "OK") {
            return;
        }
        $code = rand(100, 10000);
        $_SESSION["r_code"] = $code;
        $trap1 = generate_hash(16);
        $trap2 = generate_hash(8);
        $_SESSION["r_trap1"] = $trap1;
        $_SESSION["r_trap2"] = $trap2;
        ?>
   <tr>
     <td class="padLeft">Captcha:</td>
	 <td class="padLeft">
	 <input type="text" size="1" value="" name="r_captcha"/>
	 <input type="hidden" name="<?php echo $trap1; ?>" value="<?php echo $trap2; ?>" />
	 <span style="font-size:26px; font-weight:bold;"><?php echo $code; ?></span>
	 </td>
   </tr>
   <?php
    }
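/**
 * Checks the submitted username/password pair against the `users` table.
 *
 * Reads `user` and `password` from $_POST. Returns true only when a row
 * exists for that name and its stored password_hash is byte-identical to
 * generate_hash(name, password).
 *
 * @return bool
 */
function check_login(){
	$username = isset($_POST['user']) ? $_POST['user'] : '';
	$password = isset($_POST['password']) ? $_POST['password'] : '';
	// The name is still escaped into the SQL string: db_easy() exposes no
	// parameter interface here, so escaping is the only option available.
	$user = db_easy("SELECT `name`, `password_hash` FROM `users` WHERE `name`='" . mysql_real_escape_string($username) . "'");
	if (!$user || !isset($user['password_hash'])) {
		// Unknown user: fail without hashing against a missing row.
		return false;
	}
	$expected = (string) $user['password_hash'];
	$actual = (string) generate_hash($user['name'], $password);
	// hash_equals() instead of ==: byte-exact (two "0e..." strings are not
	// "equal" numerically) and constant-time.
	return hash_equals($expected, $actual);
}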
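 /**
  * Sets a new password for the account identified by e-mail address and
  * password-reset code, consuming the reset code in the same update.
  *
  * @param IChangePasswordInput $input supplies e-mail, reset code and new password
  * @return bool true when at least one row was updated
  */
 public function change_password(IChangePasswordInput $input)
 {
     $email = $input->get_email();
     $resetcode = $input->get_resetcode();
     // Refuse an empty reset code (or e-mail) up front: CodeIgniter's query
     // builder renders where('col', null) as "col IS NULL", which would match
     // every account with no pending reset rather than the one that asked.
     if ($resetcode === null || $resetcode === '' || $email === null || $email === '') {
         return false;
     }
     // Prepare data
     $this->load->helper('crypto');
     $passwordsalt = generate_salt();
     $passwordhash = generate_hash($input->get_password(), $passwordsalt);
     $this->db->where('email', $email);
     $this->db->where('passwordresetcode', $resetcode);
     // Clearing passwordresetcode makes the code single-use.
     $this->db->update("users", array("passwordresetcode" => NULL, "passwordhash" => $passwordhash, "passwordsalt" => $passwordsalt));
     return $this->db->affected_rows() > 0;
 }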
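 /**
  * Validates the comment-form captcha for a comment submission.
  *
  * Runs only when the form field "post_comment" is present. The submitted
  * "c_code" must be a string identical to $_SESSION["c_code"]; otherwise
  * os_trigger_error() is called with a "Back" link to the post. On success a
  * fresh code is generated so the same answer cannot be replayed.
  *
  * os_trigger_error() is expected to end the request; the explicit returns
  * guard the case where it does not.
  */
 function OS_CheckCaptcha()
 {
     if (!isset($_POST["post_comment"])) {
         return;
     }
     if (isset($_GET["post_id"]) and is_numeric($_GET["post_id"])) {
         $backTo = OS_HOME . '?post_id=' . safeEscape($_GET["post_id"]) . "&amp;" . generate_hash(12) . "#SubmitComment";
     } else {
         $backTo = '';
     }
     $CaptchaError = '<h2>Invalid captcha</h2><div><a href="' . $backTo . '">&laquo; Back</a></div>';
     // Missing input or missing session code: fail and stop instead of falling
     // through to a comparison of undefined values.
     if (!isset($_POST["c_code"]) or !isset($_SESSION["c_code"])) {
         os_trigger_error($CaptchaError);
         return;
     }
     // Strict comparison: a non-string value (e.g. c_code[]=x) or a merely
     // loosely-equal value must not pass.
     if (!is_string($_POST["c_code"]) || $_POST["c_code"] !== (string) $_SESSION["c_code"]) {
         os_trigger_error($CaptchaError . " ");
         return;
     }
     // Solved: rotate the code. "o"/"0" are swapped for "x", presumably because
     // they are hard to tell apart when rendered.
     $code = generate_hash(5);
     $code = str_replace(array("o", "0"), array("x", "x"), $code);
     $_SESSION["c_code"] = $code;
 }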
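/**
 * Authenticates a user against the "accounts" table and opens a session.
 *
 * On success $_SESSION gets 'user_id', 'username' and 'login_string' (sha512
 * of the password hash, client IP and user agent) and true is returned.
 * Every other outcome - prepare() failure, unknown user, wrong password -
 * returns false (the original fell off the end and returned null for the
 * last two).
 *
 * @param string $username submitted username
 * @param string $password submitted plaintext password
 * @param PDO    $dbh      open database handle
 * @return bool
 */
function login($username, $password, $dbh)
{
    $query = $dbh->prepare("SELECT uid, username, password FROM accounts WHERE username = ? LIMIT 1");
    if (!$query) {
        // Statement could not be prepared (this is not the "no user" case).
        return false;
    }
    $query->bindValue(1, $username);
    $query->execute();
    $result = $query->fetch();
    if (!$result) {
        // No account with that username.
        return false;
    }
    $user_id = $result['uid'];
    $username = $result['username'];
    $storedpass = $result['password'];
    // The first 32 characters of the stored value are the per-user salt.
    $storedsalt = substr($storedpass, 0, 32);
    // Recompute the hash of the attempt with that salt.
    $password = generate_hash($password, $storedsalt);
    // hash_equals(): byte-exact and constant-time, unlike == which treats two
    // numeric-looking strings ("0e...") as equal.
    if (!hash_equals((string) $storedpass, (string) $password)) {
        return false;
    }
    $ip_address = $_SERVER['REMOTE_ADDR'];
    $user_browser = $_SERVER['HTTP_USER_AGENT'];
    // These two values may be printed later, so restrict them to safe characters.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    // Ties the session to the client's IP and user agent (presumably checked elsewhere).
    $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_browser);
    return true;
}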
 /**
  * Builds the setup configuration from the processed installer values.
  *
  * Every key missing from $processed_array falls back to "" except
  * database_adapter ("mysql") and the two web-service credentials
  * (auth_username / auth_password), which get a generated hash;
  * config_file_path is always derived from entrada_absolute.
  *
  * @param array $processed_array values collected by the installer steps
  */
 public function __construct($processed_array)
 {
     $string_keys = array(
         "entrada_url",
         "entrada_relative",
         "entrada_absolute",
         "entrada_storage",
         "database_host",
         "database_username",
         "database_password",
         "entrada_database",
         "auth_database",
         "clerkship_database",
         "admin_username",
         "admin_password_hash",
         "admin_firstname",
         "admin_lastname",
         "admin_email",
     );
     foreach ($string_keys as $key) {
         $this->{$key} = isset($processed_array[$key]) ? $processed_array[$key] : "";
     }
     $this->database_adapter = isset($processed_array["database_adapter"]) ? $processed_array["database_adapter"] : "mysql";
     // Credentials are only generated when the installer did not supply them.
     foreach (array("auth_username", "auth_password") as $key) {
         $this->{$key} = isset($processed_array[$key]) ? $processed_array[$key] : generate_hash();
     }
     $this->config_file_path = $this->entrada_absolute . "/core/config/config.inc.php";
 }
 /**
  * Add new user
  *
  * Validates $user_data, adopts an already-existing matching user when there
  * is one, otherwise inserts a new row with a fresh hash and a start date and
  * loads the resulting attributes into this object.
  *
  * NOTE(review): the time part of date_start uses hyphens ("H-i-s") - confirm
  * the column really expects that format.
  *
  * @param array $user_data
  *
  * @return bool true when the object now holds a user (existing or created)
  */
 public function create($user_data)
 {
     $user_data = $this->validate($user_data);
     if (!$user_data) {
         return false;
     }
     // Reuse an existing registration instead of duplicating it.
     $existing = $this->checkExist($user_data);
     if ($existing) {
         $this->setAttributes($existing);
         return true;
     }
     $hash = generate_hash();
     $date_start = date("Y-m-d H-i-s");
     $sql = "INSERT INTO\n                   {$this->table_name} (\n                     name,\n                     email,\n                     phone,\n                     hash,\n                     date_start,\n                     conference_id\n                   ) VALUES (\n                     :name,\n                     :email,\n                     :phone,\n                     :hash,\n                     :date_start,\n                     :conference_id\n                   )";
     $statement = $this->connection->prepare($sql, [PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY]);
     $params = [
         ':name' => $user_data['name'],
         ':email' => $user_data['email'],
         ':phone' => $user_data['phone'],
         ':conference_id' => $user_data['conference_id'],
         ':date_start' => $date_start,
         ':hash' => $hash,
     ];
     if (!$statement->execute($params)) {
         return false;
     }
     // Mirror the persisted values onto the object's attributes.
     $user_data['hash'] = $hash;
     $user_data['date_start'] = $date_start;
     $this->setAttributes($user_data);
     return true;
 }
            $TOTAL_ERRORS = $ERROR;
            $STEP = 2;
        }
    case 2:
        /**
         * Keys to allow Entrada to access the authentication web-service.
         */
        if (isset($_POST["auth_username"]) && ($auth_username = clean_input($_POST["auth_username"], "alphanumeric"))) {
            $PROCESSED["auth_username"] = $auth_username;
        } else {
            $PROCESSED["auth_username"] = generate_hash();
        }
        if (isset($_POST["auth_password"]) && ($auth_password = clean_input($_POST["auth_password"], "alphanumeric"))) {
            $PROCESSED["auth_password"] = $auth_password;
        } else {
            $PROCESSED["auth_password"] = generate_hash();
        }
    case 1:
    default:
        continue;
        break;
}
// Wrap the values collected by the installer steps above in the setup object.
$setup = new Entrada_Setup($PROCESSED);
/**
 * Post-Error Check Data Processing
 */
switch ($STEP) {
    case 6:
        if (@file_exists($PROCESSED["entrada_absolute"] . "/.htaccess")) {
            if (@file_exists($PROCESSED["entrada_absolute"] . "/core/config/config.inc.php")) {
                try {
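 /**
  * Creates a user account and updates object, returns true or false.
  * $user_data requires: "username", "firstname", "lastname", "email", "password", "organisation_id"
  * $user_access requires: "group", "role", "app_id"
  *
  * Every value is passed through clean_input("trim", "striptags") first. The
  * user_access row gets organisation_id (from user_data), access_starts (now),
  * account_active ("true") and private_hash (generate_hash()) when the caller
  * did not provide them. On success each class property with a matching key
  * is refreshed from the inserted data.
  *
  * NOTE(review): "password" is inserted exactly as received (after striptags);
  * nothing here hashes it - confirm the caller does.
  *
  * @param array $user_data User data array, keys match table fields. Ex: array("id" => "1", "username" => "foo").
  * @param array $user_access User access array, keys match table fields. Ex: array("group" => "admin").
  * @return boolean false when a required key is missing or either insert fails
  */
 public function createUser(array $user_data, array $user_access)
 {
     global $db;
     $required_user_data = array("username", "firstname", "lastname", "email", "password", "organisation_id");
     $required_user_access = array("group", "role", "app_id");
     // $error is initialised explicitly: it used to be set only to true, so the
     // happy path read an undefined variable.
     $error = false;
     foreach ($required_user_data as $data) {
         if (!array_key_exists($data, $user_data)) {
             $error = true;
         }
     }
     foreach ($required_user_access as $data) {
         if (!array_key_exists($data, $user_access)) {
             $error = true;
         }
     }
     if ($error) {
         return false;
     }
     $processed = array("user_data" => array(), "user_access" => array());
     foreach ($user_data as $fieldname => $data) {
         $processed["user_data"][$fieldname] = clean_input($data, array("trim", "striptags"));
     }
     foreach ($user_access as $fieldname => $data) {
         $processed["user_access"][$fieldname] = clean_input($data, array("trim", "striptags"));
     }
     if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_data`", $processed["user_data"], "INSERT")) {
         application_log("error", "Failed to add user, DB said: " . $db->ErrorMsg());
         return false;
     }
     $processed["user_data"]["id"] = $db->Insert_ID();
     $processed["user_access"]["user_id"] = $processed["user_data"]["id"];
     if (!isset($processed["user_access"]["organisation_id"])) {
         $processed["user_access"]["organisation_id"] = $processed["user_data"]["organisation_id"];
     }
     if (!isset($processed["user_access"]["access_starts"])) {
         $processed["user_access"]["access_starts"] = time();
     }
     if (!isset($processed["user_access"]["account_active"])) {
         $processed["user_access"]["account_active"] = "true";
     }
     if (!isset($processed["user_access"]["private_hash"])) {
         $processed["user_access"]["private_hash"] = generate_hash();
     }
     if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_access`", $processed["user_access"], "INSERT")) {
         application_log("error", "Failed to add user, DB said: " . $db->ErrorMsg());
         return false;
     }
     // Refresh this object's properties from the inserted rows; user_data wins
     // over user_access for keys present in both, otherwise the class default stays.
     $params = get_class_vars(__CLASS__);
     foreach ($params as $param_name => $param) {
         $this->{$param_name} = isset($processed["user_data"][$param_name]) ? $processed["user_data"][$param_name] : (isset($processed["user_access"][$param_name]) ? $processed["user_access"][$param_name] : $param);
     }
     return true;
 }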
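    $pw = trim($_POST["password"]);
    $email = trim($_POST["email"]);
    // Too-short credentials fall back to admin/admin and the visitor is told
    // to change them afterwards.
    if (strlen($admin) <= 2 or strlen($pw) <= 2) {
        $admin = "admin";
        $pw = "admin";
        $email = "*****@*****.**";
        ?>
		<div>Admin username or password have too few characters</div>
		<div>Inserting default admin username and password</div>
		<div><b>Admin username:</b> admin</div>
		<div><b>Admin password:</b> admin</div>
		<div>&nbsp;</div>
		<div>Don't forget to change admin username and password via admin panel</div>
		<?php 
    }
    $hash = generate_hash(16, 1);
    $pass = generate_password($pw, $hash);
    $userLevel = 10;
    // 10 - root admin, 9 - administrator
    // Values are bound instead of interpolated: $admin and $email come from the
    // form and previously went into the SQL string verbatim. Assumes $dbh is a
    // PDO handle, as the prepare()/execute() pair here suggests - confirm.
    $sth = $dbh->prepare("INSERT INTO oh_users(user_name, user_password, password_hash, user_email, user_joined, user_level,user_ip, confirm, can_comment) VALUES(:user_name, :user_password, :password_hash, :user_email, :user_joined, :user_level, :user_ip, '', '1')");
    $sth->bindValue(':user_name', $admin, PDO::PARAM_STR);
    $sth->bindValue(':user_password', $pass, PDO::PARAM_STR);
    $sth->bindValue(':password_hash', $hash, PDO::PARAM_STR);
    $sth->bindValue(':user_email', $email, PDO::PARAM_STR);
    $sth->bindValue(':user_joined', (string) time(), PDO::PARAM_STR);
    $sth->bindValue(':user_level', (string) $userLevel, PDO::PARAM_STR);
    $sth->bindValue(':user_ip', $_SERVER["REMOTE_ADDR"], PDO::PARAM_STR);
    $sth->execute();
    $result = 1;
    flush();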
    if ($result) {
        ?>
		<div>&nbsp;</div>
		<div><b>Admin successfully created.</b></div>
		<div style="display:none;">Please delete <b>install.php</b>, <b>sql_data.sql</b> and <b>sql_heroes_items.sql</b> from install  directory.</div>
		
		<div style="display:none;">Please delete or rename <b>install/</b> folder.</div>
		
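/**
 * Verifies a plaintext value against a stored salted hash.
 *
 * The salt is the trailing SALT_LENGTH characters of $proper; hashing $check
 * with that salt must reproduce $proper exactly.
 *
 * @param string $proper stored hash (hash followed by its salt)
 * @param string $check  plaintext candidate
 * @return bool
 */
function check_hash($proper, $check)
{
    $proper = (string) $proper;
    $len = strlen($proper);
    $nhash = (string) generate_hash($check, substr($proper, $len - SALT_LENGTH));
    // hash_equals() instead of ==: byte-exact (no "0e..." numeric-string
    // juggling) and constant-time.
    return hash_equals($proper, $nhash);
}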
<?php

// Template fragment: $website must be set by the including page, else 404.
if (!isset($website)) {
    header('HTTP/1.1 404 Not Found');
    die;
}
// Per-request code kept in the session; presumably consumed by the comment
// form that follows this fragment - confirm against that form's handler.
$code = generate_hash(8);
$_SESSION["code"] = $code;
// NOTE(review): $errors is echoed unescaped - confirm it is HTML assembled by
// the caller and never raw user input.
if (isset($errors) and !empty($errors)) {
    ?>
<div><?php 
    echo $errors;
    ?>
</div>
<?php 
}
?>
<a name="comments"></a><?php 
if (isset($CommentsData) and !empty($CommentsData)) {
    ?>
<div class="comments" id="comments">
<h4><?php 
    echo $lang["comments"];
    ?>
 (<?php 
    echo $CommentsData[0]["total_comments"];
    ?>
)</h4>
<div class="comments-content">
<div id="comment-holder">
<ol>
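/**
 * Returns the stored hash of a threshold template, or a freshly generated one
 * when the stored value does not contain a 32-character hex string.
 *
 * @param int $id thold_template primary key
 * @return string
 */
function get_hash_thold_template($id)
{
    // $id is cast to int rather than interpolated as-is: "WHERE id={$id}" put
    // the raw value into the SQL string.
    $hash = db_fetch_cell("SELECT hash FROM thold_template WHERE id=" . (int) $id);
    // (string) cast: preg_match() on a null/false cell is deprecated in PHP 8.1.
    if (preg_match("/[a-fA-F0-9]{32}/", (string) $hash)) {
        return $hash;
    }
    return generate_hash();
}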
img/fb_connect.png" width="300" height="50" alt="FB CONNECT" /></a>
      <div>Click on the button above to sign in with your FB account</div>
      <div style="margin-top: 360px;">&nbsp;</div>
	  
     </div>
    </div>
   </div>
 </div>
</div>
  <?php 
    }
    if ($user and isset($email) and strlen($email) >= 5) {
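        // Both values are escaped before concatenation, as the INSERT further
        // down already does for name/email; the lookup previously interpolated
        // them raw. Assumes safeEscape() escapes for SQL - confirm.
        $result = $db->query("SELECT * FROM users WHERE user_email = '" . safeEscape($email) . "' AND user_fbid = '" . safeEscape($user) . "' ");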
        if ($db->num_rows($result) <= 0) {
            $pass = generate_hash(5);
            $hash = generate_hash(12);
            $password_db = generate_password($pass, $hash);
            $avatar = 'https://graph.facebook.com/' . $user . '/picture?type=large';
            $www = 'http://www.facebook.com/profile.php?id=' . $user . '';
            if ($gender == "male") {
                $gen = 1;
            } else {
                if ($gender == "female") {
                    $gen = 2;
                } else {
                    $gen = 0;
                }
            }
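            // $user, $www and $avatar were concatenated unescaped while the
            // neighbouring values went through safeEscape(); escape them too.
            $insert = $db->query("INSERT INTO users(user_name, user_fbid, user_password, password_hash, user_email, user_joined, user_level, user_last_login, user_ip, user_avatar, user_website, user_gender) \n\t VALUES('" . safeEscape($name) . "', '" . safeEscape($user) . "', '" . $password_db . "', '" . $hash . "', '" . safeEscape($email) . "', '" . (int) time() . "', '0', '" . (int) time() . "', '" . safeEscape($_SERVER["REMOTE_ADDR"]) . "', '" . safeEscape(strip_tags($avatar)) . "', '" . safeEscape($www) . "', '" . (int) $gen . "')");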
            $id = $db->get_insert_id();
            $_SESSION["user_id"] = $id;
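 /**
  * Creates user data / user access records
  *
  * Looks the LDAP member up in user_data by student number. When absent, a
  * user_data row and a user_access row are inserted; when present, only a
  * user_access row for this course's organisation is added if missing. The
  * user is then added to the course group and, when configured, the
  * community. Failures are logged via application_log() and do not abort.
  *
  * @global type $db
  * @param type $member_ldap_data one LDAP entry; LDAP_USER_QUERY_FIELD,
  *             LDAP_MEMBER_ATTR and either sn + givenName or cn are read
  * @return void (the previous docblock claimed "int $status"; nothing is returned)
  */
 private function handleUser($member_ldap_data)
 {
     global $db;
     $number = str_replace("S", "", $member_ldap_data[LDAP_USER_QUERY_FIELD]);
     // Expected graduation year; also stored as the access "role".
     $GRAD = date("Y", time()) + 4;
     $user_id = "";
     $query = "SELECT * FROM `" . AUTH_DATABASE . "`.`user_data` WHERE `number` = ?";
     $result = $db->GetRow($query, array($number));
     if (!$result) {
         // Prefer the structured name attributes; otherwise split cn on spaces.
         if (isset($member_ldap_data["sn"]) && isset($member_ldap_data["givenName"]) && $member_ldap_data["sn"] && $member_ldap_data["givenName"]) {
             $names = array($member_ldap_data["givenName"], $member_ldap_data["sn"]);
         } else {
             $names = explode(" ", $member_ldap_data["cn"]);
         }
         // A cn without a space yields one element; do not read $names[1] blindly.
         $firstname = trim($names[0]);
         $lastname = isset($names[1]) ? trim($names[1]) : "";
         $email = isset($member_ldap_data["mail"]) ? $member_ldap_data["mail"] : strtolower($member_ldap_data[LDAP_MEMBER_ATTR]) . "@queensu.ca";
         // NOTE(review): the account gets a random throwaway password stored as an
         // unsalted md5; acceptable only if these users authenticate via LDAP - confirm.
         $student = array("number" => $number, "username" => strtolower($member_ldap_data[LDAP_MEMBER_ATTR]), "password" => md5(generate_password(8)), "organisation_id" => $this->course["organisation_id"], "firstname" => $firstname, "lastname" => $lastname, "prefix" => "", "email" => $email, "email_alt" => "", "email_updated" => time(), "telephone" => "", "fax" => "", "address" => "", "city" => DEFAULT_CITY, "postcode" => DEFAULT_POSTALCODE, "country" => "", "country_id" => DEFAULT_COUNTRY_ID, "province" => "", "province_id" => DEFAULT_PROVINCE_ID, "notes" => "", "privacy_level" => "0", "notifications" => "0", "entry_year" => date("Y", time()), "grad_year" => $GRAD, "gender" => "0", "clinical" => "0", "updated_date" => time(), "updated_by" => "1");
         if ($db->AutoExecute("`" . AUTH_DATABASE . "`.`user_data`", $student, "INSERT")) {
             $user_id = $db->Insert_ID();
             $access = $this->buildStudentAccess($user_id, $GRAD);
             // The condition was inverted before: it logged on success and stayed silent on failure.
             if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_access`", $access, "INSERT")) {
                 application_log("error", "Failed to create user access record, DB said: " . $db->ErrorMsg());
             }
         } else {
             application_log("error", "Failed to create user data record, DB said: " . $db->ErrorMsg());
         }
     } else {
         $user_id = $result["id"];
         $query = "SELECT * FROM `" . AUTH_DATABASE . "`.`user_access`\n                        WHERE `user_id` = " . $db->qstr($result["id"]) . " AND `organisation_id` = " . $db->qstr($this->course["organisation_id"]);
         $access_record = $db->GetRow($query);
         if (!$access_record) {
             $access = $this->buildStudentAccess($user_id, $GRAD);
             if (!$db->AutoExecute("`" . AUTH_DATABASE . "`.`user_access`", $access, "INSERT")) {
                 application_log("error", "Failed to create user access record, DB said: " . $db->ErrorMsg());
             }
         }
     }
     // Course group membership.
     $query = "SELECT * FROM `group_members` \n                    WHERE `proxy_id` = " . $db->qstr($user_id) . "\n                    AND `group_id` = " . $db->qstr($this->group_id);
     $group_member = $db->GetRow($query);
     if (!$group_member) {
         $values = array("group_id" => $this->group_id, "proxy_id" => $user_id, "start_date" => $this->course["start_date"], "expire_date" => $this->course["end_date"], "member_active" => "1", "entrada_only" => "0", "updated_date" => time(), "updated_by" => "1");
         if (!$db->AutoExecute("group_members", $values, "INSERT")) {
             application_log("error", "User was not added to group_members table, DB said: " . $db->ErrorMsg());
         }
     }
     // Optional community membership.
     if ($this->community_id) {
         $query = "SELECT * FROM `community_members` WHERE `proxy_id` = ? AND `community_id` = ?";
         $community_membership = $db->GetRow($query, array($user_id, $this->community_id));
         if (!$community_membership) {
             $values = array("community_id" => $this->community_id, "proxy_id" => $user_id, "member_active" => "1", "member_joined" => time(), "member_acl" => "0");
             if (!$db->AutoExecute("`community_members`", $values, "INSERT")) {
                 application_log("error", "Failed to add user to community, DB said: " . $db->ErrorMsg());
             }
         }
     }
     // Handled users are dropped from the pending audience list.
     unset($this->community_audience[$user_id]);
 }

 /**
  * Builds the user_access row inserted for a student handled by handleUser().
  *
  * @param int|string $user_id user_data id the access record belongs to
  * @param int $GRAD graduation year, stored as the role
  * @return array
  */
 private function buildStudentAccess($user_id, $GRAD)
 {
     return array("user_id" => $user_id, "app_id" => $this->app_id, "organisation_id" => $this->course["organisation_id"], "account_active" => "true", "access_starts" => time(), "access_expires" => "0", "last_login" => "0", "last_ip" => "", "role" => $GRAD, "group" => "student", "extras" => "", "private_hash" => generate_hash(32), "notes" => "");
 }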
            //////////////////   VOTE  ///////////////////
            //HERO 1 vs HERO 2
            require_once 'inc/class.database.php';
            require_once 'inc/db_connect.php';
            // Two random heroes that have a summary.
            $sth = $db->prepare("SELECT * FROM heroes WHERE summary!= '-' ORDER BY RAND() LIMIT 2");
            $result = $sth->execute();
            $HeroVoteData = array();
            $c = 0;
            while (($row = $sth->fetch(PDO::FETCH_ASSOC)) !== false) {
                $HeroVoteData[$c] = array(
                    "id" => strtoupper($row["heroid"]),
                    "original" => $row["original"],
                    "description" => $row["description"],
                    "summary" => $row["summary"],
                );
                $c++;
            }
            // Per-request code kept in the session for the vote form that follows.
            $code = generate_hash(14);
            $_SESSION["code"] = $code;
            ?>
	<div align="center">
	<form action="" method="post">
	  <table width="460" style="width:460px;">
	    <tr>
		  <th class="padLeft"><?php 
            echo $lang["vote_title"];
            ?>
</th><th></th><th></th>
		</tr>
		<tr style="height: 154px; vertical-align: middle;">
	      <td align="center" style="height: 154px; vertical-align: middle; width:200px;" >
		    <label for="h1">
		     <img style="vertical-align:middle; padding-right:8px; cursor:pointer;" width="64" height="64" border=0 src="<?php 
 // Remaining user_access fields for an invited guest: no prior IP, the
 // "communityinvite" role and the "guest" group.
 $access["last_ip"] = "";
 $access["role"] = "communityinvite";
 $access["group"] = "guest";
 if ($db->AutoExecute(AUTH_DATABASE . ".user_access", $access, "INSERT")) {
     $community = array();
     $community["community_id"] = $user["community_id"];
     $community["proxy_id"] = $proxy_id;
     $community["member_active"] = 1;
     $community["member_joined"] = time();
     $community["member_acl"] = 0;
     if ($db->AutoExecute("community_members", $community, "INSERT")) {
         if ($SKIP_EMAIL_NOTIFICATION) {
             output_success("[Row " . $row_count . "]\tSuccessfully added username [" . $user["username"] . "] and skipped e-mail notification.");
         } else {
             do {
                 $hash = generate_hash();
             } while ($db->GetRow("SELECT `id` FROM `" . AUTH_DATABASE . "`.`password_reset` WHERE `hash` = " . $db->qstr($hash)));
             if ($db->AutoExecute(AUTH_DATABASE . ".password_reset", array("ip" => "127.0.0.1", "date" => time(), "user_id" => $proxy_id, "hash" => $hash, "complete" => 0), "INSERT")) {
                 $notification_search = array("%firstname%", "%lastname%", "%username%", "%password_reset_url%", "%application_url%", "%application_name%", "%community_name%", "%community_url%");
                 $notification_replace = array(stripslashes($user["firstname"]), stripslashes($user["lastname"]), stripslashes($user["username"]), PASSWORD_RESET_URL . "?hash=" . rawurlencode($proxy_id . ":" . $hash), ENTRADA_URL, APPLICATION_NAME, $community_info["community_title"], COMMUNITY_URL . $community_info["community_url"]);
                 $message = str_ireplace($notification_search, $notification_replace, $NEW_GUEST_NOTIFICATION);
                 if ($SEND_ADMIN_NOTIFICATION) {
                     $user["email"] = $AGENT_CONTACTS["administrator"]["email"];
                 }
                 if (@mail($user["email"], "New User Account: " . APPLICATION_NAME, $message, "From: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . $AGENT_CONTACTS["administrator"]["email"] . ">\nReply-To: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . $AGENT_CONTACTS["administrator"]["email"] . ">")) {
                     output_success("[Row " . $row_count . "]\tSuccessfully added username [" . $user["username"] . "] and sent e-mail notification to [" . $user["email"] . "].");
                 } else {
                     output_error("[Row " . $row_count . "]\tAdded username [" . $user["username"] . "] to the database, but could not send e-mail notification to [" . $user["email"] . "].");
                 }
             } else {
                 output_error("[Row " . $row_count . "]\tAdded username [" . $user["username"] . "] to the database, but could not insert password reset entry into password_reset table. Database said: " . $db->ErrorMsg());
                 foreach ($publications as $publication) {
                     $query = "INSERT INTO `profile_publications` (`pub_type`, `pub_id`, `dep_id`, `proxy_id`) VALUES (" . $db->qstr($pub_type) . ", " . $db->qstr($publication) . ", " . $db->qstr($dep_id) . ", " . $db->qstr($ENTRADA_USER->getID()) . ")";
                     $db->Execute($query);
                 }
             }
         }
     }
 }
 // Redirect target: the updated user's profile page in the admin area.
 $url = ENTRADA_URL . "/admin/users/manage?id=" . $PROXY_ID;
 $SUCCESS++;
 $SUCCESSSTR[] = "You have successfully updated the <strong>" . html_encode($PROCESSED["firstname"] . " " . $PROCESSED["lastname"]) . "</strong> account in the authentication system.<br /><br />You will now be redirected to the users profile page; this will happen <strong>automatically</strong> in 5 seconds or <a href=\"" . $url . "\" style=\"font-weight: bold\">click here</a> to continue.";
 // Refresh-header redirect after 5 seconds; the message above carries a manual link.
 header("refresh:5;url=" . $url);
 if (isset($_POST["send_notification"]) && (int) $_POST["send_notification"] == 1) {
     $PROXY_ID = $PROCESSED_ACCESS["user_id"];
     do {
         $HASH = generate_hash();
     } while ($db->GetRow("SELECT `id` FROM `" . AUTH_DATABASE . "`.`password_reset` WHERE `hash` = " . $db->qstr($HASH)));
     if ($db->AutoExecute(AUTH_DATABASE . ".password_reset", array("ip" => $_SERVER["REMOTE_ADDR"], "date" => time(), "user_id" => $PROXY_ID, "hash" => $HASH, "complete" => 0), "INSERT")) {
         // Send welcome & password reset e-mail.
         $notification_search = array("%firstname%", "%lastname%", "%username%", "%password_reset_url%", "%application_url%", "%application_name%");
         $notification_replace = array($PROCESSED["firstname"], $PROCESSED["lastname"], $PROCESSED["username"], PASSWORD_RESET_URL . "?hash=" . rawurlencode($PROXY_ID . ":" . $HASH), ENTRADA_URL, APPLICATION_NAME);
         $message = str_ireplace($notification_search, $notification_replace, isset($_POST["notification_message"]) ? html_encode($_POST["notification_message"]) : $DEFAULT_EDIT_USER_NOTIFICATION);
         if (!@mail($PROCESSED["email"], "Updated User Account: " . APPLICATION_NAME, $message, "From: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . $AGENT_CONTACTS["administrator"]["email"] . ">\nReply-To: \"" . $AGENT_CONTACTS["administrator"]["name"] . "\" <" . $AGENT_CONTACTS["administrator"]["email"] . ">")) {
             $NOTICE++;
             $NOTICESTR[] = "The user was successfully added; however, we could not send them a new account e-mail notice. The MEdTech Unit has been informed of this problem, please send this new user a password reset notice manually.<br /><br />You will now be redirected back to the user index; this will happen <strong>automatically</strong> in 5 seconds or <a href=\"" . $url . "\" style=\"font-weight: bold\">click here</a> to continue.";
             application_log("error", "New user [" . $PROCESSED["username"] . "] was given access to OCR but the e-mail notice failed to send.");
         }
     } else {
         $NOTICE++;
         $NOTICESTR[] = "The user was successfully added; however, we could not send them a new account e-mail notice. The MEdTech Unit has been informed of this problem, please send this new user a password reset notice manually.<br /><br />You will now be redirected back to the user index; this will happen <strong>automatically</strong> in 5 seconds or <a href=\"" . $url . "\" style=\"font-weight: bold\">click here</a> to continue.";
         application_log("error", "New user [" . $PROCESSED["username"] . "] was given access to OCR but the e-mail notice failed to send. Database said: " . $db->ErrorMsg());
     } else {
         $gen = 0;
     }
 }
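 // $gen is one of 0/1/2, so it is cast; the session username is quoted by the
 // driver instead of being concatenated raw. Assumes $db is a PDO handle, as
 // the prepare()/execute() calls here suggest - confirm.
 $sql .= "user_gender = '" . (int) $gen . "' ";
 $sql .= " WHERE user_name = " . $db->quote($_SESSION["username"]) . " ";
 $update = $db->prepare($sql);
 $result = $update->execute();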
 /* //=======================================================
 	                         UPLOAD AVATAR
 	  */
 //=======================================================
 if ($AllowUploadAvatar == 1 and isset($_FILES["avatar_upload"]) and !empty($_FILES["avatar_upload"])) {
     $imagename = strtolower($_FILES['avatar_upload']['name']);
     $fileExt = end(explode('.', $imagename));
     $savedName = generate_hash(4) . "_" . generate_hash(12) . "." . $fileExt;
     $savedName = uniqid(time()) . "." . $fileExt;
     $source = $_FILES['avatar_upload']['tmp_name'];
     $target = "img/avatars/" . $savedName;
     //die($fileExt);
     $allowtype = array('gif', 'jpg', 'jpe', 'jpeg', 'png');
     if (in_array($fileExt, $allowtype)) {
         move_uploaded_file($source, $target);
         list($width, $height) = getimagesize($target);
         if ($width > $MaxImageSize) {
             $modwidth = $MaxImageSize;
         } else {
             $modwidth = $width;
         }
         $diff = $width / $modwidth;
         $modheight = $height / $diff;
 // Username check (statement prepared above): COUNT(*) arrives as column 0.
 $r = $sth->fetch(PDO::FETCH_NUM);
 if ((int) $r[0] > 0) {
     $registration_errors .= "<div>" . $lang["error_un_taken"] . "</div>";
 }
 // Same check for the e-mail address, bound as a parameter.
 $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_USERS . " WHERE user_email=:user_email LIMIT 1");
 $sth->bindValue(':user_email', $email, PDO::PARAM_STR);
 $result = $sth->execute();
 $r = $sth->fetch(PDO::FETCH_NUM);
 if ((int) $r[0] > 0) {
     $registration_errors .= "<div>" . $lang["error_email_taken"] . "</div>";
 }
 if (empty($registration_errors)) {
     $hash = generate_hash(16, 1);
     $password_db = generate_password($password, $hash);
     if ($UserActivation == 1) {
         $code = generate_hash(16, 0);
     } else {
         $code = '';
     }
     //FIND user location
     if (file_exists("inc/geoip/geoip.inc")) {
         include "inc/geoip/geoip.inc";
         $GeoIPDatabase = geoip_open("inc/geoip/GeoIP.dat", GEOIP_STANDARD);
         $GeoIP = 1;
         $Letter = geoip_country_code_by_addr($GeoIPDatabase, $UserIP);
         $Country = geoip_country_name_by_addr($GeoIPDatabase, $UserIP);
         geoip_close($GeoIPDatabase);
     }
     if (!empty($Country)) {
         $location = $Country;
     } else {
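/**
 * Return the 32-hex-digit hash stored for an RRA row, or a freshly
 * generated one when the stored value is missing or malformed.
 *
 * @param int $rra_id  primary key of the `rra` row
 * @return string      the existing hash, or the value of generate_hash()
 */
function get_hash_round_robin_archive($rra_id)
{
    $hash = db_fetch_cell_prepared('SELECT hash FROM rra WHERE id = ?', array($rra_id));
    // Anchored match: the previous pattern was unanchored, so any value that merely
    // *contained* 32 hex digits (e.g. with junk around it) was returned unchanged.
    // is_string() guards the no-row case (false/null) before preg_match().
    if (is_string($hash) && preg_match('/^[a-fA-F0-9]{32}$/', $hash)) {
        return $hash;
    }
    return generate_hash();
}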
     // Body of a foreach over config keys ($var); the loop header is outside this view.
     // Each posted value is normalised and then written into a SimpleXML $config.
     $add = "";
     if (isset($_POST[$var]) && trim($_POST[$var]) != "") {
         $add = trim($_POST[$var]);
     }
     if ($var == "pagination") {
         // Non-numeric pagination falls back to 0.
         if (!is_numeric($add)) {
             $add = 0;
         } else {
             $add = intval($add);
         }
     } else {
         if ($var == "login_pass" && strlen($add) > 0) {
             // Posted value equal to the HASH_PASS placeholder means "unchanged":
             // skip the key entirely. Loose == is used; for a constant placeholder
             // string that is equivalent to ===, but hash_equals() would be the
             // usual form for anything secret.
             if ($add == HASH_PASS) {
                 continue;
             }
             // Stored as generate_hash($add); the algorithm is not visible here.
             $add = generate_hash($add);
         }
     }
     // NOTE(review): SimpleXMLElement::addChild() does not entity-escape the
     // value (a bare "&" in $add would produce malformed XML); assignment via
     // $config->{$var} = ... does escape. Worth confirming against the PHP docs.
     if (isset($config->{$var})) {
         $config->{$var} = $add;
     } else {
         $config->addChild($var, $add);
     }
 }
 $plentry = null;
 // Reuse the existing <plentry> node or create it; $pl_fields comes from outside this view.
 if (isset($config->plentry)) {
     $plentry = $config->plentry;
 } else {
     $plentry = $config->addChild("plentry");
 }
 foreach ($pl_fields as $field) {
    /**
     * Private-message UI for ?action=pm. Renders HTML directly; returns nothing.
     *
     * Sub-views chosen by query keys: new_message (send by user name),
     * send=<user_id> (send to a known user, optionally showing &m=<field>),
     * sent_items and inbox. Only the last two are guarded by is_logged() here;
     * new_message/send rely on whatever gating OS_GetAction()/the caller apply.
     *
     * Storage model as used in this function: one message = one row in
     * OSDB_CUSTOM_FIELDS with field_id = recipient user id,
     * field_name = "<unix time>|<sender id>||p.m.<0|1>" (trailing 0 = unread,
     * 1 = read) and field_value = the message text.
     *
     * Reads $_GET/$_POST/$_SESSION; uses globals $db, $lang, $DateFormat, $mail,
     * $DefaultHomeTitle. The per-form "code" token is kept in $_SESSION["code"],
     * which other forms in this file also use.
     */
    function OS_PMSystem()
    {
        if (OS_GetAction("pm")) {
            global $db;
            $sth = $db->prepare("SET NAMES 'utf8'");
            $result = $sth->execute();
            global $lang;
            global $DateFormat;
            $errors = "";
            ?>
<div class="clr"></div>
 <div class="ct-wrapper"  id="content" class="s-c-x">
  <div class="outer-wrapper wrapper">
   <div class="content section" id="main-column">
    <div class="widget Blog padding">
     <div class="blog-posts hfeed padLeft padTop padBottom inner">
    
	    <h2>Private Messages</h2>
		
		<div>
		<a class="menuButtons" href="<?php 
            echo OS_HOME;
            ?>
?action=pm&amp;inbox">INBOX</a> 
		<a class="menuButtons" href="<?php 
            echo OS_HOME;
            ?>
?action=pm&amp;sent_items">SENT ITEMS</a>
		<a class="menuButtons" href="<?php 
            echo OS_HOME;
            ?>
?action=pm&amp;new_message">NEW MESSAGE</a>
		</div>
		
		<?php 
            //NEW MESSAGE
            // No is_logged() check on this branch (compare sent_items/inbox below);
            // it does read $_SESSION["username"], so an unauthenticated caller is
            // presumably rejected upstream - confirm.
            if (isset($_GET["new_message"])) {
                $PMName = "";
                $PMText = "";
                if (isset($_POST["pm_message"]) and isset($_POST["pm_name"]) and isset($_SESSION["code"]) and isset($_POST["code"])) {
                    $PMText = $_POST['pm_message'];
                    $PMText = strip_tags($PMText);
                    $PMName = safeEscape(trim($_POST["pm_name"]));
                    // Form token check. The token is re-issued on every render (see
                    // generate_hash(8) below) and compared with loose !=; hash_equals()
                    // would be the constant-time form.
                    if ($_SESSION["code"] != $_POST["code"]) {
                        $errors .= "<h4>Form is not valid. Try again.</h4>";
                    }
                    if (strlen($PMText) <= 2) {
                        $errors .= "<h4>There are not enough characters  in the message</h4>";
                    }
                    if (strlen($PMName) <= 2) {
                        $errors .= "<h4>Please, write a valid username</h4>";
                    }
                    // Self-send check compares lower-cased input with the session name as stored.
                    if (strtolower($PMName) == $_SESSION["username"]) {
                        $errors .= "<h4>You can not send messages to yourself</h4>";
                    }
                    if (empty($errors)) {
                        $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " \n\t\t\tWHERE LOWER(user_name) = ? LIMIT 1");
                        $sth->bindValue(1, strtolower($PMName), PDO::PARAM_STR);
                        $result = $sth->execute();
                        if ($sth->rowCount() <= 0) {
                            $errors .= "<h4>User not found</h4>";
                        } else {
                            $row = $sth->fetch(PDO::FETCH_ASSOC);
                            $userID = $row["user_id"];
                        }
                    }
                    if (!empty($errors)) {
                        echo $errors;
                    } else {
                        if (isset($userID) and is_numeric($userID) and $userID != OS_GetUserID()) {
                            // Persist: recipient = $userID, name = "<time>|<sender>||p.m.0" (unread).
                            OS_add_custom_field($userID, time() . "|" . OS_GetUserID() . "||p.m.0", $PMText);
                            $MailText = $PMText;
                            $PMName = "";
                            $PMText = "";
                            ?>
<h4>Message was sent successfully</h4><?php 
                            //SEND EMAIL NOTIFICATION
                            // At most one notification e-mail per PHP session (flag below is never cleared here).
                            if (!isset($_SESSION["mail_sent"])) {
                                //$row = $sth->fetch(PDO::FETCH_ASSOC);
                                $_SESSION["mail_sent"] = 1;
                                global $lang;
                                global $mail;
                                global $DefaultHomeTitle;
                                // Sender name goes into an HTML mail body as-is; message text is passed through convEnt().
                                $message = "You have just received a private message from " . $_SESSION["username"] . "<br />";
                                $message .= "Click on the following link to read the message<br />";
                                $message .= "" . OS_HOME . "?action=pm&inbox";
                                $message .= "<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />";
                                $message .= convEnt($MailText);
                                $message .= "<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />{$DefaultHomeTitle}";
                                require "inc/class.phpmailer.php";
                                $mail = new PHPMailer();
                                $mail->CharSet = 'UTF-8';
                                $mail->SetFrom($lang["email_from"], $lang["email_from_full"]);
                                $mail->AddReplyTo($lang["email_from"], $lang["email_from_full"]);
                                // $row is the recipient row fetched in the user lookup above.
                                $mail->AddAddress($row["user_email"], "");
                                $mail->Subject = "New Private Message";
                                $mail->MsgHTML($message);
                                // Placeholder plain-text body (not the message text).
                                $mail->AltBody = "This is the body in plain text for non-HTML mail clients";
                                $mail->Send();
                            }
                        } else {
                            ?>
<h4>The message could not be sent</h4><?php 
                        }
                    }
                }
                // Fresh form token for the next submission.
                $code = generate_hash(8);
                $_SESSION["code"] = $code;
                ?>
		<form action="" method="post" accept-charset="UTF-8">
		  <table>
		    <tr class="row">
			  <td width="70" class="padLeft"><b>To:</b></td>
			  <td><input type="text" value="<?php 
                // Re-displayed inside a double-quoted attribute; relies on safeEscape() having neutralised quotes.
                echo $PMName;
                ?>
" size="65" name="pm_name" /></td>
			</tr>
		    <tr class="row">
			  <td width="70" class="padLeft"><b>Message:</b></td>
			  <td><textarea name="pm_message" rows="9" cols="80" ><?php 
                // strip_tags() output; entities are not encoded here.
                echo $PMText;
                ?>
</textarea></td>
			</tr>
		    <tr class="row">
			  <td width="70" class="padLeft"></td>
			  <td><input type="submit" value="Send PM" class="menuButtons" /></td>
			</tr>
		  </table>
		  <input type="hidden" name="code" value="<?php 
                echo $code;
                ?>
" />
		</form>
		<?php 
            }
            //SEND MESSAGE (USER ID)
            // Same note as new_message: no is_logged() guard on this branch.
            if (isset($_GET["send"]) and is_numeric($_GET["send"])) {
                $uid = safeEscape((int) $_GET["send"]);
                if (OS_GetUserID() == $uid) {
                    ?>
		<h4>You can not send messages to yourself</h4>
		<?php 
                } else {
                    if (isset($_POST["pm_message"]) and isset($_SESSION["code"]) and isset($_POST["code"])) {
                        // Same loose != token comparison as the new_message branch.
                        if ($_SESSION["code"] != $_POST["code"]) {
                            $errors .= "<div>Form is not valid. Try again.</div>";
                        }
                        $PMText = strip_tags($_POST['pm_message']);
                        if (strlen($PMText) <= 2) {
                            $errors .= "<div>There are not enough characters  in the message</div>";
                        }
                        if (!empty($errors)) {
                            ?>
<h4><?php 
                            echo $errors;
                            ?>
</h4><?php 
                        } else {
                            //ADD MESSAGE
                            //ARG: TO - user ID, FROM - time_UserID, message
                            // Recipient must exist; the "sent successfully" text is shown either way.
                            $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_id = ? LIMIT 1");
                            $sth->bindValue(1, $uid, PDO::PARAM_INT);
                            $result = $sth->execute();
                            if ($sth->rowCount() >= 1) {
                                OS_add_custom_field($uid, time() . "|" . OS_GetUserID() . "||p.m.0", $PMText);
                            }
                            ?>
<h4>Message was sent successfully</h4><?php 
                        }
                    }
                    $code = generate_hash(8);
                    $_SESSION["code"] = $code;
                    $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_id = ? LIMIT 1");
                    $sth->bindValue(1, $uid, PDO::PARAM_INT);
                    $result = $sth->execute();
                    if ($sth->rowCount() >= 1) {
                        $row = $sth->fetch(PDO::FETCH_ASSOC);
                        $sendTo = $row["user_name"];
                        ?>
		<form action="" method="post" accept-charset="UTF-8">
		  <table>
		    <tr class="row">
			  <td width="120" class="padLeft"><b>Send to:</b></td>
			  <td><?php 
                        // Raw user_name from the DB; safe only if names are sanitised on write.
                        echo $sendTo;
                        ?>
</td>
			</tr>
		    <tr class="row">
			  <td width="120" class="padLeft"><b>Message:</b></td>
			  <td><textarea name="pm_message" rows="9" cols="80" ></textarea></td>
			</tr>
		    <tr class="row">
			  <td width="120" class="padLeft"></td>
			  <td><input type="submit" value="Send PM" class="menuButtons" /></td>
			</tr>
		  </table>
		  <input type="hidden" name="code" value="<?php 
                        echo $code;
                        ?>
" />
		</form>
		<?php 
                        // Quote the message being replied to.
                        // NOTE(review): this lookup is by field_name ONLY - no field_id
                        // (owner) restriction and no "||p.m." filter, unlike sent_items/inbox
                        // below. Any OSDB_CUSTOM_FIELDS value whose name is known can be
                        // displayed through the echo below; OS_ForgotPassword() later in this
                        // file stores reset codes under field_name 'reset_password|<email>'
                        // (field_id 0), so whether those are reachable depends only on what
                        // safeEscape() does to '|' and '@' - confirm and restrict by owner.
                        if (isset($_GET["m"])) {
                            $sth = $db->prepare("SELECT * FROM " . OSDB_CUSTOM_FIELDS . " WHERE field_name = ? ");
                            $sth->bindValue(1, safeEscape($_GET["m"]), PDO::PARAM_STR);
                            $result = $sth->execute();
                            $row = $sth->fetch(PDO::FETCH_ASSOC);
                            $dateFor = explode("|", $row["field_name"]);
                            $date = (int) $dateFor[0];
                            //print_r($dateFor);
                            ?>
		   <div class="padTop"></div>
		   <table>
		    <tr class="row">
		     <td class="padLeft"><b><?php 
                            echo $sendTo;
                            ?>
</b>, <?php 
                            echo date($DateFormat, $date);
                            ?>
</td>
            </tr>
			<tr>
			  <td><?php 
                            echo convEnt($row["field_value"]);
                            ?>
</td>
			</tr>
		   </table>
		   <?php 
                        }
                    } else {
                        ?>
<h4>User not found</h4><?php 
                    }
                }
            }
            //SENT ITEMS
            if (isset($_GET["sent_items"]) and is_logged()) {
                ?>
<h4>Sent items</h4><?php 
                //GET ALL MESSAGES
                // Optional single-message filter (&sent_items=<id>&m=<field_name>); bound as a parameter.
                if (!empty($_GET["sent_items"]) and is_numeric($_GET["sent_items"]) and isset($_GET["m"])) {
                    $id = safeEscape((int) $_GET["sent_items"]);
                    $field = safeEscape($_GET["m"]);
                    $sql = "AND c.field_name = ? ";
                } else {
                    $sql = "";
                }
                // Rows are scoped to the current user as SENDER via the "|<uid>||p.m." LIKE pattern.
                $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tWHERE c.field_name LIKE ? {$sql}");
                $sth->bindValue(1, "%|" . (int) $_SESSION["user_id"] . "||p.m.%", PDO::PARAM_STR);
                if (!empty($sql)) {
                    $sth->bindValue(2, $field, PDO::PARAM_STR);
                }
                $result = $sth->execute();
                $r = $sth->fetch(PDO::FETCH_NUM);
                $numrows = $r[0];
                $result_per_page = 10;
                $offset = os_offset($numrows, $result_per_page);
                // $offset/$result_per_page are interpolated into LIMIT; both are computed locally.
                $sth = $db->prepare("SELECT c.field_id, c.field_name, c.field_value, u.user_name, u.user_avatar\n\t\tFROM " . OSDB_CUSTOM_FIELDS . "  as c\n\t\tLEFT JOIN " . OSDB_USERS . " as u ON u.user_id = c.field_id\n\t\tWHERE c.field_name LIKE ? {$sql}\n\t\tORDER BY c.field_name DESC\n\t\tLIMIT {$offset}, {$result_per_page}");
                $sth->bindValue(1, "%|" . OS_GetUserID() . "||p.m.%", PDO::PARAM_STR);
                if (!empty($sql)) {
                    $sth->bindValue(2, $field, PDO::PARAM_STR);
                }
                $result = $sth->execute();
                ?>
		<table>
		<?php 
                while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
                    $dateFor = explode("|", $row["field_name"]);
                    $date = $dateFor[0];
                    // List view: truncated preview; detail view: full text with auto-links.
                    if (!isset($_GET["m"])) {
                        $text = limit_words(convEnt($row["field_value"]), 40);
                    } else {
                        $text = AutoLinkShort(convEnt($row["field_value"]));
                    }
                    ?>
		<tr class="row">
		  <td width="140"><a href="<?php 
                    echo OS_HOME;
                    ?>
?action=pm&sent_items=<?php 
                    echo $row["field_id"];
                    ?>
&amp;m=<?php 
                    // field_name is emitted into the URL without urlencode(); "|" survives in most browsers but is not a valid URL char.
                    echo $row["field_name"];
                    ?>
"><b><?php 
                    echo $row["user_name"];
                    ?>
</b>, <?php 
                    echo date($DateFormat, $date);
                    ?>
</a></td>
		  <td><?php 
                    echo $text;
                    ?>
 
		  <?php 
                    if (isset($_GET["m"])) {
                        ?>
		  <div class="padTop">
		  <a class="menuButtons" href="<?php 
                        echo OS_HOME;
                        ?>
?action=pm&send=<?php 
                        echo $row["field_id"];
                        ?>
&amp;m=<?php 
                        // NOTE(review): raw $_GET["m"] echoed inside a double-quoted href
                        // attribute - neither htmlspecialchars() nor urlencode(). Reachable
                        // only when a row matched the escaped value, but still reflected input.
                        echo $_GET["m"];
                        ?>
">[SEND MESSAGE]</a>
		  <a class="menuButtons" href="<?php 
                        echo OS_HOME;
                        ?>
?action=pm&sent_items">&laquo; Back</a>
		  </div>
		  <?php 
                    } else {
                        ?>
		  <a href="<?php 
                        echo OS_HOME;
                        ?>
?action=pm&sent_items=<?php 
                        echo $row["field_id"];
                        ?>
&amp;m=<?php 
                        echo $row["field_name"];
                        ?>
">more &raquo; </a>
		  <?php 
                    }
                    ?>
		  </td>
		</tr>
		<?php 
                }
                if ($sth->rowCount() <= 0) {
                    ?>
<tr><td>No new messages</td></tr><?php 
                }
                ?>
		</table>
		<?php 
                os_pagination($numrows, $result_per_page, 5, 1, '&amp;sent_items');
            }
            //INBOX MESSAGES
            if (isset($_GET["inbox"]) and is_logged()) {
                ?>
<h4>Inbox</h4><?php 
                if (!empty($_GET["inbox"]) and is_numeric($_GET["inbox"]) and isset($_GET["m"])) {
                    $id = safeEscape((int) $_GET["inbox"]);
                    $field = safeEscape($_GET["m"]);
                    $sql = "AND c.field_name = :field_name ";
                    // Computed here but only the recomputed copy in the "read" update below is used.
                    $field_name = substr($field, 0, -1) . "1";
                } else {
                    $sql = "";
                }
                // Scoped to the current user as RECIPIENT (field_id). OS_GetUserID() is
                // interpolated rather than bound - fine only while it returns an integer.
                $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tWHERE c.field_id = '" . OS_GetUserID() . "' {$sql}");
                //$sth->bindValue(':field_id', "%_".OS_GetUserID()."__p.m.%", PDO::PARAM_STR);
                //$sth->bindValue(1, "%_".OS_GetUserID()."__p.m.%", PDO::PARAM_STR);
                if (!empty($sql)) {
                    $sth->bindValue(':field_name', $field, PDO::PARAM_STR);
                }
                //$sth->bindValue(2, $field, PDO::PARAM_STR);
                $result = $sth->execute();
                $r = $sth->fetch(PDO::FETCH_NUM);
                $numrows = $r[0];
                $result_per_page = 10;
                $offset = os_offset($numrows, $result_per_page);
                $sth = $db->prepare("SELECT c.field_id, c.field_name, c.field_value, u.user_name, u.user_avatar\n\t\tFROM " . OSDB_CUSTOM_FIELDS . "  as c\n\t\tLEFT JOIN " . OSDB_USERS . " as u ON u.user_id = c.field_id\n\t\tWHERE c.field_id = '" . OS_GetUserID() . "'\n\t\tAND field_name LIKE('%||p.m.%')\n\t\t{$sql}\n\t\tORDER BY c.field_name DESC\n\t\tLIMIT {$offset}, {$result_per_page}");
                //$sth->bindValue(':field_id', "%_".OS_GetUserID()."__p.m.%", PDO::PARAM_STR);
                if (!empty($sql)) {
                    $sth->bindValue(':field_name', $field, PDO::PARAM_STR);
                }
                $result = $sth->execute();
                //UPDATE "read" message
                // Marks the message read by rewriting the trailing 0 to 1.
                // NOTE(review): the WHERE is built from the (escaped) query string and is
                // not restricted to field_id = current user or to "||p.m." names, so it
                // renames any row whose field_name equals the supplied value; relies
                // entirely on safeEscape() for SQL safety, unlike the bound SELECTs above.
                if (!empty($_GET["inbox"]) and is_numeric($_GET["inbox"]) and isset($_GET["m"])) {
                    $field = safeEscape($_GET["m"]);
                    $field_name = substr($field, 0, -1) . "1";
                    $result = $db->update(OSDB_CUSTOM_FIELDS, array("field_name" => $field_name), "field_name = '" . $field . "'");
                }
                ?>
		<table>
		<?php 
                while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
                    $dateFor = explode("|", $row["field_name"]);
                    $date = $dateFor[0];
                    $FromID = $dateFor[1];
                    // Last character of field_name is the read flag (0 unread / 1 read).
                    $read = substr($row["field_name"], strlen($row["field_name"]) - 1, 1);
                    if ($read == 1) {
                        $col = '686A6B';
                        $readTxt = 'read';
                    } else {
                        $col = 'A41600';
                        $readTxt = '<b>new</b>';
                    }
                    if (!isset($_GET["m"])) {
                        // Preview text is passed through convEnt() twice (here and below).
                        $text = limit_words(convEnt($row["field_value"]), 12);
                        if ($read == 0) {
                            $text = '<span style="color: #000;"><b>' . convEnt($text) . '<b/></span>';
                        }
                        if ($read == 1) {
                            $text = '<span style="color: #686A6B;">' . convEnt($text) . '</span>';
                        }
                    } else {
                        $text = AutoLinkShort(convEnt($row["field_value"]));
                    }
                    ?>
		 <?php 
                    if (!isset($_GET["m"])) {
                        ?>
		 <tr class="row">
		   <td width="120" class="padLeft">
		   <a href="<?php 
                        echo OS_HOME;
                        ?>
?action=pm&inbox=<?php 
                        echo $FromID;
                        ?>
&amp;m=<?php 
                        echo $row["field_name"];
                        ?>
"><span style="color: #<?php 
                        echo $col;
                        ?>
"><b><?php 
                        echo OS_GetUsernameByUserID($FromID);
                        ?>
</b></span></a>
		   </td>
		   <td width="600"><a href="<?php 
                        echo OS_HOME;
                        ?>
?action=pm&inbox=<?php 
                        echo $FromID;
                        ?>
&amp;m=<?php 
                        echo $row["field_name"];
                        ?>
"><?php 
                        echo $text;
                        ?>
</a></td>
		   <td><?php 
                        echo date($DateFormat, $date);
                        ?>
</td>
		 </tr>
		 <?php 
                    } else {
                        ?>
		 <tr class="row">
		    <td class="padLeft"><span style="color: #<?php 
                        echo $col;
                        ?>
"><b><?php 
                        echo OS_GetUsernameByUserID($FromID);
                        ?>
</b>, <?php 
                        echo date($DateFormat, $date);
                        ?>
</span></td>
		 </tr>
		 <tr>
		    <td><?php 
                        echo $text;
                        ?>
</td>
		 </tr>
		 <tr>
		   <td><div class="padTop padBottom">
		  <a class="menuButtons" href="<?php 
                        echo OS_HOME;
                        ?>
?action=pm&send=<?php 
                        echo $FromID;
                        ?>
&amp;m=<?php 
                        // NOTE(review): raw $_GET["m"] inside an href attribute again (no escaping/encoding).
                        echo $_GET["m"];
                        ?>
">[SEND MESSAGE]</a>
		  <a class="menuButtons" href="<?php 
                        echo OS_HOME;
                        ?>
?action=pm&inbox">&laquo; Back</a>
		  </div></td>
		 </tr>
		 <?php 
                    }
                    ?>
		<?php 
                }
                if ($sth->rowCount() <= 0) {
                    ?>
<tr><td>No new messages</td></tr><?php 
                }
                ?>
		</table>
		<?php 
                os_pagination($numrows, $result_per_page, 5, 1, '&amp;inbox');
            }
            ?>
		<div class="padTop" style="margin-top:124px;"></div>
	 </div>
    </div>
   </div>
  </div>
</div>	 
	  <?php 
        }
    }
        // Guide edit/submit form (fragment: the enclosing function and the `if`
        // this `else` belongs to are outside this view).
        // NOTE(review): $id is interpolated into the SQL rather than bound; its
        // origin is not visible here. Every other query in this file uses
        // bindValue(), so this one is the inconsistent - and if $id is user
        // input, the injectable - one.
        $sth = $db->prepare("SELECT * FROM " . OSDB_GUIDES . " WHERE id = '" . $id . "' ");
        $result = $sth->execute();
        if ($sth->rowCount() >= 1) {
            $hrow = $sth->fetch(PDO::FETCH_ASSOC);
            $hid = $hrow["hid"];
            $title = $hrow["title"];
            $link = $hrow["link"];
            $button = "Edit guide";
        }
    } else {
        $hid = "";
        $title = "";
        $link = "";
        $button = "Submit guide";
    }
    // Form token; stored under the same $_SESSION["code"] key the PM forms use,
    // so opening this page invalidates a PM form already open in another tab.
    $code = generate_hash(10);
    $_SESSION["code"] = $code;
    ?>
   
  
   
   <form action="" method="post">
    <table>
	<tr>
	  <th></th>
	  <th></th>
	</tr>
	<tr>
	<td class="padLeft">
	<div style="margin-bottom:12px;">
	   <img id="himg" style="vertical-align: top;" src="<?php 
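/**
 * Check a candidate value against a stored hash.
 *
 * Recomputes generate_hash($str, $salt) and compares it with $hash using
 * hash_equals(), so the comparison takes the same time regardless of how
 * many leading bytes match (=== stops at the first differing byte, which
 * can leak information when the hash is used as a token).
 *
 * @param string $hash  stored hash to verify against
 * @param string $str   candidate plaintext (password, token, ...)
 * @param string $salt  salt that was used to produce $hash (default '')
 * @return bool         true only when the recomputed hash equals $hash exactly
 */
function verify_hash($hash, $str, $salt = '')
{
    $newhash = generate_hash($str, $salt);
    // hash_equals() only accepts strings; anything else cannot be equal, which
    // matches what === returned for a non-string $hash.
    if (!is_string($hash) || !is_string($newhash)) {
        return false;
    }
    return hash_equals($hash, $newhash);
}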
     // Fragment of a switch on the requested action (its head and the first
     // case are outside this view). $query here was built before this point.
     $photo_record = $db->GetRow($query);
     if ($photo_record) {
         // Toggle between the uploaded ("1") and official ("0") photo for the current user.
         $photo_active = $photo_record["photo_active"] == "1" ? "0" : "1";
         $query = "UPDATE `" . AUTH_DATABASE . "`.`user_photos` SET `photo_active` = " . $db->qstr($photo_active) . " WHERE `proxy_id` = " . $db->qstr($ENTRADA_USER->getID());
         if ($db->Execute($query)) {
             // time() suffix busts the browser cache on the returned image URL.
             echo json_encode(array("status" => "success", "data" => array("imgurl" => webservice_url("photo", array($ENTRADA_USER->getID(), $photo_active == "1" ? "upload" : "official")) . "/" . time(), "imgtype" => $photo_active == "1" ? "uploaded" : "official")));
         } else {
             application_log("error", "An error occurred while attempting to update user photo active flag for user [" . $ENTRADA_USER->getID() . "], DB said: " . $db->ErrorMsg());
             echo json_encode(array("status" => "error"));
         }
     } else {
         echo json_encode(array("status" => "error", "data" => "No uploaded photo record on file. You must upload a photo before you can toggle photos."));
     }
     break;
 case "generatehash":
     // Rotate the user's private hash (used as a per-user access key elsewhere;
     // its entropy is whatever generate_hash() provides - not visible here).
     // UPDATE IGNORE: a collision on a unique index would silently leave the
     // old hash in place while the new one is still reported as success.
     $new_private_hash = generate_hash();
     $query = "UPDATE IGNORE `" . AUTH_DATABASE . "`.`user_access` SET `private_hash` = " . $db->qstr($new_private_hash) . " WHERE `user_id` = " . $db->qstr($ENTRADA_USER->getID()) . " AND `organisation_id` = " . $db->qstr($ENTRADA_USER->getActiveOrganisation());
     $result = $db->Execute($query);
     if ($result) {
         echo json_encode(array("status" => "success", "data" => $new_private_hash));
         $_SESSION["details"]["private_hash"] = $new_private_hash;
     } else {
         echo json_encode(array("status" => "error"));
     }
     break;
 case "resetpw":
     // Truthiness test on the raw POST value: a password consisting of "0" is
     // treated as absent before clean_input() ever runs.
     if ($_POST["current_password"] && ($tmp_input = clean_input($_POST["current_password"], array("trim", "striptags")))) {
         $PROCESSED["current_password"] = $tmp_input;
     }
     if ($_POST["new_password"] && ($tmp_input = clean_input($_POST["new_password"], array("trim", "striptags")))) {
         $PROCESSED["new_password"] = $tmp_input;
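 /**
  * Facebook-assisted login / sign-up driven by posted profile fields
  * (fb_name, fb_email, fb_id, optional fb_gender).
  *
  * SECURITY (review): every identity field is read straight from $_POST and
  * nothing in this function verifies it against Facebook (no access-token or
  * signed-request check is visible). Whoever posts an fb_id + fb_email pair
  * matching an existing row is logged in as that user; an unknown pair
  * creates an account. The caller must establish that the browser really
  * holds that Facebook identity before this function is reached - that
  * check needs the app's Facebook client and is not invented here.
  *
  * Changes versus the previous revision:
  *  - the duplicate-user-name lookup was prepared and bound but never
  *    executed, so rowCount() was always 0 and the " <rand>" suffix never
  *    applied;
  *  - the UPDATE on return visits interpolated $FBID (only trimmed) and
  *    $email into SQL; both are now bound, matching the SELECT above it.
  *
  * Side effects: inserts/updates OSDB_USERS, fills $_SESSION, sends a
  * Location header (OS_HOME, or ?action=facebook&error=N on validation
  * failure) and terminates the script. No return value.
  */
 function OS_CheckFacebookLogin()
 {
     if (isset($_POST["fb_name"]) and isset($_POST["fb_email"]) and isset($_POST["fb_id"])) {
         global $db;
         $errors = '';
         $FBID = trim($_POST["fb_id"]);
         $gender = safeEscape(trim($_POST["fb_gender"]));
         $name = strip_tags(trim($_POST["fb_name"]));
         $email = safeEscape(trim($_POST["fb_email"]));
         $IP = safeEscape($_SERVER["REMOTE_ADDR"]);
         // Both URLs embed the client-supplied id; they are stored and rendered elsewhere.
         $avatar = 'https://graph.facebook.com/' . $FBID . '/picture/?type=large';
         $www = 'http://www.facebook.com/profile.php?id=' . $FBID . '';
         // Throw-away local password for FB accounts; strength is whatever generate_hash(5) yields.
         $pass = generate_hash(5);
         $hash = generate_hash(12);
         $password_db = generate_password($pass, $hash);
         // Validation: the last failing check wins; its code is reported via the redirect.
         if (empty($FBID) or strlen($FBID) <= 6) {
             $errors = '1';
         }
         if (strlen($name) <= 3) {
             $errors = '2';
         }
         if (strlen($email) <= 6) {
             $errors = '3';
         }
         if (!empty($errors)) {
             header('location:' . OS_HOME . '?action=facebook&error=' . $errors);
             die;
         }
         // 1 = male, 2 = female, 0 = unknown (0 is never written back, see $sql_update).
         if ($gender == "male") {
             $gen = 1;
         } else {
             if ($gender == "female") {
                 $gen = 2;
             } else {
                 $gen = 0;
             }
         }
         $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_fbid =:FBID AND user_email =:email");
         $sth->bindValue(':FBID', $FBID, PDO::PARAM_STR);
         $sth->bindValue(':email', $email, PDO::PARAM_STR);
         $result = $sth->execute();
         //echo $FBID ;
         //echo $db->num_rows($result);
         //NEW USER
         if ($sth->rowCount() <= 0) {
             //Check if username already exists
             $dup = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE LOWER(user_name) =:name ");
             $dup->bindValue(':name', strtolower($name), PDO::PARAM_STR);
             // execute() was missing here; without it rowCount() is always 0.
             $dup->execute();
             if ($dup->rowCount() >= 1) {
                 $name .= " " . rand(100, 1000);
             }
             $db->insert(OSDB_USERS, array("user_name" => $name, "user_fbid" => $FBID, "user_password" => $password_db, "password_hash" => $hash, "user_email" => $email, "user_joined" => (int) time(), "user_level" => 0, "user_last_login" => (int) time(), "user_ip" => $IP, "user_avatar" => $avatar, "user_website" => $www, "user_gender" => $gen));
             $id = $db->lastInsertId();
             $_SESSION["user_id"] = $id;
             $_SESSION["username"] = $name;
             $_SESSION["email"] = $email;
             $_SESSION["level"] = 0;
             $_SESSION["can_comment"] = 1;
             $_SESSION["logged"] = time();
             $_SESSION["fb"] = $FBID;
             $_SESSION["bnet"] = "";
             $_SESSION["bnet_username"] = "";
             header("location: " . OS_HOME . "");
             die;
         } else {
             //UPDATE USER DATA
             if ($gen >= 1) {
                 $sql_update = ", user_gender = '" . (int) $gen . "'";
             } else {
                 $sql_update = "";
             }
             // user_last_login = '******' is kept verbatim from the source; it reads
             // like a redacted value (probably a timestamp) - confirm against the original.
             // All client-derived values are bound; the row was located by the same
             // bound $FBID/$email pair above, so the match semantics are now consistent.
             $update = $db->prepare("UPDATE " . OSDB_USERS . " SET user_last_login = '******',user_avatar = :avatar, user_website = :www {$sql_update} \n\t\tWHERE user_email = :email AND user_fbid = :fbid LIMIT 1");
             $update->bindValue(':avatar', strip_tags($avatar), PDO::PARAM_STR);
             $update->bindValue(':www', strip_tags($www), PDO::PARAM_STR);
             $update->bindValue(':email', $email, PDO::PARAM_STR);
             $update->bindValue(':fbid', $FBID, PDO::PARAM_STR);
             $result = $update->execute();
             $row = $sth->fetch(PDO::FETCH_ASSOC);
             $id = $row["user_id"];
             $_SESSION["user_id"] = $id;
             $_SESSION["username"] = $row["user_name"];
             $_SESSION["email"] = $row["user_email"];
             $_SESSION["level"] = $row["user_level"];
             $_SESSION["can_comment"] = $row["can_comment"];
             $_SESSION["logged"] = time();
             $_SESSION["fb"] = $FBID;
             $_SESSION["bnet"] = $row["user_bnet"];
             $_SESSION["bnet_username"] = $row["bnet_username"];
             header("location: " . OS_HOME . "");
             die;
         }
     }
 }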
 /**
  * Installer step 3: collect database settings, write app/configs/config.ini
  * and load the SQL dumps. Renders config_system.tpl; returns nothing.
  *
  * Preconditions: $_SESSION['step2'] set and _constants.php present,
  * otherwise the user is redirected back to config_path.
  *
  * NOTE(review): this step is only meant to run during installation, but
  * nothing here checks that; make sure the install directory is removed or
  * locked afterwards.
  */
 public function config_system()
 {
     global $LANG;
     if (!empty($_SESSION['step2']) && is_file(PH7_ROOT_PUBLIC . '_constants.php')) {
         session_regenerate_id(true);
         // Defaults shown on first visit. '******' for the user name is as it
         // appears in the source (looks redacted).
         if (empty($_SESSION['val'])) {
             $_SESSION['db']['type_name'] = 'MySQL';
             $_SESSION['db']['type'] = 'mysql';
             $_SESSION['db']['hostname'] = 'localhost';
             $_SESSION['db']['name'] = 'PHS-SOFTWARE';
             $_SESSION['db']['username'] = '******';
             $_SESSION['db']['prefix'] = 'PH7_';
             $_SESSION['db']['port'] = '3306';
             $_SESSION['db']['charset'] = 'UTF8';
             $_SESSION['val']['bug_report_email'] = '';
             $_SESSION['val']['ffmpeg_path'] = is_windows() ? 'C:\\ffmpeg\\ffmpeg.exe' : '/usr/bin/ffmpeg';
         }
         if ($_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST['config_system_submit'])) {
             if (filled_out($_POST)) {
                 // NOTE(review): mass assignment - EVERY posted key (with a leading
                 // "db_" stripped) lands in $_SESSION['db'], including type_name,
                 // which is later used as a path segment when loading the SQL dumps.
                 // An allow-list of expected keys/values would be the fix.
                 foreach ($_POST as $sKey => $sVal) {
                     $_SESSION['db'][str_replace('db_', '', $sKey)] = trim($sVal);
                 }
                 $_SESSION['val']['bug_report_email'] = trim($_POST['bug_report_email']);
                 $_SESSION['val']['ffmpeg_path'] = trim($_POST['ffmpeg_path']);
                 if (validate_email($_SESSION['val']['bug_report_email'])) {
                     try {
                         // _db_connect.inc.php is expected to provide $DB from $_SESSION['db'].
                         require_once PH7_ROOT_INSTALL . 'inc/_db_connect.inc.php';
                         @(require_once PH7_ROOT_PUBLIC . '_constants.php');
                         @(require_once PH7_PATH_APP_CONFIG . 'constants.php');
                         // Config File
                         // World-writable config directory, silently; the file written
                         // below contains the DB password. Tighten the mode after install.
                         @chmod(PH7_PATH_APP_CONFIG, 0777);
                         $sConfigContent = file_get_contents(PH7_ROOT_INSTALL . 'data/configs/config.ini');
                         $sConfigContent = str_replace('%bug_report_email%', $_SESSION['val']['bug_report_email'], $sConfigContent);
                         $sConfigContent = str_replace('%ffmpeg_path%', clean_string($_SESSION['val']['ffmpeg_path']), $sConfigContent);
                         // type_name/type/hostname/charset/port are written without clean_string().
                         $sConfigContent = str_replace('%db_type_name%', $_SESSION['db']['type_name'], $sConfigContent);
                         $sConfigContent = str_replace('%db_type%', $_SESSION['db']['type'], $sConfigContent);
                         $sConfigContent = str_replace('%db_hostname%', $_SESSION['db']['hostname'], $sConfigContent);
                         $sConfigContent = str_replace('%db_name%', clean_string($_SESSION['db']['name']), $sConfigContent);
                         $sConfigContent = str_replace('%db_username%', clean_string($_SESSION['db']['username']), $sConfigContent);
                         $sConfigContent = str_replace('%db_password%', clean_string($_SESSION['db']['password']), $sConfigContent);
                         $sConfigContent = str_replace('%db_prefix%', clean_string($_SESSION['db']['prefix']), $sConfigContent);
                         $sConfigContent = str_replace('%db_charset%', $_SESSION['db']['charset'], $sConfigContent);
                         $sConfigContent = str_replace('%db_port%', $_SESSION['db']['port'], $sConfigContent);
                         // Application secret: its quality depends entirely on generate_hash()
                         // using a CSPRNG (not visible here) - verify before relying on it.
                         $sConfigContent = str_replace('%private_key%', generate_hash(40), $sConfigContent);
                         $sConfigContent = str_replace('%rand_id%', generate_hash(5), $sConfigContent);
                         if (!@file_put_contents(PH7_PATH_APP_CONFIG . 'config.ini', $sConfigContent)) {
                             $aErrors[] = $LANG['no_app_config_writable'];
                         } else {
                             if (!($DB->getAttribute(\PDO::ATTR_DRIVER_NAME) == 'mysql' && version_compare($DB->getAttribute(\PDO::ATTR_SERVER_VERSION), PH7_REQUIRE_SQL_VERSION, '>='))) {
                                 $aErrors[] = $LANG['require_mysql_version'];
                             } else {
                                 $aDumps = array('pH7_SchemaGame', 'pH7_DataGame', 'pH7_Core', 'pH7_GeoCountry', 'pH7_GeoCity', 'pH7_GeoCity2', 'pH7_GeoCity3', 'pH7_GeoCity4', 'pH7_GeoCity5', 'pH7_GeoCity6', 'pH7_GeoCity7', 'pH7_GeoCity8', 'pH7_GeoState', 'pH7_SampleData');
                                 for ($i = 0, $iCount = count($aDumps); $i < $iCount; $i++) {
                                     // type_name comes from $_POST (see the foreach above) and is used
                                     // unvalidated as a directory name here.
                                     exec_query_file($DB, PH7_ROOT_INSTALL . 'data/sql/' . $_SESSION['db']['type_name'] . '/' . $aDumps[$i] . '.sql');
                                 }
                                 unset($DB);
                                 $_SESSION['step3'] = 1;
                                 unset($_SESSION['val']);
                                 redirect(PH7_URL_SLUG_INSTALL . 'config_site');
                             }
                         }
                     } catch (\PDOException $oE) {
                         // Driver error text (host, user, ...) is shown to the installer user, HTML-escaped.
                         $aErrors[] = $LANG['database_error'] . escape($oE->getMessage());
                     }
                 } else {
                     $aErrors[] = $LANG['bad_email'];
                 }
             } else {
                 $aErrors[] = $LANG['all_fields_mandatory'];
             }
         }
     } else {
         redirect(PH7_URL_SLUG_INSTALL . 'config_path');
     }
     $this->oView->assign('sept_number', 3);
     $this->oView->assign('errors', @$aErrors);
     unset($aErrors);
     $this->oView->display('config_system.tpl');
 }
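function get_hash_round_robin_archive($rra_id) {
	/* Return the 32-hex-digit hash stored for the RRA row with id $rra_id.
	   If the row has no usable hash (empty, missing, or not a valid hash),
	   return a freshly generated one instead. Note the fallback value is NOT
	   written back to the row by this function. */

	// $rra_id is interpolated straight into SQL: force it to an integer so a
	// non-numeric value cannot alter the query (rra ids are assumed numeric;
	// if the project offers a prepared-statement helper, prefer that).
	$rra_id = (int) $rra_id;
	$hash = db_fetch_cell("select hash from rra where id=$rra_id");

	// ereg() was removed in PHP 7. The pattern is anchored so only a whole
	// 32-digit hex string is accepted, not any string merely containing one.
	if (is_string($hash) && preg_match('/^[a-fA-F0-9]{32}$/', $hash)) {
		return $hash;
	} else {
		return generate_hash();
	}
}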
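    function OS_ForgotPassword()
    {
        /*
         * Two-phase "forgot password" page, rendered as HTML directly from here.
         *
         *  Phase 1 (no ?e= / ?c= in the URL): show the email form. On POST, look the
         *  address up in OSDB_USERS, store a random reset code in the custom-fields
         *  table under 'reset_password|<email>' and mail a link carrying email + code.
         *
         *  Phase 2 (?e=EMAIL&c=CODE): verify the code against the stored one and, on
         *  POST of a matching password pair, replace the user's password and consume
         *  the stored code.
         *
         * Reads the globals $db (PDO-style wrapper exposing prepare()/bindValue()),
         * $lang (mail sender fields) and (re)assigns the global $mail.
         *
         * NOTE(review): the stored reset code carries no timestamp, so it never expires
         * until used; the per-session "password_send" flag only throttles one browser
         * session; and the reset form has no CSRF token. None of that is changed here.
         */
        $errors = "";
        global $db;
        global $mail;
        global $lang;

        if (isset($_POST["reset_password"]) and isset($_POST["reset_password_submit"])) {
            $email = EscapeStr(trim($_POST["reset_password"]));
            if (isset($_SESSION["password_send"])) {
                $errors .= "<h4>You have already sent a request to reset the password. Please check your mail.</h4>";
            }
            if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) {
                $errors .= "<h4>Invalid Email address</h4>";
            }
            if (empty($errors)) {
                $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 ");
                $sth->bindValue(':email', $email, PDO::PARAM_STR);
                $sth->execute();
                // fetch() instead of rowCount(): PDO does not guarantee rowCount() for SELECT.
                // (The message below still reveals whether an address is registered.)
                if (!$sth->fetch(PDO::FETCH_ASSOC)) {
                    $errors .= "<h4>Email address does not exist in our database.</h4>";
                }
                if (empty($errors)) {
                    $code = generate_hash(16);
                    OS_add_custom_field(0, 'reset_password|' . $email, $code);
                    // require_once: a second include in the same request would redeclare the class.
                    require_once "inc/class.phpmailer.php";
                    $message = "You have requested a password reset.<br />";
                    $message .= "Click on the link below to reset your password:<br /><br />";
                    // Both values are query-string parameters: percent-encode them so a '+' or
                    // '%' in the address survives the round trip through the mail client.
                    $message .= OS_HOME . "?action=reset_password&e=" . rawurlencode($email) . "&c=" . rawurlencode($code) . "<br /><br />";
                    $message .= "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />";
                    $message .= "If you did not request a password reset just ignore this email and delete it.<br />";
                    $mail = new PHPMailer();
                    $mail->CharSet = 'UTF-8';
                    $mail->ContentType = 'text/plain';
                    $mail->IsHTML(true);
                    $mail->SetFrom($lang["email_from"], $lang["email_from_full"]);
                    //$mail->AddReplyTo( $lang["email_from"], $lang["email_from_full"] );
                    $mail->AddAddress($email, "");
                    $mail->Subject = "Password reset!";
                    $mail->MsgHTML($message);
                    $mail->AltBody = "This is the body in plain text for non-HTML mail clients";
                    $mail->Send();
                    $_SESSION["password_send"] = time();
                    //Not error, just a message
                    $errors = "<h4>You have successfully submitted a request to reset your password. Please check your mail.</h4>";
                }
            }
        }
        ?>
<div id="content" class="s-c-x">
<div class="wrapper">   
    <div id="main-column">
     <div class="padding">
      <div class="inner">
	  <h2>Reset password</h2>
	  <div class="padTop"></div>
	  
	  <?php 
        if (isset($errors) and !empty($errors)) {
            echo $errors;
        }
        ?>
	  <?php 
        if (!isset($_GET["c"]) and !isset($_GET["e"])) {
            ?>
	  <form action="" method="post">
	  <table style="width:800px;">
	    <tr class="row">
		  <td></td>
		  <td>
		  <b>You can't retrieve your password, but you can set a new one by following a link sent to you by email.</b>
		  <div>- This is the email address you used to register on the site.</div>
		  <div>- If you do not receive an email, check your "Spam" folder.</div>
		  </td>
		</tr>
	    <tr class="row">
		  <td width="120" class="padLeft">Email address:</td>
		  <td class="padLeft">
		    <input type="text" name="reset_password" size="39" value="" style="height:26px;" />
		  </td>
		</tr>
	    <tr class="row">
		  <td width="120" class="padLeft"></td>
		  <td class="padLeft"><input type="submit" name="reset_password_submit" class="menuButtons" value="Send" />
		  <div class="padBottom"></div>
		  </td>
		</tr>
	  </table>
	  </form>
	  <?php 
        } else {
            // A missing parameter is replaced by a random value so the checks below
            // fail without special-casing (the original behaviour).
            $email = isset($_GET["e"]) ? EscapeStr(trim($_GET["e"])) : generate_hash(12);
            $code = isset($_GET["c"]) ? EscapeStr(trim($_GET["c"])) : generate_hash(12);

            if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) {
                $errors .= "<h4>Invalid Email address</h4>";
            }
            if (empty($errors)) {
                $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 ");
                $sth->bindValue(':email', $email, PDO::PARAM_STR);
                $sth->execute();
                if (!$sth->fetch(PDO::FETCH_ASSOC)) {
                    $errors .= "<h4>Email address does not exist in our database.</h4>";
                }
            }
            if (empty($errors)) {
                $value = OS_get_custom_field(0, 'reset_password|' . $email);
                // Compare the reset code in constant time; hash_equals() needs two non-empty
                // strings, so a missing/empty stored field is rejected up front.
                if (strlen($code) <= 5 || !is_string($value) || $value === '' || !hash_equals($value, $code)) {
                    $errors .= "<h4>Link has expired, or the password has already been reset</h4>";
                }
            }
            //FINALLY RESET
            if (empty($errors) and isset($_POST["reset_1"]) and isset($_POST["reset_2"])) {
                // strip_tags() is kept for consistency with however the registration
                // path stores passwords (not visible here) — TODO confirm.
                $p1 = strip_tags($_POST["reset_1"]);
                $p2 = strip_tags($_POST["reset_2"]);
                if ($p1 !== $p2) {
                    $errors .= "<h4>Both passwords are not the same</h4>";
                } elseif ($p1 === '') {
                    // Previously two empty fields set an empty password.
                    $errors .= "<h4>Password cannot be empty</h4>";
                } else {
                    $hash = generate_hash(16, 1);
                    $password_db = generate_password($p1, $hash);
                    // Parameterised instead of string-built WHERE clauses.
                    $upd = $db->prepare("UPDATE " . OSDB_USERS . " SET user_password = :pw, password_hash = :hash WHERE user_email = :email");
                    $upd->bindValue(':pw', $password_db, PDO::PARAM_STR);
                    $upd->bindValue(':hash', $hash, PDO::PARAM_STR);
                    $upd->bindValue(':email', $email, PDO::PARAM_STR);
                    $upd->execute();
                    // Consume the reset code so the link cannot be replayed.
                    $del = $db->prepare("DELETE FROM " . OSDB_CUSTOM_FIELDS . " WHERE field_value = :code AND field_name = :name LIMIT 1");
                    $del->bindValue(':code', $code, PDO::PARAM_STR);
                    $del->bindValue(':name', 'reset_password|' . $email, PDO::PARAM_STR);
                    $del->execute();
                    $PasswordReset = 1;
                }
            }
            if (isset($errors) and !empty($errors)) {
                echo $errors;
            } else {
                if (isset($PasswordReset) and $PasswordReset == 1) {
                    ?>
	 <h2>Password has been successfully changed. Now you can log in.</h2>
	 <?php 
                } else {
                    ?>
	  <form action="" method="post">
	  	<table style="width:600px;">
	    <tr class="row">
		  <td class="padLeft">New password:</td>
		  <td class="padLeft"><input type="password" name="reset_1" size="6" value="" /></td>
		</tr>
	    <tr class="row">
		  <td class="padLeft">Repeat password:</td>
		  <td class="padLeft"><input type="password" name="reset_2" size="6" value="" /></td>
		</tr>
	    <tr class="row">
		  <td width="120" class="padLeft"></td>
		  <td class="padLeft"><input type="submit" name="reset_pw" class="menuButtons" value="Reset your password" />
		  <div class="padBottom"></div>
		  </td>
		</tr>
	    </table>
		
	  </form>
	  <?php 
                }
            }
        }
        ?>
	  
	  <div style="height:260px;"></div>
	  </div>
    </div>
   </div>
 </div>
</div>
   <?php 
    }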