// Login-handler excerpt. It begins inside an earlier branch (not visible here)
// and ends inside the "login succeeded" block, so the if/elseif chain and the
// final block are both incomplete in this view.
        exit;
    }
} elseif (isset($_POST['token'])) {
    call('REGULAR LOGIN');

    // Test the anti-forgery token submitted with the login form.
    // NOTE(review): `!=` is a loose, non-constant-time comparison, and
    // $_POST['token'] may arrive as an array. Requiring is_string() and comparing
    // with hash_equals() would close both gaps.
    if (!isset($_SESSION['token']) || $_SESSION['token'] != $_POST['token']) {
        // NOTE(review): call() is defined elsewhere. If it logs or prints its
        // argument, passing $GLOBALS sends the submitted password ($_POST) and the
        // whole session to that sink. Confirm it is disabled in production.
        call($GLOBALS);
        die('Hacking attempt detected.<br /><br />If you have reached this page in error, please go back to the login page,<br />clear your cache, refresh the page, and try to log in again.');
    }

    // Look up the player row for the supplied username.
    // NOTE(review): the WHERE clause below is mangled on this page (it looks like
    // a credential scrubber replaced part of it with asterisks), so the escaping
    // applied to the username cannot be seen. Verify in the real file that the
    // value is bound as a parameter or escaped before it reaches the query.
    $query = "\n\t\tSELECT *\n\t\tFROM " . T_PLAYER . "\n\t\tWHERE p_username = '******'txtUsername']) . "'\n\t";
    $player = $mysql->fetch_assoc($query, __LINE__, __FILE__);

    // Legacy hash upgrade: a 32-character stored value is treated as an MD5 hex
    // digest. If md5() of the submitted password matches it, the password is
    // re-hashed with password_make() (defined elsewhere) and written back.
    // NOTE(review): unsalted MD5 stays in the table for every account that never
    // logs in again; consider a forced reset for dormant accounts.
    if (false !== $player && 32 === strlen($player['p_password'])) {
        if (md5($_POST['pwdPassword']) === $player['p_password']) {
            $player['p_password'] = password_make($_POST['pwdPassword']);
            // presumably insert() with a WHERE clause performs an UPDATE; verify against the wrapper
            $mysql->insert(T_PLAYER, array('p_password' => $player['p_password']), " WHERE `p_id` = '{$player['p_id']}' ");
        }
    }
} else {
    // Neither a refresh nor a token-bearing login: send the client back to the form.
    call('NO LOGIN DETECTED');
    // NOTE(review): same $GLOBALS dump as above; see the concern about what call() does with it.
    call($GLOBALS);
    header('Location: login.php');
    exit;
}

// Just refresh, OR log us in if such a player exists and the password is good.
// The failure path ("otherwise die") lies beyond this excerpt.
// `&&` binds tighter than `||`, so this reads as
// isset($refreshPlayer) || (false !== $player && password_test(...)).
// On the refresh path $player must have been set by the branch above this excerpt.
if (isset($refreshPlayer) || false !== $player && password_test($_POST['pwdPassword'], $player['p_password'])) {
    // Tag the session with a site-specific marker to prevent cross-script session
    // stealing on refresh login.
    // NOTE(review): no session_regenerate_id() call is visible in this excerpt after
    // authentication succeeds. If none follows, a pre-login session id stays valid
    // after login (session fixation). Confirm in the full file.
    $_SESSION['GAME'] = 'WebChess2-' . $CFG_SITENAME . '-' . $CFG_MAINPAGE;
    $_SESSION['player_id'] = $player['p_id'];
    $_SESSION['last_input_time'] = time();
// Admin-page excerpt: bulk "make admin", "reset password" and "delete" actions
// driven by POSTed arrays of player ids. It begins inside an enclosing block and
// is cut off inside the delete loop.
//
// Original rationale: because if they accessed this, they are admin.
// NOTE(review): this unconditionally writes p_is_admin = '1' for the current
// session's player. Whatever gate guards this page sits above the excerpt, so
// any weakness in that gate becomes a persistent privilege grant. Confirm the
// authorization check, and consider dropping this write entirely.
$query = "\n\t\t\t\tUPDATE " . T_PLAYER . "\n\t\t\t\tSET p_is_admin = '1'\n\t\t\t\tWHERE p_id = '{$_SESSION['player_id']}'\n\t\t\t\tLIMIT 1\n\t\t\t";
$mysql->query($query, __LINE__, __FILE__);

// Update admin flags before deleting.
// NOTE(review): no anti-forgery token check is visible in this excerpt for these
// state-changing POST actions. Confirm that one runs earlier in the file.
if (isset($_POST['admin'])) {
    foreach ($_POST['admin'] as $user) {
        // ...then adminify all the checked ones.
        // NOTE(review): $user comes straight from $_POST and is interpolated into
        // the statement with no cast or escaping visible, which makes this an SQL
        // injection sink. Validate it as an integer id (or use a bound parameter
        // if the $mysql wrapper supports one) before building the query. The same
        // applies to every '{$user}' below.
        $query = "\n\t\t\t\t\t\tUPDATE " . T_PLAYER . "\n\t\t\t\t\t\tSET p_is_admin = '1'\n\t\t\t\t\t\tWHERE p_id = '{$user}'\n\t\t\t\t\t\tLIMIT 1\n\t\t\t\t\t";
        $mysql->query($query, __LINE__, __FILE__);
    }
}

// Reset passwords before deleting as well.
if (isset($_POST['resetpass'])) {
    foreach ($_POST['resetpass'] as $user) {
        // Reset the password to the fixed string change!me.
        // NOTE(review): every reset account gets the same publicly known password
        // until its owner changes it. A random one-time value with a forced change
        // at next login avoids that window.
        $pass = password_make('change!me');
        // NOTE(review): the SET value appears as asterisks on this page and $pass
        // is otherwise unused here, so this is presumably scrubber redaction of
        // the interpolated hash. Verify against the real file.
        $query = "\n\t\t\t\t\t\tUPDATE " . T_PLAYER . "\n\t\t\t\t\t\tSET p_password = '******'\n\t\t\t\t\t\tWHERE p_id = '{$user}'\n\t\t\t\t\t\tLIMIT 1\n\t\t\t\t\t";
        $mysql->query($query, __LINE__, __FILE__);

        // Get the user's email address (unsanitized $user again, see above).
        $query = "\n\t\t\t\t\t\tSELECT p_email\n\t\t\t\t\t\tFROM " . T_PLAYER . "\n\t\t\t\t\t\tWHERE p_id = '{$user}'\n\t\t\t\t\t";
        $email = $mysql->fetch_value($query, __LINE__, __FILE__);

        // Email the user and let them know their password has been changed.
        // NOTE(review): call() is defined elsewhere. If it logs its argument, the
        // address is written to the debug sink.
        call("webchessMail('passupdate',{$email},'','','')");
        webchessMail('passupdate', $email, '', '', '');
    }
}

$i = 0;

// Delete the checked players. The loop body continues past the end of this excerpt.
if (isset($_POST['delete'])) {
    foreach ($_POST['delete'] as $user) {
        // Fetch the username for the id being deleted (unsanitized $user, see above).
        $query = "\n\t\t\t\t\t\tSELECT p_username\n\t\t\t\t\t\tFROM " . T_PLAYER . "\n\t\t\t\t\t\tWHERE p_id = '{$user}'\n\t\t\t\t\t";
        $name = $mysql->fetch_value($query, __LINE__, __FILE__);