function checkLogin($u, $p)
{
global $seed;
// global because $seed is declared in the header.php file
if (!valid_username($u) || !valid_password($p) || !user_exists($u)) {
return false;
// the name was not valid, or the password, or the username did not exist
}
//Now let us look for the user in the database.
$query = sprintf("\n\t\tSELECT loginid \n\t\tFROM login \n\t\tWHERE \n\t\tusername = '******' AND password = '******' \n\t\tAND disabled = 0 AND activated = 1 \n\t\tLIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
$result = mysql_query($query);
// If the database returns a 0 as result we know the login information is incorrect.
// If the database returns a 1 as result we know the login was correct and we proceed.
// If the database returns a result > 1 there are multple users
// with the same username and password, so the login will fail.
if (mysql_num_rows($result) != 1) {
return false;
} else {
// Login was successfull
$row = mysql_fetch_array($result);
// Save the user ID for use later
$_SESSION['loginid'] = $row['loginid'];
// Save the username for use later
$_SESSION['username'] = $u;
// Now we show the userbox
return true;
}
return false;
}
private function validateRegistration()
{
loadLibrary("validation.lib");
$user = secure($_POST["username"]);
$display = secure($_POST["display"]);
$pass1 = secure($_POST["pass1"]);
$pass2 = secure($_POST["pass2"]);
$email1 = secure($_POST["email1"]);
$email2 = secure($_POST["email2"]);
$res = valid_username($user);
if ($res !== true) {
$this->errors[] = $res;
}
$res = valid_displayname($display);
if ($res !== true) {
$this->errors[] = $res;
}
if ($pass1 !== $pass2) {
$this->errors[] = "passwords_dont_match";
} else {
$res = valid_password($pass1);
if ($res !== true) {
$this->errors[] = $res;
}
}
if ($email1 !== $email2) {
$this->errors[] = "emails_dont_match";
} else {
$res = valid_email($email1);
if ($res !== true) {
$this->errors[] = $res;
}
}
// Validate these next two for the most protective method.
if ($_POST["hideemail"] == "no") {
$hideemail = false;
} else {
$hideemail = true;
}
if ($_POST["receiveemail"] == "yes") {
$receiveemail = true;
} else {
$receiveemail = false;
}
// Check ToS box
if (!$_POST["tos"]) {
$this->errors[] = "tos_not_checked";
}
if (count($this->errors) == 0) {
// Add the user
global $yakbb;
$yakbb->db->insert("users", array("id" => 0, "username" => $user, "displayname" => $display, "password" => sha256($pass1), "email" => $email1, "emailshow" => $hideemail ? 0 : 1, "emailoptin" => $receiveemail ? 1 : 0, "activated" => 1, "activationcode" => "", "pending" => 0, "registeredtime" => time(), "lastip" => $yakbb->ip, "template" => $yakbb->config["default_template"], "language" => $yakbb->config["default_language"], "timezone" => $yakbb->config["default_timezone"]));
redirect("?action=login®=true");
}
}
function lostPassword($username, $email)
{
global $seed;
if (!valid_username($username) || !user_exists($username) || !valid_email($email)) {
return false;
}
$query = sprintf("select loginid from login where username = '******' and email = '%s' limit 1", $username, $email);
$result = mysql_query($query);
if (mysql_num_rows($result) != 1) {
return false;
}
$newpass = generate_code(8);
$query = sprintf("update login set password = '******' where username = '******'", mysql_real_escape_string(sha1($newpass . $seed)), mysql_real_escape_string($username));
if (mysql_query($query)) {
if (sendLostPasswordEmail($username, $email, $newpass)) {
return true;
} else {
return false;
}
} else {
return false;
}
return false;
}
/**
* Process information given to new/edit account form
*
* @global array $SUPPORTED_LANGS Languages that are supported by the AUR
* @param string $TYPE Either "edit" for editing or "new" for registering an account
* @param string $A Form to use, either UpdateAccount or NewAccount
* @param string $U The username for the account
* @param string $T The account type for the user
* @param string $S Whether or not the account is suspended
* @param string $E The e-mail address for the user
* @param string $H Whether or not the e-mail address should be hidden
* @param string $P The password for the user
* @param string $C The confirmed password for the user
* @param string $R The real name of the user
* @param string $L The language preference of the user
* @param string $I The IRC nickname of the user
* @param string $K The PGP fingerprint of the user
* @param string $PK The list of public SSH keys
* @param string $J The inactivity status of the user
* @param string $UID The user ID of the modified account
* @param string $N The username as present in the database
*
* @return array Boolean indicating success and message to be printed
*/
function process_account_form($TYPE, $A, $U = "", $T = "", $S = "", $E = "", $H = "", $P = "", $C = "", $R = "", $L = "", $I = "", $K = "", $PK = "", $J = "", $UID = 0, $N = "")
{
global $SUPPORTED_LANGS;
$error = '';
$message = '';
if (is_ipbanned()) {
$error = __('Account registration has been disabled ' . 'for your IP address, probably due ' . 'to sustained spam attacks. Sorry for the ' . 'inconvenience.');
}
$dbh = DB::connect();
if (isset($_COOKIE['AURSID'])) {
$editor_user = uid_from_sid($_COOKIE['AURSID']);
} else {
$editor_user = null;
}
if (empty($E) || empty($U)) {
$error = __("Missing a required field.");
}
if ($TYPE != "new" && !$UID) {
$error = __("Missing User ID");
}
if (!$error && !valid_username($U)) {
$length_min = config_get_int('options', 'username_min_len');
$length_max = config_get_int('options', 'username_max_len');
$error = __("The username is invalid.") . "<ul>\n" . "<li>" . __("It must be between %s and %s characters long", $length_min, $length_max) . "</li>" . "<li>" . __("Start and end with a letter or number") . "</li>" . "<li>" . __("Can contain only one period, underscore or hyphen.") . "</li>\n</ul>";
}
if (!$error && $P && $C && $P != $C) {
$error = __("Password fields do not match.");
}
if (!$error && $P != '' && !good_passwd($P)) {
$length_min = config_get_int('options', 'passwd_min_len');
$error = __("Your password must be at least %s characters.", $length_min);
}
if (!$error && !valid_email($E)) {
$error = __("The email address is invalid.");
}
if (!$error && $K != '' && !valid_pgp_fingerprint($K)) {
$error = __("The PGP key fingerprint is invalid.");
}
if (!$error && !empty($PK)) {
$ssh_keys = array_filter(array_map('trim', explode("\n", $PK)));
$ssh_fingerprints = array();
foreach ($ssh_keys as &$ssh_key) {
if (!valid_ssh_pubkey($ssh_key)) {
$error = __("The SSH public key is invalid.");
break;
}
$ssh_fingerprint = ssh_key_fingerprint($ssh_key);
if (!$ssh_fingerprint) {
$error = __("The SSH public key is invalid.");
break;
}
$tokens = explode(" ", $ssh_key);
$ssh_key = $tokens[0] . " " . $tokens[1];
$ssh_fingerprints[] = $ssh_fingerprint;
}
/*
* Destroy last reference to prevent accidentally overwriting
* an array element.
*/
unset($ssh_key);
}
if (isset($_COOKIE['AURSID'])) {
$atype = account_from_sid($_COOKIE['AURSID']);
if ($atype == "User" && $T > 1 || $atype == "Trusted User" && $T > 2) {
$error = __("Cannot increase account permissions.");
}
}
if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
$error = __("Language is not currently supported.");
}
if (!$error) {
/*
* Check whether the user name is available.
* TODO: Fix race condition.
*/
$q = "SELECT COUNT(*) AS CNT FROM Users ";
$q .= "WHERE Username = "******"edit") {
$q .= " AND ID != " . intval($UID);
}
$result = $dbh->query($q);
$row = $result->fetch(PDO::FETCH_NUM);
if ($row[0]) {
$error = __("The username, %s%s%s, is already in use.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
}
}
if (!$error) {
/*
* Check whether the e-mail address is available.
* TODO: Fix race condition.
*/
$q = "SELECT COUNT(*) AS CNT FROM Users ";
$q .= "WHERE Email = " . $dbh->quote($E);
if ($TYPE == "edit") {
$q .= " AND ID != " . intval($UID);
}
$result = $dbh->query($q);
$row = $result->fetch(PDO::FETCH_NUM);
if ($row[0]) {
$error = __("The address, %s%s%s, is already in use.", "<strong>", htmlspecialchars($E, ENT_QUOTES), "</strong>");
}
}
if (!$error && count($ssh_keys) > 0) {
/*
* Check whether any of the SSH public keys is already in use.
* TODO: Fix race condition.
*/
$q = "SELECT Fingerprint FROM SSHPubKeys ";
$q .= "WHERE Fingerprint IN (";
$q .= implode(',', array_map(array($dbh, 'quote'), $ssh_fingerprints));
$q .= ")";
if ($TYPE == "edit") {
$q .= " AND UserID != " . intval($UID);
}
$result = $dbh->query($q);
$row = $result->fetch(PDO::FETCH_NUM);
if ($row) {
$error = __("The SSH public key, %s%s%s, is already in use.", "<strong>", htmlspecialchars($row[0], ENT_QUOTES), "</strong>");
}
}
if ($error) {
$message = "<ul class='errorlist'><li>" . $error . "</li></ul>\n";
return array(false, $message);
}
if ($TYPE == "new") {
/* Create an unprivileged user. */
$salt = generate_salt();
if (empty($P)) {
$send_resetkey = true;
$email = $E;
} else {
$send_resetkey = false;
$P = salted_hash($P, $salt);
}
$U = $dbh->quote($U);
$E = $dbh->quote($E);
$P = $dbh->quote($P);
$salt = $dbh->quote($salt);
$R = $dbh->quote($R);
$L = $dbh->quote($L);
$I = $dbh->quote($I);
$K = $dbh->quote(str_replace(" ", "", $K));
$q = "INSERT INTO Users (AccountTypeID, Suspended, ";
$q .= "InactivityTS, Username, Email, Passwd, Salt, ";
$q .= "RealName, LangPreference, IRCNick, PGPKey) ";
$q .= "VALUES (1, 0, 0, {$U}, {$E}, {$P}, {$salt}, {$R}, {$L}, ";
$q .= "{$I}, {$K})";
$result = $dbh->exec($q);
if (!$result) {
$message = __("Error trying to create account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
return array(false, $message);
}
$uid = $dbh->lastInsertId();
account_set_ssh_keys($uid, $ssh_keys, $ssh_fingerprints);
$message = __("The account, %s%s%s, has been successfully created.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
$message .= "<p>\n";
if ($send_resetkey) {
send_resetkey($email, true);
$message .= __("A password reset key has been sent to your e-mail address.");
$message .= "</p>\n";
} else {
$message .= __("Click on the Login link above to use your account.");
$message .= "</p>\n";
}
} else {
/* Modify an existing account. */
$q = "SELECT InactivityTS FROM Users WHERE ";
$q .= "ID = " . intval($UID);
$result = $dbh->query($q);
$row = $result->fetch(PDO::FETCH_NUM);
if ($row[0] && $J) {
$inactivity_ts = $row[0];
} elseif ($J) {
$inactivity_ts = time();
} else {
$inactivity_ts = 0;
}
$q = "UPDATE Users SET ";
$q .= "Username = "******", AccountTypeID = " . intval($T);
}
if ($S) {
/* Ensure suspended users can't keep an active session */
delete_user_sessions($UID);
$q .= ", Suspended = 1";
} else {
$q .= ", Suspended = 0";
}
$q .= ", Email = " . $dbh->quote($E);
if ($H) {
$q .= ", HideEmail = 1";
} else {
$q .= ", HideEmail = 0";
}
if ($P) {
$salt = generate_salt();
$hash = salted_hash($P, $salt);
$q .= ", Passwd = '{$hash}', Salt = '{$salt}'";
}
$q .= ", RealName = " . $dbh->quote($R);
$q .= ", LangPreference = " . $dbh->quote($L);
$q .= ", IRCNick = " . $dbh->quote($I);
$q .= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
$q .= ", InactivityTS = " . $inactivity_ts;
$q .= " WHERE ID = " . intval($UID);
$result = $dbh->exec($q);
$ssh_key_result = account_set_ssh_keys($UID, $ssh_keys, $ssh_fingerprints);
if ($result === false || $ssh_key_result === false) {
$message = __("No changes were made to the account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
} else {
$message = __("The account, %s%s%s, has been successfully modified.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
}
}
return array(true, $message);
}
function callPluginMethod($method, $args = '')
{
foreach ($GLOBALS['plugin']->pluginslist as $value) {
if (!valid_username($value)) {
echo 'Sorry, your plugin ' . e::h($value) . ' is not setup properly';
}
$plugin_obj = new $value();
$plugin_obj->{$method}($args);
}
}
urlto("main.php");
}
include_once "_jack1.php";
//nopost -> return
if (isset($_POST['un'])) {
$un = $_POST['un'];
} else {
urlto("index.php");
}
if (isset($_POST['pw'])) {
$pw = $_POST['pw'];
} else {
urlto("index.php");
}
//check data
if (!valid_username($un)) {
urlto("index.php?msg=2");
}
if (!valid_password($pw)) {
urlto("index.php?msg=2");
}
$con = mysql_connectEx();
$sql = "SELECT * FROM `motal_users` WHERE `username`='" . $un . "'";
echo $sql . "<hr>";
$result = mysql_query($sql);
$row = @mysql_fetch_array($result);
if (isset($row['username'])) {
//check hashed data
$pw = sha1($un . $pw);
if ($pw == $row['password']) {
$_SESSION['uid'] = $row['id'];
function insert_user($userdat)
{
// Creates a new user on the forum
global $yakbb;
// List fields that this function can provide.
$valid_fields = array("username", "displayname", "password", "email", "emailshow", "emailoptin");
$required_fields = array("username", "password", "email");
// Validate that ONLY these fields are provided. Then, validate required fields
$fields_provided = array_keys($userdat);
foreach ($fields_provided as $k => $item) {
if (!in_array($item, $valid_fields)) {
unset($userdat[$item]);
// Remove the invalid item
}
}
foreach ($required_fields as $k => $item) {
if (!in_array($item, $fields_provided)) {
record_yakbb_error("Missed field \"" . $item . "\" in call to insert_user().");
return false;
}
}
// Set the data that will ALWAYS be this way
$userdat["group"] = 0;
$userdat["activated"] = 1;
$userdat["activationcode"] = "";
// Sent via e-mail
$userdat["pending"] = 0;
// Admin approval required?
$userdat["registeredtime"] = time();
$userdat["lastip"] = $yakbb->ip;
$userdat["template"] = $yakbb->config["default_template"];
$userdat["language"] = $yakbb->config["default_language"];
$userdat["timezone"] = $yakbb->config["default_timezone"];
// Set the data that is optional. intval() is used to force integer value upon certain ones
$userdat["emailshow"] = isset($userdat["emailshow"]) ? intval($userdat["emailshow"]) : 0;
$userdat["emailoptin"] = isset($userdat["emailoptin"]) ? intval($userdat["emailoptin"]) : 0;
$userdat["displayname"] = isset($userdat["displayname"]) ? $userdat["displayname"] : $userdat["username"];
// Validate inputted data
if (!function_exists("valid_username")) {
loadLibrary("validation.lib");
}
$errors = array();
$res = valid_username($userdat["username"]);
if ($res !== true) {
$errors[] = $res;
}
$res = valid_displayname($userdat["displayname"]);
if ($res !== true) {
$errors[] = $res;
}
$res = valid_password($userdat["password"]);
if ($res !== true) {
$errors[] = $res;
}
$res = valid_email($userdat["email"]);
if ($res !== true) {
$errors[] = $res;
}
if (count($errors) == 0) {
$yakbb->db->insert("users", $userdat);
return true;
} else {
return $errors;
}
}
<?php
include "config/config.php";
include "include/function.php";
include "include/logincheck.php";
if (isset($_POST['submit'])) {
$error = "";
if (!valid_mail($_POST['email'])) {
$error .= "Email is already registered<br>";
}
if (!valid_username($_POST['username'])) {
$error .= "Username is already registered<br>";
}
if ($error == "") {
$form_data = array('usertype' => $_POST['usertype'], 'username' => $_POST['username'], 'email' => $_POST['email'], 'fname' => $_POST['fname'], 'lname' => $_POST['lname'], 'phone' => $_POST['phone'], 'password' => $_POST['password'], 'debut' => date("Y-m-d H:i:s"));
InsertData(USER, $form_data);
$id = mysql_insert_id();
log_add_user($id);
email_add_user($id);
header("location:add-user.php?addsuccess");
}
}
?>
<!DOCTYPE html>
<!--[if IE 8]> <html lang="en" class="ie8 no-js"> <![endif]-->
<!--[if IE 9]> <html lang="en" class="ie9 no-js"> <![endif]-->
<!--[if !IE]><!-->
<html lang="en" class="no-js">
<!--<![endif]-->
<!-- BEGIN HEAD -->
function valid_username($str)
{
if (!valid_username($str) || $str != preg_replace('/\\s+/', ' ', $str)) {
$this->form_validation->set_message('valid_username', "Username contains invalid characters");
return FALSE;
} elseif (!$this->user_dal->is_username_available($str)) {
$this->form_validation->set_message('valid_username', "That username is already in use");
return FALSE;
}
return TRUE;
}
private function loadUser()
{
$this->user = array("id" => 0, "username" => "Guest", "group" => -1, "template" => $this->config["default_template"], "language" => $this->config["default_language"]);
$this->smarty->assign("guest", true);
$this->smarty->assign("admin_access", false);
if (getYakCookie("username") != "" && getYakCookie("password") != "") {
// Check login
$user = secure(getYakCookie("username"));
$pass = getYakCookie("password");
loadLibrary("validation.lib");
if (valid_username($user) === true && valid_password($pass) === true) {
$this->db->query("\r\n\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t*\r\n\t\t\t\t\tFROM\r\n\t\t\t\t\t\tyakbb_users\r\n\t\t\t\t\tWHERE\r\n\t\t\t\t\t\tusername = '******'\r\n\t\t\t\t\tLIMIT\r\n\t\t\t\t\t\t1\r\n\t\t\t\t");
if ($this->db->numRows() == 1) {
$x = $this->db->fetch();
if ($x["password"] === $pass) {
$this->user = $x;
$this->smarty->assign("guest", false);
}
}
}
}
}
$department = cleanvar($_REQUEST['department']);
$address1 = cleanvar($_REQUEST['address1']);
$address2 = cleanvar($_REQUEST['address2']);
$county = cleanvar($_REQUEST['county']);
$country = cleanvar($_REQUEST['country']);
$postcode = cleanvar($_REQUEST['postcode']);
$phone = cleanvar($_REQUEST['phone']);
$mobile = cleanvar($_REQUEST['mobile']);
$fax = cleanvar($_REQUEST['fax']);
$email = cleanvar($_REQUEST['email']);
$newpass = cleanvar($_REQUEST['newpassword']);
$newpass2 = cleanvar($_REQUEST['newpassword2']);
$errors = 0;
// VALIDATION CHECKS */
if ($CONFIG['portal_usernames_can_be_changed'] and $oldusername != $username) {
if (!valid_username($username)) {
$errors++;
$_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>{$strInvalidUsername}</p>\n";
}
}
if (!empty($newpass) and empty($newpass2)) {
$errors++;
$_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>{$strYouMustEnterYourNewPasswordTwice}</p>\n";
} elseif ($newpass != $newpass2) {
$errors++;
$_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>{$strPasswordsDoNotMatch}</p>";
}
if ($surname == '') {
$errors++;
$_SESSION['formerrors']['portalcontactdetails'] .= "<p class='error'>" . sprintf($strYouMustEnter, $strSurname) . "</p>\n";
}
}
$model = $_POST;
if ($_GET["mac"] != "") {
$model["mac"] = $_GET["mac"];
$model["mode"] = "edit";
$model["focus"] = "password";
} else {
$model["mode"] = "add";
$model["focus"] = "mac";
}
if ($_SERVER["REQUEST_METHOD"] == "POST") {
/* validate all the entries */
if (valid_mac($model["mac"]) === false) {
invalid_entry($model, "mac");
}
if (valid_username($model["username"]) === false) {
invalid_entry($model, "username");
}
if (valid_password($model["password"]) === false) {
invalid_entry($model, "password");
}
$model["mac"] = strtoupper($model["mac"]);
foreach ($model["switch"] as $i => $switch) {
if (valid_ip($switch["host"]) === false) {
invalid_entry($model, "switch[{$i}][host]");
}
if (valid_call_limit($switch["call-limit"]) === false) {
invalid_entry($model, "switch[{$i}][call-limit]");
}
}
foreach ($model["gateway"] as $i => $gateway) {
If the above link does not work, copy and paste the following URL into your address bar:
http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'] . '?action=CONFIRM&username='******'username']) . '&activationkey=' . urlencode($values['activationkey']) . '
Thank you for registering.';
// TODO: Actually send the email. For now, we just echo it out.
echo $email;
} else {
die("ERROR: There was a problem during registration. Please contact an administrator.\n");
}
}
} else {
if ($input['action'] == 'CONFIRM') {
// Verify that we have received a valid username
if (!isset($input['username']) || !valid_username($input['username'])) {
die("ERROR: A valid username was not specified. Usernames must use only " . "alphanumeric characters, hyphens, underscores, or periods. Must be " . "2 to 25 characters long.\n");
}
// Verify we have an activation key
if (!isset($input['activationkey']) || strlen($input['activationkey']) != $config['activation']['keyLength']) {
die("ERROR: Invalid activation key specified.\n");
}
// Load the DataLayer
@(include_once 'includes/datalayer.class.php');
// Make sure the DataLayer class loaded sucessfully
if (!class_exists('DataLayer')) {
die("ERROR: Unable to load DataLayer class.\n");
}
$dl = new DataLayer($config['datalayer']);
if ($dl === false) {
die("ERROR: Unable to connect to database.\n");
private function validate()
{
loadLibrary("validation.lib");
$user = secure($_POST["username"]);
$pass = $_POST["password"];
$reg = valid_username($user);
if ($reg !== true) {
$this->errors[] = $reg;
}
$reg = valid_password($pass);
if ($reg !== true) {
$this->errors[] = $reg;
}
if (count($this->errors) == 0) {
// Check actual login data now
global $yakbb;
$yakbb->db->query("\r\n\t\t\t\tSELECT\r\n\t\t\t\t\tpassword\r\n\t\t\t\tFROM\r\n\t\t\t\t\tyakbb_users\r\n\t\t\t\tWHERE\r\n\t\t\t\t\tusername = '******'\r\n\t\t\t\tLIMIT\r\n\t\t\t\t\t1\r\n\t\t\t");
$x = $yakbb->db->fetch();
if ($yakbb->db->numRows() == 0) {
$this->errors[] = "user_doesnt_exist";
} else {
if (sha256($pass) !== $x["password"]) {
$this->errors[] = "password_incorrect";
} else {
// Login
setYakCookie("username", $user, time() + 60 * 60 * 24 * 180);
setYakCookie("password", sha256($pass), time() + 60 * 60 * 24 * 180);
redirect("?");
}
}
}
}
