= "0.2.8") { $LAST = ", last_login"; } // END - if // Check login data $password = ""; $uid2 = ""; $dmy = ""; if ($probe_nickname === true) { // Nickname entered $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' AND status='CONFIRMED' LIMIT 1", array($uid), __FILE__, __LINE__); list($uid2, $password, $online, $login) = SQL_FETCHROW($result); if (!empty($uid2)) $uid = bigintval($uid2); } else { // Direct userid entered $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s AND status='CONFIRMED' LIMIT 1", array($uid, $hash), __FILE__, __LINE__); list($uid2, $password, $online, $login) = SQL_FETCHROW($result); } // Is there an entry? if ((SQL_NUMROWS($result) == 1) && ((($probe_nickname) && (!empty($uid2))) || ($uid2 == $uid))) { // Free result SQL_FREERESULT($result); // By default the hash is empty $hash = ""; // Check for old MD5 passwords if ((strlen($password) == 32) && (md5($_POST['password']) == $password)) { // Just set the hash to the password from DB... :) $hash = $password; } else { // Hash password with improved way for comparsion $hash = generateHash($_POST['password'], substr($password, 0, -40)); } if ($hash == $password) { // New hashed password found so let's generate a new one $hash = generateHash($_POST['password']); // ... and update database SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%s AND status='CONFIRMED' LIMIT 1", array($hash, $uid), __FILE__, __LINE__); // No login bonus by default $BONUS = false; // Probe for last online timemark $probe = time() - $online; if (!empty($login)) $probe = time() - $login; if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= $_CONFIG['login_timeout'])) { // Add login bonus to user's account $ADD = sprintf(", login_bonus=login_bonus+%s", (float)$_CONFIG['login_bonus'] ); $BONUS = true; // Subtract login bonus from userid's account or jackpot if ((GET_EXT_VERSION("bonus") >= "0.3.5") && ($_CONFIG['bonus_mode'] != "ADD")) BONUS_POINTS_HANDLER('login_bonus'); } // END - if // Init variables $life = "-1"; $login = false; // Secure lifetime from input form $l = bigintval($_POST['lifetime']); // Is the lifetime set? if ($l > 0) { // Calculate lifetime of cookies $life = time() + $l; // Calculate new hash with the secret key and master salt together $hash = generatePassString($hash); // Update cookies $login = (set_session("userid" , $uid , $life, COOKIE_PATH) && set_session("u_hash" , $hash, $life, COOKIE_PATH) && set_session("lifetime", $l , $life, COOKIE_PATH) ); // Update global array $GLOBALS['userid'] = $uid; } else { // Check for login data $login = IS_MEMBER(); } if ($login) { // Update database records $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET total_logins=total_logins+1".$ADD." WHERE userid=%s LIMIT 1", array($uid), __FILE__, __LINE__); if (SQL_AFFECTEDROWS() == 1) { // Procedure to checking for login data if (($BONUS) && (EXT_IS_ACTIVE("bonus"))) { // Bonus added (just displaying!) $URL = URL."/modules.php?module=chk_login&mode=bonus"; } else { // Bonus not added $URL = URL."/modules.php?module=chk_login&mode=login"; } } else { // Cannot update counter! $URL = URL."/modules.php?module=index&what=login&login=".CODE_CNTR_FAILED; } } else { // Cookies not setable! $URL = URL."/modules.php?module=index&what=login&login=".CODE_NO_COOKIES; } } else { // Update failture counter SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET login_failtures=login_failtures+1,last_failture=NOW() WHERE userid=%s LIMIT 1", array($uid), __FILE__, __LINE__); // Wrong password! $ERROR = CODE_WRONG_PASS; } } elseif ((($probe_nickname) && (!empty($uid2))) || ($uid2 == $uid)) { // Other account status? $result = SQL_QUERY_ESC("SELECT status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s LIMIT 1", array($uid), __FILE__, __LINE__); // Entry found? if (SQL_NUMROWS($result) == 1) { // Load status list($status) = SQL_FETCHROW($result); switch ($status) { case "LOCKED": $ERROR = CODE_ID_LOCKED; break; case "UNCONFIRMED": $ERROR = CODE_ID_UNCONFIRMED; break; default: DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown error status %s detected.", $status)); $ERROR = CODE_UNKNOWN_STATUS; break; } } else { // ID not found! $ERROR = CODE_WRONG_ID; } // Construct URL $URL = URL."/modules.php?module=index&what=login&login=".$ERROR; } else { // ID not found! $ERROR = CODE_WRONG_ID; } } elseif ((!empty($_POST['new_pass'])) && (isset($uid))) { // Compile email when found in address (only secure chars!) if (!empty($_POST['email'])) $_POST['email'] = str_replace("{DOT}", '.', $_POST['email']); // Set ID number when left empty if (empty($_POST['id'])) $_POST['id'] = 0; // Probe userid/nickname $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id'])); if ($probe_nickname) { // Nickname entered $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' OR email='%s' LIMIT 1", array($uid, $_POST['email']), __FILE__, __LINE__); } else { // Direct userid entered $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s OR email='%s' LIMIT 1", array(bigintval($uid), $_POST['email']), __FILE__, __LINE__); } // Any entry found? if (SQL_NUMROWS($result) == 1) { // This data is valid, so we create a new pass... :-) list($uid, $status) = SQL_FETCHROW($result); if ($status == "CONFIRMED") { // Ooppps, this was missing! ;-) We should update the database... $NEW_PASS = GEN_PASS(); $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%s LIMIT 1", array(generateHash($NEW_PASS), $uid), __FILE__, __LINE__); // Prepare data and message for email $msg = LOAD_EMAIL_TEMPLATE("new-pass", array('new_pass' => $NEW_PASS), $uid); // ... and send it away SEND_EMAIL($uid, GUEST_NEW_PASSWORD, $msg); // Output note to user LOAD_TEMPLATE("admin_settings_saved", false, GUEST_NEW_PASSWORD_SEND); } else { // Account is locked or unconfirmed switch ($status) { case "LOCKED" : $MSG = CODE_ID_LOCKED; break; case "UNCONFIRMED": $MSG = CODE_ID_UNCONFIRMED; break; } // Load URL LOAD_URL("modules.php?module=index&what=login&login=".$MSG); } } else { // ID or email is wrong LOAD_TEMPLATE("admin_settings_saved", false, "".GUEST_WRONG_ID_EMAIL.""); } } // Login problems? if (!empty($_GET['login'])) { // Use code from URL $ERROR = SQL_ESCAPE($_GET['login']); } // END - if // Login problems? if (!empty($ERROR)) { // Ok, which one now? $MSG = "