0.2.1/inc/modules/guest/what-login.php

   1 <?php
   2 /************************************************************************
   3  * MXChange v0.2.1                                    Start: 10/14/2003 *
   4  * ===============                              Last change: 04/28/2004 *
   5  *                                                                      *
   6  * -------------------------------------------------------------------- *
   7  * File              : what-login.php                                   *
   8  * -------------------------------------------------------------------- *
   9  * Short description : Login area (redirects to the real login module)  *
  10  * -------------------------------------------------------------------- *
  11  * Kurzbeschreibung  : Loginbereich (leitet an das richtige Lgin-Modul  *
  12  *                     weiter)                                          *
  13  * -------------------------------------------------------------------- *
  14  *                                                                      *
  15  * -------------------------------------------------------------------- *
  16  * Copyright (c) 2003 - 2008 by Roland Haeder                           *
  17  * For more information visit: http://www.mxchange.org                  *
  18  *                                                                      *
  19  * This program is free software; you can redistribute it and/or modify *
  20  * it under the terms of the GNU General Public License as published by *
  21  * the Free Software Foundation; either version 2 of the License, or    *
  22  * (at your option) any later version.                                  *
  23  *                                                                      *
  24  * This program is distributed in the hope that it will be useful,      *
  25  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
  26  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
  27  * GNU General Public License for more details.                         *
  28  *                                                                      *
  29  * You should have received a copy of the GNU General Public License    *
  30  * along with this program; if not, write to the Free Software          *
  31  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
  32  * MA  02110-1301  USA                                                  *
  33  ************************************************************************/
  34
  35 // Some security stuff...
  36 if (ereg(basename(__FILE__), $_SERVER['PHP_SELF']))
  37 {
  38         $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
  39         require($INC);
  40 }
  41
  42 // Add description as navigation point
  43 ADD_DESCR("guest", basename(__FILE__));
  44
  45 OPEN_TABLE("100%", "guest_content_align", "");
  46 global $DATA, $FATAL;
  47
  48 // Initialize data
  49 $probe_nickname = false; $UID = false; $hash = "";
  50 unset($login); unset($online);
  51
  52 if ((!empty($GLOBALS['userid'])) && (!empty($_COOKIE['u_hash'])))
  53 {
  54         // Already logged in?
  55         $UID = $GLOBALS['userid'];
  56 }
  57  elseif ((!empty($_POST['id'])) && (!empty($_POST['password'])) && (isset($_POST['ok'])))
  58 {
  59         // Set userid and crypt password when login data was submitted
  60         $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id']));
  61         if ($probe_nickname)
  62         {
  63                 // Nickname entered
  64                 $UID = SQL_ESCAPE($_POST['id']);
  65         }
  66          else
  67         {
  68                 // Direct userid entered
  69                 $UID  = bigintval($_POST['id']);
  70         }
  71 }
  72  elseif (!empty($_POST['new_pass']))
  73 {
  74         // New password requested
  75         $UID = "0";
  76         if (!empty($_POST['id'])) $UID = $_POST['id'];
  77 }
  78  else
  79 {
  80         // Not logged in
  81         $UID = "0"; $hash = "";
  82 }
  83
  84 $URL = ""; $ADD = "";
  85 // Set unset variables
  86 if (empty($_POST['new_pass'])) $_POST['new_pass'] = "";
  87 if (empty($_GET['login']))     $_GET['login']     = "";
  88
  89 if (IS_LOGGED_IN())
  90 {
  91         // Login immidiately...
  92         $URL = URL."/modules.php?module=login";
  93 }
  94  elseif (isset($_POST['ok']))
  95 {
  96         // Add last_login if available
  97         $LAST = "";
  98         if (GET_EXT_VERSION("sql_patches") >= "0.2.8")
  99         {
 100                 $LAST = ", last_login";
 101         }
 102
 103         // Check login data
 104         $password = "";
 105         if ($probe_nickname)
 106         {
 107                 // Nickname entered
 108                 $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' AND status='CONFIRMED' LIMIT 1",
 109                  array($UID), __FILE__, __LINE__);
 110                 list($UID2, $password, $online, $login) = SQL_FETCHROW($result);
 111                 if (!empty($UID2)) $UID = $UID2;
 112         }
 113          else
 114         {
 115                 // Direct userid entered
 116                 $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d AND status='CONFIRMED' LIMIT 1",
 117                  array(bigintval($UID), $hash), __FILE__, __LINE__);
 118                 list($dmy, $password, $online, $login) = SQL_FETCHROW($result);
 119         }
 120         if (SQL_NUMROWS($result) == 1)
 121         {
 122                 // Valid data found so let's load the last login data
 123                 if (isset($_POST['ok']))
 124                 {
 125                         // By default the hash is empty
 126                         $hash = "";
 127
 128                         // Check for old MD5 passwords
 129                         if ((strlen($password) == 32) && (md5($_POST['password']) == $password))
 130                         {
 131                                 // Just set the hash to the password from DB... :)
 132                                 $hash = $password;
 133                         }
 134                          else
 135                         {
 136                                 // Encrypt hash for comparsion
 137                                 $hash = generateHash($_POST['password'], substr($password, 0, -40));
 138                         }
 139
 140                         if ($hash == $password)
 141                         {
 142                                 // New hashed password found so let's generate a new one
 143                                 $hash = generateHash($_POST['password']);
 144
 145                                 // ... and update database
 146                                 $result_update = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%d AND status='CONFIRMED' LIMIT 1",
 147                                  array($hash, $UID), __FILE__, __LINE__);
 148
 149                                 // No login bonus by default
 150                                 $BONUS = false;
 151
 152                                 // Probe for last online timemark
 153                                 $probe = time() -  $online;
 154                                 if (!empty($login)) $probe = time() - $login;
 155                                 if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= $CONFIG['login_timeout']))
 156                                 {
 157                                         // Add login bonus to user's account
 158                                         $ADD = ", login_bonus=login_bonus+'".$CONFIG['login_bonus']."'";
 159                                         $BONUS = true;
 160
 161                                         // Subtract login bonus from userid's account or jackpot
 162                                         if ((GET_EXT_VERSION("bonus") >= "0.3.5") && ($CONFIG['bonus_mode'] != "ADD")) BONUS_POINTS_HANDLER('login_bonus');
 163                                 }
 164
 165
 166                                 // Secure lifetime from input form
 167                                 $l = bigintval($_POST['lifetime']);
 168                                 $life = "-1";
 169                                 if ($l > 0)
 170                                 {
 171                                         // Calculate lifetime of cookies
 172                                         $life = time() + $l;
 173
 174                                         // Calculate new hash with the secret key and master salt together
 175                                         $hash = generatePassString($hash);
 176
 177                                         // Update cookies
 178                                         $login = (@setcookie("userid"  , $UID , $life, COOKIE_PATH)
 179                                                && @setcookie("u_hash"  , $hash, $life, COOKIE_PATH)
 180                                                && @setcookie("lifetime", $l   , $life, COOKIE_PATH));
 181
 182                                         // Update global array
 183                                         $GLOBALS['userid'] = $UID;
 184                                         $_COOKIE['u_hash'] = $hash;
 185                                         $_COOKIE['lifetime'] = $l;
 186                                 }
 187                                  else
 188                                 {
 189                                         // Check for login data
 190                                         $login = IS_LOGGED_IN();
 191                                 }
 192
 193                                 if ($login)
 194                                 {
 195                                         // Update database records
 196                                         $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET total_logins=total_logins+1".$ADD." WHERE userid=%d LIMIT 1",
 197                                          array(bigintval($UID)), __FILE__, __LINE__);
 198                                         if (SQL_AFFECTEDROWS($link) == 1)
 199                                         {
 200                                                 // Procedure to checking for login data
 201                                                 if (($BONUS) && (EXT_IS_ACTIVE("bonus")))
 202                                                 {
 203                                                         // Bonus added (just displaying!)
 204                                                         $URL = URL."/modules.php?module=chk_login&mode=bonus";
 205                                                 }
 206                                                  else
 207                                                 {
 208                                                         // Bonus not added
 209                                                         $URL = URL."/modules.php?module=chk_login&mode=login";
 210                                                 }
 211                                         }
 212                                          else
 213                                         {
 214                                                 // Cannot update counter!
 215                                                 $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_CNTR_FAILED;
 216                                         }
 217                                 }
 218                                  else
 219                                 {
 220                                         // Cookies not setable!
 221                                         $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_NO_COOKIES;
 222                                 }
 223                         }
 224                          else
 225                         {
 226                                 // Wrong password!
 227                                 $ERROR = CODE_WRONG_PASS;
 228                         }
 229                 }
 230                  else
 231                 {
 232                         // Fatal error!
 233                         $ERROR = CODE_LOGIN_FAILED;
 234                 }
 235         }
 236          else
 237         {
 238                 // Other account status?
 239                 $result = SQL_QUERY_ESC("SELECT status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d LIMIT 1",
 240                  array(bigintval($UID)), __FILE__, __LINE__);
 241                 if (SQL_NUMROWS($result) == 1)
 242                 {
 243                         // Load status
 244                         list($status) = SQL_FETCHROW($result);
 245                         switch ($status)
 246                         {
 247                         case "LOCKED":
 248                                 $ERROR = CODE_ID_LOCKED;
 249                                 break;
 250
 251                         case "UNCONFIRMED":
 252                                 $ERROR = CODE_ID_UNCONFIRMED;
 253                                 break;
 254
 255                         default:
 256                                 $ERROR = CODE_UNKNOWN_STATUS;
 257                                 break;
 258                         }
 259                 }
 260                  else
 261                 {
 262                         // ID not found!
 263                         $ERROR = CODE_WRONG_ID;
 264                 }
 265
 266                 // Construct URL
 267                 $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".$ERROR;
 268         }
 269 }
 270  elseif ((!empty($_POST['new_pass'])) && (isset($UID)))
 271 {
 272         // Compile email when found in address (only secure chars!)
 273         if (!empty($_POST['email'])) $_POST['email'] = str_replace("{DOT}", '.', $_POST['email']);
 274
 275         // Set ID number when left empty
 276         if (empty($_POST['id'])) $_POST['id'] = "0";
 277
 278         // Probe userid/nickname
 279         $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id']));
 280         if ($probe_nickname)
 281         {
 282                 // Nickname entered
 283                 $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' OR email='%s' LIMIT 1",
 284                  array(addslashes($UID), $_POST['email']), __FILE__, __LINE__);
 285         }
 286          else
 287         {
 288                 // Direct userid entered
 289                 $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d OR email='%s' LIMIT 1",
 290                  array(bigintval($UID), $_POST['email']), __FILE__, __LINE__);
 291         }
 292         if (SQL_NUMROWS($result) == 1)
 293         {
 294                 // This data is valid, so we create a new pass... :-)
 295                 list($UID, $status) = SQL_FETCHROW($result);
 296
 297                 if ($status == "CONFIRMED")
 298                 {
 299                         // Ooppps, this was missing! ;-) We should update the database...
 300                         $NEW_PASS = GEN_PASS();
 301                         $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%d LIMIT 1",
 302                          array(generateHash($NEW_PASS), bigintval($UID)), __FILE__, __LINE__);
 303
 304                         // Prepare data and message for email
 305                         $DATA = array($NEW_PASS, getenv('REMOTE_ADDR'));
 306                         $msg = LOAD_EMAIL_TEMPLATE("new-pass", "", bigintval($UID));
 307
 308                         // ... and send it away
 309                         SEND_EMAIL(bigintval($UID), GUEST_NEW_PASSWORD, $msg);
 310
 311                         // Output note to user
 312                         LOAD_TEMPLATE("admin_settings_saved", false, GUEST_NEW_PASSWORD_SEND);
 313                 }
 314                  else
 315                 {
 316                         // Account is locked or unconfirmed
 317                         switch ($status)
 318                         {
 319                                 case "LOCKED"     : $MSG = CODE_ID_LOCKED;      break;
 320                                 case "UNCONFIRMED": $MSG = CODE_ID_UNCONFIRMED; break;
 321                         }
 322
 323                         // Load URL
 324                         LOAD_URL(URL."/modules.php?module=".$GLOBALS['module']."&amp;what=login&login=".$MSG);
 325                 }
 326         }
 327          else
 328         {
 329                 // ID or email is wrong
 330                 LOAD_TEMPLATE("admin_settings_saved", false, "<SPAN class=\"guest_failed\">".GUEST_WRONG_ID_EMAIL."</SPAN>");
 331         }
 332 }
 333  else
 334 {
 335         // Login problems?
 336         if (!empty($_GET['login']))
 337         {
 338                 // Ok, which one now?
 339                 $MSG = "<TR>
 340   <TD width=\"10\">&nbsp;</TD>
 341   <TD colspan=\"7\" align=\"center\">
 342     <STRONG><SPAN class=\"guest_failed\">";
 343                 switch ($_GET['login'])
 344                 {
 345                 case CODE_WRONG_PASS:
 346                         $MSG .= LOGIN_WRONG_PASS;
 347                         break;
 348
 349                 case CODE_WRONG_ID:
 350                         $MSG .= LOGIN_WRONG_ID;
 351                         break;
 352
 353                 case CODE_ID_LOCKED:
 354                         $MSG .= LOGIN_ID_LOCKED;
 355                         break;
 356
 357                 case CODE_ID_UNCONFIRMED:
 358                         $MSG .= LOGIN_ID_UNCONFIRMED;
 359                         break;
 360
 361                 case CODE_NO_COOKIES:
 362                         $MSG .= LOGIN_NO_COOKIES;
 363                         break;
 364
 365                 default:
 366                         $MSG .= LOGIN_WRONG_ID;
 367                         break;
 368                 }
 369                 $MSG .= "</SPAN></STRONG>
 370   </TD>
 371   <TD width=\"10\">&nbsp;</TD>
 372 </TR>\n";
 373                 define ('LOGIN_FAILURE_MSG', $MSG);
 374         }
 375          else
 376         {
 377                 // No problems, no output
 378                 define ('LOGIN_FAILURE_MSG', "");
 379         }
 380         // Display login form with resend-password form
 381         if (EXT_IS_ACTIVE("nickname"))
 382         {
 383                 LOAD_TEMPLATE("guest_nickname_login");
 384         }
 385          else
 386         {
 387                 LOAD_TEMPLATE("guest_login");
 388         }
 389 }
 390
 391 // Was an URL constructed?
 392 if (!empty($URL))
 393 {
 394         // URL was constructed
 395         if (!empty($FATAL[0]))
 396         {
 397                 // Fatal errors!
 398                 require_once(PATH."inc/fatal_errors.php");
 399         }
 400          else
 401         {
 402                 // Load URL
 403                 LOAD_URL($URL);
 404         }
 405 }
 406
 407 CLOSE_TABLE();
 408 //
 409 ?>