1 <?php
2 /************************************************************************
3  * MXChange v0.2.1                                    Start: 06/10/2005 *
4  * ===============                              Last change: 05/18/2008 *
5  *                                                                      *
6  * -------------------------------------------------------------------- *
7  * File              : what-sponsor_login.php                           *
8  * -------------------------------------------------------------------- *
9  * Short description : Login form and password resending for sponsor    *
10  * -------------------------------------------------------------------- *
11  * Kurzbeschreibung  : Loginformular und Neues Passwort fuer Sponsor    *
12  * -------------------------------------------------------------------- *
13  *                                                                      *
14  * -------------------------------------------------------------------- *
15  * Copyright (c) 2003 - 2008 by Roland Haeder                           *
16  * For more information visit: http://www.mxchange.org                  *
17  *                                                                      *
18  * This program is free software. You can redistribute it and/or modify *
19  * it under the terms of the GNU General Public License as published by *
20  * the Free Software Foundation; either version 2 of the License.       *
21  *                                                                      *
22  * This program is distributed in the hope that it will be useful,      *
23  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
24  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
25  * GNU General Public License for more details.                         *
26  *                                                                      *
27  * You should have received a copy of the GNU General Public License    *
28  * along with this program; if not, write to the Free Software          *
29  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
30  * MA  02110-1301  USA                                                  *
31  ************************************************************************/
32
// Bootstrap the framework's security layer when this module is opened on
// its own (the normal module loader has already defined __SECURITY)
if (!defined('__SECURITY')) {
	$moduleDir = dirname(__FILE__);
	// Everything up to and including ".../inc" is the include root
	$incEnd    = strpos($moduleDir, "/inc") + strlen("/inc");
	$INC       = substr($moduleDir, 0, $incEnd) . "/security.php";
	require($INC);
}
38
// Add description as navigation point
ADD_DESCR("guest", basename(__FILE__));

// Only these two "special" modes of the login system are accepted from the
// URL ("activate": resend activation link, "lost_pass": request a new
// password); anything else, or no mode at all, leaves $MODE empty.
$MODE = "";
if (!empty($_GET['mode']) && in_array($_GET['mode'], array("activate", "lost_pass"), true))
{
	$MODE = $_GET['mode'];
}
52
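// Dispatch on the request, in this order of precedence:
//   1. a confirmation hash in the URL (account / changed-address confirmation)
//   2. $MODE "activate"  - resend the activation link to a given address
//   3. $MODE "lost_pass" - generate, store and mail a new password
//   4. a submitted login form
//   5. otherwise just show the login form
if (!empty($_GET['hash']))
{
	// Lookup the sponsor whose account (UNCONFIRMED) or changed address
	// (EMAIL) is still waiting for exactly this confirmation hash
	$result = SQL_QUERY_ESC("SELECT id, status, gender, surname, family,
company, position, tax_ident,
street_nr1, street_nr2, country, zip, city, email, phone, fax, cell,
points_amount AS points, last_pay AS pay, last_curr AS curr
FROM "._MYSQL_PREFIX."_sponsor_data
WHERE hash='%s' AND (status='UNCONFIRMED' OR status='EMAIL')
LIMIT 1", array($_GET['hash']), __FILE__, __LINE__);
	if (SQL_NUMROWS($result) == 1)
	{
		// Sponsor found, load his data...
		$SPONSOR = SQL_FETCHARRAY($result);

		// Translate gender and comma
		$SPONSOR['gender'] = TRANSLATE_GENDER($SPONSOR['gender']);
		$SPONSOR['points'] = TRANSLATE_COMMA($SPONSOR['points']);
		$SPONSOR['pay']    = TRANSLATE_COMMA($SPONSOR['pay']);

		// Unconfirmed account or changed email address?
		if ($SPONSOR['status'] == "UNCONFIRMED")
		{
			// Set account to pending. Hash and status are repeated in the
			// WHERE so a stale or reused link cannot flip another row.
			$result_update = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_sponsor_data SET status='PENDING'
WHERE id='%s' AND hash='%s' AND status='UNCONFIRMED' LIMIT 1",
 array(bigintval($SPONSOR['id']), $_GET['hash']), __FILE__, __LINE__);

			// Check on success
			if (SQL_AFFECTEDROWS() == 1)
			{
				// Prepare mail and send it to the sponsor
				$MSG = LOAD_EMAIL_TEMPLATE("sponsor_pending", $SPONSOR);
				SEND_EMAIL($SPONSOR['email'], SPONSOR_ACCOUNT_PENDING_SUBJ, $MSG);

				// Send email to admin
				SEND_ADMIN_NOTIFICATION(ADMIN_NEW_SPONSOR, "admin_sponsor_pending", $SPONSOR);

				// Sponsor account set to pending
				LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACCOUNT_IS_PENDING);
			}
			else
			{
				// Could not unlock account!
				LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACCOUNT_PENDING_FAILED);
			}
		}
		elseif ($SPONSOR['status'] == "EMAIL")
		{
			// Changed email address needs to be confirmed
			$result_update = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_sponsor_data SET status='CONFIRMED'
WHERE id='%s' AND hash='%s' AND status='EMAIL' LIMIT 1",
 array(bigintval($SPONSOR['id']), $_GET['hash']), __FILE__, __LINE__);

			// Check on success
			if (SQL_AFFECTEDROWS() == 1)
			{
				// Sponsor account is unlocked again
				LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACCOUNT_IS_CONFIRMED_AGAIN);
			}
			else
			{
				// Could not unlock account!
				LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACCOUNT_EMAIL_FAILED);
			}
		}
		else
		{
			// Cannot happen with the WHERE clause above; kept as a defensive fallback
			LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACCOUNT_STATUS_FAILED);
		}
	}
	else
	{
		// No sponsor found
		LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACCOUNT_404);
	}

	// Free memory
	SQL_FREERESULT($result);
}
elseif ($MODE == "activate")
{
	// Send activation link again
	if (isset($_POST['ok']))
	{
		// Check submitted data: without an email address there is nothing to look up
		if (empty($_POST['email'])) unset($_POST['ok']);
	}

	if (isset($_POST['ok']))
	{
		// Check email; only accounts still waiting for a confirmation qualify
		$result = SQL_QUERY_ESC("SELECT id, hash, status, remote_addr, gender, surname, family, sponsor_created
FROM "._MYSQL_PREFIX."_sponsor_data
WHERE email='%s' AND (status='UNCONFIRMED' OR status='EMAIL') LIMIT 1",
 array($_POST['email']), __FILE__, __LINE__);
		if (SQL_NUMROWS($result) == 1)
		{
			// Unconfirmed sponsor account found so let's load the requested data
			$SPONSOR = SQL_FETCHARRAY($result);

			// Translate some data
			$SPONSOR['gender']          = TRANSLATE_GENDER($SPONSOR['gender']);
			$SPONSOR['sponsor_created'] = MAKE_DATETIME($SPONSOR['sponsor_created']);

			// Prepare email and send it to the sponsor
			if ($SPONSOR['status'] == "UNCONFIRMED")
			{
				// Unconfirmed accounts
				$msg_sponsor = LOAD_EMAIL_TEMPLATE("sponsor_activate", $SPONSOR);
			}
			else
			{
				// Changed email address (status EMAIL)
				$msg_sponsor = LOAD_EMAIL_TEMPLATE("sponsor_email", $SPONSOR);
			}
			SEND_EMAIL($_POST['email'], SPONSOR_ACTIVATION_LINK_SUBJ, $msg_sponsor);

			// Output message
			LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACTIVATION_LINK_SENT);
		}
		else
		{
			// No account found or not UNCONFIRMED/EMAIL
			LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_ACTIVATION_LINK_404);
		}

		// Free memory
		SQL_FREERESULT($result);
	}
	else
	{
		// Load form
		LOAD_TEMPLATE("guest_sponsor_activate");
	}
}
elseif ($MODE == "lost_pass")
{
	// Send new password
	if (isset($_POST['ok']))
	{
		// Check submitted data: both the email address and the sponsor id are
		// needed for the lookup below, so an incomplete form is shown again
		if (empty($_POST['email']) || empty($_POST['id'])) unset($_POST['ok']);
	}

	if (isset($_POST['ok']))
	{
		// Check email and id; only CONFIRMED accounts may request a new password
		$result = SQL_QUERY_ESC("SELECT id, hash, remote_addr, gender, surname, family, sponsor_created
FROM "._MYSQL_PREFIX."_sponsor_data
WHERE email='%s' AND id='%s' AND status='CONFIRMED' LIMIT 1",
 array($_POST['email'], bigintval($_POST['id'])), __FILE__, __LINE__);
		if (SQL_NUMROWS($result) == 1)
		{
			// Confirmed sponsor account found so let's load the requested data
			$SPONSOR = SQL_FETCHARRAY($result);

			// Translate some data
			$SPONSOR['gender']          = TRANSLATE_GENDER($SPONSOR['gender']);
			$SPONSOR['sponsor_created'] = MAKE_DATETIME($SPONSOR['sponsor_created']);

			// Generate password
			$SPONSOR['password']        = GEN_PASS();

			// Store the new password FIRST. The mail must only go out once the
			// stored credential has really changed, otherwise the sponsor
			// receives a password that does not work.
			// NOTE(review): the column holds a plain md5 of the password; this
			// has to stay consistent with the existing rows and with the
			// sponsor area's login/cookie check (outside this file).
			$result_update = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_sponsor_data SET password='%s'
WHERE id='%s' LIMIT 1",
 array(md5($SPONSOR['password']), bigintval($SPONSOR['id'])), __FILE__, __LINE__);

			if (SQL_AFFECTEDROWS() == 1)
			{
				// Prepare email and send it to the sponsor
				$msg_sponsor = LOAD_EMAIL_TEMPLATE("sponsor_lost", $SPONSOR);
				SEND_EMAIL($_POST['email'], SPONSOR_LOST_PASSWORD_SUBJ, $msg_sponsor);

				// Output message
				LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_LOST_PASSWORD_SENT);
			}
			else
			{
				// Row vanished or could not be updated; nothing was mailed
				LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_LOST_PASSWORD_404);
			}
		}
		else
		{
			// No account found or not CONFIRMED
			LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_LOST_PASSWORD_404);
		}

		// Free memory
		SQL_FREERESULT($result);
	}
	else
	{
		// Load form
		LOAD_TEMPLATE("guest_sponsor_lost");
	}
}
elseif (isset($_POST['ok']))
{
	// Sponsor id and password are both required. Missing or empty values are
	// reported exactly like a wrong password instead of being looked up as
	// md5('') (which also raised undefined-index notices before).
	$login_data_ok = ((!empty($_POST['sponsorid'])) && (isset($_POST['pass'])) && ($_POST['pass'] !== ""));
	$status = "";

	if ($login_data_ok)
	{
		// Check status and login data ...
		// NOTE(review): compares against a plain md5 of the password; must
		// stay in sync with how the sponsor area validates its cookie
		// (outside this file), so the scheme is not changed here.
		$result = SQL_QUERY_ESC("SELECT status FROM "._MYSQL_PREFIX."_sponsor_data
WHERE id='%s' AND password='%s' LIMIT 1",
 array(bigintval($_POST['sponsorid']), md5($_POST['pass'])), __FILE__, __LINE__);
		$login_data_ok = (SQL_NUMROWS($result) == 1);
		if ($login_data_ok)
		{
			// Okay, first login data check passed, now has he/she an approved (CONFIRMED) account?
			list($status) = SQL_FETCHROW($result);
		}

		// Free memory (before the redirect below can end the request)
		SQL_FREERESULT($result);
	}

	if ($login_data_ok && ($status == "CONFIRMED"))
	{
		// Calculate cookie lifetime, maybe we have to change this so the admin can setup a
		// seperate timeout for these two cookies?
		$life = (time() + $_CONFIG['online_timeout']);

		// Is confirmed so both is fine and we can continue with login procedure
		$login = ((setcookie("sponsorid"  , bigintval($_POST['sponsorid']), $life, COOKIE_PATH)) &&
		          (setcookie("sponsorpass", md5($_POST['pass'])           , $life, COOKIE_PATH)));

		if ($login)
		{
			// Cookie setup successfull so we can forward to sponsor area
			LOAD_URL(URL."/modules.php?module=sponsor");
		}
		else
		{
			// Cookie setup failed!
			LOAD_TEMPLATE("admin_settings_saved", false, SPONSPOR_COOKIE_SETUP_FAILED);
			OUTPUT_HTML("<br />");

			// Login formular and other links
			LOAD_TEMPLATE("guest_sponsor_login");
		}
	}
	elseif ($login_data_ok)
	{
		// Status is not fine: pick the message constant for this status
		// without eval(); unknown statuses get the generic message
		$constName = "SPONSOR_LOGIN_FAILED_".strtoupper($status);
		if (defined($constName))
		{
			$content = constant($constName);
		}
		else
		{
			$content = SPONSOR_ACCOUNT_STATUS_FAILED;
		}
		LOAD_TEMPLATE("admin_settings_saved", false, $content);
		OUTPUT_HTML("<br />");

		// Login formular and other links
		LOAD_TEMPLATE("guest_sponsor_login");
	}
	else
	{
		// Account missing or wrong pass! We shall not find this out for the "hacker folks"...
		LOAD_TEMPLATE("admin_settings_saved", false, SPONSOR_LOGIN_FAILED_404_WRONG_PASS);
		OUTPUT_HTML("<br />");

		// Login formular and other links
		LOAD_TEMPLATE("guest_sponsor_login");
	}
}
else
{
	// Login formular and other links
	LOAD_TEMPLATE("guest_sponsor_login");
}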
311
312 //
313 ?>