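// Start every request logged out.  user_isloggedin() caches its verdict in
// $logged_in and trusts it whenever isset($logged_in) is true, so the variable
// must be unset (not merely false) before the first check runs; the page's
// collapsed layout had swallowed the unset() into the trailing comment.
$logged_in = false; // clear it out in case someone sets it in the url or something
unset($logged_in);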
/*
create table user ( user_id int not null auto_increment primary key, user_name text, real_name text, email text, password text, remote_addr text, confirm_hash text, is_confirmed int not null default 0 );
*/
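/**
 * Report whether the current request carries a valid login token.
 *
 * Reads the globals $user_name and $id_hash (the pair user_set_tokens()
 * produces) and the site secret $hidden_hash_var.  The verdict is cached in
 * the global $logged_in: once it is set, later calls return it without
 * recomputing, so code that changes the token globals must reset it.
 *
 * @return bool
 */
function user_isloggedin()
{
    global $user_name, $id_hash, $hidden_hash_var, $logged_in;

    // Have we already run the hash checks?  If so, return the pre-set verdict.
    if (isset($logged_in)) {
        return $logged_in;
    }

    if (!$user_name || !$id_hash) {
        $logged_in = false;
        return false;
    }

    // The token is md5(name . secret) (see user_set_tokens()).  A strict
    // comparison avoids PHP's loose "==" rules for numeric-looking strings,
    // under which two different hex digests can compare equal.
    $expected = md5($user_name . $hidden_hash_var);
    $logged_in = ($expected === $id_hash);
    return $logged_in;
}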
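/**
 * Authenticate $user_name / $password against the user table and, on
 * success, install the login tokens for this request via user_set_tokens().
 *
 * Both inputs are lower-cased before hashing because the stored digests were
 * produced that way; changing that would invalidate existing passwords.
 * Messages are appended to the global $feedback.  The page's copy of the
 * "haven't confirmed" message had a broken quote escape, fixed here.
 *
 * @param string $user_name
 * @param string $password
 * @return bool true when the account exists, the password matches and the
 *              account is confirmed; false otherwise
 */
function user_login($user_name, $password)
{
    global $feedback;

    if (!$user_name || !$password) {
        $feedback .= ' error - missing user name or password ';
        return false;
    }

    $user_name = strtolower($user_name);
    $password = strtolower($password);

    // SECURITY: $user_name is interpolated straight into the query without
    // escaping or validation.  db_query() is not on this page; this lookup
    // belongs in a parameterised query in the db layer.  md5() output is
    // hex-only and cannot break out of its quotes.
    $sql = "select * from user where user_name='$user_name' and password='" . md5($password) . "'";
    $result = db_query($sql);

    if (!$result || db_numrows($result) < 1) {
        $feedback .= ' error - user not found or password incorrect ';
        return false;
    }

    if (db_result($result, 0, 'is_confirmed') != '1') {
        $feedback .= ' error - you haven\'t confirmed your account yet ';
        return false;
    }

    user_set_tokens($user_name);
    $feedback .= ' success - you are now logged in ';
    return true;
}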
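/**
 * Log the current user out: expire the two login cookies and reset the
 * in-request token globals so user_isloggedin() reports false from now on.
 *
 * The original set the cookies to an empty value with an expiry 30 days in
 * the future, which leaves empty cookies behind in the browser; an expiry in
 * the past tells the browser to discard them.  Path '/' matches the original.
 */
function user_logout()
{
    global $user_name, $id_hash, $logged_in;

    $expired = time() - 3600;
    setcookie('user_name', '', $expired, '/', '', 0);
    setcookie('id_hash', '', $expired, '/', '', 0);

    // user_isloggedin() caches its verdict in $logged_in, so a later call in
    // this same request would otherwise still report the pre-logout result.
    $user_name = '';
    $id_hash = '';
    $logged_in = false;
}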
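/**
 * Record the login token pair for this request.
 *
 * Lower-cases $user_name_in, stores it in the global $user_name and stores
 * md5($user_name . $hidden_hash_var) in the global $id_hash -- the pair that
 * user_isloggedin() verifies.  The original used $feedback without declaring
 * it global, so its error message was lost in a local variable, and the
 * page's copy of the function was missing its closing brace.
 *
 * NOTE(review): user_logout() clears 'user_name' and 'id_hash' cookies, so
 * this function presumably also wrote those cookies; that part is not on this
 * page and is not reconstructed here -- confirm against the full source.
 *
 * @param string $user_name_in
 * @return bool false when the name is empty, true otherwise
 */
function user_set_tokens($user_name_in)
{
    global $feedback, $hidden_hash_var, $user_name, $id_hash, $logged_in;

    if (!$user_name_in) {
        $feedback .= ' error - user name missing when setting tokens ';
        return false;
    }

    $user_name = strtolower($user_name_in);
    $id_hash = md5($user_name . $hidden_hash_var);

    // The pair just written is self-consistent, so refresh the cached verdict
    // rather than leaving an earlier "not logged in" answer in place.
    $logged_in = true;
    return true;
}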
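/**
 * Activate an account from the link in the confirmation email.
 *
 * Call this on the confirmation page.  $hash must equal
 * md5($email . $hidden_hash_var); because the secret is server-side, a
 * matching pair shows $email is an address this site itself hashed earlier
 * (in user_register() or user_change_email()).  That check is also what
 * keeps the string-built SQL below from being reachable with a tampered
 * address or hash.
 *
 * Unlike the original, the success message and login tokens are issued only
 * after the update succeeds.
 *
 * @param string $hash  confirm_hash from the email link
 * @param string $email address from the email link
 * @return bool true once the row is confirmed and the login tokens are set
 */
function user_confirm($hash, $email)
{
    global $feedback, $hidden_hash_var;

    // Verify that they didn't tamper with the email address.  Strict
    // comparison: "==" treats numeric-looking hex strings loosely.
    $new_hash = md5($email . $hidden_hash_var);
    if ($new_hash !== $hash) {
        $feedback .= ' hash invalid - update failed ';
        return false;
    }

    // Find this record in the db ($hash is known to be a hex digest here).
    $sql = "select * from user where confirm_hash='$hash'";
    $result = db_query($sql);
    if (!$result || db_numrows($result) < 1) {
        $feedback .= ' error - hash not found ';
        return false;
    }
    $confirmed_name = db_result($result, 0, 'user_name');

    // Confirm the email and set the account to active.
    $sql = "update user set email='$email',is_confirmed='1' where confirm_hash='$hash'";
    $result = db_query($sql);
    if (!$result) {
        $feedback .= ' error - ' . db_error();
        return false;
    }

    user_set_tokens($confirmed_name);
    $feedback .= ' user account updated - you are now logged in ';
    return true;
}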
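/**
 * Change a user's password after re-verifying the old one.
 *
 * Order of checks: the new passwords must be present and match, pass
 * account_pwvalid(), and both $change_user_name and $old_password must be
 * given.  All three are lower-cased to match how digests are stored.
 * Messages go to the global $feedback.  The original appended the
 * "must match" message after its return statement, so that message never
 * reached the user; its "doesn't meet criteria" message also had a broken
 * quote escape on the page.
 *
 * @param string $new_password1
 * @param string $new_password2
 * @param string $change_user_name
 * @param string $old_password
 * @return bool
 */
function user_change_password($new_password1, $new_password2, $change_user_name, $old_password)
{
    global $feedback;

    // New passwords present and match?
    if (!$new_password1 || $new_password1 !== $new_password2) {
        $feedback .= ' new passwords must match ';
        return false;
    }
    // Is this password long enough?
    if (!account_pwvalid($new_password1)) {
        $feedback .= ' new passwords doesn\'t meet criteria ';
        return false;
    }
    // All vars are present?
    if (!$change_user_name || !$old_password) {
        $feedback .= ' must provide user name and old password ';
        return false;
    }

    // Lower case everything.
    $change_user_name = strtolower($change_user_name);
    $old_password = strtolower($old_password);
    $new_password1 = strtolower($new_password1);
    $old_digest = md5($old_password);

    // SECURITY: $change_user_name is interpolated unescaped into both queries
    // (db_query() is not on this page); these belong in parameterised queries.
    // The md5() digests are hex-only.
    $sql = "select * from user where user_name='$change_user_name' and password='" . $old_digest . "'";
    $result = db_query($sql);
    if (!$result || db_numrows($result) < 1) {
        $feedback .= ' user not found or bad password ' . db_error();
        return false;
    }

    $sql = "update user set password='" . md5($new_password1) . "' "
        . "where user_name='$change_user_name' and password='" . $old_digest . "'";
    $result = db_query($sql);
    if (!$result || db_affected_rows($result) < 1) {
        $feedback .= ' nothing changed ' . db_error();
        return false;
    }

    $feedback .= ' password changed ';
    return true;
}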
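/**
 * Reset a forgotten password and email the new one to the account's address.
 *
 * The user name and email must both match the same row.  The original
 * derived the new password from md5(time() . name . secret), which anyone
 * who can guess the request second (and the secret) can reproduce; the
 * replacement draws it from random_bytes(), a CSPRNG.  Length stays at 14
 * lower-case hex characters.  Mailing a password in clear text is still the
 * weak point of this flow; a one-time reset link is the usual replacement.
 *
 * @param string $email
 * @param string $user_name
 * @return bool
 */
function user_lost_password($email, $user_name)
{
    global $feedback;

    if (!$email || !$user_name) {
        $feedback .= ' error - user name and email address are required ';
        return false;
    }

    $user_name = strtolower($user_name);

    // SECURITY: neither $user_name nor $email is escaped or validated before
    // being interpolated; db_query() is not on this page, so this lookup
    // should become a parameterised query in the db layer.
    $sql = "select * from user where user_name='$user_name' and email='$email'";
    $result = db_query($sql);
    if (!$result || db_numrows($result) < 1) {
        // No matching user found.
        $feedback .= ' error - incorrect user name or email address ';
        return false;
    }

    // Create a secure, new password: 7 random bytes -> 14 hex characters.
    $new_pass = bin2hex(random_bytes(7));

    // Update the database to include the new password (the original ignored
    // the result of this update and reported success regardless).
    $sql = "update user set password='" . md5($new_pass) . "' where user_name='$user_name'";
    $result = db_query($sql);
    if (!$result) {
        $feedback .= ' error - ' . db_error();
        return false;
    }

    // Send a simple email with the new password.
    mail($email, 'password reset', 'your password ' . 'has been reset to: ' . $new_pass, 'from: [email protected]');
    $feedback .= ' your new password has been emailed to you. ';
    return true;
}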
/**
 * Start an email-address change: store a fresh confirm hash for the new
 * address (the stored email itself is untouched) and send the confirmation
 * mail.  user_confirm() completes the change once the link is followed.
 *
 * @param string $password1  current password, checked against the stored digest
 * @param string $new_email
 * @param string $user_name
 * @return bool
 */
function user_change_email($password1, $new_email, $user_name)
{
    global $feedback, $hidden_hash_var;

    if (!validate_email($new_email)) {
        $feedback .= ' new email address appears invalid ';
        return false;
    }

    $hash = md5($new_email . $hidden_hash_var);
    $login = strtolower($user_name);
    $digest = md5(strtolower($password1));

    // Change the confirm hash in the db but not the email; the update only
    // matches a row when the password is right.
    // SECURITY: $login is interpolated unescaped (db_query() is not on this
    // page); $hash and $digest are hex-only.
    $sql = "update user set confirm_hash='$hash' where user_name='$login' and password='" . $digest . "'";
    $result = db_query($sql);
    if (!$result || db_affected_rows($result) < 1) {
        $feedback .= ' error - incorrect user name or password ';
        return false;
    }

    // Send out a new confirm email with the new hash.
    $feedback .= ' confirmation sent ';
    user_send_confirm_email($new_email, $hash);
    return true;
}
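/**
 * Email the confirmation link that user_confirm() expects.
 *
 * Used by user_register() and user_change_email(), both of which run
 * validate_email() on the address before calling here.  $hash is
 * md5($email . $hidden_hash_var) as computed by the caller; user_confirm()
 * recomputes and compares it, so the link carries both values.  The page's
 * collapsed copy showed "/n" where the newline escapes belong.
 *
 * @param string $email recipient and the address embedded in the link
 * @param string $hash  confirm_hash stored for the account
 */
function user_send_confirm_email($email, $hash)
{
    $message = "thank you for registering at phpbuilder.com"
        . "\nsimply follow this link to confirm your registration: "
        . "\n\nhttp://www.phpbuilder.com/account/confirm.php?hash=$hash&email=" . urlencode($email)
        . "\n\nonce you confirm, you can use the services on phpbuilder.";
    mail($email, 'phpbuilder registration confirmation', $message, 'from: [email protected]');
}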
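/**
 * Create an unconfirmed account and send the confirmation email.
 *
 * Requires a user name, matching passwords, and an email that passes
 * validate_email(); the name must pass account_namevalid() and the password
 * account_pwvalid().  Name and password are lower-cased before storage, the
 * same way user_login() treats them.  Messages go to the global $feedback.
 *
 * The page's lower-cased copy read $globals[remote_addr], an ordinary
 * undefined variable rather than the superglobal; the client address is
 * taken from $_SERVER['REMOTE_ADDR'] instead.
 *
 * @param string $user_name
 * @param string $password1
 * @param string $password2
 * @param string $email
 * @param string $real_name
 * @return bool
 */
function user_register($user_name, $password1, $password2, $email, $real_name)
{
    global $feedback, $hidden_hash_var;

    // All vars present and passwords match?
    if (!$user_name || !$password1 || $password1 !== $password2 || !$email || !validate_email($email)) {
        $feedback .= ' error - must fill in user name, matching passwords, and provide valid email address ';
        return false;
    }
    // Password and name are valid?
    if (!account_namevalid($user_name) || !account_pwvalid($password1)) {
        $feedback .= ' account name or password invalid ';
        return false;
    }

    $user_name = strtolower($user_name);
    $password1 = strtolower($password1);

    // Does the name exist in the database?  ($user_name passed
    // account_namevalid(), so it contains only letters, digits, '-' and '_'.)
    $sql = "select * from user where user_name='$user_name'";
    $result = db_query($sql);
    if ($result && db_numrows($result) > 0) {
        $feedback .= ' error - user name exists ';
        return false;
    }

    // Create a new hash to insert into the db and the confirmation email.
    $hash = md5($email . $hidden_hash_var);
    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // SECURITY: $real_name is never validated and $email only passes
    // validate_email(); both are interpolated unescaped.  db_query() is not
    // on this page -- this insert should be parameterised in the db layer.
    $sql = "insert into user (user_name,real_name,password,email,remote_addr,confirm_hash,is_confirmed) "
        . "values ('$user_name','$real_name','" . md5($password1) . "','$email','$remote_addr','$hash','0')";
    $result = db_query($sql);
    if (!$result) {
        $feedback .= ' error - ' . db_error();
        return false;
    }

    // Send the confirm email.
    user_send_confirm_email($email, $hash);
    $feedback .= ' successfully registered. you should have a confirmation email waiting ';
    return true;
}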
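/**
 * Fetch (once per request) the user row for the logged-in user.
 *
 * The result handle is cached in the global $g_user_result so the three
 * accessors below share one query; a failed query is not cached (the handle
 * stays false), as in the original.  The original three accessors each
 * carried a copy of this lookup.
 *
 * user_getname() returns an error string rather than a name when nobody is
 * logged in, and that string was being interpolated into the query; the
 * lookup is skipped in that case, which yields the same false result.
 *
 * @return mixed the db_query() result handle, or false
 */
function user_fetch_result()
{
    global $g_user_result;

    if (!$g_user_result) {
        if (!user_isloggedin()) {
            return false;
        }
        $g_user_result = db_query("select * from user where user_name='" . user_getname() . "'");
    }
    return $g_user_result;
}

/**
 * Column $column of the logged-in user's row, or false when there is none.
 *
 * @param string $column
 * @return mixed
 */
function user_fetch_field($column)
{
    $result = user_fetch_result();
    if ($result && db_numrows($result) > 0) {
        return db_result($result, 0, $column);
    }
    return false;
}

/** @return mixed user_id of the logged-in user, or false */
function user_getid()
{
    return user_fetch_field('user_id');
}

/** @return mixed real_name of the logged-in user, or false */
function user_getrealname()
{
    return user_fetch_field('real_name');
}

/** @return mixed email of the logged-in user, or false */
function user_getemail()
{
    return user_fetch_field('email');
}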
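/**
 * Name of the logged-in user, read from $GLOBALS['user_name'] (the token
 * user_set_tokens() stores).  The page's lower-cased copy read $globals,
 * which is an ordinary undefined variable, not the superglobal.
 *
 * @return string the user name, or an error message when not logged in
 *                (callers must not treat that message as a name)
 */
function user_getname()
{
    if (user_isloggedin()) {
        return $GLOBALS['user_name'];
    }
    // Look up the user some day when we need it.
    return ' error - not logged in ';
}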
/**
 * Minimum-length check for a new password (at least 6 bytes).
 * Appends the reason to the global $feedback when the check fails.
 *
 * @param string $pw
 * @return bool
 */
function account_pwvalid($pw)
{
    global $feedback;

    $long_enough = strlen($pw) >= 6;
    if (!$long_enough) {
        $feedback .= " password must be at least 6 characters. ";
    }
    return $long_enough;
}
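/**
 * Validate a login name before registration.
 *
 * Rules, in the order checked: no spaces; must begin with an ASCII letter
 * (the original comment says "at least one character", but strspn() tests
 * the leading run); only ASCII letters, digits, '-' and '_'; 5 to 15
 * characters; not one of the reserved system names; not prefixed
 * "anoncvs_".  The first failing rule's message is appended to the global
 * $feedback.  user_register() lower-cases the name only after this check,
 * so upper-case letters are accepted here -- the page's lower-cased copy
 * showed the letter set twice, read as a-z followed by A-Z.
 *
 * eregi() (removed in PHP 7) is replaced by the equivalent preg_match() with
 * the i flag; the reserved-name branch now returns false rather than 0, and
 * the over-length message matches the limit actually enforced.
 *
 * @param string $name
 * @return bool
 */
function account_namevalid($name)
{
    global $feedback;

    $letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $legal = $letters . '0123456789-_';

    // No spaces (the original strrpos() > 0 test missed a leading space).
    if (strpos($name, ' ') !== false) {
        $feedback .= " there cannot be any spaces in the login name. ";
        return false;
    }
    // Must start with a letter.
    if (strspn($name, $letters) == 0) {
        $feedback .= "there must be at least one character.";
        return false;
    }
    // Must contain all legal characters.
    if (strspn($name, $legal) != strlen($name)) {
        $feedback .= " illegal character in name. ";
        return false;
    }
    // Min and max length.
    if (strlen($name) < 5) {
        $feedback .= " name is too short. it must be at least 5 characters. ";
        return false;
    }
    if (strlen($name) > 15) {
        $feedback .= "name is too long. it must be at most 15 characters.";
        return false;
    }
    // Illegal (reserved) names.
    $reserved = '/^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|news'
        . '|uucp|operator|games|mysql|httpd|nobody|dummy'
        . '|www|cvs|shell|ftp|irc|debian|ns|download)$/i';
    if (preg_match($reserved, $name)) {
        $feedback .= "name is reserved.";
        return false;
    }
    if (preg_match('/^anoncvs_/i', $name)) {
        $feedback .= "name is reserved for cvs.";
        return false;
    }

    return true;
}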
function validate_email ($address) { return (ereg('^-!}