<?php
require_once('../../../config.php');
require_once(FOLDER_RELATIVE_COMMON . 'database.php');
session_start();
$request = isset($_GET['request']) ? $_GET['request'] : '';
if ($request == 'xml') {
header('Content-Type: text/xml');
$xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' . "\n";
$forgotpassword = isset($_GET['forgotpassword']) ? $_GET['forgotpassword'] : '';
if ($forgotpassword == 'Y') {
$username = isset($_GET['loginu']) ? $_GET['loginu'] : '';
if ($username == '') {
$xml .= "<root>Error: Please enter your email address or username in the username field</root>\n";
echo $xml;
exit;
}
// If the account does not exist, no reason to email, but report back to the webpage as if it did exist.
if ($username == 'text') {
// Do something here, like email the admin or the user directly.
}
$xml .= "<root>The site administrator has been notified and will contact you with your new password shortly</root>\n";
echo $xml;
exit;
}
$authenticated = isset($_SESSION['username']) ? 1 : 0;
if ($authenticated) {
$xml .= "<root>You are logged in as " . $_SESSION['username'] . "</root>\n";
echo $xml;
exit;
}
$show_first_time = isset($_SESSION['show_first_time']) ? $_SESSION['show_first_time'] : 0;
$username = isset($_GET['loginu']) ? $_GET['loginu'] : '';
$password = isset($_GET['loginp']) ? $_GET['loginp'] : '';
if ($username == '' && $password == '') {
if ($show_first_time) {
$xml .= "<root>Since this is your first time logging in, please choose the username you would like to use and a new password</root>\n";
} else {
// $xml .= "<root>Please enter username and password to login</root>\n";
$xml .= "<root></root>\n";
}
echo $xml;
exit;
}
if ($username == '' || $password == '') {
$xml .= "<root>Error: Missing username or password</root>\n";
echo $xml;
exit;
}
if ($show_first_time == 0) {
// Look the user up.
$password = md5("jaxblog" . $password); // add a little salt to the password prior to hashing it
$sql = "SELECT id FROM Users WHERE (username = ? OR ( email = ? AND first_time = 'Y')) AND password = ?";
$user_id = databaseGetValue($sql, array($username, $username, $password));
if (isset($user_id) && $user_id != 0) {
// First time through user logs in with email address and temp password.
// So ask them for a permanent username and password.
$is_first_time = databaseGetValue('SELECT first_time FROM Users WHERE id = ?', array($user_id));
if (isset($is_first_time) && $is_first_time == 'Y') {
$_SESSION['show_first_time'] = 1;
$_SESSION['user_id'] = $user_id;
$xml .= "<root>Since this is your first time logging in, please choose the username you would like to use and a new password</root>\n";
} else {
$_SESSION['username'] = $username;
$_SESSION['user_id'] = $user_id;
$xml .= "<root>Success logging in as " . $_SESSION['username'] . "</root>\n";
}
} else {
sleep(3);
$xml .= "<root>Error: User not found in system or password is incorrect</root>\n";
}
} else {
// Username must be at least seven characters and at most 12.
if (strlen($username) < 7 || strlen($username) > 12) {
$xml .= "<root>Error: New username must be between seven and 12 characters in length</root>\n";
echo $xml;
exit;
}
// Test to see if the new password is strong enough to save off.
$score = passwordScore($password);
if ($score < 2) {
$xml .= "<root>Error: New password must be seven characters in length and contain letters and numbers</root>\n";
echo $xml;
exit;
}
// Store the new username and password.
$password = md5("jaxblog" . $password); // add a little salt to the password prior to hashing it
$sql = 'UPDATE Users SET username = ?, password = ?, first_time = ? WHERE id = ?';
databaseExecute($sql, array($username, $password, 'N', $_SESSION['user_id']));
$_SESSION['username'] = $username;
$xml .= "<root>Success logging in as " . $_SESSION['username'] . "</root>\n";
}
echo $xml;
exit;
}
if ($request == "reset") {
session_start();
unset($_SESSION['user_id']);
unset($_SESSION['username']);
unset($_SESSION['show_first_time']);
header("location: user_login.php");
exit;
}
?>