<?php
/*
Copyright (c) 2008 http://ramui.com. All right reserved.
This product is by copyright and distributed under licenses restricting copying, distribution. Permission is granted to the public to download and use this script provided that this Notice and any statement of authorship are reproduced in every page on all copies of the script.
*/
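/**
 * Front controller for the guest-book "user" area: session verification, login,
 * registration and password-reminder handling, plus the logged-in actions
 * (new post, comment, profile update, logout) dispatched by get_query().
 *
 * Account levels as this class uses them: 0 = banned, 6 = active,
 * 7 = registered but email not yet confirmed, 8 = active with a changed email
 * address awaiting confirmation (set by save_user()). Only 6 and 8 may log in.
 *
 * Session state: $_SESSION['fw_login'] holds the per-login token that is also
 * written to the user row together with the client address (verify_user()
 * requires both to match); $_SESSION['fw_try'] counts form attempts and locks
 * the forms after five.
 *
 * NOTE(review): passwords are stored and compared in clear text, and forget()
 * mails them back to the user. Moving to password_hash()/password_verify()
 * needs a data migration and is out of scope for this rewrite.
 *
 * The methods that include template files (add_comment(), usercp(), log_in())
 * deliberately keep the local variable names the templates read ($title,
 * $menu, $scriptfile, $submit, $preview, $comment_title, $row, $disabled_email,
 * $message).
 */
class clslogin extends connection
{
    /** Id of the authenticated user; set by verify_user(), login() and remote_login(). */
    private $uid;

    /**
     * Reads a POST field the way the form handlers expect it; a missing field
     * yields '' instead of a notice.
     *
     * @param string $key       POST key
     * @param bool   $urldecode true for the AJAX handlers, which submit rawurlencoded values
     * @return string
     */
    private function post_field($key, $urldecode = false)
    {
        $value = isset($_POST[$key]) ? $_POST[$key] : '';
        if ($urldecode) {
            return trim(fw_strip_slashes(rawurldecode($value)));
        }
        return fw_strip_slashes(trim($value));
    }

    /**
     * Client address, escaped for interpolation into SQL (the original pasted
     * REMOTE_ADDR into queries unescaped).
     *
     * @return string
     */
    private function client_ip()
    {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        return mysql_real_escape_string($ip);
    }

    /**
     * Decides whether the request belongs to a logged-in user.
     *
     * With a session token present, the token plus the client address must
     * match a user row; otherwise the login / forget / register forms are
     * processed in that order.
     *
     * @param string $message receives the HTML status message for the login page
     * @return bool true when $this->uid has been set
     */
    private function verify_user(&$message)
    {
        if (isset($_SESSION['fw_login'])) {
            $query = sprintf(
                "SELECT id FROM " . $this->prefix . "user WHERE login = '%s' AND session = '%s'",
                $this->client_ip(),
                mysql_real_escape_string($_SESSION['fw_login'])
            );
            $result = @mysql_query($query);
            $row = $result ? @mysql_fetch_array($result, MYSQL_ASSOC) : false;
            if (!empty($row['id'])) {
                $this->uid = $row['id'];
                return true;
            }
            // Stale or unknown token: not logged in (the original fell through and returned null).
            return false;
        }
        if ($this->exceed_login()) {
            return false;
        }
        if (!empty($_POST['login'])) {
            return $this->login($message);
        }
        if (!empty($_POST['forget'])) {
            $this->forget($message);
        }
        $this->register($message);
        return false;
    }

    /**
     * Counts register/login/forget form submissions in the session and reports
     * whether the limit of five has been exceeded. Requests that submit none of
     * those forms are not counted.
     *
     * @return bool
     */
    private function exceed_login()
    {
        if (empty($_POST['register']) && empty($_POST['login']) && empty($_POST['forget'])) {
            return false;
        }
        $_SESSION['fw_try'] = isset($_SESSION['fw_try']) ? $_SESSION['fw_try'] + 1 : 1;
        return $_SESSION['fw_try'] > 5;
    }

    /**
     * Credential check shared by login() and remote_login().
     *
     * On success resets the attempt counter, stores a fresh login token in the
     * user row (bound to the client address) and in the session, and returns
     * the user id. On failure returns false and sets $error to the HTML message.
     *
     * @param string $email
     * @param string $password
     * @param string $error
     * @return string|false
     */
    private function authenticate($email, $password, &$error)
    {
        $invalid = '<span style="color:red;">Incorrect email and/or password!</span>';
        if (!fw_validate_email($email) || !fw_validate_password($password)) {
            $error = $invalid;
            return false;
        }
        // Clear-text password comparison in SQL; see the class comment.
        $query = sprintf(
            "SELECT id FROM " . $this->prefix . "user WHERE email = '%s' AND password = '%s' AND (level=6 OR level=8)",
            mysql_real_escape_string($email),
            mysql_real_escape_string($password)
        );
        $result = @mysql_query($query);
        $num = $result ? @mysql_num_rows($result) : 0;
        if ($num < 1) {
            $error = $invalid;
            return false;
        }
        $row = @mysql_fetch_array($result, MYSQL_ASSOC);
        $_SESSION['fw_try'] = 0;
        $token = substr(fw_random(), 0, 12);
        $query = sprintf(
            "UPDATE " . $this->prefix . "user SET login = '%s', session = '%s' WHERE email = '%s'",
            $this->client_ip(),
            mysql_real_escape_string($token),
            mysql_real_escape_string($email)
        );
        if (@mysql_query($query) === false) {
            $error = '<span style="color:red;">System error! Please try again later.</span>';
            return false;
        }
        $_SESSION['fw_login'] = $token;
        return $row['id'];
    }

    /**
     * Handles the regular (form POST) login.
     *
     * @param string $message receives the HTML error message on failure
     * @return bool
     */
    private function login(&$message)
    {
        $uid = $this->authenticate($this->post_field('email'), $this->post_field('password'), $message);
        if ($uid === false) {
            return false;
        }
        $this->uid = $uid;
        return true;
    }

    /**
     * Handles the AJAX login: prints either an error span or 'success' and exits.
     * Counts the attempt itself because exceed_login() is not consulted on this path.
     *
     * @return void (never returns)
     */
    private function remote_login()
    {
        $_SESSION['fw_try'] = isset($_SESSION['fw_try']) ? $_SESSION['fw_try'] + 1 : 1;
        if ($_SESSION['fw_try'] > 5) {
            exit;
        }
        $error = '';
        $uid = $this->authenticate(
            $this->post_field('email', true),
            $this->post_field('password', true),
            $error
        );
        if ($uid === false) {
            echo $error;
            exit;
        }
        // The original assigned $row['id'] here without ever fetching $row.
        $this->uid = $uid;
        echo 'success';
        exit;
    }

    /**
     * "Forgot password" form: re-sends the verification mail for unconfirmed
     * accounts (level 7), otherwise mails the stored password.
     *
     * @param string $message receives the HTML status message
     * @return bool true only when the password mail was sent
     */
    private function forget(&$message)
    {
        $notfound = '<span style="color:red;">No such email in our database!</span>';
        $email = $this->post_field('forgetemail');
        if (!fw_validate_email($email)) {
            $message = $notfound;
            return false;
        }
        $query = sprintf(
            "SELECT id, name, password, level FROM " . $this->prefix . "user WHERE email = '%s' AND level > 5",
            mysql_real_escape_string($email)
        );
        $result = @mysql_query($query);
        $row = $result ? @mysql_fetch_array($result, MYSQL_ASSOC) : false;
        if (empty($row['id'])) {
            $message = $notfound;
            return false;
        }
        // mysql_fetch_array() returns strings; the original's `=== 7` never matched.
        if ((int)$row['level'] === 7) {
            $message = $this->send_verification($email, $row['name'])
                ? '<span style="color:green;">Resend verification email. Please confirm your account.</span>'
                : '<span style="color:red;">System error! Please  contact site administrator.</span>';
            return false;
        }
        $host = getenv('HTTP_HOST');
        $from = "From: " . $this->default_from() . "\r\n";
        $text = "Hello " . $row['name'] . ",\r\n";
        $text .= "Your requested password is: " . $row['password'] . "\r\n";
        $text .= "Login your account at: http://" . $host . fw_get_docroot() . "gb/user/index.php\r\n";
        $text .= "\r\nThank you.\r\nSite administrator.\r\nhttp://" . $host . "/";
        $text .= "\r\n------------------------------------------\r\nThis is an autogenerated email. Please do not reply.";
        if (@mail($email, 'Your requested password', $text, $from)) {
            $message = '<span style="color:green;">Password has been send.Please check your email account.</span>';
            return true;
        }
        $message = '<span style="color:red;">System error! Please contact site administrator.</span>';
        return false;
    }

    /**
     * Sender address for outgoing mail: noreply@ the current host without "www.".
     *
     * @return string
     */
    private function default_from()
    {
        return 'noreply@' . str_replace('www.', '', strtolower(getenv('HTTP_HOST')));
    }

    /**
     * Inserts a new user row.
     *
     * @param string $name
     * @param string $user
     * @param string $email
     * @param string $password stored in clear text (see the class comment)
     * @param int    $level    6 = active, 7 = awaiting email confirmation
     * @return bool
     */
    private function create_user($name, $user, $email, $password, $level)
    {
        $query = sprintf(
            "INSERT INTO " . $this->prefix . "user(name, user, email, password, level, date) VALUES ('%s', '%s', '%s', '%s', %d, %d)",
            mysql_real_escape_string($name),
            mysql_real_escape_string($user),
            mysql_real_escape_string($email),
            mysql_real_escape_string($password),
            $level,
            time()
        );
        return (bool)@mysql_query($query);
    }

    /**
     * Registration form. Creates the account (level 7 + verification mail when
     * the site requires it, level 6 otherwise) or explains why it cannot.
     * Validation failures that the original reported silently still set no message.
     *
     * @param string $message receives the HTML status message
     * @return bool always false (registration never logs the user in)
     */
    private function register(&$message)
    {
        $syserr = '<span style="color:red;">System error! Please  contact site administrator.</span>';
        $name = $this->post_field('name');
        $user = $this->post_field('user');
        $password = $this->post_field('pw');
        $email = $this->post_field('registeremail');
        if (!fw_validate_user($user, $email) || !fw_validate_password($password)) {
            return false;
        }
        $length = strlen($name);
        if ($length > 50 || $length < 5) {
            return false;
        }
        $query = sprintf(
            "SELECT id, user, password, level FROM " . $this->prefix . "user WHERE email = '%s'",
            mysql_real_escape_string($email)
        );
        $result = @mysql_query($query);
        $row = $result ? @mysql_fetch_array($result, MYSQL_ASSOC) : false;
        if (empty($row['id'])) {
            $query = sprintf(
                "SELECT id FROM " . $this->prefix . "user WHERE user = '%s'",
                mysql_real_escape_string($user)
            );
            $result = @mysql_query($query);
            $num = $result ? @mysql_num_rows($result) : 0;
            if (empty($num)) {
                if ($this->site['verifyuser'] == 'Y') {
                    if ($this->create_user($name, $user, $email, $password, 7)) {
                        $message = $this->send_verification($email, $name)
                            ? '<span style="color:green;">A verification email has been send. Please confirm your account.</span>'
                            : $syserr;
                    } else {
                        $message = $syserr;
                    }
                } else {
                    $message = $this->create_user($name, $user, $email, $password, 6)
                        ? '<span style="color:green;">Thank you for registering, your account has been created. You may now login with your email and password.</span>'
                        : $syserr;
                }
            } else {
                // The submitted user name is echoed back into the page, so escape it.
                $message = '<span style="color:red;">User <b>' . htmlspecialchars($user) . '</b> already exist! Please select different user name.</span>';
            }
            return false;
        }
        if ($row['user'] !== $user) {
            $message = '<span style="color:red;">Another user is using this email ID! Please select different one.</span>';
            return false;
        }
        // Levels come back from MySQL as strings; the original's strict int
        // comparisons never matched, so the banned/already-registered branches were dead.
        $level = (int)$row['level'];
        if ($level === 0) {
            $message = '<span style="color:red;">Sorry! you have been banned from this site.</span>';
            return false;
        }
        if ($level === 6 || $level === 8) {
            $message = '<span style="color:red;">You are already registered! Please use <b>Forget password</b> to resend password.</span>';
            return false;
        }
        if ($level === 7) {
            $message = '<span style="color:red;">You are already registered. Please use <b>Forget password</b> form to resend verification email.</span>';
        }
        return false;
    }

    /**
     * Stores a fresh verification token in tmpuser (replacing any earlier one
     * for the address) and mails the confirmation link.
     *
     * @param string $email
     * @param string $name greeting name; may be empty
     * @return bool whether mail() accepted the message
     */
    private function send_verification($email, $name)
    {
        $dt = time();
        $verify = substr(fw_random(), 0, 12);
        $sqlEmail = mysql_real_escape_string($email);
        $sqlVerify = mysql_real_escape_string($verify);
        @mysql_query(sprintf("DELETE FROM " . $this->prefix . "tmpuser  WHERE email = '%s'", $sqlEmail));
        if (!empty($this->uid)) {
            $query = sprintf(
                "INSERT INTO " . $this->prefix . "tmpuser(uid, email, verify, date) VALUES (%d, '%s', '%s', %d)",
                $this->uid,
                $sqlEmail,
                $sqlVerify,
                $dt
            );
        } else {
            $query = sprintf(
                "INSERT INTO " . $this->prefix . "tmpuser(email, verify, date) VALUES ('%s', '%s', %d)",
                $sqlEmail,
                $sqlVerify,
                $dt
            );
        }
        if (!@mysql_query($query)) {
            return false;
        }
        $host = strtolower(getenv("HTTP_HOST"));
        $selfurl = str_replace("www.", "", $host);
        // The address travels in a query string, so URL-encode it (the original pasted it raw).
        $link = 'http://' . $host . fw_get_docroot() . 'gb/verify.php?confirm=' . md5($verify) . '&email=' . rawurlencode($email);
        // The original started with `$text.=` on an undefined variable.
        $text = "Thank you for contacting with " . $selfurl . ".  We have received your information and we will process it once you confirm your email address by clicking on the following hyperlink:\r\n\r\n";
        $text .= "$link\r\n*This link will remain active for 48 hours.\r\n\r\n";
        $text .= "-----------------------------------\r\nYou receive this email because you (or someone else) has added this email address to $selfurl.\r\n";
        $text .= "This is an auto generated email. Please do not reply.";
        if (!empty($name)) {
            $text = "Hello $name,\r\n$text";
        }
        return @mail($email, 'Verification required', $text, 'From: ' . $this->default_from());
    }

    /**
     * Clears the session token both in PHP and in the user row, then redirects
     * (form) or prints 'success' (AJAX) and exits.
     *
     * @param mixed $remote truthy for the AJAX variant
     * @return void (never returns)
     */
    private function log_out($remote = '')
    {
        unset($_SESSION['fw_login']);
        // The original wrote "SET login ='' AND session = ''", which MySQL parses as a single
        // boolean assignment to `login`, so the stored token was never invalidated.
        $query = sprintf(
            "UPDATE " . $this->prefix . "user SET login = '', session = '' WHERE login = '%s'",
            $this->client_ip()
        );
        @mysql_query($query);
        if (empty($remote)) {
            @header("Location: index.php");
        } else {
            echo 'success';
        }
        exit;
    }

    /**
     * AJAX handler that stores a new post ($pid empty) or a comment on post $pid
     * after checking the captcha and the configured size limits; prints the
     * outcome and exits.
     *
     * @param mixed $pid parent post id, '' for a new post
     * @return void (never returns)
     */
    private function save_comment($pid = '')
    {
        $captcha = isset($_POST['fw_captcha_code']) ? $_POST['fw_captcha_code'] : '';
        // NOTE(review): the captcha hash is left in the session after a successful check;
        // whether the image script always regenerates it is not visible here.
        if (empty($_SESSION['fw_captcha_code']) || md5($captcha) !== $_SESSION['fw_captcha_code']) {
            echo '<span style="color:red; background-color:white;">Error! wrong verification code. Please try again.</span>';
            exit;
        }
        $title = htmlspecialchars(fw_remove_smarttag($this->post_field('title', true)));
        $comment = $this->post_field('comment', true);
        $autolink = empty($_POST["autolink"]) ? '' : 'Y';
        $dt = time();
        $publish = ($this->site['approval'] == 'A') ? 'Y' : '';
        $max_size = empty($pid) ? $this->site['postsize'] : $this->site['commentsize'];
        if (strlen($comment) > $max_size || strlen($title) > 80) {
            exit;
        }
        if (empty($pid)) {
            $description = htmlspecialchars(fw_remove_smarttag($this->post_field('description', true)));
            $description = str_replace("\n", " ", str_replace("\r", "", $description));
            $tags = htmlspecialchars(fw_remove_smarttag($this->post_field('tags', true)));
            if (strlen($description) > 250 || strlen($tags) > 250) {
                exit;
            }
            $query = sprintf(
                "INSERT INTO " . $this->prefix . "post(title, description, keywords, uid, content, autolink, publish, date) VALUES ('%s', '%s', '%s', %d, '%s', '$autolink', '$publish', $dt)",
                mysql_real_escape_string($title),
                mysql_real_escape_string($description),
                mysql_real_escape_string($tags),
                $this->uid,
                mysql_real_escape_string($comment)
            );
        } else {
            $query = sprintf(
                "INSERT INTO " . $this->prefix . "comments(title, pid, uid, comment, autolink, publish, date) VALUES ('%s', %d, %d, '%s', '$autolink', '$publish', $dt)",
                mysql_real_escape_string($title),
                $pid,
                $this->uid,
                mysql_real_escape_string($comment)
            );
        }
        @mysql_query($query);
        echo '<span style="color:green; background-color:white;">'
            . (($this->site['approval'] == 'A') ? 'Your message has been successfully posted' : 'Your message is waiting for approval')
            . '</span>';
        exit;
    }

    /**
     * Renders the "new post" / "add comment" page. Local variables are read by
     * include/add_comment.php and include/head.php.
     *
     * @param mixed $pid parent post id, '' for a new post
     * @return void
     */
    private function add_comment($pid = '')
    {
        $scriptfile = '<script type="text/javascript" src="../script/comment.js"></script>' . "\n" . '<script type="text/javascript" src="../bbcode/bbcode.js"></script>';
        $scriptfile .= '<script type="text/javascript" src="../preview/preview.js"></script>';
        if (empty($pid)) {
            $title = 'Add new post';
            $submit = sprintf("%d,%d,-1", $this->site['postsize'], $this->site['imagecount']);
            $preview = sprintf("%d,%d,%d,%d", $this->site['postsize'], $this->site['imagewidth'], $this->site['imageheight'], $this->site['imagecount']);
        } else {
            $query = sprintf("SELECT id, title FROM " . $this->prefix . "post WHERE id = %d AND locked <> 'Y'", $pid);
            $result = @mysql_query($query);
            $num = $result ? @mysql_num_rows($result) : 0;
            if ($num < 1) {
                @header("LOCATION: index.php");
                exit;
            }
            $row = @mysql_fetch_array($result, MYSQL_ASSOC);
            $comment_title = substr('Re: ' . $row['title'], 0, 80);
            $title = 'Add comment';
            $submit = sprintf("%d,%d,%d", $this->site['commentsize'], $this->site['imagecount'], $pid);
            $preview = sprintf("%d,%d,%d,%d", $this->site['commentsize'], $this->site['imagewidth'], $this->site['imageheight'], $this->site['imagecount']);
        }
        $menu = '<a href="../../index.php">GuestBook</a> | <a href="index.php">User CP</a> | <a href="index.php?query=5">Logout</a>';
        if (fw_get_docroot() !== '/') {
            $menu .= ' | <a href="http://' . $_SERVER['HTTP_HOST'] . '/">Home</a>';
        }
        if (!empty($pid)) {
            // $pid comes straight from the query string; only an integer belongs in the link.
            $menu = '<a href="../../index.php?pid=' . (int)$pid . '">Back to post</a> | ' . $menu;
        }
        include "include/head.php";
        include "include/add_comment.php";
    }

    /**
     * Renders the user control panel. Local variables are read by
     * include/usercp.php and include/head.php.
     *
     * @return void
     */
    private function usercp()
    {
        $query = sprintf("SELECT* FROM " . $this->prefix . "user WHERE id = %d", $this->uid);
        $result = @mysql_query($query);
        $row = $result ? @mysql_fetch_array($result, MYSQL_ASSOC) : false;
        $disabled_email = ($this->site['allowemail'] !== 'Y');
        $title = 'UserCP :: ' . $row['user'];
        $menu = '<a href="../../index.php">GuestBook</a> | <a href="index.php?query=3">New post</a> | <a href="index.php?query=5">Logout</a>';
        $scriptfile = '<script type="text/javascript" src="../script/user.js"></script>';
        include "include/head.php";
        include "include/usercp.php";
    }

    /**
     * AJAX profile update: email, website, mail opt-in and optionally the
     * password (old one must match). A changed email on a site that verifies
     * users drops the account to level 8 and sends a new confirmation mail.
     * Prints the outcome and exits.
     *
     * @return void (never returns)
     */
    private function save_user()
    {
        $website = $this->post_field('website', true);
        $email = $this->post_field('email', true);
        $password = $this->post_field('password', true);
        $newpassword = $this->post_field('newpassword', true);
        $allowemail = empty($_POST["allowemail"]) ? '' : 'Y';
        if (!empty($password) && (!fw_validate_password($password) || !fw_validate_password($newpassword))) {
            exit;
        }
        if (!fw_validate_email($email)) {
            echo '<span style="color:red; background-color:white;">Error! Invalid email address.</span>';
            exit;
        }
        $query = sprintf("SELECT* FROM " . $this->prefix . "user WHERE id = %d", $this->uid);
        $result = @mysql_query($query);
        $row = $result ? @mysql_fetch_array($result, MYSQL_ASSOC) : false;
        $query = sprintf(
            "UPDATE " . $this->prefix . "user set email = '%s', website = '%s', allowemail = '$allowemail'",
            mysql_real_escape_string($email),
            mysql_real_escape_string($website)
        );
        $message = 'Data has been successfully updated.';
        if (!empty($password)) {
            // Clear-text comparison against the stored password; see the class comment.
            if ($row['password'] !== $password) {
                echo '<span style="color:red; background-color:white;">Error! Invalid old password.</span>';
                exit;
            }
            $query .= sprintf(", password = '%s'", mysql_real_escape_string($newpassword));
        }
        if ($row['email'] !== $email && $this->site['verifyuser'] == 'Y') {
            if (!$this->send_verification($email, $row['name'])) {
                echo '<span style="color:red;">System error! Please  contact site administrator.</span>';
                exit;
            }
            $query .= ", level = 8";
            $message .= '<br />A verification has been sent to your new email address.';
        }
        $query .= sprintf(" WHERE id = %d", $this->uid);
        @mysql_query($query);
        echo '<span style="color:green; background-color:white;">' . $message . '</span>';
        exit;
    }

    /**
     * Renders the login page. Local variables are read by include/login.php
     * and include/head.php.
     *
     * @param string $message HTML status message from the form handlers
     * @return void
     */
    private function log_in($message)
    {
        $title = 'Login';
        $menu = '<a href="../../index.php">' . $this->site['sitename'] . '</a>';
        if (fw_get_docroot() !== '/') {
            $menu .= ' | <a href="http://' . $_SERVER['HTTP_HOST'] . '/">Home</a>';
        }
        // The original tested $qur[1] here, but $qur only existed in get_query(); rebuild it
        // from the same query string so the "Back to post" link can actually appear.
        $qur = explode("M", isset($_GET['query']) ? $_GET['query'] : '');
        if (!empty($qur[1])) {
            $menu = '<a href="../../index.php?pid=' . (int)$qur[1] . '">Back to post</a> | ' . $menu;
        }
        $scriptfile = '<script type="text/javascript" src="../script/login.js"></script>';
        include "include/head.php";
        include "include/login.php";
    }

    /**
     * Entry point. The `query` GET parameter has the form "<action>[M<pid>]".
     *
     * Logged in:  1 save post, 2 save comment on pid, 3 new-post form,
     *             4 comment form for pid, 5 logout, 6 save profile,
     *             7 AJAX logout, anything else the control panel.
     * Logged out: 1/2/6 are refused, 8 AJAX login, 5/7 logout, anything else
     *             the login page.
     *
     * @return void
     */
    public function get_query()
    {
        if ($this->site['blocksite'] == 'Y' && empty($this->admin)) {
            include "../gb/include/blocksite.php";
            exit;
        }
        $query = isset($_GET['query']) ? $_GET['query'] : '';
        $qur = explode("M", $query);
        $action = $qur[0];
        $pid = isset($qur[1]) ? $qur[1] : '';
        $message = '';
        if ($this->verify_user($message)) {
            switch ($action) {
                case "1":
                    $this->save_comment();
                    break;
                case "2":
                    $this->save_comment($pid);
                    break;
                case "3":
                    $this->add_comment();
                    break;
                case "4":
                    $this->add_comment($pid);
                    break;
                case "5":
                    $this->log_out();
                    break;
                case "6":
                    $this->save_user();
                    break;
                case "7":
                    $this->log_out(true);
                    break;
                default:
                    $this->usercp();
                    break;
            }
            return;
        }
        switch ($action) {
            case "1":
            case "2":
            case "6":
                // State-changing actions need a session; refuse silently.
                exit;
            case "8":
                $this->remote_login();
                break;
            case "5":
                $this->log_out();
                break;
            case "7":
                $this->log_out(true);
                break;
            default:
                $this->log_in($message);
                break;
        }
    }
}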
?>