<?php
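// class for user authorisation, registration, etc
//
// Storage format notes (kept as-is because other files in the project read the
// same values):
//  - passwords are stored as unsalted md5 hashes; signin() also copies the hash
//    into $_SESSION["password"] and the "rem_password" cookie, and Auth()
//    compares those against the database on every request. Moving to
//    password_hash() means migrating every caller of signin($u, $hash, 0).
//  - getpassword() emails a freshly generated password in plain text, and any
//    visitor who knows a registered address can trigger that reset.
//  - the signin() error messages distinguish "unknown username" from "wrong
//    password", so they reveal which usernames exist.
class UserSys{
	
	// variables up for grabs
	var $Access;   // status column of the signed-in user, 0 for visitors; set by Auth()
	
	// user sign in and validation function
	//   $username - account name
	//   $password - plain text password, or the stored hash when $from === 0
	//   $from     - ""   : return false on success
	//               0    : cookie auto-sign-in; $password is compared with the stored hash as-is
	//               path : redirect there and exit on success (local paths only)
	// returns an error message string when sign in fails
	function signin($username, $password = "", $from = ""){
		global $db, $dbprefix;
		
		// validate the information
		if ($username == ""){ return "No username entered"; }
		if ($password == ""){ return "No password entered"; }
		
		// select user from the database
		$sql = "SELECT * FROM " . $dbprefix . "users WHERE username = '" . dbSecure($username) . "'";
		$userget = $db->execute($sql);
		if ($userget->rows < 1){ return "This username is not registerd"; }
		
		// validate the password; compare as strings so that two hashes of the
		// form "0e..." are not treated as equal numbers by loose comparison
		$given = ($from === 0) ? (string) $password : md5($password);
		if ((string) $userget->fields["password"] !== $given){
			return "Your password was incorrect";
		}
		
		// check the account isn't locked
		if ($userget->fields["status"] == 0){ return "Your account has been locked"; }
		
		// user is cleared, update database
		$sql = "UPDATE " . $dbprefix . "users SET logindate = " . time() . ", ipaddress = '";
		$sql .= dbSecure($_SERVER["REMOTE_ADDR"]) . "'";
		$sql .= " WHERE userid = " . intval($userget->fields["userid"]);
		$db->execute($sql);
		
		// a fresh session id so that a session id fixed before sign in is not
		// promoted to a signed-in one
		if (session_id() !== ""){
			session_regenerate_id(true);
		}
		
		// load information into session
		$_SESSION["userid"] = $userget->fields["userid"];
		$_SESSION["username"] = $userget->fields["username"];
		$_SESSION["password"] = $userget->fields["password"];
		
		// create cookies for auto-sign-in (90 days); HttpOnly keeps them away from
		// scripts, Secure is set when the current request came over HTTPS
		$expire = time() + 7776000;
		$secure = $this->_isHttps();
		setcookie("rem_username", $userget->fields["username"], $expire, "", "", $secure, true);
		setcookie("rem_password", $userget->fields["password"], $expire, "", "", $secure, true);
		
		// where to send the user?
		if ($from === 0){
			// cookie sign in, the caller carries on
		} elseif ($from <> ""){
			// only follow a path on this site; an absolute or protocol-relative
			// URL here would make this an open redirect
			if ($this->_localPath($from)){
				header("Location: " . $from);
				die();
			}
			return false;
		} else {
			return false;
		}
	}
	
	// log user out, destroy sessions and expire the auto-sign-in cookies
	function signout(){
		$_SESSION = Array();
		session_destroy();
		
		// same path/domain as in signin() so the browser matches the cookies
		$expire = time() - 3600;
		setcookie("rem_username", "", $expire, "", "", false, true);
		setcookie("rem_password", "", $expire, "", "", false, true);
	}
	
	// user authorisation function
	//   $level - minimum status required for the current page
	// sets $this->Access to the user's status (0 for visitors). When the user
	// does not reach $level this exits: signed-in users get a message, visitors
	// are sent to auth.php with the current URI so they can come back.
	function Auth($level){
		global $db, $dbprefix;
		
		$authlevel = 0;
		
		if (isset($_SESSION["userid"]) && $_SESSION["userid"] !== ""){
			// validate users login
			$sql = "SELECT * FROM " . $dbprefix . "users WHERE userid = " . intval($_SESSION["userid"]);
			$userd = $db->execute($sql);
			if ($userd->rows < 1){
				// user account not found
				$this->signout();
			} else {
				// user account found, details in the session must still match
				$sessname = isset($_SESSION["username"]) ? (string) $_SESSION["username"] : "";
				$sesspass = isset($_SESSION["password"]) ? (string) $_SESSION["password"] : "";
				if ($sessname !== (string) $userd->fields["username"] || $sesspass !== (string) $userd->fields["password"]){
					// incorrect details
					$this->signout();
				} else {
					// user is actually ok
					$authlevel = $userd->fields["status"];
				}
			}
		}
		
		// set auth level
		$this->Access = $authlevel;
		
		// finally, check if user has access
		if ($level > $authlevel){
			if ($authlevel > 0){
				die("You are not authorised to view this page.");
			} else {
				if (empty($_SERVER["REQUEST_URI"])){
					header("Location: auth.php");
				} else {
					header("Location: auth.php?from=" . urlencode($_SERVER["REQUEST_URI"]));
				}
				die();
			}
		}
	}
	
	// registration from the $_POST fields rusername, password, password2, email
	// returns an error message string, or signs the user in and redirects
	function register(){
		global $db, $dbprefix, $config;
		
		// check registration acceptance; $this->Access is only set once Auth()
		// has run in this request, otherwise it is null and counts as a visitor
		if (($config["enableregistrations"] != "true") && ($this->Access < 3)){
			return "Registrations are not currently being accepted";
		}
		
		$rusername = $this->_post("rusername");
		$password  = $this->_post("password");
		$password2 = $this->_post("password2");
		$email     = $this->_post("email");
		
		// standard validation
		if ($rusername == ""){ return "You did not enter a username"; }
		if ($password == ""){ return "You did not enter a password"; }
		if ($password2 == ""){ return "You did not confirm your password"; }
		if ($email == ""){ return "You did not enter your email address"; }
		
		// check passwords
		if ($password !== $password2){ return "Your passwords did not match"; }
		
		// extra validation on the username
		$u = strip_tags($rusername);
		if (str_replace(" ", "", $u) == ""){ return "This is not an acceptable username"; }
		
		// email address validation
		if (!$this->_emailValid($email)){
			return "Your email address is not valid";
		}
		
		// check for reserved username
		if (strcasecmp($u, "system") == 0 || strcasecmp($u, "anonymous") == 0 || strcasecmp($u, "unknown") == 0){
			return "You cannot use this username as it is a reserved word";
		}
		
		// check for taken username
		$sql = "SELECT * FROM " . $dbprefix . "users WHERE username = '" . dbSecure($u) . "'";
		$chk = $db->execute($sql);
		if ($chk->rows > 0){ return "This username has already been taken"; }
		
		// check for taken email address
		$sql = "SELECT * FROM " . $dbprefix . "users WHERE email = '" . dbSecure($email) . "'";
		$chk = $db->execute($sql);
		if ($chk->rows > 0){ return "This email address is already in use"; }
		
		// run the insert statement
		$sql = "INSERT INTO " . $dbprefix . "users (username, password, email, ipaddress, joindate) VALUES (";
		$sql .= "'" . dbSecure($u) . "', ";
		$sql .= "'" . dbSecure(md5($password)) . "', ";
		$sql .= "'" . dbSecure($email) . "', ";
		$sql .= "'" . dbSecure($_SERVER["REMOTE_ADDR"]) . "', ";
		$sql .= time() . ")";
		$db->execute($sql);
		
		// ok, send welcome email
		$msg = "Hi,\nThank you for registering. Your username is: ";
		$msg = $msg . $u . "\n\nYou can log in on the site.";
		communicate($email, $config["sitename"] . " Registration", $msg);
		
		// and sign user in
		$this->signin($u, $password);
		
		// and redirect
		redirect("index.php?act=newbie");
	}
	
	// updating a profile from the $_POST fields pass1 (current password),
	// pass2/pass3 (new password, optional) and email
	// returns a message string for the user
	function profile(){
		global $db, $dbprefix;
		
		$pass1 = $this->_post("pass1");
		$pass2 = $this->_post("pass2");
		$pass3 = $this->_post("pass3");
		$email = $this->_post("email");
		
		// ok, lets begin with validation
		if ($pass1 == ""){ return "You did not enter your old password"; }
		if ($pass2 !== $pass3){ return "Your new passwords did not match"; }
		if ($email == ""){ return "You did not enter an email address"; }
		
		// validate and get existing profile (Auth exits when nobody is signed in)
		$this->Auth(1);
		$sql = "SELECT * FROM " . $dbprefix . "users WHERE userid = " . dbSecure(intval($_SESSION["userid"]));
		$pro = $db->execute($sql);
		
		// validate current password
		if ((string) $pro->fields["password"] !== md5($pass1)){
			return "Your current password was incorrect";
		}
		
		// work out new password
		$newsignin = 0;
		if ($pass2 <> ""){
			$newpass = md5($pass2);
			
			// sign user out and back in once the hash in the session is stale
			$newsignin = 1;
		} else {
			$newpass = $pro->fields["password"];
		}
		
		// work out new email address
		if ($pro->fields["email"] <> $email){
			// make sure it's a real address
			if (!$this->_emailValid($email)){
				return "Your email address is not valid";
			}
			
			// now make sure that is isn't being used
			$sql = "SELECT email FROM " . $dbprefix . "users WHERE email = '" . dbSecure($email) . "' AND userid <> " . intval($pro->fields["userid"]);
			$chk = $db->execute($sql);
			if ($chk->rows > 0){ return "This email address is already in use"; }
			
			// and set variable
			$newemail = $email;
		} else {
			$newemail = $pro->fields["email"];
		}
		
		// and run the update dealie
		$sql  = "UPDATE " . $dbprefix . "users SET ";
		$sql .= "password = '" . dbSecure($newpass) . "', ";
		$sql .= "email = '" . dbSecure($newemail) . "' ";
		$sql .= "WHERE userid = " . intval($pro->fields["userid"]);
		$db->execute($sql);
		
		// sign user in and out?
		if ($newsignin == 1){
			$this->signout();
			StartSession();
			$this->signin($pro->fields["username"], $pass2);
		}
		
		// and return
		return "Profile updated successfully!";
	}
	
	// password reset function
	//   $email - address of the account to reset
	// replaces the stored hash with a generated password and emails that
	// password in plain text; returns a message string for the user
	function getpassword($email){
		global $db, $dbprefix, $config;
		
		// standard validation
		if ($email == ""){ return "No email address entered"; }
		
		// generate a new password and email it to the user
		$sql = "SELECT * FROM " . $dbprefix . "users WHERE email = '" . dbSecure($email) . "'";
		$grabpass = $db->execute($sql);
		if ($grabpass->rows < 1){ return "This email address is not registered to an account"; }
		
		// sign user out
		$this->signout();
		
		// ok now generate a new password
		$nupass = GeneratePassword();
		
		// update the database
		$sql = "UPDATE " . $dbprefix . "users SET password = '" . md5($nupass) . "' WHERE userid = " . intval($grabpass->fields["userid"]);
		$db->execute($sql);
		
		// send the user an email
		$msg  = "Hi,\nYour password has been changed. Your new password is: ";
		$msg .= $nupass . "\n\nYou can sign in using your new password.";
		
		// send the email
		$r = communicate($grabpass->fields["email"], $config["sitename"] . " Password", $msg);
		if ($r === FALSE){ return "The email could not be sent, contact the site administrator"; }
		
		// and redirect user
		return "A new password has been emailed to you";
	}
	
	// a $_POST field as a string, "" when it is missing or not a plain string
	// (an array value would otherwise reach strip_tags()/md5())
	function _post($key){
		if (!isset($_POST[$key]) || !is_string($_POST[$key])){ return ""; }
		return $_POST[$key];
	}
	
	// email address validation shared by register() and profile(): exactly one
	// "@" with a non-empty local part and domain, and an MX record for the
	// domain where checkdnsrr() is available
	function _emailValid($email){
		$parts = explode("@", $email);
		if (count($parts) != 2 || $parts[0] === "" || $parts[1] === ""){ return false; }
		if (function_exists("checkdnsrr")){
			return checkdnsrr($parts[1], "MX");
		}
		return true;
	}
	
	// true when $path cannot leave this site: no URL scheme ("http:",
	// "javascript:", ...) and no protocol-relative "//host" or "/\host" prefix
	function _localPath($path){
		if (!is_string($path) || $path === ""){ return false; }
		if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $path)){ return false; }
		if (substr($path, 0, 2) === "//" || substr($path, 0, 2) === "/\\"){ return false; }
		return true;
	}
	
	// true when the current request arrived over HTTPS
	function _isHttps(){
		return !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off";
	}
}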
?>