<?php
/* PHP Link Directory Copyright 2011 Robert Rook */
// Member login page / reset forgotten
// login information.
// login.php
require('dblogon.php');

// When the visitor arrives on the error subpage, expire both login
// cookies so that stale credentials are not presented again.
if (isset($_GET['subpage']) && $_GET['subpage'] === "error") {
	foreach (array("username", "password") as $stale_cookie) {
		// An empty/false value tells PHP to delete the cookie.
		setcookie($stale_cookie, false);
	}
	unset($stale_cookie);
}

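// Check for a login attempt.
// Only plain string fields are accepted; array-valued parameters
// (username[]=...) are ignored instead of being fed to the string functions.
if(isset($_POST['username']) && isset($_POST['password'])
	&& is_string($_POST['username']) && is_string($_POST['password'])) {
	// Legacy normalisation, kept so the values still match what the rest of
	// the application stores and compares. Removing quotes and tags is NOT
	// SQL escaping (other metacharacters such as the backslash pass through),
	// so every value placed in a query below is escaped for the connection.
	$_POST['username'] = preg_replace('/\'/','',strip_tags($_POST['username']));
	$_POST['password'] = preg_replace('/\'/','',strip_tags($_POST['password']));

	$sql_username = mysql_real_escape_string($_POST['username'], $db);
	$sql_password = mysql_real_escape_string($_POST['password'], $db);

	// NOTE(review): the password column is compared with the submitted value
	// as-is, i.e. passwords are stored unhashed. Moving to password_hash()/
	// password_verify() needs a data migration and is outside this block.
	// NOTE(review): there is no throttling of failed logins here; rtries is
	// only used by the password-reset flow.
	$result = mysql_query("SELECT * FROM {$prefix}users WHERE username='{$sql_username}' AND password='{$sql_password}'", $db);
	if(!$result || !mysql_num_rows($result)) {
		// Query failed, or the username/password pair is incorrect.
		$_POST['login_failed'] = 1;
	} else {
		$retval = mysql_fetch_array($result);
		if($retval['bstatus']!=1) {
			// User account is currently blocked
			header("Location: {$site_url}/login.php?subpage=error&error=blocked");
			die();
		} else {
			// Record the login address/time and clear the reset-attempt counter.
			$sql_ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR'], $db);
			$sql_userid = mysql_real_escape_string($retval['userid'], $db);
			mysql_query("UPDATE {$prefix}users SET lip='{$sql_ip}', ltime='".time()."', rtries=0 WHERE userid='{$sql_userid}'", $db);

			// Same cookie names, values, lifetime, path and domain as before;
			// the only change is the HttpOnly flag, which keeps page scripts
			// from reading the credentials.
			// NOTE(review): the "password" cookie is an unsalted MD5 of the
			// password and therefore a replayable password equivalent. A
			// server-side session would be the proper replacement, but other
			// pages presumably validate these cookies, so the scheme is kept.
			setcookie("username",$_POST['username'], 0, "", "", false, true);
			setcookie("password",md5($_POST['password']), 0, "", "", false, true);

			// Post-login redirect. The destination comes from the query
			// string, so it is only honoured when it stays on this site:
			// either it begins with "{$site_url}/" or it is a relative
			// reference with no scheme and no leading "//". Anything else
			// falls back to the welcome page.
			$redirect_to = "{$site_url}/admin.php?cmd=welcome";
			if(isset($_GET['cmd']) && $_GET['cmd']=="redirect" && isset($_GET['url']) && is_string($_GET['url'])) {
				$requested = urldecode($_GET['url']);
				// Control characters, spaces and backslashes never belong in
				// a redirect target and are rejected outright.
				if(strlen($requested) && !preg_match('/[\x00-\x20\x7F\\\\]/', $requested)) {
					if(strlen($site_url) && strpos($requested, "{$site_url}/") === 0) {
						$redirect_to = $requested;
					} else if(!preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//)#i', $requested)) {
						$redirect_to = $requested;
					}
				}
			}
			header("Location: ".$redirect_to);
			die();
		}
	}
}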

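// Check for a password reset attempt (step two of the reset form: the
// account identifier plus the answer to the secret question).
// Array-valued parameters are ignored rather than passed to string functions.
if(isset($_POST['username']) && isset($_POST['email']) && isset($_POST['panswer'])
	&& is_string($_POST['username']) && is_string($_POST['email']) && is_string($_POST['panswer'])) {
	unset($retval);

	// Legacy normalisation, kept for compatibility with stored values.
	// It is not SQL escaping, so query values are escaped separately below.
	$_POST['username'] = preg_replace('/\'/','',strip_tags($_POST['username']));
	$_POST['email'] = preg_replace('/\'/','',strip_tags($_POST['email']));
	$_POST['panswer'] = preg_replace('/\'/','',strip_tags($_POST['panswer']));

	if(strlen($_POST['email'])) {
		// Try to find account via email first
		$sql_email = mysql_real_escape_string($_POST['email'], $db);
		$result = mysql_query("SELECT * FROM {$prefix}users WHERE email='{$sql_email}'", $db);
		if($result && mysql_num_rows($result)) { $retval = mysql_fetch_array($result); }
	} else if(strlen($_POST['username'])) {
		// Now try to find account via username
		$sql_username = mysql_real_escape_string($_POST['username'], $db);
		$result = mysql_query("SELECT * FROM {$prefix}users WHERE username='{$sql_username}'", $db);
		if($result && mysql_num_rows($result)) { $retval = mysql_fetch_array($result); }
	}

	// Enforce the reset lock-out here as well as in the page output: while
	// rtime is in the future the answer is not evaluated at all, otherwise
	// the five-minute / one-hour block would only hide the form while
	// guesses posted directly were still being checked.
	if(isset($retval) && $retval['rtime']<=time()) {
		$sql_userid = mysql_real_escape_string($retval['userid'], $db);

		// Compare the stored secret answer with the submitted one as strings;
		// strict comparison avoids PHP's numeric-string juggling.
		if($_POST['panswer']!==(string)$retval['panswer']) {
			// If panswer is wrong, count the failed attempt.
			mysql_query("UPDATE {$prefix}users SET rtries=rtries+1 WHERE userid='{$sql_userid}'", $db);
			if($retval['rtries']>=2) {
				// Third failure in a row: temporarily stop the user from
				// guessing the answer (five minutes).
				mysql_query("UPDATE {$prefix}users SET rtries=0, rtime='".(time()+(60*5))."' WHERE userid='{$sql_userid}'", $db);
			}
			$_POST['panswer_failed'] = 1;
		} else {
			// If everything is OK, the password is reset and mailed to the
			// user. The replacement must not be guessable, so it is drawn
			// from a cryptographic source when one is available instead of
			// being derived from the current time.
			if(function_exists('random_bytes')) {
				$new_secret = bin2hex(random_bytes(16));
			} else if(function_exists('openssl_random_pseudo_bytes')) {
				$new_secret = bin2hex(openssl_random_pseudo_bytes(16));
			} else {
				// Weaker fallback for installs with neither function.
				$new_secret = md5(uniqid(mt_rand(), true).microtime());
			}
			// 16 hex characters: within the 8-16 range used before and
			// below the 20-character limit of the login form.
			$retval['password'] = substr($new_secret,0,16);
			// NOTE(review): the new password is written to the database
			// unhashed, matching how the login query compares it; hashing
			// requires changing both sides together.
			$sql_password = mysql_real_escape_string($retval['password'], $db);
			mysql_query("UPDATE {$prefix}users SET password='{$sql_password}', rtries=0, rtime='".(time()+(60*60))."' WHERE userid='{$sql_userid}'", $db);
			$_POST['reset_ok'] = 1;
			require('lib/sendmail.php');
			sendmail_password_reset_byid($retval['userid']);
		}
	}
}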

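require('tpl/boxes.php');

// Show page head
$page_title = "Member login";
require('page_l.php');

// Page body. One of four views is rendered depending on ?subpage=:
//   error - explanation of why the visitor was logged out
//   reset - password reset (identify account, then answer secret question)
//   email - resend the email verification link
//   (none) - the standard login form
// Request values are escaped for the context they are written into:
// mysql_real_escape_string() for SQL, htmlspecialchars() for HTML.
if(isset($_GET['subpage']) && $_GET['subpage']=="error") {
	// Show the error page
	show_header("Logged out from Members area", "You have been logged out from the members area for the following reason(s)...");

	if(isset($_GET['error']) && $_GET['error']=="nocookies") {
		echo "<p><b>Not logged in</b><br>\n";
		echo "Please <a href=\"{$site_url}/login.php\">login to your account</a> ";
		echo "to access the members area.</p>\n";

		echo "<p><b>Still having problems?</b><br>\n";
		echo "Please try the following...\n<ul>";
		echo "<li>Check that cookies are enabled in your browser</li>\n";
		echo "<li>Check that your browser isn't blocking cookies from ";
		echo "this website.</li>\n</ul></p>\n";
	} else if(isset($_GET['error']) && $_GET['error']=="badlogin") {
		echo "<p><b>Not logged in</b><br>\n";
		echo "Your username and/or password are incorrect.  If you\n";
		echo "have forgotten this information, please ";
		echo "<a href=\"{$site_url}/login.php?subpage=reset\">reset your ";
		echo "account password</a>.</p>\n<p>You can ";
		echo "<a href=\"{$site_url}/login.php\">login to your account</a>";
		echo "when you have the correct login information.</p>\n";
	} else if(isset($_GET['error']) && $_GET['error']=="badip") {
		echo "<p><b>Session expired</b><br>\n";
		echo "You need to login again to access the members area.\n";
		echo "You can do so from the <a href=\"{$site_url}/login.php\">";
		echo "member login page</a>.</p>\n";
	} else if(isset($_GET['error']) && $_GET['error']=="blocked") {
		echo "<p><b>Account unavailable</b><br>\n";
		echo "Your account is currently unavailable.  It may have been\n";
		echo "temporarily closed for maintenance, or still require activation ";
		echo "by an administrator.  If the problem persists,\n";
		echo "and you do not recieve more information, please contact\n";
		echo "the site administration.</p>\n";
	} else if(isset($_GET['error']) && $_GET['error']=="unverified") {
		echo "<p><b>Email not verified</b><br>\n";
		echo "Your email address has not yet been verified.  Please visit\n";
		echo "the account activation link that was emailed to you when your\n";
		echo "account was created, or have the verification link resent:\n";
		echo "<ul><li><a href=\"login.php?subpage=email\">Resend verification link";
		echo "</a></li></ul></p>\n";
	} else {
		echo "<p><b>Unknown Error</b><br>\n";
		echo "An unknown error has occured.  Your account should be\n";
		echo "available to login to very soon from the ";
		echo "<a href=\"{$site_url}/login.php\">member login page</a>.\n";
		echo "If the problem persists, please contact the website\n";
		echo "administration.</p>\n";
	}
} else if(isset($_GET['subpage']) && $_GET['subpage']=="reset") {
	// Reset password
	show_header("Reset password", "Forgotten your login information? Reset your password in a couple of steps to regain access to your account.");

	if(isset($_POST['reset_ok'])) {
		// Completed password reset
		echo "<p><b>Password reset</b><br>\n";
		echo "Your password has been reset, and mailed to the email\n";
		echo "address associated with your account.  You should recieve\n";
		echo "the email shortly.</p>\n";
	} else if(isset($_POST['username']) && isset($_POST['email'])) {
		// Check secret question
		unset($retval);

		// On the first step of the form these fields arrive straight from
		// the request, so they are treated as untrusted here regardless of
		// any earlier processing. Non-string (array) values count as empty.
		$reset_username = is_string($_POST['username']) ? $_POST['username'] : '';
		$reset_email = is_string($_POST['email']) ? $_POST['email'] : '';

		if(strlen($reset_email)) {
			// Try to find account via email first
			$result = mysql_query("SELECT * FROM {$prefix}users WHERE email='".mysql_real_escape_string($reset_email, $db)."'", $db);
			if($result && mysql_num_rows($result)) { $retval = mysql_fetch_array($result); }
		} else if(strlen($reset_username)) {
			// Now try to find account via username
			$result = mysql_query("SELECT * FROM {$prefix}users WHERE username='".mysql_real_escape_string($reset_username, $db)."'", $db);
			if($result && mysql_num_rows($result)) { $retval = mysql_fetch_array($result); }
		}

		if(!isset($retval)) {
			// No account found.  Display error message
			// and back link to try again.
			// NOTE(review): this message (and the secret question shown
			// below) lets a visitor confirm whether an account exists.
			echo "<p><b>Account not found</b><br>\nNo account has ";
			echo "been found with the username or email address\n";
			echo "you provided.\n<ul><li>If you believe you have entered ";
			echo "the information incorrectly, please try to\n";
			echo "<a href=\"{$site_url}/login.php?subpage=reset\">reset your ";
			echo "account password</a> again.</li></ul></p>\n";
		} else if($retval['rtime']>time()) {
			// The user is not currently able to recover account
			// information.  Display an error.
			show_error("Cannot reset password", "As you have recently either reset your account information or made repeated failed attempts at answering your secret question, your account reset option has been temporarily blocked. After resetting your password, please wait one hour before doing so again.  After failing to answer your secret question three time in a row, please wait five minutes before trying again.");
		} else {
			// Show secret question
			// If the user has failed a guess, show an error
			if(isset($_POST['panswer_failed'])) {
				show_error("Answer incorrect", "The answer you have provided for your secret question is incorrect.  Please try again.");
			}
			// Show question / form. The identifier fields are echoed back
			// into attribute values and the question into element content,
			// so all three are HTML-escaped (quotes included).
			$html_username = htmlspecialchars($reset_username, ENT_QUOTES);
			$html_email = htmlspecialchars($reset_email, ENT_QUOTES);
			$html_question = htmlspecialchars($retval['pquestion'], ENT_QUOTES);
			echo "<form method=\"post\" action=\"{$site_url}/login.php?subpage=reset\">\n";
			echo "<input type=\"hidden\" name=\"username\" value=\"{$html_username}\" />\n";
			echo "<input type=\"hidden\" name=\"email\" value=\"{$html_email}\" />\n";
			echo "<table class=\"form_box\" cellpadding=\"2px\" cellspacing=\"0\" width=\"100%\">\n";
			echo "<tr><td colspan=\"2\"><p>Please answer the secret question ";
			echo "you have created for your account:\n";
			echo "<ul><li>{$html_question}";
			echo "</li></ul></p></td></tr>\n";
			echo "<tr><td>Answer: </td><td align=\"right\">";
			echo "<input type=\"text\" maxlength=\"100\" name=\"panswer\" class=\"stdinput\"></td></tr>\n";
			echo "<tr><td></td><td align=\"right\"><input type=\"submit\" value=\"Answer\" class=\"stdbutton\"></td></tr>\n";
			echo "</table>\n";
			echo "</form>\n";
		}
	} else {
		// Show recovery options
		echo "<form method=\"post\" action=\"{$site_url}/login.php?subpage=reset\">\n";
		echo "<table class=\"form_box\" cellpadding=\"2px\" cellspacing=\"0\" width=\"100%\">\n";
		echo "<tr><td colspan=\"2\">\n<p>Please enter either \n";
		echo "(or both) your username or email address.</p></td></tr>\n";
		echo "<tr><td>Username</td><td align=\"right\">\n";
		echo "<input type=\"text\" name=\"username\" maxlength=\"15\" class=\"stdinput\"></td></tr>\n";
		echo "<tr><td>Email address</td><td align=\"right\"><input type=\"text\" name=\"email\" maxlength=\"250\" class=\"stdinput\"></td></tr>\n";
		echo "<tr><td></td><td align=\"right\"><input type=\"submit\" value=\"Next step...\" class=\"stdbutton\"></td></tr>\n";
		echo "</table>\n";
		echo "</form>\n";
	}
} else if(isset($_GET['subpage']) && $_GET['subpage']=="email") {
	// Resend email verification link
	show_header("Verify your email address", "In order to verify your email address you must follow a verification link found in the verification email you recieve when creating an account with this website. If you have lost this email, or the link has expired, you can have the email resent using the form below.");

	// If the user has already provided their email
	// address
	if(isset($_POST['email'])) {
		// The address comes straight from the request on this subpage, so
		// it is escaped before being placed in the query.
		$verify_email = is_string($_POST['email']) ? $_POST['email'] : '';
		$result = mysql_query("SELECT * FROM {$prefix}users WHERE email='".mysql_real_escape_string($verify_email, $db)."'", $db);
		if(!$result || !mysql_num_rows($result)) {
			// The email address was not found.
			// Show an error.
			show_error("Email address not found", "The email address you have provided was not found to be associated with an account.\n<ul><li><a href=\"{$site_url}/login.php?subpage=email\">Want to try a different email address?</a></li></ul>");
		} else {
			$retval = mysql_fetch_array($result);
			// Check the account is not already verified
			if($retval['bverified']) {
				echo "<p><b>Account verified</b><br>\n";
				echo "Your email address has already been verified.\n";
				echo "Thank you.</p>\n";
			} else if($retval['rtime']>time()) {
				// The account has had the verification email sent
				// recently, it cannot be sent again for some time.
				echo "<p><b>Verification link recently sent</b><br>\n";
				echo "The verification email for this account has been sent\n";
				echo "recently, and cannot be resent again for some time.\n";
				echo "You should be able to have the verification email resent\n";
				echo "within an hour.</p>\n";
			} else {
				// No problems; resend the verification email and block
				// further resends for one hour.
				require('lib/sendmail.php');
				sendmail_admin_email_verify_byid($retval['userid']);
				mysql_query("UPDATE {$prefix}users SET rtime='".(time()+(60*60))."' WHERE userid='".mysql_real_escape_string($retval['userid'], $db)."'", $db);
				echo "<p><b>Verification link sent</b><br>\n";
				echo "Your verification link has been sent to your email\n";
				echo "address.  Please check your inbox soon for the link.";
				echo "</p>\n<p>If you have problems recieving the link,\n";
				echo "please check your spam box (in case your email\n";
				echo "provider has misplaced the email).</p>\n";
			}
		}
	} else {
		// Show a form for the email address
		echo "<form method=\"post\" action=\"{$site_url}/login.php?subpage=email\">\n";
		echo "<table class=\"form_box\" cellpadding=\"2px\" cellspacing=\"0\" width=\"100%\">\n";
		echo "<tr><td>Email address</td><td align=\"right\">";
		echo "<input type=\"text\" name=\"email\" maxlength=\"250\" class=\"stdinput\"></td></tr>\n";
		echo "<tr><td></td><td align=\"right\">";
		echo "<input type=\"submit\" value=\"Resend link\" class=\"stdbutton\"></td></tr>\n";
		echo "</table>\n</form>\n";
	}
} else {
	// Show the standard login form
	show_header("Member login", "To enter the members area, please login using your account information below.\n<ul><li>Forgotten your login information?  <a href=\"{$site_url}/login.php?subpage=reset\">Reset your account password</a>\nto have your login information mailed to you.</li></ul>");

	if(isset($_POST['login_failed'])) {
		// If a failed login attempt was made, notify
		// the visitor
		show_error("Login failed", "The username/password combination you have entered  is incorrect.\n<ul><li>If you have forgotten your username or password, <a href=\"{$site_url}/login.php?subpage=reset\"> reset your login information</a>.</li></ul>");
	}

	echo "<form method=\"post\" action=\"{$site_url}/login.php\">\n";
	echo "<table class=\"form_box\" cellpadding=\"2px\" cellspacing=\"0\" align=\"center\">\n";
	echo "<tr><td>Username</td><td align=\"right\">";
	echo "<input type=\"text\" maxlength=\"15\" name=\"username\" class=\"stdinput\"></td></tr>\n";
	echo "<tr><td>Password</td><td align=\"right\">";
	echo "<input type=\"password\" maxlength=\"20\" name=\"password\" class=\"stdinput\"></td></tr>\n";
	echo "<tr><td></td><td align=\"right\">";
	echo "<input type=\"submit\" value=\"Log in\" class=\"stdbutton\"></td></tr>\n";
	echo "</table>\n";
	echo "</form>\n";
}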

require('page_r.php');
?>