Location: PHPKode > scripts > phpSecurityAdmin > phpsecurityadmin/include/class.phpSecurityAdmin.php
<?php // 8/9/2002 8:54AM
/*
    Name: phpSecurityAdmin
    Author: Justin Koivisto (hide@address.com)
    Version: 2.3.2
    Date:  8/9/2002 8:55AM GMT-6:00
    Copyright (C) 2001,2002

    This program is free software; you can redistribute it and/or modify it under the terms of
    the GNU General Public License as published by the Free Software Foundation; either version
    2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
    without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    See the GNU General Public License for more details. (Found in the LICENSE file.)

    You should have received a copy of the GNU General Public License along with this program;
    if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
    MA 02111-1307 USA
*/

// make sure this file is only included once
if(isset($SECURITY_CLASS_INC)) return;
$SECURITY_CLASS_INC=TRUE;

require dirname(__FILE__).'/class.phpMysqlConnection.php';

// start defining security_class
class phpSecurityAdmin extends phpMysqlConnection{
    var $SQL_HOST='';
    var $SQL_DB='';
    var $SQL_USER='';
    var $SQL_PASS='';
    var $LANGUAGE='';
    var $VERSION='2.3.1';
    var $PHPSECURITYADMIN_HOST='';

    // This is the class constructor
    function phpSecurityAdmin($lang,$user='phpuser',$pass='php',$db='security',$host='localhost',$site=''){
        global $PHPSECURITYADMIN_PATH;
        // include the correct language file.
        // the passed value of $lang would be the prefix of the
        // language file to use from the "lang" directory.
        include $PHPSECURITYADMIN_PATH.'/lang/'.$lang.'.lang.php';

        $this->SQL_HOST=$host;
        $this->SQL_DB=$db;
        $this->SQL_USER=$user;
        $this->SQL_PASS=$pass;
        $this->LANGUAGE=$lang;
        if(!empty($site))
            $this->PHPSECURITYADMIN_HOST=$site;
        else
            $this->PHPSECURITYADMIN_HOST=$_SERVER['HTTP_HOST'];

        // connect to the database - errors are output by the phpMysqlConnection
        $this->phpMysqlConnection($user,$pass,$host);
        $this->SelectDB($db);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        isLoggedIn: Checks to see if the user is logged in through the session variables.
        returns: TRUE or FALSE
    */
    function isLoggedIn(){
        // if session remote value doesn't equal the remote address, don't allow access.
        if(isset($_SESSION['psaun']) && isset($_SESSION['remote']) &&
                ($_SESSION['remote'] == $_SERVER['REMOTE_ADDR'])){
            return TRUE;
        }
        return FALSE;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        Login: Performs the actual login procedure with all error checking.
        returns: FALSE if successful login or error message stringaccording to locale on failure.
        param: user [string] The username to log in with.
        param: pass [string] The password to log in with.
    */
    function Login($user='',$pass=''){
        if($user=='')
            return $this->PHPSECURITYADMIN_NO_USERNAME;
        if($pass=='')
            return sprintf($this->PHPSECURITYADMIN_BAD_PASSWORD,$user);

        // I want to make sure that there are no sneaks trying to pass SQL queries!
        $user=str_replace(' ','',$user);
        // password is md5() encoded before comparison - no need to check value (might want spaces in password)

        // clear session variables
        session_unset();

        // check if username is in the system
        if($this->isSystemUser($user)){
            // get user info from the database
            $query="SELECT `pass`,`hash`,`active`,`lockcount`,`connection`,`uid`,`gid` FROM `security_users` WHERE `id`='".
                trim($user)."'";
            $this->QueryRow($query);
            $connection=explode("'",$this->data['connection']);
            $db_pass=$this->data['pass'];
            $db_hash=$this->data['hash'];
            $active=$this->data['active'];
            $psau=$this->data['uid'];
            $psag=$this->data['gid'];
            $lockcount=$this->data['lockcount']+1;

            // get the system lockout number
            $query="SELECT `value` FROM `security_settings` WHERE `name`='lockcount'";
            $sys_lock=$this->QueryItem($query);
            if($lockcount>$sys_lock){
                $query="UPDATE `security_users` SET `updated`='".date('Y-m-d H:i:s').
                    "', `active`='0',`lockcount`='0' WHERE `id`='".$user."'";
                $this->Update($query);
                return $this->PHPSECURITYADMIN_ACCOUNT_LOCK;
            }

            // check if user account is active
            if(!$active)
                return $this->PHPSECURITYADMIN_ACCOUNT_LOCK;

            // check if connection is allowed
            if(!$this->checkConnection($user)){
                // connection not allowed!
                $query="UPDATE `security_users` SET `updated`='".date("Y-m-d H:i:s")."', `lockcount`='".
                    $lockcount."' WHERE `id`='".$user."'";
                $this->Update($query);
                return sprintf($this->PHPSECURITYADMIN_BAD_CONNECTION,$_SERVER['REMOTE_ADDR']);
            }

            // check the password
            $pass=trim($pass);
            if(strlen($pass)>0 && md5($pass.$db_hash)==$db_pass){
                $query="UPDATE `security_users` SET `updated`='".date("Y-m-d H:i:s").
                    "', `lockcount`='0' WHERE `id`='".$user."'";
                $this->Update($query);
                $psaun=$user;
                $remote=$_SERVER['REMOTE_ADDR'];
                $_SESSION['psaun']=$psaun;
                $_SESSION['remote']=$remote;
                $_SESSION['psag']=$psag;
                $_SESSION['psau']=$psau;
                return FALSE;
            }else{
                $query="UPDATE `security_users` SET `updated`='".date("Y-m-d H:i:s")."', `lockcount`='".$lockcount.
                    "' WHERE `id`='".$user."'";
                $this->Update($query);
                return sprintf($this->PHPSECURITYADMIN_BAD_PASSWORD,$user);
            }
        }else
            return sprintf($this->PHPSECURITYADMIN_USER_DOES_NOT_EXIST,$user);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        Logout: Logs out the user and destroys the session.
    */
    function Logout(){
        if(isset($_SESSION['psaun'])){
            session_unset();
            session_destroy();
        }
    }


//-----------------------------------------------------------------------------------------------------------
    /*
        checkConnection: Check to see if the user is allowed to connect from the current address
        return: TRUE or FALSE
        param: user [string] The username that is trying to log in.
    */
    function checkConnection($user){
        $SYSFLAG=FALSE;
        $ipsegs=explode('.',$_SERVER['REMOTE_ADDR']);
        $pattern='^('.$ipsegs[0].'){1,}\.('.$ipsegs[1].')+\.('.$ipsegs[2].')+\.('.$ipsegs[3].')+$';

        // check system permission first
        $query="SELECT `value` FROM `security_settings` WHERE `name`='connection'";
        $connection=$this->QueryItem($query);
        if($connection){
            // for each of the listed accepted address ranges, check if it matches
            $connections=explode(',',$connection);    // separate multiples
            while(list($x,$conn)=@each($connections)){
                $pattern='^'.str_replace('.','\.',trim($conn));
                if(ereg($pattern,$_SERVER['REMOTE_ADDR'])) $SYSFLAG=TRUE;
            }
        }else{
            $SYSFLAG=TRUE;
        }

        if($SYSFLAG){
            $USERFLAG=FALSE;
            $query="SELECT `connection` FROM `security_users` WHERE `id`='".$user."'";
            $connection=$this->QueryItem($query);
            if($connection){
                // for each of the listed accepted address ranges, check if it matches
                $connections=explode(',',$connection);    // separate multiples
                while(list($x,$conn)=@each($connections)){
                    $pattern='^'.str_replace('.','\.',trim($conn));
                    if(ereg($pattern,$_SERVER['REMOTE_ADDR'])) $USERFLAG=TRUE;
                }
            }else{
                $USERFLAG=TRUE;
            }
        }
        return ($SYSFLAG && $USERFLAG);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        isSystemUser: Check to see if username exists on system.
        return: TRUE or FALSE
        param: user [string] The username to check for.
    */
    function isSystemUser($user){
        // don't even look up if not in valid format
        if(!$this->isValidUsername($user))
            return FALSE;
        if($this->Exists("SELECT `id` FROM `security_users` WHERE `id`='".$user."'"))
            return TRUE;
        return FALSE;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        isValidUsername: Check to see if the username is only alpha-numeric characters and is of the proper length according to the system settings.
        return: array('result','max','min')
            Result Values:
                0 if good
                -1 if too short
                -2 if too long
                -3 if invalid characters
        param: user [string] The username to check.
    */
    function isValidUsername($user){
        $query="SELECT `value` FROM `security_settings` WHERE `name`='max_username_length'";
        $max_username_length=$this->QueryItem($query);
        $query="SELECT `value` FROM `security_settings` WHERE `name`='min_username_length'";
        $min_username_length=$this->QueryItem($query);
        $regex='/^[a-zA-Z0-9]+$/';
        $test=strlen($user);
        if($test > $max_username_length)
            return array('result'=>-2,'max'=>$max_username_length,'min'=>$min_username_length);
        if($test < $min_username_length)
            return array('result'=>-1,'max'=>$max_username_length,'min'=>$min_username_length);
        if(!preg_match($regex,$user))
            return array('result'=>-3,'max'=>$max_username_length,'min'=>$min_username_length);
        return array('result'=>1,'max'=>$max_username_length,'min'=>$min_username_length);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        isValidPassword: Check to make sure the password is of proper length.
        return: array('result','min','max')
            Result values:
                1 if good
                -1 if too short
                -2 if too long
        param: pass [string] The password to check.
    */
    function isValidPassword($pass){
        $query="SELECT `value` FROM `security_settings` WHERE `name`='max_password_length'";
        $max_password_length=$this->QueryItem($query);
        $query="SELECT `value` FROM `security_settings` WHERE `name`='min_password_length'";
        $min_password_length=$this->QueryItem($query);
        $test=strlen($pass);
        if($test > $max_password_length)
            $result=-2;
        else if($test < $min_password_length)
            $result=-1;
        else
            $result=1;
        return array('result'=>$result,'min'=>$min_password_length,'max'=>$max_password_length);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        isAdmin
        return: TRUE of FALSE
        param: user [string] The username to lookup and test.: Check if the user has administrative privileges.
    */
    function isAdmin($user){
        $query="SELECT `gid` FROM `security_users` WHERE `id`='".$user."'";
        $gid=$this->QueryItem($query);
        $query="SELECT `admin` FROM `security_profiles` WHERE `id`='".$gid."'";
        if($this->QueryItem($query))
            return TRUE;
        return FALSE;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        hasRights: Check to see if the user has rights to view this page. Use $_SERVER['PHP_SELF'] as the url.
        return: Returns TRUE or FALSE.
        param: url [string] The filename of the page.
    */
    function hasRights($url,$url2=''){
        // Make sure that the database will contain the full URI for the page
        // $PHP_SELF should be used to pass the url to this function
        $url=ereg_replace('(\?|&)PHPSESSID=[a-zA-Z0-9]{32}','',$url);
        $url2=ereg_replace('(\?|&)PHPSESSID=[a-zA-Z0-9]{32}','',$url2);
        $query="SELECT `id` FROM `security_pages` WHERE `page`='".$url."' OR `page`='".$url2."'";
        if($this->Exists($query))
            $pageid=$this->QueryItem($query);
        $query="SELECT `gid` FROM `security_users` WHERE `id`='".$_SESSION['psaun']."'";
        $gid=$this->QueryItem($query);
        $tmp=$this->getProfiles();
        $rightsar=$this->getProfile($gid);
        if(isset($rightsar[$pageid]))
            return TRUE;
        // 6/6/02 12:11PM - this was still set to echo the output rather than return the string
        return $this->PHPSECURITYADMIN_NO_ACCESS."<br><br>\n";
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        createRights: Takes an array and creates a field value for rights (users/profiles). Only adds rights to pages that are in the database.
        return: Returns a serialized array for storing in the rights field of the security_users table.
        param: ar array[page id]=access right
    */
    function createRights($ar){
        $i=0; $retarr=array();
        $pages=$this->getPages();
        while(list($key,$val)=@each($ar)){
            if(isset($pages[$key]))
                $retarr[$key]=$val;
            $i++;
        }
        return serialize($retarr);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        deleteUser: Remove a user from the system.
        param: user [string] The username you wish to delete from the database.
    */
    function deleteUser($user){
        $this->Delete("DELETE FROM `security_users` WHERE `id`='$user'");
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        addProfile: Takes an array and creates a system user profile based on it.
        param: ar array[field]=bool
    */
    function addProfile($ar){
        $name=$ar['name'];
        if(isset($ar['admin']))
            $admin=1;
        else
            $admin=0;
        unset($ar['admin']);
        unset($ar['name']);
        $ar=$this->createRights($ar);
        $query="INSERT INTO `security_profiles` SET `name`='".$name."', `value`='".$ar."',`admin`='".$admin."'";
        $this->Insert($query);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        editProfile: Takes an array and updates a profile based on it.
        param: ar array[field]=bool
    */
    function editProfile($ar){
        $id=$ar['id'];
        $name=$ar['name'];
        if(isset($ar['admin']))
            $admin=$ar['admin'];
        else
            $admin=0;
        $ar=$this->createRights($ar);
        $query="UPDATE `security_profiles` SET `name`='".$name."',`value`='".$ar."',`admin`='".$admin."' WHERE `id`='".$id."'";
        $this->Update($query);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        deleteProfile: Takes a profile id and deletes the profile.
        param: id [int] The profile's database row id.
    */
    function deleteProfile($id){
        $this->Delete("DELETE FROM `security_profiles` WHERE `id`='$id'");
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        addPage: Adds a page to the database to allow restrictions.
        return: Returns TRUE or FALSE if filename or title already in use.
        param: title [string] The name you want to see the page displayed as in the rights list.
        param: page [string] The filename of the page.
    */
    function addPage($title,$page){
        $query="SELECT `id` FROM `security_pages` WHERE `title`='".$title."' OR `page`='".$page."'";
        if($this->Exists($query))
            return FALSE;
        else{
            $query="INSERT INTO `security_pages` SET `title`='".$title."',`page`='".$page."'";
            $this->Insert($query);
            return TRUE;
        }
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        editPage: Edits a page in the database info that is sent via array.
        param: ar [array] Use $_POST.
    */
    function editPage($ar){
        $query="UPDATE `security_pages` SET `page`='".
            $ar['page']."', `title`='".$ar['title']."' WHERE `id`='".$ar['id']."'";
        $this->Update($query);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        deletePage: Deletes a page from the database. If this is done nobody can view that page unless the include _restrict.php line is removed from the file on the server.
        param: id [int] The database row id of the page to delete.
    */
    function deletePage($id){
        $query="DELETE FROM `security_pages` WHERE `id`='".$id."'";
        $this->Delete($query);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        getPages: Get an array of all the page ids and titles.
        return: array[page id]=title
    */
    function getPages(){
        $pages=array();
        $query='SELECT `id`,`title` FROM `security_pages` ORDER BY `title`';
        $this->Query($query);
        for($i=0;$i<$this->rows;$i++){
            $this->GetRow($i);
            $id=$this->data['id'];
            $title=$this->data['title'];
            $pages[$id]=$title;
        }
        return $pages;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        getPage: Get an array of the page values from the table.
        return: array[field]=value
        param: id [int] The page's database row id.
    */
    function getPage($id){
        $query="SELECT `id`,`page`,`title` FROM `security_pages` WHERE `id`='".$id."'";
        $this->QueryRow($query);
        $retarr['id']=$id;
        $retarr['page']=$this->data['page'];
        $retarr['title']=$this->data['title'];
        return $retarr;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        getProfiles: Get an array of all the profile ids and names in the system.
        return: array[id]=name else FALSE if no profiles exist.
    */
    function getProfiles(){
        $profiles=FALSE;
        $query='SELECT `id`,`name` FROM `security_profiles` ORDER BY `name`';
        $this->Query($query);
        if($this->rows) $profiles=array();
        for($i=0;$i<$this->rows;$i++){
            $this->GetRow($i);
            $id=$this->data['id'];
            $name=$this->data['name'];
            $profiles[$id]=$name;
        }
        return $profiles;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        getProfile: Get the profile information from the database.
        return: FALSE if profile doesn't extist.
            Array[pageid]=$_GET['a']ccess_flag as well as array['name']=name and array['admin']=T/F if profile has been set else returns $array['name']=name if it is an empty profile.
        param: id [int] The profile's database row id.
    */
    function getProfile($id){
        $query="SELECT `value`,`name`,`admin` FROM `security_profiles` WHERE `id`='".$id."'";
        if($this->Exists($query)){
            $this->QueryRow($query);
            $rights=unserialize($this->data['value']);
            $rights['rights']=$this->data['value'];
            $rights['name']=$this->data['name'];
            $rights['admin']=$this->data['admin'];
            return $rights;
        }else
            return FALSE;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        getUsers: Get array of users.
        return: array(name,email,phone,connection,admin,active)
    */
    function getUsers(){
        $users=array();
        $groups=array();
        $q='SELECT `id`,`admin` FROM `security_profiles` ORDER BY `id`';
        $this->Query($q);
        for($i=0;$i<$this->rows;$i++){
            $this->GetRow($i);
            $groups[$this->data['id']]=$this->data['admin'];
        }

        $query='SELECT `id`,`fname`,`lname`,`mname`,`email`,`gid`,`uid`,`phone`,`connection`,`active` FROM `security_users`';
        $this->Query($query);
        for($i=0;$i<$this->rows;$i++){
            $this->GetRow($i);
            $id=$this->data['id'];
            $fname=$this->data['fname'];
            $lname=$this->data['lname'];
            $mname=$this->data['mname'];
            $email=$this->data['email'];
            $phone=$this->data['phone'];
            $gid=$this->data['gid'];
            $uid=$this->data['uid'];
            $connection=$this->data['connection'];
            $active=$this->data['active'];
            $name=$lname.', '.$fname;

            $users[$id]=array('id'=>$id,'name'=>$name,'email'=>$email,'phone'=>$phone,
                'connection'=>$connection,'admin'=>$groups[$gid],'active'=>$active,
                'lname'=>$lname,'fname'=>$fname,'mname'=>$mname,'gid'=>$gid,'uid'=>$uid);
        }
        return $users;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        loginForm: Displays a login form that posts to page that called function.
    */
    function loginForm($custom=''){
        if($custom){
            include $custom;
            return TRUE;
        }else{
?>
		  <form method=post action="<?php echo $_SERVER['REQUEST_URI'] ?>">
		   <input type=hidden name="requested_uri" value="<?php echo $_SERVER['REQUEST_URI'] ?>">
<?php
            while(list($k,$v)=@each($_POST)){
                echo '<input type="hidden" name="'.$k.'" value="'.urlencode($v).'">'."\n";
            }
?>
		<pre><b><?php printf('%-15s',$this->PHPSECURITYADMIN_USERNAME.':') ?></b> <input type=text size=30 name=user>
		<b><?php printf('%-15s',$this->PHPSECURITYADMIN_PASSWORD.':') ?></b> <input type=password size=30 name=pass></pre>
		   <input type=hidden name=language value="<?php echo $this->LANGUAGE?>">
		   <input type=submit name=LOGIN value="<?php echo $this->PHPSECURITYADMIN_LOGIN ?>">
		  </form>
<?php
            return TRUE;
        }
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        editUser:  Updates the user information in the database based on the passed values. It does not matter which parameter (or both) you send.
        return: Returns TRUE or FALSE if no array was sent.
        param: ar [array] Use $_POST to send the user information to the function for updates.
        param: rgt [array] Use $_POST to send the user rights to the function for updates.
    */
    function editUser($ar){
        $query="UPDATE `security_users` SET `updated`='".date('Y-m-d H:i:s')."'";
        $pass_test=$this->isValidPassword($ar['pass1']);
        if(isset($ar['pass1']) && $pass_test['result']==1)
            $this->changePassword($ar['id'],$ar['pass1']);
        while(list($field,$value)=@each($ar)){
            if($field=='uid' || $field=='gid' || $field=='id' || $field=='lname' ||
                    $field=='fname' || $field=='mname' || $field=='email' || $field=='phone' ||
                    $field=='active' || $field=='connection')
                $query.=",`".$field."`='".$value."'";
        }
        if(!isset($ar['active']))
            $query.=",`active`='0'";
        $query.=" WHERE `id`='".$ar['id']."'";
        $this->Update($query);
        return TRUE;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        activateUser: [de]activates a user in the database.
        param: $user [string] the user to activate/deactivate
        param: $active [int] Pass as 0 to deactivate a user.
    */
    function activateUser($user,$active=1){
        $query="UPDATE `security_users` SET `updated`='".date('Y-m-d H:i:s')."', `active`='".$active.
            "' WHERE `id`='".$user."'";
        $this->Update($query);
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        changeProfile:  Takes single array $ar to change a user's access rights profile.
        param: ar [array] The fields posted from the form (use $_POST).
        return: Updates the user's gid in the database.
    */
    function changeProfile($ar){
        $uid=$ar['uid'];
        $gid=$ar['profile'];
        $q="UPDATE `security_users` SET `updated`='".date('Y-m-d H:i:s')."', `gid`='".$gid."' WHERE `uid`='".$uid."'";
        $this->Update($q);
    }


//-----------------------------------------------------------------------------------------------------------
    /*
        addUser:  Takes single array $ar to create a new user for the system.
        return: Returns TRUE on success and FALSE if the user already exists.
        param: ar [array] The fields posted from the form (use $_POST).
    */
    function addUser($ar){
        $users=$this->getUsers();
        if(!isset($users[$ar['id']])){
            $query="SELECT `value` FROM `security_profiles` WHERE `id`='".$ar['profile']."'";
            $rights=$this->QueryItem($query);
            $query="INSERT INTO `security_users` SET `updated`='".date('Y-m-d H:i:s')."'";

            $HASH_VAR=date('YmdHis').$_SERVER['REMOTE_ADDR'];
            $hash=md5($HASH_VAR);
            $password=md5($ar['pass'].$hash);

            $query.=",`lname`='".$ar['lname']."',`fname`='".$ar['fname']."',`mname`='".$ar['mname']."'".
                ",`email`='".$ar['email']."',`phone`='".$ar['phone']."',`id`='".$ar['id']."',`pass`='".$password."'".
                ",`hash`='".$hash."',`gid`='".$ar['profile']."',`active`='1'";
            $this->Insert($query);
            return TRUE;
        }else
            return FALSE;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        changePassword: Updates the user's password in the database. The logged in user must either be the same as the requested change or someone with administrative rights to the system.
        return: TRUE or FALSE.
        param: user [string] The username that the new password corresponds with.
        param: pass [string] The new password.
    */
    function changePassword($user,$pass){
        if($_SESSION['psaun']==$user || $this->isAdmin($_SESSION['psaun'])){
            $HASH_VAR=date('YmdHis').$_SERVER['REMOTE_ADDR'];
            $hash=md5($HASH_VAR);
            $password=md5($pass.$hash);
            $query="UPDATE `security_users` SET `updated`='".date('Y-m-d H:i:s')."', `pass`='".$password."', ".
                "`hash`='".$hash."', `lockcount`='0', `active`='1' WHERE `id`='".$user."'";
            $this->Update($query);
            return TRUE;
        }else
            return FALSE;    // could possibly log these requests to show violations
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        updateSettings: Allows a user to change the security system settings
        return: The database is updated.
        param: array of posted values from form (Use $_POST)
    */
    function updateSettings($ar){
        while(list($name,$val)=@each($ar)){
            if($name!='submit'){
                $query="UPDATE `security_settings` SET `value`='".$val."' WHERE `name`='".$name."'";
                $this->Update($query);
            }
        }
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        languageSelection: Displays a language selection from from data in security_languages
    */
    function languageSelection($outofdate=0){
        $retVal='  <form method=post action="'.$_SERVER['REQUEST_URI'].'">'."\n".
            '   <select name=language>'."\n";
        $q='SELECT `id`,`name` FROM `security_languages`';
        if($outofdate)
            $q.=" WHERE `uptodate`='0'";
        else
            $q.=" WHERE `uptodate`='1'";
        $q.=' ORDER BY `name`';
        $this->Query($q);
        for($i=0;$i<$this->rows;$i++){
            $this->GetRow($i);
            $retVal.='    <option value="'.$this->data['id'].'"';
            if($this->data['id']==$this->LANGUAGE)
                $retVal.=' selected';
            $retVal.='>'.$this->data['name'].'</option>'."\n";
        }
        $retVal.='   </select>'."\n".
            '   <input type=submit value="'.$this->PHPSECURITYADMIN_TRANSLATE.'">'."\n".
            '  </form>'."\n";
        return $retVal;
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        securityHeader: Starts the HTML output for the page.
    */
    function securityHeader($charset='iso-8859-1'){
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//<?php echo strtoupper($this->LANGUAGE); ?>">
<html>
 <head>
  <title>phpSecurityAdmin <?php echo $this->VERSION ?>: <?php echo $this->PHPSECURITYADMIN_HOST ?></title>
  <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset ?>">
  <link rel="stylesheet" href="styles.css" type="text/css">
 </head>

 <body style="background-color: #ffffff; color: #000000;">
<?php
    }

//-----------------------------------------------------------------------------------------------------------
    /*
        securityFooter: Ends the HTML output for the page.
    */
    function securityFooter(){
?>
 </body>
</html>
<?php
    }
} // end security_class

?>
Return current item: phpSecurityAdmin