<?phpclass system { public function __construct() { # Allows access to th

1. <?php
2. class system {
3. public function __construct() {
4. # Allows access to the database
5. global $database;
6.  
7. # Make sure we are connected to the database
8. $database->connectToDatabase();
9. }
10.  
11. # Checks if the user is logged in, if they are it returns true, else false
12. public function loggedin() {
13. # Allows access to the database
14. global $database;
15.  
16. # If the session hasn't already been started, start one
17. if (!isset($_SESSION)) {
18. session_start();
19. }
20.  
21. # Check if the username and password sessions are set, if they are then the user is logged in
22. if (isset($_SESSION['sys_username']) AND isset($_SESSION['sys_password'])) {
23. return true;
24. }
25. else {
26. # Not logged in, return false
27. return false;
28. }
29. }
30.  
31. # Returns the current user's username
32. public function username() {
33. # Allows access to the database
34. global $database;
35.  
36. # If the session hasn't already been started, start one
37. if (!isset($_SESSION)) {
38. session_start();
39. }
40.  
41. # Returns the value of the 'sys_username' session
42. return $_SESSION['sys_username'];
43. }
44.  
45. # Returns the current user's email
46. public function email() {
47. # Allows access to the database
48. global $database;
49.  
50. # If the session hasn't already been started, start one
51. if (!isset($_SESSION)) {
52. session_start();
53. }
54.  
55. # Returns the value of the 'sys_email' session
56. return $_SESSION['sys_email'];
57. }
58.  
59. # Function to prevent MySQL injection
60. public function clean($string) {
61. # Allows access to the database
62. global $database;
63.  
64. # Clean $string
65. $string = stripslashes($string);
66. $string = mysql_real_escape_string($string);
67.  
68. # Send back the cleaned string
69. return $string;
70. }
71.  
72. # Retrieve the salt for a user from the database
73. public function retrieveSalt($username) {
74. # Clean the username
75. $username = $this->clean($username);
76.  
77. # Query database to retrieve salt
78. $sql = "SELECT salt FROM users WHERE username='$username'";
79. $result = mysql_query($sql);
80.  
81. # Get the results from the database
82. $res = mysql_fetch_array($result);
83.  
84. # Retrieve the result from the array
85. $salt = $res['salt'];
86.  
87. # Returns the salt
88. return $salt;
89. }
90.  
91. # Check if a username and password combination is valid, returns true if valid, else false
92. public function validate($username, $password) {
93. # Allows access to the database
94. global $database;
95.  
96. # Check if the IP address is banned
97. if (!$this->checkIPBanned($_SERVER['REMOTE_ADDR'])) {
98. # The IP address is not banned, continue as normal
99.  
100. # Clean the username and password to prevent injection
101. $username = $this->clean($username);
102. $password = $this->clean($password);
103.  
104. # Get the user's salt
105. $salt = $this->retrieveSalt($username);
106.  
107. # MD5 the password
108. $password = md5($salt . $password);
109.  
110. # Search for records where username and password match
111. $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
112. $result = mysql_query($sql);
113.  
114. # Count the number of returned rows
115. $count = mysql_num_rows($result);
116.  
117. # If the rows returned are equal to or greater than 1, the username and password are valid
118. if ($count >= 1) {
119. # If session hasnt been started, start one
120. if (!isset($_SESSION)) {
121. session_start();
122. }
123.  
124. # Get the returned results
125. $result = mysql_fetch_array($result);
126.  
127. # Check if the user is banned
128. if ($result['usergroup'] == "banned") {
129. # User is banned, return false (fail)
130. return false;
131. }
132. else {
133. # Set the results from the query as sessions
134. $_SESSION['sys_username'] = $result['username'];
135. $_SESSION['sys_password'] = $result['password'];
136. $_SESSION['sys_email'] = $result['email'];
137.  
138. # Get the user's IP address and clean it
139. $ip = $this->clean($_SERVER['REMOTE_ADDR']);
140.  
141. # The user has logged in successfully, delete all entries from the authentication logs
142. $sql = "DELETE FROM authentication_fails_log WHERE ip='$ip'";
143. mysql_query($sql);
144.  
145. # Return true as login was successful
146. return true;
147. }
148. }
149. else {
150. # Return false (failed)
151. return false;
152. }
153. }
154. else {
155. # The IP address is banned, return false (fail)
156. return false;
157. }
158. }
159.  
160. # Logs the user out
161. public function logout() {
162. # Unset the session variables
163. unset($_SESSION['sys_username']);
164. unset($_SESSION['sys_password']);
165. unset($_SESSION['sys_email']);
166. }
167.  
168. # Generates a random string
169. public function generateRandom($length) {
170. # Characters that can be used in the string
171. $characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
172.  
173. # Just set the variable so that we dont get errors appending it
174. $string = "";
175.  
176. # Create the random string
177. for ($p = 0; $p < $length; $p++) {
178. $string .= $characters[mt_rand(0, strlen($characters) - 1)];
179. }
180.  
181. return $string;
182. }
183.  
184. public function recover($username) {
185. # Allows access to the database
186. global $database;
187.  
188. # Clean the userame
189. $username = $this->clean($username);
190.  
191. # Search if there are any users with the entered username
192. $sql = "SELECT * FROM users WHERE username='$username'";
193. $result = mysql_query($sql);
194.  
195. # Count the number of rows
196. $count = mysql_num_rows($result);
197.  
198. # If the number or results is equal to or greater than 1, it is a valid username
199. if ($count <= 1) {
200. # Fetch the results of the query so that we can get the user's email address
201. $res = mysql_fetch_array($result);
202.  
203. # Get the user's email address from the results array
204. $to = $res['email'];
205.  
206. # The subject for the email
207. $subject = "Password Recovery";
208.  
209. $random_password = $this->generateRandom(6);
210.  
211. # Get the MD5 version of the password which is what we put in the database
212. $random_password_md5 = md5($random_password);
213.  
214. # Update the user's password in the database
215. $sql1 = "UPDATE users SET password='$random_password_md5' WHERE username='$username'";
216. $result1 = mysql_query($sql1);
217.  
218. # Check if the update was successful
219. if (!$result1) {
220. # Didn't change, exit
221. return false;
222. }
223. else {
224. # The body of the email
225. $body = "We recieved a request to reset the password for your account at Twaddlr from " . $_SERVER['REMOTE_ADDR'] . "\n\nUsername: " . $username . "\nPassword: " . $random_password;
226.  
227. # Check if the email was sent successfully
228. if (mail($to, $subject, $body)) {
229. # Sent successfully, the function has succeeded
230. return true;
231. }
232. else {
233. # Send failed, the subject has not succeeded
234. return false;
235. }
236. }
237. }
238. }
239.  
240. public function changePassword($username, $oldPassword, $newPassword) {
241. # Allows access to the database
242. global $database;
243.  
244. # Clean the strings
245. $username = $this->clean($username);
246. $oldPassword = $this->clean($oldPassword);
247. $newPassword = $this->clean($newPassword);
248.  
249. # Check if the username and password match
250. if ($this->validate($username, $oldPassword)) {
251. # Retrieve the user's salt
252. $salt = $this->retrieveSalt($username);
253.  
254. # Encrypt the new password
255. $newPassword = md5($salt . $newPassword);
256.  
257. # Update the user's password
258. $sql = "UPDATE users SET password='$newPassword' WHERE username='$username'";
259. $result = mysql_query($sql);
260.  
261. # Check if it was successful or not
262. if ($result) {
263. # Changed successfully, return true
264. return true;
265. }
266. else {
267. # Change failed, return false
268. return false;
269. }
270. }
271. else {
272. # Username and password were not correct, function failed
273. return false;
274. }
275. }
276.  
277. public function changeEmail($username, $password, $newEmail) {
278. # Allows access to the database
279. global $database;
280.  
281. # Clean the submitted data
282. $username = $this->clean($username);
283. $password = $this->clean($password);
284. $newEmail = $this->clean($newEmail);
285.  
286. # Check if the username and password are valid
287. if ($this->validate($username, $password)) {
288. # Username and password are valid
289. $sql = "UPDATE users SET email='$newEmail' WHERE username='$username'";
290. $result = mysql_query($sql);
291.  
292. # Check if the field was updated successfuly
293. if ($result) {
294. # It was updated, return true (success)
295. return true;
296. }
297. else {
298. # Could not update the field, return false (fail)
299. return false;
300. }
301. }
302. else {
303. # Username and password were wrong, return false (fail)
304. return false;
305. }
306. }
307.  
308. # Check if a username is already in use
309. public function usernameAvalible($username) {
310. # Clean the input
311. $username = $this->clean($username);
312.  
313. # Select all rows from the database where username matches
314. $sql = "SELECT * FROM users WHERE username='$username'";
315. $result = mysql_query($sql);
316.  
317. # Count the number of rows returned
318. $count = mysql_num_rows($result);
319.  
320. # Check if $count is equal to or greater than 1
321. if ($count == 0) {
322. # No rows returned. The username is avalible. Return true (success)
323. return true;
324. }
325. else {
326. # Rows returned. The username is in use. Return false (failed)
327. return false;
328. }
329. }
330.  
331. # Register a user
332. public function register($username, $password, $email) {
333. # Check if the username is avalible
334. if (!$this->usernameAvalible($username)) {
335. # The username is taken, return false (failed)
336. return false;
337. }
338. else {
339. # Get the user's IP address
340. $ip = $_SERVER['REMOTE_ADDR'];
341.  
342. # Clean the inputs
343. $username = $this->clean($username);
344. $password = $this->clean($password);
345. $email = $this->clean($email);
346. $ip = $this->clean($ip);
347.  
348. # Generates a salt
349. $salt = $this->generateRandom(10);
350.  
351. # Encrypt the password
352. $password = md5($salt . $password);
353.  
354. # Insert them into the database
355. $sql = "INSERT INTO users (username, password, salt, email, signup_ip) VALUES ('$username', '$password', '$salt', '$email', '$ip')";
356. $result = mysql_query($sql);
357.  
358. # Check if the query was successful
359. if ($result) {
360. # Query was successful, return true (success)
361. return true;
362. }
363. else {
364. # Query was not successful, return false (fail)
365. return false;
366. }
367. }
368. }
369.  
370. # Check if a user is banned
371. public function checkBanned($username) {
372. # Clean the username
373. $username = $this->clean($username);
374.  
375. # Get the rows in bannedips relevant to the username
376. $sql = "SELECT * FROM users WHERE username='$username' AND group='banned'";
377. $result = mysql_query($sql);
378.  
379. # Get the number of rows returned
380. $count = mysql_num_rows($result);
381.  
382. # If the count is equal to 0, they are not banned
383. if ($count == 0) {
384. # The user is not banned, return false;
385. return false;
386. }
387. else {
388. # The user is banned, return true
389. return true;
390. }
391. }
392.  
393. # Check if an IP address is banned from logging in
394. public function checkIPBanned($ip) {
395. # Clean the IP address of the user
396. $ip = $this->clean($ip);
397.  
398. # Get the rows in bannedips relevant to the IP address
399. $sql = "SELECT * FROM bannedips WHERE ip='$ip'";
400. $result = mysql_query($sql);
401.  
402. # Get the number of rows returned
403. $count = mysql_num_rows($result);
404.  
405. # If the count is equal to 0, they are not banned
406. if ($count == 0) {
407. # The IP address is not banned, return false
408. return false;
409. }
410. else {
411. # The IP address is banned, return true
412. return true;
413. }
414. }
415.  
416. # Verifies if an email is valid
417. public function verifyEmail($email) {
418. if (!preg_match( "/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $email)) {
419. return false;
420. }
421. else {
422. return true;
423. }
424. }
425.  
426. ####################################################################################################
427. ## ADMIN FUNCTIONS #################################################################################
428. ####################################################################################################
429.  
430. # Function to ban users
431. public function banUser($username) {
432. # Clean the username
433. $username = $this->clean($username);
434.  
435. # Update the user's group as banned
436. $sql = "UPDATE users SET usergroup='banned' WHERE username='$username'";
437. $result = mysql_query($sql);
438.  
439. # Check if the query was successful
440. if ($result) {
441. # Query successful, user is banned, return true
442. return true;
443. }
444. else {
445. # Query was not successful, could not ban user, return false
446. return false;
447. }
448. }
449.  
450. # Function to unban users
451. public function unbanUser($username) {
452. # Clean the username
453. $username = $this->clean($username);
454.  
455. # Update the user's group as banned
456. $sql = "UPDATE users SET usergroup='user' WHERE username='$username'";
457. $result = mysql_query($sql) or die(mysql_error());
458.  
459. # Check if the query was successful
460. if ($result) {
461. # Query successful, user has been unbanned, return true
462. return true;
463. }
464. else {
465. # Query was not successful, could not unban user, return false
466. return false;
467. }
468. }
469.  
470. # Function to ban IP addresses
471. public function banIP($ip, $reason = NULL) {
472. # Clean the IP address and $reason
473. $ip = $this->clean($ip);
474. $reason = $this->clean($reason);
475.  
476. # Insert the IP address and reason into the database
477. $sql = "INSERT INTO bannedips (ip, reason) VALUES ('$ip', '$reason')";
478. $result = mysql_query($sql);
479.  
480. # Check if the query was successful
481. if ($result) {
482. # Query successful, return true
483. return true;
484. }
485. else {
486. # Query was not successful, return false
487. return false;
488. }
489. }
490.  
491. # Function to un-ban IP addresses
492. public function unbanIP($ip) {
493. # Clean the IP address
494. $ip = $this->clean($ip);
495.  
496. # Delete the rows where the IP address is mentioned
497. $sql = "DELETE FROM bannedips WHERE ip='$ip'";
498. $result = mysql_query($sql);
499.  
500. # Check if the query was successful
501. if ($result) {
502. # Query successful, return true
503. return true;
504. }
505. else {
506. # Query was not successful, return false
507. return false;
508. }
509. }
510.  
511. # Function to retrieve the reason for an IP address being banned
512. public function reasonForIPBan($ip) {
513. # Clean the IP address
514. $ip = $this->clean($ip);
515.  
516. # Get the row where it is banned
517. $sql = "SELECT * FROM bannedips WHERE ip='$ip'";
518. $result = mysql_query($sql);
519.  
520. # Count the number of rows returned
521. $count = mysql_num_rows($result);
522.  
523. # If $count is equal to or greater than 1, then the IP is banned
524. if ($count == 0) {
525. # IP address is not banned, message to be returned
526. $reason = "This IP address does not appear to be banned";
527.  
528. # Return reason
529. return $reason;
530. }
531. else {
532. # IP address is banned, get the row's contents
533. $result = mysql_fetch_array($result);
534.  
535. # Get the reason
536. $reason = $result['reason'];
537.  
538. if ($reason == "") {
539. $reason = "No reason specified";
540. }
541.  
542. # Return the reason
543. return $reason;
544. }
545. }
546. }
547.  
548. $system = new system;
549. ?>