lowheartrate

action.php 11292016-0618

Nov 29th, 2016
91
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 19.26 KB | None | 0 0
  1. <?php
  2. // display all error(s)
  3. error_reporting(-1);
  4. ini_set('display_errors', 'true');
  5.  
  6. // get what action user is here for
  7. $action = $_GET['action'];
  8.  
  9. // include common.inc.php
  10. include 'core/common.inc.php';
  11.  
  12. // if user is here to sign in to their account
  13. if ($action == 'sign_in') {
  14.   // protect from users already logged in
  15.   protect();
  16.  
  17.   // show navbar & set page title to 'Log In to account'
  18.   showHeader('Sign In to account');
  19.  
  20.   // show loginModule for user to sign in to
  21.   loginModule();
  22.  
  23.   showFooter();
  24. }
  25.  
  26. // if user is here to logout to their account
  27. if ($action == 'logout') {
  28.   // hide all errors
  29.   error_reporting(0);
  30.  
  31.   // set page title to 'logout' & show navbar
  32.   showHeader('logout');
  33.  
  34.   // protect from users that aren't already logged in...
  35.   protect2();
  36.  
  37.   // destroy session (log out)
  38.   session_destroy();
  39.  
  40.   // notify user logout was successful
  41.   echo "<p class='success'>logout successful</p>";
  42.   echo '<p class="info">If you have not been redirected, try to <a href="index.php">refresh</a> your page.</p>';
  43.  
  44.   // redirect user to homepage & exit();
  45.   redirect('index.php');
  46.   exit();
  47. }
  48.  
  49. if ($action == 'register_account') {
  50.   // hide all errors
  51.   error_reporting(0);
  52.  
  53.   // show navbar and set title to 'Register Account'
  54.   showHeader('Register Account');
  55.  
  56.   // protect page from users that are already logged in
  57.   protect();
  58.  
  59.   // include function to make sure registration form checks for errors
  60.   function checkRegisterErrors() {
  61.     if(isset($_POST['submit_registration'])){
  62.         require 'core/findConflict.php';
  63.         $username = $_POST['username'];
  64.         $password = $_POST['password'];
  65.         $cpassword = $_POST['cpassword'];
  66.         $email = $_POST['email'];
  67.         $hash = password_hash($password, PASSWORD_DEFAULT);
  68.         $query = dbConnect()->prepare("SELECT email, username FROM users WHERE username = :username OR email = :email");
  69.         $query->bindParam(':username', $username);
  70.         $query->bindParam(':email', $email);
  71.         $query->execute();
  72.         $conflictingItems = [];
  73.         while ( $result = $query->fetch( PDO::FETCH_ASSOC ) ) {
  74.             $conflictingItems[] = $result;
  75.         }
  76.         // for checking checkGoogleCaptcha() function!!
  77.         require_once 'core/recaptchalib.php';
  78.         if(isset($_POST['g-recaptcha-response']))
  79.         $captcha = $_POST['g-recaptcha-response'];
  80.         $response = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=6Levrg4TAAAAAFmjcgKW8kDakmXTiBhmiCnUMchD&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']), true);
  81.  
  82.         if ( count ($conflictingItems) == 1 ) {
  83.           switch ( getConflict($conflictingItems, $username, $email) ) {
  84.               case 1:
  85.               // username conflict
  86.               echo "<p class='error'>username taken</p>";
  87.               break;
  88.               case 2:
  89.               // Email conflict
  90.               echo "<p class='error'>email already in use</p>";
  91.               break;
  92.               case 3:
  93.               // email & username conflict
  94.               echo '<p class="error">username & email in use</p>';
  95.               break;
  96.           }
  97.         } elseif ( count($conflictingItems) == 2 ) {
  98.           echo 'username & email already in use';
  99.  
  100.         // check if passwords match!
  101.         } elseif ($password != $cpassword) {
  102.           echo '<p class="error">passwords do not match</p>';
  103.  
  104.         // make sure password is between 8 - 16 characters
  105.         } elseif (strlen($password) < 8 OR strlen($password) > 16) {
  106.           echo '<p class="error">password must be between 8 & 16 characters</p>';
  107.  
  108.         // checks to make sure google recaptcha was posted!
  109.         } elseif (!$captcha) {
  110.           echo '<p class="error">please complete the captcha</p>';
  111.         } elseif($response['success'] == false) {
  112.           echo '<p class="error">you are a robot</p>';
  113.  
  114.  
  115.         } else {
  116.           // require config.php to get maximum file size --> $maximum_avatar_file_size = '125000';
  117.           //                    to get avatars directory --> $avatars_directory = 'includes/uploads/avatars';
  118.           require 'core/config.php';
  119.  
  120.           // need for file upload query & query to insert fields into database..
  121.           $activation_id = uniqid(true);
  122.  
  123.           // file upload stuff... ONLY NEEDED FOR TESTING PURPOSES!
  124.           // var_dump($_FILES);
  125.  
  126.           // move uploaded file to directory (includes/uploads/avatar)
  127.           $upload_directory = $avatars_directory;
  128.           // sets $image & gets image type, name, tmp_name
  129.           $image = $_FILES['avatar'];
  130.           $image_name = $_FILES['avatar']['name'];
  131.           $image_tmp_name = $_FILES['avatar']['tmp_name'];
  132.           $image_size = $_FILES['avatar']['size'];
  133.           $image_type = $_FILES['avatar']['type'];
  134.  
  135.           // set file name (make it unique)
  136.           $file_name = $activation_id . $image_name;
  137.  
  138.           // finds extension of file uploaded...
  139.           $image_extension = strtolower(pathinfo($_FILES['avatar']['name'],PATHINFO_EXTENSION));
  140.           // allowed extensions of file uploaded...
  141.           $valid_image_extensions = array('jpeg', 'jpg', 'png', 'gif');
  142.  
  143.           // if image extension is a valid image extension...
  144.           if (in_array($image_extension, $valid_image_extensions)) {
  145.             if ($image_size > $maximum_avatar_file_size) {
  146.               echo '<p class="error">error; file size is too large! Maximum file size is ' .$maximum_avatar_file_size. ' bytes. <a href="action.php?action=register_account">Retry Registration</a></p>';
  147.               exit();
  148.             } else {
  149.               // move the file to desired directory ($upload_directory)
  150.               move_uploaded_file($image_tmp_name, "$upload_directory/$file_name");
  151.             }
  152.           }
  153.  
  154.  
  155.           // query to insert fields into database...
  156.           //$activation_id = uniqid(true);
  157.           $query = dbConnect()->prepare("INSERT INTO users (username, password, email, activated, activation_id, avatar) VALUES (:username, :password, :email, :activated, :activation_id, :avatar)");
  158.           $query->bindParam(':username', $username);
  159.           $query->bindParam(':email', $email);
  160.           $query->bindParam(':password', $hash);
  161.           $query->bindValue(':activated', "0");
  162.           $query->bindValue(':activation_id', $activation_id);
  163.           $query->bindValue(':avatar', $file_name);
  164.           $query->execute();
  165.  
  166.           // set variables for optional fields...
  167.           $firstName = $_POST['first_name'];
  168.           $lastName = $_POST['last_name'];
  169.           $birthday = $_POST['birthday'];
  170.           $steam_profile = $_POST['steam_profile'];
  171.           $twitter_profile = $_POST['twitter_profile'];
  172.           $facebook_profile = $_POST['facebook_profile'];
  173.           $instagram_profile = $_POST['instagram_profile'];
  174.  
  175.           // update user_details database
  176.           $query2 = dbConnect()->prepare("INSERT INTO user_details (first_name, last_name, birthday, steam_profile, twitter_profile, facebook_profile, instagram_profile) VALUES (:firstName, :lastName, :birthday, :steam, :twitter, :facebook, :instagram)");
  177.           $query2->bindParam(':firstName', $firstName);
  178.           $query2->bindParam(':lastName', $lastName);
  179.           $query2->bindParam(':birthday', $birthday);
  180.           $query2->bindParam(':steam', $steam_profile);
  181.           $query2->bindParam(':twitter', $twitter_profile);
  182.           $query2->bindParam(':facebook', $facebook_profile);
  183.           $query2->bindParam(':instagram', $instagram_profile);
  184.           $query2->execute();
  185.  
  186.           // query to add image name to database to echo later on...
  187.           /*
  188.           $add_image_to_database = dbConnect()->prepare("INSERT INTO users (avatar) VALUES (:avatar)");
  189.           $add_image_to_database->bindParam(':avatar', $file_name);
  190.           $add_image_to_database->execute();
  191.           */
  192.  
  193.           // send email verification
  194.           require 'core/config.php';
  195.           $subject = $url . 'Registration Confirmation';
  196.           $link = 'http://' . $url. "/activate.php?activation_id=" . $activation_id;
  197.           $message = 'Thanks for registering with us! Please verify your account at' . $link . ' so you can login.';
  198.           $headers = 'From: ' .$contact_email;
  199.           mail($email/* <-- Who its being sent to */, $subject, $message, $headers);
  200.           echo '<p class="info">registration successful, please verify email before logging in.</p>';
  201.  
  202.           header('refresh:5;url=index.php');
  203.  
  204.           echo '<p class="info">if you are not redirected, try to <a href="index.php">refresh</a> your page.</p>';
  205.         }
  206.     }
  207.   }
  208.  
  209.   // echo registration form
  210.   echo '
  211.  <center>
  212.    <form enctype="multipart/form-data" action="" method="post" class="register_module">
  213.  
  214.      <h2 style="text-align:left;font-family:"Roboto",sans-serif;">Account Credentials<span style="font-size:12px;font-weight:400;"> (required)</span></h2>
  215.  
  216.      <div class="account_credentials">
  217.        <input class="register_module protect_from_spaces" type="text" name="username" placeholder="choose a username*" maxlength="30" required><br />
  218.        <input class="register_module protect_from_spaces" type="email" name="email" placeholder="email address*" required><br />
  219.  
  220.        <div class="row_inline">
  221.          <input class="register_module input protect_from_spaces" type="password" name="password" placeholder="password*" maxlength="18" required>
  222.          <input class="register_module input protect_from_spaces" type="password" name="cpassword" placeholder="confirm password*" maxlength="18" required><br />
  223.        </div>
  224.      </div>
  225.        <br />
  226.  
  227.        <!-- here add user details section (name, avatar, birthday, etc...) -->
  228.        <h2 style="text-align:left;font-family:"Roboto",sans-serif;">Account Details<span style="font-size:12px;font-weight:400;"> (optional)</span></h2>
  229.  
  230.        <br />
  231.        <div class="account_details">
  232.          <p style="text-align:left;font-family:"Roboto",sans-serif;font-weight:400;">Name:<span style="font-size:12px;font-weight:400;"> (required)</span></p>
  233.          <input class="register_module_short protect_from_spaces" style="margin-right:1%;" type="text" name="first_name" placeholder="first name*" required />
  234.          <input class="register_module_short protect_from_spaces" type="text" name="last_name" placeholder="last name" />
  235.  
  236.          <p style="text-align:left;font-family:"Roboto",sans-serif;font-weight:400;">Birthday:</p>
  237.          <input style="margin-top:-10px;" class="register_module protect_from_spaces" type="date" name="birthday" />
  238.  
  239.          <p style="text-align:left;font-family:"Roboto",sans-serif;font-weight:400;">Social Link(s):</p>
  240.          <input class="register_module protect_from_spaces" type="text" style="margin-top:-10px;" type="url" name="steam_profile" placeholder="steam profile (http://www.steamcommunity.com/id/lowheartrate/)" />
  241.          <input class="register_module protect_from_spaces" type="text" name="twitter_profile" placeholder="twitter profile (https://twitter.com/lowheartrate)" />
  242.          <input class="register_module protect_from_spaces" type="text" name="facebook_profile" placeholder="facebook profile (https://www.facebook.com/officiallowheartrate)" />
  243.          <input class="register_module protect_from_spaces" type="text" name="instagram_profile" placeholder="instagram profile (https://instagram.com/lowheartrate)" />
  244.  
  245.          <!-- image upload for avatar... -->
  246.          <div class="image_uploader">
  247.            <h2 style="text-align:left;font-family:"Roboto",sans-serif;">✌ Avatar Uploader</h2><br />
  248.  
  249.            <p style="margin-top:-20px;font-size:12px;text-align:left;">Select image to upload:</p>
  250.            <div style="text-align:left;font-size:12px;margin-top:-5px;margin-bottom:25px;">
  251.              <input type="file" name="avatar" class="" />
  252.            </div>
  253.          </div>
  254.        </div>
  255.  
  256.        <!-- check errors in registration -->
  257.  ';
  258.   checkRegisterErrors();
  259.   echo '
  260.  
  261.        <br />
  262.        <p class="pull-left" style="max-width:50%;">by signing up, you agree to our <a href="#">terms</a> and that you have read our <a href="#">privacy policy</a> and <a href="#">content policy</a>.</p>
  263.        <div class="g-recaptcha pull-right" data-sitekey="6Levrg4TAAAAAN-pL6Xl2tndj3ZDn5nJ3PRUhMV-"></div><br />
  264.  
  265.        <br />
  266.  
  267.        <button type="submit" name="submit_registration" class="btn-register" style="margin-top:10px;">sign up</button>
  268.    </form>
  269.  </center>
  270.  ';
  271. }
  272.  
  273. // if user is here to active account...
  274. if ($action == 'verify_email') {
  275.   // if user is logged in - protect page
  276.   protect();
  277.  
  278.   // show header
  279.   showHeader('Verify Email');
  280.  
  281.   // get the activation id from url
  282.   $activationID = $_GET['activation_id'];
  283.  
  284.   // update the users activated to '1'
  285.   $sql = "UPDATE users SET activated = :activated WHERE activation_id = :activation_id";
  286.   $activate = dbConnect()->prepare($sql);
  287.   $activate->bindValue(':activated', '1');
  288.   $activate->bindParam(':activation_id', $activationID);
  289.   $activate->execute();
  290.  
  291.   // echo success message & redirect user
  292.   echo '<p class="success">Your email has been validated successfully!</p>';
  293.   redirect('index.php');
  294. }
  295.  
  296. // if user is here because they forgot their password...
  297. if ($action == 'forgot_password') {
  298.   // protect from users already logged in
  299.   protect();
  300.  
  301.   // set page title to 'Forgot Password' & show header(navbar)
  302.   showHeader('Forgot Password');
  303.  
  304.   // get current time
  305.   date_default_timezone_set('America/New_York');
  306.   $current_time = date('YmdHis');
  307.  
  308.   // if user hasn't submitted form with email:
  309.   if(!isset($_POST['email'])) {
  310.     // echo form to submit email for password reset link
  311.     echo '
  312.    <form method="post">
  313.      <input type="hidden" name="resetpw_date" placeholder="Current date/time: ' .$current_time. '" />
  314.      <input type="email" name="email" placeholder="email address" required /><br />
  315.      <button class="btn btn-primary" type="submit" value="reset password">Reset Password</button>
  316.    </form>
  317.    ';
  318.  
  319.     // if user has submitted $_POST['email']
  320.   } else {
  321.  
  322.     // random string from http://php.net/manual/en/function.openssl-random-pseudo-bytes.php
  323.     for ($i = -1; $i <= 10; $i++) {
  324.       $pwreset_code = openssl_random_pseudo_bytes($i, $cstrong);
  325.       $pwresetcode = bin2hex($pwreset_code);
  326.     }
  327.  
  328.     // set variable for $_POST['email']
  329.     $email = $_POST['email'];
  330.  
  331.     // require config.php for email
  332.     require_once 'core/config.php';
  333.  
  334.     // tell user email has been sent if email exists in database
  335.     echo '<p class="info">If an account is registered with email: ' .$email. ', an email has been sent to reset the password.</p>';
  336.  
  337.     // send email to $email
  338.     $msg = "<p>You are receiving this email because you requested your password to be reset, if you didn't you can ignore this email. <br />Follow the link below to reset your password.</p>";
  339.     $msg .= "<p><a href='http://" .$url. "/reset_password.php?uid=" .$pwresetcode. "'>Reset password</a><br />Thank you</p>";
  340.     $msg = wordwrap($msg,70);
  341.     $headers = "MIME-Version: 1.0" . "\r\n";
  342.     $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
  343.     mail($email, "PASSWORD RESET", $msg, $headers);
  344.  
  345.     // update resetpw_id and resetpw_date fields in database
  346.     try {
  347.       // insert $pwresetcode into resetpw_code in db where email = email submitted...
  348.       $email = $_POST['email'];
  349.       $pwresetcode = bin2hex($pwreset_code);
  350.       $pwcodedb = dbConnect()->prepare("UPDATE users SET resetpw_id = :pwresetcode, resetpw_date = :currentTime WHERE email = :email");
  351.       $pwcodedb->bindParam(':email', $email);
  352.       $pwcodedb->bindParam(':pwresetcode', $pwresetcode);
  353.       $pwcodedb->bindParam(':currentTime', $current_time);
  354.       $pwcodedb->execute();
  355.     } catch(PDOException $e) {
  356.       echo $pwcodedb . '<br />' . $e->getMessage();
  357.     }
  358.  
  359.   }
  360. }
  361.  
  362. // if user is here to reset their password
  363. if ($action == 'reset_password') {
  364.   // report all errors
  365.   error_reporting(E_ALL);
  366.  
  367.   // set page title to 'Update Password' & include navbar
  368.   showHeader('Update Password');
  369.  
  370.   // get uid from url
  371.   $uid = $_GET['uid'];
  372.  
  373.   // protect page from users that are already logged in
  374.   protect();
  375.  
  376.   // show form to user
  377.   echo '
  378.  <form method="POST">
  379.    <input type="hidden" placeholder="your uid is <?php echo $uid; ?>" name="uid" class="input2" readonly required />
  380.    <input type="password" placeholder="new password" name="newPassword" class="input" required />
  381.    <input type="password" placeholder="confirm new password" name="confirmNewPassword" class="input" required />
  382.    <br />
  383.    <button type="submit" class="btn btn-primary">change password</button>
  384.  </form>
  385.  ';
  386.  
  387.   // set timezone
  388.   date_default_timezone_set('America/New_York');
  389.  
  390.   // select the date user request pw reset
  391.   $fetch_time =  dbConnect()->prepare("SELECT resetpw_date FROM users WHERE resetpw_id = :uid");
  392.   $fetch_time->bindParam(':uid', $uid);
  393.   $fetch_time->execute();
  394.  
  395.   // ..
  396.   while($row = $fetch_time->fetch(PDO::FETCH_ASSOC)) {
  397.     //$stored_username = $row['username'];
  398.     $stored_resetpw_date = $row['resetpw_date'];
  399.     $resetpw_date = new DateTime($stored_resetpw_date);
  400.     $resetpw_date->format('YmdHis');
  401.   }
  402.  
  403.   // date_time RIGHT NOW!
  404.   $timeRightNow = date('YmdHis');
  405.  
  406.   // Difference between $stored_resetpw_date and $current_time
  407.   $currentTime = strtotime($timeRightNow);
  408.   $requestedPwDate = strtotime($stored_resetpw_date);
  409.   $diff = ($currentTime - $requestedPwDate) / 60;
  410.  
  411.   // if users submits form with new password and confirm password filled out
  412.   if (isset($_POST['newPassword'], $_POST['confirmNewPassword'])) {
  413.   $newPassword = $_POST['newPassword'];
  414.   $confirmNewPassword = $_POST['confirmNewPassword'];
  415.   // if they posted their UID, new password, and confirm new password...
  416.   $sql = "SELECT email, username, password FROM users WHERE resetpw_id = :uid";
  417.   $reset_pw_db_select=dbConnect()->prepare($sql);
  418.   $reset_pw_db_select->bindParam(':uid', $uid);
  419.   $reset_pw_db_select->execute();
  420.  
  421.     // if passwords don't match give user error
  422.     if ($newPassword != $confirmNewPassword) {
  423.       echo '<p class="error pull-right">passwords do not match</p>';
  424.  
  425.     // if passwords are less then 8 characters give user error
  426.     } elseif (strlen($newPassword) < 8) {
  427.       echo '<p class="error pull-right">passwords must be at least 8 characters</p>';
  428.  
  429.     // if user requested pw reset more then 15 minutes ago...
  430.     } elseif ($diff > 15) {
  431.       echo '<p class="error pull-right">reset uid has expired</p>';
  432.  
  433.     // if no errors, update passwords in db to one's posted
  434.     } else {
  435.       $hashed_password = password_hash($newPassword, PASSWORD_DEFAULT);
  436.       $reset_pw_db=dbConnect()->prepare("UPDATE users SET password = '$hashed_password' WHERE resetpw_id = '$uid'");
  437.       //echo $hashed_password;
  438.       $reset_pw_db->execute();
  439.       // provide success message and redirect to homepage
  440.       echo '<p class="success pull-right">password reset successfully!</p>';
  441.       redirect('index.php');
  442.     }
  443.   }
  444. }
  445.  
  446. if ($action == 'edit_account') {
  447.   // set page title to 'Edit Account' & show navbar
  448.   showHeader('Edit Account');
  449.  
  450.   // protect page from users that are not logged in...
  451.   protect2();
  452.  
  453.   echo '<p class="error">function currently unavailable, sorry.</p>';
  454. }
Add Comment
Please, Sign In to add comment