  1. <?php
  2. include("database.php");
  3. include("mailer.php");
  4. include("form.php");
  5.  
  6. class Session
  7. {
  8. var $username; //Username given on sign-up
  9. var $userid; //Random value generated on current login
  10. var $userlevel; //The level to which the user pertains
  11. var $time; //Time user was last active (page loaded)
  12. var $logged_in; //True if user is logged in, false otherwise
  13. var $userinfo = array(); //The array holding all user info
  14. var $url; //The page url current being viewed
  15. var $referrer; //Last recorded site page viewed
  16. /**
  17. * Note: referrer should really only be considered the actual
  18. * page referrer in process.php, any other time it may be
  19. * inaccurate.
  20. */
  21.  
  22. /* Class constructor */
  23. function Session(){
  24. $this->time = time();
  25. $this->startSession();
  26. }
  27.  
  28. /**
  29. * startSession - Performs all the actions necessary to
  30. * initialize this session object. Tries to determine if the
  31. * the user has logged in already, and sets the variables
  32. * accordingly. Also takes advantage of this page load to
  33. * update the active visitors tables.
  34. */
  35. function startSession(){
  36. global $database; //The database connection
  37. session_start(); //Tell PHP to start the session
  38.  
  39. /* Determine if user is logged in */
  40. $this->logged_in = $this->checkLogin();
  41.  
  42. /**
  43. * Set guest value to users not logged in, and update
  44. * active guests table accordingly.
  45. */
  46. if(!$this->logged_in){
  47. $this->username = $_SESSION['username'] = GUEST_NAME;
  48. $this->userlevel = GUEST_LEVEL;
  49. $database->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time);
  50. }
  51. /* Update users last active timestamp */
  52. else{
  53. $database->addActiveUser($this->username, $this->time);
  54. }
  55.  
  56. /* Remove inactive visitors from database */
  57. $database->removeInactiveUsers();
  58. $database->removeInactiveGuests();
  59.  
  60. /* Set referrer page */
  61. if(isset($_SESSION['url'])){
  62. $this->referrer = $_SESSION['url'];
  63. }else{
  64. $this->referrer = "/";
  65. }
  66.  
  67. /* Set current url */
  68. $this->url = $_SESSION['url'] = $_SERVER['PHP_SELF'];
  69. }
  70.  
  71. /**
  72. * checkLogin - Checks if the user has already previously
  73. * logged in, and a session with the user has already been
  74. * established. Also checks to see if user has been remembered.
  75. * If so, the database is queried to make sure of the user's
  76. * authenticity. Returns true if the user has logged in.
  77. */
  78. function checkLogin(){
  79. global $database; //The database connection
  80. /* Check if user has been remembered */
  81. if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])){
  82. $this->username = $_SESSION['username'] = $_COOKIE['cookname'];
  83. $this->userid = $_SESSION['userid'] = $_COOKIE['cookid'];
  84. }
  85.  
  86. /* Username and userid have been set and not guest */
  87. if(isset($_SESSION['username']) && isset($_SESSION['userid']) &&
  88. $_SESSION['username'] != GUEST_NAME){
  89. /* Confirm that username and userid are valid */
  90. if($database->confirmUserID($_SESSION['username'], $_SESSION['userid']) != 0){
  91. /* Variables are incorrect, user not logged in */
  92. unset($_SESSION['username']);
  93. unset($_SESSION['userid']);
  94. return false;
  95. }
  96.  
  97. /* User is logged in, set class variables */
  98. $this->userinfo = $database->getUserInfo($_SESSION['username']);
  99. $this->username = $this->userinfo['username'];
  100. $this->userid = $this->userinfo['userid'];
  101. $this->userlevel = $this->userinfo['userlevel'];
  102.  
  103. /* auto login hash expires in three days */
  104. if($this->userinfo['hash_generated'] < (time() - (60*60*24*3))){
  105. /* Update the hash */
  106. $database->updateUserField($this->userinfo['username'], 'hash', $this->generateRandID());
  107. $database->updateUserField($this->userinfo['username'], 'hash_generated', time());
  108. }
  109.  
  110. return true;
  111. }
  112. /* User not logged in */
  113. else{
  114. return false;
  115. }
  116. }
  117.  
  118. /**
  119. * login - The user has submitted his username and password
  120. * through the login form, this function checks the authenticity
  121. * of that information in the database and creates the session.
  122. * Effectively logging in the user if all goes well.
  123. */
  124. function login($subuser, $subpass, $subremember){
  125. global $database, $form; //The database and form object
  126.  
  127. /* Username error checking */
  128. $field = "user"; //Use field name for username
  129. $q = "SELECT valid FROM ".TBL_USERS." WHERE username='$subuser'";
  130. $valid = $database->query($q);
  131. $valid = mysql_fetch_array($valid);
  132.  
  133. if(!$subuser || strlen($subuser = trim($subuser)) == 0){
  134. $form->setError($field, "* Username not entered");
  135. }
  136. else{
  137. /* Check if username is not alphanumeric */
  138. if(!ctype_graph($subuser)){
  139. $form->setError($field, "* Username not alphanumeric");
  140. }
  141. }
  142.  
  143. /* Password error checking */
  144. $field = "pass"; //Use field name for password
  145. if(!$subpass){
  146. $form->setError($field, "* Password not entered");
  147. }
  148.  
  149. /* Return if form errors exist */
  150. if($form->num_errors > 0){
  151. return false;
  152. }
  153.  
  154. /* Checks that username is in database and password is correct */
  155. $subuser = stripslashes($subuser);
  156. $result = $database->confirmUserPass($subuser, md5($subpass));
  157.  
  158. /* Check error codes */
  159. if($result == 1){
  160. $field = "user";
  161. $form->setError($field, "* Username not found");
  162. }
  163. else if($result == 2){
  164. $field = "pass";
  165. $form->setError($field, "* Invalid password");
  166. }
  167.  
  168. /* Return if form errors exist */
  169. if($form->num_errors > 0){
  170. return false;
  171. }
  172.  
  173.  
  174. if(EMAIL_WELCOME){
  175. if($valid['valid'] == 0){
  176. $form->setError($field, "* User's account has not yet been confirmed.");
  177. }
  178. }
  179.  
  180. /* Return if form errors exist */
  181. if($form->num_errors > 0){
  182. return false;
  183. }
  184.  
  185.  
  186.  
  187. /* Username and password correct, register session variables */
  188. $this->userinfo = $database->getUserInfo($subuser);
  189. $this->username = $_SESSION['username'] = $this->userinfo['username'];
  190. $this->userid = $_SESSION['userid'] = $this->generateRandID();
  191. $this->userlevel = $this->userinfo['userlevel'];
  192.  
  193. /* Insert userid into database and update active users table */
  194. $database->updateUserField($this->username, "userid", $this->userid);
  195. $database->addActiveUser($this->username, $this->time);
  196. $database->removeActiveGuest($_SERVER['REMOTE_ADDR']);
  197.  
  198. /**
  199. * This is the cool part: the user has requested that we remember that
  200. * he's logged in, so we set two cookies. One to hold his username,
  201. * and one to hold his random value userid. It expires by the time
  202. * specified in constants.php. Now, next time he comes to our site, we will
  203. * log him in automatically, but only if he didn't log out before he left.
  204. */
  205. if($subremember){
  206. setcookie("cookname", $this->username, time()+COOKIE_EXPIRE, COOKIE_PATH);
  207. setcookie("cookid", $this->userid, time()+COOKIE_EXPIRE, COOKIE_PATH);
  208. }
  209.  
  210. /* Login completed successfully */
  211. return true;
  212. }
  213.  
  214. /**
  215. * logout - Gets called when the user wants to be logged out of the
  216. * website. It deletes any cookies that were stored on the users
  217. * computer as a result of him wanting to be remembered, and also
  218. * unsets session variables and demotes his user level to guest.
  219. */
  220. function logout(){
  221. global $database; //The database connection
  222. /**
  223. * Delete cookies - the time must be in the past,
  224. * so just negate what you added when creating the
  225. * cookie.
  226. */
  227. if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])){
  228. setcookie("cookname", "", time()-COOKIE_EXPIRE, COOKIE_PATH);
  229. setcookie("cookid", "", time()-COOKIE_EXPIRE, COOKIE_PATH);
  230. }
  231.  
  232. /* Unset PHP session variables */
  233. unset($_SESSION['username']);
  234. unset($_SESSION['userid']);
  235.  
  236. /* Reflect fact that user has logged out */
  237. $this->logged_in = false;
  238.  
  239. /**
  240. * Remove from active users table and add to
  241. * active guests tables.
  242. */
  243. $database->removeActiveUser($this->username);
  244. $database->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time);
  245.  
  246. /* Set user level to guest */
  247. $this->username = GUEST_NAME;
  248. $this->userlevel = GUEST_LEVEL;
  249. }
  250.  
  251. /**
  252. * register - Gets called when the user has just submitted the
  253. * registration form. Determines if there were any errors with
  254. * the entry fields, if so, it records the errors and returns
  255. * 1. If no errors were found, it registers the new user and
  256. * returns 0. Returns 2 if registration failed.
  257. */
  258. function register($subuser, $subpass, $subemail, $subname){
  259.  
  260. global $database, $form, $mailer; //The database, form and mailer object
  261.  
  262. /* Username error checking */
  263. $field = "user"; //Use field name for username
  264. if(!$subuser || strlen($subuser = trim($subuser)) == 0){
  265. $form->setError($field, "* Username not entered");
  266. }
  267. else{
  268. /* Spruce up username, check length */
  269. $subuser = stripslashes($subuser);
  270. if(strlen($subuser) < 3){
  271. $form->setError($field, "* Username below 3 characters");
  272. }
  273. else if(strlen($subuser) > 30){
  274. $form->setError($field, "* Username above 30 characters");
  275. }
  276. /* Check if username is not alphanumeric */
  277. else if(!ctype_graph($subuser)){
  278. $form->setError($field, "* Username not alphanumeric");
  279. }
  280. /* Check if username is reserved */
  281. else if(strcasecmp($subuser, GUEST_NAME) == 0){
  282. $form->setError($field, "* Username reserved word");
  283. }
  284. /* Check if username is already in use */
  285. else if($database->usernameTaken($subuser)){
  286. $form->setError($field, "* Username already in use");
  287. }
  288. /* Check if username is banned */
  289. else if($database->usernameBanned($subuser)){
  290. $form->setError($field, "* Username banned");
  291. }
  292. }
  293.  
  294. /* Password error checking */
  295. $field = "pass"; //Use field name for password
  296. if(!$subpass){
  297. $form->setError($field, "* Password not entered");
  298. }
  299. else{
  300. /* Spruce up password and check length*/
  301. $subpass = stripslashes($subpass);
  302. if(strlen($subpass) < 4){
  303. $form->setError($field, "* Password too short");
  304. }
  305. /* Check if password is not alphanumeric */
  306. else if(!ctype_alnum(($subpass = trim($subpass)))){
  307. $form->setError($field, "* Password not alphanumeric");
  308. }
  309. /**
  310. * Note: I trimmed the password only after I checked the length
  311. * because if you fill the password field up with spaces
  312. * it looks like a lot more characters than 4, so it looks
  313. * kind of stupid to report "password too short".
  314. */
  315. }
  316.  
  317. /* Email error checking */
  318. $field = "email"; //Use field name for email
  319. if(!$subemail || strlen($subemail = trim($subemail)) == 0){
  320. $form->setError($field, "* Email not entered");
  321. }
  322. else{
  323. /* Check if valid email address */
  324. if(filter_var($subemail, FILTER_VALIDATE_EMAIL) == FALSE){
  325. $form->setError($field, "* Email invalid");
  326. }
  327. /* Check if email is already in use */
  328. if($database->emailTaken($subemail)){
  329. $form->setError($field, "* Email already in use");
  330. }
  331.  
  332. $subemail = stripslashes($subemail);
  333. }
  334.  
  335. /* Name error checking */
  336. $field = "name";
  337. if(!$subname || strlen($subname = trim($subname)) == 0){
  338. $form->setError($field, "* Name not entered");
  339. } else {
  340. $subname = stripslashes($subname);
  341. }
  342.  
  343. $randid = $this->generateRandID();
  344.  
  345. /* Errors exist, have user correct them */
  346. if($form->num_errors > 0){
  347. return 1; //Errors with form
  348. }
  349. /* No errors, add the new account to the */
  350. else{
  351. if($database->addNewUser($subuser, md5($subpass), $subemail, $randid, $subname)){
  352. if(EMAIL_WELCOME){
  353. $mailer->sendWelcome($subuser,$subemail,$subpass,$randid);
  354. }
  355. return 0; //New user added succesfully
  356. }else{
  357. return 2; //Registration attempt failed
  358. }
  359. }
  360. }
  361.  
  362. /**
  363. * editAccount - Attempts to edit the user's account information
  364. * including the password, which it first makes sure is correct
  365. * if entered, if so and the new password is in the right
  366. * format, the change is made. All other fields are changed
  367. * automatically.
  368. */
  369. function editAccount($subcurpass, $subnewpass, $subemail, $subname){
  370. global $database, $form; //The database and form object
  371. /* New password entered */
  372. if($subnewpass){
  373. /* Current Password error checking */
  374. $field = "curpass"; //Use field name for current password
  375. if(!$subcurpass){
  376. $form->setError($field, "* Current Password not entered");
  377. }
  378. else{
  379. /* Check if password too short or is not alphanumeric */
  380. $subcurpass = stripslashes($subcurpass);
  381. if(strlen($subcurpass) < 4 ||
  382. !preg_match("^([0-9a-z])+$", ($subcurpass = trim($subcurpass)))){
  383. $form->setError($field, "* Current Password incorrect");
  384. }
  385. /* Password entered is incorrect */
  386. if($database->confirmUserPass($this->username,md5($subcurpass)) != 0){
  387. $form->setError($field, "* Current Password incorrect");
  388. }
  389. }
  390.  
  391. /* New Password error checking */
  392. $field = "newpass"; //Use field name for new password
  393. /* Spruce up password and check length*/
  394. $subpass = stripslashes($subnewpass);
  395. if(strlen($subnewpass) < 4){
  396. $form->setError($field, "* New Password too short");
  397. }
  398. /* Check if password is not alphanumeric */
  399. else if(!preg_match("^([0-9a-z])+$", ($subnewpass = trim($subnewpass)))){
  400. $form->setError($field, "* New Password not alphanumeric");
  401. }
  402. }
  403. /* Change password attempted */
  404. else if($subcurpass){
  405. /* New Password error reporting */
  406. $field = "newpass"; //Use field name for new password
  407. $form->setError($field, "* New Password not entered");
  408. }
  409.  
  410. /* Email error checking */
  411. $field = "email"; //Use field name for email
  412. if($subemail && strlen($subemail = trim($subemail)) > 0){
  413. /* Check if valid email address */
  414. if(filter_var($subemail, FILTER_VALIDATE_EMAIL) == FALSE){
  415. $form->setError($field, "* Email invalid");
  416. }
  417. $subemail = stripslashes($subemail);
  418. }
  419.  
  420. /* Name error checking */
  421. $field = "name";
  422. if(!$subname || strlen($subname = trim($subname)) == 0){
  423. $form->setError($field, "* Name not entered");
  424. } else {
  425. $subname = stripslashes($subname);
  426. }
  427.  
  428. /* Errors exist, have user correct them */
  429. if($form->num_errors > 0){
  430. return false; //Errors with form
  431. }
  432.  
  433. /* Update password since there were no errors */
  434. if($subcurpass && $subnewpass){
  435. $database->updateUserField($this->username,"password",md5($subnewpass));
  436. }
  437.  
  438. /* Change Email */
  439. if($subemail){
  440. $database->updateUserField($this->username,"email",$subemail);
  441. }
  442.  
  443. /* Change Name */
  444. if($subname){
  445. $database->updateUserField($this->username,"name",$subname);
  446. }
  447.  
  448. /* Success! */
  449. return true;
  450. }
  451.  
  452. /**
  453. * isAdmin - Returns true if currently logged in user is
  454. * an administrator, false otherwise.
  455. */
  456. function isAdmin(){
  457. return ($this->userlevel == ADMIN_LEVEL ||
  458. $this->username == ADMIN_NAME);
  459. }
  460.  
  461. /**
  462. * isMod - Returns true if currently logged in user is
  463. * an Moderator, false otherwise.
  464. */
  465. function isMod(){
  466. return ($this->userlevel == MOD_LEVEL ||
  467. $this->username == MOD_NAME);
  468. }
  469.  
  470. /**
  471. * isAuthor - Returns true if currently logged in user is
  472. * an author or an administrator, false otherwise.
  473. */
  474. function isAuthor(){
  475. return ($this->userlevel == AUTHOR_LEVEL ||
  476. $this->userlevel == ADMIN_LEVEL);
  477. }
  478.  
  479. /**
  480. * generateRandID - Generates a string made up of randomized
  481. * letters (lower and upper case) and digits and returns
  482. * the md5 hash of it to be used as a userid.
  483. */
  484. function generateRandID(){
  485. return md5($this->generateRandStr(16));
  486. }
  487.  
  488. /**
  489. * generateRandStr - Generates a string made up of randomized
  490. * letters (lower and upper case) and digits, the length
  491. * is a specified parameter.
  492. */
  493. function generateRandStr($length){
  494. $randstr = "";
  495. for($i=0; $i<$length; $i++){
  496. $randnum = mt_rand(0,61);
  497. if($randnum < 10){
  498. $randstr .= chr($randnum+48);
  499. }else if($randnum < 36){
  500. $randstr .= chr($randnum+55);
  501. }else{
  502. $randstr .= chr($randnum+61);
  503. }
  504. }
  505. return $randstr;
  506. }
  507.  
  508. function cleanInput($post = array()) {
  509. foreach($post as $k => $v){
  510. $post[$k] = trim(htmlspecialchars($v));
  511. }
  512. return $post;
  513. }
  514. };
  515.  
  516.  
  517. /**
  518. * Initialize session object - This must be initialized before
  519. * the form object because the form uses session variables,
  520. * which cannot be accessed unless the session has started.
  521. */
  522. $session = new Session;
  523.  
  524. /* Initialize form object */
  525. $form = new Form;
  526.  
  527. ?>