function login(){global $errors;// check login statusif (!empty($_SESSION[

1. function login(){
2. global $errors;
3. // check login status
4. if (!empty($_SESSION['user']) && $_SESSION['user']) {
5. // logged in -> go away
6. $_SESSION['notices'][]= "already logged in";
7. header("Location: ?");
8. exit(0);
9. } else {
10. $username="";
11. if (!empty($_POST['username'])) $username=$_POST['username'];
12. if ($_SERVER['REQUEST_METHOD']=="POST"){
13. if (!empty($_POST['username']) && !empty($_POST['password'])){
14. $_SESSION['user']=check_user($_POST['username'], $_POST['password']);
15. if ($_SESSION['user']) {
16. $_SESSION['notices'][]= "Successful login";
17. header("Location: ?");
18. exit(0);
19. } else {
20. $errors[]="unable to log in with that info";
21. }
22. } else {
23. $errors[]='Please fill in your login information';
24. }
25. }
26. include('views/login.html');
27. }
28. }
29. function register(){
30. global $errors;
31. if (!empty($_SESSION['user']) && $_SESSION['user']) {
32. // logged in -> go away
33. $_SESSION['notices'][]= "already logged in";
34. header("Location: ?");
35. exit(0);
36. } else {
37. $username="";
38. $email="";
39. if ($_SERVER['REQUEST_METHOD']=="POST"){
40. if (!empty($_POST['username'])) $username=$_POST['username'];
41. else $errors[]='please specify an username';
42. if (!empty($_POST['email'])) $email=$_POST['email'];
43. else $errors[]='please specify an email address';
44. if (empty($_POST['password']) || empty($_POST['password2'])) $errors[]='please fill in both passwords';
45. if (empty($errors)){
46. if ($_POST['password'] == $_POST['password2']) {
47. if(add_user($_POST['username'], $_POST['password'], $_POST['email'])){
48. $_SESSION['user']=check_user($_POST['username'], $_POST['password']);
49. if ($_SESSION['user']){ // register successful?
50. $_SESSION['notices'][]= "Successful register, you have been logged in";
51. header("Location: ?");
52. exit(0);
53. } else {
54. $errors[]="problem registering";
55. }
56. }
57. } else {
58. $errors[]="passwords dont match";
59. }
60. } // parameters exist
61. }
62. include('views/register.html');
63. }
64. }
65. function logout(){
66. $_SESSION = array();
67. if (isset($_COOKIE[session_name()])) {
68. setcookie(session_name(), '', time()-42000, '/');
69. }
70. session_destroy();
71. header("Location: ?");
72. exit(0);
73. }
74. function view_profile($id){
75. global $user;
76. $user = get_user($id);
77. if ($user) {
78. include('views/profile.html');
79. } else {
80. $_SESSION['alerts'][]= "Could not find user";
81. header("Location: ?");
82. exit(0);
83. }
84. }
85. function edit_profile($id){
86. global $connection, $user, $errors, $DB_usertable;
87. $errors = [];
88. $user = get_user($id);
89. if ($user) {
90. if (!empty($_POST)){
91. if (!empty($_POST['password_old'])) {
92. $password_old=mysqli_real_escape_string($connection,$_POST['password_old']);
93. if (!check_user($user['username'], $password_old)){
94. $errors[]='please enter your current password to confirm changes';
95. }
96. } else {
97. $password_old='';
98. $errors[]='please enter your password to confirm changes';
99. }
100. if (!empty($_REQUEST['id'])){
101. $id=mysqli_real_escape_string($connection, $_REQUEST['id']) ;
102. } else{
103. $errors[]='please specify an user';
104. }
105. // validate inputs
106. if (!empty($_POST['username'])){
107. $username=mysqli_real_escape_string($connection, $_POST['username']) ;
108. } else{
109. $errors[]='please specify an username';
110. }
111. if (!empty($_POST['email'])) {
112. $email=mysqli_real_escape_string($connection,$_POST['email']);
113. } else {
114. $errors[]='please specify an email address';
115. }
116. if ((empty($_POST['password']) && !empty($_POST['password2']) ) || (empty($_POST['password2']) && !empty($_POST['password'])) ) { // one not filled
117. $errors[]='please fill in both passwords';
118. } else if (!empty($_POST['password']) && !empty($_POST['password2'])) { // both filled
119. if ($_POST['password'] == $_POST['password2']) {
120. $newPass= mysqli_real_escape_string($connection,$_POST['password']);
121. } else {
122. $errors[]='Passwords do not match';
123. $newPass = $password_old;
124. }
125. } else { // no passwords, use old
126. $newPass = $password_old;
127. }
128. if (empty($errors)){
129. $query ="UPDATE $DB_usertable set username='{$username}', email='{$email}', password = SHA1('$newPass') WHERE id=$id";
130. $result = mysqli_query($connection, $query) or die("$query - ".mysqli_error($connection));
131. if (mysqli_error($connection)==''){
132. $_SESSION['notices'][]="User updated";
133. header("Location: ?page=profile&id=$id");
134. exit(0);
135. } else {
136. $errors[]="update failed";
137. }
138. }
139. }
140. include('views/edit_profile.html');
141. } else {
142. $_SESSION['alerts'][]= "Could not find user";
143. header("Location: ?");
144. exit(0);
145. }
146. }
147. // upload image or resize
148. function edit_image($id){
149. global $connection, $user, $errors, $DB_usertable;
150. $user = get_user($id);
151. if ($user){
152. $errors = array();
153. $newfile = '';
154. // try uploading
155. if (!empty($_FILES['filename'])){
156. $newfile = upload('filename','users', array('png', 'jpg', 'jpeg', 'JPG', 'JPEG', 'gif'), false);
157. unset($errors['nofile']); // ignore no file upload error
158. }
159. if (!empty($_POST['uri'])){
160. $newarg = escapeshellarg($_POST['uri']);
161. $fileloc = 'pictures/'.end(explode('/', $_POST['uri']));
162. $fileloc_esc = escapeshellarg($fileloc);
163. exec("wget -O {$fileloc_esc} {$newarg}");
164. $errors = array_merge($errors, $o);
165. if ($r>0){
166. $errors[] = "There was a problem while downloading the image";
167. }
168. }
169. if (empty($errors)){
170. if ($newfile==''){
171. // no file uploaded, check for coordinates
172. if (!empty($_GET['filename']) || !empty($_GET['x']) || !empty($_GET['y'])){
173. if (empty($_GET['filename'])){
174. $errors[] = 'filename missing';
175. }
176. if (empty($_GET['x'])){
177. $errors[] = 'x-coordinate missing';
178. }
179. if (empty($_GET['y'])){
180. $errors[] = 'y-coordinate missing';
181. }
182. if (empty($errors)){
183. $temp = explode(".", $_GET['filename']);
184. $extension = end($temp);
185. $newname = str_replace(".".$extension, "_small.".$extension, $_GET['filename'] );
186. echo exec("convert {$_GET['filename']} -crop 200x200+{$_GET['x']}+{$_GET['y']} {$newname}", $o, $r);
187. if($r == 0){
188. $query ="UPDATE $DB_usertable set avatar='{$newname}' WHERE id=$id";
189. $result = mysqli_query($connection, $query) or die("$query - ".mysqli_error($connection));
190. if (mysqli_error($connection)==''){
191. $_SESSION['notices'][]="Avatar updated";
192. header("Location: ?page=profile&id=$id");
193. exit(0);
194. } else {
195. $errors[]="update failed";
196. }
197. } else {
198. $errors = array_merge($errors, $o);
199. $errors[] = 'crop failed';
200. }
201. }
202. }
203. } else {
204. // new file uploaded. update user and redirect to the edit image
205. $query ="UPDATE $DB_usertable set filename='{$newfile}' WHERE id=$id";
206. $result = mysqli_query($connection, $query) or die("$query - ".mysqli_error($connection));
207. if (mysqli_error($connection)==''){
208. $_SESSION['notices'][]="Image updated";
209. header("Location: ?page=profile_image&id=$id");
210. exit(0);
211. } else {
212. $errors[]="update failed";
213. }
214. }
215. include('views/profile_image.html');
216. } else {
217. include('views/profile.html');
218. }
219. } else {
220. $_SESSION['alerts'][]="Could not find user";
221. header("Location: ?");
222. exit(0);
223. }
224. }
225. function auth(){
226. if (isset($_SESSION['user']) && $_SESSION['user']){
227. // logged in
228. return true;
229. } else {
230. // not logged in
231. $_SESSION['alerts'][]="You need to be logged in";
232. header("Location: ?page=login");
233. exit(0);
234. }
235. }
236. function check_availability($username){
237. global $connection, $DB_usertable;
238. $username = mysqli_real_escape_string($connection, $username);
239. $query ="SELECT * FROM $DB_usertable WHERE username='$username'";
240. $result = mysqli_query($connection, $query) or die("$query - ".mysqli_error($connection));
241. if (mysqli_num_rows($result)>0) {
242. return true;
243. }else {
244. return false;
245. }
246. }
247. function add_user($username, $password, $email) {
248. global $connection, $errors, $DB_usertable;
249. $result=check_availability($username);
250. if ($result) {
251. $errors[]="the username is already in use";
252. return false;
253. }
254. $username = mysqli_real_escape_string($connection, $username);
255. $email = mysqli_real_escape_string($connection, $email);
256. $password = mysqli_real_escape_string($connection, $password);
257. $query ="INSERT INTO $DB_usertable (username, password, email, filename) VALUES ('$username', SHA1('$password'), '$email', 'uploads/users/default.png')";
258. mysqli_query($connection, $query) or die("$query - ".mysqli_error($connection));
259. return mysqli_insert_id($connection);
260. }
261. function check_user($username, $passwd) {
262. global $connection, $DB_usertable;
263. $query ="SELECT * FROM $DB_usertable WHERE username='$username' AND password=SHA1('$passwd')";
264. $result = mysqli_query($connection, $query);
265. if (!$result) {
266. return false;
267. }
268. $user=mysqli_fetch_assoc($result);
269. if (!empty($user)) {
270. return $user;
271. } else {
272. return false;
273. }
274. }
275. function get_user($id) {
276. global $connection, $DB_usertable;
277. $id = mysqli_real_escape_string($connection, $id);
278. $query ="SELECT * FROM $DB_usertable WHERE id='$id'";
279. $result = mysqli_query($connection, $query);
280. if (!$result) {
281. return false;
282. }
283. $user=mysqli_fetch_assoc($result);
284. if (!empty($user)) {
285. return $user;
286. } else {
287. return false;
288. }
289. }
290. ?>