PageRenderTime 47ms CodeModel.GetById 18ms RepoModel.GetById 0ms app.codeStats 0ms

/website/account/user.inc

https://bitbucket.org/matthewsomerville/publicwhip-v1
PHP | 542 lines | 451 code | 48 blank | 43 comment | 116 complexity | 8ccefea3b7a85ff247f563e48c750507 MD5 | raw file
Possible License(s): AGPL-1.0, BSD-3-Clause 
    

  1. <?php
    2. 

  2. 

  3. require_once $toppath . 'auth.inc';
    4. 

  4. 

  5. $feedback = '';
    6. 

  6. 

  7. if (!defined('HIDDEN_HASH_VAR')) {
    8. 

  8.     trigger_error("ERROR: include config.php first, and make sure it has values in", E_USER_ERROR);
    9. 

  9. }
    10. 

  10. 

  11. if (!function_exists("user_isloggedin"))
    12. 

  12. {
    13. 

  13.     unset($LOGGED_IN);
    14. 

  14. 

  15.     function user_isloggedin() {
    16. 

  16.             global $user_name,$id_hash,$LOGGED_IN;
    17. 

  17. 

  18.             if (!$user_name) {
    19. 

  19.                 $user_name=mysql_real_escape_string($_COOKIE["user_name"]);
    20. 

  20.             }
    21. 

  21.             
    22. 

  22.             $id_hash=mysql_real_escape_string($_COOKIE["id_hash"]);
    23. 

  23. 

  24.             //have we already run the hash checks? 
    25. 

  25.             //If so, return the pre-set var
    26. 

  26.             if (isset($LOGGED_IN)) {
    27. 

  27.                 if ($LOGGED_IN) {
    28. 

  28.                   return $LOGGED_IN;
    29. 

  29.                 }
    30. 

  30.             }
    31. 

  31.             if ($user_name && $id_hash) {
    32. 

  32.                     $hash=md5($user_name.HIDDEN_HASH_VAR);
    33. 

  33.                 #    print "hash $hash idhash $id_hash";
    34. 

  34.                     if ($hash == $id_hash) {
    35. 

  35.                             $LOGGED_IN=true;
    36. 

  36.                             return true;
    37. 

  37.                     } else {
    38. 

  38.                             $LOGGED_IN=false;
    39. 

  39.                             return false;
    40. 

  40.                     }
    41. 

  41.             } else {
    42. 

  42.                     $LOGGED_IN=false;
    43. 

  43.                     return false;
    44. 

  44.             }
    45. 

  45.     }
    46. 

  46. }
    47. 

  47. 

  48. function user_login($user_name,$password) {
    49. 

  49. 	global $feedback, $LOGGED_IN;
    50. 

  50. 

  51. 	if (!$user_name || !$password) {
    52. 

  52. 		$feedback .=  ' Please enter your user name and password. ';
    53. 

  53. 		return false;
    54. 

  54. 	} else {
    55. 

  55. 		$user_name=strtolower($user_name);
    56. 

  56. 		$password=strtolower($password);
    57. 

  57. 		$sql="SELECT * FROM pw_dyn_user WHERE user_name='$user_name' AND password='". md5($password) ."'";
    58. 

  58. 		$result=db_query($sql);
    59. 

  59. 		if (!$result || db_numrows($result) < 1){
    60. 

  60. 			$feedback .=  ' User not found or password incorrect. ';
    61. 

  61. 			return false;
    62. 

  62. 		} else {
    63. 

  63. 			if (db_result($result,0,'is_confirmed') == '1') {
    64. 

  64. 				user_set_tokens($user_name);
    65. 

  65.                                 $LOGGED_IN = true;
    66. 

  66. 				$feedback .=  ' You are now logged in.';
    67. 

  67. 				return true;
    68. 

  68. 			} else {
    69. 

  69. 				$feedback .=  ' You haven\'t confirmed your account yet.  Please check your email. ';
    70. 

  70. 				return false;
    71. 

  71. 			}
    72. 

  72. 		}
    73. 

  73. 	}
    74. 

  74. }
    75. 

  75. 

  76. function user_logout() {
    77. 

  77.         global $LOGGED_IN;
    78. 

  78.         $LOGGED_IN = false;
    79. 

  79. 	setcookie('user_name','',(time()+2592000),'/','',0);
    80. 

  80. 	setcookie('id_hash','',(time()+2592000),'/','',0);
    81. 

  81. }
    82. 

  82. 

  83. function user_set_tokens($user_name_in) {
    84. 

  84. 	global $user_name,$id_hash;
    85. 

  85. 	if (!$user_name_in) {
    86. 

  86. 		$feedback .=  ' User name missing when setting tokens. ';
    87. 

  87. 		return false;
    88. 

  88. 	}
    89. 

  89. 	$user_name=strtolower($user_name_in);
    90. 

  90. 	$id_hash= md5($user_name.HIDDEN_HASH_VAR);
    91. 

  91. 

  92. 	setcookie('user_name',$user_name,(time()+2592000),'/','',0);
    93. 

  93. 	setcookie('id_hash',$id_hash,(time()+2592000),'/','',0);
    94. 

  94. }
    95. 

  95. 

  96. function user_confirm($hash,$email) {
    97. 

  97. 	/*
    98. 

  98. 		Call this function on the user confirmation page,
    99. 

  99. 		which they arrive at when the click the link in the
    100. 

  100. 		account confirmation email
    101. 

  101. 	*/
    102. 

  102. 

  103. 	global $feedback;
    104. 

  104. 

  105. 	//verify that they didn't tamper with the email address
    106. 

  106. 	$new_hash=md5($email.HIDDEN_HASH_VAR);
    107. 

  107. 	if ($new_hash && ($new_hash==$hash)) {
    108. 

  108. 		//find this record in the db
    109. 

  109. 		$sql="SELECT * FROM pw_dyn_user WHERE confirm_hash='$hash' order by is_confirmed";
    110. 

  110. 		$result=db_query($sql);
    111. 

  111.         $return_url = db_result($result,0,'confirm_return_url');
    112. 

  112. 		if (!$result || db_numrows($result) < 1) {
    113. 

  113. 			$feedback .= ' Hash not found.  Found: ' . db_numrows($result);
    114. 

  114. 			return false;
    115. 

  115. 		} else {
    116. 

  116. 			//confirm the email and set account to active
    117. 

  117. 			$feedback .= ' New user account  ' . db_result($result,0,'user_name') . ' confirmed - you are now logged in. ';
    118. 

  118. 			user_set_tokens(db_result($result,0,'user_name'));
    119. 

  119. 			$sql="UPDATE pw_dyn_user SET email='$email',is_confirmed='1' WHERE confirm_hash='$hash'";
    120. 

  120. 			$result=db_query($sql);
    121. 

  121.             $result=db_query("DELETE FROM pw_dyn_newsletter WHERE email='" . $email . "'");
    122. 

  122.             $result=db_query("INSERT INTO pw_dyn_newsletter (email, confirm, subscribed, token) values('" . $email . "', 1, now(), '".auth_random_token()."')");
    123. 

  123. 	
    124. 

  124.             audit_log("Confirmed account email " . $email . " valid");
    125. 

  125. 			return $return_url;
    126. 

  126. 		}
    127. 

  127. 	} else {
    128. 

  128. 		$feedback .= ' Hash invalid - update failed. ';
    129. 

  129. 		return false;
    130. 

  130. 	}
    131. 

  131. }
    132. 

  132. 

  133. function user_change_password ($new_password1,$new_password2,$change_user_name,$old_password) {
    134. 

  134. 	global $feedback;
    135. 

  135. 	//new passwords present and match?
    136. 

  136. 	if ($new_password1 && ($new_password1==$new_password2)) {
    137. 

  137. 		//is this password long enough?
    138. 

  138. 		if (account_pwvalid($new_password1)) {
    139. 

  139. 			//all vars are present?
    140. 

  140. 			if ($change_user_name && $old_password) {
    141. 

  141. 				//lower case everything
    142. 

  142. 				$change_user_name=strtolower($change_user_name);
    143. 

  143. 				$old_password=strtolower($old_password);
    144. 

  144. 				$new_password1=strtolower($new_password1);
    145. 

  145. 				$sql="SELECT * FROM pw_dyn_user WHERE user_name='$change_user_name' AND password='". md5($old_password) ."'";
    146. 

  146. 				$result=db_query($sql);
    147. 

  147. 				if (!$result || db_numrows($result) < 1) {
    148. 

  148. 					$feedback .= ' User not found or bad password. '.db_error();
    149. 

  149. 					return false;
    150. 

  150. 				} else {
    151. 

  151. 					$sql="UPDATE pw_dyn_user SET password='". md5($new_password1). "' ".
    152. 

  152. 						"WHERE user_name='$change_user_name' AND password='". md5($old_password). "'";
    153. 

  153. 					$result=db_query($sql);
    154. 

  154. 					if (!$result || db_affected_rows($result) < 1) {
    155. 

  155. 						$feedback .= ' Nothing changed! '.db_error();
    156. 

  156. 						return false;
    157. 

  157. 					} else {
    158. 

  158.                         audit_log("Changed password");
    159. 

  159. 						$feedback .= ' Password changed.';
    160. 

  160. 						return true;
    161. 

  161. 					}
    162. 

  162. 				}
    163. 

  163. 			} else {
    164. 

  164. 				$feedback .= ' You must provide both your user name and old password. ';
    165. 

  165. 				return false;
    166. 

  166. 			}
    167. 

  167. 		} else {
    168. 

  168. 			$feedback .= ' New passwords doesn\'t meet criteria. ';
    169. 

  169. 			return false;
    170. 

  170. 		}
    171. 

  171. 	} else {
    172. 

  172. 		$feedback .= ' New passwords must match. ';
    173. 

  173. 		return false;
    174. 

  174. 	}
    175. 

  175. }
    176. 

  176. 

  177. function user_lost_password ($email,$user_name) {
    178. 

  178. 	global $feedback;
    179. 

  179. 	if ($email && $user_name) {
    180. 

  180. 		$user_name=strtolower($user_name);
    181. 

  181. 		$sql="SELECT * FROM pw_dyn_user WHERE user_name='$user_name' AND email='$email'";
    182. 

  182. 		$result=db_query($sql);
    183. 

  183. 		if (!$result || db_numrows($result) < 1) {
    184. 

  184. 			//no matching user found
    185. 

  185. 			$feedback .= ' Incorrect user name or email address. ';
    186. 

  186. 			return false;
    187. 

  187. 		} else {
    188. 

  188. 			//create a secure, new password
    189. 

  189. 			$new_pass=strtolower(substr(md5(time().$user_name.HIDDEN_HASH_VAR),1,14));
    190. 

  190. 

  191. 			//update the database to include the new password
    192. 

  192. 			$sql="UPDATE pw_dyn_user SET password='". md5($new_pass) ."' WHERE user_name='$user_name'";
    193. 

  193. 			$result=db_query($sql);
    194. 

  194. 

  195. 			//send a simple email with the new password
    196. 

  196.                         $message = 
    197. 

  197.                                 "Your password has been changed to: $new_pass".
    198. 

  198.                                 "\nYour username is $user_name, email address $email.".
    199. 

  199.                                 "\n\nLogin here: http://www.publicwhip.org.uk/account/settings.php".
    200. 

  200.                                 "\n\nAfter login you can change your password to something memorable.";
    201. 

  201. 			mail ($email,'Public Whip Password Reset',$message,'From: auto@publicwhip.org.uk');
    202. 

  202. 			$feedback .= ' Your new password has been emailed to you. ';
    203. 

  203.             audit_log("Reset password, new one emailed to user " . $user_name);
    204. 

  204. 			return true;
    205. 

  205. 		}
    206. 

  206. 	} else {
    207. 

  207. 		$feedback .= ' Enter a user name and email address. ';
    208. 

  208. 		return false;
    209. 

  209. 	}
    210. 

  210. }
    211. 

  211. 

  212. function user_change_email ($password1,$new_email,$user_name) {
    213. 

  213. 	global $feedback;
    214. 

  214. 	if (pw_validate_email($new_email)) {
    215. 

  215. 		$hash=md5($new_email.HIDDEN_HASH_VAR);
    216. 

  216. 		//change the confirm hash in the db but not the email - 
    217. 

  217. 		//send out a new confirm email with a new hash
    218. 

  218. 		$user_name=strtolower($user_name);
    219. 

  219. 		$password1=strtolower($password1);
    220. 

  220. #                print "user $user_name pw $password1 em $new_email";
    221. 

  221. 		$sql="UPDATE pw_dyn_user SET confirm_hash='$hash' WHERE user_name='$user_name' AND password='". md5($password1) ."'";
    222. 

  222. 		$result=db_query($sql);
    223. 

  223. 		if (!$result || db_affected_rows($result) < 1) {
    224. 

  224. 			$feedback .= ' Incorrect user name or password.  ' . db_error();
    225. 

  225. 			return false;
    226. 

  226. 		} else {
    227. 

  227. 			$feedback .= ' Confirmation email sent.  Check your new email address, and follow the link to complete the change.';
    228. 

  228. 			user_send_confirm_email($new_email,$hash,$user_name);
    229. 

  229.             audit_log("Sent confirm new email " . $new_email);
    230. 

  230. 			return true;
    231. 

  231. 		}
    232. 

  232. 	} else {
    233. 

  233. 		$feedback .= ' New email address appears invalid. ';
    234. 

  234. 		return false;
    235. 

  235. 	}
    236. 

  236. }
    237. 

  237. 

  238. function user_send_confirm_email($email,$hash, $user) {
    239. 

  239. 	/*
    240. 

  240. 		Used in the initial registration function
    241. 

  241. 		as well as the change email address function
    242. 

  242. 	*/
    243. 

  243. 

  244. 	$message = "Thank you for registering with the Public Whip!".
    245. 

  245. 		"\nSimply follow this link to confirm your registration: ".
    246. 

  246. 		"\n\nhttp://www.publicwhip.org.uk/account/confirm.php?hash=$hash&email=". urlencode($email).
    247. 

  247. 		"\n\nOnce you have confirmed, you will in future receive the".
    248. 

  248.                 "\nat most monthly Public Whip newsletter and be able".
    249. 

  249.                 "\nto access extra features on the website.".
    250. 

  250.                 "\n\nYour username is $user, email address $email.".
    251. 

  251.                 "\nIf you would not like to receive the newsletter, you can".
    252. 

  252.                 "\nlog in and stop the newsletter, but still access other".
    253. 

  253.                 "\nfeatures.  You can do this after confirming." .
    254. 

  254.                 "\n\nFor more information on the project visit www.publicwhip.org.uk";
    255. 

  255. 	mail ($email,'Public Whip registration confirmation',$message,'From: auto@publicwhip.org.uk');
    256. 

  256. }
    257. 

  257. 

  258. function user_register($user_name,$password1,$password2,$email,$real_name) {
    259. 

  259. 	global $feedback;
    260. 

  260. 	//all vars present and passwords match?
    261. 

  261. 	if (!$user_name )
    262. 

  262.         {
    263. 

  263. 		$feedback .=  ' Please fill in your user name.';
    264. 

  264. 		return false;
    265. 

  265. 	}
    266. 

  266. 	else if (!$password1 )
    267. 

  267.         {
    268. 

  268. 		$feedback .=  ' Please fill in your password.';
    269. 

  269. 		return false;
    270. 

  270. 	}
    271. 

  271. 	else if ($password1 != $password2 )
    272. 

  272.         {
    273. 

  273. 		$feedback .=  ' Please enter matching passwords.';
    274. 

  274. 		return false;
    275. 

  275. 	}
    276. 

  276. 	else if (!$email)
    277. 

  277.         {
    278. 

  278. 		$feedback .=  ' Please fill in your email address.';
    279. 

  279. 		return false;
    280. 

  280. 	}
    281. 

  281. 	else if (!pw_validate_email($email) )
    282. 

  282.         {
    283. 

  283. 		$feedback .=  ' Please fill in a valid email address.';
    284. 

  284. 		return false;
    285. 

  285. 	}
    286. 

  286.     else {
    287. 

  287. 		//password and name are valid?
    288. 

  288. 		if (account_namevalid($user_name) && account_pwvalid($password1)) {
    289. 

  289. 			$user_name=strtolower($user_name);
    290. 

  290. 			$password1=strtolower($password1);
    291. 

  291. 

  292. 			//does the name exist in the database?
    293. 

  293. 			$sql="SELECT * FROM pw_dyn_user WHERE user_name='$user_name'";
    294. 

  294. 			$result=db_query($sql);
    295. 

  295. 			if ($result && db_numrows($result) > 0) {
    296. 

  296. 				$feedback .=  'Sorry, that user name has already been used.';
    297. 

  297. 				return false;
    298. 

  298. 			} else {
    299. 

  299. 				//create a new hash to insert into the db and the confirmation email
    300. 

  300. 				$hash=md5($email.HIDDEN_HASH_VAR);
    301. 

  301. 				$sql="INSERT INTO pw_dyn_user
    302. 

  302.                                 (user_name,real_name,password,email,remote_addr,confirm_hash,is_confirmed, reg_date, confirm_return_url) ".
    303. 

  303. 					"VALUES ('$user_name','$real_name','".  md5($password1) ."','$email','" . getenv('REMOTE_ADDR') . "','$hash','0',NOW(),'".mysql_real_escape_string($_POST['r'])."')";
    304. 

  304. 				$result=db_query($sql);
    305. 

  305. 				if (!$result) {
    306. 

  306. 					$feedback .= ' Trouble with the database. '.db_error();
    307. 

  307. 					return false;
    308. 

  308. 				} else {
    309. 

  309. 					//send the confirm email
    310. 

  310. 					user_send_confirm_email($email,$hash,$user_name);
    311. 

  311. 					$feedback .= ' You have successfully registered.  <b>Check your email<b> for a confirmation message.  Follow the link in the email to confirm your account.';
    312. 

  312.                     audit_log("Registered new user " . $user_name . ", real " . $real_name . ", " . $email);
    313. 

  313. 					return true;
    314. 

  314. 				}
    315. 

  315. 			}
    316. 

  316. 		} else {
    317. 

  317. 			$feedback .=  ' Your account name or password are not valid. ';
    318. 

  318. 			return false;
    319. 

  319. 		}
    320. 

  320. 	} 
    321. 

  321. }
    322. 

  322. 

  323. function user_getid() {
    324. 

  324. 	global $G_USER_RESULT;
    325. 

  325. 	//see if we have already fetched this user from the db, if not, fetch it
    326. 

  326. 	if (!$G_USER_RESULT) {
    327. 

  327. 		$G_USER_RESULT=db_query("SELECT * FROM pw_dyn_user WHERE user_name='" . user_getname() . "'");
    328. 

  328. 	}
    329. 

  329. 	if ($G_USER_RESULT && db_numrows($G_USER_RESULT) > 0) {
    330. 

  330. 		return db_result($G_USER_RESULT,0,'user_id');
    331. 

  331. 	} else {
    332. 

  332. 		return false;
    333. 

  333. 	}
    334. 

  334. }
    335. 

  335. 

  336. function user_getrealname() {
    337. 

  337. 	global $G_USER_RESULT;
    338. 

  338. 	//see if we have already fetched this user from the db, if not, fetch it
    339. 

  339. 	if (!$G_USER_RESULT) {
    340. 

  340. 		$G_USER_RESULT=db_query("SELECT * FROM pw_dyn_user WHERE user_name='" . user_getname() . "'");
    341. 

  341. 	}
    342. 

  342. 	if ($G_USER_RESULT && db_numrows($G_USER_RESULT) > 0) {
    343. 

  343. 		return db_result($G_USER_RESULT,0,'real_name');
    344. 

  344. 	} else {
    345. 

  345. 		return false;
    346. 

  346. 	}
    347. 

  347. }
    348. 

  348. 

  349. function user_getemail() {
    350. 

  350. 	global $G_USER_RESULT;
    351. 

  351. 	//see if we have already fetched this user from the db, if not, fetch it
    352. 

  352. 	if (!$G_USER_RESULT) {
    353. 

  353. 		$G_USER_RESULT=db_query("SELECT * FROM pw_dyn_user WHERE user_name='" . user_getname() . "'");
    354. 

  354. 	}
    355. 

  355. 	if ($G_USER_RESULT && db_numrows($G_USER_RESULT) > 0) {
    356. 

  356. 		return db_result($G_USER_RESULT,0,'email');
    357. 

  357. 	} else {
    358. 

  358. 		return false;
    359. 

  359. 	}
    360. 

  360. }
    361. 

  361. 

  362. function user_getactivepolicy() {
    363. 

  363. 	global $G_USER_RESULT;
    364. 

  364. 	//see if we have already fetched this user from the db, if not, fetch it
    365. 

  365. 	if (!$G_USER_RESULT) {
    366. 

  366. 		$G_USER_RESULT=db_query("SELECT * FROM pw_dyn_user WHERE user_name='" . user_getname() . "'");
    367. 

  367. 	}
    368. 

  368. 	if ($G_USER_RESULT && db_numrows($G_USER_RESULT) > 0) {
    369. 

  369. 		return db_result($G_USER_RESULT,0,'active_policy_id');
    370. 

  370. 	} else {
    371. 

  371. 		return false;
    372. 

  372. 	}
    373. 

  373. }
    374. 

  374. 

  375. function user_getnewsletter() {
    376. 

  376. 	global $G_NEWSL_RESULT;
    377. 

  377. 	//see if we have already fetched this user from the db, if not, fetch it
    378. 

  378. 	if (!$G_NEWSL_RESULT) {
    379. 

  379.         $G_NEWSL_RESULT=db_query("SELECT * FROM pw_dyn_newsletter WHERE confirm AND email='" . user_getemail() . "'");
    380. 

  380. 	}
    381. 

  381. 	if ($G_NEWSL_RESULT && db_numrows($G_NEWSL_RESULT) > 0) {
    382. 

  382.         return true;
    383. 

  383. 	} else {
    384. 

  384. 		return false;
    385. 

  385. 	}
    386. 

  386. }
    387. 

  387. 

  388. function user_changenewsletter($newsletter) {
    389. 

  389.     global $feedback;
    390. 

  390.     if ($newsletter)
    391. 

  391.         $newsletter = 1;
    392. 

  392.     else
    393. 

  393.         $newsletter = 0;
    394. 

  394.     $result=db_query("DELETE FROM pw_dyn_newsletter WHERE email='" . user_getemail() . "'");
    395. 

  395.     if ($result && $newsletter)  
    396. 

  396.         $result=db_query("INSERT INTO pw_dyn_newsletter (email, confirm, subscribed, token) values('" . user_getemail() . "', 1, now(), '".auth_random_token()."')");
    397. 

  397. 	if ($result) {
    398. 

  398.                 $feedback .= " Newsletter setting changed. ";
    399. 

  399.                 audit_log("Changed newsletter to " . $newsletter);
    400. 

  400. 		return true;
    401. 

  401. 	} else {
    402. 

  402.         $feedback .= " Error writing to database. ". db_error();
    403. 

  403. 		return false;
    404. 

  404. 	}
    405. 

  405. }
    406. 

  406. function user_getname() {
    407. 

  407. 	if (user_isloggedin()) {
    408. 

  408. 		return mysql_real_escape_string($GLOBALS['user_name']);
    409. 

  409. 	} else {
    410. 

  410. 		//look up the user some day when we need it
    411. 

  411. 		return ' Not logged in. ';
    412. 

  412. 	}
    413. 

  413. }
    414. 

  414. 

  415. function account_pwvalid($pw) {
    416. 

  416. 	global $feedback;
    417. 

  417. 	if (strlen($pw) < 6) {
    418. 

  418. 		$feedback .= " Password must be at least 6 characters. ";
    419. 

  419. 		return false;
    420. 

  420. 	}
    421. 

  421. 	return true;
    422. 

  422. }
    423. 

  423. 

  424. function account_namevalid($name) {
    425. 

  425. 	global $feedback;
    426. 

  426. 	// no spaces
    427. 

  427. 	if (strrpos($name,' ') > 0) {
    428. 

  428. 		$feedback .= " There cannot be any spaces in the user name. ";
    429. 

  429. 		return false;
    430. 

  430. 	}
    431. 

  431. 

  432. 	// must have at least one character
    433. 

  433. 	if (strspn($name,"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") == 0) {
    434. 

  434. 		$feedback .= "There must be at least one character.";
    435. 

  435. 		return false;
    436. 

  436. 	}
    437. 

  437. 

  438. 	// must contain all legal characters
    439. 

  439. 	if (strspn($name,"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
    440. 

  440. 		!= strlen($name)) {
    441. 

  441. 		$feedback .= " Please only use the alphabet, dash and underscore in your username. ";
    442. 

  442. 		return false;
    443. 

  443. 	}
    444. 

  444. 

  445. 	// min and max length
    446. 

  446. 	if (strlen($name) < 5) {
    447. 

  447. 		$feedback .= " Name is too short. It must be at least 5 characters. ";
    448. 

  448. 		return false;
    449. 

  449. 	}
    450. 

  450. 	if (strlen($name) > 15) {
    451. 

  451. 		$feedback .= "Name is too long. It must be less than 15 characters.";
    452. 

  452. 		return false;
    453. 

  453. 	}
    454. 

  454. 

  455. 	// illegal names
    456. 

  456. 	if (preg_match("/^((root)|(bin)|(daemon)|(adm)|(lp)|(sync)|(shutdown)|(halt)|(mail)|(news)"
    457. 

  457. 		. "|(uucp)|(operator)|(games)|(mysql)|(httpd)|(nobody)|(dummy)"
    458. 

  458. 		. "|(www)|(cvs)|(shell)|(ftp)|(irc)|(debian)|(ns)|(download))$/i",$name)) {
    459. 

  459. 		$feedback .= "Name is reserved.";
    460. 

  460. 		return 0;
    461. 

  461. 	}
    462. 

  462. 	if (preg_match("/^(anoncvs_)/i",$name)) {
    463. 

  463. 		$feedback .= "Name is reserved for CVS.";
    464. 

  464. 		return false;
    465. 

  465. 	}
    466. 

  466. 

  467. 	return true;
    468. 

  468. }
    469. 

  469. 

  470. function pw_validate_email ($address) {
    471. 

  471.     // using > as delimiter as not in string http://uk2.php.net/manual/en/regexp.reference.delimiters.php
    472. 

  472. 	return (preg_match('>^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'. '@'. '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.' . '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$>', $address));
    473. 

  473. }
    474. 

  474. 

  475. function login_screen()
    476. 

  476. {
    477. 

  477.     global $feedback, $toppath, $onload, $title;
    478. 

  478. 

  479.     $onload = "givefocus('user_name')";
    480. 

  480.     $title = "Login to Public Whip"; 
    481. 

  481.     pw_header();
    482. 

  482. 

  483.     if ($feedback) {
    484. 

  484.         print "<div class=\"error\"><h2>Login not correct,
    485. 

  485.         please try again</h2><p>$feedback</div>";
    486. 

  486.     }
    487. 

  487. 

  488.     global $this_place;
    489. 

  489.     print '
    490. 

  490.         <P>
    491. 

  491.         Enter your user name and password and we\'ll set a cookie so we know you\'re logged in.
    492. 

  492.         <p>Not got a login?  <A HREF="/account/register.php?r='.
    493. 

  493.             ($_GET['r']?urlencode($_GET['r']):urlencode($this_place)).
    494. 

  494.         '">Register a new
    495. 

  495.         account</A>.  You will also receive a free email newsletter.
    496. 

  496.         <br>Lost your password? <a href="lostpass.php">Reset your password here</a>.
    497. 

  497.         <P>
    498. 

  498.         <FORM ACTION="'. $PHP_SELF .'" METHOD="POST" name=pw>
    499. 

  499.         <B>User name:</B><BR>
    500. 

  500.         <INPUT TYPE="TEXT" NAME="user_name" id="user_name" VALUE="" SIZE="15" MAXLENGTH="15">
    501. 

  501.         <P>
    502. 

  502.         <B>Password:</B><BR>
    503. 

  503.         <INPUT TYPE="password" NAME="password" VALUE="" SIZE="15" MAXLENGTH="15">
    504. 

  504.         <P>';
    505. 

  505.     if ($_GET['r']) {
    506. 

  506.         print '<INPUT TYPE="hidden" NAME="r" VALUE="'.htmlspecialchars($_GET['r']).'">';
    507. 

  507.     }
    508. 

  508.     print '<INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login to Public Whip">
    509. 

  509.         </FORM>
    510. 

  510.         <P>';
    511. 

  511.     pw_footer();
    512. 

  512. }
    513. 

  513. 

  514. function do_login_screen()
    515. 

  515. {
    516. 

  516.     if (!user_isloggedin())
    517. 

  517.     {
    518. 

  518.         $user_name=mysql_real_escape_string($_POST["user_name"]);
    519. 

  519.         $password=mysql_real_escape_string($_POST["password"]);
    520. 

  520.         $submit=mysql_real_escape_string($_POST["submit"]);
    521. 

  521. 

  522.         if ($submit) {
    523. 

  523.             if (user_login($user_name,$password))
    524. 

  524.             {
    525. 

  525.                 $feedback = "";
    526. 

  526.                 return true;
    527. 

  527.             }
    528. 

  528.         }
    529. 

  529.     }
    530. 

  530.     return false;
    531. 

  531. }
    532. 

  532. 

  533. function audit_log($text)
    534. 

  534. {
    535. 

  535.     $sql = "insert into pw_dyn_auditlog (user_id, event_date, event, remote_addr)
    536. 

  536.                 values ('" . user_getid() . "', NOW(), '" . mysql_real_escape_string($text) . "', '" . getenv('REMOTE_ADDR') . "')";
    537. 

  537.     $result=db_query($sql);
    538. 

  538.     if (!$result) 
    539. 

  539.         print "Error writing to audit log: " . db_error();
    540. 

  540. }
    541. 

  541. 	
    542. 

  542. ?>
    543. 

  543.