From: Siggi L. <si...@us...> - 2004-03-05 16:30:48
Update of /cvsroot/xine/xine_www/modules In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv1019/modules Modified Files: confirm-account.php signup.php Added Files: update-account.php Log Message: Some rudimentary account management... --- NEW FILE: update-account.php --- <?php function message($msg){ return '<b>'.$msg."</b><br />\n"; } function error($msg){ return '<font color="red">'.$msg."</font><br />\n"; } $content .= "<br /><center>"; if (strlen($_POST['passwd']) > 1){ if ($_POST['passwd2'] != $_POST['passwd']){ $content .= error("The new passwords don't match. Please try again!"); } else if (single_select('COUNT(*) FROM users ' . 'WHERE login="'.$_SESSION['personal']['login'].'" ' . 'AND password = PASSWORD("'.$_POST['oldpw'].'")')){ // old password matches account mysql_query('UPDATE users ' . 'SET password=PASSWORD("'.$_POST['passwd'].'") ' . 'WHERE login="'.$_SESSION['personal']['login'].'"'); $content .= message('Your password has been changed.'); } else{ $content .= error('Invalid old password given. Please try again!'); } } if (isset($_POST['fullname']) && $_POST['fullname'] != '' && $_POST['fullname'] != $_SESSION['personal']['fullname']){ $_SESSION['personal']['fullname'] = $_POST['fullname']; if (is_integer(strpos($_POST['fullname'],'"'))){ $content .= error('Yor full name may not contain double quotes.<br />'); } else{ mysql_query('UPDATE users ' . 'SET fullname="'.$_POST['fullname'].'" ' . 'WHERE login="'.$_SESSION['personal']['login'].'"'); $content .= message('Your Name has been updated.'); } } // change of primary email needs confirmation... if (isset($_POST['email']) && $_POST['email'] != '' && $_POST['email'] != $_SESSION['personal']['email']){ $email = strtolower($_POST['email']); if (!preg_match('/^[-+_a-z0-9\.]+@[-_a-z0-9\.]+\.[-_a-z0-9\.]+$/', $email)){ $content .= error('"'.$email.'" doesn\'t look like a valid email address. ' . 
'Please make sure to enter your email address correctly!<br />'); } else{ mt_srand(make_seed()); $chars = 'abcdefghijklmnopqrstuvwxyz0123456789'; $count = 20; $code = ''; mysql_query('LOCK TABLES hashes WRITE'); while ($count > 0){ $code .= substr($chars, mt_rand(0,strlen($chars)-1),1); $count--; if ($count == 0){ if (single_select('count(*) FROM hashes WHERE hash="'.$code.'"') > 0){ $count++; } } } mysql_query('INSERT INTO hashes (login, hash, what)' .' VALUES ("'.$_SESSION['personal']['login']. '", "'.$code.'", "email:'.$email.'")'); mysql_query('UNLOCK TABLES'); $body = "Hi,\n" .'the primary email address for your ("'.$_SESSION['personal']['login'] .'") account on '.$_SERVER['SERVER_NAME']." is to be changed.\n\n" ."To accept the new address, point your web browser to this URL:\n\n" .'http://'.$_SERVER['SERVER_NAME'].'/index.php/confirm/'.$code."\n\n" .'This change has been requested by the IP address ' .$_SERVER['REMOTE_ADDR'].".\n" ."If that request has not been made by you: Please ignore this" ." message!\n" ."Your email address will then stay blocked for further requests.\n" ."In case of problems, direct email to <$service_email>.\n\n" ."Best regards,\n" ." the xinehq team"; if (mail($email, 'address change on '.$_SERVER['SERVER_NAME'], $body)){ $content.= message('A confirmation email has been sent to the new email address. ' .'You have to confirm using the procedure described in ' .'that mail in order to change your email address. <br />'); } else { $content.= error("An error occured while sending the " ."confirmation message. Seek assistance!<br />"); } } } $userinfo = assoc_select('fullname, email FROM users ' .' 
WHERE login="'.$_SESSION['personal']['login'].'"'); //end of messages $content .=' </center>'; $content .= '<br /> <form action="'.$PHP_SELF.'" method="post"> <table align="left" width="350" border="0" cellspacing="0" cellpadding="4"> <tr> <td align="right">Email address</td> <td><input type="text" size="25" maxlength="64" name="email" value="' . htmlspecialchars($userinfo['email']) . '"></td> </tr> <tr> <td align="right">Full Name</td> <td><input type="text" size="25" maxlength="63" name="fullname" value="' . htmlspecialchars($userinfo['fullname']) . '"></td> </tr> <tr> <td align="right"></td> <td><input type="submit" name="change" value="Update Account"></td> </tr> </table> </form>'; $content .= '<form action="'.$PHP_SELF.'" method="post"> <table align="right" width="350" border="0" cellspacing="0" cellpadding="4"> <tr> <td align="right">Old Password</td> <td><input type="password" size="25" maxlength="25" name="oldpw"></td> </tr> <tr> <td align="right">New Password</td> <td><input type="password" size="25" maxlength="25" name="passwd"></td> </tr> <tr> <td align="right">New Password (again)</td> <td><input type="password" size="25" maxlength="25" name="passwd2"></td> </tr> <tr> <td align="right"></td> <td><input type="submit" name="changepw" value="Change Password"></td> </tr> </table> </form>'; // This feature should be added soon. However, make sure it integrates with // the tracking system! // // $content .= ' // <br /><br /><br /><br /><br /> // <p align="left"> // <b>Additional email addresses</b><br /> // You can register any number of additional email addresses to be associated // with your account. Those addresses will automatically be replaced by your // realname in all emails published on-site, for example. 
// </p> // <form action="'.$PHP_SELF.'" method="post"> // <table align="center" width="350" border="0" cellspacing="0" cellpadding="4"> // '; // $res = mysql_query("SELECT * from extra_email WHERE login='" // .$_SESSION['personal']['login']."'"); // while ($row = mysql_fetch_assoc($res)){ // $content .= '<tr> // <td align="right">'.$row['email'].'</td> // <td><input type="submit" name="del_extramail" value="'.$row['email'].'"></td> // </tr> // '; // } // $content .= '<tr> // <td align="right">additional email:</td> // <td><input type="text" size="25" maxlength="64" name="new_email" value=""></td> // </tr> // <tr> // <td align="right"></td> // <td><input type="submit" name="addmail" value="add email"></td> // </tr> // </table> // </form>'; ?>
Index: confirm-account.php
===================================================================
RCS file: /cvsroot/xine/xine_www/modules/confirm-account.php,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- confirm-account.php 1 Jan 2003 23:13:48 -0000 1.3
+++ confirm-account.php 5 Mar 2004 16:16:36 -0000 1.4
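Review bot: Every query in the new update-account.php is built by concatenating request data into SQL without escaping — `$_POST['oldpw']` in the `single_select(... PASSWORD("'.$_POST['oldpw'].'")')` check, `$_POST['passwd']` in the password UPDATE, `$_POST['fullname']` in the name UPDATE and `$email` in the `INSERT INTO hashes`; the only guard is the double-quote test on fullname, which does not cover backslashes and is not applied to the password fields at all. With the mysql_* API this file uses, escape each value before concatenation, e.g. `'AND password = PASSWORD("'.mysql_real_escape_string($_POST['oldpw']).'")'`, and treat `$_SESSION['personal']['login']` the same way. The fullname branch assigns `$_SESSION['personal']['fullname'] = $_POST['fullname']` before the quote check, so a rejected name still replaces the session value; move the assignment into the else branch next to the UPDATE. The error message for a malformed address echoes `$email` into the page unescaped — use `htmlspecialchars($email)` there as the form fields further down already do. This commit also deletes `make_seed()` from signup.php while this file still calls `mt_srand(make_seed())`; unless the function was moved to a shared include outside this commit, the email-change path will hit an undefined function, and in any case `mt_rand()` is not a suitable source for a confirmation secret (`random_int()` is, on PHP 7+).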
@@ -1,21 +1,61 @@ <?php +$content .= "<br /><br />\n"; + $code=$parameters[1]; if ($code == ''){ $content .= 'no confirmation code was given.'; } else{ - $login = single_select('login FROM hashes WHERE hash="'.$code.'"'); - if ($login){ - mysql_query('UPDATE users SET verified=1 WHERE login="'.$login.'"'); - mysql_query('DELETE FROM hashes WHERE hash="'.$code.'"'); - $content .= 'Your account activation is now completed.<br /><br />' - . '<a href="'.selflink('login').'">click here to log in</a> using your Username' - . " ($login).\n"; + $res = simple_select('login, what FROM hashes WHERE hash="'.$code.'"'); + if ($res){ + $login = $res[0]; + $what = $res[1]; + if (preg_match('/^email:(.*)$/', $what, $m)){ + // process email change request + $email = $m[1]; + mysql_query('UPDATE users SET email="'.$email + .'" WHERE login="'.$login.'"'); + mysql_query('UPDATE hashes SET what="completed"' + .' WHERE hash="'.$code.'"'); + if ($GUARD['logged_on']){ + $_SESSION['personal']['email'] = $email; + } + $content .= "Your primary email address has been changed to " + ."<$email>.\n"; + } + else if ($what == 'completed') { + // give a nice message for those notorious retryers... + $content .= "This confirmation has already been " + ."completed successfully.<br />" + ."You are probably seeing this message because you have clicked the " + ."confirmation URL twice.<br />"; + if ($GUARD['logged_off']){ + $content .= '<a href="'.selflink('login') + .'">click here to log in</a> using your Username'." ($login).\n"; + } + } + else{ + // process account confirmation + mysql_query('UPDATE users SET verified=1 WHERE login="'.$login.'"'); + mysql_query('UPDATE hashes SET what="completed"' + .' WHERE hash="'.$code.'"'); + $content .= 'Your account activation is now completed.<br /><br />' + . '<a href="'.selflink('login').'">click here to log in</a> using your Username' + . " ($login).\n"; + } } else { - $content .= "You have specified an invalid confirmation code. Please make sure" - . 
" to use exactly the URL specified in your confirmation email!\n"; + $content .= "You have specified an invalid confirmation code. Please make " + . "sure to use exactly the URL specified in your confirmation email!\n"; } } + +//cleanup, should be called "every now and then". So this place is as good ;-) + +$timestamp = time() - 86400; // = 24*60*60 = 1d +$yesterday = strftime('%Y%m%d%H%M%S', $timestamp); +mysql_query('DELETE FROM hashes WHERE what="completed" ' +." AND last_change < '$yesterday'"); + ?>
\ No newline at end of file
Index: signup.php
===================================================================
RCS file: /cvsroot/xine/xine_www/modules/signup.php,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- signup.php 17 Dec 2003 13:02:15 -0000 1.6
+++ signup.php 5 Mar 2004 16:16:36 -0000 1.7
@@ -1,10 +1,5 @@ <?php -function make_seed() { - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - $showform = true; $message = '';
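Review bot: In confirm-account.php, `$code` is taken straight from the URL (`$parameters[1]`) and concatenated unescaped into the new `simple_select('login, what FROM hashes WHERE hash="'.$code.'"')` and into both `UPDATE hashes SET what="completed" WHERE hash="'.$code.'"` statements. Codes produced by update-account.php come from the alphabet `abcdefghijklmnopqrstuvwxyz0123456789`, so if signup.php generates them the same way a whitelist before the existing empty-code check is the simplest fix, `if (!preg_match('/^[a-z0-9]+$/', $code)) { $code = ''; }`; otherwise pass it through `mysql_real_escape_string()`. The success message `"Your primary email address has been changed to <$email>.\n"` emits the address as a raw `<...>` tag, which a browser is likely to swallow; write it as `'&lt;'.htmlspecialchars($email).'&gt;'`. The email-change branch tests `$GUARD['logged_on']` while the already-completed branch tests `$GUARD['logged_off']`; if the guard module defines only one of these keys, the other branch is dead. The cleanup block at the end calls `strftime('%Y%m%d%H%M%S', $timestamp)`, which is locale-dependent and deprecated since PHP 8.1; `date('YmdHis', $timestamp)` yields the same string.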
@@ -138,14 +133,24 @@ '<p align="left"> Use this form to create an account for the xine website: If you submit the form, an email will be sent to the given address. This -<b>email contains an URL with a confirmation code</b>. +email contains an URL with a confirmation code. You have to visit this URL in order to activate your account. </p> +<p> +<b>NOTE: entering an invalid or foreign email address will not work</b> +(see above for details). +</p> +<p> + This is only used to prevent abuse and in case you have to be contacted + for administrative reasons (eg. to recover a lost password). + We will never send you unsolicited email, and we will never give + your address away. +</p> <table class="content" border="0" cellspacing="0" cellpadding="0"> <tr> <td valign="middle"> -<table align="center" width="300" border="0" cellspacing="0" cellpadding="4"> +<table align="center" width="350" border="0" cellspacing="0" cellpadding="4"> <tr> <td align="right">Username </td> <td><input type="text" size="25" maxlength="25" name="login" value="' |