<?php
/************************************************
* Module: Auth.inc.php *
* Author Name: J.D. Stone *
* *
* Purpose: Authentication Libraries. Provides *
* various authentication related *
* helper methods. *
*************************************************/
require_once("MySQL.inc.php");
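class Auth extends MySQL {
    // Authentication helpers built on the MySQL base class. All queries use
    // mysqli prepared statements on $this->dblink (the original used
    // real_escape_string()/fetch_assoc() on it, so it is assumed to be a mysqli
    // handle — verify against MySQL.inc.php).
    //
    // Password storage: new and changed passwords are stored with
    // password_hash(PASSWORD_DEFAULT). Rows written by the old scheme (raw md5
    // hex, 32 chars) are still accepted at login and transparently upgraded.
    // NOTE(review): `users.passwd` must be wide enough for password_hash()
    // output (VARCHAR(255) is the usual recommendation); a CHAR(32) column
    // would truncate the hash and lock the user out. Requires PHP 5.6+
    // (password_hash, hash_equals, session_status).
    //
    // Other fixes relative to the original:
    //  - hashes are compared with hash_equals() instead of `==` (loose `==`
    //    treats two "0e..." hex strings as numerically equal);
    //  - the login path no longer runs real_escape_string() on the password
    //    before hashing it, which corrupted any password containing a quote
    //    or backslash (createAccount() hashed the raw password, so such users
    //    could register but never log in);
    //  - processLogin() exits after the redirect header like the other
    //    redirecting methods, so the caller cannot keep rendering;
    //  - the unreachable dblink->close() calls after `return` now run;
    //  - a missing result row no longer dereferences null.

    // Where processLogin() sends the browser on success / failure.
    private $redirectLoginSuccess;
    private $redirectLoginFailed;
    // Where doLogout() sends the browser; empty/false means "no redirect".
    private $logoutGoTo;

    public function __construct() {
        // Base-class constructor (MySQL) runs first.
        parent::__construct();
        $this->logoutGoTo = "login.php";
    }

    // 'set' Methods
    public function setRedirectLoginSuccess($link) {
        $this->redirectLoginSuccess = $link;
    }
    public function setRedirectLoginFailed($link) {
        $this->redirectLoginFailed = $link;
    }
    public function setLogoutGoTo($link) {
        $this->logoutGoTo = $link;
    }

    // 'get' Methods
    public function getRedirectLoginSuccess() {
        return $this->redirectLoginSuccess;
    }
    public function getRedirectLoginFailed() {
        return $this->redirectLoginFailed;
    }
    public function getLogoutGoTo() {
        return $this->logoutGoTo;
    }

    /**
     * Change the signed-in user's password after re-verifying the current one.
     *
     * @param string $currpasswd Current password, in plain text.
     * @param string $newpasswd  New password, in plain text.
     * @return bool true when the UPDATE executed; false when nobody is signed
     *              in, the current password does not match, or a statement
     *              could not be prepared/executed.
     */
    public function changePasswd($currpasswd, $newpasswd) {
        if (!isset($_SESSION['uid'])) {
            return false;
        }
        $this->dbConnect();
        $uid = $_SESSION['uid'];
        $result = false;
        $stored = $this->fetchStoredHash($uid);
        if ($stored !== null && $this->verifyPassword($currpasswd, $stored)) {
            $result = $this->storePasswordHash($uid, $this->hashPassword($newpasswd));
        }
        $this->dblink->close();
        return $result;
    }

    /**
     * Change the signed-in user's e-mail address after verifying the password.
     * As in the original, `username` is set to the new e-mail as well.
     *
     * @param string $newemail   New e-mail address (also becomes the username).
     * @param string $currpasswd Current password, in plain text.
     * @return bool true when the UPDATE executed, false otherwise (see changePasswd()).
     */
    public function changeEmail($newemail, $currpasswd) {
        if (!isset($_SESSION['uid'])) {
            return false;
        }
        $this->dbConnect();
        $uid = $_SESSION['uid'];
        $result = false;
        $stored = $this->fetchStoredHash($uid);
        if ($stored !== null && $this->verifyPassword($currpasswd, $stored)) {
            $stmt = $this->dblink->prepare(
                "UPDATE `users` SET `username` = ?, `email` = ? WHERE `U_Id` = ?"
            );
            if ($stmt !== false) {
                $stmt->bind_param("sss", $newemail, $newemail, $uid);
                $result = $stmt->execute();
                $stmt->close();
            }
        }
        $this->dblink->close();
        return $result;
    }

    /**
     * Authenticate a username/password pair, start the session on success and
     * redirect to the configured success or failure URL. Never returns: it
     * sends a Location header and exits either way. A legacy md5 row that
     * verifies is re-hashed with password_hash() before the session is created.
     *
     * @param string $username Submitted username.
     * @param string $password Submitted password, in plain text.
     */
    public function processLogin($username, $password) {
        $this->dbConnect();
        $target = $this->redirectLoginFailed;
        $stmt = $this->dblink->prepare(
            "SELECT U_Id, passwd, acslvl FROM users WHERE username = ?"
        );
        if ($stmt !== false) {
            $stmt->bind_param("s", $username);
            $stmt->execute();
            $stmt->bind_result($uid, $stored, $usergroup);
            $found = $stmt->fetch();
            $stmt->close();
            if ($found && $this->verifyPassword($password, $stored)) {
                // Upgrade legacy md5 rows (and stale password_hash parameters)
                // while the plain-text password is available.
                if ($this->isLegacyHash($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
                    $this->storePasswordHash($uid, $this->hashPassword($password));
                }
                // Cast to string: fetch_assoc() in the original yielded strings,
                // and session consumers may compare against string literals.
                $this->createSession((string) $uid, (string) $usergroup);
                $target = $this->redirectLoginSuccess;
            }
        }
        $this->dblink->close();
        header("Location: " . $target);
        exit;
    }

    /**
     * Store the authenticated identity in the session. The session ID is
     * rotated first so an ID fixed by an attacker before login is not kept.
     * Assumes the caller has already started the session.
     *
     * @param mixed $uid       users.U_Id of the authenticated user.
     * @param mixed $usergroup users.acslvl of the authenticated user.
     */
    public function createSession($uid, $usergroup) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['uid'] = $uid;
        $_SESSION['usergroup'] = $usergroup;
    }

    /**
     * Log the visitor out: drop the identity keys, rotate the session ID so
     * the pre-logout ID cannot be replayed (other session data is kept, as
     * before), then redirect to logoutGoTo when one is configured.
     */
    public function doLogout() {
        unset($_SESSION['uid'], $_SESSION['usergroup']);
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        if ($this->logoutGoTo) {
            header("Location: " . $this->logoutGoTo);
            exit;
        }
    }

    /**
     * Insert a new user row with a password_hash()-protected password.
     *
     * @param string $firstname
     * @param string $username
     * @param string $passwd Plain-text password; never stored as-is.
     * @param string $email
     * @return bool Result of the INSERT's execute(), or false if it could not be prepared.
     */
    public function createAccount($firstname, $username, $passwd, $email) {
        $this->dbConnect();
        $hash = $this->hashPassword($passwd);
        $result = false;
        $stmt = $this->dblink->prepare(
            "INSERT INTO `users`(`firstname`, `username`, `passwd`, `email`) VALUES(?, ?, ?, ?)"
        );
        if ($stmt !== false) {
            $stmt->bind_param("ssss", $firstname, $username, $hash, $email);
            $result = $stmt->execute();
            $stmt->close();
        }
        $this->dblink->close();
        return $result;
    }

    // ---- password helpers ---------------------------------------------

    // Hash a plain-text password for storage.
    private function hashPassword($plain) {
        return password_hash($plain, PASSWORD_DEFAULT);
    }

    // True when $stored looks like a hash written by the old md5() scheme.
    private function isLegacyHash($stored) {
        return is_string($stored) && strlen($stored) === 32 && ctype_xdigit($stored);
    }

    // Constant-time check of $plain against a stored hash of either scheme.
    private function verifyPassword($plain, $stored) {
        if (!is_string($stored) || $stored === '') {
            return false;
        }
        if ($this->isLegacyHash($stored)) {
            return hash_equals($stored, md5($plain));
        }
        return password_verify($plain, $stored);
    }

    // Fetch users.passwd for $uid, or null when there is no such row or the
    // statement fails. Caller must have called dbConnect().
    private function fetchStoredHash($uid) {
        $stmt = $this->dblink->prepare("SELECT passwd FROM users WHERE U_Id = ?");
        if ($stmt === false) {
            return null;
        }
        $stmt->bind_param("s", $uid);
        $stmt->execute();
        $stmt->bind_result($stored);
        $found = $stmt->fetch();
        $stmt->close();
        return $found ? $stored : null;
    }

    // Write an already-hashed password for $uid. Returns execute()'s result.
    private function storePasswordHash($uid, $hash) {
        $stmt = $this->dblink->prepare("UPDATE `users` SET `passwd` = ? WHERE `U_Id` = ?");
        if ($stmt === false) {
            return false;
        }
        $stmt->bind_param("ss", $hash, $uid);
        $ok = $stmt->execute();
        $stmt->close();
        return $ok;
    }

    // ---- access control -----------------------------------------------

    /**
     * Decide whether a visitor may see a page.
     *
     * @param string $strUsers  Comma-separated list of allowed user IDs ("" = none).
     * @param string $strGroups Comma-separated list of allowed groups.
     * @param mixed  $UserName  The visitor's session uid; empty means not signed in
     *                          (note: a uid of "0" is treated as not signed in, as before).
     * @param mixed  $UserGroup The visitor's session usergroup.
     * @return bool true when signed in AND listed by ID or by group.
     */
    private function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
        // Deny by default.
        if (empty($UserName)) {
            return false;
        }
        $arrUsers = explode(",", (string) $strUsers);
        $arrGroups = explode(",", (string) $strGroups);
        // Strict comparison on string form: session values may arrive as int
        // or string depending on how they were fetched.
        return in_array((string) $UserName, $arrUsers, true)
            || in_array((string) $UserGroup, $arrGroups, true);
    }

    /**
     * Gate the current page: visitors who are not signed in, or whose group is
     * not in $authorizedUsers, are redirected to denied.html with the current
     * URL in the `accesscheck` query parameter. Never returns in that case.
     * The value placed in accesscheck comes from PHP_SELF/QUERY_STRING, which
     * the client controls; whatever reads it on denied.html must escape it.
     *
     * @param string $authorizedUsers Comma-separated list of allowed groups.
     */
    public function checkAccess($authorizedUsers) {
        $restrictGoTo = "denied.html";
        $uid = isset($_SESSION['uid']) ? $_SESSION['uid'] : '';
        $group = isset($_SESSION['usergroup']) ? $_SESSION['usergroup'] : '';
        if (isset($_SESSION['uid']) && $this->isAuthorized("", $authorizedUsers, $uid, $group)) {
            return;
        }
        $qsChar = (strpos($restrictGoTo, "?") !== false) ? "&" : "?";
        $authReferrer = $_SERVER['PHP_SELF'];
        if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) {
            $authReferrer .= "?" . $_SERVER['QUERY_STRING'];
        }
        header("Location: " . $restrictGoTo . $qsChar . "accesscheck=" . urlencode($authReferrer));
        exit;
    }
}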
?>