diff --git a/public/index.php b/public/index.php
index 7650919..df9b5cf 100644
--- a/public/index.php
+++ b/public/index.php
@@ -115,7 +115,7 @@ function dotown()
 while ($onlinerow = $onlinequery->fetchArray(SQLITE3_ASSOC)) {
 $online_count++;
- $online_rows[] = "".$onlinerow["username"]."" . ", ";
+ $online_rows[] = "".$onlinerow["username"]."";
 }
 $townrow["whosonline"] = "
Who's Online | ||||||||||||||||||||
\n";
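Review bot: `$onlinerow["username"]` is concatenated into the who's-online markup on the changed line with no visible output encoding, so a username containing markup characters would be rendered as HTML on the town page. The registration checks elsewhere in this commit restrict new usernames, but rows created earlier or changed through another path are not covered, so encode at the point of output: `htmlspecialchars($onlinerow["username"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML inside the string literals is not visible in this hunk and dotown() continues outside it, so confirm that no escaping already happens elsewhere.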
diff --git a/public/install.php b/public/install.php
index d4347dc..e2ef74b 100644
--- a/public/install.php
+++ b/public/install.php
@@ -621,7 +621,7 @@ function second()
`username` TEXT NOT NULL,
`password` TEXT NOT NULL,
`email` TEXT NOT NULL,
- `verify` INTEGER NOT NULL default 0,
+ `verify` TEXT NOT NULL default '',
`regdate` datetime NOT NULL default CURRENT_TIMESTAMP,
`onlinetime` datetime NOT NULL default CURRENT_TIMESTAMP,
`authlevel` INTEGER NOT NULL default 0,
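Review bot: The new `verify` column defaults to `''`, which is neither the verified marker nor a real token, so any row inserted without an explicit value carries an empty verification code. The verification handler is not visible here; it should reject an empty submitted code before comparing, and compare with `hash_equals()`. A PHP comment above the CREATE TABLE statement would document the column, e.g. `// verify: 'g2g' once verified, otherwise the pending email token` (the values register() writes in users.php). This changes the schema for fresh installs only; a database created by an earlier install.php keeps the INTEGER column unless a migration exists elsewhere. second() starts and ends outside the hunk.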
diff --git a/public/login.php b/public/login.php
index b19be3e..c57fd39 100644
--- a/public/login.php
+++ b/public/login.php
@@ -2,10 +2,7 @@
// login.php :: Handles logins and cookies.
-if (!file_exists('../.installed')) {
- header('Location: install.php');
- exit;
-}
+if (!file_exists('../.installed')) redirect('install.php');
require_once '../src/lib.php';
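Review bot: `redirect('install.php')` is called before `require_once '../src/lib.php';`, so unless redirect() is defined in something loaded earlier, an uninstalled site fails with an undefined-function error instead of redirecting. Put the include first: `require_once '../src/lib.php';` followed by `if (!file_exists('../.installed')) redirect('install.php');`, or keep the inline `header()`/`exit` if lib.php cannot be loaded before installation. The removed code called `exit` after sending the header, so redirect() has to end the request itself; otherwise the rest of login.php runs on an uninstalled site.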
diff --git a/public/users.php b/public/users.php
index 07d9f28..7a89a48 100644
--- a/public/users.php
+++ b/public/users.php
@@ -1,239 +1,252 @@
- verify(),
+ 'lostpassword' => lostpassword(),
+ 'changepassword' => changepassword(),
+ default => register()
+};
- $controlquery = doquery("SELECT * FROM {{table}} WHERE id='1' LIMIT 1", "control");
- $controlrow = mysql_fetch_array($controlquery);
+/**
+ * Register a new account.
+ */
+function register()
+{
+ global $controlrow;
if (isset($_POST["submit"])) {
+ $u = trim($_POST['username'] ?? '');
+ $e = trim($_POST['email1'] ?? '');
+ $e2 = trim($_POST['email2'] ?? '');
+ $p = $_POST['password1'] ?? '';
+ $p2 = $_POST['password2'] ?? '';
- extract($_POST);
-
- $errors = 0; $errorlist = "";
+ $errors = [];
// Process username.
- if ($username == "") { $errors++; $errorlist .= "Username field is required. "; }
- if (preg_match("/[^A-z0-9_\-]/", $username)==1) { $errors++; $errorlist .= "Username must be alphanumeric. "; } // Thanks to "Carlos Pires" from php.net!
- $usernamequery = doquery("SELECT username FROM {{table}} WHERE username='$username' LIMIT 1","users");
- if (mysql_num_rows($usernamequery) > 0) { $errors++; $errorlist .= "Username already taken - unique username required. "; }
+ if (empty($u) || strlen($u) < 3 || strlen($u) > 18 || !ctype_alnum(str_replace(' ', '', $u))) {
+ $errors[] = 'Username is required and must be between 3 and 18 characters long and contain only
+ alphanumeric characters and spaces.';
+ }
+
+ if (db()->exists('users', 'username', $u)) {
+ $errors[] = 'Username already taken. Try another.';
+ }
 // Process email address.
- if ($email1 == "" || $email2 == "") { $errors++; $errorlist .= "Email fields are required. "; }
- if ($email1 != $email2) { $errors++; $errorlist .= "Emails don't match. "; }
- if (! is_email($email1)) { $errors++; $errorlist .= "Email isn't valid. "; }
- $emailquery = doquery("SELECT email FROM {{table}} WHERE email='$email1' LIMIT 1","users");
- if (mysql_num_rows($emailquery) > 0) { $errors++; $errorlist .= "Email already taken - unique email address required. "; }
+ if (empty($e) || strlen($e) > 255 || !filter_var($e, FILTER_VALIDATE_EMAIL)) {
+ $errors[] = 'Email is required must be a valid email address.';
+ }
+
+ if ($e !== $e2) {
+ $errors[] = 'Verify Email must match.';
+ }
+
+ if (db()->exists('users', 'email', $e)) {
+ $errors[] = 'Email already taken. Forgot your password?';
+ }
 // Process password.
- if (trim($password1) == "") { $errors++; $errorlist .= "Password field is required. "; }
- if (preg_match("/[^A-z0-9_\-]/", $password1)==1) { $errors++; $errorlist .= "Password must be alphanumeric. "; } // Thanks to "Carlos Pires" from php.net!
- if ($password1 != $password2) { $errors++; $errorlist .= "Passwords don't match. 
"; }
- $password = md5($password1);
+ if (empty($p) || strlen($p) < 6) {
+ $errors[] = 'Password is required and must be at least 6 characters long.';
+ }
- if ($errors == 0) {
+ if ($p2 !== $p) {
+ $errors[] = 'Verify Password must match.';
+ }
- if ($controlrow["verifyemail"] == 1) {
- $verifycode = "";
- for ($i=0; $i<8; $i++) {
- $verifycode .= chr(rand(65,90));
- }
- } else {
- $verifycode='1';
- }
+ $password = password_hash($p, PASSWORD_ARGON2ID);
- $query = doquery("INSERT INTO {{table}} SET id='',regdate=NOW(),verify='$verifycode',username='$username',password='$password',email='$email1',charclass='$charclass'", "users") or die(mysql_error());
+ if (count($errors) !== 0) {
+ $err = "
$err Please go back and try again.";
+ } else {
+ $token = ($controlrow['verifyemail'] == true) ? token(8) : 'g2g';
+ db()->query('INSERT INTO users (verify, username, password, email, charclass) VALUES (?, ?, ?, ?, ?)', [
+ $token, $u, $password, $e, $_POST['charclass'] ?? 1
+ ]);
- if ($controlrow["verifyemail"] == 1) {
- if (sendregmail($email1, $verifycode) == true) {
+ if ($controlrow['verifyemail'] == true) {
+ if (sendregmail($e, $token)) {
 $page = "Your account was created successfully. You should receive an Account Verification email shortly. You will need the verification code contained in that email before you are allowed to log in. Once you have received the email, please visit the Verification Page to enter your code and start playing.";
 } else {
 $page = "Your account was created successfully. However, there was a problem sending your verification email. Please check with the game administrator to help resolve this problem.";
 }
- } else {
- $page = "Your account was created succesfully. You may now continue to the Login Page and continue playing ".$controlrow["gamename"]."!";
- }
-
- } else {
-
- $page = "The following error(s) occurred when your account was being made: $errorlist Please go back and try again.";
-
- }
-
+ } else {
+ $page = "Your account was created succesfully. You may now continue to the Login Page and continue playing ".$controlrow["gamename"]."!";
+ }
+ }
 } else {
-
- $page = gettemplate("register");
- if ($controlrow["verifyemail"] == 1) {
+ if ($controlrow["verifyemail"] == true) {
 $controlrow["verifytext"] = " A verification code will be sent to the address above, and you will not be able to log in without first entering the code. Please be sure to enter your correct email address.";
 } else {
 $controlrow["verifytext"] = "";
 }
- $page = parsetemplate($page, $controlrow);
+ $page = parsetemplate(gettemplate("register"), $controlrow);
 }
 $topnav = " ![]() ![]() ![]() You may now continue to the Login Page and start playing the game.
Thanks for playing!","Verify Email",false,false,false); } - $page = gettemplate("verify"); - $topnav = " ![]() ![]() ![]() ![]() ![]() ![]() Once you receive it, you may Log In and continue playing. Thank you.","Lost Password",false,false,false); } else { display("There was an error sending your new password. Please check with the game administrator for more information. We apologize for the inconvience.","Lost Password",false,false,false); } - die(); } - $page = gettemplate("lostpassword"); + $topnav = " ![]() ![]() ![]() You have been logged out of the game to avoid cookie errors. Please log back in to continue playing.","Change Password",false,false,false); - die(); - } - $page = gettemplate("changepassword"); - $topnav = " ![]() ![]() ![]() You have been logged out of the game to avoid errors. Please log back in to continue playing.","Change Password",false,false,false); + } + + $topnav = " ![]() ![]() ![]()
|
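Review bot: In register(), `$_POST['charclass'] ?? 1` is passed to the INSERT without any check, so a client can store an arbitrary string or an out-of-range class id; the query is parameterized, so this is a data-integrity gap rather than injection. Validate it alongside the other fields, e.g. `$class = filter_var($_POST['charclass'] ?? 1, FILTER_VALIDATE_INT);`, and add an error when the result is `false` or not one of the game's class ids. `trim($_POST['username'] ?? '')` and the email fields throw a TypeError when the client sends an array for the field, so an `is_string()` guard is worth adding before trimming. `password_hash()` also runs before the `count($errors)` check, spending an Argon2id hash on requests that are about to be rejected; moving it into the success branch avoids that.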