Local Food Cooperative Management System Software Upgrade Notes

___v1.4.4 Security update___

Features

Contributors to this Update

Roy Guisinger, Emma McCauley.

___v1.4.4 Changes to Files___

  1. PHP short open tags update
    The PHP short_open_tag setting is a php.ini directive, and php.ini is usually managed by the hosting company. When it is set to Off, this software does not load its PHP pages correctly, because most of the code was written with <? rather than <?php. For this release we did a find and replace of every <? with <?php, so the software no longer depends on that setting in case you do not have access to your ini file and an .htaccess override does not work for you. If you already have the software installed, you may want to do the same in case your server settings change at some point, but it is not required. The complete software package already has this update.
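    As an added example (not part of the upgrade package), the script below does the <? to <?php rewrite safely: a plain find-and-replace on "<?" would also turn "<?php" into "<?phpphp" and break "<?=" and "<?xml", so those are skipped. The file name fix_short_tags.php and the --dry-run flag are this example's own.

```php
<?php
// Added example, not part of the upgrade package: rewrite bare "<?" short open
// tags to "<?php" across a source tree. A plain find-and-replace on "<?" would
// also hit "<?php" (giving "<?phpphp"), "<?=" and "<?xml", so those are skipped.
// Usage: php fix_short_tags.php /path/to/shop [--dry-run]

function fix_short_tags(string $src): string {
    // "<?" not followed by "php", "=" or "xml" (case-insensitive). A tag glued to
    // code, e.g. "<?echo", gets a space so it does not become "<?phpecho".
    // Caveat: "<?" inside string literals or HTML comments is rewritten too;
    // review the diff before committing the result.
    return preg_replace(
        ['/<\?(?!php\b|=|xml\b)(?=\s)/i', '/<\?(?!php\b|=|xml\b)(?!\s)/i'],
        ['<?php', '<?php '],
        $src
    );
}

// Walk $dir and rewrite every *.php file whose content changes; returns the count.
function rewrite_tree(string $dir, bool $dry_run = true): int {
    $changed = 0;
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $orig = file_get_contents($path);
        $new  = fix_short_tags($orig);
        if ($new === $orig) {
            continue;
        }
        $changed++;
        echo ($dry_run ? 'would update ' : 'updated ') . $path . PHP_EOL;
        if (!$dry_run) {
            file_put_contents($path, $new);
        }
    }
    return $changed;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $dry = in_array('--dry-run', $argv, true);
    $n   = rewrite_tree($argv[1], $dry);
    echo $n . ($dry ? ' file(s) would change' : ' file(s) updated') . PHP_EOL;
}
```

    Run it with --dry-run first against a copy of the tree, then diff the result before uploading.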

  2. Delete extraneous file
    shop/admin/index_new.php

  3. Update an image path
    shop/members/template_hdr_orders.php

    Find this:
    <img src="<?php echo BASE_URL;?>/grfx/logo.jpg
    Update to:
    <img src="<?php echo BASE_URL.PATH;?>/grfx/logo.jpg

  4. Members option to change password

  5. 'Forgot your password?' option if not logged in yet and 'Change Password' option once logged in if they want to change it.
    shop/members/reset_password.php
    Upload this new file (the links to it are in the updates below for shop/members/orders_login.php and shop/members/index.php)

  6. More secure logins
    config_foodweb.php

    Find this around line 19:
    define("TABLE_AUTH",TABLE_MEMBER);//authentication tokens are in the member table

    Replace that line with this:
    define("TABLE_AUTH","auth_users_c");

    Find this around line 126:
    function login ($username_c, $password) {

    Delete the login function and the check_valid_user function, deleting everything up through line 150, leaving this:
    $font= "<font size=-1 face=arial>";

    Add this function right above that:
    function check_valid_user() {
    	if(!$_SESSION['valid_c']){
    		header( "Location: show_login.php");
    		exit;
    	}
    }


    config_foodweb_orders.php

    Find this around line 19:
    define("TABLE_AUTH",TABLE_MEMBER);//authentication tokens are in the member table

    Replace that line with this:
    define("TABLE_AUTH","auth_users_c");

    Find this around line 117:
    function login ($username_m, $password) {

    Delete the login function and the check_valid_user function, deleting everything up through line 141, leaving this:
    $font= "<font size=-1 face=arial>";

    Add this function right above that:
    function check_valid_user() {
    	if(!$_SESSION['valid_m']){
    		header( "Location: orders_login.php");
    		exit;
    	}
    }


    shop/members/orders_login.php

    Find this around line 82:
    echo "$site_name";

    Replace with:
    echo SITE_NAME;

    Find this around line 5:
    if ($gp == "ds") {
    Through this around line 74:
    include("template_hdr_orders.php");?>

    Delete all of that (make sure not to delete the ../../../config_ line) and replace it with this:
    $msg = ""; // message shown above the form; empty on the first visit
    $show_form = "yes";

    // Only handle a real submission: every field must be present and non-empty
    if (!empty($_POST['gp']) && $_POST['gp'] == "ds" && !empty($_POST['username_m']) && !empty($_POST['password'])) {
    	$sql = mysql_query("SELECT username_m FROM ".TABLE_MEMBER."
    		WHERE username_m = '".mysql_real_escape_string($_POST['username_m'])."'
    		AND password = md5('".mysql_real_escape_string($_POST['password'])."')");

    	if (mysql_num_rows($sql) != 0) {
    		$row = mysql_fetch_array($sql);
    		// valid_m is the flag check_valid_user() tests on every member page
    		$_SESSION["username_m"] = $row['username_m'];
    		$_SESSION["valid_m"] = $row['username_m'];

    		header("Location: index.php");
    		exit;
    	} else {
    		$msg = "Login incorrect. Please re-enter your login information.";
    	}
    }

    // PHP_SELF is escaped so the request path cannot inject markup into the form
    $form_block = '
    <form method="post" action="'.htmlspecialchars($_SERVER['PHP_SELF']).'" name="login">
    	'.$msg.'

    	<table>
      		<tr><td><b>Username</b>:</td><td>
    			<input type="text" name="username_m" size="17" maxlength="20">
      		</td></tr>

      		<tr><td><b>Password</b>:</td><td>
    			<input type="password" name="password" size="17" maxlength="25">
       		</td></tr>

    		<tr><td colspan="2" align="right">
    			<input type="hidden" name="gp" value="ds">
    			<input type="submit" name="submit" value="Login">
      		</td></tr>
    	</table>
    </form>

    <div style="text-align:left;font-size:11px;">
    	<a href="reset_password.php">Forgot your password?</a>
    </div>
    ';

    if ($show_form == "yes") {
    	$display_block = $form_block;
    }

    include("template_hdr_orders.php");?>


    shop/members/index.php

    Find this around line 13:
    if ($username_m && $password) {
    Through this around line 22:
    check_valid_user();

    Delete all of that (make sure not to delete the ../../../config_ line). Then on line 4, the line right after session_start();, paste this:
    check_valid_user();

    Find this around line 321:
    Update Your<br>Contact Info</a></b>

    Make a new line after it and add this:
    <br /><strong><a href="reset_password.php">Change Password</a></strong>


    shop/admin/show_login.php

    Find this around line 6:
    if ($op == "ds") {
    Through this around line 66:
    include("template_hdr.php");?>

    Delete all of that and replace it with this:
    $msg = ""; // message shown above the form; empty on the first visit
    $show_form = "yes";

    // Only handle a real submission: every field must be present and non-empty
    if (!empty($_POST['op']) && $_POST['op'] == "ds" && !empty($_POST['username_c']) && !empty($_POST['password'])) {
    	$sql = mysql_query("SELECT username_c FROM ".TABLE_AUTH."
    		WHERE username_c = '".mysql_real_escape_string($_POST['username_c'])."'
    		AND password = md5('".mysql_real_escape_string($_POST['password'])."')");

    	if (mysql_num_rows($sql) != 0) {
    		$row = mysql_fetch_array($sql);
    		// valid_c is the flag check_valid_user() tests on every admin page
    		$_SESSION["username_c"] = $row['username_c'];
    		$_SESSION["valid_c"] = $row['username_c'];

    		header("Location: index.php");
    		exit;
    	} else {
    		$msg = "Login incorrect. Please re-enter your login information.";
    	}
    }

    // PHP_SELF is escaped so the request path cannot inject markup into the form
    $form_block = '
    <form method="post" action="'.htmlspecialchars($_SERVER['PHP_SELF']).'" name="login">
    	'.$msg.'

    	<table>
      		<tr><td><b>Username</b>:</td><td>
    			<input type="text" name="username_c" size="17" maxlength="20">
      		</td></tr>

      		<tr><td><b>Password</b>:</td><td>
    			<input type="password" name="password" size="17" maxlength="25">
       		</td></tr>

    		<tr><td colspan="2" align="right">
    			<input type="hidden" name="op" value="ds">
    			<input type="submit" name="submit" value="Login">
      		</td></tr>
    	</table>
    </form>
    ';

    if ($show_form == "yes") {
    	$display_block = $form_block;
    }

    include("template_hdr.php");?>


    shop/admin/index.php

    Find this around line 5:
    if ($username_c && $password) {
    Through this around line 14:
    check_valid_user();

    Delete all of that. Then on line 4, the line right after session_start();, paste this:
    check_valid_user();
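
    Pulling the orders_login.php and index.php changes above together, here is an added example (not the project's code) of the same session-gated login written with mysqli prepared statements, a regenerated session id and an escaped form action. It assumes PHP 7 or later with mysqlnd, an open mysqli connection in $db, the TABLE_MEMBER constant from config_foodweb_orders.php, and the existing md5 password column.

```php
<?php
// Added example (not the project's code): the session-gated login introduced in
// v1.4.4, rewritten with mysqli prepared statements. Assumes PHP 7+ with mysqlnd,
// an open mysqli connection in $db, the TABLE_MEMBER constant and the existing
// md5 password column (kept so the example matches the schema).
session_start();

// Gate for member pages: only the flag set by a successful member_login() grants
// access; nothing taken from the request is trusted.
function check_valid_user(): void {
    if (empty($_SESSION['valid_m'])) {
        header('Location: orders_login.php');
        exit;
    }
}

// Verifies the credentials; on success establishes the session and returns true.
function member_login(mysqli $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT username_m, password FROM ' . TABLE_MEMBER . ' WHERE username_m = ?');
    $stmt->bind_param('s', $username);   // bound parameter, no string splicing
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Constant-time compare, run even for an unknown user so a missing account
    // is not distinguishable by response time.
    $stored = $row['password'] ?? str_repeat('0', 32);
    if (!hash_equals($stored, md5($password)) || $row === null) {
        return false;
    }
    session_regenerate_id(true);         // fresh id on login defeats session fixation
    $_SESSION['username_m'] = $row['username_m'];
    $_SESSION['valid_m']    = $row['username_m'];
    return true;
}

$msg = '';
if (($_POST['gp'] ?? '') === 'ds' && !empty($_POST['username_m']) && !empty($_POST['password'])) {
    if (member_login($db, $_POST['username_m'], $_POST['password'])) {
        header('Location: index.php');
        exit;
    }
    $msg = 'Login incorrect. Please re-enter your login information.';
}

// PHP_SELF echoes the request path; escape it so it cannot inject markup into the form.
$action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
$form_block = '<form method="post" action="' . $action . '" name="login">' . $msg
    . '<input type="text" name="username_m" maxlength="20">'
    . '<input type="password" name="password" maxlength="25">'
    . '<input type="hidden" name="gp" value="ds"><input type="submit" value="Login">'
    . '</form> <a href="reset_password.php">Forgot your password?</a>';
```

    The admin login in shop/admin/show_login.php follows the same shape with op, username_c, valid_m replaced by valid_c, and TABLE_AUTH in place of TABLE_MEMBER.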