Local Food Cooperative Software
The gist: This software operates on an order cycle instead of an “always open” system. Producers/farmers can log in and add products to their product catalog at any time for sale. During a designated time, cooperative members place orders.
Always make back-ups before applying changes.
___v1.4.4 Login Update___
Features
- Update to login validation system
Contributors to this Update
Unknown
___v1.4.4 Changes to Files___
- Change configuration files
Modify config_foodweb_orders.php
Find this around line 19:
define("TABLE_AUTH",TABLE_MEMBER);//authentication tokens are in the member table
Change it to this:
define("TABLE_AUTH","auth_users_c");
Near the end of the file (around line 117), find these lines and delete them:
function login ($username_m, $password) {
$conn = db_connect();
if (!$conn)
return 0;
$resultv = mysql_query("SELECT * FROM $table_mem WHERE username_m = '$username_m'
AND password = password('$password')");
if (!$resultv)
return 0;
if (mysql_num_rows($resultv)>0)
return 1;
else
return 0;
}
Around line 134 replace these lines:
global $valid_m;
if (session_is_registered("valid_m")) {
echo "";
} else {
with this:
if(!$_SESSION['valid_m']){
Modify config_foodweb.php
Do all of the same steps as for config_foodweb_orders.php above except substitute valid_c everywhere that says valid_m.
- Change admin files
Delete /shop/admin/index_new.php
Edit /shop/admin/index.php
Find these lines around line 5 and delete them:
if ($username_c && $password) {
if (login($username_c, $password)) {
$valid_c = $username_c;
session_register("valid_c");
} else {
header( "Location: show_login.php");
exit;
}
}
Edit /shop/admin/show_login.php
Find these lines near line 6:
if ($op == "ds") {
$username = preg_replace("/[^A-Za-z0-9]/","",$username_c);
$password = preg_replace("/[^A-Za-z0-9]/","",$password);
$sql = "SELECT * FROM $auth_table_name
WHERE username_c = \"$username_c\" and (password = md5(\"$password\"))
";
$result = @mysql_query($sql, $connection) or die("Couldn't execute query.");
$num = mysql_numrows($result);
if ($num != 0) {
$valid_c = $username_c;
session_register('valid_c');
} else {
$msg = "Login incorrect. Please re-enter your login information.";
$show_form = "yes";
}
if ($valid_c == $username_c) {
$_SESSION["username_c"] = $username_c;
$go_there = "yes";
}
} else {
$show_form = "yes";
}
and replace them with these lines:
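$show_form = "yes";
// Authenticate only on an explicit submit with both credentials present; the
// isset() guard keeps a plain GET of this page from raising notices.
if (isset($_POST['op'], $_POST['username_c'], $_POST['password'])
        && $_POST['op'] == "ds" && $_POST['username_c'] && $_POST['password']) {
    // NOTE(review): the mysql_* extension (removed in PHP 7) and the unsalted
    // md5() password column are kept because every login query in the
    // application shares this schema; moving to mysqli/PDO plus password_hash()
    // is an application-wide change, not a change to this page alone.
    $sql = mysql_query("SELECT username_c FROM ".TABLE_AUTH."
        WHERE username_c = '".mysql_real_escape_string($_POST['username_c'])."'
        AND password = md5('".mysql_real_escape_string($_POST['password'])."')");
    // A failed query (false) is treated as "no match" instead of being handed to mysql_numrows().
    if ($sql && mysql_numrows($sql) != 0) {
        $row = mysql_fetch_array($sql);
        // Issue a fresh session id at login so an id planted before
        // authentication (session fixation) is never promoted to an
        // authenticated one. Assumes session_start() already ran above, as the
        // original code's writes to $_SESSION require.
        session_regenerate_id(true);
        $_SESSION["username_c"] = $row['username_c'];
        $_SESSION["valid_c"] = $row['username_c'];
        header("Location: index.php");
        exit;
    } else {
        $msg = "Login incorrect. Please re-enter your login information.";
    }
}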
At around line 35, replace the double quote on `$form_block =` with a
single quote, and do the same at the end of that section (around line 54). Then replace every `\"` within
that section with `"` by removing the backslash.
At around line 58 remove the following lines:
} else if ($go_there == "yes") {
$username = $_SESSION['username_c'];
header("Location: index.php");
exit;
- Change member files
Edit /shop/members/index.php
Find this statement near line 3
session_start();
and add the following line after it:
check_valid_user();
Then, near lines 13-22 find the following and delete it:
if ($username_m && $password) {
if (login($username_m, $password)) {
$valid_m = $username_m;
session_register("valid_m");
} else {
header( "Location: orders_login.php");
exit;
}
}
check_valid_user();
Finally, near line 322, find the line that says:
Update Your<br>Contact Info</a></b>
and enter the following line after it:
<br /><strong><a href="reset_password.php">Change Password</a></strong>
Create a file called /shop/members/reset_password.php and copy the following code into it:
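<?php
/*
 * /shop/members/reset_password.php
 *
 * Member password page with two modes, chosen by whether the session is
 * authenticated ($_SESSION['valid_m'], which orders_login.php sets):
 *
 *   not logged in - the member supplies two of {username, email address,
 *                   full name}; when one member row matches both pieces, a new
 *                   random password is stored and mailed to the address on
 *                   file for that row;
 *   logged in     - the member supplies the old password and the new one
 *                   twice; when the old one verifies, the stored password is
 *                   replaced.
 *
 * NOTE(review): the page keeps the legacy mysql_* extension (removed in PHP 7)
 * and the existing unsalted MD5 password column because the login pages query
 * the same column the same way; moving to mysqli/PDO and password_hash() has
 * to be done for the whole application at once, not in this one file.
 *
 * Assumes config_foodweb_orders.php defines TABLE_MEMBER, MEMBERSHIP_EMAIL,
 * $connection and $domainname, all used below -- confirm against the config.
 */
include("../../../config_foodweb_orders.php");
session_start();

/**
 * Build a temporary password of $length characters from an alphabet without
 * look-alike characters (no 0/O or 1/l/I).
 *
 * Credentials must come from a cryptographically secure source: random_int()
 * on PHP 7+, otherwise the OpenSSL CSPRNG. rand()/mt_rand() are predictable
 * and are never used here.
 *
 * @param int $length number of characters to generate
 * @return string the generated password
 */
function generate_temporary_password($length)
{
    $chars = "ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    $count = strlen($chars);
    // Largest multiple of $count that fits in one byte; bytes at or above it are
    // discarded so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $count);
    $use_random_int = function_exists('random_int');
    if (!$use_random_int && !function_exists('openssl_random_pseudo_bytes')) {
        // Fail closed rather than fall back to a predictable generator.
        die("No secure random number source is available on this server.");
    }
    $password = '';
    while (strlen($password) < $length) {
        if ($use_random_int) {
            $index = random_int(0, $count - 1);
        } else {
            $byte = ord(openssl_random_pseudo_bytes(1));
            if ($byte >= $limit) {
                continue;
            }
            $index = $byte % $count;
        }
        $password .= $chars[$index];
    }
    return $password;
}

/**
 * Read one POST field as a string, optionally stripping disallowed characters.
 *
 * @param string $name    POST field name
 * @param string $pattern preg pattern of characters to strip, or '' to keep the value verbatim
 * @return string the filtered value; '' when the field is missing or not a string
 */
function posted_field($name, $pattern)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';
    }
    if ($pattern === '') {
        return $_POST[$name];
    }
    return preg_replace($pattern, "", $_POST[$name]);
}

$message = '';
// A local flag replaces the original practice of overwriting $_POST['form_data']
// to mark a failed submission; it decides whether the form is shown again.
$form_posted = (isset($_POST['form_data']) && $_POST['form_data'] == 'true');
// PHP_SELF echoes the request path, so it is escaped before being placed in the
// form's action attribute.
$form_action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

if (empty($_SESSION['valid_m'])) {
    // The user is not logged in: validate who they are and mail a new password.
    if ($form_posted) {
        $username_m = posted_field('username_m', "/[^A-Za-z0-9]/");
        // NOTE(review): this pattern only strips a character outside the set when
        // it is immediately followed by '-'; it is kept as-is because the value is
        // escaped before the query and compared exactly against the stored
        // address, so the logic does not rely on it as a whitelist.
        $email_address = posted_field('email_address', "/[^A-Za-z0-9_\-@]\-/");
        // The original compared a name built from both POST fields but queried
        // $first_name/$last_name, which were never assigned; both now come from
        // the same filtered values.
        $first_name = posted_field('first_name', "/[^A-Za-z0-9 ]/");
        $last_name = posted_field('last_name', "/[^A-Za-z0-9 ]/");
        $full_name = $first_name.' '.$last_name;

        // A piece of information counts as supplied only when it is non-empty, so
        // a row with a blank email or name column cannot be matched by leaving
        // the corresponding field empty.
        $have_username = ($username_m !== '');
        $have_email = ($email_address !== '');
        $have_name = (trim($full_name) !== '');

        $valid_info = false;
        $valid_email = '';
        $valid_username = '';
        // Every accepted pair contains the username or the email address, so the
        // lookup needs only those two columns; names are compared on the rows found.
        if ($have_username || $have_email) {
            $conditions = array();
            if ($have_username) {
                $conditions[] = 'username_m="'.mysql_real_escape_string($username_m).'"';
            }
            if ($have_email) {
                $conditions[] = 'email_address="'.mysql_real_escape_string($email_address).'"';
            }
            $query_check = '
                SELECT
                    username_m,
                    email_address,
                    first_name,
                    last_name,
                    first_name_2,
                    last_name_2
                FROM '.TABLE_MEMBER.'
                WHERE '.implode(' OR ', $conditions);
            // Warnings are suppressed so the SQL text never reaches the page, and
            // the visitor gets a generic message rather than mysql_error() output.
            $result = @mysql_query($query_check, $connection) or die("Couldn't execute query.");
            while ($row = mysql_fetch_array($result)) {
                $row_name = $row['first_name'].' '.$row['last_name'];
                $row_name_2 = $row['first_name_2'].' '.$row['last_name_2'];
                $username_ok = $have_username && $row['username_m'] === $username_m;
                $email_ok = $have_email && $row['email_address'] === $email_address;
                $name_ok = $have_name && ($row_name === $full_name || $row_name_2 === $full_name);
                // Two of the three pieces must match the same row, and that row
                // needs an address for the new password to be delivered to.
                $two_of_three = ($username_ok && $email_ok) || ($username_ok && $name_ok) || ($email_ok && $name_ok);
                if ($two_of_three && $row['email_address'] !== '') {
                    $valid_info = true;
                    $valid_email = $row['email_address'];
                    $valid_username = $row['username_m'];
                }
            }
        }
        if ($valid_info) {
            // Everything looks good: store a new password and send it to the validated address.
            $password = generate_temporary_password(10);
            // Scoped to the matched username so other accounts that happen to
            // share the email address are not reset as well.
            $query_update = '
                UPDATE '.TABLE_MEMBER.'
                SET password = MD5("'.mysql_real_escape_string($password).'")
                WHERE username_m = "'.mysql_real_escape_string($valid_username).'"';
            $result = mysql_query($query_update, $connection) or die("Couldn't execute query.");
            $message =
            'Account security notice:
'. '
'. 'The password for an account registered with this email address
'. 'has been reset from the website at '.$domainname.'
'. 'Username: '.$valid_username.'
'. 'The new password is: '.$password;
            mail ( $valid_email, 'Updated account info for '.$domainname, $message, "from: ".MEMBERSHIP_EMAIL);
            header( 'refresh: 15; url=../index.php' );
            include("template_hdr_orders.php");
            echo
            '<table width="50%" align="center" cellspacing="5">
<tr>
<td><p style="font-size:1.5em">An email has been sent to the validated address.
If you do not receive it, contact '.MEMBERSHIP_EMAIL.'</p>
<p style="font-size:1.5em">In a few seconds, you will be redirected to the main page.</p></td>
</tr>
</table>';
            include("template_footer_orders_notloggedin.php");
            exit;
        } else {
            // Information did not validate: show the form again with a generic
            // message (which piece failed is deliberately not revealed).
            $form_posted = false;
            $message = '<p style="font-size:1.5em">Sorry... the information you submitted did not validate.</p>';
        }
    }
    if (!$form_posted) {
        // Form data was not posted or was invalid, so show the form for input.
        include("template_hdr_orders.php");
        echo
        '<form method="post" action="'.$form_action.'" name="change_password">
<table width="50%" align="center" cellspacing="5">
<tr>
<td colspan="2">'.$message.'<p style="font-size:1.5em">In order to reset your password, you must correctly
enter two of the three pieces of information below. Then a new password will be
e-mailed to you.</p><p style="font-size:1.5em">For security purposes, you will not be told which information
is incorrect.</p></td>
</tr>
<tr>
<td align="right"><b>Username</b>:</td>
<td align="left"><input type="input" name="username_m" size="17" maxlength="20"></td>
</tr>
<tr>
<td align="right"><b>Email Address</b>:</td>
<td align="left"><input type="text" name="email_address" size="25" maxlength="50"></td>
</tr>
<tr>
<td align="right"><b>Full Name</b>:</td>
<td align="left"><input type="input" name="first_name" size="20" maxlength="25" value="...first name..." onClick="javascript:this.focus();this.select();">
AND <input type="input" name="last_name" size="20" maxlength="25" value="...last name..." onClick="javascript:this.focus();this.select();"></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="hidden" name="form_data" value="true">
<input type="submit" name="submit" value="Send New Password"></td>
</tr>
</table>
</form>';
        include("template_footer_orders_notloggedin.php");
    }
} else {
    // The user is already logged in: provide a form to change the password.
    if ($form_posted) {
        $username_m = isset($_SESSION['username_m']) ? $_SESSION['username_m'] : '';
        // Passwords are taken verbatim (escaped only for SQL below): the login
        // page hashes the submitted password unmodified, so stripping characters
        // here would store a hash the member could never log in with.
        $old_password = posted_field('old_password', '');
        $new_password1 = posted_field('new_password1', '');
        $new_password2 = posted_field('new_password2', '');
        // Make sure everything is filled in.
        if ($username_m !== '' && $old_password !== '' && $new_password1 !== '' && $new_password2 !== '') {
            // Check that the new passwords match.
            if ($new_password1 !== $new_password2) {
                $message .= '<p style="font-size:1.5em">New passwords do not match.</p>';
            }
            // Check that the old password is correct.
            $query_pw = '
                SELECT "true" AS valid_password
                FROM '.TABLE_MEMBER.'
                WHERE username_m="'.mysql_real_escape_string($username_m).'"
                AND password = MD5("'.mysql_real_escape_string($old_password).'")';
            $result = @mysql_query($query_pw, $connection) or die("Couldn't execute query.");
            $row = mysql_fetch_array($result);
            // mysql_fetch_array() returns false when no row matched.
            if (!$row || $row['valid_password'] !== 'true') {
                $message .= '<p style="font-size:1.5em">Incorrect old password was provided.</p>';
            }
            if ($message === '') {
                // Everything looks good, so go ahead and update the password.
                $query_update = '
                    UPDATE '.TABLE_MEMBER.'
                    SET password = MD5("'.mysql_real_escape_string($new_password1).'")
                    WHERE username_m = "'.mysql_real_escape_string($username_m).'"';
                $result = mysql_query($query_update, $connection) or die("Couldn't execute query.");
                header( 'refresh: 15; url=index.php' );
                include("template_hdr_orders.php");
                echo
                '<table width="50%" align="center" cellspacing="5">
<tr>
<td><p style="font-size:1.5em">Your password has been updated. </p>
<p style="font-size:1.5em">In a few seconds, you will be redirected to the login page.</p></td>
</tr>
</table>';
                include("template_footer_orders_notloggedin.php");
                exit;
            } else {
                // There was an error, so return to the form.
                $form_posted = false;
            }
        } else {
            $form_posted = false;
        }
    }
    if (!$form_posted) {
        // Form data was not posted or was invalid, so show the form for input.
        include("template_hdr_orders.php");
        echo '<form method="post" action="'.$form_action.'" name="change_password">';
        echo '
<table width="50%" align="center" cellspacing="5">
<tr>
<td colspan="2">';
        if ($message) {
            echo $message.'<p style="font-size:1.5em">Please re-enter your information.</p>';
        } else {
            echo '<p style="font-size:1.5em">In order to change your password, please enter your old password and
enter your new password twice for confirmation.</p>';
        }
        echo '
</td>
</tr>
<tr>
<td align="right"><b>Old Password</b>:</td>
<td align="left"><input type="password" name="old_password" size="17" maxlength="20"></td>
</tr>
<tr>
<td align="right"><b>New Password</b>:</td>
<td align="left"><input type="password" name="new_password1" size="17" maxlength="25"></td>
</tr>
<tr>
<td align="right"><b>New Password (confirm)</b>:</td>
<td align="left"><input type="password" name="new_password2" size="17" maxlength="25"></td>
</tr>
<tr>
<td colspan="2" align="right"><input type="hidden" name="form_data" value="true">
<input type="submit" name="submit" value="Update"></td>
</tr>
</table>
</form>';
        include("template_footer_orders.php");
    }
}
?>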
Edit the file /shop/members/orders_login.php
Near line 5 replace the following lines:
if ($gp == "ds") {
$username_m = preg_replace("/[^A-Za-z0-9]/","",$_POST['username_m']);
$password = preg_replace("/[^A-Za-z0-9]/","",$_POST['password']);
$sqlpw = "SELECT password as dbpass FROM $table_mem
WHERE username_m = \"$username_m\"";
$resultpw = @mysql_query($sqlpw, $connection) or die("Couldn't execute query.");
while ($row = mysql_fetch_array($resultpw)) {
$dbpass = $row['dbpass'];
//$sql = "SELECT username_m FROM $table_mem WHERE username_m = \"$username_m\" and pending='0'";
$sql = "SELECT username_m FROM $table_mem WHERE username_m = \"$username_m\"";
$result = @mysql_query($sql, $connection) or die("Couldn't execute query.");
$num = mysql_numrows($result);
}
if ($num != 0) {
$valid_m = $username_m;
session_register('valid_m');
} else {
$msg = "Login incorrect. Please re-enter your login information.";
$show_form = "yes";
}
if ($valid_m == $username_m) {
$_SESSION["username_m"] = $username_m;
$go_there = "yes";
}
} else {
$show_form = "yes";
}
with these lines:
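$show_form = "yes";
// Authenticate only on an explicit submit with both credentials present; the
// isset() guard keeps a plain GET of this page from raising notices.
if (isset($_POST['gp'], $_POST['username_m'], $_POST['password'])
        && $_POST['gp'] == "ds" && $_POST['username_m'] && $_POST['password']) {
    // NOTE(review): the mysql_* extension (removed in PHP 7) and the unsalted
    // md5() password column are kept because every login query in the
    // application shares this schema; moving to mysqli/PDO plus password_hash()
    // is an application-wide change, not a change to this page alone.
    $sql = mysql_query("SELECT username_m FROM ".TABLE_MEMBER."
        WHERE username_m = '".mysql_real_escape_string($_POST['username_m'])."'
        AND password = md5('".mysql_real_escape_string($_POST['password'])."')");
    // A failed query (false) is treated as "no match" instead of being handed to mysql_numrows().
    if ($sql && mysql_numrows($sql) != 0) {
        $row = mysql_fetch_array($sql);
        // Issue a fresh session id at login so an id planted before
        // authentication (session fixation) is never promoted to an
        // authenticated one. Assumes session_start() already ran above, as the
        // original code's writes to $_SESSION require.
        session_regenerate_id(true);
        $_SESSION["username_m"] = $row['username_m'];
        $_SESSION["valid_m"] = $row['username_m'];
        header("Location: index.php");
        exit;
    } else {
        $msg = "Login incorrect. Please re-enter your login information.";
    }
}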
At around line 24, replace the double quote on `$form_block =` with a
single quote, and do the same at the end of that section (around line 42). Then replace every `\"` within
that section with `"` by removing the backslash.
Around line 49, find the following lines:
if ($show_form == "yes") {
$display_block = $form_block;
Immediately before those add these lines:
<div style="text-align:left;font-size:11px;">
<a href="reset_password.php">Forgot your password?</a>
</div>
';
And immediately after them, delete these lines:
} else if ($go_there == "yes") {
$username_m = $_SESSION['username_m'];
header("Location: index.php");
exit;
Around line 61, replace "$site_name" with SITE_NAME.
Edit the file /shop/members/template_hdr_orders.php
Near line 21 add .PATH so the line looks like this:
<img src="<?php echo BASE_URL.PATH;?>/grfx/logo.jpg" border="0" alt="Food Cooperative" align="left"></a>