1
giba
Ativacao.php - Analysing code for team security
  • 2005/1/4 10:32

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Quote:

Acho que isto ainda vai para notícias, mas vou postar aqui para futuras consultas no fórum:

Arquivo ATIVACAO.PHP

PHP
### ======================================================
### [url=http://www.xoops.net.br/]XOOPS Brasil[/url] - A comunidade diferente!
### ======================================================
### Arquivo para reenvio de Link de Ativa??o
### ======================================================
### Developer: Fernando Santos, fernando@zend.com.br
### Copyright: www.xoops.net.br ? 2003-2004
### ------------------------------------------------------
### www.xoops.net.br
### ======================================================
### v.1.0, Sun Dec 19 15:33:59 BRST 2004
### ======================================================

$xoopsOption['pagetype'] = "user";
include 
"mainfile.php";
include 
'header.php';
// Tanto faz, GET ou POST
$email = isset($HTTP_GET_VARS['email']) ? trim($HTTP_GET_VARS['email']) : '';
$email = isset($HTTP_POST_VARS['email']) ? trim($HTTP_POST_VARS['email']) : $email;
// Se $email for vazio, mostra o form para envio do link
if ($email == '') {
echo <<< TOPET05

  Reenvio de Link para Ativa??o de Cadastro
  
Digite o e-mail que você usou no cadastro em nosso site para receber novamente o link de ativa??o de conta.

  $_SERVER[PHP_SELF]" method="post">
    Seu E-mail:   
  

TOPET05;
// Se $email n?o for vazio , vamos fazer uma série de verifica??es antes de enviar
}else{
$myts =& MyTextSanitizer::getInstance();
$member_handler =& xoops_gethandler('member');
// A linha abaixo retornará um array com todos os usuários que tenham o e-mail citado, no nosso caso será apenas $getuser[0]
$getuser =& $member_handler->getUsers(new Criteria('email'$myts->addSlashes($email)));
// Se o e-mail n?o existir na base de dados, $getuser será vazio...
if (empty($getuser)) {
echo 
"

E-mail n?o cadastrado em nossa base de dados!

"
;
include(
"footer.php");
    exit();
}
//Verificando se o usuário já está ativo...
if($getuser[0]->isActive()){
echo 
"

O usuário ".$getuser[0]->getVar('uname').", cadastrado com o e-mail ".$getuser[0]->getVar('email')." já está ativo!

"
;
include(
"footer.php");
    exit();    
}
//Enviando a baga?a
$xoopsMailer =& getMailer();
$xoopsMailer->useMail();
$xoopsMailer->setTemplate('register.tpl');
$xoopsMailer->assign('SITENAME'$xoopsConfig['sitename']);
$xoopsMailer->assign('ADMINMAIL'$xoopsConfig['adminmail']);
$xoopsMailer->assign('SITEURL'XOOPS_URL."/");
$xoopsMailer->setToUsers($getuser[0]);
$xoopsMailer->setFromEmail($xoopsConfig['adminmail']);
$xoopsMailer->setFromName($xoopsConfig['sitename']);
$xoopsMailer->setSubject(sprintf("- Reenvio - "._US_USERKEYFOR,$getuser[0]->getVar("uname")));
    if ( !
$xoopsMailer->send() ) {
    echo 
"

N?o foi possível enviar o link de ativa??o para ".$getuser[0]->getVar('uname').". Entre em contato com os administradores do site.

"
;
    include(
"footer.php");
    exit();
    } else {
    echo 
"

O Link de ativa??o para ".$getuser[0]->getVar('uname')." foi reenviado. Caso n?o receba o e-mail dentro de algumas horas, tente novamente ou entre em contato com os administradores do site.

"
;
    }
}
include(
"footer.php");
?>


Coloque este arquivo no seu diretório principal XOOPS. Depois coloque um link para ele no bloco de login e pronto, n?o precisa alterar nada.
Se algum usuário do seu site vier reclamando que n?o recebeu o link de ativa??o, pe?a-o para acessar o seusite.com.br/ativacao.php e preencher o form.
Se quiser enviar via GET, tipo
seusite.com.br/ativacao.php?email=fernando@mastop.com.br
vai funfar do mesmo jeito.
Espero que seja útil... quem quiser aprimorar o código, agrade?o!!

Testado e funfando direitinho.

Grato ao Izzy pelos primeiros testes

Abra??o


Team for security, analysing for me this code ????

2
giba
Re: Ativacao.php - Analysing code for team security
  • 2005/1/4 14:12

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Up 1

3
Mithrandir
Re: Ativacao.php - Analysing code for team security

What do you want us to do?

4
m0nty
Re: Ativacao.php - Analysing code for team security
  • 2005/1/4 15:09

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


:) also i notice that that code is not from the current version of xoops.. i have no idea what the text says above as i only speak english.

5
giba
Re: Ativacao.php - Analysing code for team security
  • 2005/1/4 15:12

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


It would like that esquipe could test this code to know if no breach of security in it does not exist and that was incluido to come with this option already in the versions of the Xoops.
The activation code is very common to fail and later the users it does not receive this again I redispatch.

With this code it will be able to always request that he will not be registered in the site the activation of its I register in cadastre in the hour that to desire.

Sorry my bad english.: -)

6
wcrwcr
Problems with Account Activation Mail - Hack
  • 2005/1/4 17:10

  • wcrwcr

  • Home away from home

  • Posts: 1114

  • Since: 2003/12/12


Hi and happy new year to all

Let me try to put some light here.

The file that Giba has submitted is a workaround to the famous activation mail sending problem.

It was made following the nice suggestion made by herko on this thread:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=26707&viewmode=flat&order=ASC&start=10

How It works:

1. put the Ativacao.php file on your main XOOPS directory.
2. after that, create and put a link to the Ativacao.php file on your login block

That?s all

If any of your users starts complaining about the non sending of the activation mail ask them to click on the link, fill up the form and it?s done

Feel free to implement the code and write any suggestions.
This file was written by topet05.

PS. If anybody wants to use it with the GET function, like

Quote:
yoursite.com.br/ativacao.php?email=fernando@mastop.com.br


the code also do the job

I hope it helps.
Regards,
Wilson

7
Salomao
Re: Ativacao.php - Analysing code for team security
  • 2005/1/4 18:17

  • Salomao

  • Just popping in

  • Posts: 2

  • Since: 2004/2/25


Trying to translate to English
Quote:

File ATIVACAO.PHP

PHP
### ======================================================
### [url=http://www.xoops.net.br/]XOOPS Brasil[/url] - A comunidade diferente!
### ======================================================
### Arquivo para reenvio de Link de Ativação
### Script for resend the activation link
### ======================================================
### Developer: Fernando Santos, fernando@zend.com.br
### Copyright: www.xoops.net.br © 2003-2004
### ------------------------------------------------------
### www.xoops.net.br
### ======================================================
### v.1.0, Sun Dec 19 15:33:59 BRST 2004
### ======================================================

$xoopsOption['pagetype'] = "user";
include 
"mainfile.php";
include 
'header.php';
// Doesn't matter GET or POST
$email = isset($HTTP_GET_VARS['email']) ? trim($HTTP_GET_VARS['email']) : '';
$email = isset($HTTP_POST_VARS['email']) ? trim($HTTP_POST_VARS['email']) : $email;
// If $email is empty, show form for link resend
if ($email == '') {
echo <<< TOPET05

  Resend activation link registration
  
Fill in the e-mail you used to register in our site, so you can receive agaian the activation link for your account.

  $_SERVER[PHP_SELF]" method="post">
    Your E-mail:   
  

TOPET05;
// If $email is not empty, let's verify some things before sending the link
}else{
$myts =& MyTextSanitizer::getInstance();
$member_handler =& xoops_gethandler('member');
// The line below returns an array with all the users registered with the given e-mail, in our case it'll be only the $getuser[0]
$getuser =& $member_handler->getUsers(new Criteria('email'$myts->addSlashes($email)));
// If the e-mail doesn't exist in the database, $getuser returns empty...
if (empty($getuser)) {
echo 
"

E-mail doesn't appear to be registered in our databases!

"
;
include(
"footer.php");
    exit();
}
//Verifying if the user is already active...
if($getuser[0]->isActive()){
echo 
"

The user ".$getuser[0]->getVar('uname').", registered with e-mail ".$getuser[0]->getVar('email')." is already active!

"
;
include(
"footer.php");
    exit();    
}
//Sending it
$xoopsMailer =& getMailer();
$xoopsMailer->useMail();
$xoopsMailer->setTemplate('register.tpl');
$xoopsMailer->assign('SITENAME'$xoopsConfig['sitename']);
$xoopsMailer->assign('ADMINMAIL'$xoopsConfig['adminmail']);
$xoopsMailer->assign('SITEURL'XOOPS_URL."/");
$xoopsMailer->setToUsers($getuser[0]);
$xoopsMailer->setFromEmail($xoopsConfig['adminmail']);
$xoopsMailer->setFromName($xoopsConfig['sitename']);
$xoopsMailer->setSubject(sprintf("- Resend - "._US_USERKEYFOR,$getuser[0]->getVar("uname")));
    if ( !
$xoopsMailer->send() ) {
    echo 
"

It could not be possible to resend the activation link for ".$getuser[0]->getVar('uname').". Contact the site administrators.

"
;
    include(
"footer.php");
    exit();
    } else {
    echo 
"

The activation link for ".$getuser[0]->getVar('uname')." was resent. If you don't receive the e-mail in a few hours, try again or contact the site administrators.

"
;
    }
}
include(
"footer.php");
?>


Put this file in your XOOPS main directory. Then, put a link for it into the login block, and voilá. No need to alter anything else.
If any user claims that it hasn't received the activation link, ask him to go to yoursite.com/ativacao.php and fill in the form.
If you wanna send through GET, like
yoursite.com/ativacao.php?email=me@myemail.com
it'll work without problems.
Hope it helps... If someone wanna make the code look better, I'll appreciate it!!

Tested and approved.

Thanks to Izzy for the first tests

Big hug

Hope it helps...

Salomão - XT

8
Herko
Re: Ativacao.php - Analysing code for team security
  • 2005/1/4 18:27

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Very nice if a developer wants to check this out for sucuity vulnerabilities and code efficiency, please do. In the meantime Giba, would you be so kind and post this to the XOOPS Core patch tracker, so we can process this in the normal development process? Thanks for the great feature!

Herko

9
Mithrandir
Re: Ativacao.php - Analysing code for team security

Looks good. Only change, I'd suggest is this one:
// If the e-mail doesn't exist in the database, $getuser returns array()...
if ($getuser == array() ) {
    echo 
"

E-mail doesn't appear to be registered in our databases!

"
;
    include(
"footer.php");
    exit();
}

I'll be adding this in XOOPS 2.1 with language constants etc. (but do add it to the patches tracker as it is easy to keep track of it there)

Thanks

10
giba
Re: Ativacao.php - Analysing code for team security
  • 2005/1/5 9:31

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Ok Thanks

Quote:

Mithrandir wrote:
Looks good. Only change, I'd suggest is this one:
// If the e-mail doesn't exist in the database, $getuser returns array()...
if ($getuser == array() ) {
    echo 
"

E-mail doesn't appear to be registered in our databases!

"
;
    include(
"footer.php");
    exit();
}

I'll be adding this in XOOPS 2.1 with language constants etc. (but do add it to the patches tracker as it is easy to keep track of it there)

Thanks


Who aditional in patches tracker ?

Login

Who's Online

318 user(s) are online (257 user(s) are browsing Support Forums)


Members: 0


Guests: 318


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits