<?php

$hidden_hash_var='your_password_here';

$LOGGED_IN=false;
//clear it out in case someone sets it in the URL or something
unset($LOGGED_IN);

/*

create table user (
user_id int not null auto_increment primary key,
user_name text,
real_name text,
email text,
password text,
remote_addr text,
confirm_hash text,
is_confirmed int not null default 0
);

*/

function user_isloggedin() {
global $user_name,$id_hash,$hidden_hash_var,$LOGGED_IN;
//have we already run the hash checks?
//If so, return the pre-set var
if (isset($LOGGED_IN)) {
return $LOGGED_IN;
}
if ($user_name && $id_hash) {
$hash=md5($user_name.$hidden_hash_var);
if ($hash == $id_hash) {
$LOGGED_IN=true;
return true;
} else {
$LOGGED_IN=false;
return false;
}
} else {
$LOGGED_IN=false;
return false;
}
}

function user_login($user_name,$password) {
global $feedback;
if (!$user_name || !$password) {
$feedback .= ' ERROR - Missing user name or password ';
return false;
} else {
$user_name=strtolower($user_name);
$password=strtolower($password);
$sql="SELECT * FROM user WHERE user_name='$user_name' AND password='". md5($password) ."'";
$result=db_query($sql);
if (!$result || db_numrows($result) < 1){
$feedback .= ' ERROR - User not found or password incorrect ';
return false;
} else {
if (db_result($result,0,'is_confirmed') == '1') {
user_set_tokens($user_name);
$feedback .= ' SUCCESS - You Are Now Logged In ';
return true;
} else {
$feedback .= ' ERROR - You haven\'t Confirmed Your Account Yet ';
return false;
}
}
}
}

function user_logout() {
setcookie('user_name','',(time()+2592000),'/','',0);
setcookie('id_hash','',(time()+2592000),'/','',0);
}

function user_set_tokens($user_name_in) {
global $hidden_hash_var,$user_name,$id_hash;
if (!$user_name_in) {
$feedback .= ' ERROR - User Name Missing When Setting Tokens ';
return false;
}
$user_name=strtolower($user_name_in);
$id_hash= md5($user_name.$hidden_hash_var);

setcookie('user_name',$user_name,(time()+2592000),'/','',0);
setcookie('id_hash',$id_hash,(time()+2592000),'/','',0);
}

function user_confirm($hash,$email) {
/*
Call this function on the user confirmation page,
which they arrive at when the click the link in the
account confirmation email
*/

global $feedback,$hidden_hash_var;

//verify that they didn't tamper with the email address
$new_hash=md5($email.$hidden_hash_var);
if ($new_hash && ($new_hash==$hash)) {
//find this record in the db
$sql="SELECT * FROM user WHERE confirm_hash='$hash'";
$result=db_query($sql);
if (!$result || db_numrows($result) < 1) {
$feedback .= ' ERROR - Hash Not Found ';
return false;
} else {
//confirm the email and set account to active
$feedback .= ' User Account Updated - You Are Now Logged In ';
user_set_tokens(db_result($result,0,'user_name'));
$sql="UPDATE user SET email='$email',is_confirmed='1' WHERE confirm_hash='$hash'";
$result=db_query($sql);
return true;
}
} else {
$feedback .= ' HASH INVALID - UPDATE FAILED ';
return false;
}
}

function user_change_password ($new_password1,$new_password2,$change_user_name,$old_password) {
global $feedback;
//new passwords present and match?
if ($new_password1 && ($new_password1==$new_password2)) {
//is this password long enough?
if (account_pwvalid($new_password1)) {
//all vars are present?
if ($change_user_name && $old_password) {
//lower case eve