Beispiel #1
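session_start();
include dirname(__FILE__) . "/login.inc.php";
$gString = getgString();

// Stops the request (inside the helper) when public signup is disabled.
lib_login_protect_signup();

// "random" mode: the account gets a generated password that is mailed to the
// user, so both password fields are filled in here instead of by the form.
// NOTE(review): $cache, $username, $password, $passwordagain, $email,
// $question and $answer are not assigned anywhere in this script; presumably
// login.inc.php sets them or they arrive via register_globals. If they come
// straight from the request they should be read explicitly from $_POST and
// validated, not relied on as bare globals.
// Strict comparison so that loose equality (e.g. true == "random") cannot
// switch the script into random-password mode.
if ($cache === "random") {
    $password = lib_login_create_random_passwd();
    $passwordagain = $password;
}

// Create the account. The helper returns "success" or an error text; it is
// URL-encoded so it can be appended to the redirect target as a query value.
$error = lib_login_create_account($username, $password, $passwordagain, $email, $question, $answer);
$error = urlencode($error);

// Redirect target: the referring page with its query string stripped.
// NOTE(review): the referer is client-supplied and may not be the page we
// expect; a configured URL would be a more robust redirect target.
list($goback) = explode("?", GetReferer());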
if ($cache == "random" && $error == "success") {
    // do mail stuff here... and make an attempt at error checkin? huh?
    $this_site = lib_login_get_this_site();
    $admin_email = lib_login_get_admin_email();
    // $gString[79] = "an account has been created for you at $this_site with
    //                 the following details"
    // $gString[2] = "username"
    // $gString[3] = "password"
    // $gString[80] = "your password reset question is:"
    // $gString[81] = "with the answer"
Beispiel #2
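/**
 * Validate a username/password pair against tbl_users.
 *
 * On success the username stored in the matching row is returned. On failure
 * the function never returns: it logs the attempt, records it for the bad-
 * attempt limiter when that is enabled, redirects to the referring page with
 * ?error=invalid (or ?error=punished when the user is locked out) and exits.
 *
 * A special bootstrap path exists for the configured uber user: while no row
 * exists for $UBER_USER, the configured $UBER_PASS is accepted and the account
 * is created on the fly.
 *
 * @param string $username  username as submitted
 * @param string $password  clear-text password as submitted
 * @return string username of the authenticated account
 */
function lib_login_check_valid_lp($username, $password)
{
    global $UBER_USER;
    global $UBER_PASS;
    global $ADMIN_EMAIL;
    global $LOG_MESSAGE;
    global $SUB_HEAD_TAG_OPEN;
    global $SUB_HEAD_TAG_CLOSE;
    global $HEADER_TAG_OPEN;
    global $HEADER_TAG_CLOSE;
    global $PUNISH_BAD_ATTEMPTS;
    global $BAD_ATTEMPTS_MAX;
    global $gDB;
    // Was missing: the uber-user error branch below reads $gString[64..66],
    // which without this declaration is an undefined local.
    global $gString;
    $db = $gDB;

    // Uber-user bootstrap. Both sides are compared as strings with === so
    // that PHP's loose equality (numeric-looking strings, bools) cannot make
    // a different value match the configured credentials.
    if ((string) $username === (string) $UBER_USER
        && (string) $password === (string) $UBER_PASS
        && !lib_login_account_exists($UBER_USER)
    ) {
        $created = lib_login_create_account($UBER_USER, $UBER_PASS, $UBER_PASS, $ADMIN_EMAIL, "", "");
        if ($created !== "success") {
            // $gString[64] = "a serious error has ocurred in creating the uber user account"
            // $gString[65] = "php_lib_login was unable to create the uber user account with
            //                "the data given. the following exception has been thrown:"
            // $gString[66] = "please consult your configuration and try again. this system
            //                is completely insecure"
            echo "{$HEADER_TAG_OPEN} {$gString['64']} {$HEADER_TAG_CLOSE}";
            echo "{$HEADER_TAG_OPEN} {$gString['65']}:<p> <b>{$created}</b><p>";
            echo $gString[66] . $HEADER_TAG_CLOSE;
        }
        // NOTE(review): the uber username is returned (the login is treated
        // as valid) even when the account creation above failed; kept as in
        // the original, but worth confirming that this is intended.
        return $UBER_USER;
    }

    // Normalise the credentials. Only the MD5 of the password is compared,
    // because that is what tbl_users.password holds.
    // NOTE(review): unsalted MD5 is not an acceptable password hash; moving
    // to password_hash()/password_verify() needs a storage migration and
    // cannot be done in this function alone.
    $username = trim((string) $username);
    $password = md5(trim((string) $password));

    // Redirect target on failure: the referring page minus its query string.
    // NOTE(review): the referer is client-supplied, so this may not be the
    // login page at all; a configured login URL would be more robust.
    list($login_page) = explode("?", GetReferer());

    // Lock-out handling (not applied to the uber user): a user currently on
    // punishment time is bounced straight away; otherwise, if the failed-
    // attempt ceiling has been reached, punishment time starts now.
    if ($PUNISH_BAD_ATTEMPTS == "TRUE" && $username != $UBER_USER) {
        if (lib_login_test_bad_attempt_punishment($username)) {
            header("Location: {$login_page}?error=punished");
            lib_login_no_browser_redirect("{$login_page}?error=punished");
            die;
        }
        if (lib_login_test_bad_attempts($username)) {
            lib_login_enact_bad_attempt_punishment($username);
        }
    }

    // Look up the row matching username + password hash. The values are
    // handed to the driver as bound parameters rather than spliced into the
    // statement text. (Assumes an ADOdb-style Execute($sql, $inputarr) on
    // $gDB — confirm against the driver in use.)
    $sql_valid_lp_test = "SELECT * FROM tbl_users WHERE username = ? AND password = ?";
    $result = $db->Execute($sql_valid_lp_test, array($username, $password));

    // No row (or a failed query, which must not fall through to the success
    // path) means the credentials are wrong: log, count the bad attempt when
    // the limiter is on, redirect and stop.
    if (!$result || $result->EOF) {
        if ($username == $UBER_USER) {
            lib_login_write_log($LOG_MESSAGE[2], $username);
        } else {
            lib_login_write_log($LOG_MESSAGE[1], $username);
        }
        if ($PUNISH_BAD_ATTEMPTS == "TRUE" && $username != $UBER_USER) {
            lib_login_write_bad_attempt($username);
        }
        header("Location: {$login_page}?error=invalid");
        lib_login_no_browser_redirect("{$login_page}?error=invalid");
        die;
    }

    // Successful login: reset the bad-attempt counter, log it, return the
    // username as stored in the row.
    if ($PUNISH_BAD_ATTEMPTS == "TRUE") {
        lib_login_clear_bad_attempts($username);
    }
    lib_login_write_log($LOG_MESSAGE[0], $username);
    return $result->Fields["username"];
}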