 /**
  * Denylist guard for a request value: logs and halts the request as soon as a
  * character commonly seen in script or SQL payloads is found.
  *
  * NOTE(review): this is a placeholder rather than a sanitizer (see the FIXME):
  * it inspects the value only in the form it was received (no decoding or
  * normalization is visible here), writes the untrusted value verbatim into the
  * security log, and terminates with exit instead of returning a result the
  * caller could act on.
  *
  * @param mixed $value request value to inspect; csa() is a project helper,
  *                     presumably a substring test — confirm
  */
 static function checkForScript($value)
 {
     // [FIXME] replace this function with a sanitization method applied on request data
     // we can use the htmlpurifier project if we need to display html or htmlspecialchars to display text
     // for now we limit to log the attempt and stop the script
     //
     // Character groups are tested in order, one character at a time; the first
     // hit logs its group's label and stops the script, so a value that matches
     // both groups is always reported under the first one.
     $denylist = [
         ["XSS attempt", ["<", ">", "(", ")"]],
         ["SQL injection attempt", ["'"]],
     ];
     foreach ($denylist as $group) {
         $label = $group[0];
         $characters = $group[1];
         foreach ($characters as $character) {
             if (csa($value, $character)) {
                 log_security("{$label}: {$value}");
                 exit;
             }
         }
     }
 }
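 /**
  * Login Customer
  *
  * Checks the submitted password against the user already resolved into
  * $this->post['user'], refuses accounts whose type is not "Client", and on
  * success stores the UserDBO in the session and moves on to the cart page.
  * Failures are reported through setError() and the security log.
  *
  * NOTE(review): the comparison is made directly against the value returned
  * by getPassword(); whether that is a hash or a plaintext password cannot be
  * told from here. If it is plaintext, the real fix is password_hash() /
  * password_verify(), not a better comparison.
  */
 function login()
 {
     // hash_equals() replaces the loose `==`: under `==`, numeric-looking strings
     // compare by value (e.g. "1e1" == "10"), so a wrong password could be
     // accepted. It also compares in constant time. Both sides are cast because
     // the request value may be missing or not a string.
     $stored = (string) $this->post['user']->getPassword();
     $supplied = (string) $this->post['password'];
     if (!hash_equals($stored, $supplied)) {
         // Login failure
         log_security("CustomerLoginPage::login()", "Password Incorrect.");
         $this->setError(array("type" => "[LOGIN_FAILED]"));
         return;
     }
     // Only customers are allowed to login to the order form
     // NOTE(review): because this runs after the password check, the distinct
     // error code confirms to a non-customer that the password was correct.
     if ($this->post['user']->getType() !== "Client") {
         $this->setError(array("type" => "[ONLY_CUSTOMERS_CAN_LOGIN]"));
         return;
     }
     // Login success: issue a fresh session id at the privilege change so an id
     // fixed before authentication does not carry over into the logged-in session.
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(true);
     }
     $_SESSION['client']['userdbo'] = $this->post['user'];
     // NOTE(review): the logged user identifier is redacted ("******") in this listing; line kept verbatim.
     log_notice("CustomerLoginPage::login()", "User: "******" logged in.");
     $this->gotoPage("cart");
 }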
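 /**
  * Login
  *
  * Validate the login.  Store the UserDBO in the session if OK, or display an error
  * if the login failed.
  *
  * Loads the user named by $this->post['username'], checks the password and
  * admits only "Administrator" and "Account Manager" accounts. On success the
  * optional theme from the request is applied, the UserDBO is stored in the
  * session and the page moves to "home". Every other outcome — unknown
  * username, wrong password, wrong account type — is logged and reported
  * uniformly as [LOGIN_FAILED], so the response does not reveal which check failed.
  *
  * @throws SWUserException "[LOGIN_FAILED]" when the login is rejected
  */
 function login()
 {
     try {
         $user_dbo = load_UserDBO($this->post['username']);
         // hash_equals() replaces the loose `==`: under `==`, numeric-looking
         // strings compare by value (e.g. "1e1" == "10"), so a wrong password
         // could be accepted. It also compares in constant time. Both sides are
         // cast because the request value may be missing or not a string.
         // NOTE(review): whether getPassword() returns a hash or plaintext is not
         // visible here; if plaintext, password_hash()/password_verify() is the fix.
         $password_ok = hash_equals((string) $user_dbo->getPassword(), (string) $this->post['password']);
         // The role check stays after the password check so getType() is only
         // consulted for a correct password, as in the original `&&` chain.
         if ($password_ok && in_array($user_dbo->getType(), array("Administrator", "Account Manager"), true)) {
             // Login success
             if (isset($this->post['theme'])) {
                 // NOTE(review): the theme comes straight from the request; whether
                 // setTheme() validates it against the installed themes is not visible here.
                 $user_dbo->setTheme($this->post['theme']);
             }
             // Issue a fresh session id at the privilege change so an id fixed
             // before authentication does not carry over into the logged-in session.
             if (session_status() === PHP_SESSION_ACTIVE) {
                 session_regenerate_id(true);
             }
             $_SESSION['client']['userdbo'] = $user_dbo;
             // NOTE(review): the logged user identifier is redacted ("******") in this listing; line kept verbatim.
             log_notice("Login", "User: "******" logged in");
             $_SESSION['jsFunction'] = "reloadMenu()";
             $this->gotoPage("home");
             // If gotoPage() returns to the caller instead of ending the request, a
             // successful login must not fall through to the failure path below.
             return;
         }
     } catch (DBNoRowsFoundException $e) {
         // Unknown username: deliberately handled exactly like a wrong password below.
     }
     // Login failure
     // NOTE(review): the username is written to the log as received from the
     // request; the log sink is expected to cope with attacker-chosen bytes.
     log_security("Login", "Login failed for " . $this->post['username']);
     throw new SWUserException("[LOGIN_FAILED]");
 }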