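/**
 * Login API
 *
 * Looks the member up by e-mail, asks checkbrute() whether the account is
 * locked, verifies the submitted password against the stored salted SHA-512
 * digest and, on success, fills $_SESSION with the user's id, username and a
 * browser-bound login string.
 *
 * NOTE(review): the stored-password scheme (hex of sha512(password . salt))
 * is what the existing `members` rows contain, so it is kept for
 * compatibility. It is a single fast hash iteration, not a password KDF;
 * it should be migrated to password_hash()/password_verify() with a
 * rehash-on-successful-login step.
 *
 * @param  string $email    email of user
 * @param  string $password password of user (plaintext, as submitted)
 * @param  obj    $mysqli   mysql connection
 * @return bool             true when the credentials are accepted; false for an
 *                          unknown user, a locked account, a wrong password or
 *                          a failed prepare() (previously null fell out here)
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: $email is bound, never interpolated, so it cannot
    // change the shape of the query.
    $stmt = $mysqli->prepare("SELECT id, username, password, salt\n        FROM members\n       WHERE email = ?\n        LIMIT 1");
    if (!$stmt) {
        // Make a failed prepare an explicit "not logged in" instead of an
        // implicit null return.
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No user exists. Same return value as a wrong password so the
        // caller's response does not reveal whether the e-mail is registered.
        return false;
    }

    // Hash the submitted password with this user's unique salt, using the
    // same scheme the stored digest was produced with (see NOTE above).
    $password = hash('sha512', $password . $salt);

    // If the user exists we check if the account is locked
    // from too many login attempts
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked
        // Send an email to user saying their account is locked
        return false;
    }

    // Check if the password in the database matches the password the user
    // submitted. hash_equals() replaces `==`, which on two strings is both a
    // loose comparison (numeric-looking hex strings compare as numbers) and
    // an early-exit byte compare that leaks the match length via timing.
    if (!hash_equals((string) $db_password, $password)) {
        // Password is not correct: record this attempt for checkbrute().
        // $user_id comes from the members table, not from the request, but
        // bind it anyway so the INSERT never depends on that assumption.
        $now = time();
        $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
        if ($attempt) {
            // Bound as strings to match the quoted literals the previous
            // string-built INSERT sent.
            $attempt->bind_param('ss', $user_id, $now);
            $attempt->execute();
        }
        return false;
    }

    // Password is correct!
    // Get the user-agent string of the user; absent header -> '' rather
    // than an undefined-index notice.
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    // Rotate the session id on authentication so a session id fixed by an
    // attacker before login is not carried into the authenticated session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    // XSS protection as we might print these values: keep only the
    // characters each field is expected to contain.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    // Ties the session to this browser's UA string; the check on later
    // requests is expected to recompute this from the same inputs.
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    // Login successful.
    return true;
}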
Beispiel #2
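 /**
  * Execute an SQL statement and return its rows.
  *
  * Usage: query($sql [, $arg1, $arg2, ...]). Any extra arguments are bound
  * positionally through PDO::prepare()/PDOStatement::execute(); with no
  * extra arguments the SQL string is run directly with PDO::query().
  *
  * A pending lock clause in $this->_lock is appended once and then cleared.
  * When $this->cache is set, the result is served from / stored in the
  * 'default' Cache_Memcache instance under $this->cache['key'] — or, when
  * that key is the literal 'md5', under an md5 of the SQL plus its bound
  * arguments — with $this->cache['expire'] as TTL. $this->cache is reset
  * only after a successful cached store; it is left untouched on a cache hit
  * or a DB error (NOTE(review): presumably intentional, verify with callers).
  *
  * On a database error $this->error receives errorInfo() (reset to an empty
  * array when no driver error code is present) and an empty array is
  * returned.
  *
  * @return array  list of associative rows (PDO::FETCH_ASSOC); array() on error
  */
 function query()
 {
     $tArgs = func_get_args();
     $tSql = array_shift($tArgs);
     # Append a pending lock clause exactly once.
     if ($this->_lock) {
         $tSql .= ' ' . $this->_lock;
         $this->_lock = '';
     }
     # Cached read.
     if ($this->cache) {
         $tMem =& Cache_Memcache::instance('default');
         if ('md5' == $this->cache['key']) {
             # Key on the SQL plus a serialized copy of the arguments. The
             # previous join(',') form let ('a,b','c') and ('a','b,c') map to
             # the same key and hand back each other's cached rows;
             # serialize() preserves the argument boundaries.
             $this->cache['key'] = md5($tSql . ($tArgs ? serialize($tArgs) : ''));
         }
         if (false !== ($tData = $tMem->get($this->cache['key']))) {
             return $tData;
         }
     }
     # Query the database.
     $this->db =& self::instance($this->_config);
     if ($tArgs) {
         $tQuery = $this->db->prepare($tSql);
         # Unless the connection uses ERRMODE_EXCEPTION, prepare() returns
         # false instead of throwing, and calling execute() on false is a
         # fatal error — so only execute a real statement. A failed
         # execute() is reported from the statement (that is where PDO puts
         # the error) and is not fetched or cached.
         if ($tQuery && !$tQuery->execute($tArgs)) {
             $this->error = $tQuery->errorInfo();
             isset($this->error[1]) || ($this->error = array());
             return array();
         }
     } else {
         $tQuery = $this->db->query($tSql);
     }
     if (!$tQuery) {
         $this->error = $this->db->errorInfo();
         isset($this->error[1]) || ($this->error = array());
         return array();
     }
     # Not caching: hand the rows straight back.
     if (!$this->cache) {
         return $tQuery->fetchAll(PDO::FETCH_ASSOC);
     }
     # Store the rows, then clear the one-shot cache settings.
     $tData = $tQuery->fetchAll(PDO::FETCH_ASSOC);
     $tMem->set($this->cache['key'], $tData, 0, $this->cache['expire']);
     $this->cache = array();
     return $tData;
 }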
Beispiel #3
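 /**
  * SIG Access Return Method
  *
  * This method determines if a user has access to a specific Special Interest Group:
  * it looks up the caller's membership row for ($this->_userID, $sigID, the current
  * group's id) in sig_memberships and compares its sig_access_level with the
  * required level.
  *
  * @param  mixed $sigID                   id of the Special Interest Group (bound as a parameter)
  * @param  int   $sigRequiredAccessLevel  minimum sig_access_level that grants access
  * @return bool  true when a membership row exists with a non-NULL level >= the
  *               required level; false when the user is not a member, the level
  *               is NULL, or the level is too low
  */
 public function getSIGAccess($sigID, $sigRequiredAccessLevel)
 {
     /** Looking up this user's access permissions to the sig */
     $stmt_sig_lookup = $this->_db->prepare('SELECT sig_access_level FROM sig_memberships WHERE userid = ? AND sig_id = ? AND groupid = ? LIMIT 1');
     $stmt_sig_lookup->execute(array($this->_userID, $sigID, $this->_group->getGroupID()));
     /**
      * Fetch the (at most one) row and test that instead of rowCount():
      * PDOStatement::rowCount() is documented as driver-dependent for SELECT
      * and returns 0 on several drivers, which would deny every member.
      */
     $row = $stmt_sig_lookup->fetch(\PDO::FETCH_ASSOC);
     if ($row === false) {
         /** The user is not a member of this Special Interest Group */
         return false;
     }
     if (!isset($row['sig_access_level'])) {
         /** Membership row with a NULL level: fail closed rather than let a loose
          *  null comparison decide (null >= 0 is true in PHP). */
         return false;
     }
     /**
      * Compare as integers: the column arrives as a string from most drivers
      * and the required level may be passed as a string or null, so make the
      * comparison numeric explicitly instead of relying on loose-comparison rules.
      */
     return (int) $row['sig_access_level'] >= (int) $sigRequiredAccessLevel;
 }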
Beispiel #4
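/**
 * Insert a new record into a table of the administration schema.
 *
 * Builds "INSERT INTO {$esquemaadmin}{$tabela}(f1,f2,...) VALUES (?,?,...)"
 * with one placeholder per entry of $data, prepares and executes it with the
 * array values bound positionally, then records the statement and values via
 * i3GeoAdminInsertLog().
 *
 * The values of $data are always bound, so they cannot alter the SQL. The
 * table name and the keys of $data, however, are interpolated into the
 * statement text, so they are whitelisted as plain identifiers (letters,
 * digits, underscore; the table may carry one "schema." prefix) before any
 * SQL is built. $esquemaadmin is a global prefix and is used as-is.
 *
 * Side effect (unchanged): switches $pdo to PDO::ERRMODE_EXCEPTION.
 *
 * @param obj    $pdo    PDO connection
 * @param string $tabela name of the table receiving the insert
 * @param array  $data   column name => value pairs to insert
 * @return bool|string  true on success; otherwise a short stage tag:
 *                      "identifier " (rejected table/column name),
 *                      "prepare " or "execute " (PDOException at that stage)
 */
function i3GeoAdminInsert($pdo, $tabela, $data)
{
    global $esquemaadmin;
    $keys = array_keys($data);
    // Identifiers become SQL text, not bound parameters: reject anything
    // that is not a bare identifier before building the statement.
    $identPattern = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    $tablePattern = '/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/';
    if (!preg_match($tablePattern, (string) $tabela)) {
        return "identifier ";
    }
    foreach ($keys as $key) {
        if (!preg_match($identPattern, (string) $key)) {
            return "identifier ";
        }
    }
    $fields = implode(",", $keys);
    // One "?" per column; drop the trailing comma.
    $placeholder = rtrim(str_repeat("?,", count($keys)), ",");
    $sql = "INSERT INTO " . $esquemaadmin . "{$tabela}({$fields}) VALUES ({$placeholder})";
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $prep = $pdo->prepare($sql);
    } catch (PDOException $e) {
        return "prepare ";
    }
    try {
        $prep->execute(array_values($data));
        // update the admin log
        i3GeoAdminInsertLog($pdo, $sql, array_values($data));
        return true;
    } catch (PDOException $e) {
        return "execute ";
    }
}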