@unlink($_CONF['backup_path'] . 'test.txt'); } else { $display .= '<li>' . sprintf($LANG_SECTEST['failed_tmp'], 'backups') . '</li>'; } } if (makeTempfile($_CONF['path_data'] . 'test.txt')) { $display .= doTest($url, 'data/test.txt', 'data directory'); @unlink($_CONF['path_data'] . 'test.txt'); } else { $display .= '<li>' . sprintf($LANG_SECTEST['failed_tmp'], 'data') . '</li>'; } $display .= checkDefaultPassword(); $display .= '</ol>'; } else { $resultInstallDirCheck = checkInstallDir(); $resultPasswordCheck = checkDefaultPassword(); if ($failed_tests == 0) { $display .= '<p>' . $LANG_SECTEST['okay'] . '</p>'; } else { $display .= '<ol>'; $display .= $resultInstallDirCheck . LB . $resultPasswordCheck; $display .= '</ol>'; } } if ($failed_tests > 0) { $display .= '<p class="warningsmall"><strong>' . $LANG_SECTEST['please_fix'] . '</strong></p>'; DB_save($_TABLES['vars'], 'name,value', "'security_check','0'"); } else { $display .= '<p>' . $LANG_SECTEST['please_note'] . '</p>'; DB_save($_TABLES['vars'], 'name,value', "'security_check','1'"); }
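// Handle a login form submission.
//
// Flow:
//   1. The request must carry a CSRF token (form_token) that validateTokenField() accepts.
//   2. The credentials are looked up via retrieve_UserByAuth(); a match populates
//      $_SESSION and redirects the browser to index.php.
//   3. A present-but-invalid token records $error['csrf']; a non-matching login records
//      $error['invalid_username']. A request without form_token does nothing here.
//
// Relies on names defined elsewhere in the project: validateTokenField(), getHashValue(),
// sanitize(), retrieve_UserByAuth(), checkDefaultPassword(), ROOT_DIR and $accessLevel.
$tokenPresent = isset($_POST['form_token']);
// Validate the token exactly once; the previous version re-ran validateTokenField()
// in the failure branch.
$tokenValid = $tokenPresent && validateTokenField($_POST);

if ($tokenValid) {
    // Sanitize all of this data before it reaches the database !! IMPORTANT
    // `?? ''` avoids an undefined-index warning when a field is missing from the POST body.
    $db_pass = getHashValue($_POST['password'] ?? '');
    $db_username = sanitize($_POST['username'] ?? '');

    include_once ROOT_DIR . '/database/dbUserProfile.php';

    // Retrieve the user record using the username and the password hash.
    // NOTE(review): looking the user up by (username, hash) only works with a deterministic
    // per-password hash; confirm getHashValue() is not a plain unsalted digest. A
    // password_hash()/password_verify() scheme needs fetch-by-username, then verify.
    $currentUser = retrieve_UserByAuth($db_username, $db_pass);

    if ($currentUser) {
        // The privilege level changes here, so issue a fresh session ID: a session ID
        // established before authentication must not remain valid afterwards.
        // Guarded so that no warning is raised if no session is active at this point.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }

        // Credentials matched: log the user in and assign the session variables.
        $_SESSION['logged_in'] = true;
        // NOTE(review): an UserCategory missing from $accessLevel yields null here —
        // confirm $accessLevel covers every category the database can return.
        $_SESSION['access_level'] = $accessLevel[$currentUser['UserCategory']];
        $_SESSION['_username'] = $db_username;
        $_SESSION['_id'] = $currentUser['UserProfileID'];

        checkDefaultPassword(); // check whether the user is still using the default password

        // Client-side redirect; presumably used instead of a Location header because output
        // may already have started — confirm before changing.
        echo "<script type=\"text/javascript\">window.location = \"index.php\";</script>";
        exit;
    }

    // No user record was returned, so the credentials were wrong.
    $error['invalid_username'] = "******";
} elseif ($tokenPresent) {
    // Data was posted but the token did not validate: record a CSRF failure.
    $error['csrf'] = 'The request could not be completed: security check failed!';
}

/*How should errors be displayed: * if(!empty($error))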