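/**
 * Attempt to log a user in.
 *
 * Selects the single active row whose id_field matches $username, runs the
 * supplied password through pacrypt() with the stored hash as second argument,
 * and accepts the login only when the two hashes are identical.
 *
 * @param string $username
 * @param string $password
 * @return boolean true on successful login (i.e. password matches etc)
 */
public function login($username, $password) {
    $username = escape_string($username);
    $table = table_by_key($this->db_table);
    $active = db_get_boolean(True);
    $query = "SELECT password FROM {$table} WHERE " . $this->id_field . "='{$username}' AND active='{$active}'";
    $result = db_query($query);
    if ($result['rows'] == 1) {
        $row = db_array($result['result']);
        $crypt_password = pacrypt($password, $row['password']);
        // Strict, constant-time comparison. The previous `==` was a loose compare:
        // two hashes that both look numeric (e.g. "0e12345...") compare equal under
        // `==`, and the early-exit string compare leaks timing about the stored hash.
        if (hash_equals((string) $row['password'], (string) $crypt_password)) {
            return true;
        }
    }
    return false;
}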
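/**
 * Activate a vacation (away) notice for the current user.
 *
 * Removes previously sent notifications, stores the notice in the vacation
 * table (update if a row for this email exists, insert otherwise) and then
 * enables the vacation alias via updateAlias(1).
 *
 * @param string $subject
 * @param string $body
 * @param string $interval_time
 * @param date $activeFrom   anything strtotime() understands; normalised to 00:00:00 of that day
 * @param date $activeUntil  anything strtotime() understands; normalised to 23:59:59 of that day
 * @return bool false when either date cannot be parsed, otherwise the result of updateAlias(1)
 */
function set_away($subject, $body, $interval_time, $activeFrom, $activeUntil) {
    $this->remove(); // clean out any notifications that might already have been sent.
    $E_username = escape_string($this->username);

    // Reject dates strtotime() cannot parse. Previously the `false` was handed to
    // date(), which silently turned it into the Unix epoch and activated the notice
    // with a bogus range.
    $from_ts = strtotime($activeFrom);
    $until_ts = strtotime($activeUntil);
    if ($from_ts === false || $until_ts === false) {
        return false;
    }
    $activeFrom = date("Y-m-d 00:00:00", $from_ts);
    $activeUntil = date("Y-m-d 23:59:59", $until_ts);

    // Domain part of the address; guard against a username without '@' so we do
    // not trip a PHP notice on the destructuring.
    $address_parts = explode('@', $this->username);
    $domain = isset($address_parts[1]) ? $address_parts[1] : '';

    // NOTE(review): $subject/$body/$this->username go to db_update()/db_insert()
    // unescaped here - presumably those helpers escape values themselves; verify.
    $vacation_data = array(
        'email' => $this->username,
        'domain' => $domain,
        'subject' => $subject,
        'body' => $body,
        'interval_time' => $interval_time,
        'active' => db_get_boolean(true),
        'activefrom' => $activeFrom,
        'activeuntil' => $activeUntil,
    );

    // is there an entry in the vacation table for the user, or do we need to insert?
    $table_vacation = table_by_key('vacation');
    $result = db_query("SELECT * FROM {$table_vacation} WHERE email = '{$E_username}'");
    if ($result['rows'] == 1) {
        $result = db_update('vacation', 'email', $this->username, $vacation_data);
    } else {
        $result = db_insert('vacation', $vacation_data);
    }
    # TODO error check on $result (return value shape of db_update/db_insert not visible here)
    # TODO wrap whole function in db_begin / db_commit (or rollback)?

    return $this->updateAlias(1);
}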
/**
 * Upgrade step: copy the legacy "ALL" domain grant into the admin.superadmin column.
 *
 * Every admin listed in domain_admins with domain='ALL' gets superadmin set to
 * true. The 'ALL' rows themselves are left in place for now so older code that
 * still looks for them keeps working; a later upgrade step is meant to drop them.
 */
function upgrade_1284() {
    $domain_admins_table = table_by_key('domain_admins');
    $result = db_query("SELECT username FROM " . $domain_admins_table . " where domain='ALL'");
    if ($result['rows'] <= 0) {
        return;
    }
    while ($row = db_array($result['result'])) {
        $admin = $row['username'];
        printdebug("Setting superadmin flag for " . $admin);
        // $admin comes from the database, not from the request; db_update() is
        // expected to handle quoting for the key value.
        db_update('admin', 'username', $admin, array('superadmin' => db_get_boolean(true)));
    }
}
if ($_SERVER['REQUEST_METHOD'] == "GET") { include "../templates/header.php"; include "../templates/users_login.php"; include "../templates/footer.php"; } if ($_SERVER['REQUEST_METHOD'] == "POST") { $fUsername = escape_string($_POST['fUsername']); $fPassword = escape_string($_POST['fPassword']); $lang = safepost('lang'); if ($lang != check_language(0)) { # only set cookie if language selection was changed setcookie('lang', $lang, time() + 60 * 60 * 24 * 30); # language cookie, lifetime 30 days # (language preference cookie is processed even if username and/or password are invalid) } $active = db_get_boolean(True); $query = "SELECT password FROM {$table_mailbox} WHERE username='******' AND active={$active}"; $result = db_query($query); if ($result['rows'] == 1) { $row = db_array($result['result']); $password = pacrypt($fPassword, $row['password']); $query = "SELECT * FROM {$table_mailbox} WHERE username='******' AND password='******' AND active={$active}"; $result = db_query($query); if ($result['rows'] != 1) { $error = 1; $tMessage = $PALANG['pLogin_password_incorrect']; $tUsername = $fUsername; } } else { $error = 1; $tMessage = $PALANG['pLogin_username_incorrect'];
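/**
 * Replaces database specific parts in a query and runs it.
 *
 * Placeholders such as {AUTOINCREMENT}, {BOOLEAN}, {BOOL_TRUE} are substituted
 * with the MySQL or PostgreSQL spelling selected by $CONF['database_type'].
 * When the request carries a non-empty ?debug= parameter, the final query and
 * any error text are also printed to the page.
 *
 * @param String sql query with placeholders
 * @param int (optional) whether errors should be ignored (0=false)
 * @param String (optional) MySQL specific code to attach, useful for COMMENT= on CREATE TABLE
 * @return String sql query
 */
function db_query_parsed($sql, $ignore_errors = 0, $attach_mysql = "") {
    global $CONF;

    if ($CONF['database_type'] == 'mysql' || $CONF['database_type'] == 'mysqli') {
        $replace = array(
            '{AUTOINCREMENT}' => 'int(11) not null auto_increment',
            '{PRIMARY}' => 'primary key',
            '{UNSIGNED}' => 'unsigned',
            '{FULLTEXT}' => 'FULLTEXT',
            '{BOOLEAN}' => 'tinyint(1) NOT NULL',
            '{UTF-8}' => '/*!40100 CHARACTER SET utf8 COLLATE utf8_unicode_ci */',
            '{LATIN1}' => '/*!40100 CHARACTER SET latin1 COLLATE latin1_swedish_ci */',
            '{IF_NOT_EXISTS}' => 'IF NOT EXISTS',
            '{RENAME_COLUMN}' => 'CHANGE COLUMN',
        );
        // only MySQL gets the trailing attachment (e.g. COMMENT= / ENGINE=)
        $sql = "{$sql} {$attach_mysql}";
    } elseif ($CONF['database_type'] == 'pgsql') {
        $replace = array(
            '{AUTOINCREMENT}' => 'SERIAL',
            '{PRIMARY}' => 'primary key',
            '{UNSIGNED}' => '',
            '{FULLTEXT}' => '',
            '{BOOLEAN}' => 'BOOLEAN NOT NULL',
            '{UTF-8}' => '',
            '{LATIN1}' => '',
            '{IF_NOT_EXISTS}' => '',
            '{RENAME_COLUMN}' => 'ALTER COLUMN',
            'int(1)' => 'int',
            'int(10)' => 'int',
            'int(11)' => 'int',
            'int(4)' => 'int',
        );
    } else {
        // Was "$conf" (lowercase) before - an undefined variable, so the offending
        // type never made it into the message.
        echo "Sorry, unsupported database type " . $CONF['database_type'];
        exit;
    }

    $replace['{BOOL_TRUE}'] = db_get_boolean(True);
    $replace['{BOOL_FALSE}'] = db_get_boolean(False);

    $query = trim(str_replace(array_keys($replace), $replace, $sql));

    // Debug output is switched on by a plain GET parameter, so anyone who can reach
    // this page can make it echo SQL. Escape what we print so the query text (and
    // any driver error message) cannot inject markup into the response.
    $debug = (safeget('debug') != "");
    if ($debug) {
        print "<p style='color:#999'>" . htmlspecialchars($query, ENT_QUOTES) . "";
    }

    $result = db_query($query, $ignore_errors);

    if ($debug) {
        print "<div style='color:#f00'>" . htmlspecialchars((string) $result['error'], ENT_QUOTES) . "</div>";
    }

    return $result;
}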
$maildir = $fDomain . "/" . $fUsername . "/"; } else { $maildir = $fDomain . "/" . escape_string(strtolower($_POST['fUsername'])) . "/"; } } else { $maildir = $fUsername . "/"; } if (!empty($fQuota)) { $quota = multiply_quota($fQuota); } else { $quota = 0; } if ($fActive == "on") { $sqlActive = db_get_boolean(True); } else { $sqlActive = db_get_boolean(False); } if ('pgsql' == $CONF['database_type']) { db_query('BEGIN'); } $result = db_query("INSERT INTO {$table_alias} (address,goto,domain,created,modified,active) VALUES ('{$fUsername}','{$fUsername}','{$fDomain}',NOW(),NOW(),'{$sqlActive}')"); if ($result['rows'] != 1) { $tDomain = $fDomain; $tMessage = $PALANG['pAlias_result_error'] . "<br />({$fUsername} -> {$fUsername})</br />"; } /* # TODO: The following code segment is from admin/create-mailbox.php. To be compared/merged with the code from /create-mailbox.php. Lines starting with /* were inserted to keep this section in commented mode. if ($result['rows'] != 1)
/**
 * List domains for an admin user.
 *
 * Returns the names of all active, non-backup-MX domains that have a
 * domain_admins row for the admin named in the query, ordered by domain.
 *
 * @param String $username
 * @return array of domain names (empty array when nothing matches)
 */
function list_domains_for_admin($username) {
    global $CONF;
    global $table_domain, $table_domain_admins;

    // NOTE(review): $username is never passed through escape_string() in this
    // function, and the query below carries a literal '******' where one would
    // expect the username to be interpolated (looks like a redaction placeholder).
    // If the username is wired back into the WHERE clause, escape it first.
    $active_sql = db_get_boolean(True);
    $backupmx_sql = db_get_boolean(False);

    $query = "SELECT {$table_domain}.domain, {$table_domain_admins}.username FROM {$table_domain} \n LEFT JOIN {$table_domain_admins} ON {$table_domain}.domain={$table_domain_admins}.domain \n WHERE {$table_domain_admins}.username='******' \n AND {$table_domain}.active={$active_sql} \n AND {$table_domain}.backupmx={$backupmx_sql} \n ORDER BY {$table_domain_admins}.domain";
    $result = db_query($query);

    $domains = array();
    if ($result['rows'] > 0) {
        while ($row = db_array($result['result'])) {
            $domains[] = $row['domain'];
        }
    }
    return $domains;
}
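/**
 * db_where_clause
 * Action: builds and returns a WHERE clause for database queries. All given conditions will be AND'ed.
 * Call: db_where_clause (array $conditions, array $struct)
 * param array $conditions: array('field' => 'value', 'field2' => 'value2, ...)
 * param array $struct - field structure, used for automatic bool conversion; fields whose
 *                       $struct entry has a non-empty 'select' are emitted in HAVING, not WHERE
 * param string $additional_raw_where - raw sniplet to include in the WHERE part - typically needs to start with AND
 * param array $searchmode - operators to use (=, <, > etc.) - defaults to = if not specified for a field (see
 *                           $allowed_operators for available operators)
 *
 * Values are run through escape_string(). Field names, operators and
 * $additional_raw_where are interpolated as-is and must come from trusted code,
 * never from the request.
 */
function db_where_clause($condition, $struct, $additional_raw_where = '', $searchmode = array()) {
    if (!is_array($condition)) {
        die('db_where_cond: parameter $cond is not an array!');
    } elseif (!is_array($searchmode)) {
        die('db_where_cond: parameter $searchmode is not an array!');
    } elseif (count($condition) == 0 && trim($additional_raw_where) == '') {
        die("db_where_cond: parameter is an empty array!"); # die() might sound harsh, but can prevent information leaks
    } elseif (!is_array($struct)) {
        die('db_where_cond: parameter $struct is not an array!');
    }

    $allowed_operators = explode(' ', '< > >= <= = != <> CONT LIKE');
    $where_parts = array();
    $having_parts = array();

    foreach ($condition as $field => $value) {
        if (isset($struct[$field]) && $struct[$field]['type'] == 'bool') {
            $value = db_get_boolean($value);
        }

        $operator = '=';
        if (isset($searchmode[$field])) {
            if (in_array($searchmode[$field], $allowed_operators)) {
                $operator = $searchmode[$field];
                if ($operator == 'CONT') { # CONT - as in "contains"
                    $operator = ' LIKE '; # add spaces
                    // NOTE: '%' and '_' inside $value keep their LIKE wildcard meaning here;
                    // escape them before calling if a literal match is required.
                    $value = '%' . $value . '%';
                } elseif ($operator == 'LIKE') { # LIKE -without adding % wildcards (the search value can contain %)
                    $operator = ' LIKE '; # add spaces
                }
            } else {
                die('db_where_clause: Invalid searchmode for ' . $field);
            }
        }

        $querypart = $field . $operator . "'" . escape_string($value) . "'";

        // Fields without a $struct entry previously triggered an undefined-index
        // notice here; treat them as plain WHERE conditions.
        if (isset($struct[$field]['select']) && $struct[$field]['select'] != '') {
            $having_parts[$field] = $querypart;
        } else {
            $where_parts[$field] = $querypart;
        }
    }

    $query = ' WHERE 1=1 ';
    $query .= " {$additional_raw_where} ";
    if (count($where_parts) > 0) {
        $query .= " AND ( " . join(" AND ", $where_parts) . " ) ";
    }
    if (count($having_parts) > 0) {
        $query .= " HAVING ( " . join(" AND ", $having_parts) . " ) ";
    }

    return $query;
}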
if ($result['rows'] != 1) { $error = 1; } } } } //Set the vacation data for $fUsername if (!empty($fChange)) { $goto = ''; $result = db_query("SELECT * FROM {$table_alias} WHERE address='{$fUsername}'"); if ($result['rows'] == 1) { $row = db_array($result['result']); $goto = $row['goto']; } $Active = db_get_boolean(True); $notActive = db_get_boolean(False); // I don't think we need to care if the vacation entry is inactive or active.. as long as we don't try and // insert a duplicate $result = db_query("SELECT * FROM {$table_vacation} WHERE email = '{$fUsername}'"); if ($result['rows'] == 1) { $result = db_query("UPDATE {$table_vacation} SET active = {$Active}, subject = '{$fSubject}', body = '{$fBody}', created = NOW() WHERE email = '{$fUsername}'"); } else { $result = db_query("INSERT INTO {$table_vacation} (email,subject,body,domain,created,active) VALUES ('{$fUsername}','{$fSubject}','{$fBody}','{$fDomain}',NOW(),{$Active})"); } if ($result['rows'] != 1) { $error = 1; } if ($goto == '') { $goto = $vacation_goto; $sql = "INSERT INTO {$table_alias} (goto, address, domain, modified) VALUES ('{$goto}', '{$fUsername}', '{$fDomain}', NOW())"; } else {
$pAdminCreate_domain_domain_text = $PALANG['pAdminCreate_domain_domain_text_error2']; } } if ($error != 1) { $tAliases = $CONF['aliases']; $tMailboxes = $CONF['mailboxes']; $tMaxquota = $CONF['maxquota']; if ($fBackupmx == "on") { $fAliases = -1; $fMailboxes = -1; $fMaxquota = -1; $fBackupmx = 1; $sqlBackupmx = db_get_boolean(true); } else { $fBackupmx = 0; $sqlBackupmx = db_get_boolean(false); } $sql_query = "INSERT INTO {$table_domain} (domain,description,aliases,mailboxes,maxquota,transport,backupmx,created,modified) VALUES ('{$fDomain}','{$fDescription}',{$fAliases},{$fMailboxes},{$fMaxquota},'{$fTransport}',{$sqlBackupmx},NOW(),NOW())"; $result = db_query($sql_query); if ($result['rows'] != 1) { $tMessage = $PALANG['pAdminCreate_domain_result_error'] . "<br />({$fDomain})<br />"; } else { if ($fDefaultaliases == "on") { foreach ($CONF['default_aliases'] as $address => $goto) { $address = $address . "@" . $fDomain; $result = db_query("INSERT INTO {$table_alias} (address,goto,domain,created,modified) VALUES ('{$address}','{$goto}','{$fDomain}',NOW(),NOW())"); } } $tMessage = $PALANG['pAdminCreate_domain_result_success'] . "<br />({$fDomain})</br />"; } }
/**
 * Convert a PHP truthy/falsy value into the database's boolean representation.
 * @param mixed $val
 * @return mixed whatever db_get_boolean() returns for true or false
 */
function _inp_bool($val) {
    if ($val) {
        return db_get_boolean(true);
    }
    return db_get_boolean(false);
}