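/**
 * Log the user in.
 *
 * Looks the account up by user name, checks the supplied password against
 * the stored hash with comparePasswords(), binds the current session to the
 * user in the session_info table and records the uid in the session.
 *
 * @param string $uname      the name of the user logging in
 * @param string $pass       the password of the user logging in
 * @param bool   $rememberme whether or not to remember this login (default false)
 * @return bool true if the user successfully logged in (or the session was
 *              already logged in -- see note below), false otherwise
 */
function pnUserLogIn($uname, $pass, $rememberme = false)
{
    $uname = isset($uname) ? $uname : '';

    // Reject malformed user names before they reach the query; a missing
    // password is a failure, never an anonymous login.
    if (!pnVarValidate($uname, 'uname') || !isset($pass)) {
        return false;
    }

    // NOTE(review): an already logged-in session returns true without the
    // supplied credentials being checked at all. Callers must not treat a
    // true return as proof that $uname/$pass are valid.
    if (pnUserLoggedIn()) {
        return true;
    }

    $dbconn =& pnDBGetConn(true);
    $pntable =& pnDBGetTables();

    // Look the account up by name. This is string-built SQL; the escaping
    // done by pnVarPrepForStore() is the only barrier for $uname here.
    $userscolumn =& $pntable['users_column'];
    $userstable = $pntable['users'];
    $query = "SELECT {$userscolumn['uid']},\n"
           . " {$userscolumn['pass']}\n"
           . " FROM {$userstable}\n"
           . " WHERE {$userscolumn['uname']} = '" . pnVarPrepForStore($uname) . "'";
    $result =& $dbconn->Execute($query);
    if ($result->EOF) {
        return false;
    }
    list($uid, $realpass) = $result->fields;
    $result->Close();

    // A session is needed to record the login; create one if none exists yet.
    if (!session_id()) {
        if (!pnSessionSetup()) {
            die('Session setup failed');
        }
        if (!pnSessionInit()) {
            die('Session initialisation failed');
        }
    }

    // The first two characters of the stored hash are handed over as the
    // salt (crypt-style); comparePasswords() decides the actual scheme.
    if (!comparePasswords($pass, $realpass, $uname, substr($realpass, 0, 2))) {
        return false;
    }

    // Bind the current session to the user. uid is an integer column, so it
    // is cast (as it already is for the session variable below) instead of
    // being interpolated unquoted through the string escaper.
    //
    // NOTE(review): the session id is not rotated on login. pnInit() starts a
    // session whenever the request carries POSTNUKESID, so a pre-set id
    // would become an authenticated one (session fixation). Confirm how
    // pnSessionInit() keys the session_info row before adding
    // session_regenerate_id() here, otherwise this UPDATE targets a stale row.
    $sessioninfocolumn =& $pntable['session_info_column'];
    $sessioninfotable = $pntable['session_info'];
    $query = "UPDATE {$sessioninfotable}\n"
           . " SET {$sessioninfocolumn['uid']} = " . (int) $uid . "\n"
           . " WHERE {$sessioninfocolumn['sessid']} = '" . pnVarPrepForStore(session_id()) . "'";
    $dbconn->Execute($query);

    pnSessionSetVar('uid', (int) $uid);
    if (!empty($rememberme)) {
        pnSessionSetVar('rememberme', 1);
    }

    // Permissions calculated before the login are no longer valid.
    $GLOBALS['authinfogathered'] = 0;

    return true;
}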
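/**
 * Initialise PostNuke.
 *
 * Carries out a number of initialisation tasks to get PostNuke up and
 * running: error reporting, ADODB, config.php and pntables, the database
 * connection, the optional debugger and output compression, the session,
 * the language files, the anti-cracker input filter, banners and the
 * remaining legacy includes.
 *
 * @return bool always true (every failure path calls die())
 */
function pnInit()
{
    // Proper error reporting: E_ALL for development, without warnings and
    // notices for release.
    // error_reporting(E_ALL);
    error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED);

    // Hack for some weird PHP systems that should have the LC_* constants
    // defined, but don't.
    if (!defined('LC_TIME')) {
        define('LC_TIME', 'LC_TIME');
    }

    // ADODB configuration
    define('ADODB_DIR', 'pnadodb');
    require 'pnadodb/adodb.inc.php';

    // Temporary fix for hacking the hlpfile global
    // TODO - remove with pre-0.71 code
    global $hlpfile;
    $hlpfile = '';

    // Initialise and load configuration
    global $pnconfig, $pndebug;
    $pnconfig = array();
    include 'config.php';

    // Set up multisites. The @ silences the redefinition notice under E_ALL
    // when a multisite has already defined the constant.
    @define('WHERE_IS_PERSO', '');

    // Initialise and load pntables; a multisite may ship its own copy.
    global $pntable;
    $pntable = array();
    if (file_exists(WHERE_IS_PERSO . 'pntables.php')) {
        include WHERE_IS_PERSO . 'pntables.php';
    } else {
        require 'pntables.php';
    }

    // Decode encoded DB parameters. base64 is obfuscation, not protection:
    // config.php still has to be unreadable to other users on the host.
    if ($pnconfig['encoded']) {
        $pnconfig['dbuname'] = base64_decode($pnconfig['dbuname']);
        $pnconfig['dbpass'] = base64_decode($pnconfig['dbpass']);
        $pnconfig['encoded'] = 0;
    }

    // Connect to database
    if (!pnDBInit()) {
        die('Database initialisation failed');
    }

    // Debugger if required
    if ($pndebug['debug']) {
        include_once 'includes/lensdebug.inc.php';
        global $dbg, $debug_sqlcalls;
        $dbg = new LensDebug();
        $debug_sqlcalls = 0;
    }

    // Build up old config array
    pnConfigInit();

    // Set compression on if desired
    //
    if (pnConfigGetVar('UseCompression') == 1) {
        ob_start("ob_gzhandler");
    }

    // Other includes
    include 'includes/pnSession.php';
    include 'includes/pnUser.php';

    // Start session
    if (!pnSessionSetup()) {
        die('Session setup failed');
    }
    if (!pnSessionInit()) {
        die('Session initialisation failed');
    }

    include 'includes/security.php';

    // See if a language update is required. A requested language is stored
    // in the session as before; whether it is actually used is decided below.
    $newlang = pnVarCleanFromInput('newlang');
    if (!empty($newlang)) {
        $lang = $newlang;
        pnSessionSetVar('lang', $newlang);
    } else {
        $lang = pnSessionGetVar('lang');
    }

    // Load global language defines. $lang originates from the request (or
    // from a session value that did), and it ends up in an include path, so
    // it must be a plain directory name: letters, digits, '_' and '-' only.
    // Anything else ('.', '/', a non-string) falls back to the configured
    // site language, in addition to the pnVarPrepForOS() cleaning.
    if (isset($lang)
        && preg_match('/^[A-Za-z0-9_-]+$/', $lang)
        && file_exists('language/' . pnVarPrepForOS($lang) . '/global.php')) {
        $currentlang = $lang;
    } else {
        $currentlang = pnConfigGetVar('language');
        pnSessionSetVar('lang', $currentlang);
    }
    include 'language/' . pnVarPrepForOS($currentlang) . '/global.php';
    include 'modules/NS-Languages/api.php';

    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    $pnAntiCrackerMode = pnConfigGetVar('pnAntiCracker');
    if ($pnAntiCrackerMode == 1) {
        pnSecureInput();
    }

    // Banner system
    include 'includes/pnBanners.php';

    // Other other includes
    include 'includes/advblocks.php';
    include 'includes/counter.php';
    include 'includes/pnHTML.php';
    include 'includes/pnMod.php';
    include 'includes/queryutil.php';
    include 'includes/xhtml.php';
    include 'includes/oldfuncs.php';

    // Handle referer
    if (pnConfigGetVar('httpref') == 1) {
        include 'referer.php';
        httpreferer();
    }

    return true;
}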
/**
 * Generate an authorisation key.
 *
 * The key ties an action to the current session: every place an action can
 * be triggered (a form, a 'delete' button) calls this function and hands the
 * result to the client as a GET or POST variable, and the action handler
 * then calls pnSecConfirmAuthKey() to check that the operation was really
 * requested by the user and that the key is valid. The key is md5() over the
 * session's 'rand' value followed by the lower-cased canonical module name.
 *
 * @public
 * @param string $modname the module this authorisation key is for
 *                        (optional; defaults to the 'module' request variable)
 * @return string the authorisation key (an md5 hex digest)
 */
function pnSecGenAuthKey($modname = '')
{
    // Authorisation keys live in the session, so make sure one exists.
    if (!session_id()) {
        if (!pnSessionSetup()) {
            die('Session setup failed');
        }
        if (!pnSessionInit()) {
            die('Session initialisation failed');
        }
    }

    if (empty($modname)) {
        $modname = pnVarCleanFromInput('module');
    }

    // Resolve the module record so the key is bound to the canonical name
    // rather than whatever spelling the caller or request used.
    $modid = pnModGetIDFromName($modname);
    $modinfo = pnModGetInfo($modid);
    $canonicalName = strtolower($modinfo['name']);

    // NOTE(review): the session 'rand' value is the only secret in the key;
    // if it were ever unset the key would be md5() of a predictable string.
    // Confirm pnSessionInit() always seeds it.
    // A date component was once considered for extra freshness:
    // $key = pnSessionGetVar('rand') . $modname . date ('YmdGi');
    $secret = pnSessionGetVar('rand');

    return md5($secret . $canonicalName);
}
/**
 * Initialise PostNuke.
 *
 * Carries out a number of initialisation tasks to get PostNuke up and
 * running, in this order: undo register_globals, set error reporting, load
 * config.php, ADODB and the database connection, load pntables and the user
 * and module systems, optionally enable output compression, refuse requests
 * that try to inject '_SESSION', start the session when anonymous sessions
 * are enabled or a POSTNUKESID was sent, load security, blocks, language,
 * render, theme and HTML helpers and the optional legacy layer, honour the
 * site-closed flag, enable the anti-cracker input filter and safehtml,
 * banners, the Stats counter and referer handling, and finally load the
 * theme. Fatal problems call die().
 *
 * @return bool always true (the docblock used to say void)
 */
function pnInit()
{
    // Force register_globals = off: unless the installer is running, and PHP
    // has imported request variables into the global scope, drop every
    // global except PHP's own superglobals and argv/argc. This runs before
    // config.php is included. 's_variable_name' and 'm_variable_value' are
    // the loop's own names; they are kept during the loop and dropped after it.
    if (!defined('_PNINSTALLVER') && ini_get('register_globals')) {
        foreach ($GLOBALS as $s_variable_name => $m_variable_value) {
            if (!in_array($s_variable_name, array('GLOBALS', 'argv', 'argc', '_FILES', '_COOKIE', '_POST', '_GET', '_SERVER', '_ENV', '_SESSION', '_REQUEST', 's_variable_name', 'm_variable_value'))) {
                unset($GLOBALS[$s_variable_name]);
            }
        }
        unset($GLOBALS['s_variable_name']);
        unset($GLOBALS['m_variable_value']);
    }

    // Proper error reporting: E_ALL for development, without warnings and
    // notices for release.
    // error_reporting(E_ALL);
    error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING);

    // Hack for some weird PHP systems that should have the LC_* constants
    // defined, but don't.
    if (!defined('LC_TIME')) {
        define('LC_TIME', 'LC_TIME');
    }

    // Initialise and load configuration. Fresh arrays are used so that
    // config.php starts from a clean slate, then they are published globally.
    $pnconfig = array();
    $pndebug = array();
    include 'config.php';
    $GLOBALS['pnconfig'] = $pnconfig;
    $GLOBALS['pndebug'] = $pndebug;

    // Initialize the (ugly) additional header array
    $GLOBALS['additional_header'] = array();

    // Load ADODB and connect to the database
    pnADODBInit();
    if (!pnDBInit()) {
        die('Database initialisation failed');
    }

    // Set up multisites. The @ silences the redefinition notice under E_ALL
    // when the constant was already defined.
    @define('WHERE_IS_PERSO', '');

    // Initialise and load pntables
    pnDBSetTables();

    // User and modules system includes
    include 'includes/pnUser.php';
    include 'includes/pnMod.php';

    // Set compression on if desired
    if (pnConfigGetVar('UseCompression') == 1) {
        ob_start("ob_gzhandler");
    }

    // Refuse any request carrying a '_SESSION' parameter before the session
    // code is even loaded (see the die() message for the intent).
    if (isset($_REQUEST['_SESSION'])) {
        die('Attempted pollution of SESSION space via GPC request');
    }

    // Other includes
    include 'includes/pnSession.php';

    // Start a session when the site wants anonymous sessions, or when the
    // client already presented a session id. NOTE(review): POSTNUKESID is
    // client-supplied; if pnSessionSetup()/pnSessionInit() adopt that value
    // as the session id, the id has to be regenerated on login or a pre-set
    // id becomes an authenticated one (session fixation) -- confirm in the
    // session code.
    if (pnConfigGetVar('anonymoussessions') || !empty($_REQUEST['POSTNUKESID'])) {
        if (!pnSessionSetup()) {
            die('Session setup failed');
        }
        if (!pnSessionInit()) {
            die('Session initialisation failed');
        }
    }

    // Load security functions, then blocks
    include 'includes/pnSecurity.php';
    include 'includes/pnBlocks.php';

    // Load our language files
    include 'includes/pnLang.php';
    pnLangLoad();

    // Inclusion of pnrender class -- jn
    include 'includes/pnRender.class.php';
    include 'includes/pnTheme.php';
    include 'includes/pnHTML.php';

    // Legacy includes, only when the admin has turned the legacy layer on
    if (pnConfigGetVar('loadlegacy') == '1') {
        include 'includes/legacy/legacy.php';
        include 'includes/legacy/queryutil.php';
        include 'includes/legacy/xhtml.php';
        include 'includes/legacy/oldfuncs.php';
    }

    // Check for site closed: everyone without ACCESS_ADMIN on
    // Settings::SiteOff:: gets the static page and nothing else is loaded.
    if (pnConfigGetVar('siteoff') && !pnSecAuthAction(0, 'Settings::', 'SiteOff::', ACCESS_ADMIN)) {
        include 'includes/templates/siteoff.htm';
        die;
    }

    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    if (pnConfigGetVar('pnAntiCracker') == '1') {
        include 'includes/pnAntiCracker.php';
        pnSecureInput();
    }

    // Load safehtml class for xss filtering. The XML_HTMLSAX3 define is also
    // needed inside the class, so the path cannot be used directly in the
    // include.
    if (pnConfigGetVar('safehtml') == '1') {
        define('XML_HTMLSAX3', 'includes/classes/safehtml/');
        include XML_HTMLSAX3 . 'safehtml.php';
    }

    // Banner system
    // TODO - move to banners module
    if (pnModAvailable('Banners')) {
        include 'includes/pnBanners.php';
    }

    // Call Stats module counter code if installed; admins are not counted.
    if (pnModAvailable('Stats') && !pnSecAuthAction(0, '.*', '.*', ACCESS_ADMIN)) {
        include 'includes/legacy/counter.php';
    }

    // Handle referer
    if (pnModAvailable('Referers') && pnConfigGetVar('httpref') == 1) {
        include 'includes/legacy/referer.php';
        httpreferer();
    }

    // Load the theme
    pnThemeLoad(pnUserGetTheme());

    return true;
}