/**
 * Log the user in
 *
 * Looks the user up by name, compares the supplied password against the
 * stored one and, on success, binds the user id to the current session.
 * If a user is already logged in, the credentials are NOT checked and the
 * function simply returns true.
 *
 * Fatal session setup failures terminate the request with die().
 *
 * @param string $uname      the name of the user logging in
 * @param string $pass       the password of the user logging in
 * @param bool   $rememberme whether or not to remember this login; defaults to false
 * @return bool true if the user successfully logged in (or was already logged in), false otherwise
 */
function pnUserLogIn($uname, $pass, $rememberme = false)
{
    // Treat a missing name as the empty string so pnVarValidate() can reject it
    $uname = isset($uname) ? $uname : '';
    // Reject malformed user names and missing passwords before touching the database
    if (!pnVarValidate($uname, 'uname') || !isset($pass)) {
        return false;
    }
    if (!pnUserLoggedIn()) {
        // get the database connection
        $dbconn =& pnDBGetConn(true);
        $pntable =& pnDBGetTables();
        // Get user information
        $userscolumn =& $pntable['users_column'];
        $userstable = $pntable['users'];
        // $uname is request-supplied. It is passed through pnVarPrepForStore()
        // before being spliced into the quoted literal, but the query is still
        // string-built, so that escaping is the only thing standing between the
        // caller and SQL injection — keep it, or move to bound parameters if
        // the driver layer supports them.
        $query = "SELECT {$userscolumn['uid']},\n                         {$userscolumn['pass']}\n                  FROM {$userstable}\n                  WHERE {$userscolumn['uname']} = '" . pnVarPrepForStore($uname) . "'";
        $result =& $dbconn->Execute($query);
        // No such user: same return value as a wrong password, so the caller
        // cannot tell the two apart.
        if ($result->EOF) {
            return false;
        }
        list($uid, $realpass) = $result->fields;
        $result->Close();
        // check if we need to create a session
        if (!session_id()) {
            // Start session
            if (!pnSessionSetup()) {
                die('Session setup failed');
            }
            if (!pnSessionInit()) {
                die('Session initialisation failed');
            }
        }
        // Confirm that passwords match
        // NOTE(review): the first two characters of the stored value are passed
        // as a separate argument — presumably a salt for comparePasswords();
        // how the stored password is hashed is not visible here, confirm.
        if (!comparePasswords($pass, $realpass, $uname, substr($realpass, 0, 2))) {
            return false;
        }
        // Set user session information (new table)
        // Binds the uid to the *existing* session id. Nothing here regenerates
        // the id at this privilege change, so unless pnSessionSetup()/
        // pnSessionInit() do it, a session id established before login stays
        // valid afterwards (session-fixation risk to address in the session layer).
        $sessioninfocolumn =& $pntable['session_info_column'];
        $sessioninfotable = $pntable['session_info'];
        // $uid comes from the users table and is spliced in unquoted;
        // session_id() is escaped and quoted like $uname above.
        $query = "UPDATE {$sessioninfotable}\n                  SET {$sessioninfocolumn['uid']} = " . pnVarPrepForStore($uid) . "\n                  WHERE {$sessioninfocolumn['sessid']} = '" . pnVarPrepForStore(session_id()) . "'";
        $dbconn->Execute($query);
        // Set session variables
        pnSessionSetVar('uid', (int) $uid);
        // 'rememberme' is only ever set, never cleared, by this function
        if (!empty($rememberme)) {
            pnSessionSetVar('rememberme', 1);
        }
        // now we've logged in the permissions previously calculated are invalid
        $GLOBALS['authinfogathered'] = 0;
    }
    return true;
}
/**
 * Initialise PostNuke
 * <br>
 * Carries out a number of initialisation tasks to get PostNuke up and
 * running: sets error reporting, loads ADODB and config.php, loads the
 * table definitions, connects to the database, starts the session, selects
 * and loads the language files and pulls in the remaining includes.
 *
 * Fatal failures (database or session initialisation) terminate the request
 * with die(); there is no error return.
 *
 * @return bool always true when initialisation completes
 */
function pnInit()
{
    // proper error_repoting
    // e_all for development
    // error_reporting(E_ALL);
    // without warnings and notices for release
    // NOTE(review): ~E_WARNING also hides the warning a failed include
    // emits, so a missing include below is silent until something depends on it.
    error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED);
    // Hack for some weird PHP systems that should have the
    // LC_* constants defined, but don't
    if (!defined('LC_TIME')) {
        define('LC_TIME', 'LC_TIME');
    }
    // ADODB configuration
    define('ADODB_DIR', 'pnadodb');
    require 'pnadodb/adodb.inc.php';
    // Temporary fix for hacking the hlpfile global
    // TODO - remove with pre-0.71 code
    global $hlpfile;
    $hlpfile = '';
    // Initialise and load configuration
    // config.php is expected to fill $pnconfig (including the database
    // credentials read below) and $pndebug; both are globals for the rest
    // of the code base.
    global $pnconfig, $pndebug;
    $pnconfig = array();
    include 'config.php';
    // Set up multisites
    // added this @define for .71, ugly ?
    // i guess the E_ALL stuff.
    // The @ silences the notice when WHERE_IS_PERSO was already defined
    // (presumably by an earlier multisite bootstrap); in that case the
    // pntables include path below follows that earlier value, so it must
    // never be derived from request data.
    @define('WHERE_IS_PERSO', '');
    // Initialise and load pntables
    global $pntable;
    $pntable = array();
    // if a multisite has its own pntables.
    if (file_exists(WHERE_IS_PERSO . 'pntables.php')) {
        include WHERE_IS_PERSO . 'pntables.php';
    } else {
        require 'pntables.php';
    }
    // Decode encoded DB parameters
    // base64 is obfuscation, not encryption: after this the credentials sit
    // in $pnconfig in clear for the rest of the request.
    if ($pnconfig['encoded']) {
        $pnconfig['dbuname'] = base64_decode($pnconfig['dbuname']);
        $pnconfig['dbpass'] = base64_decode($pnconfig['dbpass']);
        $pnconfig['encoded'] = 0;
    }
    // Connect to database
    if (!pnDBInit()) {
        die('Database initialisation failed');
    }
    // debugger if required
    if ($pndebug['debug']) {
        include_once 'includes/lensdebug.inc.php';
        global $dbg, $debug_sqlcalls;
        $dbg = new LensDebug();
        $debug_sqlcalls = 0;
    }
    // Build up old config array
    pnConfigInit();
    // Set compression on if desired
    //
    if (pnConfigGetVar('UseCompression') == 1) {
        ob_start("ob_gzhandler");
    }
    // Other includes
    include 'includes/pnSession.php';
    include 'includes/pnUser.php';
    // Start session
    // Unconditional: every request gets a session here.
    if (!pnSessionSetup()) {
        die('Session setup failed');
    }
    if (!pnSessionInit()) {
        die('Session initialisation failed');
    }
    include 'includes/security.php';
    // See if a language update is required
    // 'newlang' comes straight from the request and is stored in the
    // session before it has been checked against the files on disk; the
    // fallback below overwrites it if no matching language directory exists.
    $newlang = pnVarCleanFromInput('newlang');
    if (!empty($newlang)) {
        $lang = $newlang;
        pnSessionSetVar('lang', $newlang);
    } else {
        $lang = pnSessionGetVar('lang');
    }
    // Load global language defines
    // The include path is built from the request/session-controlled $lang.
    // The file_exists() check and pnVarPrepForOS() are the only gates; whether
    // pnVarPrepForOS() strips path separators and '..' is not visible here —
    // confirm, or validate $lang against the installed language directories.
    if (isset($lang) && file_exists('language/' . pnVarPrepForOS($lang) . '/global.php')) {
        $currentlang = $lang;
    } else {
        $currentlang = pnConfigGetVar('language');
        pnSessionSetVar('lang', $currentlang);
    }
    include 'language/' . pnVarPrepForOS($currentlang) . '/global.php';
    include 'modules/NS-Languages/api.php';
    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    // Opt-in via the pnAntiCracker config setting.
    $pnAntiCrackerMode = pnConfigGetVar('pnAntiCracker');
    if ($pnAntiCrackerMode == 1) {
        pnSecureInput();
    }
    // Banner system
    include 'includes/pnBanners.php';
    // Other other includes
    include 'includes/advblocks.php';
    include 'includes/counter.php';
    include 'includes/pnHTML.php';
    include 'includes/pnMod.php';
    include 'includes/queryutil.php';
    include 'includes/xhtml.php';
    include 'includes/oldfuncs.php';
    // Handle referer
    if (pnConfigGetVar('httpref') == 1) {
        include 'referer.php';
        httpreferer();
    }
    return true;
}
/**
 * generate an authorisation key
 * <br />
 * The authorisation key is used to confirm that actions requested by a
 * particular user have followed the correct path.  Any stage that an
 * action could be made (e.g. a form or a 'delete' button) this function
 * must be called and the resultant string passed to the client as either
 * a GET or POST variable.  When the action then takes place it first calls
 * <code>pnSecConfirmAuthKey()</code> to ensure that the operation has
 * indeed been manually requested by the user and that the key is valid
 *
 * The key is md5(session 'rand' value . lowercased module name). It is
 * constant for the lifetime of the session (the date component is left
 * out on purpose) and its unpredictability rests entirely on how the
 * session's 'rand' value is generated elsewhere. pnSecConfirmAuthKey()
 * presumably recomputes the same digest, so the hash cannot be changed
 * here in isolation.
 *
 * @public
 * @param string $modname the module this authorisation key is for (optional);
 *                        when empty the 'module' request variable is used
 * @return string a hex md5 digest for use in authorisation of operations
 */
function pnSecGenAuthKey($modname = '')
{
    // Authorisation keys are tied to the session, so one has to exist
    // before the 'rand' value can be read; create it if necessary.
    if (!session_id()) {
        pnSessionSetup() || die('Session setup failed');
        pnSessionInit() || die('Session initialisation failed');
    }
    // Fall back to the module named in the request when none was given
    $targetModule = empty($modname) ? pnVarCleanFromInput('module') : $modname;
    // Resolve the canonical module name through the module registry
    $modinfo = pnModGetInfo(pnModGetIDFromName($targetModule));
    // Date would give extra security but is deliberately left out for now:
    // $material = pnSessionGetVar('rand') . $targetModule . date('YmdGi');
    $material = pnSessionGetVar('rand') . strtolower($modinfo['name']);
    // Return the digest of the key material
    return md5($material);
}
/**
 * Initialise PostNuke
 * <br />
 * Carries out a number of initialisation tasks to get PostNuke up and
 * running: neutralises register_globals, loads configuration, ADODB and the
 * database connection, optionally starts the session, loads the security,
 * language, rendering and theme subsystems plus the legacy includes, and
 * enforces the site-closed switch.
 *
 * Fatal failures terminate the request with die(); there is no error return.
 *
 * @return bool always true when initialisation completes
 */
function pnInit()
{
    // force register_globals=off
    // force register_globals = off
    // With register_globals on, request keys become global variables before
    // any code runs. Everything except the superglobals (and this loop's own
    // two variables) is unset so request data cannot pre-seed application
    // globals. Skipped when _PNINSTALLVER is defined (presumably the installer).
    if (!defined('_PNINSTALLVER') && ini_get('register_globals')) {
        foreach ($GLOBALS as $s_variable_name => $m_variable_value) {
            if (!in_array($s_variable_name, array('GLOBALS', 'argv', 'argc', '_FILES', '_COOKIE', '_POST', '_GET', '_SERVER', '_ENV', '_SESSION', '_REQUEST', 's_variable_name', 'm_variable_value'))) {
                unset($GLOBALS[$s_variable_name]);
            }
        }
        unset($GLOBALS['s_variable_name']);
        unset($GLOBALS['m_variable_value']);
    }
    // proper error_repoting
    // E_ALL for development
    // error_reporting(E_ALL);
    // without warnings and notices for release
    // NOTE(review): ~E_WARNING also hides the warning a failed include
    // emits, so a missing include below is silent until something depends on it.
    error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING);
    // Hack for some weird PHP systems that should have the
    // LC_* constants defined, but don't
    if (!defined('LC_TIME')) {
        define('LC_TIME', 'LC_TIME');
    }
    // Initialise and load configuration
    // $pnconfig / $pndebug are locals here (config.php is expected to fill
    // them) and are then published through $GLOBALS.
    $pnconfig = array();
    $pndebug = array();
    include 'config.php';
    $GLOBALS['pnconfig'] = $pnconfig;
    $GLOBALS['pndebug'] = $pndebug;
    // Initialize the (ugly) additional header array
    $GLOBALS['additional_header'] = array();
    // load ADODB
    pnADODBInit();
    // Connect to database
    if (!pnDBInit()) {
        die('Database initialisation failed');
    }
    // Set up multisites
    // added this @define for .71, ugly ?
    // i guess the E_ALL stuff.
    // The @ silences the notice when WHERE_IS_PERSO was already defined
    // (presumably by an earlier multisite bootstrap).
    @define('WHERE_IS_PERSO', '');
    // Initialise and load pntables
    pnDBSetTables();
    // user and modules system includes
    include 'includes/pnUser.php';
    include 'includes/pnMod.php';
    // Set compression on if desired
    if (pnConfigGetVar('UseCompression') == 1) {
        ob_start("ob_gzhandler");
    }
    // Refuse requests carrying a _SESSION key in GET/POST/cookie data — a
    // classic register_globals vector for overwriting the real session array.
    if (isset($_REQUEST['_SESSION'])) {
        die('Attempted pollution of SESSION space via GPC request');
    }
    // Other includes
    include 'includes/pnSession.php';
    // Sessions are lazy: one is started only when anonymous sessions are
    // configured or the client already presents a POSTNUKESID. Code that
    // needs a session regardless has to create one itself (as pnSecGenAuthKey does).
    if (pnConfigGetVar('anonymoussessions') || !empty($_REQUEST['POSTNUKESID'])) {
        // Start session
        if (!pnSessionSetup()) {
            die('Session setup failed');
        }
        if (!pnSessionInit()) {
            die('Session initialisation failed');
        }
    }
    // load security functions.
    // Presumably supplies pnSecAuthAction() and ACCESS_ADMIN used further
    // down — confirm; it must stay ahead of the site-off check below.
    include 'includes/pnSecurity.php';
    include 'includes/pnBlocks.php';
    // Load our language files
    include 'includes/pnLang.php';
    pnLangLoad();
    // inclusion of pnrender class -- jn
    include 'includes/pnRender.class.php';
    include 'includes/pnTheme.php';
    include 'includes/pnHTML.php';
    // Legacy includes
    if (pnConfigGetVar('loadlegacy') == '1') {
        include 'includes/legacy/legacy.php';
        include 'includes/legacy/queryutil.php';
        include 'includes/legacy/xhtml.php';
        include 'includes/legacy/oldfuncs.php';
    }
    // Check for site closed
    // Anyone without admin rights on Settings::/SiteOff:: gets the site-off
    // template and the request ends here.
    if (pnConfigGetVar('siteoff') && !pnSecAuthAction(0, 'Settings::', 'SiteOff::', ACCESS_ADMIN)) {
        include 'includes/templates/siteoff.htm';
        die;
    }
    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    // Opt-in via the pnAntiCracker config setting.
    if (pnConfigGetVar('pnAntiCracker') == '1') {
        include 'includes/pnAntiCracker.php';
        pnSecureInput();
    }
    // load safehtml class for xss filtering
    // the XML_HTMLSAX3 define is also needed inside the class so we
    // cannot use the path directly in the include.
    if (pnConfigGetVar('safehtml') == '1') {
        define('XML_HTMLSAX3', 'includes/classes/safehtml/');
        include XML_HTMLSAX3 . 'safehtml.php';
    }
    // Banner system
    // TODO - move to banners module
    if (pnModAvailable('Banners')) {
        include 'includes/pnBanners.php';
    }
    // Call Stats module counter code if installed
    // Admin visitors are excluded from the hit counter.
    if (pnModAvailable('Stats') && !pnSecAuthAction(0, '.*', '.*', ACCESS_ADMIN)) {
        include 'includes/legacy/counter.php';
    }
    // Handle referer
    if (pnModAvailable('Referers') && pnConfigGetVar('httpref') == 1) {
        include 'includes/legacy/referer.php';
        httpreferer();
    }
    // Load the theme
    pnThemeLoad(pnUserGetTheme());
    return true;
}