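/**
 * Check a plaintext password against a stored hash.
 *
 * Two storage formats are accepted: a legacy unsalted md5 hex digest (no ':'
 * anywhere in the stored value) and the salted format produced by
 * salted_hash(), which derives its parameters from the stored value itself.
 * Both paths compare through secure_compare() rather than ==/=== so the
 * comparison does not leak timing information.
 *
 * NOTE(review): the legacy branch is plain md5 with no salt and no work
 * factor. Accounts still on that format should be migrated to the salted
 * format on their next successful login; this function cannot do that
 * because it does not know where the hash is stored.
 *
 * @param string $plain  password as typed by the user
 * @param string $hashed stored hash (legacy md5 hex or salted format)
 * @return bool true when $plain matches $hashed, false otherwise
 */
function compare_passwords($plain, $hashed)
{
    // Fail closed: a missing or empty stored hash can never match anything,
    // so do not hand it to the comparison helpers at all.
    if (!is_string($hashed) || $hashed === '') {
        return false;
    }
    // Backwards compatibility: legacy unsalted md5 digest.
    if (strpos($hashed, ':') === false) {
        return secure_compare(md5($plain), $hashed);
    }
    return secure_compare(salted_hash($plain, $hashed), $hashed);
}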
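/**
 * Validate a submitted captcha answer against the code kept in the session.
 *
 * The check is bypassed (returns true) when captchas are disabled or the
 * current user is an admin. Otherwise the stored code is read from the
 * session, compared in constant time via secure_compare(), and then dropped
 * from the session whether or not the comparison succeeded, so each issued
 * code can be tried exactly once.
 *
 * @param mixed $code answer submitted by the user (normally a POST string)
 * @return bool true when the answer matches or the check is bypassed
 */
function captcha_validate($code)
{
    global $site_sess, $captcha_enable, $user_info;

    if (!$captcha_enable || $user_info['user_level'] == ADMIN) {
        return true;
    }

    // Only a scalar can be an answer. A crafted form can submit an array
    // (code[]=x); treat that as a blank answer instead of passing a non-string
    // into secure_compare().
    $submitted = is_scalar($code) ? (string) $code : '';
    $expected = trim((string) $site_sess->get_session_var('captcha'));

    // An empty stored code means no captcha was issued for this session, and
    // an empty answer can never match an issued one: both fail closed.
    $valid = $expected !== '' && $submitted !== '' && secure_compare($expected, $submitted);

    // Always consume the code, even on failure, so it cannot be brute-forced
    // by resubmitting against the same value.
    $site_sess->drop_session_var('captcha');

    return $valid;
}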
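/**
 * Enforce the CSRF token on POST requests.
 *
 * Requests that are not POST pass through untouched. For a POST, the field
 * named $csrf_protection_name must match one of the tokens kept in the
 * session under the same name (an array of token => issue timestamp). When
 * $csrf_protection_expires is non-zero the matching token must also be at
 * most that many seconds old; a matching but stale token is removed from the
 * session. On failure a 403 is sent and the request ends, either through
 * csrf_rewrite() + show_error_page() or with a minimal inline page and exit.
 *
 * Fix: previously a POST whose session held no token array returned false
 * WITHOUT sending the 403. Since success is signalled by a bare return, a
 * caller that does not inspect the return value would have continued as if
 * the check had passed. That case now falls through to the failure handling
 * like any other non-match.
 *
 * @param bool $use_show_error when true, report the failure through
 *                             show_error_page() instead of an inline page
 * @return void returns only when the request is not a POST or a valid
 *              token was presented; every other path terminates the request
 */
function csrf_check($use_show_error = false)
{
    global $HTTP_SERVER_VARS, $HTTP_POST_VARS, $site_sess, $csrf_protection_name, $csrf_protection_expires;

    if ($HTTP_SERVER_VARS['REQUEST_METHOD'] !== 'POST') {
        return;
    }

    $found = false;
    // Only a scalar field can be a token; an array (token[]=x) is a miss.
    if (isset($HTTP_POST_VARS[$csrf_protection_name]) && is_scalar($HTTP_POST_VARS[$csrf_protection_name])) {
        $submitted = (string) $HTTP_POST_VARS[$csrf_protection_name];
        $session = $site_sess->get_session_var($csrf_protection_name);

        // A missing token list is simply "no match" -- the 403 below applies.
        if (is_array($session)) {
            foreach ($session as $token => $issued) {
                // PHP turns an all-digit array key into an int; secure_compare()
                // expects strings on both sides.
                if (!secure_compare((string) $token, $submitted)) {
                    continue;
                }
                if (!$csrf_protection_expires || time() <= $issued + $csrf_protection_expires) {
                    $found = true;
                } else {
                    // Matched but expired: discard it so it cannot be replayed.
                    unset($session[$token]);
                }
                break;
            }
            $site_sess->set_session_var($csrf_protection_name, $session);
        }
    }

    if ($found) {
        return;
    }

    header($HTTP_SERVER_VARS['SERVER_PROTOCOL'] . ' 403 Forbidden');
    if ($use_show_error) {
        // csrf_rewrite() presumably issues a fresh token for the error page's
        // own forms; show_error_page() is expected not to return.
        csrf_rewrite();
        show_error_page('CSRF check failed.');
    } else {
        echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed.</body></html>";
        exit;
    }
}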
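 /**
  * Start a session for $user_id: re-validate a remembered login, record the
  * session row and refresh the user's last-action / last-visit data.
  *
  * When $user_id is not GUEST and this is not the login request itself, the
  * "userpass" cookie must equal md5() of the stored password hash and the
  * account level must be above USER_AWAITING; otherwise the cookie is cleared
  * and the session is downgraded to GUEST. The sessions-table row is then
  * REPLACEd, session_info is updated to mirror it, and for a non-guest user
  * user_lastaction / user_location / user_lastvisit are written to
  * USERS_TABLE. Finally the "lastvisit" and "userid" cookies are (re)set.
  *
  * NOTE(review): the "userpass" cookie is a long-lived credential derived
  * directly from the stored password hash (md5 of it). It is only invalidated
  * by a password change; a random per-login token stored server-side would be
  * the safer design, but that is a storage-format change beyond this method.
  *
  * NOTE(review): session_id is escaped with addslashes() but user_location
  * and user_ip are interpolated into SQL as-is. That is only safe if they are
  * escaped where they are assigned (outside this method) -- verify at the
  * point they are set from request data.
  *
  * @param int $user_id       user to start the session for (GUEST by default)
  * @param int $login_process non-zero when called from the login flow, which
  *                           skips the cookie re-validation
  * @return bool always true
  */
 function start_session($user_id = GUEST, $login_process = 0)
 {
     global $site_db;
     $this->user_info = $this->load_user_info($user_id);
     if ($this->user_info['user_id'] != GUEST && !$login_process) {
         // Cast so an absent cookie compares as "" (and fails) instead of being
         // handed to secure_compare() as null/false.
         $cookie_token = (string) $this->read_cookie_data("userpass");
         $expected_token = md5($this->user_info['user_password']);
         if (secure_compare($cookie_token, $expected_token) && $this->user_info['user_level'] > USER_AWAITING) {
             $this->set_cookie_data("userpass", $expected_token);
         } else {
             // Remembered login is invalid or the account is not activated:
             // clear the cookie and continue as a guest.
             $this->set_cookie_data("userpass", "", 0);
             $this->user_info = $this->load_user_info(GUEST);
         }
     }
     // Always (re)write the session row, including for guests.
     $sql = "REPLACE INTO " . SESSIONS_TABLE . "\n              (session_id, session_user_id, session_lastaction, session_location, session_ip)\n              VALUES\n              ('" . addslashes($this->session_id) . "', " . $this->user_info['user_id'] . ", {$this->current_time}, '{$this->user_location}', '{$this->user_ip}')";
     $site_db->query($sql);
     $this->session_info['session_user_id'] = $this->user_info['user_id'];
     $this->session_info['session_lastaction'] = $this->current_time;
     $this->session_info['session_location'] = $this->user_location;
     $this->session_info['session_ip'] = $this->user_ip;
     if ($this->user_info['user_id'] != GUEST) {
         // lastvisit is the previous lastaction, or "now" for a first visit.
         $this->user_info['user_lastvisit'] = !empty($this->user_info['user_lastaction']) ? $this->user_info['user_lastaction'] : $this->current_time;
         $sql = "UPDATE " . USERS_TABLE . "\n              SET " . get_user_table_field("", "user_lastaction") . " = {$this->current_time}, " . get_user_table_field("", "user_location") . " = '{$this->user_location}', " . get_user_table_field("", "user_lastvisit") . " = " . $this->user_info['user_lastvisit'] . "\n              WHERE " . get_user_table_field("", "user_id") . " = " . $this->user_info['user_id'];
         $site_db->query($sql);
     }
     $this->set_cookie_data("lastvisit", $this->user_info['user_lastvisit']);
     $this->set_cookie_data("userid", $this->user_info['user_id']);
     return true;
 }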