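    /**
     * Checks what a user entered against the actual password on their account.
     *
     * Stored formats are recognised in this order:
     *   "**<plaintext>"            forced plaintext, to allow easier admin setting
     *   "$..."                     a WordPress/phpass hash (only when $c->wp_includes is set)
     *   "*<salt>*{SSHA}<hash>"     salted SHA-1, compared via session_salted_sha1()
     *   "*MD5*<md5>"               unsalted MD5, compared via session_simple_md5()
     *   "*<salt>*<hash>"           salted MD5, compared via session_salted_md5()
     * Anything else (including an empty or NULL stored password) fails.
     *
     * Every comparison goes through hash_equals() so the time taken does not
     * depend on where the two strings first differ.
     *
     * @param string $they_sent What the user entered.
     * @param string $we_have What we have in the database as their password.  Which may (or may not) be a salted MD5.
     * @return boolean Whether or not the users attempt matches what is already on file.
     */
    function session_validate_password($they_sent, $we_have)
    {
        global $c;
        // A missing stored password can never be matched; this also keeps the
        // preg_match()/hash_equals() calls below on real strings.
        if ($we_have === null || $we_have === '') {
            return false;
        }
        $we_have = (string) $we_have;
        $they_sent = (string) $they_sent;

        if (preg_match('/^\\*\\*.+$/', $we_have)) {
            //  The "forced" style of "**plaintext" to allow easier admin setting
            return hash_equals($we_have, "**{$they_sent}");
        }
        if (isset($c->wp_includes) && substr($we_have, 0, 1) === '$') {
            // Include Wordpress password handling, if it's in the path.
            // require_once of a missing file is fatal even under "@", so check first.
            $phpass_file = $c->wp_includes . '/class-phpass.php';
            if (is_readable($phpass_file)) {
                require_once $phpass_file;
            }
            if (class_exists('PasswordHash')) {
                $wp_hasher = new PasswordHash(8, true);
                // Compare the arguments this function was given (the original
                // referenced undefined $password/$hash here).
                return (bool) $wp_hasher->CheckPassword($they_sent, $we_have);
            }
        }
        if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $we_have, $regs)) {
            if (function_exists("session_salted_sha1")) {
                // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
                $salt = $regs[1];
                $sha1_sent = session_salted_sha1($they_sent, $salt);
                return hash_equals($we_have, (string) $sha1_sent);
            } else {
                dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
                echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are
   using PHP4.  You will need to assign a new password to this user using PHP4, or ensure
   you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format
   compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
                exit;
            }
        }
        if (preg_match('/^\\*MD5\\*.+$/', $we_have)) {
            // A crappy unsalted md5sum like "*MD5*<md5>"
            $md5_sent = session_simple_md5($they_sent);
            return hash_equals($we_have, (string) $md5_sent);
        }
        if (preg_match('/^\\*(.+)\\*.+$/', $we_have, $regs)) {
            // A nicely salted md5sum like "*<salt>*<salted_md5>"
            $salt = $regs[1];
            $md5_sent = session_salted_md5($they_sent, $salt);
            return hash_equals($we_have, (string) $md5_sent);
        }
        // Anything else is bad
        return false;
    }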
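    /**
     * Checks what a user entered against the actual password on their account.
     *
     * Stored formats are recognised in this order:
     *   "**<plaintext>"            forced plaintext, to allow easier admin setting
     *   "*<salt>*{SSHA}<hash>"     salted SHA-1, compared via session_salted_sha1()
     *   "*<salt>*<hash>"           salted MD5, compared via session_salted_md5()
     * Anything else (including an empty or NULL stored password) fails.
     *
     * Every comparison goes through hash_equals() so the time taken does not
     * depend on where the two strings first differ.
     *
     * @param string $they_sent What the user entered.
     * @param string $we_have What we have in the database as their password.  Which may (or may not) be a salted MD5.
     * @return boolean Whether or not the users attempt matches what is already on file.
     */
    function session_validate_password($they_sent, $we_have)
    {
        // A missing stored password can never be matched; this also keeps the
        // preg_match()/hash_equals() calls below on real strings.
        if ($we_have === null || $we_have === '') {
            return false;
        }
        $we_have = (string) $we_have;
        $they_sent = (string) $they_sent;

        if (preg_match('/^\\*\\*.+$/', $we_have)) {
            //  The "forced" style of "**plaintext" to allow easier admin setting
            return hash_equals($we_have, "**{$they_sent}");
        }
        if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $we_have, $regs)) {
            if (function_exists("session_salted_sha1")) {
                // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
                $salt = $regs[1];
                $sha1_sent = session_salted_sha1($they_sent, $salt);
                return hash_equals($we_have, (string) $sha1_sent);
            } else {
                dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
                echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are
   using PHP4.  You will need to assign a new password to this user using PHP4, or ensure
   you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format
   compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
                exit;
            }
        }
        if (preg_match('/^\\*(.+)\\*.+$/', $we_have, $regs)) {
            // A nicely salted md5sum like "*<salt>*<salted_md5>"
            $salt = $regs[1];
            $md5_sent = session_salted_md5($they_sent, $salt);
            return hash_equals($we_have, (string) $md5_sent);
        }
        // Anything else is bad
        return false;
    }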
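/**
 * Build SQL INSERT/UPDATE statement from an associative array of fieldnames => values.
 *
 * Only the columns reported by get_fields($tablename) are emitted.  Each value is
 * read from $obj->{$fn}, or from $obj->{"xxxx{$fn}"} when the caller had to rename
 * the property so it differs from the column name.  Unset properties are skipped.
 * Values are quoted or cast according to the column type.  A "password" column is
 * skipped when blank or the "******" placeholder, and hashed (salted SHA-1, then
 * salted MD5, then bare md5(), whichever helper exists) unless it already looks
 * like a "*salt*hash" value.
 *
 * SECURITY: the statement is built by string interpolation.  Values are escaped
 * only by doubling backslashes and single quotes; $tablename, $where and the
 * column names are not escaped at all and must come from trusted code, never
 * from request input.
 *
 * @param array $obj The object  of fieldnames => values.
 * @param string $type The word "update" or something else (which implies "insert").
 * @param string $tablename The name of the table being updated.
 * @param string $where What the "WHERE ..." clause needs to be for an UPDATE statement.
 * @param string $fprefix An optional string which all fieldnames in $assoc are prefixed with.  Currently unused.
 * @return string An SQL Update or Insert statement with all fields/values from the array.
 */
function sql_from_object($obj, $type, $tablename, $where, $fprefix = "")
{
    $fields = get_fields($tablename);
    $update = strtolower($type) == "update";
    $sql = $update ? "UPDATE {$tablename} SET " : "INSERT INTO {$tablename} (";
    $flst = "";
    $vlst = "";
    foreach ($fields as $fn => $typ) {
        dbg_error_log("DataUpdate", ":sql_from_object: %s => %s (%s)", $fn, $typ, isset($obj->{$fn}) ? $obj->{$fn} : "[undefined value]");
        if (!isset($obj->{$fn}) && isset($obj->{"xxxx{$fn}"})) {
            // Sometimes we will have prepended 'xxxx' to the field name so that the field
            // name differs from the column name in the database.
            $obj->{$fn} = $obj->{"xxxx{$fn}"};
        }
        if (!isset($obj->{$fn})) {
            continue;
        }
        $raw = (string) $obj->{$fn};
        if ($fn == "password") {
            if ($raw == "******" || $raw == "") {
                continue;
            }
            if (!preg_match('/\\*[0-9a-z]+\\*[0-9a-z{}]+/i', $raw)) {
                // Hash the value as the user typed it, before SQL escaping, so it
                // matches what session_validate_password() hashes at login time
                // (escaping a quote or backslash first would hash a different string).
                if (function_exists("session_salted_sha1")) {
                    $raw = session_salted_sha1($raw);
                } elseif (function_exists('session_salted_md5')) {
                    $raw = session_salted_md5($raw);
                } else {
                    $raw = md5($raw);
                }
            }
        }
        // Minimal escaping for a single-quoted SQL literal: backslashes first, then quotes.
        $value = str_replace("'", "''", str_replace("\\", "\\\\", (string) $raw));

        if ($value === "" && preg_match('{^(time|date|interval)}i', $typ)) {
            // An empty temporal value is stored as NULL rather than an invalid literal.
            $value = "NULL";
        } elseif (preg_match('{^bool}i', $typ)) {
            // Accept the usual spellings of false, case-insensitively; everything
            // else is TRUE.  ("false" used to be treated as TRUE because it is a
            // truthy string.)
            $lc = strtolower($value);
            if ($lc === "" || $lc === "0" || $lc === "f" || $lc === "false" || $lc === "off" || $lc === "no") {
                $value = "FALSE";
            } else {
                $value = "TRUE";
            }
        } elseif (preg_match('{^interval}i', $typ)) {
            $value = "'{$value}'::{$typ}";
        } elseif (preg_match('{^int}i', $typ)) {
            $value = $value === '' ? 'NULL' : intval($value);
        } elseif (preg_match('{^bit}i', $typ)) {
            $value = $value === '' ? 'NULL' : "'{$value}'";
        } elseif (preg_match('{^(text|varchar)}i', $typ)) {
            $value = "'{$value}'";
        } else {
            // Any other type gets an explicit cast so the database does the parsing.
            $value = "'{$value}'::{$typ}";
        }

        if ($update) {
            $flst .= ", {$fn} = {$value}";
        } else {
            $flst .= ", {$fn}";
            $vlst .= ", {$value}";
        }
    }
    // Drop the leading ", " that the loop prepends to every entry.
    $flst = substr($flst, 2);
    $vlst = substr($vlst, 2);
    $sql .= $flst;
    if ($update) {
        $sql .= " {$where}; ";
    } else {
        $sql .= ") VALUES( {$vlst} ); ";
    }
    return $sql;
}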