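/**
 * Login API.
 *
 * Looks the user up by e-mail, enforces the brute-force lockout, verifies the
 * submitted password against the stored salted SHA-512 digest and, on success,
 * populates $_SESSION with the user's id, username and a user-agent-bound
 * login string. A failed password attempt is recorded in login_attempts so
 * that checkbrute() can lock the account.
 *
 * NOTE(review): the sha512(password . salt) scheme is what the members table
 * stores, so it is kept here for compatibility. SHA-512 is a fast hash and is
 * not a suitable password KDF; migrate to password_hash()/password_verify()
 * (with password_needs_rehash() on login) once stored digests can be replaced.
 *
 * @param string $email    email of user (untrusted input)
 * @param string $password password of user (untrusted, plaintext)
 * @param mysqli $mysqli   mysql connection
 * @return bool true on successful login; false for an unknown user, a locked
 *              account, a wrong password or a failed query
 */
function login($email, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT id, username, password, salt\n FROM members\n WHERE email = ?\n LIMIT 1");
    if ($stmt === false) {
        return false;
    }

    $stmt->bind_param('s', $email); // Bind "$email" to parameter.
    if (!$stmt->execute()) {         // Execute the prepared query.
        $stmt->close();
        return false;
    }
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        // No user exists.
        return false;
    }

    // If the user exists we check if the account is locked
    // from too many login attempts.
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked.
        // Send an email to user saying their account is locked.
        return false;
    }

    // Hash the submitted password with the user's unique salt (legacy scheme, see above).
    $password = hash('sha512', $password . $salt);

    // Constant-time, strict comparison. `==` on hex digests is both
    // timing-dependent and subject to PHP's numeric-string juggling
    // ("0e123..." == "0e456..." is true), so hash_equals() is used instead.
    if (!hash_equals((string) $db_password, $password)) {
        // Password is not correct: record this attempt for checkbrute().
        // $user_id comes from the database, but it is still bound rather than
        // interpolated so this statement can never become an injection point.
        $now = time();
        $log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time)\n VALUES (?, ?)");
        if ($log !== false) {
            $log->bind_param('ss', $user_id, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }

    // Password is correct!
    // Get the user-agent string of the user (absent for some non-browser clients).
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    // Session fixation defence: issue a fresh session id when the privilege
    // level changes, so an id planted before login is not upgraded.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    // XSS protection as we might print this value.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    // XSS protection as we might print this value.
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);

    // Login successful.
    return true;
}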
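/**
 * Execute a SQL statement and return its result rows.
 *
 * Usage: query($sql [, $arg1, $arg2, ...]). With arguments the statement is
 * prepared and the arguments bound; without them it is run directly.
 * Two one-shot settings on the object are honoured and then cleared:
 *   - $this->_lock : a clause appended verbatim to the SQL (presumably a
 *                    locking clause such as "FOR UPDATE" set by the caller)
 *   - $this->cache : array('key' => <memcache key> | 'md5', 'expire' => <seconds>);
 *                    'md5' derives the key from the SQL text and its arguments.
 *
 * On a database error $this->error holds PDO's errorInfo() (or an empty
 * array when no driver error code is present) and an empty array is returned.
 *
 * @return array list of associative rows; empty array on error
 */
function query()
{
    $tArgs = func_get_args();
    $tSql = array_shift($tArgs);

    # Lock-table query: append the pending lock clause exactly once.
    if ($this->_lock) {
        $tSql .= ' ' . $this->_lock;
        $this->_lock = '';
    }

    # Cache setting: copy it and clear it up front so it is one-shot on every
    # path. Previously a cache HIT returned without clearing $this->cache, so
    # the next, unrelated query() call reused the already-expanded key and
    # served this query's cached rows.
    $tCache = $this->cache;
    $this->cache = array();
    if ($tCache) {
        $tMem =& Cache_Memcache::instance('default');
        if ('md5' === $tCache['key']) {
            # NOTE(review): join(',') makes ('a,b') and ('a','b') hash to the
            # same key; the formula is kept for compatibility with existing
            # cache entries, but callers should not rely on it for
            # comma-containing arguments.
            $tCache['key'] = md5($tSql . ($tArgs ? join(',', $tArgs) : ''));
        }
        if (false !== ($tData = $tMem->get($tCache['key']))) {
            return $tData;
        }
    }

    # Query the database.
    $this->db =& self::instance($this->_config);
    if ($tArgs) {
        $tQuery = $this->db->prepare($tSql);
        # A failed execute() leaves $tQuery truthy, so its result must be
        # checked explicitly; the error is recorded on the statement, not on
        # the connection.
        if ($tQuery && !$tQuery->execute($tArgs)) {
            $this->error = $tQuery->errorInfo();
            isset($this->error[1]) || ($this->error = array());
            return array();
        }
    } else {
        $tQuery = $this->db->query($tSql);
    }

    if (!$tQuery) {
        $this->error = $this->db->errorInfo();
        isset($this->error[1]) || ($this->error = array());
        return array();
    }

    $tData = $tQuery->fetchAll(PDO::FETCH_ASSOC);

    # Store the rows in the cache when caching was requested.
    if ($tCache) {
        $tMem->set($tCache['key'], $tData, 0, $tCache['expire']);
    }
    return $tData;
}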
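/**
 * SIG Access Return Method
 *
 * This method determines if a user has access to a specific Special Interest
 * Group: the user must hold a sig_memberships row for ($this->_userID, $sigID,
 * the current group) whose sig_access_level is at least
 * $sigRequiredAccessLevel. Any lookup failure fails closed (returns false).
 *
 * @param mixed $sigID                  identifier of the Special Interest Group
 * @param int   $sigRequiredAccessLevel minimum sig_access_level that grants access
 * @return bool
 */
public function getSIGAccess($sigID, $sigRequiredAccessLevel)
{
    /** Looking up this user's access permissions to the sig */
    $stmt_sig_lookup = $this->_db->prepare('SELECT sig_access_level FROM sig_memberships WHERE userid = ? AND sig_id = ? AND groupid = ? LIMIT 1');
    if ($stmt_sig_lookup === false
        || !$stmt_sig_lookup->execute(array($this->_userID, $sigID, $this->_group->getGroupID()))) {
        /** The lookup itself failed: deny rather than treat a query error as membership */
        return false;
    }

    /**
     * Membership is decided by whether a row was actually fetched.
     * PDOStatement::rowCount() is not defined for SELECT statements on every
     * driver (SQLite reports 0, for example), so it cannot be used here.
     */
    $sigAccessLevel = $stmt_sig_lookup->fetch(\PDO::FETCH_ASSOC);
    if ($sigAccessLevel === false || !isset($sigAccessLevel['sig_access_level'])) {
        /** The user is not a member of this Special Interest Group (or has no level set) */
        return false;
    }

    /**
     * Comparing the user's sig_access_level to the required $sigRequiredAccessLevel.
     * Both sides are cast to int: PDO frequently returns columns as strings and a
     * string-vs-int `>=` would go through PHP's numeric-string juggling.
     */
    return (int) $sigAccessLevel['sig_access_level'] >= (int) $sigRequiredAccessLevel;
}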
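/**
 * Inserts a new record into a table of the administration schema.
 *
 * Table and column names are SQL identifiers and cannot be bound as
 * parameters, so they are validated against a strict identifier pattern before
 * being interpolated into the statement; the values themselves are bound with
 * "?" placeholders. The global $esquemaadmin is prepended to the table name
 * verbatim, as before.
 *
 * @param PDO    $pdo    PDO connection object
 * @param string $tabela name of the table that receives the insert
 * @param array  $data   column name => value map
 * @return bool|string true on success; false when $data is empty or the table /
 *                     a column name is not a plain identifier; the strings
 *                     "prepare " / "execute " on a PDO error (kept for callers
 *                     that inspect them)
 */
function i3GeoAdminInsert($pdo, $tabela, $data)
{
    global $esquemaadmin;

    // An empty column list would yield "INSERT INTO t() VALUES ()", which most
    // databases reject; fail early instead of relying on the driver.
    if (!is_array($data) || count($data) === 0) {
        return false;
    }

    $keys = array_keys($data);

    // Identifiers are interpolated into the SQL and cannot be parameterised, so
    // restrict them to [A-Za-z_][A-Za-z0-9_]* to rule out injection through a
    // caller-supplied table or column name.
    $identifier = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    if (!is_string($tabela) || !preg_match($identifier, $tabela)) {
        return false;
    }
    foreach ($keys as $key) {
        if (!is_string($key) || !preg_match($identifier, $key)) {
            return false;
        }
    }

    $fields = implode(",", $keys);
    $placeholder = rtrim(str_repeat("?,", count($keys)), ",");
    $sql = "INSERT INTO " . $esquemaadmin . "{$tabela}({$fields}) VALUES ({$placeholder})";

    // Exceptions are the error channel below; silent mode would hide failures.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $prep = $pdo->prepare($sql);
    } catch (PDOException $e) {
        return "prepare ";
    }
    try {
        $prep->execute(array_values($data));
        // Record the statement and its bound values in the admin log.
        i3GeoAdminInsertLog($pdo, $sql, array_values($data));
        return true;
    } catch (PDOException $e) {
        return "execute ";
    }
}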