$col_user_password_salt_exists = isset($row['user_password_salt']) ? true : false; if ($col_user_password_salt_exists) { require 'include/passwordhash.inc.php'; $sql = "SELECT user_password, user_password_salt, user_password_hash_algorithm, user_password_iterations FROM {$CONFIG['TABLE_PREFIX']}users WHERE user_group = 1 AND user_name = '{$user}'"; $result = cpg_db_query($sql); $password_params = $result->fetchAssoc(true); } if (!$col_user_password_salt_exists || !$password_params['user_password_salt']) { $sql = "SELECT user_active FROM {$CONFIG['TABLE_PREFIX']}users WHERE user_group = 1 AND user_name = '{$user}' AND (user_password = '******' OR user_password = '******')"; $result = cpg_db_query($sql); if (!$result->numRows()) { //not authenticated, try mysql account details html_auth_box('MySQL'); die; } } elseif (!cpg_password_validate($pass, $password_params)) { //not authenticated, try mysql account details html_auth_box('MySQL'); die; } //authenticated, do the update $_SESSION['auth'] = true; start_update(); } else { //try to autenticate via MySQL details (in configuration) if ($superCage->post->getEscaped('user') == $CONFIG['dbuser'] && $superCage->post->getEscaped('pass') == $CONFIG['dbpass']) { //authenticated, do the update $_SESSION['auth'] = true; start_update(); } else { //no go, try again
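/**
 * Authenticate a user against the users table and bind the current (guest)
 * session row to that user.
 *
 * Two credential formats are supported, chosen per row by the presence of
 * user_password_salt:
 *   - salted rows are verified in PHP via cpg_password_validate();
 *   - legacy unsalted rows are matched inside the SQL WHERE clause and, on
 *     success, migrated in place via cpg_password_create_update_string().
 *
 * @param string|null $username  Login name or e-mail address, depending on
 *                               $CONFIG['login_method']. It is interpolated
 *                               into SQL verbatim, so the caller MUST pass an
 *                               already DB-escaped value; this method does not
 *                               escape it itself.
 * @param string|null $password  Plaintext password as submitted.
 * @param bool        $remember  When true the session cookie is extended to two
 *                               weeks and the session row is flagged remember=1.
 *
 * @return array|false  The user_id/user_name/user_password row on success
 *                      (note: this includes the stored password column), or
 *                      false when no active user matches or the password fails.
 */
public function login($username = null, $password = null, $remember = false)
{
    global $CONFIG;

    // The sessions table is keyed on md5(cookie value . client id).
    $session_id = $this->session_id . $this->client_id;

    // Which column(s) the submitted identifier is matched against.
    switch ($CONFIG['login_method']) {
        case 'both':
            $sql_user_email = "(user_name = '{$username}' OR user_email = '{$username}')";
            break;
        case 'email':
            $sql_user_email = "user_email = '{$username}'";
            break;
        case 'username':
        default:
            $sql_user_email = "user_name = '{$username}'";
            break;
    }

    // First pass: fetch only the credential material so we can decide whether
    // this row uses the salted scheme or the legacy one.
    $sql = "SELECT user_password, user_password_salt, user_password_hash_algorithm, user_password_iterations "
         . "FROM {$this->usertable} WHERE {$sql_user_email} AND user_active = 'YES' LIMIT 1";
    $result = $this->query($sql);
    if (!$result->numRows()) {
        return false;
    }

    // require_once: a plain require would fatal with "cannot redeclare" if this
    // method (or anything else loading passwordhash.inc.php) runs twice in one
    // request.
    require_once 'include/passwordhash.inc.php';
    $password_params = $result->fetchAssoc(true);

    // Second pass: fetch the user row itself.
    $sql = "SELECT user_id, user_name, user_password FROM {$this->usertable} WHERE {$sql_user_email} ";
    if (!$password_params['user_password_salt']) {
        // Legacy unsalted row: the password is matched by the database.
        // NOTE(review): in this copy the comparison value is the fixed literal
        // below; presumably a hash of $password in the real source -- verify.
        $sql .= "AND BINARY user_password = '******'";
    } elseif (!cpg_password_validate($password, $password_params)) {
        return false;
    }
    $sql .= " AND user_active = 'YES' LIMIT 1";
    $result = $this->query($sql);
    if (!$result->numRows()) {
        return false;
    }
    $USER_DATA = $result->fetchAssoc(true);

    // user_id comes from our own table, but cast it anyway so the
    // interpolations below can never carry anything but an integer.
    $user_id = (int) $USER_DATA['user_id'];

    // Record the visit; a legacy row is migrated to the salted scheme now that
    // we hold the plaintext that just validated.
    $salt_password = !$password_params['user_password_salt']
        ? ', ' . cpg_password_create_update_string($password)
        : '';
    $sql = "UPDATE {$this->usertable} SET user_lastvisit = NOW() {$salt_password} WHERE user_id = {$user_id}";
    $this->query($sql);

    // Cookie lifetime follows the "remember me" choice. The cookie is marked
    // HttpOnly: it is a session credential and nothing here needs it from JS.
    if ($remember) {
        $remember_sql = ",remember = '1' ";
        // Keep the cookie for two weeks.
        if (CPG_COOKIES_ALLOWED) {
            setcookie($this->client_id, $this->session_id, time() + CPG_WEEK * 2, $CONFIG['cookie_path'], '', false, true);
        }
    } else {
        $remember_sql = '';
        // Browser-session cookie: dropped when the browser closes.
        if (CPG_COOKIES_ALLOWED) {
            setcookie($this->client_id, $this->session_id, 0, $CONFIG['cookie_path'], '', false, true);
        }
    }

    // Bind the existing guest session row to the user.
    // NOTE(review): the pre-login session id is kept and simply promoted;
    // regenerating it here would close the session-fixation window, but that
    // depends on how the rest of this class issues session ids -- confirm.
    $sql  = "UPDATE {$this->sessionstable} SET ";
    $sql .= "user_id = {$user_id} ";
    $sql .= $remember_sql;
    $sql .= "WHERE session_id = '" . md5($session_id) . "'";
    $this->query($sql);

    return $USER_DATA;
}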