$action = isset($HTTP_GET_VARS['action']) ? $HTTP_GET_VARS['action'] : ''; // prepare to logout an active administrator if the login page is accessed again if (tep_session_is_registered('admin')) { $action = 'logoff'; } if (tep_not_null($action)) { switch ($action) { case 'process': if (tep_session_is_registered('redirect_origin') && isset($redirect_origin['auth_user'])) { $username = tep_db_prepare_input($redirect_origin['auth_user']); $password = tep_db_prepare_input($redirect_origin['auth_pw']); } else { $username = tep_db_prepare_input($HTTP_POST_VARS['username']); $password = tep_db_prepare_input($HTTP_POST_VARS['password']); } $actionRecorder = new actionRecorderAdmin('ar_admin_login', null, $username); if ($actionRecorder->canPerform()) { $check_query = tep_db_query("select id, user_name, user_password from " . TABLE_ADMINISTRATORS . " where user_name = '" . tep_db_input($username) . "'"); if (tep_db_num_rows($check_query) == 1) { $check = tep_db_fetch_array($check_query); if (tep_validate_password($password, $check['user_password'])) { // migrate old hashed password to new phpass password if (tep_password_type($check['user_password']) != 'phpass') { tep_db_query("update " . TABLE_ADMINISTRATORS . " set user_password = '******' where id = '" . (int) $check['id'] . "'"); } tep_session_register('admin'); $admin = array('id' => $check['id'], 'username' => $check['user_name']); $actionRecorder->_user_id = $admin['id']; $actionRecorder->record(); if (tep_session_is_registered('redirect_origin')) { $page = $redirect_origin['page'];
<?php if (isset($_GET['action']) && $_GET['action'] == 'process' && (SESSION_FORCE_COOKIE_USE == 'true' && isset($_COOKIE[session_name()]) || SESSION_FORCE_COOKIE_USE == 'false')) { $email_address = xos_db_prepare_input($_POST['email_address']); $password = xos_db_prepare_input($_POST['password']); // action recorder require DIR_WS_CLASSES . 'action_recorder.php'; $actionRecorder = new actionRecorderAdmin('ar_admin_login', null, $email_address); if ($actionRecorder->canPerform() || !$actionRecorder->check()) { // Check if email exists $check_admin_query = xos_db_query("select admin_id as login_id, admin_groups_id as login_groups_id, admin_firstname as login_firstname, admin_email_address as login_email_address, admin_password as login_password, admin_modified as login_modified, admin_logdate as login_logdate, admin_lognum as login_lognum from " . TABLE_ADMIN . " where admin_email_address = '" . xos_db_input($email_address) . "'"); if (!xos_db_num_rows($check_admin_query)) { $login_error = 'incorrect_values'; $actionRecorder->record(false); } else { $check_admin = xos_db_fetch_array($check_admin_query); // Check that password is good if (!xos_validate_password($password, $check_admin['login_password'])) { $login_error = 'incorrect_values'; $actionRecorder->record(false); } else { // migrate old hashed password to new phpass password if (xos_password_type($check_admin['login_password']) != 'phpass') { xos_db_query("update " . TABLE_ADMIN . " set admin_password = '******' where admin_id = '" . (int) $check_admin['login_id'] . "'"); } if (isset($_SESSION['password_forgotten'])) { unset($_SESSION['password_forgotten']); } $login_email_address = $check_admin['login_email_address']; $login_logdate = $check_admin['login_logdate']; $login_lognum = $check_admin['login_lognum'];