/** * Reset all login keys for the specified user * Called on password changes */ function session_reset_keys($user_id, $user_ip) { global $db, $userdata, $board_config; $key_sql = $user_id == $userdata['user_id'] && !empty($userdata['session_key']) ? "AND key_id != '" . md5($userdata['session_key']) . "'" : ''; $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . ' WHERE user_id = ' . (int) $user_id . "\n\t\t\t{$key_sql}"; if (!$db->sql_query($sql)) { message_die(CRITICAL_ERROR, 'Error removing auto-login keys', '', __LINE__, __FILE__, $sql); } $where_sql = 'session_user_id = ' . (int) $user_id; $where_sql .= $user_id == $userdata['user_id'] ? " AND session_id <> '" . $userdata['session_id'] . "'" : ''; $sql = 'DELETE FROM ' . SESSIONS_TABLE . "\n\t\tWHERE {$where_sql}"; if (!$db->sql_query($sql)) { message_die(CRITICAL_ERROR, 'Error removing user session(s)', '', __LINE__, __FILE__, $sql); } if (!empty($key_sql)) { $auto_login_key = dss_rand() . dss_rand(); $current_time = time(); $sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . "\n\t\t\tSET last_ip = '{$user_ip}', key_id = '" . md5($auto_login_key) . "', last_login = {$current_time}\n\t\t\tWHERE key_id = '" . md5($userdata['session_key']) . "'"; if (!$db->sql_query($sql)) { message_die(CRITICAL_ERROR, 'Error updating session key', '', __LINE__, __FILE__, $sql); } // And now rebuild the cookie $sessiondata['userid'] = $user_id; $sessiondata['autologinid'] = $auto_login_key; $cookiename = $board_config['cookie_name']; $cookiepath = $board_config['cookie_path']; $cookiedomain = $board_config['cookie_domain']; $cookiesecure = $board_config['cookie_secure']; setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure); $userdata['session_key'] = $auto_login_key; unset($sessiondata); unset($auto_login_key); } }
} $db->sql_freeresult($result); $sql = 'SELECT COUNT(session_id) AS attempts FROM ' . CONFIRM_TABLE . " \n\t\t\tWHERE session_id = '" . $userdata['session_id'] . "'"; if (!($result = $db->sql_query($sql))) { message_die(GENERAL_ERROR, 'Could not obtain confirm code count', '', __LINE__, __FILE__, $sql); } if ($row = $db->sql_fetchrow($result)) { if ($row['attempts'] > 3) { message_die(GENERAL_MESSAGE, $lang['Too_many_registers']); } } $db->sql_freeresult($result); // Generate the required confirmation code // NB 0 (zero) could get confused with O (the letter) so we make change it $code = dss_rand(); $code = substr(str_replace('0', 'Z', strtoupper(base_convert($code, 16, 35))), 2, 6); $confirm_id = md5(uniqid($user_ip)); $sql = 'INSERT INTO ' . CONFIRM_TABLE . " (confirm_id, session_id, code) \n\t\t\tVALUES ('{$confirm_id}', '" . $userdata['session_id'] . "', '{$code}')"; if (!$db->sql_query($sql)) { message_die(GENERAL_ERROR, 'Could not insert new confirm code information', '', __LINE__, __FILE__, $sql); } unset($code); $confirm_image = '<img src="' . append_sid("profile.{$phpEx}?mode=confirm&id={$confirm_id}") . '" alt="" title="" />'; $s_hidden_fields .= '<input type="hidden" name="confirm_id" value="' . $confirm_id . '" />'; $template->assign_block_vars('switch_confirm', array()); } // // Let's do an overall check for settings/versions which would prevent // us from doing file uploads.... //
function make_bbcode_uid() { // Unique ID for this message.. $uid = dss_rand(); $uid = substr($uid, 0, BBCODE_UID_LEN); return $uid; }
function gen_rand_string($hash) { $rand_str = dss_rand(); return $hash ? md5($rand_str) : substr($rand_str, 8); }
} else { exit; } /** * The next part is orginnaly written by ted from mastercode.nl and modified for using in this mod. **/ header("content-type:image/png"); header('Cache-control: no-cache, no-store'); $width = 250; $height = 60; $img = imagecreatetruecolor($width, $height); $background = imagecolorallocate($img, color("bg"), color("bg"), color("bg")); srand(make_seed()); imagefilledrectangle($img, 0, 0, 249, 59, $background); for ($g = 0; $g < 30; $g++) { $t = dss_rand(); $t = $t[0]; $ypos = rand(0, $height); $xpos = rand(0, $width); $kleur = imagecolorallocate($img, color("bgtekst"), color("bgtekst"), color("bgtekst")); imagettftext($img, size(), move(), $xpos, $ypos, $kleur, font(), $t); } $stukje = $width / (strlen($code) + 3); for ($j = 0; $j < strlen($code); $j++) { $tek = $code[$j]; $ypos = rand(35, 41); $xpos = $stukje * ($j + 1); $color2 = imagecolorallocate($img, color("tekst"), color("tekst"), color("tekst")); imagettftext($img, size(), move(), $xpos, $ypos, $color2, font(), $tek); } imagepng($img);
/** * Return unique id * @param string $extra additional entropy */ function unique_id($extra = 'c') { return dss_rand(); }
function generateRegisterID() { global $userdata; #Generate and delete old confirm ID's from the confirm table based #upon inactive sessions $sql = 'SELECT session_id FROM sessions'; $result = mysql_query($sql); if (!$result) { return "Error"; } $confirm_sql = ''; $count = 0; while ($count < mysql_num_rows($result)) { $confirm_sql .= ($confirm_sql != '' ? ', ' : '') . "'" . mysql_result($result, $count, 0) . "'"; $count++; } mysql_free_result($result); $sql = "DELETE FROM confirm WHERE session_id NOT IN ({$confirm_sql})"; $result = mysql_query($sql); if (!$result) { return "Error"; } # # Check number of create requests # $sql = "SELECT COUNT(session_id) AS attempts from confirm WHERE session_id = '" . $userdata['session_id'] . "'"; $result = mysql_query($sql); if (!$result) { return "Error"; } if (mysql_result($result, 0, 0) > 3) { return "Error"; } mysql_free_result($result); // Generate the required confirmation code // NB 0 (zero) could get confused with O (the letter) so we make change it $code = dss_rand(); $code = substr(str_replace('0', 'Z', strtoupper(base_convert($code, 16, 35))), 2, 6); $confirm_id = md5(uniqid($user_ip)); $sql = "INSERT INTO confirm (confirm_id, session_id, code) VALUES ('{$confirm_id}', '" . $userdata['session_id'] . "', '{$code}')"; $result = mysql_query($sql); if (!$result) { return "Error"; } unset($code); return $confirm_id; }
function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_autologin = 0, $admin = 0) { global $db, $board_config; global $SID; $cookiename = $board_config['cookie_name']; $cookiepath = $board_config['cookie_path']; $cookiedomain = $board_config['cookie_domain']; $cookiesecure = $board_config['cookie_secure']; if (isset($_COOKIE[$cookiename . '_sid']) || isset($_COOKIE[$cookiename . '_data'])) { $session_id = isset($_COOKIE[$cookiename . '_sid']) ? $_COOKIE[$cookiename . '_sid'] : ''; $sessiondata = isset($_COOKIE[$cookiename . '_data']) ? unserialize(stripslashes($_COOKIE[$cookiename . '_data'])) : array(); $sessionmethod = SESSION_METHOD_COOKIE; } else { $sessiondata = array(); $session_id = isset($_GET['sid']) ? $_GET['sid'] : ''; $sessionmethod = SESSION_METHOD_GET; } // if (!preg_match('/^[A-Za-z0-9]*$/', $session_id)) { $session_id = ''; } $page_id = (int) $page_id; $last_visit = 0; $current_time = time(); // Begin PNphpBB2 Module /* // // Are auto-logins allowed? // If allow_autologin is not set or is true then they are // (same behaviour as old 2.0.x session code) // if (isset($board_config['allow_autologin']) && !$board_config['allow_autologin']) { $enable_autologin = $sessiondata['autologinid'] = false; } // // First off attempt to join with the autologin value if we have one // If not, just use the user_id value // $userdata = array(); if ($user_id != ANONYMOUS) { if (isset($sessiondata['autologinid']) && (string) $sessiondata['autologinid'] != '' && $user_id) { $sql = 'SELECT u.* FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k WHERE u.user_id = ' . (int) $user_id . " AND u.user_active = 1 AND k.user_id = u.user_id AND k.key_id = '" . md5($sessiondata['autologinid']) . "'"; if (!($result = $db->sql_query($sql))) { message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql); } $userdata = $db->sql_fetchrow($result); $db->sql_freeresult($result); $enable_autologin = $login = 1; } else if (!$auto_create) { $sessiondata['autologinid'] = ''; $sessiondata['userid'] = $user_id; $sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . (int) $user_id . ' AND user_active = 1'; if (!($result = $db->sql_query($sql))) { message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql); } $userdata = $db->sql_fetchrow($result); $db->sql_freeresult($result); $login = 1; } } // // At this point either $userdata should be populated or // one of the below is true // * Key didn't match one in the DB // * User does not exist // * User is inactive // if (!sizeof($userdata) || !is_array($userdata) || !$userdata) { $sessiondata['autologinid'] = ''; $sessiondata['userid'] = $user_id = ANONYMOUS; $enable_autologin = $login = 0; $sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . (int) $user_id; if (!($result = $db->sql_query($sql))) { message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql); } $userdata = $db->sql_fetchrow($result); $db->sql_freeresult($result); } */ if (UserUtil::isLoggedIn()) { $user_id = UserUtil::getVar('uid'); // Does the user have admin rights? $admin = SecurityUtil::checkPermission('ZphpBB2::', '::', ACCESS_ADMIN) ? 1 : 0; // ZphpBB2 => Main user synchronization ZphpBB2_Util::phpBBupdateAccountById($user_id); // <= ZphpBB2 } else { $user_id = ANONYMOUS; // -1 } $sql = "SELECT * \n FROM " . USERS_TABLE . " \n WHERE user_id = {$user_id}"; if (!($result = $db->sql_query($sql))) { message_die(CRITICAL_ERROR, 'Could not obtain lastvisit data from user table', '', __LINE__, __FILE__, $sql); } $userdata = $db->sql_fetchrow($result); if ($user_id != ANONYMOUS) { if ($auto_create) { if ($userdata['user_active']) { // We have to login automagically $login = 1; } else { // Autologin is not set. Don't login, set as anonymous user $login = 0; $user_id = $userdata['user_id'] = ANONYMOUS; $sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . ANONYMOUS; $result = $db->sql_query($sql); $userdata = $db->sql_fetchrow($result); $db->sql_freeresult($result); } } else { $login = 1; } } else { $login = 0; } // End PNphpBB2 Module // // Initial ban check against user id, IP and email address // preg_match('/(..)(..)(..)(..)/', $user_ip, $user_ip_parts); $sql = "SELECT ban_ip, ban_userid, ban_email \n FROM " . BANLIST_TABLE . " \n WHERE ban_ip IN ('" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" . $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" . $user_ip_parts[1] . "ffffff')\n OR ban_userid = {$user_id}"; if ($user_id != ANONYMOUS) { $sql .= " OR ban_email LIKE '" . str_replace("\\'", "''", $userdata['user_email']) . "' \n OR ban_email LIKE '" . substr(str_replace("\\'", "''", $userdata['user_email']), strpos(str_replace("\\'", "''", $userdata['user_email']), "@")) . "'"; } if (!($result = $db->sql_query($sql))) { message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql); } if ($ban_info = $db->sql_fetchrow($result)) { if ($ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email']) { message_die(CRITICAL_MESSAGE, 'You_been_banned'); } } // // Create or update the session // // Begin PNphpBB2 Module // -- Remove session_admin // $sql = "UPDATE " . SESSIONS_TABLE . " // SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login, session_admin = $admin // WHERE session_id = '" . $session_id . "' // AND session_ip = '$user_ip'"; $sql = "UPDATE " . SESSIONS_TABLE . "\n SET session_user_id = {$user_id}, session_start = {$current_time}, session_time = {$current_time}, session_page = {$page_id}, session_logged_in = {$login}\n WHERE session_id = '" . $session_id . "' \n AND session_ip = '{$user_ip}'"; // End PNphpBB2 Module if (!$db->sql_query($sql) || !$db->sql_affectedrows()) { $session_id = md5(dss_rand()); // Begin PNphpBB2 Module // -- Remove session_admin // $sql = "INSERT INTO " . SESSIONS_TABLE . " // (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) // VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)"; $sql = "INSERT INTO " . SESSIONS_TABLE . "\n (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)\n VALUES ('{$session_id}', {$user_id}, {$current_time}, {$current_time}, '{$user_ip}', {$page_id}, {$login})"; // End PNphpBB2 Module if (!$db->sql_query($sql)) { message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); } } if ($user_id != ANONYMOUS) { $last_visit = $userdata['user_session_time'] > 0 ? $userdata['user_session_time'] : $current_time; // Begin PNphpBB2 Module // if (!$admin) // { // End PNphpBB2 Module $sql = "UPDATE " . USERS_TABLE . " \n SET user_session_time = {$current_time}, user_session_page = {$page_id}, user_lastvisit = {$last_visit}\n WHERE user_id = {$user_id}"; if (!$db->sql_query($sql)) { message_die(CRITICAL_ERROR, 'Error updating last visit time', '', __LINE__, __FILE__, $sql); } // Begin PNphpBB2 Module // } // End PNphpBB2 Module $userdata['user_lastvisit'] = $last_visit; // Begin PNphpBB2 Module /* // // Regenerate the auto-login key // if ($enable_autologin) { $auto_login_key = dss_rand() . dss_rand(); if (isset($sessiondata['autologinid']) && (string) $sessiondata['autologinid'] != '') { $sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . " SET last_ip = '$user_ip', key_id = '" . md5($auto_login_key) . "', last_login = $current_time WHERE key_id = '" . md5($sessiondata['autologinid']) . "'"; } else { $sql = 'INSERT INTO ' . SESSIONS_KEYS_TABLE . "(key_id, user_id, last_ip, last_login) VALUES ('" . md5($auto_login_key) . "', $user_id, '$user_ip', $current_time)"; } if ( !$db->sql_query($sql) ) { message_die(CRITICAL_ERROR, 'Error updating session key', '', __LINE__, __FILE__, $sql); } $sessiondata['autologinid'] = $auto_login_key; unset($auto_login_key); } else { $sessiondata['autologinid'] = ''; } // $sessiondata['autologinid'] = (!$admin) ? (( $enable_autologin && $sessionmethod == SESSION_METHOD_COOKIE ) ? $auto_login_key : '') : $sessiondata['autologinid']; */ // End PNphpBB2 Module $sessiondata['userid'] = $user_id; } $userdata['session_id'] = $session_id; $userdata['session_ip'] = $user_ip; $userdata['session_user_id'] = $user_id; $userdata['session_logged_in'] = $login; $userdata['session_page'] = $page_id; $userdata['session_start'] = $current_time; $userdata['session_time'] = $current_time; // Begin PNphpBB2 Module // $userdata['session_admin'] = $admin; // $userdata['session_key'] = $sessiondata['autologinid']; // End PNphpBB2 Module setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure); setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure); $SID = 'sid=' . $session_id; return $userdata; }