// Account-creation handler: takes the submitted signup fields, creates the
// account through the shared login library and bounces back to the page that
// posted the form (create_login.php, per the comment block below).
session_start();
include dirname(__FILE__) . "/login.inc.php";
$gString = getgString();

// protect if public signup is false
lib_login_protect_signup();

// NOTE(review): $cache, $username, $password, $passwordagain, $email,
// $question and $answer are never assigned in this script; presumably they
// arrive as request variables (register_globals-style) — confirm, since that
// makes every one of them untrusted client input.

// mailback account creation requires building a random password
if ($cache == "random") {
    $password = lib_login_create_random_passwd();
    $passwordagain = $password;
}

/*---------------------------------------------------------------------*
** it is the uber user... so we take $username, $password and         *
** $passwordagain and use it to create an account... then we redirect  *
** back to create_login.php                                            *
**---------------------------------------------------------------------*/
$error = lib_login_create_account($username, $password, $passwordagain, $email, $question, $answer);
// the result string travels back in a query string, hence the urlencode
$error = urlencode($error);

// find out where we came from, strip all GET vars off the URL
// NOTE(review): the Referer header is client-supplied; if $goback is later
// placed in a Location: header, an off-site Referer turns it into an open
// redirect. The redirect itself is outside this excerpt — confirm there.
$goback = GetReferer();
$goback = explode("?", $goback);
$goback = $goback[0];

// "success" survives urlencode() unchanged, so this compare is safe
if ($cache == "random" && $error == "success") {
    // do mail stuff here... and make an attempt at error checkin? huh?
    // NOTE(review): presumably the random password generated above is what
    // gets mailed here in clear text; the body of this block continues past
    // the end of this excerpt.
    $this_site = lib_login_get_this_site();
    $admin_email = lib_login_get_admin_email();
    // $gString[79] = "an account has been created for you at $this_site with
    //                 the following details"
    // $gString[2]  = "username"
    // $gString[3]  = "password"
    // $gString[80] = "your password reset question is:"
    // $gString[81] = "with the answer"
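/**
 * Validate a username/password pair against tbl_users.
 *
 * Flow: (1) first-run bootstrap of the uber user account when the configured
 * $UBER_USER/$UBER_PASS pair is presented and no such account exists yet;
 * (2) bad-attempt punishment when $PUNISH_BAD_ATTEMPTS is "TRUE"; (3) the
 * credential lookup itself. A failed login is logged, counted as a bad
 * attempt, and answered with a redirect to the login page followed by die(),
 * so the function only returns on success.
 *
 * @param string $username login name as submitted by the client (untrusted)
 * @param string $password plaintext password as submitted by the client (untrusted)
 * @return string username of the authenticated account ($UBER_USER on bootstrap)
 */
function lib_login_check_valid_lp($username, $password)
{
    global $UBER_USER;
    global $UBER_PASS;
    global $ADMIN_EMAIL;
    global $LOG_MESSAGE;
    global $HEADER_TAG_OPEN;
    global $HEADER_TAG_CLOSE;
    global $PUNISH_BAD_ATTEMPTS;
    global $gDB;
    // $gString was read in the bootstrap error path below without being
    // imported into function scope, so the configured error text never showed.
    global $gString;
    $db = $gDB;

    $username = (string) $username;
    $password = (string) $password;

    /*----------------------------------*
    ** uberuser account starts with     *
    ** $UBER_PASS as a password. when   *
    ** that combo is called we test to  *
    ** see if an account for it already *
    ** exists. if not, we make one.     *
    ** otherwise we pass on to the rest *
    ** of the function...               *
    **----------------------------------*/
    // hash_equals() replaces ==: it is constant-time and never applies PHP's
    // numeric-string juggling ("0e1" == "0e2" is true under ==).
    if (hash_equals((string) $UBER_USER, $username)
        && hash_equals((string) $UBER_PASS, $password)
        && !lib_login_account_exists($UBER_USER)) {
        $foo = lib_login_create_account($UBER_USER, $UBER_PASS, $UBER_PASS, $ADMIN_EMAIL, "", "");
        if ($foo != "success") {
            // $gString[64] = "a serious error has ocurred in creating the uber user account"
            // $gString[65] = "php_lib_login was unable to create the uber user account with
            //                 the data given. the following exception has been thrown:"
            // $gString[66] = "please consult your configuration and try again. this system
            //                 is completely insecure"
            echo "{$HEADER_TAG_OPEN} {$gString['64']} {$HEADER_TAG_CLOSE}";
            echo "{$HEADER_TAG_OPEN} {$gString['65']}:<p> <b>{$foo}</b><p>";
            echo $gString[66] . $HEADER_TAG_CLOSE;
        }
        return $UBER_USER;
    }

    $username = trim($username);
    $password = trim($password);
    // NOTE(review): the stored password form is an unsalted md5 digest. It is
    // kept only because tbl_users already holds md5 values and the account
    // creation path writes them; moving to password_hash()/password_verify()
    // is a schema-wide migration, not a local change.
    $password = md5($password);

    // Link back to the login page: the Referer with its query string removed.
    // The Referer is client-supplied, so an absolute URL pointing at another
    // host is discarded (falls back to "", exactly as a missing Referer does)
    // so the Location: redirects below cannot become an open redirect.
    $login_page = (string) GetReferer();
    $login_page_parts = explode("?", $login_page, 2);
    $login_page = $login_page_parts[0];
    $referer_host = parse_url($login_page, PHP_URL_HOST);
    $own_host = isset($_SERVER['HTTP_HOST']) ? (string) $_SERVER['HTTP_HOST'] : '';
    $own_host = parse_url('http://' . $own_host, PHP_URL_HOST);
    if (is_string($referer_host) && $referer_host !== ''
        && (!is_string($own_host) || strcasecmp($referer_host, $own_host) !== 0)) {
        $login_page = '';
    }

    // Punishment handling: a user currently on punishment time is bounced
    // before the credentials are checked; otherwise, if they have exceeded
    // their failed-attempt limit, punishment is enacted and this attempt is
    // still evaluated.
    if ($PUNISH_BAD_ATTEMPTS == "TRUE" && $username != $UBER_USER) {
        if (lib_login_test_bad_attempt_punishment($username)) {
            header("Location: {$login_page}?error=punished");
            lib_login_no_browser_redirect("{$login_page}?error=punished");
            die;
        }
        if (lib_login_test_bad_attempts($username)) {
            lib_login_enact_bad_attempt_punishment($username);
        }
    }

    /*----------------------------------*
    ** test for valid l/p               *
    **----------------------------------*/
    // Bound parameters instead of string interpolation: $username comes
    // straight from the client. An ADOdb-style Execute($sql, $bindVars) with
    // ? placeholders is assumed here — confirm against the $gDB driver in use.
    $sql_valid_lp_test = "SELECT * FROM tbl_users WHERE username = ? AND password = ?";
    $result = $db->Execute($sql_valid_lp_test, array($username, $password));

    // No row (or a failed query, should Execute report failure as false)
    // means the l/p is wrong: log it, count the bad attempt, and bounce to the
    // login page. Treating a query failure as an invalid login fails closed.
    if ($result === false || $result->EOF) {
        if ($username == $UBER_USER) {
            lib_login_write_log($LOG_MESSAGE[2], $username);
        } else {
            lib_login_write_log($LOG_MESSAGE[1], $username);
        }
        // if we have set a max on bad login attempts then log this bad attempt
        if ($PUNISH_BAD_ATTEMPTS == "TRUE" && $username != $UBER_USER) {
            lib_login_write_bad_attempt($username);
        }
        header("Location: {$login_page}?error=invalid");
        lib_login_no_browser_redirect("{$login_page}?error=invalid");
        die; // don't let the rest of the code run if login fails!!
    }

    // a successful login - clear the bad attempts, write the log, return the username
    if ($PUNISH_BAD_ATTEMPTS == "TRUE") {
        lib_login_clear_bad_attempts($username);
    }
    lib_login_write_log($LOG_MESSAGE[0], $username);
    return $result->Fields["username"];
}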