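/**
 * Checks what a user entered against the actual password on their account.
 *
 * Stored formats are recognised in this order:
 *   "**<plaintext>"                  forced plaintext, to allow easier admin setting
 *   "$..."                           WordPress/phpass hash (only when $c->wp_includes is set)
 *   "*<salt>*{SSHA}<salted_sha1>"    salted SHA-1, OpenLDAP-compatible
 *   "*MD5*<md5>"                     unsalted MD5
 *   "*<salt>*<salted_md5>"           salted MD5
 * Anything else never matches.
 *
 * All comparisons use hash_equals() (PHP >= 5.6): strict string equality in
 * constant time, instead of the loose "==" the previous version used.
 *
 * @param string $they_sent What the user entered.
 * @param string $we_have   What we have in the database as their password.
 * @return boolean Whether or not the user's attempt matches what is already on file.
 */
function session_validate_password($they_sent, $we_have) {
  global $c;

  // hash_equals() requires two strings; normalise here so a missing form
  // field (null) compares as "" rather than raising a TypeError.
  $they_sent = (string) $they_sent;
  $we_have = (string) $we_have;

  if (preg_match('/^\\*\\*.+$/', $we_have)) {
    // The "forced" style of "**plaintext" to allow easier admin setting
    return hash_equals($we_have, '**' . $they_sent);
  }

  if (isset($c->wp_includes) && substr($we_have, 0, 1) == '$') {
    // Include WordPress password handling, if it's in the path.
    // Fixes two defects in the earlier version: substring() does not exist
    // in PHP (substr() is meant), and CheckPassword() was passed the undefined
    // $password/$hash instead of this function's own arguments.
    $phpass = $c->wp_includes . '/class-phpass.php';
    if (is_readable($phpass)) {
      require_once $phpass;
    }
    if (class_exists('PasswordHash')) {
      $wp_hasher = new PasswordHash(8, true);
      return (bool) $wp_hasher->CheckPassword($they_sent, $we_have);
    }
  }

  if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $we_have, $regs)) {
    if (function_exists("session_salted_sha1")) {
      // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
      $salt = $regs[1];
      $sha1_sent = (string) session_salted_sha1($they_sent, $salt);
      return hash_equals($we_have, $sha1_sent);
    }
    dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
    echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are using PHP4.
You will need to assign a new password to this user using PHP4, or ensure you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
    exit;
  }

  if (preg_match('/^\\*MD5\\*.+$/', $we_have)) {
    // A crappy unsalted md5sum like "*MD5*<md5>"
    $md5_sent = (string) session_simple_md5($they_sent);
    return hash_equals($we_have, $md5_sent);
  }

  if (preg_match('/^\\*(.+)\\*.+$/', $we_have, $regs)) {
    // A nicely salted md5sum like "*<salt>*<salted_md5>"
    $salt = $regs[1];
    $md5_sent = (string) session_salted_md5($they_sent, $salt);
    return hash_equals($we_have, $md5_sent);
  }

  // Anything else is bad
  return false;
}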
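/**
 * Checks what a user entered against the actual password on their account.
 *
 * Stored formats are recognised in this order:
 *   "**<plaintext>"                  forced plaintext, to allow easier admin setting
 *   "*<salt>*{SSHA}<salted_sha1>"    salted SHA-1, OpenLDAP-compatible
 *   "*<salt>*<salted_md5>"           salted MD5
 * Anything else never matches.
 *
 * NOTE(review): this listing also carries an earlier definition of
 * session_validate_password() that additionally handles WordPress and
 * unsalted "*MD5*" hashes; PHP cannot load both definitions in one file.
 *
 * Comparisons use hash_equals() (PHP >= 5.6): strict string equality in
 * constant time, instead of the loose "==" the previous version used.
 *
 * @param string $they_sent What the user entered.
 * @param string $we_have   What we have in the database as their password.
 * @return boolean Whether or not the user's attempt matches what is already on file.
 */
function session_validate_password($they_sent, $we_have) {
  // hash_equals() requires two strings; a missing form field (null) must
  // compare as "" rather than raise a TypeError.
  $attempt = (string) $they_sent;
  $stored = (string) $we_have;

  if (preg_match('/^\\*\\*.+$/', $stored)) {
    // The "forced" style of "**plaintext" to allow easier admin setting
    return hash_equals($stored, '**' . $attempt);
  }

  if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $stored, $regs)) {
    if (!function_exists("session_salted_sha1")) {
      dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
      echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are using PHP4. You will need to assign a new password to this user using PHP4, or ensure you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
      exit;
    }
    // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
    $candidate = (string) session_salted_sha1($attempt, $regs[1]);
    return hash_equals($stored, $candidate);
  }

  if (preg_match('/^\\*(.+)\\*.+$/', $stored, $regs)) {
    // A nicely salted md5sum like "*<salt>*<salted_md5>"
    $candidate = (string) session_salted_md5($attempt, $regs[1]);
    return hash_equals($stored, $candidate);
  }

  // Anything else is bad
  return false;
}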
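/**
 * Build SQL INSERT/UPDATE statement from an associative array of fieldnames => values.
 *
 * Only columns reported by get_fields($tablename) are emitted. A value that is
 * missing from $obj but present as $obj->xxxx<field> is copied across first.
 * A "password" value is skipped when it is "******" or empty, and hashed unless
 * it already looks like "*<salt>*<hash>". Values are rendered as SQL literals
 * according to the column type (NULL for empty date/time/interval, TRUE/FALSE
 * for bool, bare integer for int, quoted text, and "'...'::type" otherwise).
 *
 * SECURITY NOTE(review): this builds SQL by string interpolation. Values are
 * escaped only by doubling backslashes and single quotes, which is correct for
 * a backend that treats backslash as an escape inside '...' (the ::type casts
 * suggest PostgreSQL with standard_conforming_strings off). $tablename, $where
 * and the column names from get_fields() are interpolated with no escaping at
 * all, so callers must never derive them from untrusted input. Prepared
 * statements with bound parameters are the safer replacement where the
 * calling code allows it.
 *
 * @param object $obj       The object of fieldnames => values.
 * @param string $type      The word "update" or something else (which implies "insert").
 * @param string $tablename The name of the table being updated.
 * @param string $where     What the "WHERE ..." clause needs to be for an UPDATE statement.
 * @param string $fprefix   An optional prefix for fieldnames; accepted but currently unused.
 * @return string An SQL Update or Insert statement with all fields/values from the array.
 */
function sql_from_object($obj, $type, $tablename, $where, $fprefix = "") {
  $fields = get_fields($tablename);
  $update = strtolower($type) === "update";

  $flst = "";
  $vlst = "";
  foreach ($fields as $fn => $typ) {
    dbg_error_log("DataUpdate", ":sql_from_object: %s => %s (%s)", $fn, $typ, isset($obj->{$fn}) ? $obj->{$fn} : "[undefined value]");

    if (!isset($obj->{$fn}) && isset($obj->{"xxxx{$fn}"})) {
      // Sometimes we will have prepended 'xxxx' to the field name so that the field
      // name differs from the column name in the database.
      $obj->{$fn} = $obj->{"xxxx{$fn}"};
    }
    if (!isset($obj->{$fn})) {
      continue;
    }

    // Escape for a single-quoted SQL literal: backslashes first, then quotes.
    // str_replace() always yields a string here, so later checks can be strict.
    $value = str_replace("'", "''", str_replace("\\", "\\\\", $obj->{$fn}));

    if ($fn === "password") {
      if ($value === "******" || $value === "") {
        // Placeholder or blank: leave the stored password untouched.
        continue;
      }
      if (!preg_match('/\\*[0-9a-z]+\\*[0-9a-z{}]+/i', $value)) {
        // Not already in "*<salt>*<hash>" form: hash with the strongest helper
        // available. The bare md5() fallback is weak and only runs when
        // neither session helper is loaded.
        if (function_exists("session_salted_sha1")) {
          $value = session_salted_sha1($value);
        }
        elseif (function_exists('session_salted_md5')) {
          $value = session_salted_md5($value);
        }
        else {
          $value = md5($value);
        }
      }
    }

    if (preg_match('{^(time|date|interval)}i', $typ) && $value === "") {
      $value = "NULL";
    }
    elseif (preg_match('{^bool}i', $typ)) {
      // "" and "0" (the strings PHP treats as false) plus an explicit f/off/no
      // become FALSE; everything else becomes TRUE. The earlier ternary also
      // had a NULL arm, but it was unreachable.
      $is_false = $value === '' || $value === '0' || in_array($value, array('f', 'off', 'no'), true);
      $value = $is_false ? "FALSE" : "TRUE";
    }
    elseif (preg_match('{^interval}i', $typ)) {
      $value = "'{$value}'::{$typ}";
    }
    elseif (preg_match('{^int}i', $typ)) {
      $value = $value === '' ? 'NULL' : intval($value);
    }
    elseif (preg_match('{^bit}i', $typ)) {
      $value = $value === '' ? 'NULL' : "'{$value}'";
    }
    elseif (preg_match('{^(text|varchar)}i', $typ)) {
      $value = "'{$value}'";
    }
    else {
      $value = "'{$value}'::{$typ}";
    }

    if ($update) {
      $flst .= ", {$fn} = {$value}";
    }
    else {
      $flst .= ", {$fn}";
      $vlst .= ", {$value}";
    }
  }

  // Drop the leading ", " from the accumulated lists.
  $flst = substr($flst, 2);
  $vlst = substr($vlst, 2);

  if ($update) {
    return "UPDATE {$tablename} SET {$flst} {$where}; ";
  }
  return "INSERT INTO {$tablename} ({$flst}) VALUES( {$vlst} ); ";
}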