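/**
 * Validate the login carried in the session and load the current user.
 *
 * Reads `uid` and `pass` from $_SESSION, looks the account up in the auth
 * database, compares the session hash with the stored one, optionally
 * enforces admin-panel permission, runs the project's Secure session check
 * and finally hands a merged auth + website record to $CURUSER.
 *
 * When validation of a looked-up account fails (unknown id, hash mismatch,
 * no ACP permission, Secure check failure), $_SESSION is emptied and the
 * method returns without setting a record on $CURUSER. When the session has
 * no usable `uid`/`pass` at all, it returns without touching $_SESSION.
 *
 * NOTE(review): the session token compared here is the account's stored
 * password hash (40 characters, consistent with a hex SHA-1 digest), so the
 * token is only as secret as the accounts table and the session store. A
 * random per-login token would decouple the two; that change has to be made
 * together with the login code, which is not visible here.
 *
 * @param bool $ACP When true, the account must also pass
 *                  Permissions::IsAllowedToUseACP().
 *
 * @return void
 */
public static function userCheck($ACP = false)
{
    global $CURUSER, $AUTH_DB, $DB, $CORE;

    // Not logged in: nothing to validate. The session is left untouched.
    if (!isset($_SESSION['uid']) || !isset($_SESSION['pass'])) {
        return;
    }

    $id = (int) $_SESSION['uid'];
    $sessionHash = $_SESSION['pass'];

    // Reject a missing id or a hash of the wrong shape before touching the
    // database. The is_string() guard keeps strlen() from being called on a
    // non-string session value.
    if (!$id || !is_string($sessionHash) || strlen($sessionHash) !== 40) {
        return;
    }

    // Column-name map for the accounts table (project helper).
    $columns = CORE_COLUMNS::get('accounts');

    // Table and column names come from the project's own map, not from
    // request data; the id itself is bound as an integer parameter.
    $res = $AUTH_DB->prepare(
        "SELECT * FROM `" . $columns['self'] . "` WHERE `" . $columns['id'] . "` = :id LIMIT 1"
    );
    $res->bindParam(':id', $id, PDO::PARAM_INT);
    $res->execute();
    $row = $res->fetch();
    unset($res);

    // No such account: drop the session.
    if (!$row) {
        $_SESSION = array();
        return;
    }

    // Read the stored hash through the same column map used for the record
    // below; fall back to the literal column name the original code read.
    $storedHash = null;
    if (isset($columns['shapasshash'], $row[$columns['shapasshash']])) {
        $storedHash = $row[$columns['shapasshash']];
    } elseif (isset($row['sha_pass_hash'])) {
        $storedHash = $row['sha_pass_hash'];
    }

    // Case-insensitive, constant-time comparison (hash_equals needs PHP 5.6+),
    // so the time taken does not depend on how many leading characters match.
    if (!is_string($storedHash)
        || !hash_equals(strtolower($storedHash), strtolower($sessionHash))
    ) {
        $_SESSION = array();
        return;
    }

    // Admin control panel: the account must hold ACP permission.
    $perms = null;
    if ($ACP) {
        $perms = new Permissions($row[$columns['id']]);

        if (!$perms->IsAllowedToUseACP()) {
            $_SESSION = array();
            return;
        }
    }

    // Project session-integrity check. The meaning of the cb / cib options
    // is defined by the Secure class and is not visible here.
    $ss = new Secure();
    $ss->cb = true;
    $ss->cib = 2;
    $sessionOk = $ss->check();
    unset($ss);

    // A failed check is treated as a stolen session: empty it and stop.
    if (!$sessionOk) {
        $_SESSION = array();
        return;
    }

    // Attach the permissions object only once every check has passed, so a
    // rejected session never leaves admin permissions on $CURUSER.
    if ($perms !== null) {
        $CURUSER->setPermissionsObject($perms);
    }

    // Website-side record for the same account id.
    $res = $DB->prepare("SELECT * FROM `account_data` WHERE `id` = :id LIMIT 1");
    $res->bindParam(':id', $id, PDO::PARAM_INT);
    $res->execute();
    $webRow = $res->fetch(PDO::FETCH_ASSOC);
    unset($res);

    // Translate the auth row into the CMS's own field names.
    $fields = array(
        'id',
        'username',
        'shapasshash',
        'lastip',
        'lastlogin',
        'flags',
        'email',
        'joindate',
        'recruiter',
    );
    $newRow = array();
    foreach ($fields as $field) {
        $newRow[$field] = $row[$columns[$field]];
    }

    // array_merge lets a same-named key of the website row overwrite the
    // auth value, so account_data columns take precedence over the fields above.
    if ($webRow) {
        $newRow = array_merge($newRow, $webRow);
    }

    $CURUSER->setrecord($newRow);

    // Tag the session as logged in if it is not tagged yet.
    if (!isset($_SESSION['logged'])) {
        $_SESSION['logged'] = '1';
    }
}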