/**
 * Look up a user by login name and the value of the "session" cookie.
 *
 * The session value is verified inside SQL as md5(pass . ip): MySQL uses
 * concat(), every other engine the || operator. Name, the value returned by
 * get_session_ip($config) and the session value are all bound as query
 * parameters rather than interpolated.
 *
 * NOTE(review): the session token is an unsalted MD5 over the stored pass
 * column and the session IP; any change of digest here must be made together
 * with the code that issues the "session" cookie, or existing logins break.
 *
 * @param string $name    login name as stored in users.name
 * @param string $session raw value of the session cookie
 * @return User|null      the matching user, or null when no row is found
 */
public static function by_session($name, $session) {
    global $config, $database;
    $usesMysql = ($database->engine->name == "mysql");
    $query = $usesMysql
        ? "SELECT * FROM users WHERE name = ? AND md5(concat(pass, ?)) = ?"
        : "SELECT * FROM users WHERE name = ? AND md5(pass || ?) = ?";
    $params = array($name, get_session_ip($config), $session);
    $row = $database->get_row($query, $params);
    if (is_null($row)) {
        return null;
    }
    return new User($row);
}
$body .= "*** Please make sure you keep the original subject when replying us by email ***"; if ($_POST['reply_cc'] != $result['cc']) { $reply_text = "CC: " . $_POST['reply_cc'] . "\r\n" . $reply_text; } $reply_text = "To: " . $_POST['reply_to'] . "\r\n" . $reply_text; squery("INSERT INTO karnaf_replies(tid,reply,r_by,r_time,r_from,ip) VALUES(%d,'%s','%s',%d,'%s','%s')", $id, $reply_text, $nick, time(), $r_by, get_session_ip()); $newsubject = "[" . strtoupper($group) . "] Ticket #" . $result['id']; if (!empty($result['title'])) { $newsubject .= " - " . $result['title']; } send_mail($_POST['reply_to'], $newsubject, $body); send_mail($_POST['reply_cc'], $newsubject, $body); /* Don't update the user unless he was on the To or CC fields */ $email_update_str = ""; } else { squery("INSERT INTO karnaf_replies(tid,reply,r_by,r_time,r_from,ip) VALUES(%d,'%s','%s',%d,'%s','%s')", $id, $reply_text, $nick, time(), $r_by, get_session_ip()); $email_update_str = "A new reply was sent to you.\r\nReply message:\r\n" . $reply_text; } } $autostatus = "The ticket has been updated."; if ($result['private_actions']) { $is_private = 2; } else { $is_private = 0; } if ($_POST['close'] == "1") { if ($result['status'] == "0") { $autostatus = "The ticket is already closed."; } else { $autostatus = "The ticket has been closed."; if (isset($email_update_str) && strstr($email_update_str, "A new reply was sent to you.\r\nReply message:")) {
<td>Phone:</td> <td><input name="uphone" type="text"></td> </tr> <?php } ?> <tr> <td>IP:</td> <td> <?php if ($isoper) { ?> <input name="uip" type="text"> <?php } else { echo get_session_ip(); } ?> </td> </tr> <tr> <td>Update by Mail:</td> <td><input name="email_upd" type="checkbox" checked></td> </tr> <tr> <td>Update by Memo:</td> <td><input name="memo_upd" type="checkbox"<?php if ($nick != "Guest") { echo " checked"; } ?>
/**
 * Issue the "user" and "session" cookies after a login.
 *
 * "user" carries the plain name for one year. "session" carries
 * md5(md5(strtolower($name) . $pass) . $addr), where $addr is whatever
 * get_session_ip($config) returns, and lives login_memory days.
 *
 * NOTE(review): the session value is an unsalted MD5 chain rooted in the
 * password; it is only as strong as $pass. The lookup that validates the
 * cookie must compute the same value, so change both sides together.
 *
 * @param string $name
 * @param string $pass
 */
private function set_login_cookie($name, $pass) {
    global $config;
    $oneDay = 60 * 60 * 24;
    $addr = get_session_ip($config);
    $userHash = md5(strtolower($name) . $pass);
    $sessionValue = md5($userHash . $addr);
    set_prefixed_cookie("user", $name, time() + $oneDay * 365, '/');
    $sessionExpiry = time() + $oneDay * $config->get_int('login_memory');
    set_prefixed_cookie("session", $sessionValue, $sessionExpiry, '/');
}
/**
 * Issue the "user" and "session" cookies through the page object.
 *
 * "user" carries the plain name for one year. "session" carries
 * md5(passhash . $addr), where passhash is read from User::by_name($name)
 * and $addr from get_session_ip($config); it lives login_memory days.
 * $pass is accepted for signature compatibility but is not used here.
 *
 * NOTE(review): User::by_name($name) is dereferenced without a null check;
 * if it can return null for an unknown name, this would emit a warning and
 * hash an empty passhash. Presumably callers only reach this after a
 * successful login — verify.
 *
 * @param string $name
 * @param string $pass
 */
private function set_login_cookie($name, $pass) {
    global $config, $page;
    $oneDay = 60 * 60 * 24;
    $addr = get_session_ip($config);
    $passhash = User::by_name($name)->passhash;
    $sessionValue = md5($passhash . $addr);
    $page->add_cookie("user", $name, time() + $oneDay * 365, '/');
    $sessionExpiry = time() + $oneDay * $config->get_int('login_memory');
    $page->add_cookie("session", $sessionValue, $sessionExpiry, '/');
}
/**
 * Build the per-session auth token embedded in POST forms.
 *
 * Layering as designed by the author:
 *   passhash = bcrypt(password), stored instead of the password
 *   sesskey  = md5(passhash . IP), bound to the IP returned by get_session_ip()
 *   authtok  = md5(sesskey . "salty-csrf-" . salt), so a cached page does not
 *              reveal sesskey itself
 *
 * NOTE(review): the salt is the DATABASE_DSN constant, so the CSRF token is
 * derived from connection credentials. A dedicated secret would decouple the
 * two; swapping the salt invalidates every outstanding form token.
 *
 * @return string hex MD5 digest
 */
public function get_auth_token() {
    global $config;
    $salt = DATABASE_DSN;
    $addr = get_session_ip($config);
    $sessionKey = md5($this->passhash . $addr);
    return md5($sessionKey . "salty-csrf-" . $salt);
}
/**
 * Build the per-session auth token embedded in POST forms.
 *
 * Layering as described by the original author:
 *   passhash = md5(password), stored instead of the password
 *   sesskey  = md5(passhash . IP), bound to the IP returned by get_session_ip()
 *   authtok  = md5(sesskey . "salty-csrf-" . salt), so a cached page does not
 *              reveal sesskey itself
 *
 * NOTE(review): the salt is the raw contents of "config.php", read from a
 * relative path on every call. If the read fails, file_get_contents() returns
 * false, which concatenates as an empty string — the token is then computed
 * with no salt at all and no error is raised. A dedicated secret value would
 * be both cheaper and easier to rotate.
 *
 * @return string hex MD5 digest
 */
public function get_auth_token() {
    global $config;
    $salt = file_get_contents("config.php");
    $addr = get_session_ip($config);
    $sessionKey = md5($this->passhash . $addr);
    return md5($sessionKey . "salty-csrf-" . $salt);
}
/**
 * Append one row to ws_logs.
 *
 * Stores the current time, the action text, the acting nick (global $nick),
 * the log type and the value of get_session_ip(). The values are handed to
 * squery() as printf-style arguments; whether squery() escapes them before
 * building the statement is not visible here — verify before passing
 * untrusted text in $action.
 *
 * @param string $logtype category of the entry
 * @param string $action  free-text description of what happened
 * @return int always 1
 */
function add_log($logtype, $action) {
    global $nick;
    $sql = "INSERT INTO ws_logs(date,action,user,logtype,ip) VALUES(%d,'%s','%s','%s','%s')";
    $when = time();
    $addr = get_session_ip();
    squery($sql, $when, $action, $nick, $logtype, $addr);
    return 1;
}
<td>E-Mail:</td> <td><input name="uemail" id="uemail" type="text" value="<?=($isoper?"":$a_email)?>"></td> </tr> <? if(!defined("IRC_MODE")) { ?> <tr> <td>Phone:</td> <td><input name="uphone" type="text"></td> </tr> <? } ?> <tr> <td>IP:</td> <td> <? if($isoper) { ?> <input name="uip" type="text"> <? } else { ?> <?=get_session_ip()?> <? } ?> </td> </tr> <tr> <td>Update by Mail:</td> <td><input name="email_upd" type="checkbox" checked></td> </tr> <tr> <td>Update by Memo:</td> <td><input name="memo_upd" type="checkbox"<? if($nick != "Guest") echo " checked"; ?>></td> </tr> </table> </td> <td valign="top"> <table width="100%">