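/**
 * XML-RPC method: authenticate a user and add a flight from an IGC file the caller hosts.
 *
 * $args is positional (as read below): 0 username, 1 password, 2 igcURL,
 * 3 igcFilename (name for the temp copy), 4 private, 5 cat, 6 linkURL,
 * 7 comments, 8 glider, 9 clientID, 10 clientPass.
 *
 * Returns the new flight id on success, otherwise an IXR_Error:
 *   200 client authentication or user lookup failed
 *   201 wrong password (unless the client is allowed to upload without one)
 *   202 temp file name/path unusable
 *   203 IGC could not be fetched from igcURL (or igcURL is not http/https)
 *   204 IGC could not be written to the temp file
 *   500 addFlightFromFile rejected the file
 *
 * Side effects: writes the IGC under $CONF['paths']['tmpigc'] and sets
 * error_reporting(0) before calling addFlightFromFile (kept from the original).
 */
function flights_submit($args)
{
    global $db, $CONF;
    require_once dirname(__FILE__) . "/FN_flight.php";

    // All of these are attacker-controlled XML-RPC parameters.
    $username    = isset($args[0]) ? (string) $args[0] : '';
    $passwd      = isset($args[1]) ? (string) $args[1] : '';
    $igcURL      = isset($args[2]) ? (string) $args[2] : '';
    $igcFilename = isset($args[3]) ? (string) $args[3] : '';
    $private     = isset($args[4]) ? $args[4] : null;
    $cat         = isset($args[5]) ? $args[5] : null;
    $linkURL     = isset($args[6]) ? $args[6] : null;
    $comments    = isset($args[7]) ? $args[7] : null;
    $glider      = isset($args[8]) ? $args[8] : null;
    $clientID    = isset($args[9]) ? $args[9] : null;
    $clientPass  = isset($args[10]) ? $args[10] : null;

    // A registered client (another server) may be configured to upload flights
    // on behalf of users without knowing their password.
    $allowUploadWithoutPassword = 0;
    if ($clientID) {
        if (!clientCheck($clientID, $clientPass)) {
            return new IXR_Error(200, "Client {$clientID} authentication failed");
        }
        if (!empty($CONF['servers']['list'][$clientID]['allowUploadWithoutPassword'])) {
            $allowUploadWithoutPassword = 1;
        }
    }

    // The username is interpolated into SQL: escape quotes and backslashes.
    // addslashes is adequate for MySQL's default escaping rules; $db only exposes
    // sql_query/sql_fetchrow as far as this file shows, so no driver-level escape
    // or prepared statement is available here — prefer one if the DB layer gains it.
    $userLower = addslashes(strtolower($username));

    $sql = "SELECT " . $CONF['userdb']['user_id_field'] . ", "
         . $CONF['userdb']['username_field'] . ", "
         . $CONF['userdb']['password_field']
         . " FROM " . $CONF['userdb']['users_table']
         . " WHERE LOWER(" . $CONF['userdb']['username_field'] . ") = '" . $userLower . "'";
    if (!($result = $db->sql_query($sql))) {
        return new IXR_Error(200, "Error in obtaining userdata for {$username}");
    }

    // Optional separate password table (takes precedence over the users table hash).
    $passwordHashed = '';
    if (!empty($CONF['userdb']['password_users_table'])) {
        $sql2 = "SELECT " . $CONF['userdb']['password_username_field'] . ", "
              . $CONF['userdb']['password_password_field']
              . " FROM " . $CONF['userdb']['password_users_table']
              . " WHERE LOWER(" . $CONF['userdb']['password_username_field'] . ") = '" . $userLower . "'";
        if (!($result2 = $db->sql_query($sql2))) {
            return new IXR_Error(200, "Error in obtaining userdata2 for {$username}");
        }
        if ($row2 = $db->sql_fetchrow($result2)) {
            $passwordHashed = $row2[$CONF['userdb']['password_password_field']];
        }
    }

    if (!($row = $db->sql_fetchrow($result))) {
        return new IXR_Error(200, "Error in obtaining userdata for {$username}");
    }
    if (!$passwordHashed) {
        $passwordHashed = $row[$CONF['userdb']['password_field']];
    }

    $passwdProblems = 0;
    if (function_exists('leonardo_check_password')) {
        // phpBB3 installs provide their own hash verifier.
        if (!leonardo_check_password($passwd, $passwordHashed)) {
            $passwdProblems = 1;
        }
    } else {
        // Legacy md5 hashes. Compare strictly: `!=` between two numeric-looking
        // strings (e.g. "0e1234...") is a float comparison in PHP and would accept
        // any password whose md5 starts with "0e". hash_equals (PHP >= 5.6) also
        // avoids leaking the mismatch position through timing.
        $expected = (string) $passwordHashed;
        $computed = md5($passwd);
        $same = function_exists('hash_equals')
            ? hash_equals($expected, $computed)
            : ($expected === $computed);
        if (!$same) {
            $passwdProblems = 1;
        }
    }

    // A trusted client may bypass the password so it can mass-upload flights.
    if ($passwdProblems && !$allowUploadWithoutPassword) {
        return new IXR_Error(201, "Error in password for {$username}");
    }
    // Column name kept literal, matching the rest of this codebase.
    $userID = $row['user_id'];

    // The caller names the temp file: refuse anything that is not a plain file
    // name ("../x", "/etc/..", "", ".", "..") so it cannot escape tmpigc.
    $safeName = basename($igcFilename);
    if ($safeName === '' || $safeName === '.' || $safeName === '..' || $safeName !== $igcFilename) {
        return new IXR_Error(202, "Cannot open file ({$igcFilename})");
    }
    $filename = LEONARDO_ABS_PATH . '/' . $CONF['paths']['tmpigc'] . '/' . $safeName;

    $igcURL = rawurldecode($igcURL);
    // The server fetches whatever URL the caller supplies. Restrict to http(s)
    // so non-web schemes cannot be requested (fetchURL's transport is not visible
    // here). NOTE(review): this does not restrict the target host/IP, so
    // internal-network targets are still reachable unless fetchURL filters them.
    $scheme = strtolower((string) parse_url($igcURL, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return new IXR_Error(203, "Cannot get igcURL ({$igcURL})");
    }

    if (!($handle = fopen($filename, 'w'))) {
        return new IXR_Error(202, "Cannot open file ({$filename})");
    }
    $igcStr = fetchURL($igcURL, 10); // 10 second timeout
    if (!$igcStr) {
        fclose($handle);
        @unlink($filename); // don't leave an empty temp file behind
        return new IXR_Error(203, "Cannot get igcURL ({$igcURL})");
    }
    if (!fwrite($handle, $igcStr)) {
        fclose($handle);
        return new IXR_Error(204, "Cannot write to file ({$filename})");
    }
    fclose($handle);

    // addFlightFromFile prints diagnostics; buffer and discard them so they
    // cannot corrupt the XML-RPC response body.
    error_reporting(0);
    ob_start();
    list($errCode, $flightID) = addFlightFromFile($filename, 0, $userID, array(
        'private'  => $private,
        'cat'      => $cat,
        'category' => 1,
        'linkURL'  => $linkURL,
        'comments' => $comments,
        'glider'   => $glider,
    ));
    ob_end_clean();
    $flightID = (int) $flightID;

    if ($errCode == 1 && $flightID != 0) {
        return $flightID;
    }
    if ($errCode == 1) {
        // Parsed without error but produced no flight.
        $errStr = "The IGC file did not contain a valid flight";
    } else {
        $errStr = htmlspecialchars(getAddFlightErrMsg($errCode, $flightID));
    }
    return new IXR_Error(500, $errStr);
}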
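// Login check for the posted credentials, then the temp IGC path (script fragment).
// $user and $pass are assigned earlier in this script and are not visible here.
// $user is interpolated into SQL below, so it is escaped for this query without
// altering $user itself. addslashes is correct when $user is the raw POST value
// (PHP >= 5.4, no magic quotes) and remains safe if it was pre-processed with the
// str_replace("\\'", "''") idiom used elsewhere in this codebase.
$userSql = addslashes((string) $user);
$sql = "SELECT " . $CONF['userdb']['user_id_field'] . ", "
     . $CONF['userdb']['username_field'] . ", "
     . $CONF['userdb']['password_field']
     . " FROM " . $CONF['userdb']['users_table']
     . " WHERE " . $CONF['userdb']['username_field'] . " = '{$userSql}'";
if (!($result = $db->sql_query($sql))) {
    echo "Invalid user data<BR>";
    exit;
}

$passwdProblems = 0;
if ($row = $db->sql_fetchrow($result)) {
    $passwordHashed = (string) $row['user_password'];
    if (function_exists('leonardo_check_password')) {
        // phpBB3 installs provide their own hash verifier.
        if (!leonardo_check_password($pass, $passwordHashed)) {
            $passwdProblems = 1;
        }
    } else {
        // Legacy md5: strict, constant-time compare. `!=` on two numeric-looking
        // hashes (e.g. "0e...") compares them as floats and would accept wrong passwords.
        $computed = md5((string) $pass);
        $same = function_exists('hash_equals')
            ? hash_equals($passwordHashed, $computed)
            : ($passwordHashed === $computed);
        if (!$same) {
            $passwdProblems = 1;
        }
    }
} else {
    // Unknown user: same message as a wrong password, so usernames are not enumerable.
    $passwdProblems = 1;
}
if ($passwdProblems) {
    echo "Invalid user data<BR></BODY></HTML>";
    exit;
}
$userID = $row['user_id'];

// The client picks the temp-file name; keep only the base name so "../../x" or
// an absolute path cannot escape $CONF['paths']['tmpigc']. ".igc" is appended,
// so "." / ".." cannot become directory references.
$igcBase = isset($_POST['igcfn']) ? basename((string) $_POST['igcfn']) : '';
$filename = LEONARDO_ABS_PATH . '/' . $CONF['paths']['tmpigc'] . '/' . $igcBase . ".igc";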
} if (isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($HTTP_POST_VARS['logout']) || isset($HTTP_GET_VARS['logout'])) { if ((isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login'])) && (!$userdata['session_logged_in'] || isset($HTTP_POST_VARS['admin']))) { $username = isset($HTTP_POST_VARS['username']) ? phpbb_clean_username($HTTP_POST_VARS['username']) : ''; $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : ''; $sql = "SELECT user_id, username, user_password, user_active, user_level\n\t\t\tFROM " . USERS_TABLE . "\n\t\t\tWHERE username = '******'", "''", $username) . "'"; if (!($result = $db->sql_query($sql))) { message_die(GENERAL_ERROR, 'Error in obtaining userdata', '', __LINE__, __FILE__, $sql); } if ($row = $db->sql_fetchrow($result)) { if ($row['user_level'] != ADMIN && $board_config['board_disable']) { redirect(append_sid(getLeonardoLink(array('op' => $CONF_main_page)), true)); } else { if (function_exists('leonardo_check_password')) { // phpbb3 has custom way of hashing passwords if (leonardo_check_password($password, $row['user_password'])) { $passwdIsOK = 1; } else { $passwdIsOK = 0; } } else { if (md5($password) == $row['user_password']) { $passwdIsOK = 1; } else { $passwdIsOK = 0; } } if ($passwdIsOK && $row['user_active']) { $autologin = isset($HTTP_POST_VARS['autologin']) ? TRUE : 0; $admin = isset($HTTP_POST_VARS['admin']) ? 1 : 0; $session_id = session_begin($row['user_id'], $user_ip, PAGE_INDEX, FALSE, $autologin, $admin);
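log_msg($pname."=".$pval."\r\n"); } }*/

// Credentials come straight from the POST body. $user/$pass keep the values the
// rest of this script expects (the str_replace only neutralises a quote that
// magic_quotes_gpc had already backslash-escaped; on PHP >= 5.4 it is a no-op).
$user = str_replace("\\'", "''", isset($_POST['user']) ? (string) $_POST['user'] : '');
$pass = str_replace("\\'", "''", isset($_POST['pass']) ? (string) $_POST['pass'] : '');

// $user is interpolated into SQL: without magic quotes a bare quote would reach
// the query unescaped. Escape a copy for this query; addslashes leaves the
// already-doubled quotes from the str_replace above intact, so both cases are safe.
$userSql = addslashes($user);
$sql = "SELECT " . $CONF['userdb']['user_id_field'] . ", "
     . $CONF['userdb']['username_field'] . ", "
     . $CONF['userdb']['password_field']
     . " FROM " . $CONF['userdb']['users_table']
     . " WHERE " . $CONF['userdb']['username_field'] . " = '{$userSql}'";
if (!($result = $db->sql_query($sql))) {
    echo "Invalid user data<BR>";
    exit;
}

$passwdProblems = 0;
if ($row = $db->sql_fetchrow($result)) {
    $passwordHashed = (string) $row['user_password'];
    if (function_exists('leonardo_check_password')) {
        // phpBB3 installs provide their own hash verifier.
        if (!leonardo_check_password($pass, $passwordHashed)) {
            $passwdProblems = 1;
        }
    } else {
        // Legacy md5: strict, constant-time compare. `!=` on two numeric-looking
        // hashes (e.g. "0e...") compares them as floats and would accept wrong passwords.
        $computed = md5($pass);
        $same = function_exists('hash_equals')
            ? hash_equals($passwordHashed, $computed)
            : ($passwordHashed === $computed);
        if (!$same) {
            $passwdProblems = 1;
        }
    }
} else {
    // Unknown user: same message as a wrong password, so usernames are not enumerable.
    $passwdProblems = 1;
}
if ($passwdProblems) {
    echo "Invalid user data<BR></BODY></HTML>";
    exit;
}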