Exemplo n.º 1
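/**
 * Check if the user is who he/she says he is.
 *
 * - Makes sure the user is who they claim to be by requiring a password to be typed in every hour
 *   (70 minutes when $_GET['xml'] is set).
 * - Is turned on and off by the securityDisable setting ('securityDisable_' . $type for non-admin types).
 * - A successful check is recorded in $_SESSION[$type . '_time']; a still-valid admin_time satisfies
 *   every other type as well.
 * - Uses the adminLogin() function of Subs-Auth.php if they need to login, which saves all request
 *   (post and get) data.
 *
 * @param string $type 'admin' (default), 'moderate', or a type registered by an
 *                     integrate_validateSession hook; anything else falls back to 'admin'.
 * @return string|null 'session_verify_fail' when the check fails in XML mode, otherwise nothing.
 */
function validateSession($type = 'admin')
{
    global $modSettings, $sourcedir, $user_info, $sc, $user_settings;

    // We don't care if the option is off, because Guests should NEVER get past here.
    is_not_guest();

    // Validate what type of session check this is. $types is handed over by reference so hooked
    // functions can register extra types; passed by value the list could never be filled.
    $types = array();
    call_integration_hook('integrate_validateSession', array(&$types));
    $type = in_array($type, $types, true) || $type === 'moderate' ? $type : 'admin';

    // If we're using XML give an additional ten minutes grace as an admin can't log on in XML mode.
    $refreshTime = isset($_GET['xml']) ? 4200 : 3600;

    // Is the security option off?
    if (!empty($modSettings['securityDisable' . ($type != 'admin' ? '_' . $type : '')])) {
        return;
    }

    // Or are they already verified? A fresh admin session also covers the other types.
    $now = time();
    $typeStillValid = !empty($_SESSION[$type . '_time']) && $_SESSION[$type . '_time'] + $refreshTime >= $now;
    $adminStillValid = !empty($_SESSION['admin_time']) && $_SESSION['admin_time'] + $refreshTime >= $now;
    if ($typeStillValid || $adminStillValid) {
        return;
    }

    require_once $sourcedir . '/Subs-Auth.php';

    // Hashed password, ahoy! Only a 40-character string is accepted; an array-valued field
    // (e.g. admin_hash_pass[]=x) is ignored instead of reaching strlen().
    $hashField = $type . '_hash_pass';
    if (isset($_POST[$hashField]) && is_string($_POST[$hashField]) && strlen($_POST[$hashField]) == 40) {
        checkSession();
        $postedHash = $_POST[$hashField];
        $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $postedHash, true)), true);

        // hash_equals() instead of ==: a loose comparison treats two "0e<digits>" strings as equal
        // numbers and is not constant-time.
        if ($good_password || hash_equals(sha1($user_info['passwd'] . $sc), $postedHash)) {
            $_SESSION[$type . '_time'] = time();
            return;
        }
    }

    // Posting the password... check it.
    // NOTE(review): the stored hash is a single SHA-1 over lower-cased username + password; moving to
    // password_hash()/password_verify() needs a stored-hash migration outside this function.
    $passField = $type . '_pass';
    if (isset($_POST[$passField]) && is_string($_POST[$passField])) {
        checkSession();
        $postedPassword = $_POST[$passField];
        $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $postedPassword, false)), true);

        // Password correct?
        if ($good_password || hash_equals((string) $user_info['passwd'], sha1(strtolower($user_info['username']) . $postedPassword))) {
            $_SESSION[$type . '_time'] = time();
            return;
        }
    }

    // OpenID?
    // NOTE(review): the timestamp is set unconditionally after smf_openID_revalidate(); this relies on
    // that helper not returning when re-validation is still pending - confirm.
    if (!empty($user_settings['openid_uri'])) {
        require_once $sourcedir . '/Subs-OpenID.php';
        smf_openID_revalidate();
        $_SESSION[$type . '_time'] = time();
        return;
    }

    // Need to type in a password for that, man.
    if (!isset($_GET['xml'])) {
        adminLogin($type);
    } else {
        return 'session_verify_fail';
    }
}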
Exemplo n.º 2
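/**
 * Require the current member to have re-entered their password recently before admin access.
 *
 * Guests are rejected via is_not_guest(). The check is skipped when $modSettings['securityDisable']
 * is non-empty or when $_SESSION['admin_time'] is less than an hour old (70 minutes when
 * $_GET['xml'] is set). Otherwise a posted password (plain or pre-hashed) or an OpenID
 * re-validation refreshes admin_time; failing that, adminLogin() from Subs-Auth.php is called.
 */
function validateSession()
{
    global $modSettings, $sourcedir, $user_info, $sc, $user_settings;

    // We don't care if the option is off, because Guests should NEVER get past here.
    is_not_guest();

    // If we're using XML give an additional ten minutes grace as an admin can't log on in XML mode.
    $refreshTime = isset($_GET['xml']) ? 4200 : 3600;

    // Is the security option off?
    if (!empty($modSettings['securityDisable'])) {
        return;
    }

    // Or are they already logged in?
    if (!empty($_SESSION['admin_time']) && $_SESSION['admin_time'] + $refreshTime >= time()) {
        return;
    }

    require_once $sourcedir . '/Subs-Auth.php';

    // Hashed password, ahoy! Array-valued input is ignored rather than passed to strlen().
    if (isset($_POST['admin_hash_pass']) && is_string($_POST['admin_hash_pass']) && strlen($_POST['admin_hash_pass']) == 40) {
        checkSession();
        $postedHash = $_POST['admin_hash_pass'];
        $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $postedHash, true)), true);

        // hash_equals() replaces ==, which compares "0e<digits>" strings numerically and leaks timing.
        if ($good_password || hash_equals(sha1($user_info['passwd'] . $sc), $postedHash)) {
            $_SESSION['admin_time'] = time();
            unset($_SESSION['request_referer']);
            return;
        }
    }

    // Posting the password... check it.
    // NOTE(review): single-round SHA-1 over username + password is a weak stored-hash format;
    // upgrading it requires a migration outside this function.
    if (isset($_POST['admin_pass']) && is_string($_POST['admin_pass'])) {
        checkSession();
        $postedPassword = $_POST['admin_pass'];
        $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $postedPassword, false)), true);

        // Password correct?
        if ($good_password || hash_equals((string) $user_info['passwd'], sha1(strtolower($user_info['username']) . $postedPassword))) {
            $_SESSION['admin_time'] = time();
            unset($_SESSION['request_referer']);
            return;
        }
    }

    // OpenID?
    // NOTE(review): admin_time is set unconditionally after smf_openID_revalidate(); this relies on
    // that helper not returning while re-validation is pending - confirm.
    if (!empty($user_settings['openid_uri'])) {
        require_once $sourcedir . '/Subs-OpenID.php';
        smf_openID_revalidate();
        $_SESSION['admin_time'] = time();
        unset($_SESSION['request_referer']);
        return;
    }

    // Better be sure to remember the real referer. The Referer header is client-supplied, so the
    // parsed value kept in the session must be treated as untrusted by whoever reads it back.
    if (empty($_SESSION['request_referer'])) {
        $_SESSION['request_referer'] = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
    } elseif (empty($_POST)) {
        unset($_SESSION['request_referer']);
    }

    // Need to type in a password for that, man.
    adminLogin();
}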
<?php

require 'controller.php';
require 'session.php';
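// Read the submitted credentials. A missing or array-valued field (e.g. email[]=x) is treated as
// empty so it never reaches the login helpers or raises an "undefined index" notice.
$email = isset($_POST['email']) && is_string($_POST['email']) ? $_POST['email'] : '';
$password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
$type = isset($_POST['type']) && is_string($_POST['type']) ? $_POST['type'] : '';

// Only the exact string 'admin' selects the admin login path; everything else is a normal login.
$message = false;
if ($email !== '' && $password !== '') {
    $message = $type === 'admin' ? adminLogin($email, $password) : login($email, $password);
}

if ($message) {
    // NOTE(review): $type is client-supplied and forwarded verbatim; confirm setSession() does not
    // derive privileges from it and that it rotates the session id on login.
    echo setSession($email, $type, $message);
} else {
    // Failed login: echo false prints an empty body, as before.
    echo false;
}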
Exemplo n.º 4
<?php

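session_start();
include "dbconnection.php";

// Accept only string input; an array-valued parameter would otherwise reach md5()/clean().
$rawEmail = isset($_REQUEST['email']) && is_string($_REQUEST['email']) ? $_REQUEST['email'] : '';
$rawPassword = isset($_REQUEST['password']) && is_string($_REQUEST['password']) ? $_REQUEST['password'] : '';

// NOTE(review): unsalted MD5 is not a password hash. The format is dictated by what adminLogin()
// and the database store, so it is kept here; migrate to password_hash()/password_verify().
$email = clean($rawEmail);
$password = clean(md5($rawPassword));

// NOTE(review): adminLogin() appears to return a legacy mysql_* result; that extension no longer
// exists in PHP 7+, and whether the query is parameterised cannot be seen from this file.
$result = adminLogin($email, $password);
$row = $result ? mysql_fetch_array($result) : false;

// A missing row must fail closed instead of comparing NULL columns against the input.
$authenticated = is_array($row)
    && (string) $row['email'] === (string) $email
    && hash_equals((string) $row['password'], (string) $password);

if ($authenticated) {
    // Rotate the session id on login so a pre-set session id cannot be reused (session fixation).
    session_regenerate_id(true);

    $_SESSION['email'] = $row['email'];
    // NOTE(review): keeping the password hash in the session is unnecessary; kept only because other
    // pages (not shown) may read it.
    $_SESSION['password'] = $row['password'];
    $_SESSION['fullname'] = $row['fullname'];
    $_SESSION['user_id'] = $row['user_id'];

    $destination = $_SESSION['fullname'] == 'Administrator' ? 'dashboard.php' : 'momforum.php';

    if (isset($_REQUEST['rememberme'])) {
        // Preserved from the original: "remember me" always lands on dashboard.php, even for
        // non-administrators - confirm this is intended.
        $destination = 'dashboard.php';

        $useTls = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        $expires = time() + 60 * 60 * 24 * 100;
        setcookie("email", $_SESSION['email'], $expires, "/", "", $useTls, true);
        // NOTE(review): this writes the plaintext password into a 100-day cookie. Replace it with a
        // random, server-side-stored token; kept (now HttpOnly) only for compatibility with pages
        // not shown here.
        setcookie("password", $rawPassword, $expires, "/", "", $useTls, true);
        // Dropped: setcookie($_COOKIE['email'], $_COOKIE['password'], $expire) used an undefined
        // $expire and created a cookie named after the previous e-mail value.
    }

    header("location:" . $destination);
    exit;
}

header("location:index.php?msg");
exit;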
Exemplo n.º 5
        }
    }
}
/****************************************************************************
* Action Handler
*****************************************************************************/
// Dispatch the posted admin action to its handler; unknown actions are ignored.
// NOTE(review): no login or CSRF-token check is visible in this fragment before saveBaseURL() /
// addLicenseKey() run - confirm the handlers (or code above) enforce them.
if (array_key_exists('action', $_POST)) {
    $requestedAction = $_POST['action'];

    if ($requestedAction == 'update_base_url') {
        saveBaseURL();
    } elseif ($requestedAction == 'add_license_key') {
        // The status is kept for the template that follows.
        $status_license_key = addLicenseKey($_POST['license_key']);
    } elseif ($requestedAction == 'login') {
        // The login result is kept for the template that follows.
        $login_error = adminLogin($nss);
    }
}
/****************************************************************************
* Begin Template
*****************************************************************************/
?>
<!DOCTYPE HTML>
<html>
<head>
	<meta charset="utf-8">
	<title>neosmart STREAM Admin</title>
	<link href='nss-admin/reset.css' type='text/css' rel='stylesheet' />
	<link href='nss-admin/style.css' type='text/css' rel='stylesheet' />
	<script type='text/javascript' src='nss-includes/jquery.js'></script>
Exemplo n.º 6
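/**
 * Require the current member to have re-entered their password recently before admin access.
 *
 * Guests are rejected via is_not_guest(). The check is skipped when $modSettings['securityDisable']
 * is non-empty or when $_SESSION['admin_time'] is less than an hour old (70 minutes when
 * $_GET['xml'] is set). A posted password (plain or pre-hashed) is verified by the optional
 * integrate_verify_password callback or against the stored hash; an OpenID account is re-validated
 * instead. If nothing validates, adminLogin() from Subs-Auth.php is called.
 */
function validateSession()
{
    global $modSettings, $sourcedir, $user_info, $sc, $user_settings;

    // We don't care if the option is off, because Guests should NEVER get past here.
    is_not_guest();

    // If we're using XML give an additional ten minutes grace as an admin can't log on in XML mode.
    $refreshTime = isset($_GET['xml']) ? 4200 : 3600;

    // Is the security option off?
    if (!empty($modSettings['securityDisable'])) {
        return;
    }

    // Or are they already logged in?
    if (!empty($_SESSION['admin_time']) && $_SESSION['admin_time'] + $refreshTime >= time()) {
        return;
    }

    require_once $sourcedir . '/Subs-Auth.php';

    // Hashed password, ahoy! Array-valued input is ignored rather than passed to strlen().
    if (isset($_POST['admin_hash_pass']) && is_string($_POST['admin_hash_pass']) && strlen($_POST['admin_hash_pass']) == 40) {
        checkSession();
        $postedHash = $_POST['admin_hash_pass'];

        // The callback name comes from settings ("func" or "Class::method"), so whoever can write
        // $modSettings['integrate_verify_password'] decides what runs here. Only a strict true counts.
        $good_password = false;
        if (isset($modSettings['integrate_verify_password']) && is_callable($modSettings['integrate_verify_password'])) {
            $callback = strpos($modSettings['integrate_verify_password'], '::') === false ? $modSettings['integrate_verify_password'] : explode('::', $modSettings['integrate_verify_password']);
            if (call_user_func($callback, $user_info['username'], $postedHash, true) === true) {
                $good_password = true;
            }
        }

        // hash_equals() replaces ==, which compares "0e<digits>" strings numerically and leaks timing.
        if ($good_password || hash_equals(sha1($user_info['passwd'] . $sc), $postedHash)) {
            $_SESSION['admin_time'] = time();
            return;
        }
    }

    // Posting the password... check it.
    // NOTE(review): single-round SHA-1 over username + password is a weak stored-hash format;
    // upgrading it requires a migration outside this function.
    if (isset($_POST['admin_pass']) && is_string($_POST['admin_pass'])) {
        checkSession();
        $postedPassword = $_POST['admin_pass'];

        $good_password = false;
        if (isset($modSettings['integrate_verify_password']) && is_callable($modSettings['integrate_verify_password'])) {
            $callback = strpos($modSettings['integrate_verify_password'], '::') === false ? $modSettings['integrate_verify_password'] : explode('::', $modSettings['integrate_verify_password']);
            if (call_user_func($callback, $user_info['username'], $postedPassword, false) === true) {
                $good_password = true;
            }
        }

        // Password correct?
        if ($good_password || hash_equals((string) $user_info['passwd'], sha1(strtolower($user_info['username']) . $postedPassword))) {
            $_SESSION['admin_time'] = time();
            return;
        }
    }

    // OpenID?
    // NOTE(review): admin_time is set unconditionally after smf_openID_revalidate(); this relies on
    // that helper not returning while re-validation is pending - confirm.
    if (!empty($user_settings['openid_uri'])) {
        require_once $sourcedir . '/Subs-OpenID.php';
        smf_openID_revalidate();
        $_SESSION['admin_time'] = time();
        return;
    }

    // Need to type in a password for that, man.
    adminLogin();
}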
Exemplo n.º 7
require_once "../libraries/validation.php";
require_once "../table/admin.php";
require_once "../table/misc.php";
//Which Table to include
require_once "../module/adminLogin.php";
// Which Module to include
// Build the request wrapper and open the database connection.
$req = new Req();
$mysqli = new mysqli_functions();
$connection = $mysqli->connect();

// connect() yielding a boolean is treated as a failed connection.
// NOTE(review): execution continues past this point unless Res::sendFailure() terminates the
// script - confirm.
if (is_bool($connection)) {
    Res::sendFailure($mysqli->message);
}

$module = new adminLogin($connection);

// Route the requested command to its handler; anything else is reported as invalid.
$requestedCmd = $req->getCmd();
if ($requestedCmd == "adminLogin") {
    adminLogin();
} elseif ($requestedCmd == "forgotPwd") {
    forgotPwd();
} else {
    $connection->close();
    // NOTE(review): the client-supplied command is echoed back in the message; confirm
    // Res::sendInvalid() encodes it for the response format.
    Res::sendInvalid("invalidCmd:" . $req->getCmd());
}

$mysqli->disconnect();
function adminLogin()
{
    global $req;
    global $connection;
    global $module;
    $req->hasParams("user", "pwd", "rem");
Exemplo n.º 8
<?php

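ob_start();
session_start();
require '../functions/functions.php';

// Accept only non-empty string credentials; missing or array-valued fields count as a failed login
// instead of raising notices or reaching adminLogin() with an unexpected type.
$username = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';

// Default to failure; only a successful adminLogin() flips the status.
$data = array('status' => 0);

if ($username !== '' && $password !== '' && adminLogin($username, $password)) {
    // Rotate the session id before marking the session as admin, so a session id known before
    // login cannot be reused afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['status'] = "admin";
    $_SESSION['username'] = $username;
    $data['status'] = 1;
}

// NOTE(review): no rate limiting or lockout is visible here; confirm adminLogin() or the web tier
// throttles repeated failures.
echo json_encode($data);
// exit flushes the output buffer; the original trailing ob_end_flush() was unreachable.
exit;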
Exemplo n.º 9
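/**
 * Require the current member to have re-entered their password within the last hour before
 * admin access.
 *
 * Guests are rejected via is_not_guest(). The check is skipped when $modSettings['securityDisable']
 * is non-empty or when $_SESSION['admin_time'] is less than 3600 seconds old. A posted password
 * (plain or pre-hashed) is verified by the optional integrate_verify_password function or against
 * the stored hash. If nothing validates, adminLogin() from Subs-Auth.php is called.
 */
function validateSession()
{
    global $modSettings, $sourcedir, $user_info, $sc;

    // We don't care if the option is off, because Guests should NEVER get past here.
    is_not_guest();

    // Is the security option off?
    if (!empty($modSettings['securityDisable'])) {
        return;
    }

    // Or are they already logged in?
    if (!empty($_SESSION['admin_time']) && $_SESSION['admin_time'] + 3600 >= time()) {
        return;
    }

    require_once $sourcedir . '/Subs-Auth.php';

    // Hashed password, ahoy! Array-valued input is ignored rather than passed to strlen().
    if (isset($_POST['admin_hash_pass']) && is_string($_POST['admin_hash_pass']) && strlen($_POST['admin_hash_pass']) == 40) {
        checkSession();
        $postedHash = $_POST['admin_hash_pass'];

        // The function name comes from settings, so whoever can write
        // $modSettings['integrate_verify_password'] decides what runs here. Only a strict true counts.
        $good_password = false;
        if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password'])) {
            if (call_user_func($modSettings['integrate_verify_password'], $user_info['username'], $postedHash, true) === true) {
                $good_password = true;
            }
        }

        // hash_equals() replaces ==, which compares "0e<digits>" strings numerically and leaks timing.
        if ($good_password || hash_equals(sha1($user_info['passwd'] . $sc), $postedHash)) {
            $_SESSION['admin_time'] = time();
            return;
        }
    }

    // Posting the password... check it.
    // NOTE(review): single-round SHA-1 over username + password is a weak stored-hash format;
    // upgrading it requires a migration outside this function.
    if (isset($_POST['admin_pass']) && is_string($_POST['admin_pass'])) {
        checkSession();
        $postedPassword = $_POST['admin_pass'];

        $good_password = false;
        if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password'])) {
            if (call_user_func($modSettings['integrate_verify_password'], $user_info['username'], $postedPassword, false) === true) {
                $good_password = true;
            }
        }

        // Password correct?
        if ($good_password || hash_equals((string) $user_info['passwd'], sha1(strtolower($user_info['username']) . $postedPassword))) {
            $_SESSION['admin_time'] = time();
            return;
        }
    }

    // Need to type in a password for that, man.
    adminLogin();
}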
Exemplo n.º 10
        $loginPwd = stripslashes(trim($_POST['login-pwd']));
        if (strlen($loginPwd) < 6 || strlen($loginPwd) > 18) {
            echo "0 密码不符合要求";
        } else {
            $DB->connect($mysql_host, $mysql_user, $mysql_pass, $mysql_dbname, '');
            $Password = $DB->fetch_one("SELECT `password` FROM `" . $table_member . "` WHERE `uid`=" . $loginArr['uid']);
            $DB->close();
            if ($Password == md5($loginPwd)) {
                adminCookie();
                echo "1 登录成功";
            } else {
                echo "0 您输入的密码不正确";
            }
        }
    } else {
        if (adminLogin()) {
            header("location:./admin/");
        } else {
            $tmp = template("admin.html");
            $tmp->assign('codeName', $code_name);
            $tmp->assign('codeVersion', $code_version);
            $tmp->assign('siteName', $site_name);
            $tmp->assign('siteDomain', $site_domain);
            $tmp->assign('siteCatalog', $site_catalog);
            $tmp->assign('siteIcp', $site_icp);
            $tmp->output();
        }
    }
} else {
    header("location:./");
}
Exemplo n.º 11
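/**
 * Check if the user is who he/she says he is.
 *
 * What it does:
 * - This function makes sure the user is who they claim to be by requiring a
 * password to be typed in again once the admin session lifetime has passed
 * (ten minutes unless $modSettings['admin_session_lifetime'] is set).
 * - This check can be turned on and off by the securityDisable setting.
 * - Uses the adminLogin() function of subs/Auth.subs.php if they need to login,
 * which saves all request (POST and GET) data.
 *
 * @param string $type 'admin' (default), 'moderate', or a type registered by an
 * integrate_validateSession hook; anything else falls back to 'admin'.
 * @return string|null 'session_verify_fail' when the check fails in XML mode, otherwise nothing.
 */
function validateSession($type = 'admin')
{
    global $modSettings, $user_info, $user_settings;

    // Guests are not welcome here.
    is_not_guest();

    // Validate what type of session check this is.
    $types = array();
    call_integration_hook('integrate_validateSession', array(&$types));
    $type = in_array($type, $types) || $type == 'moderate' ? $type : 'admin';

    // Set the lifetime for our admin session. Default is ten minutes.
    $refreshTime = 600;
    if (isset($modSettings['admin_session_lifetime'])) {
        // Maybe someone is paranoid or mistakenly misconfigured the param? Give them at least 5 minutes.
        // NOTE(review): settings above 14400 are clamped to 86400 seconds, yet a setting of exactly
        // 14400 yields 864000 seconds - confirm the intended upper bound.
        if ($modSettings['admin_session_lifetime'] < 5) {
            $refreshTime = 300;
        } elseif ($modSettings['admin_session_lifetime'] > 14400) {
            $refreshTime = 86400;
        } else {
            $refreshTime = $modSettings['admin_session_lifetime'] * 60;
        }
    }

    // If we're using XML give an additional ten minutes grace as an admin can't log on in XML mode.
    if (isset($_GET['xml'])) {
        $refreshTime += 600;
    }

    // Is the security option off?
    if (!empty($modSettings['securityDisable' . ($type != 'admin' ? '_' . $type : '')])) {
        return;
    }

    // If their admin or moderator session hasn't expired yet, let it pass, let the admin session trump a moderation one as well
    if (!empty($_SESSION[$type . '_time']) && $_SESSION[$type . '_time'] + $refreshTime >= time() || !empty($_SESSION['admin_time']) && $_SESSION['admin_time'] + $refreshTime >= time()) {
        return;
    }

    require_once SUBSDIR . '/Auth.subs.php';

    // Coming from the login screen
    if (isset($_POST[$type . '_pass']) || isset($_POST[$type . '_hash_pass'])) {
        // Both the session check and the one-time 'admin-login' token run before any password is looked at.
        checkSession();
        validateToken('admin-login');

        // Hashed password, ahoy! Array-valued input (e.g. admin_hash_pass[]=x) is ignored rather
        // than passed to strlen().
        if (isset($_POST[$type . '_hash_pass']) && is_string($_POST[$type . '_hash_pass']) && strlen($_POST[$type . '_hash_pass']) === 64) {
            // Allow integration to verify the password
            $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $_POST[$type . '_hash_pass'], true)), true);
            $password = $_POST[$type . '_hash_pass'];
            if ($good_password || validateLoginPassword($password, $user_info['passwd'])) {
                $_SESSION[$type . '_time'] = time();
                unset($_SESSION['request_referer']);
                return;
            }
        }

        // Posting the password... check it. A value made only of '*' characters is skipped, and
        // array-valued input never reaches the verification helpers.
        if (isset($_POST[$type . '_pass']) && is_string($_POST[$type . '_pass']) && str_replace('*', '', $_POST[$type . '_pass']) !== '') {
            // Give integrated systems a chance to verify this password
            $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $_POST[$type . '_pass'], false)), true);

            // Password correct?
            $password = $_POST[$type . '_pass'];
            if ($good_password || validateLoginPassword($password, $user_info['passwd'], $user_info['username'])) {
                $_SESSION[$type . '_time'] = time();
                unset($_SESSION['request_referer']);
                return;
            }
        }
    }

    // OpenID?
    // NOTE(review): the timestamp is set unconditionally after revalidate(); this relies on that
    // method not returning while re-validation is pending - confirm.
    if (!empty($user_settings['openid_uri'])) {
        require_once SUBSDIR . '/OpenID.subs.php';
        $openID = new OpenID();
        $openID->revalidate();
        $_SESSION[$type . '_time'] = time();
        unset($_SESSION['request_referer']);
        return;
    }

    // Better be sure to remember the real referer. The Referer header is client-supplied, so the
    // parsed value kept in the session must be treated as untrusted by whoever reads it back.
    if (empty($_SESSION['request_referer'])) {
        $_SESSION['request_referer'] = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
    } elseif (empty($_POST)) {
        unset($_SESSION['request_referer']);
    }

    // Need to type in a password for that, man.
    if (!isset($_GET['xml'])) {
        adminLogin($type);
    } else {
        return 'session_verify_fail';
    }
}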
Exemplo n.º 12
<?php

require_once '../lib/connections/db.php';
include '../lib/functions/functions.php';
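$returnURL = "index.php";

// For login: both fields must be present, non-empty strings. empty() avoids "undefined index"
// warnings being printed ahead of the JSON body, and is_string() rejects array-valued fields.
$username = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
if (empty($username) || empty($password)) {
    die(msg(0, "Username and / or password fields empty!"));
}

// adminLogin() result codes as used below: 1 = unknown user, 2 = bad credentials, 99 = success.
$res = adminLogin($username, $password);

// NOTE(review): answering "unknown user" differently from "wrong password" lets a client tell
// which admin usernames exist; consider returning one generic message for both.
if ($res == 1) {
    die(msg(0, "Unknown User! You are not authorised to log in as an admin."));
}
if ($res == 2) {
    die(msg(0, "Username and / or password incorrect!"));
}
if ($res == 99) {
    // Success: hand the client the page to continue to.
    echo msg(1, $returnURL);
}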
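/**
 * Build the small JSON reply {"status":<int>,"txt":"<text>"} used by the login script.
 *
 * The text is JSON-encoded rather than concatenated, so quotes, backslashes or control characters
 * in $txt cannot break out of the string and alter the reply.
 *
 * @param int    $status Status code (the callers pass 0 for failure and 1 for success).
 * @param string $txt    Message or URL to return to the client.
 * @return string JSON document.
 */
function msg($status, $txt)
{
    // Slashes and non-ASCII text stay unescaped so plain messages keep their previous byte form.
    $encodedTxt = json_encode((string) $txt, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_PARTIAL_OUTPUT_ON_ERROR);

    return '{"status":' . (int) $status . ',"txt":' . $encodedTxt . '}';
}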
Exemplo n.º 13
<?php

error_reporting(E_ALL);
set_time_limit(0);
header("content-Type: text/html; charset=utf-8");
require dirname(__FILE__) . "/../database/config_mysql.php";
require dirname(__FILE__) . "/../database/config_secure.php";
require dirname(__FILE__) . "/../database/config_site.php";
require dirname(__FILE__) . "/../database/config_group.php";
require dirname(__FILE__) . "/../database/config_mail.php";
require dirname(__FILE__) . "/../function.php";
require dirname(__FILE__) . "/../class/class_Mysql.php";
require dirname(__FILE__) . "/../class/class_Xxtea.php";
require dirname(__FILE__) . "/include/config.php";
require dirname(__FILE__) . "/include/function.php";
require dirname(__FILE__) . "/class/class_Query.php";
ini_set('date.timezone', $site_timezone);
if (!adminLogin()) {
    header("location:../");
    exit;
}
if (isset($_GET['page']) && is_numeric($_GET['page']) && $_GET['page'] > 1) {
    $page = intval($_GET['page']);
} else {
    $page = "1";
}
$DB = new DB_MySQL();
$QA = new QueryAction();