function start_session($updateUserFormatsStylesTypesPermissions) { global $databaseBaseURL; // these variables are defined in 'ini.inc.php' global $defaultMainFields; global $filesBaseDir; global $filesBaseURL; global $loginEmail; global $loginUserID; global $loginFirstName; global $loginLastName; global $abbrevInstitution; global $lastLogin; global $referer; // '$referer' is made globally available from within this function global $connection; // Initialize the session: if (!isset($_SESSION["sessionID"])) { // Ensure that cookies are enabled: if (ini_get('session.use_cookies') == 0) { // if 'session.use_cookies' is OFF for the current directory ini_set('session.use_cookies', 1); } // enable storage of sessions within cookies session_start(); $sessionID = session_id(); // get the current session ID if (!empty($sessionID)) { saveSessionVariable("sessionID", $sessionID); } } // Set the system's locale information: list($systemLocaleCollate, $systemLocaleCType) = setSystemLocale(); // Set the default timezone used by all date/time functions // Note: The 'date_default_timezone_set/date_default_timezone_get' functions are available since PHP 5.1.0 if (function_exists("date_default_timezone_set") && function_exists("date_default_timezone_get")) { @date_default_timezone_set(@date_default_timezone_get()); } // NOTE: Upon first connection to the MySQL server, function 'connectToMySQLDatabase()' will query the // MySQL server for the MySQL version and save it to a session variable // Extract session variables (only necessary if register globals is OFF!): if (isset($_SESSION['loginEmail'])) { $loginEmail = $_SESSION['loginEmail']; $loginUserID = $_SESSION['loginUserID']; $loginFirstName = $_SESSION['loginFirstName']; $loginLastName = $_SESSION['loginLastName']; $abbrevInstitution = $_SESSION['abbrevInstitution']; $lastLogin = $_SESSION['lastLogin']; } elseif ($updateUserFormatsStylesTypesPermissions) { // If the user isn't logged in we set the available export formats, citation styles, document types and permissions to // the defaults which are specified in the 'formats', 'styles', 'types' and 'user_permissions' tables for 'user_id = 0'. // (a 'user_id' of zero is used within these tables to indicate the default settings if the user isn't logged in) // NOTE: As an exception, for anyone who isn't logged in, we don't load the default number of records from option // 'records_per_page' in table 'user_options', but instead use the value given in variable '$defaultNumberOfRecords' // in 'ini.inc.php'. Similarly, if the user isn't logged in, the list of "main fields" is taken from variable // '$defaultMainFields' in 'ini.inc.php' and not from option 'main_fields' in table 'user_options. Same holds true // for variable '$autoCompleteUserInput' vs. option 'show_auto_completions'. // Get all export formats that were selected by the admin to be visible if a user isn't logged in // and (if some formats were found) save them as semicolon-delimited string to the session variable 'user_export_formats': getVisibleUserFormatsStylesTypes(0, "format", "export"); // Get all citation formats that were selected by the admin to be visible if a user isn't logged in // and (if some formats were found) save them as semicolon-delimited string to the session variable 'user_cite_formats': getVisibleUserFormatsStylesTypes(0, "format", "cite"); // Get all citation styles that were selected by the admin to be visible if a user isn't logged in // and (if some styles were found) save them as semicolon-delimited string to the session variable 'user_styles': getVisibleUserFormatsStylesTypes(0, "style", ""); // Get all document types that were selected by the admin to be visible if a user isn't logged in // and (if some types were found) save them as semicolon-delimited string to the session variable 'user_types': getVisibleUserFormatsStylesTypes(0, "type", ""); // Get the user permissions for the current user // and save all allowed user actions as semicolon-delimited string to the session variable 'user_permissions': getPermissions(0, "user", true); // Get the default view for the current user // and save it to the session variable 'userDefaultView': getDefaultView(0); // Get the default number of records per page preferred by the current user // and save it to the session variable 'userRecordsPerPage': getDefaultNumberOfRecords(0); // Get the user's preference for displaying auto-completions // and save it to the session variable 'userAutoCompletions': getPrefAutoCompletions(0); // Get the list of "main fields" for the current user // and save the list of fields as comma-delimited string to the session variable 'userMainFields': getMainFields(0); } else { // The scripts 'error.php', 'install.php' & 'update.php' use 'start_session(false);' so that they execute without errors // when there isn't any database yet. However, function 'buildQuickSearchElements()' (which builds the "Quick Search" form // in the page header) requires the session variable 'userMainFields' to be present. So we take the list of "main fields" // directly from the global variable '$defaultMainFields' and save it as session variable (we cannot use function // 'getMainFields()' here since this would require database access): if (!isset($_SESSION['userMainFields'])) { saveSessionVariable("userMainFields", $defaultMainFields); } } // Set the referrer: if (isset($_REQUEST['referer']) and !empty($_REQUEST['referer'])) { $referer = $_REQUEST['referer']; } elseif (isset($_SESSION['referer']) and !empty($_SESSION['referer'])) { $referer = $_SESSION['referer']; // get the referring URL from the superglobal '$_SESSION' variable (if any) deleteSessionVariable("referer"); } elseif (isset($_SERVER['HTTP_REFERER']) and !empty($_SERVER['HTTP_REFERER'])) { $referer = $_SERVER['HTTP_REFERER']; } else { // as an example, the referrer won't be set if a user clicked on a URL of type 'show.php?record=12345' within an email announcement $referer = "index.php"; } // if all other attempts fail, we'll re-direct to the main page // Verify important variables from 'ini.inc.php': // - Ensure that the given paths/URLs end with a slash: $databaseBaseURL = checkPath($databaseBaseURL, "URL"); $filesBaseDir = checkPath($filesBaseDir); $filesBaseURL = checkPath($filesBaseURL, "URL"); }
function check_login($referer, $loginEmail, $loginPassword) { global $username; global $password; global $hostName; global $databaseName; global $connection; global $HeaderString; global $loginUserID; global $loginFirstName; global $loginLastName; global $adminLoginEmail; global $abbrevInstitution; global $tableAuth, $tableUserData, $tableUsers; // defined in 'db.inc.php' global $loc; // Get the two character salt from the email address collected from the challenge $salt = substr($loginEmail, 0, 2); // Encrypt the loginPassword collected from the challenge (so that we can compare it to the encrypted passwords that are stored in the 'auth' table) $crypted_password = crypt($loginPassword, $salt); // CONSTRUCT SQL QUERY: $query = "SELECT user_id FROM {$tableAuth} WHERE email = " . quote_smart($loginEmail) . " AND password = "******"errors"); } // function 'deleteSessionVariable()' is defined in 'include.inc.php' if (isset($_SESSION['formVars'])) { // delete the 'formVars' session variable: deleteSessionVariable("formVars"); } // function 'deleteSessionVariable()' is defined in 'include.inc.php' $userID = $row["user_id"]; // extract the user's userID from the last query // Now we need to get the user's first name and last name (e.g., in order to display them within the login welcome message) $query = "SELECT user_id, first_name, last_name, abbrev_institution, language, last_login FROM {$tableUsers} WHERE user_id = " . quote_smart($userID); // CONSTRUCT SQL QUERY $result = queryMySQLDatabase($query); // RUN the query on the database through the connection (function 'queryMySQLDatabase()' is defined in 'include.inc.php') $row2 = mysql_fetch_array($result); // EXTRACT results: fetch the one row into the array '$row2' // Save the fetched user details to the session file: // Write back session variables: saveSessionVariable("loginEmail", $loginEmail); // function 'saveSessionVariable()' is defined in 'include.inc.php' saveSessionVariable("loginUserID", $row2["user_id"]); saveSessionVariable("loginFirstName", $row2["first_name"]); saveSessionVariable("loginLastName", $row2["last_name"]); saveSessionVariable("abbrevInstitution", $row2["abbrev_institution"]); saveSessionVariable("userLanguage", $row2["language"]); saveSessionVariable("lastLogin", $row2["last_login"]); // Get all user groups specified by the current user // and (if some groups were found) save them as semicolon-delimited string to the session variable 'userGroups': getUserGroups($tableUserData, $row2["user_id"]); // function 'getUserGroups()' is defined in 'include.inc.php' if ($loginEmail == $adminLoginEmail) { // ('$adminLoginEmail' is specified in 'ini.inc.php') // Get all user groups specified by the admin // and (if some groups were found) save them as semicolon-delimited string to the session variable 'adminUserGroups': getUserGroups($tableUsers, $row2["user_id"]); } // function 'getUserGroups()' is defined in 'include.inc.php' // Get all user queries that were saved previously by the current user // and (if some queries were found) save them as semicolon-delimited string to the session variable 'userQueries': getUserQueries($row2["user_id"]); // function 'getUserQueries()' is defined in 'include.inc.php' // Get all export formats that were selected previously by the current user // and (if some formats were found) save them as semicolon-delimited string to the session variable 'user_export_formats': getVisibleUserFormatsStylesTypes($row2["user_id"], "format", "export"); // function 'getVisibleUserFormatsStylesTypes()' is defined in 'include.inc.php' // Get all citation formats that were selected previously by the current user // and (if some formats were found) save them as semicolon-delimited string to the session variable 'user_cite_formats': getVisibleUserFormatsStylesTypes($row2["user_id"], "format", "cite"); // function 'getVisibleUserFormatsStylesTypes()' is defined in 'include.inc.php' // Get all citation styles that were selected previously by the current user // and (if some styles were found) save them as semicolon-delimited string to the session variable 'user_styles': getVisibleUserFormatsStylesTypes($row2["user_id"], "style", ""); // function 'getVisibleUserFormatsStylesTypes()' is defined in 'include.inc.php' // Get all document types that were selected previously by the current user // and (if some types were found) save them as semicolon-delimited string to the session variable 'user_types': getVisibleUserFormatsStylesTypes($row2["user_id"], "type", ""); // function 'getVisibleUserFormatsStylesTypes()' is defined in 'include.inc.php' // Get the user permissions for the current user // and save all allowed user actions as semicolon-delimited string to the session variable 'user_permissions': getPermissions($row2["user_id"], "user", true); // function 'getPermissions()' is defined in 'include.inc.php' // Get the default view for the current user // and save it to the session variable 'userDefaultView': getDefaultView($row2["user_id"]); // function 'getDefaultView()' is defined in 'include.inc.php' // Get the default number of records per page preferred by the current user // and save it to the session variable 'userRecordsPerPage': getDefaultNumberOfRecords($row2["user_id"]); // function 'getDefaultNumberOfRecords()' is defined in 'include.inc.php' // Get the user's preference for displaying auto-completions // and save it to the session variable 'userAutoCompletions': getPrefAutoCompletions($row2["user_id"]); // function 'getPrefAutoCompletions()' is defined in 'include.inc.php' // Get the list of "main fields" for the current user // and save the list of fields as comma-delimited string to the session variable 'userMainFields': getMainFields($row2["user_id"]); // function 'getMainFields()' is defined in 'include.inc.php' // We also update the user's entry within the 'users' table: $query = "UPDATE {$tableUsers} SET " . "last_login = NOW(), " . "logins = logins+1 " . "WHERE user_id = {$userID}"; // RUN the query on the database through the connection: $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' if (!preg_match("#/(error|user_login|install)\\.php#i", $referer)) { header("Location: " . $referer); } else { header("Location: index.php"); } // back to main page } else { // Ensure 'loginEmail' is not registered, so the user is not logged in if (isset($_SESSION['loginEmail'])) { // delete the 'loginEmail' session variable: deleteSessionVariable("loginEmail"); } // function 'deleteSessionVariable()' is defined in 'include.inc.php' // Save an error message: $HeaderString = "<b><span class=\"warning\">" . $loc["LoginFailedYouProvidedAnIncorrectEmailAddressOrPassword"] . "</span></b>"; // Write back session variables: saveSessionVariable("HeaderString", $HeaderString); // function 'saveSessionVariable()' is defined in 'include.inc.php' login_page($referer); } // ------------------- // (5) CLOSE the database connection: disconnectFromMySQLDatabase(); // function 'disconnectFromMySQLDatabase()' is defined in 'include.inc.php' }