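/**
 * Authenticate the current request against the bridged CMS user table and,
 * on success, initialise the WRM session and profile row.
 *
 * Credentials come from one of two places:
 *   - a POSTed login form (`username`/`password`, plain-text password), or
 *   - the "remember me" cookie pair (`username`/`password`, where the cookie
 *     `password` is whatever password_check() returned on the earlier login).
 * $pwdencrypt tells password_check() which of the two it is being handed.
 *
 * Returns 1 on success, 0 when no matching user/password was found (or no
 * credentials were supplied), -1 when the user exists but is not in an
 * authorised group ($auth_user_class / $auth_alt_user_class).
 *
 * Side effects: may call phpraid_logout(), regenerates the session id and
 * writes $_SESSION, may set two month-long cookies, and upserts the WRM
 * profile row. Relies on globals set by the bridge configuration.
 */
function phpraid_login()
{
    global $db_user_id, $db_group_id, $db_user_name, $db_user_email, $db_user_password, $db_table_user_name;
    global $db_table_group_name, $auth_user_class, $auth_alt_user_class, $table_prefix, $db_raid, $phpraid_config;

    if (isset($_POST['username'])) {
        // Form login: plain-text password.
        $pwdencrypt = FALSE;
        $username = mb_strtolower(scrub_input($_POST['username']), "UTF-8");
        $password = isset($_POST['password']) ? $_POST['password'] : '';
        // Unsalted MD5 copy stored in the WRM profile table on form logins.
        // NOTE(review): md5 is not an acceptable password hash; the profile
        // schema and its other consumers are outside this function, so the
        // column contents are left as-is here rather than silently changed.
        $wrmpass = md5($password);
    } elseif (isset($_COOKIE['username'], $_COOKIE['password'])) {
        // Cookie login: the "password" cookie holds the credential issued below.
        $pwdencrypt = TRUE;
        $username = mb_strtolower(scrub_input($_COOKIE['username']), "UTF-8");
        $password = $_COOKIE['password'];
        $wrmpass = '';
    } else {
        // No credentials at all: clear any stale state and fail outright.
        // (Previously fell through into the lookup with $username === '' and
        // $pwdencrypt/$wrmpass undefined.)
        phpraid_logout();
        return 0;
    }

    // Empty credentials are never a valid login, whatever password_check() would do with them.
    if ($username === '' || $password === '') {
        return 0;
    }

    $sql = sprintf("SELECT " . $db_user_id . "," . $db_user_name . "," . $db_user_email . "," . $db_user_password . " FROM " . $table_prefix . $db_table_user_name . " WHERE " . $db_user_name . " = %s", quote_smart($username));
    $result = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);

    while ($data = $db_raid->sql_fetchrow($result, true)) {
        // Exact (case-folded) username match; the SQL `=` may be collation-loose.
        if ($username !== mb_strtolower($data[$db_user_name], "UTF-8")) {
            continue;
        }
        $cmspass = password_check($password, $data[$db_user_id], $pwdencrypt);
        if (!$cmspass) {
            continue;
        }

        // Username and password match in the CMS. When a required group is
        // configured, the user must be in it (or the alternate group).
        if ($auth_user_class != 0) {
            $sql = sprintf("SELECT " . $db_user_id . "," . $db_group_id . " FROM " . $table_prefix . $db_table_group_name . " WHERE " . $db_user_id . " = %s", quote_smart($data[$db_user_id]));
            $resultgroup = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);
            $FoundUserInGroup = FALSE;
            while ($datagroup = $db_raid->sql_fetchrow($resultgroup, true)) {
                // NOTE(review): loose == is kept; if $auth_alt_user_class is
                // unset/empty and a membership row carries group id 0, this
                // matches. Confirm the bridge config always sets both values.
                if ($datagroup[$db_group_id] == $auth_user_class || $datagroup[$db_group_id] == $auth_alt_user_class) {
                    $FoundUserInGroup = TRUE;
                    break;
                }
            }
            if (!$FoundUserInGroup) {
                phpraid_logout();
                return -1;
            }
        }

        // Privilege level changes here: issue a fresh session id so a
        // pre-set (fixated) id is not promoted to a logged-in one.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }

        // Remember-me cookies: on a form login only when the user asked for
        // it; on a cookie login re-issue them to roll the expiry (the user
        // already opted in). Previously the cookies were set unconditionally
        // because isset() was tested on an already-assigned local.
        $wantsAutologin = isset($_POST['autologin']) && (string) scrub_input($_POST['autologin']) !== '';
        if ($pwdencrypt || $wantsAutologin) {
            $expires = time() + 2629743; // ~1 month
            $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            // NOTE(review): the cookie carries the credential returned by
            // password_check() (presumably the stored hash) for a month;
            // whoever reads it is logged in for that long. A random per-device
            // token looked up server-side would be the safer design. HttpOnly
            // is set on both cookies — confirm no client-side script reads them.
            setcookie('username', $data[$db_user_name], $expires, '', '', $secure, true);
            setcookie('password', $cmspass, $expires, '', '', $secure, true);
        }

        // Session profile.
        $_SESSION['username'] = mb_strtolower($data[$db_user_name], "UTF-8");
        $_SESSION['session_logged_in'] = 1;
        $_SESSION['profile_id'] = $data[$db_user_id];
        $_SESSION['email'] = $data[$db_user_email];

        $user_priv = ($phpraid_config['default_group'] != 'nil') ? $phpraid_config['default_group'] : '0';

        // Create or refresh the WRM profile row for this user. The md5 copy
        // is only rewritten on a form login ($wrmpass is '' on cookie logins).
        $sql = sprintf("SELECT * FROM " . $phpraid_config['db_prefix'] . "profile WHERE profile_id = %s", quote_smart($_SESSION['profile_id']));
        $result = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);
        if ($db_raid->sql_fetchrow($result)) {
            if ($wrmpass !== '') {
                $sql = sprintf("UPDATE " . $phpraid_config['db_prefix'] . "profile SET email = %s, password = %s, last_login_time = %s WHERE profile_id = %s", quote_smart($_SESSION['email']), quote_smart($wrmpass), quote_smart(time()), quote_smart($_SESSION['profile_id']));
            } else {
                $sql = sprintf("UPDATE " . $phpraid_config['db_prefix'] . "profile SET email = %s, last_login_time = %s WHERE profile_id = %s", quote_smart($_SESSION['email']), quote_smart(time()), quote_smart($_SESSION['profile_id']));
            }
        } else {
            // Positional INSERT: depends on the profile table's column order
            // (profile_id, email, password, priv, username, last_login_time) — TODO confirm against schema.
            $sql = sprintf("INSERT INTO " . $phpraid_config['db_prefix'] . "profile VALUES (%s, %s, %s, %s, %s, %s)", quote_smart($_SESSION['profile_id']), quote_smart($_SESSION['email']), quote_smart($wrmpass), quote_smart($user_priv), quote_smart(mb_strtolower($_SESSION['username'], "UTF-8")), quote_smart(time()));
        }
        $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);

        get_permissions();

        // Drop credential material from scope before returning.
        unset($username, $password, $cmspass, $wrmpass);
        return 1;
    }

    return 0;
}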
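/**
 * Authenticate the current request against the bridged user table (IUMS
 * variant: no group check and no profile creation) and initialise the session.
 *
 * Credentials come from a POSTed form (`username`/`password`, plain text) or
 * from the "remember me" cookie pair, where the cookie `password` is whatever
 * password_check() returned on the earlier login; $pwdencrypt tells
 * password_check() which case it is handling.
 *
 * Returns 1 on success, 0 otherwise (no credentials, unknown user, bad password).
 *
 * Side effects: may call phpraid_logout(), regenerates the session id and
 * writes $_SESSION, may set two month-long cookies, and stamps
 * last_login_time on the existing WRM profile row.
 */
function phpraid_login()
{
    global $db_raid, $phpraid_config;
    global $db_user_id, $db_user_name, $db_user_email, $db_user_password, $table_prefix, $db_table_user_name;

    if (isset($_POST['username'])) {
        // Form login: plain-text password.
        $pwdencrypt = FALSE;
        $username = mb_strtolower(scrub_input($_POST['username']), "UTF-8");
        $password = isset($_POST['password']) ? $_POST['password'] : '';
    } elseif (isset($_COOKIE['username'], $_COOKIE['password'])) {
        // Cookie login: the "password" cookie holds the credential issued below.
        $pwdencrypt = TRUE;
        $username = mb_strtolower(scrub_input($_COOKIE['username']), "UTF-8");
        $password = $_COOKIE['password'];
    } else {
        // No credentials: clear stale state and fail outright instead of
        // querying with an empty username and an undefined $pwdencrypt.
        phpraid_logout();
        return 0;
    }

    // Empty credentials are never a valid login.
    if ($username === '' || $password === '') {
        return 0;
    }

    $sql = sprintf("SELECT " . $db_user_id . " , " . $db_user_name . " , " . $db_user_email . " , " . $db_user_password . " FROM " . $table_prefix . $db_table_user_name . " WHERE " . $db_user_name . " = %s", quote_smart($username));
    $result = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);

    while ($data = $db_raid->sql_fetchrow($result, true)) {
        // Exact (case-folded) username match; the SQL `=` may be collation-loose.
        if ($username !== mb_strtolower($data[$db_user_name], "UTF-8")) {
            continue;
        }
        $cmspass = password_check($password, $data[$db_user_id], $pwdencrypt);
        if (!$cmspass) {
            continue;
        }

        // Privilege level changes here: issue a fresh session id so a
        // pre-set (fixated) id is not promoted to a logged-in one.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }

        // Remember-me cookies: on a form login only when requested; on a
        // cookie login re-issue to roll the expiry. Previously they were set
        // unconditionally because isset() was tested on an assigned local.
        $wantsAutologin = isset($_POST['autologin']) && (string) scrub_input($_POST['autologin']) !== '';
        if ($pwdencrypt || $wantsAutologin) {
            $expires = time() + 2629743; // ~1 month
            $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            // NOTE(review): the cookie carries the credential returned by
            // password_check() (presumably the stored hash) for a month;
            // whoever reads it is logged in for that long. A random per-device
            // token looked up server-side would be the safer design. HttpOnly
            // is set on both cookies — confirm no client-side script reads them.
            setcookie('username', $data[$db_user_name], $expires, '', '', $secure, true);
            setcookie('password', $cmspass, $expires, '', '', $secure, true);
        }

        // Session profile.
        $_SESSION['username'] = mb_strtolower($data[$db_user_name], "UTF-8");
        $_SESSION['session_logged_in'] = 1;
        $_SESSION['profile_id'] = $data[$db_user_id];
        $_SESSION['email'] = $data[$db_user_email];

        get_permissions();

        // IUMS auth does not create/refresh the WRM profile row like the
        // external bridges do; it only stamps the login time on an existing row.
        $sql = sprintf("UPDATE " . $phpraid_config['db_prefix'] . "profile SET last_login_time=%s WHERE profile_id=%s", quote_smart(time()), quote_smart($_SESSION['profile_id']));
        $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);

        // Drop credential material from scope before returning.
        unset($username, $password, $cmspass);
        return 1;
    }

    return 0;
}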