/**
 * Check a plain-text password against a stored hash in constant time.
 *
 * A stored value without a ':' is treated as a legacy unsalted md5 hash;
 * any other value is re-derived with salted_hash($plain, $hashed) (which
 * presumably recovers the salt from $hashed) before the comparison. Legacy
 * md5 entries are accepted as-is here, so upgrading them on a successful
 * login has to happen in the caller.
 *
 * @param string $plain  password as entered by the user
 * @param string $hashed stored hash, legacy md5 or salted form
 * @return bool true when $plain matches $hashed
 */
function compare_passwords($plain, $hashed)
{
    // Backwards compatibility: pre-salt installs stored bare md5 hashes,
    // which never contain the ':' separator of the salted format.
    $isLegacyMd5 = (strpos($hashed, ':') === false);

    $candidate = $isLegacyMd5
        ? md5($plain)
        : salted_hash($plain, $hashed);

    return secure_compare($candidate, $hashed);
}
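/**
 * Validate a submitted CAPTCHA code against the one stored in the session.
 *
 * Passes unconditionally when CAPTCHA is disabled ($captcha_enable falsy)
 * or the current user is an ADMIN. Otherwise the code stored under the
 * session key 'captcha' is compared in constant time with the submission,
 * and the stored code is dropped afterwards regardless of the outcome, so
 * each generated code can be tried at most once.
 *
 * @param string $code code submitted by the user (request value; cast to string)
 * @return bool true when the CAPTCHA check is satisfied or not required
 */
function captcha_validate($code)
{
    global $site_sess, $captcha_enable, $user_info;

    if (!$captcha_enable || $user_info['user_level'] == ADMIN) {
        return true;
    }

    // Cast before trim(): a missing session value (null/false) must behave
    // like an empty code, and trim(null) is deprecated on newer PHP.
    $sess_code = trim((string) $site_sess->get_session_var('captcha'));

    // An empty stored code never validates; the cast on $code mirrors the
    // (string) cast csrf_check() applies to request values.
    $valid = $sess_code !== '' && secure_compare($sess_code, (string) $code);

    // Single use: consume the stored code whether or not it matched.
    $site_sess->drop_session_var('captcha');

    return $valid;
}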
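/**
 * Reject POST requests that do not carry a valid CSRF token.
 *
 * Non-POST requests pass untouched. For a POST, the token in the request
 * field named by $csrf_protection_name must match, in constant time, one of
 * the tokens stored in the session under the same name. The session value
 * is expected to be an array of token => issue time; when
 * $csrf_protection_expires is set a token is only accepted for that many
 * seconds after issue and expired entries are pruned. Matching tokens are
 * not removed, so a token stays usable until it expires.
 *
 * On failure a 403 status is sent and the request is terminated: either via
 * csrf_rewrite() + show_error_page() (which presumably does not return) when
 * $use_show_error is set, or with a minimal HTML body followed by exit.
 *
 * @param bool $use_show_error render the failure through show_error_page()
 *                             instead of the bare HTML page
 * @return void returns only when the request is allowed to proceed
 */
function csrf_check($use_show_error = false)
{
    global $HTTP_SERVER_VARS, $HTTP_POST_VARS, $site_sess, $csrf_protection_name, $csrf_protection_expires;

    if ($HTTP_SERVER_VARS['REQUEST_METHOD'] !== 'POST') {
        return;
    }

    if (isset($HTTP_POST_VARS[$csrf_protection_name])) {
        $submitted = (string) $HTTP_POST_VARS[$csrf_protection_name];
        $session = $site_sess->get_session_var($csrf_protection_name);

        // A session without a token list cannot validate anything. This used
        // to `return false` here, leaving rejection to the caller while every
        // other failure path rejects on its own; it now falls through to the
        // 403 below so the function's failure behaviour is uniform.
        if (is_array($session)) {
            $found = false;
            foreach ($session as $token => $time) {
                // PHP stores numeric-looking keys as ints; compare as strings.
                if (!secure_compare((string) $token, $submitted)) {
                    continue;
                }
                if ($csrf_protection_expires) {
                    if (time() <= $time + $csrf_protection_expires) {
                        $found = true;
                    } else {
                        // Matched but expired: prune it and reject.
                        unset($session[$token]);
                    }
                } else {
                    $found = true;
                }
                break;
            }
            // Write back so pruned tokens disappear from the session.
            $site_sess->set_session_var($csrf_protection_name, $session);
            if ($found) {
                return;
            }
        }
    }

    header($HTTP_SERVER_VARS['SERVER_PROTOCOL'] . ' 403 Forbidden');
    if ($use_show_error) {
        csrf_rewrite();
        show_error_page('CSRF check failed.');
    } else {
        echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed.</body></html>";
        exit;
    }
}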
/**
 * Load the user for this session, persist the session row and refresh the
 * login cookies.
 *
 * Outside of the login process a non-guest user is only kept when the
 * "userpass" cookie equals md5() of the stored password hash (constant-time
 * compare) and the account is past USER_AWAITING; otherwise the cookie is
 * cleared and the session is downgraded to GUEST. The session row is then
 * REPLACEd into SESSIONS_TABLE, $this->session_info is mirrored from it,
 * logged-in users get their lastaction/location/lastvisit columns updated,
 * and the "lastvisit"/"userid" cookies are (re)written.
 *
 * @param int|string $user_id       user to load; GUEST by default
 * @param int        $login_process non-zero while a login is in progress,
 *                                  which skips the cookie re-validation
 * @return bool always true
 */
function start_session($user_id = GUEST, $login_process = 0) {
    global $site_db;
    $this->user_info = $this->load_user_info($user_id);
    if ($this->user_info['user_id'] != GUEST && !$login_process) {
        // The cookie carries md5() of the stored hash, not the hash itself;
        // a mismatch or an awaiting account falls back to a guest session.
        if (secure_compare($this->read_cookie_data("userpass"), md5($this->user_info['user_password'])) && $this->user_info['user_level'] > USER_AWAITING) {
            $this->set_cookie_data("userpass", md5($this->user_info['user_password']));
        } else {
            $this->set_cookie_data("userpass", "", 0);
            $this->user_info = $this->load_user_info(GUEST);
        }
    }
    //if (!$login_process) {
    // NOTE(review): session_id is escaped with addslashes() but user_location
    // and user_ip are interpolated into the quoted SQL as-is. Whether they
    // are escaped where they are assigned is not visible in this method —
    // confirm, since both normally originate from request data.
    $sql = "REPLACE INTO " . SESSIONS_TABLE . "\n (session_id, session_user_id, session_lastaction, session_location, session_ip)\n VALUES\n ('" . addslashes($this->session_id) . "', " . $this->user_info['user_id'] . ", {$this->current_time}, '{$this->user_location}', '{$this->user_ip}')";
    $site_db->query($sql);
    //}
    $this->session_info['session_user_id'] = $this->user_info['user_id'];
    $this->session_info['session_lastaction'] = $this->current_time;
    $this->session_info['session_location'] = $this->user_location;
    $this->session_info['session_ip'] = $this->user_ip;
    if ($this->user_info['user_id'] != GUEST) {
        // "last visit" is the previous lastaction, or now on a first visit.
        $this->user_info['user_lastvisit'] = !empty($this->user_info['user_lastaction']) ? $this->user_info['user_lastaction'] : $this->current_time;
        // Same caveat as above: user_location is interpolated unescaped here too.
        $sql = "UPDATE " . USERS_TABLE . "\n SET " . get_user_table_field("", "user_lastaction") . " = {$this->current_time}, " . get_user_table_field("", "user_location") . " = '{$this->user_location}', " . get_user_table_field("", "user_lastvisit") . " = " . $this->user_info['user_lastvisit'] . "\n WHERE " . get_user_table_field("", "user_id") . " = " . $this->user_info['user_id'];
        $site_db->query($sql);
    }
    $this->set_cookie_data("lastvisit", $this->user_info['user_lastvisit']);
    $this->set_cookie_data("userid", $this->user_info['user_id']);
    return true;
}