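/**
 * Load the user row matching $user (joined with its group and online
 * status) and make it the current user when $password checks out;
 * otherwise fall back to the default (guest) user via set_default_user().
 *
 * Previously the $password_is_hash and !$password_is_hash branches were
 * identical: both compared $password verbatim against the stored hash, so
 * a plaintext password could never match. The plaintext path now hashes
 * the password with the user's salt, the same way the login form does
 * (panther_hash($password . $salt)).
 *
 * @param int|string $user             user id (int) or username (anything else)
 * @param string     $password         plaintext password, or an already-computed
 *                                     hash when $password_is_hash is true
 * @param bool       $password_is_hash whether $password is a stored-format hash
 */
function authenticate_user($user, $password, $password_is_hash = false)
{
    global $db, $panther_user;

    // An integer selects by id; any other value is treated as a username.
    $field = is_int($user) ? 'u.id' : 'u.username';

    // The user value is bound as a parameter; only the column name (chosen
    // from two fixed literals above) is interpolated into the SQL.
    $ps = $db->run('SELECT u.*, g.*, o.logged, o.idle FROM ' . $db->prefix . 'users AS u INNER JOIN ' . $db->prefix . 'groups AS g ON g.g_id=u.group_id LEFT JOIN ' . $db->prefix . 'online AS o ON o.user_id=u.id WHERE ' . $field . '=?', array($user));
    $panther_user = $ps->fetch();

    // No matching row: nothing to compare against, become the guest user.
    if (!isset($panther_user['id'])) {
        set_default_user();
        return;
    }

    // A pre-hashed value is compared as-is; a plaintext password is hashed
    // with the row's salt first. Either way the comparison is constant-time.
    $candidate = $password_is_hash
        ? $password
        : panther_hash($password . $panther_user['salt']);

    if (!panther_hash_equals($candidate, $panther_user['password'])) {
        set_default_user();
    } else {
        $panther_user['is_guest'] = false;
    }
}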
$insert = array('ip_address' => get_remote_address(), 'username' => $form_username); $db->insert('login_queue', $insert) or message($lang_login['IP address in queue']); $attempt = $db->lastInsertId($db->prefix . 'login_queue'); // This time, it's actually in our favour. Yes, I know! while (!check_queue($form_username, $attempt, $db)) { usleep(250 * 1000); } //Force delay between logins, remove dead attempts usleep(ATTEMPT_DELAY * 1000); $data = array(':id' => $attempt, ':timeout' => TIMEOUT * 1000); $db->delete('login_queue', 'id=:id OR last_checked < NOW() - INTERVAL :timeout MICROSECOND', $data); } $data = array(':username' => $form_username); $ps = $db->select('users', 'password, salt, group_id, id, login_key', $data, 'username=:username'); $cur_user = $ps->fetch(); if (!panther_hash_equals($cur_user['password'], panther_hash($form_password . $cur_user['salt']))) { $errors[] = sprintf($lang_login['Wrong user/pass'], ' <a href="' . panther_link($panther_url['request_password']) . '">' . $lang_login['Forgotten pass'] . '</a>'); } ($hook = get_extensions('login_after_validation')) ? eval($hook) : null; if (empty($errors)) { // Update the status if this is the first time the user logged in if ($cur_user['group_id'] == PANTHER_UNVERIFIED) { $update = array('group_id' => $panther_config['o_default_user_group']); $data = array(':id' => $cur_user['id']); $db->update('users', $update, 'id=:id', $data); // Regenerate the users info cache if (!defined('FORUM_CACHE_FUNCTIONS_LOADED')) { require PANTHER_ROOT . 'include/cache.php'; } generate_users_info_cache(); }
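/**
 * Abort the request with the 'Bad referrer' message unless the submitted
 * CSRF token matches the one generate_csrf_token() expects for $script.
 *
 * The token is taken from $_POST['csrf_token'] if present, else from
 * $_GET['csrf_token']. A missing, empty or non-string value (e.g. a
 * csrf_token[]=... array parameter) is treated as an empty token and so
 * never matches; previously such a value was handed straight to
 * panther_trim() and the comparison as the wrong type.
 *
 * @param string $script identifier the expected token is derived for
 * @param bool   $use_ip forwarded unchanged to generate_csrf_token()
 */
function confirm_referrer($script, $use_ip = true)
{
    global $lang_common, $panther_user;

    // POST takes precedence over GET, exactly as before; the precedence is
    // decided first so an array in POST does not fall through to GET.
    if (isset($_POST['csrf_token'])) {
        $raw_token = $_POST['csrf_token'];
    } elseif (isset($_GET['csrf_token'])) {
        $raw_token = $_GET['csrf_token'];
    } else {
        $raw_token = '';
    }

    // Only a string is a candidate token; anything else is rejected below.
    $sent_hash = is_string($raw_token) ? panther_trim($raw_token) : '';

    // Constant-time comparison against the freshly computed expected token.
    if (!panther_hash_equals(generate_csrf_token($script, $use_ip), $sent_hash)) {
        message($lang_common['Bad referrer']);
    }
}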