<?php
function login() {
-// lockout capatibility
-// with ldap sync
-// <h1> This is da default one</h1>
-// require(INCLUDE_DIR.'ldap.inc');
global $db,$error,$node_id;
$login = mysql_real_escape_string($_POST['login']);
- $password = $_POST['password']; //XXX nice SQLi
- $hash = md5($password);
+ $password = $_POST['password']; // Not SQLi but be carefull
+ $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
+
+ $hash_query='(';
+ foreach($password_hash_algos as $algo) {
+ $hash_query.="password='".hash($algo, $password)."' OR ";
+ }
+ $hash_query.='false )';
+
$login_type = $_POST['login_type'];
$referer = $_SERVER['HTTP_REFERER'];
return false;
}
- switch ($login_type) {
- case "name":
- $q = "select * from users where login='$login' and password='$hash'";
- $set = $db->query($q);
- $set->next();
- $user_id = $set->getString('user_id');
- $user_name = $set->getString('login');
- break;
- case "id":
- $q="select * from users where user_id='$login' and password='$hash'";
- $set=$db->query($q);
- $set->next();
- $user_id=$set->getString('user_id');
- $user_name=$set->getString('login');
- break;
- }
-
-// $ldap_response=LDAPuser::auth($user_id,$password);
+ switch ($login_type) {
+ case "name":
+ $q = "select * from users where login='$login' and $hash_query";
+ break;
+ case "base36id":
+ $login = base_convert($login, 36, 10);
+ case "id":
+ $login=intval($login); //HA! if it is number, escape_string is not enough
+ $q="select * from users where user_id='$login' and $hash_query";
+ break;
+ }
+
+ $set = $db->query($q);
+ $set->next();
+ $user_id = $set->getString('user_id');
+ $user_name = $set->getString('login');
+ $xmpp = $set->getString('xmpp');
if (!$set) { //XXX test
$error="Zadal si nespravne uzivatelske meno [alebo id] alebo heslo. Rob so sebou nieco";
return false;
}
-//ldap replicate
-// LDAPuser::ldap_mysql_sync($user_name,$user_id,$password);
+// Login sucessfull
+ // prevent session fixation
+ session_regenerate_id();
-//
$cube_vector=$set->getString('cube_vector');
// saves friends list as an array into user session
$_SESSION['fook'][$fookset->getString('node_parent')]=true;
}
-// LDAPuser::replicate($user_name,$user_id,$password);
//save bookstyle into user session
$q="select node_content from nodes where node_parent=19 and external_link='session://bookstyl' and node_creator='$user_id'";
$_SESSION['user_id']=$user_id;
$_SESSION['user_name']=addslashes($user_name);
+ setcookie('jabber_login', strtolower($xmpp), time()+60*60*24*10, '/'); //10days on whole domain - should have persistent username in future...
+ setcookie('jabber_password', hash('md5', 'jabber:'.$_POST['password']), time()+60*60*24*10, '/'); //10days on whole domain
if (!empty($cube_vector)) $_SESSION['cube_vector']=$cube_vector;
if (empty($_SESSION['template_set'])) $_SESSION['template_set']=$set->getString('template_set');
if (is_numeric($_POST['screen_width'])) $_SESSION['browser']['screen_width']=$_POST['screen_width'];
GIT.Harvie.CZ / mirrors / Kyberia-bloodline.git / blobdiff