X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Feventz%2Flogin.inc;h=154cdef2d451029112f8ffc110a50bb72ed79ec3;hb=ac3bdc7218ef24f47f2d6adaae65c59079900665;hp=94f7f4c4a2c2097e5b7743513602992f8e195d28;hpb=46c0767c5262746b930aeb4f0f30f86bbf5496a6;p=mirrors%2FKyberia-bloodline.git
diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc
index 94f7f4c..154cdef 100644
--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -1,14 +1,17 @@ This is da default one
-// require(INCLUDE_DIR.'ldap.inc');
 global $db,$error,$node_id;
 $login = mysql_real_escape_string($_POST['login']);
 $password = $_POST['password']; // Not SQLi but be carefull
- $hash = md5($password);
+ $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
+
+ $hash_query='(';
+ foreach($password_hash_algos as $algo) {
+ $hash_query.="password='".hash($algo, $password)."' OR ";
+ }
+ $hash_query.='false )';
+
 $login_type = $_POST['login_type'];
 $referer = $_SERVER['HTTP_REFERER'];
@@ -19,17 +22,19 @@ function login() {
 switch ($login_type) {
 case "name":
- $q = "select * from users where login='$login' and password='$hash'";
+ $q = "select * from users where login='$login' and $hash_query";
 $set = $db->query($q);
 $set->next();
 $user_id = $set->getString('user_id');
 $user_name = $set->getString('login');
 break;
+ case "base36id":
+ $login = base_convert($login, 36, 10);
 case "id":
 // HA! if it is number, escape_string is not enough
 $login=intval($login);
- $q="select * from users where user_id='$login' and password='$hash'";
+ $q="select * from users where user_id='$login' and $hash_query";
 $set=$db->query($q);
 $set->next();
 $user_id=$set->getString('user_id');
@@ -37,8 +42,6 @@ function login() {
 break;
 }
-// $ldap_response=LDAPuser::auth($user_id,$password);
-
 if (!$set) { //XXX test
 $error="Zadal si nespravne uzivatelske meno [alebo id] alebo heslo. Rob so sebou nieco";
 return false;
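Review bot: The new `$hash_query` keeps md5 and sha1 as permanently valid password digests: a row stored with either weak hash is accepted on every login and nothing upgrades it, so the legacy hashes never age out. All three are unsalted fast digests, which is the wider risk if the users table leaks; the preferred direction is `password_hash()`/`password_verify()`, which means moving the comparison out of the SQL string. As a minimum on this branch, after a successful match recompute `hash('sha256', $password)` and update the row when the stored value is not already that digest, and document the intent with `// NOTE: unsalted digests; rows still matched via sha1/md5 should be re-hashed on successful login`. Interpolating `hash()` output is not itself injectable since it is lowercase hex, but `$password` and `$login_type` are read from `$_POST` with no isset check. The `global` statement suggests these lines sit inside a function whose opening and closing lie outside this hunk.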
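Review bot: `case "base36id"` falls into `case "id"` without validating `$login` before `base_convert()`, which silently ignores characters outside the base-36 alphabet and loses precision beyond roughly 2^53, so `abc!` and `abc` resolve to the same account id and over-long inputs map to an unrelated one. Reject unexpected input first, e.g. `if (!ctype_alnum($login)) { $error=<message>; return false; }`, and mark the intentional fall-through with `// fall through to "id"` so a later reader does not add a `break`. The `switch` opens in this hunk but its closing brace lies outside it.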
@@ -57,11 +60,11 @@ Prajem prijemnu odvykacku:-)";
 return false;
 }
-//ldap replicate
-// LDAPuser::ldap_mysql_sync($user_name,$user_id,$password);
+// Login sucessfull
+ // prevent session fixation
+ session_regenerate_id();
-// $cube_vector=$set->getString('cube_vector');
 // saves friends list as an array into user session
@@ -94,7 +97,6 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name"
 $_SESSION['fook'][$fookset->getString('node_parent')]=true;
 }
-// LDAPuser::replicate($user_name,$user_id,$password);
 //save bookstyle into user session
 $q="select node_content from nodes where node_parent=19 and external_link='session://bookstyl' and node_creator='$user_id'";
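Review bot: `session_regenerate_id()` is called without `delete_old_session`, so the session data under the previous id stays readable until garbage collection; an attacker who planted that id before the login keeps a usable session for that window, which is exactly what the new comment says it prevents. Pass `session_regenerate_id(true);` so the old session is destroyed at rotation. The comment above it also has a typo and should read `// Login successful`. The enclosing function continues outside the hunk.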