X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Feventz%2Flogin.inc;h=154cdef2d451029112f8ffc110a50bb72ed79ec3;hb=ac3bdc7218ef24f47f2d6adaae65c59079900665;hp=ac5c4366711c96531a1a5d80aaf29e1911794c67;hpb=41bddecc78c79984db66e98e610727f1932eaed3;p=mirrors%2FKyberia-bloodline.git diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc index ac5c436..154cdef 100644 --- a/wwwroot/inc/eventz/login.inc +++ b/wwwroot/inc/eventz/login.inc @@ -1,14 +1,17 @@ This is da default one -// require(INCLUDE_DIR.'ldap.inc'); global $db,$error,$node_id; $login = mysql_real_escape_string($_POST['login']); - $password = $_POST['password']; //XXX nice SQLi - $hash = md5($password); + $password = $_POST['password']; // Not SQLi but be carefull + $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());' + + $hash_query='('; + foreach($password_hash_algos as $algo) { + $hash_query.="password='".hash($algo, $password)."' OR "; + } + $hash_query.='false )'; + $login_type = $_POST['login_type']; $referer = $_SERVER['HTTP_REFERER']; @@ -19,14 +22,19 @@ function login() { switch ($login_type) { case "name": - $q = "select * from users where login='$login' and password='$hash'"; + $q = "select * from users where login='$login' and $hash_query"; $set = $db->query($q); $set->next(); $user_id = $set->getString('user_id'); $user_name = $set->getString('login'); break; + case "base36id": + $login = base_convert($login, 36, 10); case "id": - $q="select * from users where user_id='$login' and password='$hash'"; + // HA! if it is number, escape_string is not enough + $login=intval($login); + + $q="select * from users where user_id='$login' and $hash_query"; $set=$db->query($q); $set->next(); $user_id=$set->getString('user_id'); @@ -34,8 +42,6 @@ function login() { break; } -// $ldap_response=LDAPuser::auth($user_id,$password); - if (!$set) { //XXX test $error="Zadal si nespravne uzivatelske meno [alebo id] alebo heslo. Rob so sebou nieco"; return false; @@ -54,11 +60,11 @@ Prajem prijemnu odvykacku:-)"; return false; } -//ldap replicate -// LDAPuser::ldap_mysql_sync($user_name,$user_id,$password); +// Login sucessfull + // prevent session fixation + session_regenerate_id(); -// $cube_vector=$set->getString('cube_vector'); // saves friends list as an array into user session @@ -91,7 +97,6 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name" $_SESSION['fook'][$fookset->getString('node_parent')]=true; } -// LDAPuser::replicate($user_name,$user_id,$password); //save bookstyle into user session $q="select node_content from nodes where node_parent=19 and external_link='session://bookstyl' and node_creator='$user_id'"; @@ -110,9 +115,9 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name" $_SESSION['mood_name'] = $mset->getString('node_name'); $_SESSION['mood_content'] = addslashes(substr(strip_tags($mset->getString('node_content')),0,223)); } - // last login - $db->query(sprintf('update users set last_login = NOW() where user_id = %d', $user_id)); + + $db->query(sprintf('update users set date_last_login = NOW() where user_id = %d', $user_id)); $_SESSION['user_id']=$user_id; $_SESSION['user_name']=addslashes($user_name);