X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Feventz%2Flogin.inc;h=3849129186b43d2b6983a0aeb2d32d4471de8d6f;hb=1e66e7ace822bce360c88bd3a082fc5cccfadfe0;hp=ef4800af8bcb58f5b927488cc9f581f43a0d15a3;hpb=fe69da5f874fb15c978927554677a4c98dea9265;p=mirrors%2FKyberia-bloodline.git diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc index ef4800a..3849129 100644 --- a/wwwroot/inc/eventz/login.inc +++ b/wwwroot/inc/eventz/login.inc @@ -1,13 +1,9 @@ This is da default one -// require(INCLUDE_DIR.'ldap.inc'); global $db,$error,$node_id; $login = mysql_real_escape_string($_POST['login']); - $password = $_POST['password']; //XXX nice SQLi + $password = $_POST['password']; // Not SQLi but be carefull $hash = md5($password); $login_type = $_POST['login_type']; $referer = $_SERVER['HTTP_REFERER']; @@ -26,6 +22,9 @@ function login() { $user_name = $set->getString('login'); break; case "id": + // HA! if it is number, escape_string is not enough + $login=intval($login); + $q="select * from users where user_id='$login' and password='$hash'"; $set=$db->query($q); $set->next(); @@ -34,8 +33,6 @@ function login() { break; } -// $ldap_response=LDAPuser::auth($user_id,$password); - if (!$set) { //XXX test $error="Zadal si nespravne uzivatelske meno [alebo id] alebo heslo. Rob so sebou nieco"; return false; @@ -54,11 +51,11 @@ Prajem prijemnu odvykacku:-)"; return false; } -//ldap replicate -// LDAPuser::ldap_mysql_sync($user_name,$user_id,$password); +// Login sucessfull + // prevent session fixation + session_regenerate_id(); -// $cube_vector=$set->getString('cube_vector'); // saves friends list as an array into user session @@ -91,7 +88,6 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name" $_SESSION['fook'][$fookset->getString('node_parent')]=true; } -// LDAPuser::replicate($user_name,$user_id,$password); //save bookstyle into user session $q="select node_content from nodes where node_parent=19 and external_link='session://bookstyl' and node_creator='$user_id'";