X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Feventz%2Flogin.inc;h=94c6b9b96702ebc3615830a0b838d5731e596397;hb=0fd4a30fa839ce315009ad2c9ddae09198e40967;hp=ef4800af8bcb58f5b927488cc9f581f43a0d15a3;hpb=fe69da5f874fb15c978927554677a4c98dea9265;p=mirrors%2FKyberia-bloodline.git diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc index ef4800a..94c6b9b 100644 --- a/wwwroot/inc/eventz/login.inc +++ b/wwwroot/inc/eventz/login.inc @@ -1,14 +1,28 @@ This is da default one -// require(INCLUDE_DIR.'ldap.inc'); global $db,$error,$node_id; $login = mysql_real_escape_string($_POST['login']); - $password = $_POST['password']; //XXX nice SQLi - $hash = md5($password); + $password = $_POST['password']; // Not SQLi but be carefull + $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());' + + $hash_query='('; + foreach($password_hash_algos as $algo) { + $hash_query.="password='".hash($algo, $password)."' OR "; + } + $hash_query.='false )'; + $login_type = $_POST['login_type']; $referer = $_SERVER['HTTP_REFERER']; @@ -17,24 +31,23 @@ function login() { return false; } - switch ($login_type) { - case "name": - $q = "select * from users where login='$login' and password='$hash'"; - $set = $db->query($q); - $set->next(); - $user_id = $set->getString('user_id'); - $user_name = $set->getString('login'); - break; - case "id": - $q="select * from users where user_id='$login' and password='$hash'"; - $set=$db->query($q); - $set->next(); - $user_id=$set->getString('user_id'); - $user_name=$set->getString('login'); - break; - } - -// $ldap_response=LDAPuser::auth($user_id,$password); + switch ($login_type) { + case "name": + $q = "select * from users where login='$login' and $hash_query"; + break; + case "base36id": + $login = base_convert($login, 36, 10); + case "id": + $login=intval($login); //HA! if it is number, escape_string is not enough + $q="select * from users where user_id='$login' and $hash_query"; + break; + } + + $set = $db->query($q); + $set->next(); + $user_id = $set->getString('user_id'); + $user_name = $set->getString('login'); + $xmpp = strtolower($set->getString('xmpp')); if (!$set) { //XXX test $error="Zadal si nespravne uzivatelske meno [alebo id] alebo heslo. Rob so sebou nieco"; @@ -54,11 +67,11 @@ Prajem prijemnu odvykacku:-)"; return false; } -//ldap replicate -// LDAPuser::ldap_mysql_sync($user_name,$user_id,$password); +// Login sucessfull + // prevent session fixation + session_regenerate_id(); -// $cube_vector=$set->getString('cube_vector'); // saves friends list as an array into user session @@ -91,7 +104,6 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name" $_SESSION['fook'][$fookset->getString('node_parent')]=true; } -// LDAPuser::replicate($user_name,$user_id,$password); //save bookstyle into user session $q="select node_content from nodes where node_parent=19 and external_link='session://bookstyl' and node_creator='$user_id'"; @@ -116,6 +128,13 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name" $_SESSION['user_id']=$user_id; $_SESSION['user_name']=addslashes($user_name); + setcookie('jabber_login', $xmpp, time()+60*60*24*10, '/'); //10days on whole domain - should have persistent username in future... + $xmpp_pass=hash('md5', 'jabber:'.$_POST['password']); + setcookie('jabber_password', $xmpp_pass, time()+60*60*24*10, '/'); //10days on whole domain + $xmpp_domain='kyberia.cz'; //XXX TODO Hardcoded kyberia.cz jabber domain (NOT dev.kyberia.cz!!!!!) + jabberctl('register', array($xmpp, $xmpp_domain, $xmpp_pass)); + jabberctl('change_password', array($xmpp, $xmpp_domain, $xmpp_pass)); + jabberctl('push_alltoall', array($xmpp_domain, $xmpp_domain)); if (!empty($cube_vector)) $_SESSION['cube_vector']=$cube_vector; if (empty($_SESSION['template_set'])) $_SESSION['template_set']=$set->getString('template_set'); if (is_numeric($_POST['screen_width'])) $_SESSION['browser']['screen_width']=$_POST['screen_width'];