← Back to branch summary

~azzar1/unity/add-show-desktop-key

« back to all changes in this revision

Viewing changes to www/php/phpBB3/includes/auth/auth_db.php

Merge setup-stuff.

phpBB is gone, configuration, setup and jail building are completely redone.

Please read doc/setup/install_proc.txt, or you'll not get far.

Show diffs side-by-side

added added

removed removed

Lines of Context:
www/php/phpBB3/includes/auth/auth_db.php
1
 
<?php
2
 
/**
3
 
* Database auth plug-in for phpBB3
4
 
*
5
 
* Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
6
 
*
7
 
* This is for authentication via the integrated user table
8
 
*
9
 
* @package login
10
 
* @version $Id: auth_db.php,v 1.24 2007/10/05 12:42:06 acydburn Exp $
11
 
* @copyright (c) 2005 phpBB Group
12
 
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
13
 
*
14
 
*/
15
 
 
16
 
/**
17
 
* @ignore
18
 
*/
19
 
if (!defined('IN_PHPBB'))
20
 
{
21
 
        exit;
22
 
}
23
 
 
24
 
/**
25
 
* Login function
26
 
*/
27
 
function login_db(&$username, &$password)
28
 
{
29
 
        global $db, $config;
30
 
 
31
 
        // do not allow empty password
32
 
        if (!$password)
33
 
        {
34
 
                return array(
35
 
                        'status'        => LOGIN_BREAK,
36
 
                        'error_msg'     => 'NO_PASSWORD_SUPPLIED',
37
 
                );
38
 
        }
39
 
 
40
 
        $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
41
 
                FROM ' . USERS_TABLE . "
42
 
                WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
43
 
        $result = $db->sql_query($sql);
44
 
        $row = $db->sql_fetchrow($result);
45
 
        $db->sql_freeresult($result);
46
 
 
47
 
        if (!$row)
48
 
        {
49
 
                return array(
50
 
                        'status'        => LOGIN_ERROR_USERNAME,
51
 
                        'error_msg'     => 'LOGIN_ERROR_USERNAME',
52
 
                        'user_row'      => array('user_id' => ANONYMOUS),
53
 
                );
54
 
        }
55
 
 
56
 
        // If there are too much login attempts, we need to check for an confirm image
57
 
        // Every auth module is able to define what to do by itself...
58
 
        if ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts'])
59
 
        {
60
 
                $confirm_id = request_var('confirm_id', '');
61
 
                $confirm_code = request_var('confirm_code', '');
62
 
 
63
 
                // Visual Confirmation handling
64
 
                if (!$confirm_id)
65
 
                {
66
 
                        return array(
67
 
                                'status'                => LOGIN_ERROR_ATTEMPTS,
68
 
                                'error_msg'             => 'LOGIN_ERROR_ATTEMPTS',
69
 
                                'user_row'              => $row,
70
 
                        );
71
 
                }
72
 
                else
73
 
                {
74
 
                        global $user;
75
 
 
76
 
                        $sql = 'SELECT code
77
 
                                FROM ' . CONFIRM_TABLE . "
78
 
                                WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "'
79
 
                                        AND session_id = '" . $db->sql_escape($user->session_id) . "'
80
 
                                        AND confirm_type = " . CONFIRM_LOGIN;
81
 
                        $result = $db->sql_query($sql);
82
 
                        $confirm_row = $db->sql_fetchrow($result);
83
 
                        $db->sql_freeresult($result);
84
 
 
85
 
                        if ($confirm_row)
86
 
                        {
87
 
                                if (strcasecmp($confirm_row['code'], $confirm_code) === 0)
88
 
                                {
89
 
                                        $sql = 'DELETE FROM ' . CONFIRM_TABLE . "
90
 
                                                WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "'
91
 
                                                        AND session_id = '" . $db->sql_escape($user->session_id) . "'
92
 
                                                        AND confirm_type = " . CONFIRM_LOGIN;
93
 
                                        $db->sql_query($sql);
94
 
                                }
95
 
                                else
96
 
                                {
97
 
                                        return array(
98
 
                                                'status'                => LOGIN_ERROR_ATTEMPTS,
99
 
                                                'error_msg'             => 'CONFIRM_CODE_WRONG',
100
 
                                                'user_row'              => $row,
101
 
                                        );
102
 
                                }
103
 
                        }
104
 
                        else
105
 
                        {
106
 
                                return array(
107
 
                                        'status'                => LOGIN_ERROR_ATTEMPTS,
108
 
                                        'error_msg'             => 'CONFIRM_CODE_WRONG',
109
 
                                        'user_row'              => $row,
110
 
                                );
111
 
                        }
112
 
                }
113
 
        }
114
 
 
115
 
        // If the password convert flag is set we need to convert it
116
 
        if ($row['user_pass_convert'])
117
 
        {
118
 
                // in phpBB2 passwords were used exactly as they were sent, with addslashes applied
119
 
                $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
120
 
                $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
121
 
                $password_new_format = '';
122
 
 
123
 
                set_var($password_new_format, stripslashes($password_old_format), 'string');
124
 
 
125
 
                if ($password == $password_new_format)
126
 
                {
127
 
                        if (!function_exists('utf8_to_cp1252'))
128
 
                        {
129
 
                                global $phpbb_root_path, $phpEx;
130
 
                                include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx);
131
 
                        }
132
 
 
133
 
                        // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
134
 
                        if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
135
 
                        {
136
 
                                $hash = phpbb_hash($password_new_format);
137
 
 
138
 
                                // Update the password in the users table to the new format and remove user_pass_convert flag
139
 
                                $sql = 'UPDATE ' . USERS_TABLE . '
140
 
                                        SET user_password = \'' . $db->sql_escape($hash) . '\',
141
 
                                                user_pass_convert = 0
142
 
                                        WHERE user_id = ' . $row['user_id'];
143
 
                                $db->sql_query($sql);
144
 
 
145
 
                                $row['user_pass_convert'] = 0;
146
 
                                $row['user_password'] = $hash;
147
 
                        }
148
 
                        else
149
 
                        {
150
 
                                // Although we weren't able to convert this password we have to
151
 
                                // increase login attempt count to make sure this cannot be exploited
152
 
                                $sql = 'UPDATE ' . USERS_TABLE . '
153
 
                                        SET user_login_attempts = user_login_attempts + 1
154
 
                                        WHERE user_id = ' . $row['user_id'];
155
 
                                $db->sql_query($sql);
156
 
 
157
 
                                return array(
158
 
                                        'status'                => LOGIN_ERROR_PASSWORD_CONVERT,
159
 
                                        'error_msg'             => 'LOGIN_ERROR_PASSWORD_CONVERT',
160
 
                                        'user_row'              => $row,
161
 
                                );
162
 
                        }
163
 
                }
164
 
        }
165
 
 
166
 
        // Check password ...
167
 
        if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
168
 
        {
169
 
                // Check for old password hash...
170
 
                if (strlen($row['user_password']) == 32)
171
 
                {
172
 
                        $hash = phpbb_hash($password);
173
 
 
174
 
                        // Update the password in the users table to the new format
175
 
                        $sql = 'UPDATE ' . USERS_TABLE . "
176
 
                                SET user_password = '" . $db->sql_escape($hash) . "',
177
 
                                        user_pass_convert = 0
178
 
                                WHERE user_id = {$row['user_id']}";
179
 
                        $db->sql_query($sql);
180
 
 
181
 
                        $row['user_password'] = $hash;
182
 
                }
183
 
 
184
 
                if ($row['user_login_attempts'] != 0)
185
 
                {
186
 
                        // Successful, reset login attempts (the user passed all stages)
187
 
                        $sql = 'UPDATE ' . USERS_TABLE . '
188
 
                                SET user_login_attempts = 0
189
 
                                WHERE user_id = ' . $row['user_id'];
190
 
                        $db->sql_query($sql);
191
 
                }
192
 
 
193
 
                // User inactive...
194
 
                if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
195
 
                {
196
 
                        return array(
197
 
                                'status'                => LOGIN_ERROR_ACTIVE,
198
 
                                'error_msg'             => 'ACTIVE_ERROR',
199
 
                                'user_row'              => $row,
200
 
                        );
201
 
                }
202
 
 
203
 
                // Successful login... set user_login_attempts to zero...
204
 
                return array(
205
 
                        'status'                => LOGIN_SUCCESS,
206
 
                        'error_msg'             => false,
207
 
                        'user_row'              => $row,
208
 
                );
209
 
        }
210
 
 
211
 
        // Password incorrect - increase login attempts
212
 
        $sql = 'UPDATE ' . USERS_TABLE . '
213
 
                SET user_login_attempts = user_login_attempts + 1
214
 
                WHERE user_id = ' . $row['user_id'];
215
 
        $db->sql_query($sql);
216
 
 
217
 
        // Give status about wrong password...
218
 
        return array(
219
 
                'status'                => LOGIN_ERROR_PASSWORD,
220
 
                'error_msg'             => 'LOGIN_ERROR_PASSWORD',
221
 
                'user_row'              => $row,
222
 
        );
223
 
}
224
 
 
225
 
?>
 
 
b'\\ No newline at end of file'