X-Git-Url: https://git.mxchange.org/?p=mailer.git;a=blobdiff_plain;f=inc%2Fmodules%2Fguest%2Fwhat-login.php;h=1cd74d3e09611910e57a8493b619c7226ac9de13;hp=7a147e018faba53c1e08a9c50009120f11b0e2ce;hb=641ca2a3526aa0612781dddf83dd77dbb003adff;hpb=7f104f6fe558bb56b4205241435a2357c2feece1 diff --git a/inc/modules/guest/what-login.php b/inc/modules/guest/what-login.php index 7a147e018f..1cd74d3e09 100644 --- a/inc/modules/guest/what-login.php +++ b/inc/modules/guest/what-login.php @@ -39,7 +39,7 @@ if (!defined('__SECURITY')) { } // Add description as navigation point -ADD_DESCR("guest", basename(__FILE__)); +ADD_DESCR("guest", __FILE__); global $DATA, $FATAL; @@ -52,7 +52,7 @@ if ((!empty($GLOBALS['userid'])) && (isSessionVariableSet('u_hash'))) { $uid = $GLOBALS['userid']; } elseif ((!empty($_POST['id'])) && (!empty($_POST['password'])) && (isset($_POST['ok']))) { // Set userid and crypt password when login data was submitted - $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".bigintval($_POST['id'])."") != $_POST['id'])); + $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".($_POST['id'] + 0)."") != $_POST['id'])); if ($probe_nickname === true) { // Nickname entered $uid = SQL_ESCAPE($_POST['id']); @@ -88,22 +88,25 @@ if (IS_MEMBER()) { } // END - if // Check login data - $password = ""; + $password = ""; $uid2 = ""; $dmy = ""; if ($probe_nickname === true) { // Nickname entered - $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' AND status='CONFIRMED' LIMIT 1", - array($uid), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM `"._MYSQL_PREFIX."_user_data` WHERE nickname='%s' AND status='CONFIRMED' LIMIT 1", + array($uid), __FILE__, __LINE__); list($uid2, $password, $online, $login) = SQL_FETCHROW($result); if (!empty($uid2)) $uid = bigintval($uid2); } else { // Direct userid entered - $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s AND status='CONFIRMED' LIMIT 1", - array($uid, $hash), __FILE__, __LINE__); - list($dmy, $password, $online, $login) = SQL_FETCHROW($result); + $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM `"._MYSQL_PREFIX."_user_data` WHERE userid=%s AND status='CONFIRMED' LIMIT 1", + array($uid, $hash), __FILE__, __LINE__); + list($uid2, $password, $online, $login) = SQL_FETCHROW($result); } // Is there an entry? - if (SQL_NUMROWS($result) == 1) { + if ((SQL_NUMROWS($result) == 1) && ((($probe_nickname) && (!empty($uid2))) || ($uid2 == $uid))) { + // Free result + SQL_FREERESULT($result); + // By default the hash is empty $hash = ""; @@ -112,7 +115,7 @@ if (IS_MEMBER()) { // Just set the hash to the password from DB... :) $hash = $password; } else { - // Encrypt hash for comparsion + // Hash password with improved way for comparsion $hash = generateHash($_POST['password'], substr($password, 0, -40)); } @@ -121,8 +124,8 @@ if (IS_MEMBER()) { $hash = generateHash($_POST['password']); // ... and update database - $result_update = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%s AND status='CONFIRMED' LIMIT 1", - array($hash, $uid), __FILE__, __LINE__); + SQL_QUERY_ESC("UPDATE `"._MYSQL_PREFIX."_user_data` SET password='%s' WHERE userid=%s AND status='CONFIRMED' LIMIT 1", + array($hash, $uid), __FILE__, __LINE__); // No login bonus by default $BONUS = false; @@ -130,19 +133,24 @@ if (IS_MEMBER()) { // Probe for last online timemark $probe = time() - $online; if (!empty($login)) $probe = time() - $login; - if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= $_CONFIG['login_timeout'])) { + if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= getConfig('login_timeout'))) { // Add login bonus to user's account - $ADD = ", login_bonus=login_bonus+'".$_CONFIG['login_bonus']."'"; + $ADD = sprintf(", login_bonus=login_bonus+%s", + (float)getConfig('login_bonus') + ); $BONUS = true; // Subtract login bonus from userid's account or jackpot - if ((GET_EXT_VERSION("bonus") >= "0.3.5") && ($_CONFIG['bonus_mode'] != "ADD")) BONUS_POINTS_HANDLER('login_bonus'); + if ((GET_EXT_VERSION("bonus") >= "0.3.5") && (getConfig('bonus_mode') != "ADD")) BONUS_POINTS_HANDLER('login_bonus'); } // END - if + // Init variables + $life = "-1"; $login = false; // Secure lifetime from input form $l = bigintval($_POST['lifetime']); - $life = "-1"; + + // Is the lifetime set? if ($l > 0) { // Calculate lifetime of cookies $life = time() + $l; @@ -153,7 +161,8 @@ if (IS_MEMBER()) { // Update cookies $login = (set_session("userid" , $uid , $life, COOKIE_PATH) && set_session("u_hash" , $hash, $life, COOKIE_PATH) - && set_session("lifetime", $l , $life, COOKIE_PATH)); + && set_session("lifetime", $l , $life, COOKIE_PATH) + ); // Update global array $GLOBALS['userid'] = $uid; @@ -164,8 +173,8 @@ if (IS_MEMBER()) { if ($login) { // Update database records - $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET total_logins=total_logins+1".$ADD." WHERE userid=%s LIMIT 1", - array($uid), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("UPDATE `"._MYSQL_PREFIX."_user_data` SET total_logins=total_logins+1".$ADD." WHERE userid=%s LIMIT 1", + array($uid), __FILE__, __LINE__); if (SQL_AFFECTEDROWS() == 1) { // Procedure to checking for login data if (($BONUS) && (EXT_IS_ACTIVE("bonus"))) { @@ -183,35 +192,36 @@ if (IS_MEMBER()) { // Cookies not setable! $URL = URL."/modules.php?module=index&what=login&login=".CODE_NO_COOKIES; } - } else { + } elseif (GET_EXT_VERSION("sql_patches") >= "0.4.7") { // Update failture counter - SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET login_failtures=login_failtures+1,last_failture=NOW() WHERE userid=%s LIMIT 1", + SQL_QUERY_ESC("UPDATE `"._MYSQL_PREFIX."_user_data` SET login_failtures=login_failtures+1,last_failture=NOW() WHERE userid=%s LIMIT 1", array($uid), __FILE__, __LINE__); // Wrong password! $ERROR = CODE_WRONG_PASS; } - } else { + } elseif ((($probe_nickname) && (!empty($uid2))) || ($uid2 == $uid)) { // Other account status? - $result = SQL_QUERY_ESC("SELECT status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s LIMIT 1", - array($uid), __FILE__, __LINE__); - if (SQL_NUMROWS($result) == 1) - { + $result = SQL_QUERY_ESC("SELECT status FROM `"._MYSQL_PREFIX."_user_data` WHERE userid=%s LIMIT 1", + array($uid), __FILE__, __LINE__); + + // Entry found? + if (SQL_NUMROWS($result) == 1) { // Load status list($status) = SQL_FETCHROW($result); - switch ($status) - { - case "LOCKED": - $ERROR = CODE_ID_LOCKED; - break; - - case "UNCONFIRMED": - $ERROR = CODE_ID_UNCONFIRMED; - break; - - default: - $ERROR = CODE_UNKNOWN_STATUS; - break; + switch ($status) { + case "LOCKED": + $ERROR = CODE_ID_LOCKED; + break; + + case "UNCONFIRMED": + $ERROR = CODE_ID_UNCONFIRMED; + break; + + default: + DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown error status %s detected.", $status)); + $ERROR = CODE_UNKNOWN_STATUS; + break; } } else { // ID not found! @@ -220,6 +230,9 @@ if (IS_MEMBER()) { // Construct URL $URL = URL."/modules.php?module=index&what=login&login=".$ERROR; + } else { + // ID not found! + $ERROR = CODE_WRONG_ID; } } elseif ((!empty($_POST['new_pass'])) && (isset($uid))) { // Compile email when found in address (only secure chars!) @@ -228,16 +241,26 @@ if (IS_MEMBER()) { // Set ID number when left empty if (empty($_POST['id'])) $_POST['id'] = 0; + // Init result + $result = false; + // Probe userid/nickname - $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id'])); - if ($probe_nickname) { + if ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id'])) { // Nickname entered - $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' OR email='%s' LIMIT 1", - array(addslashes($uid), $_POST['email']), __FILE__, __LINE__); - } else { + $result = SQL_QUERY_ESC("SELECT userid, status FROM `"._MYSQL_PREFIX."_user_data` WHERE nickname='%s' OR email='%s' LIMIT 1", + array($uid, $_POST['email']), __FILE__, __LINE__); + } elseif (($uid > 0) && (empty($_POST['email']))) { // Direct userid entered - $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s OR email='%s' LIMIT 1", - array($uid, $_POST['email']), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("SELECT userid, status FROM `"._MYSQL_PREFIX."_user_data` WHERE userid=%s LIMIT 1", + array(bigintval($uid)), __FILE__, __LINE__); + } elseif (!empty($_POST['email'])) { + // Email entered + $result = SQL_QUERY_ESC("SELECT userid, status FROM `"._MYSQL_PREFIX."_user_data` WHERE email='%s' LIMIT 1", + array($_POST['email']), __FILE__, __LINE__); + } else { + // Userid not set! + DEBUG_LOG(__FILE__, __LINE__, "Userid is not set! BUG!"); + $ERROR = CODE_WRONG_ID; } // Any entry found? @@ -248,8 +271,8 @@ if (IS_MEMBER()) { if ($status == "CONFIRMED") { // Ooppps, this was missing! ;-) We should update the database... $NEW_PASS = GEN_PASS(); - $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%s LIMIT 1", - array(generateHash($NEW_PASS), $uid), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("UPDATE `"._MYSQL_PREFIX."_user_data` SET password='%s' WHERE userid=%s LIMIT 1", + array(generateHash($NEW_PASS), $uid), __FILE__, __LINE__); // Prepare data and message for email $msg = LOAD_EMAIL_TEMPLATE("new-pass", array('new_pass' => $NEW_PASS), $uid); @@ -262,8 +285,12 @@ if (IS_MEMBER()) { } else { // Account is locked or unconfirmed switch ($status) { - case "LOCKED" : $MSG = CODE_ID_LOCKED; break; - case "UNCONFIRMED": $MSG = CODE_ID_UNCONFIRMED; break; + case "LOCKED" : $ERROR = CODE_ID_LOCKED; break; + case "UNCONFIRMED": $ERROR = CODE_ID_UNCONFIRMED; break; + default: // Unhandled account status! + $ERROR = CODE_UNHANDLED_STATUS; + DEBUG_LOG(__FILE__, __LINE__, sprintf("Undhandled account status %s detected.", $status)); + break; } // Load URL @@ -319,6 +346,7 @@ if (!empty($ERROR)) { break; default: + DEBUG_LOG(__FILE__, __LINE__, sprintf("Unhandled error code %s detected.", $ERROR)); $MSG .= LOGIN_WRONG_ID; break; }