X-Git-Url: https://git.mxchange.org/?p=mailer.git;a=blobdiff_plain;f=inc%2Fmodules%2Fguest%2Fwhat-login.php;h=ad2c106e3a66db890f2a30f350e2cfa52a7a84c3;hp=9aea8f972b276cbd4270e926cabd2de5e95b4af9;hb=963e55ca1ea79e255f235e359cde9f7862191dc5;hpb=0e899620c7a065952d6787c236fb2b33ae337d6a
diff --git a/inc/modules/guest/what-login.php b/inc/modules/guest/what-login.php
index 9aea8f972b..ad2c106e3a 100644
--- a/inc/modules/guest/what-login.php
+++ b/inc/modules/guest/what-login.php
@@ -33,8 +33,7 @@
 ************************************************************************/
 // Some security stuff...
-if (ereg(basename(__FILE__), $_SERVER['PHP_SELF']))
-{
+if (!defined('__SECURITY')) {
 $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
 require($INC);
 }
@@ -42,35 +41,32 @@ if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) // Add description as navigation point ADD_DESCR("guest", basename(__FILE__)); -OPEN_TABLE("100%", "guest_content_align", ""); global $DATA, $FATAL; // Initialize data -$probe_nickname = false; $UID = false; $hash = ""; +$probe_nickname = false; $uid = false; $hash = ""; unset($login); unset($online); -if ((!empty($GLOBALS['userid'])) && (isSessionVariableSet('u_hash'))) -{ +if ((!empty($GLOBALS['userid'])) && (isSessionVariableSet('u_hash'))) { // Already logged in? - $UID = $GLOBALS['userid']; + $uid = $GLOBALS['userid']; } elseif ((!empty($_POST['id'])) && (!empty($_POST['password'])) && (isset($_POST['ok']))) { // Set userid and crypt password when login data was submitted - $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id'])); - if ($probe_nickname) - { + $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".bigintval($_POST['id'])."") != $_POST['id'])); + if ($probe_nickname === true) { // Nickname entered - $UID = SQL_ESCAPE($_POST['id']); + $uid = SQL_ESCAPE($_POST['id']); } else { // Direct userid entered - $UID = bigintval($_POST['id']); + $uid = bigintval($_POST['id']); } } elseif (!empty($_POST['new_pass'])) { // New password requested - $UID = "0"; - if (!empty($_POST['id'])) $UID = $_POST['id']; + $uid = 0; + if (!empty($_POST['id'])) $uid = $_POST['id']; } else { // Not logged in - $UID = "0"; $hash = ""; + $uid = 0; $hash = ""; } $URL = ""; $ADD = ""; 
@@ -78,124 +74,127 @@ $URL = ""; $ADD = ""; if (empty($_POST['new_pass'])) $_POST['new_pass'] = ""; if (empty($_GET['login'])) $_GET['login'] = ""; -if (IS_LOGGED_IN()) { +if (IS_MEMBER()) { // Login immidiately... $URL = URL."/modules.php?module=login"; +} elseif ((isset($_POST['ok'])) && ("".$uid."" != "".$_POST['id']."")) { + // Invalid input (no nickname extension installed but nickname entered) + $ERROR = CODE_EXTENSION_PROBLEM; } elseif (isset($_POST['ok'])) { // Add last_login if available $LAST = ""; if (GET_EXT_VERSION("sql_patches") >= "0.2.8") { $LAST = ", last_login"; - } + } // END - if // Check login data $password = ""; - if ($probe_nickname) { + if ($probe_nickname === true) { // Nickname entered $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' AND status='CONFIRMED' LIMIT 1", - array($UID), __FILE__, __LINE__); - list($UID2, $password, $online, $login) = SQL_FETCHROW($result); - if (!empty($UID2)) $UID = $UID2; + array($uid), __FILE__, __LINE__); + list($uid2, $password, $online, $login) = SQL_FETCHROW($result); + if (!empty($uid2)) $uid = bigintval($uid2); } else { // Direct userid entered - $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d AND status='CONFIRMED' LIMIT 1", - array(bigintval($UID), $hash), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s AND status='CONFIRMED' LIMIT 1", + array($uid, $hash), __FILE__, __LINE__); list($dmy, $password, $online, $login) = SQL_FETCHROW($result); } + + // Is there an entry? 
if (SQL_NUMROWS($result) == 1) { - // Valid data found so let's load the last login data - if (isset($_POST['ok'])) { - // By default the hash is empty - $hash = ""; - - // Check for old MD5 passwords - if ((strlen($password) == 32) && (md5($_POST['password']) == $password)) { - // Just set the hash to the password from DB... :) - $hash = $password; - } else { - // Encrypt hash for comparsion - $hash = generateHash($_POST['password'], substr($password, 0, -40)); - } + // By default the hash is empty + $hash = ""; - if ($hash == $password) { - // New hashed password found so let's generate a new one - $hash = generateHash($_POST['password']); + // Check for old MD5 passwords + if ((strlen($password) == 32) && (md5($_POST['password']) == $password)) { + // Just set the hash to the password from DB... :) + $hash = $password; + } else { + // Encrypt hash for comparsion + $hash = generateHash($_POST['password'], substr($password, 0, -40)); + } - // ... and update database - $result_update = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%d AND status='CONFIRMED' LIMIT 1", - array($hash, $UID), __FILE__, __LINE__); + if ($hash == $password) { + // New hashed password found so let's generate a new one + $hash = generateHash($_POST['password']); - // No login bonus by default - $BONUS = false; + // ... 
and update database + $result_update = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%s AND status='CONFIRMED' LIMIT 1", + array($hash, $uid), __FILE__, __LINE__); - // Probe for last online timemark - $probe = time() - $online; - if (!empty($login)) $probe = time() - $login; - if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= $_CONFIG['login_timeout'])) { - // Add login bonus to user's account - $ADD = ", login_bonus=login_bonus+'".$_CONFIG['login_bonus']."'"; - $BONUS = true; + // No login bonus by default + $BONUS = false; - // Subtract login bonus from userid's account or jackpot - if ((GET_EXT_VERSION("bonus") >= "0.3.5") && ($_CONFIG['bonus_mode'] != "ADD")) BONUS_POINTS_HANDLER('login_bonus'); - } + // Probe for last online timemark + $probe = time() - $online; + if (!empty($login)) $probe = time() - $login; + if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= $_CONFIG['login_timeout'])) { + // Add login bonus to user's account + $ADD = ", login_bonus=login_bonus+'".$_CONFIG['login_bonus']."'"; + $BONUS = true; + // Subtract login bonus from userid's account or jackpot + if ((GET_EXT_VERSION("bonus") >= "0.3.5") && ($_CONFIG['bonus_mode'] != "ADD")) BONUS_POINTS_HANDLER('login_bonus'); + } // END - if - // Secure lifetime from input form - $l = bigintval($_POST['lifetime']); - $life = "-1"; - if ($l > 0) { - // Calculate lifetime of cookies - $life = time() + $l; - // Calculate new hash with the secret key and master salt together - $hash = generatePassString($hash); + // Secure lifetime from input form + $l = bigintval($_POST['lifetime']); + $life = "-1"; + if ($l > 0) { + // Calculate lifetime of cookies + $life = time() + $l; - // Update cookies - $login = (set_session("userid" , $UID , $life, COOKIE_PATH) - && set_session("u_hash" , $hash, $life, COOKIE_PATH) - && set_session("lifetime", $l , $life, COOKIE_PATH)); + // Calculate new hash with the secret key and master salt together + $hash = 
generatePassString($hash); - // Update global array - $GLOBALS['userid'] = $UID; - } else { - // Check for login data - $login = IS_LOGGED_IN(); - } + // Update cookies + $login = (set_session("userid" , $uid , $life, COOKIE_PATH) + && set_session("u_hash" , $hash, $life, COOKIE_PATH) + && set_session("lifetime", $l , $life, COOKIE_PATH)); + + // Update global array + $GLOBALS['userid'] = $uid; + } else { + // Check for login data + $login = IS_MEMBER(); + } - if ($login) { - // Update database records - $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET total_logins=total_logins+1".$ADD." WHERE userid=%d LIMIT 1", - array(bigintval($UID)), __FILE__, __LINE__); - if (SQL_AFFECTEDROWS($link) == 1) { - // Procedure to checking for login data - if (($BONUS) && (EXT_IS_ACTIVE("bonus"))) { - // Bonus added (just displaying!) - $URL = URL."/modules.php?module=chk_login&mode=bonus"; - } else { - // Bonus not added - $URL = URL."/modules.php?module=chk_login&mode=login"; - } + if ($login) { + // Update database records + $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET total_logins=total_logins+1".$ADD." WHERE userid=%s LIMIT 1", + array($uid), __FILE__, __LINE__); + if (SQL_AFFECTEDROWS() == 1) { + // Procedure to checking for login data + if (($BONUS) && (EXT_IS_ACTIVE("bonus"))) { + // Bonus added (just displaying!) + $URL = URL."/modules.php?module=chk_login&mode=bonus"; } else { - // Cannot update counter! - $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_CNTR_FAILED; + // Bonus not added + $URL = URL."/modules.php?module=chk_login&mode=login"; } } else { - // Cookies not setable! - $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_NO_COOKIES; + // Cannot update counter! + $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_CNTR_FAILED; } } else { - // Wrong password! - $ERROR = CODE_WRONG_PASS; + // Cookies not setable! 
+ $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_NO_COOKIES; } } else { - // Fatal error! - $ERROR = CODE_LOGIN_FAILED; + // Update failture counter + SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET login_failtures=login_failtures+1,last_failture=NOW() WHERE userid=%s LIMIT 1", + array($uid), __FILE__, __LINE__); + + // Wrong password! + $ERROR = CODE_WRONG_PASS; } } else { // Other account status? - $result = SQL_QUERY_ESC("SELECT status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d LIMIT 1", - array(bigintval($UID)), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("SELECT status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s LIMIT 1", + array($uid), __FILE__, __LINE__); if (SQL_NUMROWS($result) == 1) { // Load status @@ -214,9 +213,7 @@ if (IS_LOGGED_IN()) { $ERROR = CODE_UNKNOWN_STATUS; break; } - } - else - { + } else { // ID not found! $ERROR = CODE_WRONG_ID; } 
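Review bot: The password checks kept on the new side, `md5($_POST['password']) == $password` and `if ($hash == $password)`, compare hash strings with `==`, which PHP evaluates numerically when both operands look numeric (e.g. two different `0e<digits>` hashes compare equal); change both to `===` so the stored hash has to match byte for byte. In the direct-userid branch the query arguments are `array($uid, $hash)` although the statement has a single `%s` placeholder, so the `$hash` argument (still `""` at that point) is dead and should be dropped to `array($uid)`. The nickname branch passes `SQL_ESCAPE($_POST['id'])` into SQL_QUERY_ESC, which appears to escape its arguments itself; if so the value is escaped twice and a nickname containing a quote or backslash will never match. The `if (SQL_NUMROWS($result) == 1)` / `else` chain this hunk rewrites continues past the end of the hunk.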
@@ -224,56 +221,47 @@ if (IS_LOGGED_IN()) { // Construct URL $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".$ERROR; } -} - elseif ((!empty($_POST['new_pass'])) && (isset($UID))) -{ +} elseif ((!empty($_POST['new_pass'])) && (isset($uid))) { // Compile email when found in address (only secure chars!) if (!empty($_POST['email'])) $_POST['email'] = str_replace("{DOT}", '.', $_POST['email']); // Set ID number when left empty - if (empty($_POST['id'])) $_POST['id'] = "0"; + if (empty($_POST['id'])) $_POST['id'] = 0; // Probe userid/nickname $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id'])); - if ($probe_nickname) - { + if ($probe_nickname) { // Nickname entered $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' OR email='%s' LIMIT 1", - array(addslashes($UID), $_POST['email']), __FILE__, __LINE__); - } - else - { + array(addslashes($uid), $_POST['email']), __FILE__, __LINE__); + } else { // Direct userid entered - $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d OR email='%s' LIMIT 1", - array(bigintval($UID), $_POST['email']), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s OR email='%s' LIMIT 1", + array($uid, $_POST['email']), __FILE__, __LINE__); } - if (SQL_NUMROWS($result) == 1) - { + + // Any entry found? + if (SQL_NUMROWS($result) == 1) { // This data is valid, so we create a new pass... :-) - list($UID, $status) = SQL_FETCHROW($result); + list($uid, $status) = SQL_FETCHROW($result); - if ($status == "CONFIRMED") - { + if ($status == "CONFIRMED") { // Ooppps, this was missing! ;-) We should update the database... 
$NEW_PASS = GEN_PASS(); - $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%d LIMIT 1", - array(generateHash($NEW_PASS), bigintval($UID)), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET password='%s' WHERE userid=%s LIMIT 1", + array(generateHash($NEW_PASS), $uid), __FILE__, __LINE__); // Prepare data and message for email - $DATA = array($NEW_PASS, getenv('REMOTE_ADDR')); - $msg = LOAD_EMAIL_TEMPLATE("new-pass", "", bigintval($UID)); + $msg = LOAD_EMAIL_TEMPLATE("new-pass", array('new_pass' => $NEW_PASS), $uid); // ... and send it away - SEND_EMAIL(bigintval($UID), GUEST_NEW_PASSWORD, $msg); + SEND_EMAIL($uid, GUEST_NEW_PASSWORD, $msg); // Output note to user LOAD_TEMPLATE("admin_settings_saved", false, GUEST_NEW_PASSWORD_SEND); - } - else - { + } else { // Account is locked or unconfirmed - switch ($status) - { + switch ($status) { case "LOCKED" : $MSG = CODE_ID_LOCKED; break; case "UNCONFIRMED": $MSG = CODE_ID_UNCONFIRMED; break; } @@ -281,25 +269,27 @@ if (IS_LOGGED_IN()) { // Load URL LOAD_URL("modules.php?module=".$GLOBALS['module']."&what=login&login=".$MSG); } - } - else - { + } else { // ID or email is wrong LOAD_TEMPLATE("admin_settings_saved", false, "".GUEST_WRONG_ID_EMAIL.""); } } - else -{ - // Login problems? - if (!empty($_GET['login'])) - { - // Ok, which one now? - $MSG = " + +// Login problems? +if (!empty($_GET['login'])) { + // Use code from URL + $ERROR = SQL_ESCAPE($_GET['login']); +} // END - if + +// Login problems? +if (!empty($ERROR)) { + // Ok, which one now? + $MSG = "   "; - switch ($_GET['login']) - { + + switch ($ERROR) { case CODE_WRONG_PASS: $MSG .= LOGIN_WRONG_PASS; break; @@ -320,6 +310,14 @@ if (IS_LOGGED_IN()) { $MSG .= LOGIN_NO_COOKIES; break; + case CODE_EXTENSION_PROBLEM: + if (IS_ADMIN()) { + $MSG .= sprintf(EXTENSION_PROBLEM_NOT_INSTALLED, "nickname"); + } else { + $MSG .= LOGIN_WRONG_ID; + } + break; + default: $MSG .= LOGIN_WRONG_ID; break; 
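Review bot: The direct-userid lookup in the new-password branch now reads `WHERE userid=%s` with `array($uid, $_POST['email'])`, replacing `%d` with `bigintval($uid)`, but in this branch `$uid` is the raw `$_POST['id']` assigned earlier in the file (`if (!empty($_POST['id'])) $uid = $_POST['id'];`); any escaping SQL_QUERY_ESC applies only protects quoted positions, so the unquoted numeric comparison now receives unfiltered input. Restore the cast at the call site, `array(bigintval($uid), $_POST['email']), __FILE__, __LINE__);`, or sanitise the assignment. The nickname probe here still uses `round($_POST['id'])` while the login branch was switched to `bigintval($_POST['id'])`; the two should agree, otherwise a value such as `12.4` is classified differently by the two paths.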
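Review bot: `$ERROR = SQL_ESCAPE($_GET['login']);` applies a SQL escape to a value that is never used in a query; it only feeds `switch ($ERROR)` and the template message, so the escape gives a false sense of validation. If the CODE_* constants are integers (the page builds `&login=".$ERROR` URLs from them but does not show their definitions), `$ERROR = bigintval($_GET['login']);` fits the actual use and avoids `switch`'s loose `==` comparison, under which a non-numeric string loosely matches an integer case on older PHP versions. Whichever cast is chosen, a short comment such as `// Error code from the redirect URL; only ever compared against CODE_* constants` would document why no SQL escaping is needed here.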
@@ -328,40 +326,30 @@ if (IS_LOGGED_IN()) {   \n"; - define ('LOGIN_FAILURE_MSG', $MSG); - } - else - { - // No problems, no output - define ('LOGIN_FAILURE_MSG', ""); - } - // Display login form with resend-password form - if (EXT_IS_ACTIVE("nickname")) - { - LOAD_TEMPLATE("guest_nickname_login"); - } - else - { - LOAD_TEMPLATE("guest_login"); - } + define('LOGIN_FAILURE_MSG', $MSG); +} else { + // No problems, no output + define('LOGIN_FAILURE_MSG', ""); +} + +// Display login form with resend-password form +if (EXT_IS_ACTIVE("nickname")) { + LOAD_TEMPLATE("guest_nickname_login"); +} else { + LOAD_TEMPLATE("guest_login"); } // Was an URL constructed? -if (!empty($URL)) -{ +if (!empty($URL)) { // URL was constructed - if (!empty($FATAL[0])) - { + if (!empty($FATAL[0])) { // Fatal errors! require_once(PATH."inc/fatal_errors.php"); - } - else - { + } else { // Load URL LOAD_URL($URL); } -} +} // END - if -CLOSE_TABLE(); // ?>