source: trunk/forum/includes/auth/auth_db.php

1<?php
2/**
3* Database auth plug-in for phpBB3
4*
5* Authentication plug-ins are largely down to Sergey Kanareykin, our thanks to him.
6*
7* This is for authentication via the integrated user table
8*
9* @package login
10* @version $Id$
11* @copyright (c) 2005 phpBB Group
12* @license http://opensource.org/licenses/gpl-license.php GNU Public License
13*
14*/
15
16/**
17* @ignore
18*/
// Refuse direct execution: this plug-in is only ever included by the phpBB front controller.
if (defined('IN_PHPBB') === false)
{
	exit;
}
23
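/**
* Login function for the integrated user table.
*
* Looks the account up by its cleaned username, enforces the captcha once the stored
* login-attempt counter reaches max_login_attempts, transparently upgrades phpBB2-era
* (user_pass_convert) and plain-md5 hashes on a successful check, and maintains the
* user_login_attempts counter on every outcome.
*
* @param string $username	Raw username as submitted; looked up via utf8_clean_string()
* @param string $password	Raw password as submitted
* @return array				'status' (a LOGIN_* constant), 'error_msg' (language key or false)
*							and 'user_row' (the full user row when an account was found,
*							otherwise only array('user_id' => ANONYMOUS))
*/
function login_db(&$username, &$password)
{
	global $db, $config;

	// Do not allow an empty password. Compared strictly so that a legitimate
	// password of "0" is not mistaken for "no password supplied".
	if ((string) $password === '')
	{
		return array(
			'status'	=> LOGIN_ERROR_PASSWORD,
			'error_msg'	=> 'NO_PASSWORD_SUPPLIED',
			'user_row'	=> array('user_id' => ANONYMOUS),
		);
	}

	if ((string) $username === '')
	{
		return array(
			'status'	=> LOGIN_ERROR_USERNAME,
			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
			'user_row'	=> array('user_id' => ANONYMOUS),
		);
	}

	$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
		FROM ' . USERS_TABLE . "
		WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
	$result = $db->sql_query($sql);
	$row = $db->sql_fetchrow($result);
	$db->sql_freeresult($result);

	// NOTE(review): an unknown username and a wrong password yield different statuses
	// (LOGIN_ERROR_USERNAME vs LOGIN_ERROR_PASSWORD), so a client can tell valid
	// usernames apart. Callers and templates rely on the distinction, so it is kept.
	if (!$row)
	{
		return array(
			'status'	=> LOGIN_ERROR_USERNAME,
			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
			'user_row'	=> array('user_id' => ANONYMOUS),
		);
	}

	// user_id comes from the database, but it is interpolated unquoted into SQL below,
	// so pin it to an integer anyway.
	$user_id = (int) $row['user_id'];

	$max_attempts = (int) $config['max_login_attempts'];
	$show_captcha = $max_attempts > 0 && (int) $row['user_login_attempts'] >= $max_attempts;

	// Too many failed attempts for this account: a confirm code is required before the
	// password is even checked. Every auth module decides for itself how to handle this.
	if ($show_captcha)
	{
		// Visual Confirmation handling
		if (!class_exists('phpbb_captcha_factory'))
		{
			global $phpbb_root_path, $phpEx;
			include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
		}

		$captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
		$captcha->init(CONFIRM_LOGIN);
		$vc_response = $captcha->validate($row);

		// validate() returns an error (truthy) on a missing/wrong confirm code
		if ($vc_response)
		{
			return array(
				'status'	=> LOGIN_ERROR_ATTEMPTS,
				'error_msg'	=> 'LOGIN_ERROR_ATTEMPTS',
				'user_row'	=> $row,
			);
		}

		$captcha->reset();
	}

	// If the password convert flag is set we need to convert it
	if ($row['user_pass_convert'])
	{
		// phpBB2 hashed the password exactly as it arrived, with addslashes() applied, so the
		// raw request value is needed to rebuild the old hash input. It is only ever hashed
		// here, never stored or echoed.
		$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
		$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
		$password_new_format = '';

		set_var($password_new_format, stripslashes($password_old_format), 'string');

		// Only convert when the sanitised request value really is the password we were given
		if ($password === $password_new_format)
		{
			if (!function_exists('utf8_to_cp1252'))
			{
				global $phpbb_root_path, $phpEx;
				include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx);
			}

			$stored_hash = (string) $row['user_password'];
			$stored_len = strlen($stored_hash);

			// cp1252 was phpBB2's default encoding; characters outside the ASCII range might
			// only match once recoded into it. Plain md5 support is left in for conversions
			// from other systems.
			$candidates = array(
				md5($password_old_format),
				md5(utf8_to_cp1252($password_old_format)),
			);
			$converted = false;

			if ($stored_len == 34)
			{
				foreach ($candidates as $candidate)
				{
					if (phpbb_check_hash($candidate, $stored_hash))
					{
						$converted = true;
						break;
					}
				}
			}
			else if ($stored_len == 32)
			{
				// Never compare hashes with ==: two hex strings of the form "0e<digits>" are
				// both numeric and compare equal as floats, which would accept a wrong password.
				foreach ($candidates as $candidate)
				{
					if (login_db_hash_equals($stored_hash, $candidate))
					{
						$converted = true;
						break;
					}
				}
			}

			if ($converted)
			{
				$hash = phpbb_hash($password_new_format);

				// Update the password in the users table to the new format and remove user_pass_convert flag
				$sql = 'UPDATE ' . USERS_TABLE . '
					SET user_password = \'' . $db->sql_escape($hash) . '\',
						user_pass_convert = 0
					WHERE user_id = ' . $user_id;
				$db->sql_query($sql);

				$row['user_pass_convert'] = 0;
				$row['user_password'] = $hash;
			}
			else
			{
				// Although we weren't able to convert this password we have to
				// increase the login attempt count so this path cannot be used to
				// guess passwords without ever triggering the captcha.
				$sql = 'UPDATE ' . USERS_TABLE . '
					SET user_login_attempts = user_login_attempts + 1
					WHERE user_id = ' . $user_id;
				$db->sql_query($sql);

				return array(
					'status'	=> LOGIN_ERROR_PASSWORD_CONVERT,
					'error_msg'	=> 'LOGIN_ERROR_PASSWORD_CONVERT',
					'user_row'	=> $row,
				);
			}
		}
	}

	// Check password (an unconverted legacy account can never pass here)
	if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
	{
		// Old plain-md5 hash (32 hex chars): re-hash now that we have the plaintext
		if (strlen($row['user_password']) == 32)
		{
			$hash = phpbb_hash($password);

			// Update the password in the users table to the new format
			$sql = 'UPDATE ' . USERS_TABLE . "
				SET user_password = '" . $db->sql_escape($hash) . "',
					user_pass_convert = 0
				WHERE user_id = $user_id";
			$db->sql_query($sql);

			$row['user_password'] = $hash;
		}

		if ($row['user_login_attempts'] != 0)
		{
			// Successful, reset login attempts (the user passed all stages)
			$sql = 'UPDATE ' . USERS_TABLE . '
				SET user_login_attempts = 0
				WHERE user_id = ' . $user_id;
			$db->sql_query($sql);
		}

		// User inactive... (the password was correct, so the attempt counter stays reset)
		if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
		{
			return array(
				'status'	=> LOGIN_ERROR_ACTIVE,
				'error_msg'	=> 'ACTIVE_ERROR',
				'user_row'	=> $row,
			);
		}

		// Password verified and account active: successful login
		return array(
			'status'	=> LOGIN_SUCCESS,
			'error_msg'	=> false,
			'user_row'	=> $row,
		);
	}

	// Password incorrect - increase login attempts
	$sql = 'UPDATE ' . USERS_TABLE . '
		SET user_login_attempts = user_login_attempts + 1
		WHERE user_id = ' . $user_id;
	$db->sql_query($sql);

	// Give status about wrong password (reported as an attempts error once the captcha is in force)
	return array(
		'status'	=> ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD,
		'error_msg'	=> ($show_captcha) ? 'LOGIN_ERROR_ATTEMPTS' : 'LOGIN_ERROR_PASSWORD',
		'user_row'	=> $row,
	);
}

/**
* Compare two legacy (plain md5) hashes without PHP's loose numeric-string comparison.
*
* Uses hash_equals() where available (PHP >= 5.6) so the comparison is also timing-safe;
* otherwise falls back to a strict string comparison, which still cannot be fooled by
* "0e<digits>" magic hashes but is not constant-time.
*
* @param string $known_string	Hash stored in the database
* @param string $user_string	Hash computed from the submitted password
* @return bool					true only when both strings are byte-for-byte identical
*/
function login_db_hash_equals($known_string, $user_string)
{
	$known_string = (string) $known_string;
	$user_string = (string) $user_string;

	if (function_exists('hash_equals'))
	{
		return hash_equals($known_string, $user_string);
	}

	return $known_string === $user_string;
}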
207
208?>