1 | <?php
|
---|
2 | /**
|
---|
3 | * Database auth plug-in for phpBB3
|
---|
4 | *
|
---|
5 | * Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
|
---|
6 | *
|
---|
7 | * This is for authentication via the integrated user table
|
---|
8 | *
|
---|
9 | * @package login
|
---|
10 | * @version $Id$
|
---|
11 | * @copyright (c) 2005 phpBB Group
|
---|
12 | * @license http://opensource.org/licenses/gpl-license.php GNU Public License
|
---|
13 | *
|
---|
14 | */
|
---|
15 |
|
---|
16 | /**
|
---|
17 | * @ignore
|
---|
18 | */
|
---|
19 | if (!defined('IN_PHPBB'))
|
---|
20 | {
|
---|
21 | exit;
|
---|
22 | }
|
---|
23 |
|
---|
24 | /**
|
---|
25 | * Login function
|
---|
26 | */
|
---|
27 | function login_db(&$username, &$password)
|
---|
28 | {
|
---|
29 | global $db, $config;
|
---|
30 |
|
---|
31 | // do not allow empty password
|
---|
32 | if (!$password)
|
---|
33 | {
|
---|
34 | return array(
|
---|
35 | 'status' => LOGIN_ERROR_PASSWORD,
|
---|
36 | 'error_msg' => 'NO_PASSWORD_SUPPLIED',
|
---|
37 | 'user_row' => array('user_id' => ANONYMOUS),
|
---|
38 | );
|
---|
39 | }
|
---|
40 |
|
---|
41 | if (!$username)
|
---|
42 | {
|
---|
43 | return array(
|
---|
44 | 'status' => LOGIN_ERROR_USERNAME,
|
---|
45 | 'error_msg' => 'LOGIN_ERROR_USERNAME',
|
---|
46 | 'user_row' => array('user_id' => ANONYMOUS),
|
---|
47 | );
|
---|
48 | }
|
---|
49 |
|
---|
50 | $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
|
---|
51 | FROM ' . USERS_TABLE . "
|
---|
52 | WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
---|
53 | $result = $db->sql_query($sql);
|
---|
54 | $row = $db->sql_fetchrow($result);
|
---|
55 | $db->sql_freeresult($result);
|
---|
56 |
|
---|
57 | if (!$row)
|
---|
58 | {
|
---|
59 | return array(
|
---|
60 | 'status' => LOGIN_ERROR_USERNAME,
|
---|
61 | 'error_msg' => 'LOGIN_ERROR_USERNAME',
|
---|
62 | 'user_row' => array('user_id' => ANONYMOUS),
|
---|
63 | );
|
---|
64 | }
|
---|
65 | $show_captcha = $config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts'];
|
---|
66 |
|
---|
67 | // If there are too much login attempts, we need to check for an confirm image
|
---|
68 | // Every auth module is able to define what to do by itself...
|
---|
69 | if ($show_captcha)
|
---|
70 | {
|
---|
71 | // Visual Confirmation handling
|
---|
72 | if (!class_exists('phpbb_captcha_factory'))
|
---|
73 | {
|
---|
74 | global $phpbb_root_path, $phpEx;
|
---|
75 | include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
|
---|
76 | }
|
---|
77 |
|
---|
78 | $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
|
---|
79 | $captcha->init(CONFIRM_LOGIN);
|
---|
80 | $vc_response = $captcha->validate($row);
|
---|
81 | if ($vc_response)
|
---|
82 | {
|
---|
83 | return array(
|
---|
84 | 'status' => LOGIN_ERROR_ATTEMPTS,
|
---|
85 | 'error_msg' => 'LOGIN_ERROR_ATTEMPTS',
|
---|
86 | 'user_row' => $row,
|
---|
87 | );
|
---|
88 | }
|
---|
89 | else
|
---|
90 | {
|
---|
91 | $captcha->reset();
|
---|
92 | }
|
---|
93 |
|
---|
94 | }
|
---|
95 |
|
---|
96 | // If the password convert flag is set we need to convert it
|
---|
97 | if ($row['user_pass_convert'])
|
---|
98 | {
|
---|
99 | // in phpBB2 passwords were used exactly as they were sent, with addslashes applied
|
---|
100 | $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
|
---|
101 | $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
|
---|
102 | $password_new_format = '';
|
---|
103 |
|
---|
104 | set_var($password_new_format, stripslashes($password_old_format), 'string');
|
---|
105 |
|
---|
106 | if ($password == $password_new_format)
|
---|
107 | {
|
---|
108 | if (!function_exists('utf8_to_cp1252'))
|
---|
109 | {
|
---|
110 | global $phpbb_root_path, $phpEx;
|
---|
111 | include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx);
|
---|
112 | }
|
---|
113 |
|
---|
114 | // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
|
---|
115 | // plain md5 support left in for conversions from other systems.
|
---|
116 | if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
|
---|
117 | || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])))
|
---|
118 | {
|
---|
119 | $hash = phpbb_hash($password_new_format);
|
---|
120 |
|
---|
121 | // Update the password in the users table to the new format and remove user_pass_convert flag
|
---|
122 | $sql = 'UPDATE ' . USERS_TABLE . '
|
---|
123 | SET user_password = \'' . $db->sql_escape($hash) . '\',
|
---|
124 | user_pass_convert = 0
|
---|
125 | WHERE user_id = ' . $row['user_id'];
|
---|
126 | $db->sql_query($sql);
|
---|
127 |
|
---|
128 | $row['user_pass_convert'] = 0;
|
---|
129 | $row['user_password'] = $hash;
|
---|
130 | }
|
---|
131 | else
|
---|
132 | {
|
---|
133 | // Although we weren't able to convert this password we have to
|
---|
134 | // increase login attempt count to make sure this cannot be exploited
|
---|
135 | $sql = 'UPDATE ' . USERS_TABLE . '
|
---|
136 | SET user_login_attempts = user_login_attempts + 1
|
---|
137 | WHERE user_id = ' . $row['user_id'];
|
---|
138 | $db->sql_query($sql);
|
---|
139 |
|
---|
140 | return array(
|
---|
141 | 'status' => LOGIN_ERROR_PASSWORD_CONVERT,
|
---|
142 | 'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT',
|
---|
143 | 'user_row' => $row,
|
---|
144 | );
|
---|
145 | }
|
---|
146 | }
|
---|
147 | }
|
---|
148 |
|
---|
149 | // Check password ...
|
---|
150 | if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
|
---|
151 | {
|
---|
152 | // Check for old password hash...
|
---|
153 | if (strlen($row['user_password']) == 32)
|
---|
154 | {
|
---|
155 | $hash = phpbb_hash($password);
|
---|
156 |
|
---|
157 | // Update the password in the users table to the new format
|
---|
158 | $sql = 'UPDATE ' . USERS_TABLE . "
|
---|
159 | SET user_password = '" . $db->sql_escape($hash) . "',
|
---|
160 | user_pass_convert = 0
|
---|
161 | WHERE user_id = {$row['user_id']}";
|
---|
162 | $db->sql_query($sql);
|
---|
163 |
|
---|
164 | $row['user_password'] = $hash;
|
---|
165 | }
|
---|
166 |
|
---|
167 | if ($row['user_login_attempts'] != 0)
|
---|
168 | {
|
---|
169 | // Successful, reset login attempts (the user passed all stages)
|
---|
170 | $sql = 'UPDATE ' . USERS_TABLE . '
|
---|
171 | SET user_login_attempts = 0
|
---|
172 | WHERE user_id = ' . $row['user_id'];
|
---|
173 | $db->sql_query($sql);
|
---|
174 | }
|
---|
175 |
|
---|
176 | // User inactive...
|
---|
177 | if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
|
---|
178 | {
|
---|
179 | return array(
|
---|
180 | 'status' => LOGIN_ERROR_ACTIVE,
|
---|
181 | 'error_msg' => 'ACTIVE_ERROR',
|
---|
182 | 'user_row' => $row,
|
---|
183 | );
|
---|
184 | }
|
---|
185 |
|
---|
186 | // Successful login... set user_login_attempts to zero...
|
---|
187 | return array(
|
---|
188 | 'status' => LOGIN_SUCCESS,
|
---|
189 | 'error_msg' => false,
|
---|
190 | 'user_row' => $row,
|
---|
191 | );
|
---|
192 | }
|
---|
193 |
|
---|
194 | // Password incorrect - increase login attempts
|
---|
195 | $sql = 'UPDATE ' . USERS_TABLE . '
|
---|
196 | SET user_login_attempts = user_login_attempts + 1
|
---|
197 | WHERE user_id = ' . $row['user_id'];
|
---|
198 | $db->sql_query($sql);
|
---|
199 |
|
---|
200 | // Give status about wrong password...
|
---|
201 | return array(
|
---|
202 | 'status' => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD,
|
---|
203 | 'error_msg' => ($show_captcha) ? 'LOGIN_ERROR_ATTEMPTS' : 'LOGIN_ERROR_PASSWORD',
|
---|
204 | 'user_row' => $row,
|
---|
205 | );
|
---|
206 | }
|
---|
207 |
|
---|
208 | ?>
|
---|