get login working

git-svn-id: file:///svn/phpbb/trunk@9271 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-28 14:18:52 +00:00 · 2009-01-16 17:39:06 +00:00 · 2009-01-16 17:39:06 +00:00 · 0df7a9b3e3
commit 0df7a9b3e3
parent eb690bf9f0
1 changed files with 102 additions and 158 deletions
--- a/phpBB/includes/auth/db.php
+++ b/phpBB/includes/auth/db.php
@ -21,194 +21,138 @@ if (!defined('IN_PHPBB'))
 	exit;
 }
-/**
+class phpbb_auth_db /* extends phpbb_auth */
 * Login function
 */
 function login_db(&$username, &$password)
 {
-	global $db;
+	/**
-
+	* Login function
-	// do not allow empty password
+	*/
-	if (!$password)
+	function login(&$username, &$password)
 	{
-		return array(
+		// do not allow empty password
-			'status'	=> LOGIN_ERROR_PASSWORD,
+		if (!$password)
 			'error_msg'	=> 'NO_PASSWORD_SUPPLIED',
 			'user_row'	=> array('user_id' => ANONYMOUS),
 		);
 	}
 	if (!$username)
 	{
 		return array(
 			'status'	=> LOGIN_ERROR_USERNAME,
 			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
 			'user_row'	=> array('user_id' => ANONYMOUS),
 		);
 	}
 	$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
 		FROM ' . USERS_TABLE . "
 		WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 	$result = $db->sql_query($sql);
 	$row = $db->sql_fetchrow($result);
 	$db->sql_freeresult($result);
 	if (!$row)
 	{
 		return array(
 			'status'	=> LOGIN_ERROR_USERNAME,
 			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
 			'user_row'	=> array('user_id' => ANONYMOUS),
 		);
 	}
 	// If there are too much login attempts, we need to check for an confirm image
 	// Every auth module is able to define what to do by itself...
 	if (phpbb::$config['max_login_attempts'] && $row['user_login_attempts'] >= phpbb::$config['max_login_attempts'])
 	{
 		$confirm_id = request_var('confirm_id', '');
 		$confirm_code = request_var('confirm_code', '');
 		// Visual Confirmation handling
 		if (!$confirm_id)
 		{
 			return array(
-				'status'		=> LOGIN_ERROR_ATTEMPTS,
+				'status'	=> LOGIN_ERROR_PASSWORD,
-				'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
+				'error_msg'	=> 'NO_PASSWORD_SUPPLIED',
-				'user_row'		=> $row,
+				'user_row'	=> array('user_id' => ANONYMOUS),
 			);
 		}
 		else
 		{
 			$captcha = phpbb_captcha_factory::get_instance(phpbb::$config['captcha_plugin']);
 			$captcha->init(CONFIRM_LOGIN);
 			$vc_response = $captcha->validate();
 			if ($vc_response)
 			{
 				return array(
 						'status'		=> LOGIN_ERROR_ATTEMPTS,
 						'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
 						'user_row'		=> $row,
 				);
 			}
 		}
 	}
-	// @todo: safe to remove?
+		if (!$username)
 	// If the password convert flag is set we need to convert it
 	/*if ($row['user_pass_convert'])
 	{
 		// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
 		$disabled = phpbb_request::super_globals_disabled();
 		phpbb_request::enable_super_globals();
 		$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
 		$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
 		$password_new_format = '';
 		if ($disabled)
 		{
-			phpbb_request::disable_super_globals();
+			return array(
 				'status'	=> LOGIN_ERROR_USERNAME,
 				'error_msg'	=> 'LOGIN_ERROR_USERNAME',
 				'user_row'	=> array('user_id' => ANONYMOUS),
 			);
 		}
-		set_var($password_new_format, stripslashes($password_old_format), 'string');
+		$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
 			FROM ' . USERS_TABLE . "
 			WHERE username_clean = '" . phpbb::$db->sql_escape(utf8_clean_string($username)) . "'";
 		$result = phpbb::$db->sql_query($sql);
 		$row = phpbb::$db->sql_fetchrow($result);
 		phpbb::$db->sql_freeresult($result);
-		if ($password == $password_new_format)
+		if (!$row)
 		{
-			if (!function_exists('utf8_to_cp1252'))
+			return array(
 				'status'	=> LOGIN_ERROR_USERNAME,
 				'error_msg'	=> 'LOGIN_ERROR_USERNAME',
 				'user_row'	=> array('user_id' => ANONYMOUS),
 			);
 		}
 		// If there are too much login attempts, we need to check for an confirm image
 		// Every auth module is able to define what to do by itself...
 		if (phpbb::$config['max_login_attempts'] && $row['user_login_attempts'] >= phpbb::$config['max_login_attempts'])
 		{
 			$confirm_id = request_var('confirm_id', '');
 			$confirm_code = request_var('confirm_code', '');
 			// Visual Confirmation handling
 			if (!$confirm_id)
 			{
 				include(PHPBB_ROOT_PATH . 'includes/utf/data/recode_basic.' . PHP_EXT);
 			}
 			// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
 			if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
 			{
 				$hash = phpbb_hash($password_new_format);
 				// Update the password in the users table to the new format and remove user_pass_convert flag
 				$sql = 'UPDATE ' . USERS_TABLE . '
 					SET user_password = \'' . $db->sql_escape($hash) . '\',
 						user_pass_convert = 0
 					WHERE user_id = ' . $row['user_id'];
 				$db->sql_query($sql);
 				$row['user_pass_convert'] = 0;
 				$row['user_password'] = $hash;
 			}
 			else
 			{
 				// Although we weren't able to convert this password we have to
 				// increase login attempt count to make sure this cannot be exploited
 				$sql = 'UPDATE ' . USERS_TABLE . '
 					SET user_login_attempts = user_login_attempts + 1
 					WHERE user_id = ' . $row['user_id'];
 				$db->sql_query($sql);
 				return array(
-					'status'		=> LOGIN_ERROR_PASSWORD_CONVERT,
+					'status'		=> LOGIN_ERROR_ATTEMPTS,
-					'error_msg'		=> 'LOGIN_ERROR_PASSWORD_CONVERT',
+					'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
 					'user_row'		=> $row,
 				);
 			}
-		}
+			else
-	}*/
+			{
-
+				$captcha = phpbb_captcha_factory::get_instance(phpbb::$config['captcha_plugin']);
-	// Check password ...
+				$captcha->init(CONFIRM_LOGIN);
-	if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
+				$vc_response = $captcha->validate();
-	{
+				if ($vc_response)
-		// Check for old password hash...
+				{
-		if (strlen($row['user_password']) == 32)
+					return array(
-		{
+							'status'		=> LOGIN_ERROR_ATTEMPTS,
-			$hash = phpbb_hash($password);
+							'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
-
+							'user_row'		=> $row,
-			// Update the password in the users table to the new format
+					);
-			$sql = 'UPDATE ' . USERS_TABLE . "
+				}
-				SET user_password = '" . $db->sql_escape($hash) . "',
+			}
 					user_pass_convert = 0
 				WHERE user_id = {$row['user_id']}";
 			$db->sql_query($sql);
 			$row['user_password'] = $hash;
 		}
-		if ($row['user_login_attempts'] != 0)
+		// Check password ...
 		if (!$row['user_pass_convert'] && phpbb::$security->check_password($password, $row['user_password']))
 		{
-			// Successful, reset login attempts (the user passed all stages)
+			// Check for old password hash...
-			$sql = 'UPDATE ' . USERS_TABLE . '
+			if (strlen($row['user_password']) == 32)
-				SET user_login_attempts = 0
+			{
-				WHERE user_id = ' . $row['user_id'];
+				$hash = phpbb::$security->hash_password($password);
 			$db->sql_query($sql);
 		}
-		// User inactive...
+				// Update the password in the users table to the new format
-		if ($row['user_type'] == phpbb::USER_INACTIVE || $row['user_type'] == phpbb::USER_IGNORE)
+				$sql = 'UPDATE ' . USERS_TABLE . "
-		{
+					SET user_password = '" . phpbb::$db->sql_escape($hash) . "',
 						user_pass_convert = 0
 					WHERE user_id = {$row['user_id']}";
 				phpbb::$db->sql_query($sql);
 				$row['user_password'] = $hash;
 			}
 			if ($row['user_login_attempts'] != 0)
 			{
 				// Successful, reset login attempts (the user passed all stages)
 				$sql = 'UPDATE ' . USERS_TABLE . '
 					SET user_login_attempts = 0
 					WHERE user_id = ' . $row['user_id'];
 				phpbb::$db->sql_query($sql);
 			}
 			// User inactive...
 			if ($row['user_type'] == phpbb::USER_INACTIVE || $row['user_type'] == phpbb::USER_IGNORE)
 			{
 				return array(
 					'status'		=> LOGIN_ERROR_ACTIVE,
 					'error_msg'		=> 'ACTIVE_ERROR',
 					'user_row'		=> $row,
 				);
 			}
 			// Successful login... set user_login_attempts to zero...
 			return array(
-				'status'		=> LOGIN_ERROR_ACTIVE,
+				'status'		=> LOGIN_SUCCESS,
-				'error_msg'		=> 'ACTIVE_ERROR',
+				'error_msg'		=> false,
 				'user_row'		=> $row,
 			);
 		}
-		// Successful login... set user_login_attempts to zero...
+		// Password incorrect - increase login attempts
 		$sql = 'UPDATE ' . USERS_TABLE . '
 			SET user_login_attempts = user_login_attempts + 1
 			WHERE user_id = ' . $row['user_id'];
 		phpbb::$db->sql_query($sql);
 		// Give status about wrong password...
 		return array(
-			'status'		=> LOGIN_SUCCESS,
+			'status'		=> LOGIN_ERROR_PASSWORD,
-			'error_msg'		=> false,
+			'error_msg'		=> 'LOGIN_ERROR_PASSWORD',
 			'user_row'		=> $row,
 		);
 	}
 	// Password incorrect - increase login attempts
 	$sql = 'UPDATE ' . USERS_TABLE . '
 		SET user_login_attempts = user_login_attempts + 1
 		WHERE user_id = ' . $row['user_id'];
 	$db->sql_query($sql);
 	// Give status about wrong password...
 	return array(
 		'status'		=> LOGIN_ERROR_PASSWORD,
 		'error_msg'		=> 'LOGIN_ERROR_PASSWORD',
 		'user_row'		=> $row,
 	);
 }
 ?>