Some changes to the returned data format + cleanups

git-svn-id: file:///svn/phpbb/trunk@3622 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-28 14:18:52 +00:00 · 2003-03-09 16:09:37 +00:00 · 2003-03-09 16:09:37 +00:00 · cd9b3af2b5
commit cd9b3af2b5
parent aa718d4a02
3 changed files with 45 additions and 31 deletions
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@ -1,24 +1,32 @@
 <?php
 // Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
 //
-// Authentication plug-ins is largely down to
+// This is for initial authentication via Apaches basic realm authentication methods,
-// Sergey Kanareykin, our thanks to him.
+// user data is then obtained from the integrated user table
 //
 // You can do any kind of checking you like here ... the return data format is
 // either the resulting row of user information, an integer zero (indicating an
 // inactive user) or some error string
 function login_apache(&$username, &$password)
 {
-	global $HTTP_SERVER_VARS, $HTTP_ENV_VARS;
+	global $db;
-	$php_auth_user = ( !empty($HTTP_SERVER_VARS['PHP_AUTH_USER']) ) ? $HTTP_SERVER_VARS['PHP_AUTH_USER'] : $HTTP_GET_VARS['PHP_AUTH_USER'];
+	$php_auth_user = (!empty($_SERVER['PHP_AUTH_USER'])) ? $_SERVER['PHP_AUTH_USER'] : $_GET['PHP_AUTH_USER'];
-	$php_auth_pw = ( !empty($HTTP_SERVER_VARS['PHP_AUTH_PW']) ) ? $HTTP_SERVER_VARS['PHP_AUTH_PW'] : $HTTP_GET_VARS['PHP_AUTH_PW'];
+	$php_auth_pw = (!empty($_SERVER['PHP_AUTH_PW'])) ? $_SERVER['PHP_AUTH_PW'] : $_GET['PHP_AUTH_PW'];
 	if ($php_auth_user && $php_auth_pw)
 	{
 		$sql = "SELECT user_id, username, user_password, user_email, user_active
 			FROM " . USERS_TABLE . "
-			WHERE username = '" . str_replace("\'", "''", $username) . "'";
+			WHERE username = '" . $db->sql_escape($username) . "'";
 		$result = $db->sql_query($sql);
-		return ( $row = $db->sql_fetchrow($result) ) ? $row : false;
+		if ($row = $db->sql_fetchrow($result))
 		{
 			$db->sql_freeresult($result);
 			return (empty($row['user_active'])) ? 0 : $row;
 		}
 	}
 	return false;
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@ -1,24 +1,27 @@
 <?php
 // Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
 //
-// Authentication plug-ins is largely down to
+// This is for authentication via the integrated user table
 // Sergey Kanareykin, our thanks to him.
 //
 // You can do any kind of checking you like here ... the return data format is
 // either the resulting row of user information, an integer zero (indicating an
 // inactive user) or some error string
 function login_db(&$username, &$password)
 {
-	global $db, $board_config;
+	global $db, $config;
 	$sql = "SELECT user_id, username, user_password, user_email, user_active
 		FROM " . USERS_TABLE . "
-		WHERE username = '" . str_replace("\'", "''", $username) . "'";
+		WHERE username = '" . $db->sql_escape($username) . "'";
 	$result = $db->sql_query($sql);
 	if ($row = $db->sql_fetchrow($result))
 	{
 		$db->sql_freeresult($result);
-		if ( md5($password) == $row['user_password'] && $row['user_active'] )
+		if (md5($password) == $row['user_password'])
 		{
-			return $row;
+			return (empty($row['user_active'])) ? 0 : $row;
 		}
 	}
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@ -1,24 +1,28 @@
 <?php
 // Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
 //
-// Authentication plug-ins is largely down to
+// This is for initial authentication via an LDAP server, user information is then
-// Sergey Kanareykin, our thanks to him.
+// obtained from the integrated user table
 //
 // You can do any kind of checking you like here ... the return data format is
 // either the resulting row of user information, an integer zero (indicating an
 // inactive user) or some error string
 function login_ldap(&$username, &$password)
 {
-	global $board_config;
+	global $db, $config;
 	if (!extension_loaded('ldap'))
 	{
 		return 'LDAP extension not available';
 	}
-	if ( !($ldap = @ldap_connect($board_config['ldap_server'])) )
+	if (!($ldap = @ldap_connect($config['ldap_server'])))
 	{
 		return 'Could not connect to LDAP server';
 	}
-	$search = @ldap_search($ldap, $board_config['ldap_base_dn'], $board_config['ldap_uid'] . '=' . $username, array($board_config['ldap_uid']));
+	$search = @ldap_search($ldap, $config['ldap_base_dn'], $config['ldap_uid'] . '=' . $username, array($config['ldap_uid']));
 	$result = @ldap_get_entries($ldap, $search);
 	if (is_array($result) && count($result) > 1)
@ -29,10 +33,14 @@ function login_ldap(&$username, &$password)
 			$sql = "SELECT user_id, username, user_password, user_email, user_active
 				FROM " . USERS_TABLE . "
-				WHERE username = '" . str_replace("\'", "''", $username) . "'";
+				WHERE username = '" . $db->sql_escape($username) . "'";
 			$result = $db->sql_query($sql);
-			return ( $row = $db->sql_fetchrow($result) ) ? $row : false;
+			if ($row = $db->sql_fetchrow($result))
 			{
 				$db->sql_freeresult($result);
 				return (empty($row['user_active'])) ? 0 : $row;
 			}
 		}
 	}
@ -41,10 +49,8 @@ function login_ldap(&$username, &$password)
 	return false;
 }
 //
 // This function is used to output any required fields in the authentication
 // admin panel. It also defines any required configuration table fields.
 //
 function admin_ldap(&$new)
 {
 	global $user;
@ -64,22 +70,19 @@ function admin_ldap(&$new)
 	</tr>
 <?php
 	//
 	// These are fields required in the config table
 	//
 	return array('ldap_server', 'ldap_base_dn', 'ldap_uid');
 }
 //
 // Would be nice to allow syncing of 'appropriate' data when user updates
 // their username, password, etc. ... should be up to the plugin what data
 // is updated.
 //
 // $mode perhaps being one of NEW, UPDATE, DELETE
 //
 function usercp_ldap($mode)
 {
 	global $db, $config;
 }