authorMeik Sievertsen <acydburn@phpbb.com>2006-03-12 23:19:55 +0000
committerMeik Sievertsen <acydburn@phpbb.com>2006-03-12 23:19:55 +0000
commit9988679d567a8bba9bade92dd9524bb012a1fe43 (patch)
tree72da21e7465fed3ca99f20bd809a3df9c020530d /phpBB/includes/auth/auth_db.php
parentf4cfd3665f7cf1ed96ce4c2eca03ac6854aae258 (diff)
- streamlined reports to consist of the feature set we decided upon (Nils, your turn now)
- use getenv instead of $_ENV (with $_ENV the case could be wrong) - permission fixes (there was a bug arising with getting permission flags - re-added them and handled roles deletion differently) - implemented max login attempts - changed the expected return parameters for logins/sessions - added acp page for editing report/denial reasons - other fixes here and there git-svn-id: file:///svn/phpbb/trunk@5622 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes/auth/auth_db.php')
-rw-r--r--phpBB/includes/auth/auth_db.php102
1 files changed, 97 insertions, 5 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 42e1ac7c1f..a53ae0e819 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -24,22 +24,114 @@ function login_db(&$username, &$password)
{
global $db, $config;
- $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type
+ $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts
FROM ' . USERS_TABLE . "
WHERE username = '" . $db->sql_escape($username) . "'";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
- if ($row)
+ if (!$row)
{
- if (md5($password) == $row['user_password'])
+ return array(
+ 'status' => LOGIN_ERROR_USERNAME,
+ 'error_msg' => 'LOGIN_ERROR_USERNAME',
+ 'user_row' => array('user_id' => ANONYMOUS),
+ );
+ }
+
+ // If there are too much login attempts, we need to check for an confirm image
+ // Every auth module is able to define what to do by itself...
+ if ($config['max_login_attempts'] && $row['user_login_attempts'] > $config['max_login_attempts'])
+ {
+ $confirm_id = request_var('confirm_id', '');
+ $confirm_code = request_var('confirm_code', '');
+
+ // Visual Confirmation handling
+ if (!$confirm_id)
{
- return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? 0 : $row;
+ return array(
+ 'status' => LOGIN_ERROR_ATTEMPTS,
+ 'error_msg' => 'LOGIN_ERROR_ATTEMPTS',
+ 'user_row' => $row,
+ );
+ }
+ else
+ {
+ global $user;
+
+ $sql = 'SELECT code
+ FROM ' . CONFIRM_TABLE . "
+ WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "'
+ AND session_id = '" . $db->sql_escape($user->session_id) . "'
+ AND confirm_type = " . CONFIRM_LOGIN;
+ $result = $db->sql_query($sql);
+ $confirm_row = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
+
+ if ($confirm_row)
+ {
+ if ($confirm_row['code'] != $confirm_code)
+ {
+ return array(
+ 'status' => LOGIN_ERROR_ATTEMPTS,
+ 'error_msg' => 'CONFIRM_CODE_WRONG',
+ 'user_row' => $row,
+ );
+ }
+ else
+ {
+ $sql = 'DELETE FROM ' . CONFIRM_TABLE . "
+ WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "'
+ AND session_id = '" . $db->sql_escape($user->session_id) . "'
+ AND confirm_type = " . CONFIRM_LOGIN;
+ $db->sql_query($sql);
+ }
+ }
+ else
+ {
+ return array(
+ 'status' => LOGIN_ERROR_ATTEMPTS,
+ 'error_msg' => 'CONFIRM_CODE_WRONG',
+ 'user_row' => $row,
+ );
+ }
}
}
- return false;
+ // Password correct...
+ if (md5($password) == $row['user_password'])
+ {
+ // Successful, reset login attempts (the user passed all stages)
+ $db->sql_query('UPDATE ' . USERS_TABLE . ' SET user_login_attempts = 0 WHERE user_id = ' . $row['user_id']);
+
+ // User inactive...
+ if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
+ {
+ return array(
+ 'status' => LOGIN_ERROR_ACTIVE,
+ 'error_msg' => 'ACTIVE_ERROR',
+ 'user_row' => $row,
+ );
+ }
+
+ // Successful login... set user_login_attempts to zero...
+ return array(
+ 'status' => LOGIN_SUCCESS,
+ 'error_msg' => false,
+ 'user_row' => $row,
+ );
+ }
+
+ // Password incorrect - increase login attempts
+ $db->sql_query('UPDATE ' . USERS_TABLE . ' SET user_login_attempts = user_login_attempts + 1 WHERE user_id = ' . $row['user_id']);
+
+ // Give status about wrong password...
+ return array(
+ 'status' => LOGIN_ERROR_PASSWORD,
+ 'error_msg' => 'LOGIN_ERROR_PASSWORD',
+ 'user_row' => $row,
+ );
}
?> \ No newline at end of file
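Review bot: The password check on the new side (`if (md5($password) == $row['user_password'])`) uses loose `==` on two hex strings, so PHP compares them numerically when both look like `0e…` digit runs and unrelated digests can compare equal; the confirm-code check `if ($confirm_row['code'] != $confirm_code)` has the same weakness with user-supplied input. Both should be strict: `if (md5($password) === $row['user_password'])` and `if ($confirm_row['code'] !== $confirm_code)`. A second, smaller point in the same hunk: when the confirm code mismatches, the CONFIRM_TABLE row is left in place and `user_login_attempts` is not incremented, so the same confirm_id can be retried indefinitely — the row should be deleted (or regenerated) on a wrong code as it is on a correct one, and the failure counted. Also worth a comment that `> $config['max_login_attempts']` lets one more attempt through than the setting name suggests, if that is intended.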