From cd9b3af2b5e76ee12651c17316ae9d0d9e84130f Mon Sep 17 00:00:00 2001
From: "Paul S. Owen" <psotfx@users.sourceforge.net>
Date: Sun, 9 Mar 2003 16:09:37 +0000
Subject: Some changes to the returned data format + cleanups

git-svn-id: file:///svn/phpbb/trunk@3622 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/auth/auth_apache.php | 24 ++++++++++++++++--------
 phpBB/includes/auth/auth_db.php     | 17 ++++++++++-------
 phpBB/includes/auth/auth_ldap.php   | 35 +++++++++++++++++++----------------
 3 files changed, 45 insertions(+), 31 deletions(-)

(limited to 'phpBB/includes/auth')

diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php
index 88d5be4f4f..f87ad738c0 100644
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -1,24 +1,32 @@
 <?php
 
+// Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
 //
-// Authentication plug-ins is largely down to
-// Sergey Kanareykin, our thanks to him.
+// This is for initial authentication via Apaches basic realm authentication methods,
+// user data is then obtained from the integrated user table
 //
+// You can do any kind of checking you like here ... the return data format is
+// either the resulting row of user information, an integer zero (indicating an
+// inactive user) or some error string
 function login_apache(&$username, &$password)
 {
-	global $HTTP_SERVER_VARS, $HTTP_ENV_VARS;
+	global $db;
 
-	$php_auth_user = ( !empty($HTTP_SERVER_VARS['PHP_AUTH_USER']) ) ? $HTTP_SERVER_VARS['PHP_AUTH_USER'] : $HTTP_GET_VARS['PHP_AUTH_USER'];
-	$php_auth_pw = ( !empty($HTTP_SERVER_VARS['PHP_AUTH_PW']) ) ? $HTTP_SERVER_VARS['PHP_AUTH_PW'] : $HTTP_GET_VARS['PHP_AUTH_PW'];
+	$php_auth_user = (!empty($_SERVER['PHP_AUTH_USER'])) ? $_SERVER['PHP_AUTH_USER'] : $_GET['PHP_AUTH_USER'];
+	$php_auth_pw = (!empty($_SERVER['PHP_AUTH_PW'])) ? $_SERVER['PHP_AUTH_PW'] : $_GET['PHP_AUTH_PW'];
 
-	if ( $php_auth_user && $php_auth_pw )
+	if ($php_auth_user && $php_auth_pw)
 	{
 		$sql = "SELECT user_id, username, user_password, user_email, user_active
 			FROM " . USERS_TABLE . "
-			WHERE username = '" . str_replace("\'", "''", $username) . "'";
+			WHERE username = '" . $db->sql_escape($username) . "'";
 		$result = $db->sql_query($sql);
 
-		return ( $row = $db->sql_fetchrow($result) ) ? $row : false;
+		if ($row = $db->sql_fetchrow($result))
+		{
+			$db->sql_freeresult($result);
+			return (empty($row['user_active'])) ? 0 : $row;
+		}
 	}
 
 	return false;
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index d91655ff04..3666eeb105 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -1,24 +1,27 @@
 <?php
 
+// Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
 //
-// Authentication plug-ins is largely down to
-// Sergey Kanareykin, our thanks to him.
+// This is for authentication via the integrated user table
 //
+// You can do any kind of checking you like here ... the return data format is
+// either the resulting row of user information, an integer zero (indicating an
+// inactive user) or some error string
 function login_db(&$username, &$password)
 {
-	global $db, $board_config;
+	global $db, $config;
 
 	$sql = "SELECT user_id, username, user_password, user_email, user_active
 		FROM " . USERS_TABLE . "
-		WHERE username = '" . str_replace("\'", "''", $username) . "'";
+		WHERE username = '" . $db->sql_escape($username) . "'";
 	$result = $db->sql_query($sql);
 
-	if ( $row = $db->sql_fetchrow($result) )
+	if ($row = $db->sql_fetchrow($result))
 	{
 		$db->sql_freeresult($result);
-		if ( md5($password) == $row['user_password'] && $row['user_active'] )
+		if (md5($password) == $row['user_password'])
 		{
-			return $row;
+			return (empty($row['user_active'])) ? 0 : $row;
 		}
 	}
 
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 79af7a23e6..7df48722de 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -1,38 +1,46 @@
 <?php
 
+// Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
 //
-// Authentication plug-ins is largely down to
-// Sergey Kanareykin, our thanks to him.
+// This is for initial authentication via an LDAP server, user information is then
+// obtained from the integrated user table
 //
+// You can do any kind of checking you like here ... the return data format is
+// either the resulting row of user information, an integer zero (indicating an
+// inactive user) or some error string
 function login_ldap(&$username, &$password)
 {
-	global $board_config;
+	global $db, $config;
 
-	if ( !extension_loaded('ldap') )
+	if (!extension_loaded('ldap'))
 	{
 		return 'LDAP extension not available';
 	}
 
-	if ( !($ldap = @ldap_connect($board_config['ldap_server'])) )
+	if (!($ldap = @ldap_connect($config['ldap_server'])))
 	{
 		return 'Could not connect to LDAP server';
 	}
 
-	$search = @ldap_search($ldap, $board_config['ldap_base_dn'], $board_config['ldap_uid'] . '=' . $username, array($board_config['ldap_uid']));
+	$search = @ldap_search($ldap, $config['ldap_base_dn'], $config['ldap_uid'] . '=' . $username, array($config['ldap_uid']));
 	$result = @ldap_get_entries($ldap, $search);
 
-	if ( is_array($result) && count($result) > 1 )
+	if (is_array($result) && count($result) > 1)
 	{
-		if ( @ldap_bind($ldap, $result[0]['dn'], $password) )
+		if (@ldap_bind($ldap, $result[0]['dn'], $password))
 		{
 			@ldap_close($ldap);
 
 			$sql = "SELECT user_id, username, user_password, user_email, user_active
 				FROM " . USERS_TABLE . "
-				WHERE username = '" . str_replace("\'", "''", $username) . "'";
+				WHERE username = '" . $db->sql_escape($username) . "'";
 			$result = $db->sql_query($sql);
 
-			return ( $row = $db->sql_fetchrow($result) ) ? $row : false;
+			if ($row = $db->sql_fetchrow($result))
+			{
+				$db->sql_freeresult($result);
+				return (empty($row['user_active'])) ? 0 : $row;
+			}
 		}
 	}
 
@@ -41,10 +49,8 @@ function login_ldap(&$username, &$password)
 	return false;
 }
 
-//
 // This function is used to output any required fields in the authentication
 // admin panel. It also defines any required configuration table fields.
-//
 function admin_ldap(&$new)
 {
 	global $user;
@@ -64,22 +70,19 @@ function admin_ldap(&$new)
 	</tr>
 <?php
 
-	//
 	// These are fields required in the config table
-	//
 	return array('ldap_server', 'ldap_base_dn', 'ldap_uid');
 
 }
 
-//
 // Would be nice to allow syncing of 'appropriate' data when user updates
 // their username, password, etc. ... should be up to the plugin what data
 // is updated.
 //
 // $mode perhaps being one of NEW, UPDATE, DELETE
-//
 function usercp_ldap($mode)
 {
+	global $db, $config;
 
 }
 
-- 
cgit v1.2.1