diff options
Diffstat (limited to 'phpBB/includes/auth')
| -rw-r--r-- | phpBB/includes/auth/auth_db.php | 102 |
1 files changed, 97 insertions, 5 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 42e1ac7c1f..a53ae0e819 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -24,22 +24,114 @@ function login_db(&$username, &$password) { global $db, $config; - $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type + $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts FROM ' . USERS_TABLE . " WHERE username = '" . $db->sql_escape($username) . "'"; $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); - if ($row) + if (!$row) { - if (md5($password) == $row['user_password']) + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + // If there are too much login attempts, we need to check for an confirm image + // Every auth module is able to define what to do by itself... + if ($config['max_login_attempts'] && $row['user_login_attempts'] > $config['max_login_attempts']) + { + $confirm_id = request_var('confirm_id', ''); + $confirm_code = request_var('confirm_code', ''); + + // Visual Confirmation handling + if (!$confirm_id) { - return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? 0 : $row; + return array( + 'status' => LOGIN_ERROR_ATTEMPTS, + 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', + 'user_row' => $row, + ); + } + else + { + global $user; + + $sql = 'SELECT code + FROM ' . CONFIRM_TABLE . " + WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "' + AND session_id = '" . $db->sql_escape($user->session_id) . "' + AND confirm_type = " . CONFIRM_LOGIN; + $result = $db->sql_query($sql); + $confirm_row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if ($confirm_row) + { + if ($confirm_row['code'] != $confirm_code) + { + return array( + 'status' => LOGIN_ERROR_ATTEMPTS, + 'error_msg' => 'CONFIRM_CODE_WRONG', + 'user_row' => $row, + ); + } + else + { + $sql = 'DELETE FROM ' . CONFIRM_TABLE . " + WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "' + AND session_id = '" . $db->sql_escape($user->session_id) . "' + AND confirm_type = " . CONFIRM_LOGIN; + $db->sql_query($sql); + } + } + else + { + return array( + 'status' => LOGIN_ERROR_ATTEMPTS, + 'error_msg' => 'CONFIRM_CODE_WRONG', + 'user_row' => $row, + ); + } } } - return false; + // Password correct... + if (md5($password) == $row['user_password']) + { + // Successful, reset login attempts (the user passed all stages) + $db->sql_query('UPDATE ' . USERS_TABLE . ' SET user_login_attempts = 0 WHERE user_id = ' . $row['user_id']); + + // User inactive... + if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) + { + return array( + 'status' => LOGIN_ERROR_ACTIVE, + 'error_msg' => 'ACTIVE_ERROR', + 'user_row' => $row, + ); + } + + // Successful login... set user_login_attempts to zero... + return array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => $row, + ); + } + + // Password incorrect - increase login attempts + $db->sql_query('UPDATE ' . USERS_TABLE . ' SET user_login_attempts = user_login_attempts + 1 WHERE user_id = ' . $row['user_id']); + + // Give status about wrong password... + return array( + 'status' => LOGIN_ERROR_PASSWORD, + 'error_msg' => 'LOGIN_ERROR_PASSWORD', + 'user_row' => $row, + ); } ?>
\ No newline at end of file |