includes/sessions.php
changeset 133 af0f6ec48de3
parent 131 f59a8881f7e9
child 135 c5dbad7ec2d0
132:0ae1b281a884 133:af0f6ec48de3
   148   /**
   148   /**
   149    * Regex that defines a valid username, minus the ^ and $, these are added later
   149    * Regex that defines a valid username, minus the ^ and $, these are added later
   150    * @var string
   150    * @var string
   151    */
   151    */
   152    
   152    
   153    var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
   153   //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
       
   154   var $valid_username = '([^<>_&\?\'"%\n\r\t\a]+)';
   154    
   155    
   155   /**
   156   /**
   156    * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
   157    * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
   157    * @var string
   158    * @var string
   158    */
   159    */
   574     $password = $aes->decrypt($aes_data, $bin_key, ENC_HEX);
   575     $password = $aes->decrypt($aes_data, $bin_key, ENC_HEX);
   575     
   576     
   576     // Initialize our success switch
   577     // Initialize our success switch
   577     $success = false;
   578     $success = false;
   578     
   579     
       
   580     // Escaped username
       
   581     $db_username = $this->prepare_text(strtolower($username));
       
   582     
   579     // Select the user data from the table, and decrypt that so we can verify the password
   583     // Select the user data from the table, and decrypt that so we can verify the password
   580     $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';');
   584     $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username.'\' OR username=\'' . $db_username . '\';');
   581     if($db->numrows() < 1)
   585     if($db->numrows() < 1)
   582       return 'The username and/or password is incorrect.';
   586     {
       
   587       // This wasn't logged in <1.0.2, dunno how it slipped through
       
   588       if($level > USER_LEVEL_MEMBER)
       
   589         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       
   590       else
       
   591         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
       
   592         
       
   593       return "The username and/or password is incorrect.";
       
   594     }
   583     $row = $db->fetchrow();
   595     $row = $db->fetchrow();
   584     
   596     
   585     // Check to see if we're logging in using a temporary password
   597     // Check to see if we're logging in using a temporary password
   586     
   598     
   587     if((intval($row['temp_password_time']) + 3600*24) > time() )
   599     if((intval($row['temp_password_time']) + 3600*24) > time() )
  1390     
  1402     
  1391     if(!preg_match('#^'.$this->valid_username.'$#', $username)) return 'The username you chose contains invalid characters.';
  1403     if(!preg_match('#^'.$this->valid_username.'$#', $username)) return 'The username you chose contains invalid characters.';
  1392     $username = $this->prepare_text($username);
  1404     $username = $this->prepare_text($username);
  1393     $email = $this->prepare_text($email);
  1405     $email = $this->prepare_text($email);
  1394     $real_name = $this->prepare_text($real_name);
  1406     $real_name = $this->prepare_text($real_name);
  1395     $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
       
  1396     
  1407     
  1397     $nameclause = ( $real_name != '' ) ? ' OR real_name=\''.$real_name.'\'' : '';
  1408     $nameclause = ( $real_name != '' ) ? ' OR real_name=\''.$real_name.'\'' : '';
  1398     $q = $this->sql('SELECT * FROM '.table_prefix.'users WHERE lcase(username)=\''.strtolower($username).'\' OR email=\''.$email.'\''.$nameclause.';');
  1409     $q = $this->sql('SELECT * FROM '.table_prefix.'users WHERE lcase(username)=\''.strtolower($username).'\' OR email=\''.$email.'\''.$nameclause.';');
  1399     if($db->numrows() > 0) {
  1410     if($db->numrows() > 0)
       
  1411     {
  1400       $r = 'The ';
  1412       $r = 'The ';
  1401       $i=0;
  1413       $i=0;
  1402       $row = $db->fetchrow();
  1414       $row = $db->fetchrow();
  1403       // Wow! An error checker that actually speaks English with the properest grammar! :-P
  1415       // Wow! An error checker that actually speaks English with the properest grammar! :-P
  1404       if($row['username'] == $username) { $r .= 'username'; $i++; }
  1416       if ( $row['username'] == $username )
  1405       if($row['email'] == $email) { if($i) $r.=', '; $r .= 'e-mail address'; $i++; }
  1417       {
  1406       if($row['real_name'] == $real_name && $real_name != '') { if($i) $r.=', and '; $r .= 'real name'; $i++; }
  1418         $r .= 'username';
       
  1419         $i++;
       
  1420       }
       
  1421       if ( $row['email'] == $email )
       
  1422       {
       
  1423         if($i) $r.=', ';
       
  1424         $r .= 'e-mail address';
       
  1425         $i++;
       
  1426       }
       
  1427       if ( $row['real_name'] == $real_name && $real_name != '' )
       
  1428       {
       
  1429         if($i) $r.=', and ';
       
  1430         $r .= 'real name';
       
  1431         $i++;
       
  1432       }
  1407       $r .= ' that you entered ';
  1433       $r .= ' that you entered ';
  1408       $r .= ( $i == 1 ) ? 'is' : 'are';
  1434       $r .= ( $i == 1 ) ? 'is' : 'are';
  1409       $r .= ' already in use by another user.';
  1435       $r .= ' already in use by another user.';
  1410       return $r;
  1436       return $r;
  1411     }
  1437     }
       
  1438     
       
  1439     // Is the password strong enough?
       
  1440     if ( getConfig('pw_strength_enable') )
       
  1441     {
       
  1442       $min_score = intval( getConfig('pw_strength_minimum') );
       
  1443       $pass_score = password_score($password);
       
  1444       if ( $pass_score < $min_score )
       
  1445       {
       
  1446         return 'The password you entered did not meet the complexity requirements for this site. Please choose a stronger password.';
       
  1447       }
       
  1448     }
       
  1449     
       
  1450     $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
  1412     
  1451     
  1413     // Require the account to be activated?
  1452     // Require the account to be activated?
  1414     switch(getConfig('account_activation'))
  1453     switch(getConfig('account_activation'))
  1415     {
  1454     {
  1416       case 'none':
  1455       case 'none':
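Review bot: The new `$valid_username` pattern at new line 154 is a denylist, and with the `#^…$#` anchoring at its use site (new line 1403, in the third hunk) it still admits a trailing newline: PCRE's `$` matches before a final `\n` unless the `D` modifier is set, so excluding `\n` inside the class does not stop a value like `'name' . "\n"` from validating. Add the modifier where the pattern is applied, `if(!preg_match('#^'.$this->valid_username.'$#D', $username)) return 'The username you chose contains invalid characters.';`, or anchor with `\z` instead of `$`. Replacing the earlier allowlist with a denylist also widens the accepted set to every character not listed (for example `/`, `\`, `;`, `#`, `=`), so code that embeds usernames in HTML, SQL or URLs must escape for that context rather than rely on this check; whether `prepare_text` covers every such context is not visible in these hunks. A comment recording the intent would help future readers, e.g. `// Denylist: excludes markup, SQL wildcard and control characters only; output contexts must still escape.`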