Changeset 453
- Timestamp:
- Dec 31, 2013 5:10:26 AM (10 years ago)
- Location:
- trunk/lib
- Files:
-
- 2 edited
trunk/lib/App.inc.php
r452 r453 964 964 // urlencode is not used here, not for form data! 965 965 $query_args = array_merge($this->_carry_queries, $one_time_carry_queries); 966 foreach ($query_args as $key=>$val) { 967 printf('<input type="hidden" name="%s" value="%s" />', $key, $val); 968 } 966 foreach ($query_args as $key => $val) { 967 if (is_array($val)) { 968 foreach ($val as $subval) { 969 printf('<input type="hidden" name="%s[]" value="%s" />', $key, $subval); 970 } 971 } else { 972 printf('<input type="hidden" name="%s" value="%s" />', $key, $val); 973 } 974 } 975 unset($query_args, $key, $val, $subval); 969 976 } 970 977 -
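Review bot: Both `printf` calls in the new loop still place `$key`, `$val` and `$subval` into HTML attributes without attribute-context escaping, so a carried value containing `"` or `>` terminates the `value` attribute; the existing comment correctly rules out urlencode for form data, but that is a different concern from HTML escaping. Whether `_carry_queries` can contain request-derived values is not visible in this hunk; if it can, this is a reflected-XSS path in the hidden-field output. Proposed lines: `printf('<input type="hidden" name="%s[]" value="%s" />', htmlspecialchars($key, ENT_QUOTES), htmlspecialchars($subval, ENT_QUOTES));` and the same treatment for `$key`/`$val` in the scalar branch, with the comment extended to `// urlencode is not used here (form data), but values are escaped for the HTML attribute context.` The enclosing method begins before the hunk.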
trunk/lib/Auth_SQL.inc.php
r432 r453 4 4 * For details visit the project site: <http://trac.strangecode.com/codebase/> 5 5 * Copyright 2001-2012 Strangecode, LLC 6 * 6 * 7 7 * This file is part of The Strangecode Codebase. 8 8 * … … 11 11 * Free Software Foundation, either version 3 of the License, or (at your option) 12 12 * any later version. 13 * 13 * 14 14 * The Strangecode Codebase is distributed in the hope that it will be useful, but 15 15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 16 16 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more 17 17 * details. 18 * 18 * 19 19 * You should have received a copy of the GNU General Public License along with 20 20 * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>. … … 39 39 40 40 class Auth_SQL { 41 41 42 42 // Namespace of this auth object. 43 43 var $_ns; 44 44 45 45 // Static var for test. 46 46 var $_authentication_tested; … … 130 130 { 131 131 $app =& App::getInstance(); 132 132 133 133 $this->_ns = $namespace; 134 134 135 135 // Initialize default parameters. 136 136 $this->setParam($this->_default_params); … … 157 157 $app =& App::getInstance(); 158 158 $db =& DB::getInstance(); 159 160 159 160 161 161 static $_db_tested = false; 162 162 … … 277 277 { 278 278 $app =& App::getInstance(); 279 279 280 280 if (isset($this->_params[$param])) { 281 281 return $this->_params[$param]; … … 294 294 { 295 295 $db =& DB::getInstance(); 296 296 297 297 $this->initDB(); 298 298 … … 416 416 $app =& App::getInstance(); 417 417 $db =& DB::getInstance(); 418 418 419 419 $this->initDB(); 420 420 … … 425 425 return false; 426 426 } 427 427 428 // Convert 'priv' to 'user_type' nomenclature to support older implementations. 429 if (isset($user_data['priv'])) { 430 $user_data['user_type'] = $user_data['priv']; 431 } 432 428 433 // Register authenticated session. 
429 434 $_SESSION['_auth_sql'][$this->_ns] = array( … … 563 568 $this->_authentication_tested = true; 564 569 565 // Some users will access from networks with a changing IP number (i.e. behind a proxy server). 570 // Some users will access from networks with a changing IP number (i.e. behind a proxy server). 566 571 // These users must be allowed entry by adding their IP to the list of trusted_networks, or their usernames to the list of match_remote_ip_exempt_usernames. 567 572 if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) { … … 579 584 $user_in_trusted_network = false; 580 585 } 581 586 582 587 // Do we match the user's remote IP at all? Yes, if set in config and not disabled for specific user. 583 588 if ($this->getParam('match_remote_ip') && !$this->get('match_remote_ip_exempt')) { 584 589 $remote_ip_is_matched = (isset($_SESSION['_auth_sql'][$this->_ns]['remote_ip']) && $_SESSION['_auth_sql'][$this->_ns]['remote_ip'] == getRemoteAddr()) || $user_in_trusted_network; 585 590 } else { 586 $app->logMsg(sprintf('User_id %s exempt from remote_ip match (comparing %s == %s)', 591 $app->logMsg(sprintf('User_id %s exempt from remote_ip match (comparing %s == %s)', 587 592 ($this->get('user_id') ? $this->get('user_id') . ' (' . $this->get('username') . ')' : 'unknown'), 588 593 $_SESSION['_auth_sql'][$this->_ns]['remote_ip'], … … 593 598 594 599 // Test login with information stored in session. Skip IP matching for users from trusted networks. 595 if (isset($_SESSION['_auth_sql'][$this->_ns]['authenticated']) 600 if (isset($_SESSION['_auth_sql'][$this->_ns]['authenticated']) 596 601 && true === $_SESSION['_auth_sql'][$this->_ns]['authenticated'] 597 602 && isset($_SESSION['_auth_sql'][$this->_ns]['username']) … … 671 676 { 672 677 $app =& App::getInstance(); 673 678 674 679 if (!$this->isLoggedIn()) { 675 680 // Display message for requiring login. (RaiseMsg will ignore empty strings.) 
… … 694 699 $app =& App::getInstance(); 695 700 $db =& DB::getInstance(); 696 701 697 702 $this->initDB(); 698 703 … … 730 735 $user_id = isset($user_id) ? $user_id : $this->getVal('user_id'); 731 736 $qid = $db->query(" 732 SELECT 1 737 SELECT 1 733 738 FROM " . $this->_params['db_table'] . " 734 739 WHERE blocked = 'true' … … 745 750 { 746 751 $db =& DB::getInstance(); 747 752 748 753 $this->initDB(); 749 754 750 755 if ($this->getParam('blocking')) { 751 756 // Get user_id if specified. … … 769 774 { 770 775 $db =& DB::getInstance(); 771 776 772 777 $this->initDB(); 773 778 … … 789 794 { 790 795 $db =& DB::getInstance(); 791 796 792 797 $this->initDB(); 793 798 … … 846 851 { 847 852 $app =& App::getInstance(); 848 853 849 854 // Existing password hashes rely on the same key/salt being used to compare encryptions. 850 855 // Don't change this (or the value applied to signing_key) unless you know existing hashes or signatures will not be affected! 851 856 $more_salt = 'B36D18E5-3FE4-4D58-8150-F26642852B81'; 852 857 853 858 switch ($this->_params['encryption_type']) { 854 859 case AUTH_ENCRYPT_PLAINTEXT : … … 868 873 $hash = sha1($app->getParam('signing_key') . $password . $more_salt); 869 874 // Increase key strength by 12 bits. 870 for ($i=0; $i < 4096; $i++) { 871 $hash = sha1($hash); 872 } 875 for ($i=0; $i < 4096; $i++) { 876 $hash = sha1($hash); 877 } 873 878 return $hash; 874 879 break; … … 882 887 $hash = md5($app->getParam('signing_key') . $password . $more_salt); 883 888 // Increase key strength by 12 bits. 884 for ($i=0; $i < 4096; $i++) { 885 $hash = md5($hash); 886 } 889 for ($i=0; $i < 4096; $i++) { 890 $hash = md5($hash); 891 } 887 892 return $hash; 888 893 break; … … 902 907 $app =& App::getInstance(); 903 908 $db =& DB::getInstance(); 904 909 905 910 $this->initDB(); 906 911 … … 909 914 910 915 // Get old password. 911 $qid = $db->query(" 916 $qid = $db->query(" 912 917 SELECT userpass 913 918 FROM " . $this->_params['db_table'] . 
" … … 918 923 return false; 919 924 } 920 925 921 926 // Compare old with new to ensure we're actually *changing* the password. 922 927 $encrypted_password = $this->encryptPassword($password); … … 932 937 WHERE " . $this->_params['db_primary_key'] . " = '" . $db->escapeString($user_id) . "' 933 938 "); 934 939 935 940 if (mysql_affected_rows($db->getDBH()) != 1) { 936 941 $app->logMsg(sprintf('Failed to update password for user_id %s', $user_id), LOG_WARNING, __FILE__, __LINE__); 937 942 return false; 938 943 } 939 944 940 945 return true; 941 946 } … … 952 957 $app =& App::getInstance(); 953 958 $db =& DB::getInstance(); 954 959 955 960 $this->initDB(); 956 961 … … 1039 1044 { 1040 1045 $app =& App::getInstance(); 1041 1046 1042 1047 // return true; /// WTF? 1043 1048 $zone_members = preg_split('/,\s*/', $security_zone);