authorKelly Rauchenberger <fefferburbia@gmail.com>2008-08-16 16:30:53 +0000
committerKelly Rauchenberger <fefferburbia@gmail.com>2008-08-16 16:30:53 +0000
commitc74b7d042daa0c419edfeaa97efbf7d8a216ac57 (patch)
tree3066530bab48e527d3697a53f011fa76b37ce24b
parentb4e87de5d010650481a66981e78ea3c6a4cbb00c (diff)
Central: Fixed instaDisc_verifyUser()
Previously, instaDisc_verifyUser() was lazy and checked a user's
existence by routing the input through instaDisc_checkVerification()
with the static Verification ID of 0, but it was forgotten that a static
Verification ID would work once and be rejected after that. Refs #25
-rw-r--r--central/trunk/includes/instadisc.php9
-rw-r--r--central/trunk/login.php27
2 files changed, 13 insertions, 23 deletions
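--- a/central/trunk/includes/instadisc.php
+++ b/central/trunk/includes/instadisc.php
@@ -11,8 +11,7 @@ function instaDisc_checkVerification($username, $verification, $verificationID,
 $getverid2 = mysql_query($getverid);
 $getverid3 = mysql_fetch_array($getverid2);
 if ($getverid3['id'] != $verificationID)
-{
-$getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_real_escape_string($username) . "\"";
+{ $getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_real_escape_string($username) . "\"";
 $getitem2 = mysql_query($getitem);
 $getitem3 = mysql_fetch_array($getitem2);
 if ($getitem3[$nameField] == $username)
@@ -233,7 +232,11 @@ function instaDisc_deactivateAccount($username, $penKey)
 
 function instaDisc_verifyUser($username, $password)
 {
-return instaDisc_checkVerification($username, md5($username . ':' . md5($password) . ':0'), 0, 'users', 'username', 'password');
+$getuser = "SELECT * FROM users WHERE username = \"" . mysql_real_escape_string($username). "\" AND password = \"" . mysql_real_escape_string(md5($password)) . "\"";
+$getuser2 = mysql_query($getuser);
+$getuser3 = mysql_fetch_array($getuser2);
+
+return ($getuser3['username'] == $username);
 }
 
 function instaDisc_deleteAccount($username)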
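Review bot: The new instaDisc_verifyUser() returns `$getuser3['username'] == $username` without first checking that a row was found; when the query matches nothing, mysql_fetch_array() returns false, indexing it yields null, and `null == ''` is true under loose comparison, so an empty username verifies without any matching database row. Use `return $getuser3 !== false && $getuser3['username'] === $username;` (or test mysql_num_rows() first). The result of mysql_query() is likewise never checked, so a query error reaches mysql_fetch_array() the same way. Separately, the first hunk appears to have merged the opening brace and the `$getitem` assignment onto a single line, which looks accidental rather than intended.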
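--- a/central/trunk/login.php
+++ b/central/trunk/login.php
@@ -12,29 +12,16 @@ if (!isset($_GET['submit']))
 $numOfErrors = 0;
 $errors = array();
 
-$getuser = "SELECT * FROM users WHERE username = \"" . mysql_real_escape_string($_POST['username']) . "\" AND password = \"" . mysql_real_escape_string(md5($_POST['password'])) . "\"";
-$getuser2 = mysql_query($getuser);
-$getuser3 = mysql_fetch_array($getuser2);
-if ($getuser3['username'] != $_POST['username'])
+if (instaDisc_verifyUser($_POST['username'], $_POST['password']))
 {
-addError($numOfErrors, $errors, '', 'Account could not be found');
-}
+$_SESSION['username'] == $_POST['username'];
 
-if ($numOfErrors > 0)
-{
-showForm($_POST['username'], $_POST['password'], $errors);
+$template = new FITemplate('loggedin');
+$template->add('SITENAME', instaDisc_getConfig('siteName'));
+$template->display();
 } else {
-if (instaDisc_verifyUser($_POST['username'], $_POST['password']))
-{
-$_SESSION['username'] == $_POST['username'];
-
-$template = new FITemplate('loggedin');
-$template->add('SITENAME', instaDisc_getConfig('siteName'));
-$template->display();
-} else {
-addError($numOfErrors, $errors, '', 'Account could not be found');
-showForm($_POST['username'], $_POST['password'], $errors);
-}
+addError($numOfErrors, $errors, '', 'Account could not be found');
+showForm($_POST['username'], $_POST['password'], $errors);
 }
 }
 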
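Review bot: `$_SESSION['username'] == $_POST['username'];` on new line 17 is a comparison, not an assignment, so a successful instaDisc_verifyUser() never records the logged-in user in the session; it should read `$_SESSION['username'] = $_POST['username'];`. The line is carried over verbatim from the removed branch, so the defect predates this commit but survives it. `$_POST['username']` and `$_POST['password']` are also read without an isset() guard, which presumably emits notices and verifies an empty username whenever the keys are absent. The enclosing if/else around this block starts before the hunk.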