From c74b7d042daa0c419edfeaa97efbf7d8a216ac57 Mon Sep 17 00:00:00 2001 From: Kelly Rauchenberger Date: Sat, 16 Aug 2008 16:30:53 +0000 Subject: Central: Fixed instaDisc_verifyUser() Previously, instaDisc_verifyUser() was lazy and checked a user's existance by routing the input through instaDisc_checkVerification() with the static Verification ID of 0, but it was forgotten that a static Verification ID would work once and be rejected after that. Refs #25 --- central/trunk/includes/instadisc.php | 9 ++++++--- central/trunk/login.php | 27 +++++++-------------------- 2 files changed, 13 insertions(+), 23 deletions(-) (limited to 'central') diff --git a/central/trunk/includes/instadisc.php b/central/trunk/includes/instadisc.php index 95aeb88..e6fc862 100644 --- a/central/trunk/includes/instadisc.php +++ b/central/trunk/includes/instadisc.php @@ -11,8 +11,7 @@ function instaDisc_checkVerification($username, $verification, $verificationID, $getverid2 = mysql_query($getverid); $getverid3 = mysql_fetch_array($getverid2); if ($getverid3['id'] != $verificationID) - { - $getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_real_escape_string($username) . "\""; + { $getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_real_escape_string($username) . "\""; $getitem2 = mysql_query($getitem); $getitem3 = mysql_fetch_array($getitem2); if ($getitem3[$nameField] == $username) @@ -233,7 +232,11 @@ function instaDisc_deactivateAccount($username, $penKey) function instaDisc_verifyUser($username, $password) { - return instaDisc_checkVerification($username, md5($username . ':' . md5($password) . ':0'), 0, 'users', 'username', 'password'); + $getuser = "SELECT * FROM users WHERE username = \"" . mysql_real_escape_string($username). "\" AND password = \"" . mysql_real_escape_string(md5($password)) . "\""; + $getuser2 = mysql_query($getuser); + $getuser3 = mysql_fetch_array($getuser2); + + return ($getuser3['username'] == $username); } function instaDisc_deleteAccount($username) diff --git a/central/trunk/login.php b/central/trunk/login.php index fc3fe21..b40b467 100644 --- a/central/trunk/login.php +++ b/central/trunk/login.php @@ -12,29 +12,16 @@ if (!isset($_GET['submit'])) $numOfErrors = 0; $errors = array(); - $getuser = "SELECT * FROM users WHERE username = \"" . mysql_real_escape_string($_POST['username']) . "\" AND password = \"" . mysql_real_escape_string(md5($_POST['password'])) . "\""; - $getuser2 = mysql_query($getuser); - $getuser3 = mysql_fetch_array($getuser2); - if ($getuser3['username'] != $_POST['username']) + if (instaDisc_verifyUser($_POST['username'], $_POST['password'])) { - addError($numOfErrors, $errors, '', 'Account could not be found'); - } + $_SESSION['username'] == $_POST['username']; - if ($numOfErrors > 0) - { - showForm($_POST['username'], $_POST['password'], $errors); + $template = new FITemplate('loggedin'); + $template->add('SITENAME', instaDisc_getConfig('siteName')); + $template->display(); } else { - if (instaDisc_verifyUser($_POST['username'], $_POST['password'])) - { - $_SESSION['username'] == $_POST['username']; - - $template = new FITemplate('loggedin'); - $template->add('SITENAME', instaDisc_getConfig('siteName')); - $template->display(); - } else { - addError($numOfErrors, $errors, '', 'Account could not be found'); - showForm($_POST['username'], $_POST['password'], $errors); - } + addError($numOfErrors, $errors, '', 'Account could not be found'); + showForm($_POST['username'], $_POST['password'], $errors); } } -- cgit 1.4.1