includes/sessions.php
changeset 177 b4aaca42c8a4
parent 170 4c5c2b66a34d
child 183 eec079676fe7
child 191 8e2fffc5c622
176:b796208d050d 177:b4aaca42c8a4
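--- a/includes/sessions.php
+++ b/includes/sessions.php
@@ -583,17 +583,16 @@
     
     // Select the user data from the table, and decrypt that so we can verify the password
     $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';');
     if($db->numrows() < 1)
     {
-      return "The username and/or password is incorrect.";
       // This wasn't logged in <1.0.2, dunno how it slipped through
       if($level > USER_LEVEL_MEMBER)
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       else
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
-        
+      return "The username and/or password is incorrect.";  
     }
     $row = $db->fetchrow();
     
     // Check to see if we're logging in using a temporary password
     
@@ -706,12 +705,19 @@
     // Initialize our success switch
     $success = false;
     
     // Retrieve the real password from the database
     $this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';');
-    if($db->numrows() < 1)
-      return 'The username and/or password is incorrect.';
+    if ( $db->numrows() < 1 )
+    {
+      // This wasn't logged in <1.0.2, dunno how it slipped through
+      if($level > USER_LEVEL_MEMBER)
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+      else
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+      return "The username and/or password is incorrect.";  
+    }
     $row = $db->fetchrow();
     
     // Check to see if we're logging in using a temporary password
     
     if((intval($row['temp_password_time']) + 3600*24) > time() )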
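Review bot: The failed-login logging block is now duplicated verbatim at new lines 588–592 and 712–716, and the second copy tests `$level`, which this view does not show being defined in that function (both function bodies start and end outside the displayed context). If `$level` is not a parameter there, the `admin_auth_bad` branch can never fire and elevated-auth failures would be recorded as plain `auth_bad`; moving the block into one private helper, e.g. `$this->log_auth_failure($username, $level);`, would keep the two paths from drifting. Because these rows are now written for usernames that do not exist, the `author` column holds whatever was typed into the username field (occasionally a password entered in the wrong box), so the log viewer should HTML-escape it and access to the security log should stay restricted to administrators. Nothing visible here throttles attempts, so every failed request adds a row.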