From 0df7a9b3e38773207441fac64c5e5c6323e59d6f Mon Sep 17 00:00:00 2001
From: Meik Sievertsen <acydburn@phpbb.com>
Date: Fri, 16 Jan 2009 17:39:06 +0000
Subject: [PATCH] get login working

git-svn-id: file:///svn/phpbb/trunk@9271 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/auth/db.php | 260 +++++++++++++++----------------------
 1 file changed, 102 insertions(+), 158 deletions(-)

diff --git a/phpBB/includes/auth/db.php b/phpBB/includes/auth/db.php
index 9e9f347d6a..11b90e4df7 100644
--- a/phpBB/includes/auth/db.php
+++ b/phpBB/includes/auth/db.php
@@ -21,194 +21,138 @@ if (!defined('IN_PHPBB'))
 	exit;
 }
 
-/**
-* Login function
-*/
-function login_db(&$username, &$password)
+class phpbb_auth_db /* extends phpbb_auth */
 {
-	global $db;
-
-	// do not allow empty password
-	if (!$password)
+	/**
+	* Login function
+	*/
+	function login(&$username, &$password)
 	{
-		return array(
-			'status'	=> LOGIN_ERROR_PASSWORD,
-			'error_msg'	=> 'NO_PASSWORD_SUPPLIED',
-			'user_row'	=> array('user_id' => ANONYMOUS),
-		);
-	}
-
-	if (!$username)
-	{
-		return array(
-			'status'	=> LOGIN_ERROR_USERNAME,
-			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
-			'user_row'	=> array('user_id' => ANONYMOUS),
-		);
-	}
-
-	$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
-		FROM ' . USERS_TABLE . "
-		WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
-	$result = $db->sql_query($sql);
-	$row = $db->sql_fetchrow($result);
-	$db->sql_freeresult($result);
-
-	if (!$row)
-	{
-		return array(
-			'status'	=> LOGIN_ERROR_USERNAME,
-			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
-			'user_row'	=> array('user_id' => ANONYMOUS),
-		);
-	}
-
-	// If there are too much login attempts, we need to check for an confirm image
-	// Every auth module is able to define what to do by itself...
-	if (phpbb::$config['max_login_attempts'] && $row['user_login_attempts'] >= phpbb::$config['max_login_attempts'])
-	{
-		$confirm_id = request_var('confirm_id', '');
-		$confirm_code = request_var('confirm_code', '');
-
-		// Visual Confirmation handling
-		if (!$confirm_id)
+		// do not allow empty password
+		if (!$password)
 		{
 			return array(
-				'status'		=> LOGIN_ERROR_ATTEMPTS,
-				'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
-				'user_row'		=> $row,
+				'status'	=> LOGIN_ERROR_PASSWORD,
+				'error_msg'	=> 'NO_PASSWORD_SUPPLIED',
+				'user_row'	=> array('user_id' => ANONYMOUS),
 			);
 		}
-		else
-		{
-			$captcha = phpbb_captcha_factory::get_instance(phpbb::$config['captcha_plugin']);
-			$captcha->init(CONFIRM_LOGIN);
-			$vc_response = $captcha->validate();
-			if ($vc_response)
-			{
-				return array(
-						'status'		=> LOGIN_ERROR_ATTEMPTS,
-						'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
-						'user_row'		=> $row,
-				);
-			}
-		}
-	}
 
-	// @todo: safe to remove?
-	// If the password convert flag is set we need to convert it
-	/*if ($row['user_pass_convert'])
-	{
-		// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
-		$disabled = phpbb_request::super_globals_disabled();
-		phpbb_request::enable_super_globals();
-		$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
-		$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
-		$password_new_format = '';
-		if ($disabled)
+		if (!$username)
 		{
-			phpbb_request::disable_super_globals();
+			return array(
+				'status'	=> LOGIN_ERROR_USERNAME,
+				'error_msg'	=> 'LOGIN_ERROR_USERNAME',
+				'user_row'	=> array('user_id' => ANONYMOUS),
+			);
 		}
 
-		set_var($password_new_format, stripslashes($password_old_format), 'string');
+		$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
+			FROM ' . USERS_TABLE . "
+			WHERE username_clean = '" . phpbb::$db->sql_escape(utf8_clean_string($username)) . "'";
+		$result = phpbb::$db->sql_query($sql);
+		$row = phpbb::$db->sql_fetchrow($result);
+		phpbb::$db->sql_freeresult($result);
 
-		if ($password == $password_new_format)
+		if (!$row)
 		{
-			if (!function_exists('utf8_to_cp1252'))
+			return array(
+				'status'	=> LOGIN_ERROR_USERNAME,
+				'error_msg'	=> 'LOGIN_ERROR_USERNAME',
+				'user_row'	=> array('user_id' => ANONYMOUS),
+			);
+		}
+
+		// If there are too much login attempts, we need to check for an confirm image
+		// Every auth module is able to define what to do by itself...
+		if (phpbb::$config['max_login_attempts'] && $row['user_login_attempts'] >= phpbb::$config['max_login_attempts'])
+		{
+			$confirm_id = request_var('confirm_id', '');
+			$confirm_code = request_var('confirm_code', '');
+
+			// Visual Confirmation handling
+			if (!$confirm_id)
 			{
-				include(PHPBB_ROOT_PATH . 'includes/utf/data/recode_basic.' . PHP_EXT);
-			}
-
-			// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
-			if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
-			{
-				$hash = phpbb_hash($password_new_format);
-
-				// Update the password in the users table to the new format and remove user_pass_convert flag
-				$sql = 'UPDATE ' . USERS_TABLE . '
-					SET user_password = \'' . $db->sql_escape($hash) . '\',
-						user_pass_convert = 0
-					WHERE user_id = ' . $row['user_id'];
-				$db->sql_query($sql);
-
-				$row['user_pass_convert'] = 0;
-				$row['user_password'] = $hash;
-			}
-			else
-			{
-				// Although we weren't able to convert this password we have to
-				// increase login attempt count to make sure this cannot be exploited
-				$sql = 'UPDATE ' . USERS_TABLE . '
-					SET user_login_attempts = user_login_attempts + 1
-					WHERE user_id = ' . $row['user_id'];
-				$db->sql_query($sql);
-
 				return array(
-					'status'		=> LOGIN_ERROR_PASSWORD_CONVERT,
-					'error_msg'		=> 'LOGIN_ERROR_PASSWORD_CONVERT',
+					'status'		=> LOGIN_ERROR_ATTEMPTS,
+					'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
 					'user_row'		=> $row,
 				);
 			}
-		}
-	}*/
-
-	// Check password ...
-	if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
-	{
-		// Check for old password hash...
-		if (strlen($row['user_password']) == 32)
-		{
-			$hash = phpbb_hash($password);
-
-			// Update the password in the users table to the new format
-			$sql = 'UPDATE ' . USERS_TABLE . "
-				SET user_password = '" . $db->sql_escape($hash) . "',
-					user_pass_convert = 0
-				WHERE user_id = {$row['user_id']}";
-			$db->sql_query($sql);
-
-			$row['user_password'] = $hash;
+			else
+			{
+				$captcha = phpbb_captcha_factory::get_instance(phpbb::$config['captcha_plugin']);
+				$captcha->init(CONFIRM_LOGIN);
+				$vc_response = $captcha->validate();
+				if ($vc_response)
+				{
+					return array(
+							'status'		=> LOGIN_ERROR_ATTEMPTS,
+							'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
+							'user_row'		=> $row,
+					);
+				}
+			}
 		}
 
-		if ($row['user_login_attempts'] != 0)
+		// Check password ...
+		if (!$row['user_pass_convert'] && phpbb::$security->check_password($password, $row['user_password']))
 		{
-			// Successful, reset login attempts (the user passed all stages)
-			$sql = 'UPDATE ' . USERS_TABLE . '
-				SET user_login_attempts = 0
-				WHERE user_id = ' . $row['user_id'];
-			$db->sql_query($sql);
-		}
+			// Check for old password hash...
+			if (strlen($row['user_password']) == 32)
+			{
+				$hash = phpbb::$security->hash_password($password);
 
-		// User inactive...
-		if ($row['user_type'] == phpbb::USER_INACTIVE || $row['user_type'] == phpbb::USER_IGNORE)
-		{
+				// Update the password in the users table to the new format
+				$sql = 'UPDATE ' . USERS_TABLE . "
+					SET user_password = '" . phpbb::$db->sql_escape($hash) . "',
+						user_pass_convert = 0
+					WHERE user_id = {$row['user_id']}";
+				phpbb::$db->sql_query($sql);
+
+				$row['user_password'] = $hash;
+			}
+
+			if ($row['user_login_attempts'] != 0)
+			{
+				// Successful, reset login attempts (the user passed all stages)
+				$sql = 'UPDATE ' . USERS_TABLE . '
+					SET user_login_attempts = 0
+					WHERE user_id = ' . $row['user_id'];
+				phpbb::$db->sql_query($sql);
+			}
+
+			// User inactive...
+			if ($row['user_type'] == phpbb::USER_INACTIVE || $row['user_type'] == phpbb::USER_IGNORE)
+			{
+				return array(
+					'status'		=> LOGIN_ERROR_ACTIVE,
+					'error_msg'		=> 'ACTIVE_ERROR',
+					'user_row'		=> $row,
+				);
+			}
+
+			// Successful login... set user_login_attempts to zero...
 			return array(
-				'status'		=> LOGIN_ERROR_ACTIVE,
-				'error_msg'		=> 'ACTIVE_ERROR',
+				'status'		=> LOGIN_SUCCESS,
+				'error_msg'		=> false,
 				'user_row'		=> $row,
 			);
 		}
 
-		// Successful login... set user_login_attempts to zero...
+		// Password incorrect - increase login attempts
+		$sql = 'UPDATE ' . USERS_TABLE . '
+			SET user_login_attempts = user_login_attempts + 1
+			WHERE user_id = ' . $row['user_id'];
+		phpbb::$db->sql_query($sql);
+
+		// Give status about wrong password...
 		return array(
-			'status'		=> LOGIN_SUCCESS,
-			'error_msg'		=> false,
+			'status'		=> LOGIN_ERROR_PASSWORD,
+			'error_msg'		=> 'LOGIN_ERROR_PASSWORD',
 			'user_row'		=> $row,
 		);
 	}
-
-	// Password incorrect - increase login attempts
-	$sql = 'UPDATE ' . USERS_TABLE . '
-		SET user_login_attempts = user_login_attempts + 1
-		WHERE user_id = ' . $row['user_id'];
-	$db->sql_query($sql);
-
-	// Give status about wrong password...
-	return array(
-		'status'		=> LOGIN_ERROR_PASSWORD,
-		'error_msg'		=> 'LOGIN_ERROR_PASSWORD',
-		'user_row'		=> $row,
-	);
 }
 
 ?>
\ No newline at end of file