phpBB/includes/auth/db.php

   1 <?php
   2 /**
   3 * Database auth plug-in for phpBB3
   4 *
   5 * Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
   6 *
   7 * This is for authentication via the integrated user table
   8 *
   9 * @package login
  10 * @version $Id$
  11 * @copyright (c) 2005 phpBB Group
  12 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  13 *
  14 */
  15
  16 /**
  17 * @ignore
  18 */
  19 if (!defined('IN_PHPBB'))
  20 {
  21         exit;
  22 }
  23
  24 class phpbb_auth_db /* extends phpbb_auth */
  25 {
  26         /**
  27         * Login function
  28         */
  29         function login(&$username, &$password)
  30         {
  31                 // do not allow empty password
  32                 if (!$password)
  33                 {
  34                         return array(
  35                                 'status'        => LOGIN_ERROR_PASSWORD,
  36                                 'error_msg'     => 'NO_PASSWORD_SUPPLIED',
  37                                 'user_row'      => array('user_id' => ANONYMOUS),
  38                         );
  39                 }
  40
  41                 if (!$username)
  42                 {
  43                         return array(
  44                                 'status'        => LOGIN_ERROR_USERNAME,
  45                                 'error_msg'     => 'LOGIN_ERROR_USERNAME',
  46                                 'user_row'      => array('user_id' => ANONYMOUS),
  47                         );
  48                 }
  49
  50                 $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
  51                         FROM ' . USERS_TABLE . "
  52                         WHERE username_clean = '" . phpbb::$db->sql_escape(utf8_clean_string($username)) . "'";
  53                 $result = phpbb::$db->sql_query($sql);
  54                 $row = phpbb::$db->sql_fetchrow($result);
  55                 phpbb::$db->sql_freeresult($result);
  56
  57                 if (!$row)
  58                 {
  59                         return array(
  60                                 'status'        => LOGIN_ERROR_USERNAME,
  61                                 'error_msg'     => 'LOGIN_ERROR_USERNAME',
  62                                 'user_row'      => array('user_id' => ANONYMOUS),
  63                         );
  64                 }
  65
  66                 // If there are too much login attempts, we need to check for an confirm image
  67                 // Every auth module is able to define what to do by itself...
  68                 if (phpbb::$config['max_login_attempts'] && $row['user_login_attempts'] >= phpbb::$config['max_login_attempts'])
  69                 {
  70                         $confirm_id = request_var('confirm_id', '');
  71                         $confirm_code = request_var('confirm_code', '');
  72
  73                         // Visual Confirmation handling
  74                         if (!$confirm_id)
  75                         {
  76                                 return array(
  77                                         'status'                => LOGIN_ERROR_ATTEMPTS,
  78                                         'error_msg'             => 'LOGIN_ERROR_ATTEMPTS',
  79                                         'user_row'              => $row,
  80                                 );
  81                         }
  82                         else
  83                         {
  84                                 $captcha = phpbb_captcha_factory::get_instance(phpbb::$config['captcha_plugin']);
  85                                 $captcha->init(CONFIRM_LOGIN);
  86                                 $vc_response = $captcha->validate();
  87                                 if ($vc_response)
  88                                 {
  89                                         return array(
  90                                                         'status'                => LOGIN_ERROR_ATTEMPTS,
  91                                                         'error_msg'             => 'LOGIN_ERROR_ATTEMPTS',
  92                                                         'user_row'              => $row,
  93                                         );
  94                                 }
  95                         }
  96                 }
  97
  98                 // Check password ...
  99                 if (!$row['user_pass_convert'] && phpbb::$security->check_password($password, $row['user_password']))
 100                 {
 101                         // Check for old password hash...
 102                         if (strlen($row['user_password']) == 32)
 103                         {
 104                                 $hash = phpbb::$security->hash_password($password);
 105
 106                                 // Update the password in the users table to the new format
 107                                 $sql = 'UPDATE ' . USERS_TABLE . "
 108                                         SET user_password = '" . phpbb::$db->sql_escape($hash) . "',
 109                                                 user_pass_convert = 0
 110                                         WHERE user_id = {$row['user_id']}";
 111                                 phpbb::$db->sql_query($sql);
 112
 113                                 $row['user_password'] = $hash;
 114                         }
 115
 116                         if ($row['user_login_attempts'] != 0)
 117                         {
 118                                 // Successful, reset login attempts (the user passed all stages)
 119                                 $sql = 'UPDATE ' . USERS_TABLE . '
 120                                         SET user_login_attempts = 0
 121                                         WHERE user_id = ' . $row['user_id'];
 122                                 phpbb::$db->sql_query($sql);
 123                         }
 124
 125                         // User inactive...
 126                         if ($row['user_type'] == phpbb::USER_INACTIVE || $row['user_type'] == phpbb::USER_IGNORE)
 127                         {
 128                                 return array(
 129                                         'status'                => LOGIN_ERROR_ACTIVE,
 130                                         'error_msg'             => 'ACTIVE_ERROR',
 131                                         'user_row'              => $row,
 132                                 );
 133                         }
 134
 135                         // Successful login... set user_login_attempts to zero...
 136                         return array(
 137                                 'status'                => LOGIN_SUCCESS,
 138                                 'error_msg'             => false,
 139                                 'user_row'              => $row,
 140                         );
 141                 }
 142
 143                 // Password incorrect - increase login attempts
 144                 $sql = 'UPDATE ' . USERS_TABLE . '
 145                         SET user_login_attempts = user_login_attempts + 1
 146                         WHERE user_id = ' . $row['user_id'];
 147                 phpbb::$db->sql_query($sql);
 148
 149                 // Give status about wrong password...
 150                 return array(
 151                         'status'                => LOGIN_ERROR_PASSWORD,
 152                         'error_msg'             => 'LOGIN_ERROR_PASSWORD',
 153                         'user_row'              => $row,
 154                 );
 155         }
 156 }
 157
 158 ?>