These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | /*************************************************************************** |
||
3 | * For license information see LICENSE.md |
||
4 | * see lib2/login.class.php. !! |
||
5 | ***************************************************************************/ |
||
6 | |||
7 | // unknown error occurred |
||
8 | define('LOGIN_UNKNOWN_ERROR', -1); |
||
9 | // login succeeded |
||
10 | define('LOGIN_OK', 0); |
||
11 | // bad username or password |
||
12 | define('LOGIN_BADUSERPW', 1); |
||
13 | // too many login attempts in short time |
||
14 | define('LOGIN_TOOMUCHLOGINS', 2); |
||
15 | // the user account locked |
||
16 | define('LOGIN_USERNOTACTIVE', 3); |
||
17 | // given username/password was empty |
||
18 | define('LOGIN_EMPTY_USERPASSWORD', 4); |
||
19 | // logout was successfully |
||
20 | define('LOGIN_LOGOUT_OK', 5); |
||
21 | |||
22 | // login times in seconds |
||
23 | define('LOGIN_TIME', 60 * 60); |
||
24 | define('LOGIN_TIME_PERMANENT', 90 * 24 * 60 * 60); |
||
25 | |||
26 | $login = new login(); |
||
27 | |||
28 | class login |
||
0 ignored issues
–
show
|
|||
29 | { |
||
30 | public $userid = 0; |
||
31 | public $username = ''; |
||
32 | public $permanent = false; |
||
33 | public $lastlogin = ''; |
||
34 | public $sessionid = ''; |
||
35 | public $admin = 0; |
||
36 | public $verified = false; |
||
37 | |||
38 | View Code Duplication | public function __construct() |
|
39 | { |
||
40 | global $cookie; |
||
41 | |||
42 | if ($cookie->is_set('userid') && $cookie->is_set('username')) { |
||
43 | $this->userid = $cookie->get('userid') + 0; |
||
44 | $this->username = $cookie->get('username'); |
||
45 | $this->permanent = (($cookie->get('permanent') + 0) == 1); |
||
46 | $this->lastlogin = $cookie->get('lastlogin'); |
||
47 | $this->sessionid = $cookie->get('sessionid'); |
||
48 | $this->verified = false; |
||
49 | |||
50 | $this->verify(); |
||
51 | } else { |
||
52 | $this->pClear(); |
||
53 | } |
||
54 | } |
||
55 | |||
56 | View Code Duplication | public function pClear() |
|
57 | { |
||
58 | // set to no valid login |
||
59 | $this->userid = 0; |
||
60 | $this->username = ''; |
||
61 | $this->permanent = false; |
||
62 | $this->lastlogin = ''; |
||
63 | $this->sessionid = ''; |
||
64 | $this->admin = 0; |
||
65 | $this->verified = true; |
||
66 | |||
67 | $this->pStoreCookie(); |
||
68 | } |
||
69 | |||
70 | View Code Duplication | public function pStoreCookie() |
|
71 | { |
||
72 | global $cookie; |
||
73 | $cookie->set('userid', $this->userid); |
||
74 | $cookie->set('username', $this->username); |
||
75 | $cookie->set('permanent', ($this->permanent == true ? 1 : 0)); |
||
76 | $cookie->set('lastlogin', $this->lastlogin); |
||
77 | $cookie->set('sessionid', $this->sessionid); |
||
78 | } |
||
79 | |||
80 | public function verify() |
||
81 | { |
||
82 | global $locale, $opt; |
||
83 | |||
84 | if ($this->verified == true) { |
||
85 | return; |
||
86 | } |
||
87 | |||
88 | if ($this->userid == 0) { |
||
89 | $this->pClear(); |
||
90 | |||
91 | return; |
||
92 | } |
||
93 | |||
94 | if ($this->checkLoginsCount() == false) { |
||
95 | $this->pClear(); |
||
96 | |||
97 | return; |
||
98 | } |
||
99 | |||
100 | $min_lastlogin = date('Y-m-d H:i:s', time() - LOGIN_TIME); |
||
101 | $min_lastlogin_permanent = date('Y-m-d H:i:s', time() - LOGIN_TIME_PERMANENT); |
||
102 | |||
103 | $rs = sql( |
||
104 | "SELECT `sys_sessions`.`last_login`, `user`.`admin` |
||
105 | FROM &db.`sys_sessions`, &db.`user` |
||
106 | WHERE `sys_sessions`.`user_id`=`user`.`user_id` |
||
107 | AND `user`.`is_active_flag`=1 |
||
108 | AND `sys_sessions`.`uuid`='&1' |
||
109 | AND `sys_sessions`.`user_id`='&2' |
||
110 | AND ((`sys_sessions`.`permanent`=1 |
||
111 | AND `sys_sessions`.`last_login`>'&3') |
||
112 | OR (`sys_sessions`.`permanent`=0 AND `sys_sessions`.`last_login`>'&4')) |
||
113 | ", |
||
114 | $this->sessionid, |
||
115 | $this->userid, |
||
116 | $min_lastlogin_permanent, |
||
117 | $min_lastlogin |
||
118 | ); |
||
119 | |||
120 | // sys_session.last_login controls the automatic logout of users at the OC website. |
||
121 | // user.last_login gives the overall last login date, including OKAPI logins. |
||
122 | |||
123 | if ($rUser = sql_fetch_assoc($rs)) { |
||
124 | View Code Duplication | if ((($this->permanent == true) && (strtotime($rUser['last_login']) + LOGIN_TIME_PERMANENT / 2 < time())) || |
|
125 | (($this->permanent == false) && (strtotime($rUser['last_login']) + LOGIN_TIME / 2 < time())) |
||
126 | ) { |
||
127 | sql( |
||
128 | "UPDATE `sys_sessions` |
||
129 | SET `sys_sessions`.`last_login`=NOW() |
||
130 | WHERE `sys_sessions`.`uuid`='&1' |
||
131 | AND `sys_sessions`.`user_id`='&2'", |
||
132 | $this->sessionid, |
||
133 | $this->userid |
||
134 | ); |
||
135 | $rUser['last_login'] = date('Y-m-d H:i:s'); |
||
136 | } |
||
137 | |||
138 | if (isset($locale)) { |
||
139 | sql( |
||
140 | "UPDATE `user` |
||
141 | SET `last_login`=NOW(), |
||
142 | `language`='&2', |
||
143 | `language_guessed` = 0, |
||
144 | `domain`='&3' |
||
145 | WHERE `user_id`='&1'", |
||
146 | $this->userid, |
||
147 | $locale, |
||
148 | $opt['page']['domain'] |
||
149 | ); |
||
150 | } else { |
||
151 | sql("UPDATE `user` SET `last_login`=NOW() WHERE `user_id`='&1'", $this->userid); |
||
152 | } |
||
153 | |||
154 | $this->lastlogin = $rUser['last_login']; |
||
155 | $this->admin = $rUser['admin']; |
||
156 | $this->verified = true; |
||
157 | } else { |
||
158 | // prevent bruteforce |
||
159 | sql("INSERT INTO `sys_logins` (`remote_addr`, `success`) VALUES ('&1', 0)", $_SERVER['REMOTE_ADDR']); |
||
160 | |||
161 | $this->pClear(); |
||
162 | } |
||
163 | sql_free_result($rs); |
||
164 | |||
165 | $this->pStoreCookie(); |
||
166 | } |
||
167 | |||
168 | /** |
||
169 | * @param int|bool $privilege |
||
170 | * @return bool |
||
171 | */ |
||
172 | View Code Duplication | public function hasAdminPriv($privilege = false) |
|
173 | { |
||
174 | $this->verify(); |
||
175 | |||
176 | if ($privilege === false) { |
||
177 | return $this->admin > 0; |
||
178 | } |
||
179 | |||
180 | return ($this->admin & $privilege) == $privilege; |
||
181 | } |
||
182 | |||
183 | public function listingAdmin() |
||
184 | { |
||
185 | global $opt; |
||
186 | |||
187 | return $this->hasAdminPriv(ADMIN_LISTING) && $opt['logic']['admin']['enable_listing_admins']; |
||
188 | } |
||
189 | |||
190 | public function checkLoginsCount() |
||
191 | { |
||
192 | global $opt; |
||
193 | |||
194 | // cleanup old entries |
||
195 | // (execute only every 50 search calls) |
||
196 | View Code Duplication | if (mt_rand(1, 50) === 1) { |
|
197 | sql("DELETE FROM `sys_logins` WHERE `date_created`<'&1'", date('Y-m-d H:i:s', time() - 3600)); |
||
198 | } |
||
199 | |||
200 | // check the number of login attempts in the last hour ... |
||
201 | $loginCount = sqlValue( |
||
202 | "SELECT COUNT(*) `count` FROM `sys_logins` WHERE `remote_addr`='" . sql_escape( |
||
203 | $_SERVER['REMOTE_ADDR'] |
||
204 | ) . "' AND `date_created`>'" . sql_escape(date('Y-m-d H:i:s', time() - 3600)) . "'", |
||
205 | 0 |
||
206 | ); |
||
207 | if ($loginCount > $opt['page']['max_logins_per_hour']) { |
||
208 | return false; |
||
209 | } |
||
210 | |||
211 | return true; |
||
212 | } |
||
213 | } |
||
214 |
You can fix this by adding a namespace to your class:
When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.