Changed database access to PDO using prepared statements
This commit is contained in:
91
login.php
91
login.php
@@ -12,35 +12,86 @@ session_start();
|
||||
|
||||
include("config.php");
|
||||
include("dbconnect.php");
|
||||
|
||||
include("lib.php");
|
||||
|
||||
// include language file
|
||||
|
||||
function user_login($user_name, $user_pass) {
|
||||
global $dbh;
|
||||
|
||||
if (strlen($user_name) < 1) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (strlen($user_pass) < 1) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
$sql = "SELECT user_id, user_pass, user_displayname, user_language,
|
||||
user_imagesize, user_imagecount, user_mac, user_dateformat,
|
||||
user_dns1suffix, user_dns2suffix, user_menu_assets,
|
||||
user_menu_assetclasses, user_menu_assetclassgroups,
|
||||
user_menu_locations, user_menu_nodes, user_menu_subnets,
|
||||
user_menu_users, user_menu_vlans, user_menu_zones,
|
||||
user_tooltips
|
||||
FROM user
|
||||
WHERE user_name=?";
|
||||
$sth = $dbh->prepare($sql);
|
||||
$sth->execute([$user_name]);
|
||||
|
||||
if (!$user = $sth->fetch(PDO::FETCH_OBJ)) {
|
||||
// no user record found
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// TODO use secure algo with salt!
|
||||
if (strcmp(md5($user_pass), $user->user_pass) != 0) {
|
||||
// password does not match
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// all ok: user is logged in, register session data
|
||||
$_SESSION['suser_id'] = $user->user_id;
|
||||
$_SESSION['suser_displayname'] = $user->user_displayname;
|
||||
$_SESSION['suser_language'] = $user->user_language;
|
||||
$_SESSION['suser_imagesize'] = $user->user_imagesize;
|
||||
$_SESSION['suser_imagecount'] = $user->user_imagecount;
|
||||
$_SESSION['suser_mac'] = $user->user_mac;
|
||||
$_SESSION['suser_dateformat'] = $user->user_dateformat;
|
||||
$_SESSION['suser_dns1suffix'] = $user->user_dns1suffix;
|
||||
$_SESSION['suser_dns2suffix'] = $user->user_dns2suffix;
|
||||
$_SESSION['suser_menu_assets'] = $user->user_menu_assets;
|
||||
$_SESSION['suser_menu_assetclasses'] = $user->user_menu_assetclasses;
|
||||
$_SESSION['suser_menu_assetclassgroups'] = $user->user_menu_assetclassgroups;
|
||||
$_SESSION['suser_menu_locations'] = $user->user_menu_locations;
|
||||
$_SESSION['suser_menu_nodes'] = $user->user_menu_nodes;
|
||||
$_SESSION['suser_menu_subnets'] = $user->user_menu_subnets;
|
||||
$_SESSION['suser_menu_users'] = $user->user_menu_users;
|
||||
$_SESSION['suser_menu_vlans'] = $user->user_menu_vlans;
|
||||
$_SESSION['suser_menu_zones'] = $user->user_menu_zones;
|
||||
$_SESSION['suser_tooltips'] = $user->user_tooltips;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// No header included, this page has no menu
|
||||
|
||||
$language = lang_getfrombrowser($config_lang, $config_lang_default, null, false);
|
||||
include('lang/' . $language . '.php');
|
||||
|
||||
// check for submit
|
||||
if ($_SERVER['REQUEST_METHOD']=="POST" ) {
|
||||
/// get post info
|
||||
$user_name = sanitize($_POST['user_name']);
|
||||
$user_pass = sanitize($_POST['user_pass']);
|
||||
|
||||
// login
|
||||
$login = $user->user_login($user_name, $user_pass);
|
||||
|
||||
if($login==TRUE) {
|
||||
// redirect
|
||||
header_location("index.php");
|
||||
} else {
|
||||
// not ok, break session
|
||||
$_SESSION = array();
|
||||
session_destroy();
|
||||
}
|
||||
$user_name = sanitize($_POST['user_name']);
|
||||
$user_pass = sanitize($_POST['user_pass']);
|
||||
|
||||
if (user_login($user_name, $user_pass) == TRUE) {
|
||||
header_location("index.php");
|
||||
} else {
|
||||
$_SESSION = array();
|
||||
session_destroy();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$smarty->assign("config_version", $config_version);
|
||||
$smarty->assign($lang);
|
||||
|
||||
$smarty->display("login.tpl");
|
||||
|
||||
include("footer.php");
|
||||
|
||||
Reference in New Issue
Block a user