Hi, all.
I read the login.php file and found something confusing.
----<-- login.php ----
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
// Skip some lines here.
$result = db_query ("SELECT password FROM $table_admin WHERE
username='$fUsername' AND active='1'");
if ($result['rows'] == 1)
{
$row = db_array ($result['result']);
$password = pacrypt ($fPassword, $row['password']);
$result = db_query ("SELECT * FROM $table_admin WHERE
username='$fUsername' AND password='$password' AND active='1'");
if ($result['rows'] != 1)
----<----
Why does it use the SQL query two times? Can we implement this just via a string
comparison like below (patch generated with PostfixAdmin-2.2.1.1)?
----<-- login.php ----
|--- login.php 2007-12-29 20:32:33.000000000 -0500
+++ login.php.bak 2008-10-27 14:46:22.000000000 -0400
@@ -67,18 +67,23 @@
{
$row = db_array ($result['result']);
$password = pacrypt ($fPassword, $row['password']);
- $result = db_query ("SELECT * FROM $table_admin WHERE
username='$fUsername' AND password='$password' AND active='1'");
- if ($result['rows'] != 1)
+
+ //$result = db_query ("SELECT * FROM $table_admin WHERE
username='$fUsername' AND password='$password' AND active='1'");
+ //if ($result['rows'] != 1)
+ if ($password != $row['password'])
{
$error = 1;
- $tMessage = $PALANG['pLogin_password_incorrect'];
+ //$tMessage = $PALANG['pLogin_password_incorrect'];
+ $tMessage = $PALANG['pLogin_incorrect'];
$tUsername = $fUsername;
}
}
else
{
$error = 1;
+ //$tMessage = $PALANG['pLogin_username_incorrect'];
$tMessage = $PALANG['pLogin_username_incorrect'];
+ $tMessage = $PALANG['pLogin_incorrect'];
}
if ($error != 1)|
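Review bot: The added check `if ($password != $row['password'])` uses PHP's loose `!=`, which compares numeric-looking strings as numbers, so two different hash strings that both look like `0e` followed only by digits would be treated as equal; use `!==`, or a constant-time comparison such as `hash_equals()` where the PHP version provides it. In the else branch the original `$tMessage = $PALANG['pLogin_username_incorrect'];` line is still live and is immediately overwritten by the added `pLogin_incorrect` assignment, so it should be removed rather than left next to a commented-out copy of itself. The patch also depends on a `pLogin_incorrect` key that these lines do not add, so the language files need that entry before the message will display. Using one message for both the unknown-username and wrong-password cases is worth keeping, since it stops the form from confirming which admin usernames exist.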
----<----
I'm new to PHP. Thanks for your reply. :)
--
Best regards.
- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/