From: Neil S. <sir...@us...> - 2003-06-18 10:20:36
CVSROOT : /cvsroot/publicdnsadmin Module : publicdnsadmin Commit time: 2003-06-18 10:20:35 UTC Modified files: index.php login.php signup.php lib/gfx_code.inc.php Log message: Author: SiRVu|caN Log message: few changes, gfx check on login now ---------------------- diff included ----------------------
Index: publicdnsadmin/index.php
diff -u publicdnsadmin/index.php:1.2 publicdnsadmin/index.php:1.3
--- publicdnsadmin/index.php:1.2 Fri Jun 13 06:28:58 2003
+++ publicdnsadmin/index.php Wed Jun 18 03:20:24 2003
@@ -12,6 +12,12 @@
 require("lib/prepend.php");
 require("lib/header.php");
+if (!extension_loaded("gd")) { // checking if LibGD is present in apache/php
+ $SHOW_GFXUSRCHK = 0;
+ } else {
+ $SHOW_GFXUSRCHK = 1;
+}
+
 if ($_SESSION["_UID"]) { ?>
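Review bot: The gd detection block added after `require("lib/header.php")` is repeated verbatim in login.php in this same commit, and the signup.php context lines show a third copy; compute the flag once in a shared include such as lib/prepend.php (already required above) and drop the copies. The five-line if/else also collapses to `$SHOW_GFXUSRCHK = extension_loaded("gd") ? 1 : 0;`. As written, the `} else {` line is indented one level deeper than its `if`, which reads as if it belonged to the inner block. The surrounding index.php markup continues past the hunk.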
@@ -84,17 +90,51 @@
 ?>
 <h3>Login</h3>
-<?php if ($_GET["error"] == 1) { ?><p class="error">Login failed: invalid username/password</p>
-<?php } elseif ($_GET["logout"] == 1) { ?><p>You have been logged out</p><?php } ?>
+<?php
+if ($_GET["error"] == 1) {
+ if ($NEWUSERS_GFXCHECK) {
+ echo "<p class=\"error\">Login failed: invalid username/password/gfx code</p>";
+ } else {
+ echo "<p class=\"error\">Login failed: invalid username/password</p>";
+ }
+} elseif ($_GET["logout"] == 1) {
+ echo "<p>You have been logged out</p>";
+}
+?>
 <form action="login.php" method="post">
 <table border="0" cellspacing="0" cellpadding="2">
 <tr>
 <td><b>Username:</b></td>
- <td><input type="text" name="username" size="20" maxlength="15" value=""></td>
+ <td><input type="text" name="username" size="25" maxlength="15" value=""></td>
 </tr>
 <tr>
 <td><b>Password:</b></td>
- <td><input type="password" name="password" size="20" maxlength="15" value=""></td>
+ <td><input type="password" name="password" size="25" maxlength="15" value=""></td>
+</tr>
+<?
+if ($SHOW_GFXUSRCHK && $NEWUSERS_GFXCHECK) {
+?>
+<tr>
+ <td><b>Security Check:</b></td>
+<td>
+<?
+ $dbh = db_connect();
+ $code_length = 10;
+ $code_base = md5( CRC_SALT_0001 . time() . microtime() . CRC_SALT_0009 . uniqid(1) );
+ $code = strtoupper(substr(str_replace("1","",str_replace("i","",str_replace("I","",str_replace("o","",str_replace("O","",str_replace("l","",str_replace("L","",str_replace("0","",$code_base)))))))),0,$code_length));
+ $ts = time()+1800;
+ $crckey = md5( $ts . $_SERVER["HTTP_USER_AGENT"] . CRC_SALT_0010 . $code . CRC_SALT_0008 );
+ echo "<input type=hidden name=gfxcode_crc value=\"" . $crckey . "\">\n";
+ echo "<input type=hidden name=gfxcode_ts value=\"" . $ts . "\">\n";
+ $dbh->query("INSERT INTO gfxcodes VALUES ('" . $code . "','" . $crckey . "','" . $ts . "')");
+ echo "<img src=\"gfx_code.php?crc=" . $crckey . 
"\" width=150 height=50 border=0 alt=\"Type Code in Box\"></td></tr>"; + echo "<tr><td></td><td><input type=text size=25 maxlength=$code_length name=gfxcode_val value=\"\"></td>"; + $dbh->disconnect(); +?> +</tr> +<? +} +?> </tr> <tr> <td colspan="2" align="right"><input type="reset" value="Reset"> <input type="submit" value="Login"></td> Index: publicdnsadmin/lib/gfx_code.inc.php diff -u publicdnsadmin/lib/gfx_code.inc.php:1.1 publicdnsadmin/lib/gfx_code.inc.php:1.2 --- publicdnsadmin/lib/gfx_code.inc.php:1.1 Wed Jun 18 01:05:47 2003 +++ publicdnsadmin/lib/gfx_code.inc.php Wed Jun 18 03:20:25 2003 @@ -7,7 +7,7 @@ Distributed under the GPL license, see LICENSE for more information - $Id: gfx_code.inc.php,v 1.1 2003/06/18 08:05:47 sirvulcan Exp $ + $Id: gfx_code.inc.php,v 1.2 2003/06/18 10:20:25 sirvulcan Exp $ */ include("lib/config.php"); @@ -181,5 +181,26 @@ // output the picture ImageJPEG($newIm,"",$JPEG_OUT_QUALITY); // JPEG Quality die; +} + +function check_code($gfxcode_ts, $gfxcode_crc, $gfxcode_val) { + global $gfxcode_ts, $gfxcode_crc, $gfxcode_val; + $dbh = db_connect(); + + $c = $dbh->query("SELECT expire FROM gfxcodes"); + while ($d = $c->fetchRow()) { + if ($d["expire"] < time()) { + $dbh->query("DELETE FROM gfxcodes WHERE expire='" . $d["expire"] . "'"); + } + } + + $r = $dbh->query("SELECT expire FROM gfxcodes WHERE crc='" . $gfxcode_crc . "' AND code='" . strtoupper($gfxcode_val) . "'"); + if ($r->numRows() == 0) { + return 0; + } else { + $dbh->query("DELETE FROM gfxcodes WHERE crc='" . $gfxcode_crc . "' AND code='" . strtoupper($gfxcode_val) . "'"); + return 1; + } + $dbh->disconnect(); } ?> Index: publicdnsadmin/login.php diff -u publicdnsadmin/login.php:1.1.1.1 publicdnsadmin/login.php:1.2 --- publicdnsadmin/login.php:1.1.1.1 Wed Apr 16 00:19:05 2003 +++ publicdnsadmin/login.php Wed Jun 18 03:20:24 2003 
@@ -13,22 +13,44 @@
 $username = trim(addslashes($_POST["username"]));
 $password = addslashes(md5($_POST["password"]));
+$gfxcode_ts = $_POST["gfxcode_ts"];
+$gfxcode_crc = $_POST["gfxcode_crc"];
+$gfxcode_val = $_POST["gfxcode_val"];
 $dbh = db_connect();
 $login_ok = 0;
-$result = $dbh->query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
-if (!$dbh->isError($result) && $result->numRows()) {
- $row = $result->fetchRow();
- $_SESSION["_UID"] = $row["id"];
- $login_ok = 1;
-
+if (!extension_loaded("gd")) { // checking if LibGD is present in apache/php
+ $SHOW_GFXUSRCHK = 0;
+ } else {
+ $SHOW_GFXUSRCHK = 1;
+}
+
+if ($SHOW_GFXUSRCHK && $NEWUSERS_GFXCHECK) {
+ $gfx_ok = 0;
+ $gfx_ok = check_code($gfxcode_ts, $gfxcode_crc, $gfxcode_val);
+ if ($gfx_ok != 0) {
+ $result = $dbh->query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
+ if (!$dbh->isError($result) && $result->numRows()) {
+ $row = $result->fetchRow();
+ $_SESSION["_UID"] = $row["id"];
+ $login_ok = 1;
+ }
+ }
+} else {
+ $gfx_ok = 1;
+ $result = $dbh->query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
+ if (!$dbh->isError($result) && $result->numRows()) {
+ $row = $result->fetchRow();
+ $_SESSION["_UID"] = $row["id"];
+ $login_ok = 1;
+ }
 }
 $dbh->disconnect();
-if ($login_ok) {
+if ($login_ok && $gfx_ok) {
 header("Location: index.php");
 } else {
 header("Location: index.php?error=1");
Index: publicdnsadmin/signup.php
diff -u publicdnsadmin/signup.php:1.2 publicdnsadmin/signup.php:1.3
--- publicdnsadmin/signup.php:1.2 Wed Jun 18 01:05:47 2003
+++ publicdnsadmin/signup.php Wed Jun 18 03:20:24 2003
@@ -18,6 +18,9 @@
 $company = trim(addslashes($_POST["company"]));
 $password = trim(addslashes($_POST["password"]));
 $pass_confirm = trim(addslashes($_POST["pass_confirm"]));
+$gfxcode_ts = $_POST["gfxcode_ts"];
+$gfxcode_crc = $_POST["gfxcode_crc"];
+$gfxcode_val = $_POST["gfxcode_val"];
 $dbh = db_connect();
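Review bot: The user lookup and session setup (`$result = $dbh->query(...)` through `$login_ok = 1;`) is duplicated in both arms of the `$SHOW_GFXUSRCHK && $NEWUSERS_GFXCHECK` branch; deciding `$gfx_ok` first and running the query once, as below, removes the copy along with the `$gfx_ok = 0;` that is overwritten on the very next line. The three `$gfxcode_*` reads from `$_POST` are not guarded with `isset()`, so a login form rendered without the code row (gd absent) produces undefined-index notices, and they are the only POST fields here not passed through `addslashes` even though check_code puts two of them into SQL. The final `$login_ok && $gfx_ok` redirect is left as it is.
```php
// … unchanged: $_POST reads, db_connect(), gd detection …
$gfx_ok = 1;
if ($SHOW_GFXUSRCHK && $NEWUSERS_GFXCHECK) {
    $gfx_ok = check_code($gfxcode_ts, $gfxcode_crc, $gfxcode_val);
}
if ($gfx_ok) {
    $result = $dbh->query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
    if (!$dbh->isError($result) && $result->numRows()) {
        $row = $result->fetchRow();
        $_SESSION["_UID"] = $row["id"];
        $login_ok = 1;
    }
}
// … unchanged: $dbh->disconnect() and the Location redirect …
```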
@@ -27,32 +30,6 @@
 $SHOW_GFXUSRCHK = 1;
 }
-if ($SHOW_GFXUSRCHK && $NEWUSERS_GFXCHECK) {
- if ($clic == 1 && ($gfxcode_crc != md5( $gfxcode_ts . $_SERVER["HTTP_USER_AGENT"] . CRC_SALT_0010 . strtoupper($gfxcode_val) . CRC_SALT_0008))) {
- $failed = 1;
- if ($first_error) { echo "<center>"; $first_error=0; }
- echo "<p>You entered an invalid code from the picture. <a href=\"signup.php\">Please try again</a>.</p>";
- } else {
- if ($clic == 1) {
- $ENABLE_COOKIE_TABLE = 1;
- $dbh->query("DELETE FROM gfxcodes WHERE expire<now()::abstime::int4");
- $r = $dbh->query("SELECT expire FROM gfxcodes WHERE crc='" . $gfxcode_crc . "' AND code='" . strtoupper($gfxcode_val) . "'");
- if ($r->numRows()==0) {
- $failed = 1;
- if ($first_error) { echo "<center>"; $first_error=0; }
- echo "<p>You entered an invalid/expired code from the picture. <a href=\"newuser.php\">Please try again</a>.</p>";
- } else {
- }
- }
- $ENABLE_COOKIE_TABLE = 0;
- if ($failed==0) {
- $ENABLE_COOKIE_TABLE = 1;
- $dbh->query("DELETE FROM gfxcodes WHERE crc='" . $gfxcode_crc . "' AND code='" . strtoupper($gfxcode_val) . "'");
- $ENABLE_COOKIE_TABLE = 0;
- }
- }
-}
-
 ?>
 <h3>Signup</h3>
 <?
@@ -97,6 +74,17 @@
 require("lib/footer.php");
 die();
 } // email checks
+
+ // gfx code checks
+ if ($SHOW_GFXUSRCHK && $NEWUSERS_GFXCHECK && $gfxcode_ts && $gfxcode_crc && $gfxcode_val) {
+ $gfx_ok = 0;
+ $gfx_ok = check_code($gfxcode_ts, $gfxcode_crc, $gfxcode_val);
+ if ($gfx_ok == 0) {
+ echo "<p class=\"error\">Invalid GFX Code.</p>";
+ require("lib/footer.php");
+ die();
+ }
+ } // gfx code checks
 $usercheck = $dbh->query("SELECT username FROM users WHERE username='".$username."'");
 if (!$dbh->isError($usercheck) && ($usercheck->numRows() > 0)) {
----------------------- End of diff ----------------------- |
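Review bot: The gfx check in the second hunk only runs when `$gfxcode_ts && $gfxcode_crc && $gfxcode_val` are all non-empty, so a signup submitted without those fields skips the check entirely even though it is enabled; the guard should be `if ($SHOW_GFXUSRCHK && $NEWUSERS_GFXCHECK) {` so that a missing code fails the same way a wrong one does (check_code should already return 0 for a value it cannot find). `$gfx_ok = 0;` is overwritten on the next line and can go. Whether signup.php includes lib/gfx_code.inc.php, which defines check_code, is not visible in either hunk. The validation block this sits in starts before the hunk.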