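sql_escape(utf8_clean_string($sess_id)). "' ";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);

//if user logged into main site but not forum
if ($row && $userrow['username_clean'] == 'anonymous')
{
    $user_info = unserialize($row['user_data']);
    if (strlen($user_info['username']))
    {
        $clancmsuser = $user_info['username'];
        $sql = 'SELECT * FROM ' . USERS_TABLE . " WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($clancmsuser)) . "'";
        $result = $db->sql_query($sql);
        $row = $db->sql_fetchrow($result);
        $db->sql_freeresult($result);
        //invalidate session
        return false;
    }
}
//no session mismatch, carry on
return true;
}

/**
 * Fetch the phpBB account for an already cleaned and SQL-escaped username.
 *
 * @param object $db              phpBB database driver
 * @param string $username_clean  Result of $db->sql_escape(utf8_clean_string($username))
 * @return array|false            USERS_TABLE row with the columns the login flow needs, or false
 */
function _clancms_fetch_forum_user($db, $username_clean)
{
    $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
        FROM ' . USERS_TABLE . "
        WHERE username_clean = '" . $username_clean . "'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    return $row;
}

/**
 * Look a user up in the main-site table and verify the password there.
 *
 * ClanCMS stores sha1(user_salt . sha1(password)); that scheme belongs to the CMS
 * and cannot be changed from this plugin, so the comparison is done in SQL the way
 * the CMS does it.
 * NOTE(review): salted SHA-1 is cheap to brute-force offline; the CMS side should
 * migrate to password_hash(). A successful match here is immediately re-hashed with
 * phpbb_hash() by the caller, so the forum never stores the weak form.
 *
 * @param object $db              phpBB database driver
 * @param string $username_clean  Result of $db->sql_escape(utf8_clean_string($username))
 * @param string $password        Plaintext password as entered
 * @return array|false            The matching ClanCMS_users row, or false for unknown user OR wrong password
 */
function _clancms_fetch_cms_user($db, $username_clean, $password)
{
    $sql = "SELECT user_salt FROM " . CLANCMSDB . ".ClanCMS_users WHERE user_name = '" . $username_clean . "'";
    $result = $db->sql_query($sql);
    $salt_row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    // Unknown user: the original dereferenced false here and went on to compare
    // against sha1('' . sha1($password)), which could never match anyway. Bail out
    // early; the caller reports the same LOGIN_ERROR_USERNAME in both cases.
    if (!$salt_row)
    {
        return false;
    }

    $cms_hash = sha1($salt_row['user_salt'] . sha1($password));
    $sql = "SELECT * FROM " . CLANCMSDB . ".ClanCMS_users
        WHERE user_name = '" . $username_clean . "' AND user_password = '" . $db->sql_escape($cms_hash) . "'";
    $result = $db->sql_query($sql);
    $cms_row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    return $cms_row;
}

/**
 * phpBB auth plugin entry point: authenticate $username / $password.
 *
 * The phpBB USERS_TABLE is consulted first. If no forum account exists, the main
 * site table (CLANCMSDB.ClanCMS_users) is checked; a match there returns
 * LOGIN_SUCCESS_CREATE_PROFILE with a user_row from which phpBB creates the forum
 * account. Otherwise the password is verified against the forum hash.
 *
 * Changes from the previous revision:
 *  - $user is declared global (it was not, so 'user_ip' for auto-created accounts
 *    was always null with a notice);
 *  - the CMS e-mail is taken from the matched row (the old code read a *second*
 *    fetchrow() on the same result, which is empty, so user_email was always '');
 *  - a missing CMS user no longer dereferences a false row.
 *
 * @param string &$username  Login name as entered (phpBB passes by reference)
 * @param string &$password  Plaintext password as entered
 * @return array ('status' => LOGIN_* constant, 'error_msg' => string|false, 'user_row' => array)
 */
function login_clancms(&$username, &$password)
{
    global $db, $config, $user;

    $anon_row = array('user_id' => ANONYMOUS);

    // do not allow empty password
    if (!$password)
    {
        return array(
            'status'    => LOGIN_ERROR_PASSWORD,
            'error_msg' => 'NO_PASSWORD_SUPPLIED',
            'user_row'  => $anon_row,
        );
    }

    if (!$username)
    {
        return array(
            'status'    => LOGIN_ERROR_USERNAME,
            'error_msg' => 'LOGIN_ERROR_USERNAME',
            'user_row'  => $anon_row,
        );
    }

    // Cleaned + escaped once and reused for every lookup below.
    $username_clean = $db->sql_escape(utf8_clean_string($username));

    $row = _clancms_fetch_forum_user($db, $username_clean);

    //if not in forum database, check main site db.
    if (!$row)
    {
        $cms_row = _clancms_fetch_cms_user($db, $username_clean, $password);

        // Unknown user and wrong password both end here with the same status,
        // as before, so the response does not reveal which one it was.
        if (!$cms_row)
        {
            return array(
                'status'    => LOGIN_ERROR_USERNAME,
                'error_msg' => 'LOGIN_ERROR_USERNAME',
                'user_row'  => $anon_row,
            );
        }

        // retrieve default group id
        $sql = 'SELECT group_id FROM ' . GROUPS_TABLE . "
            WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' AND group_type = " . GROUP_SPECIAL;
        $result = $db->sql_query($sql);
        $group_row = $db->sql_fetchrow($result);
        $db->sql_freeresult($result);

        if (!$group_row)
        {
            trigger_error('NO_GROUP');
        }

        // generate user account data; the password is re-hashed with phpBB's own
        // scheme so the CMS hash never enters the forum table.
        $clancms_user_row = array(
            'username'      => $username,
            'user_password' => phpbb_hash($password),
            'user_email'    => (!empty($cms_row['user_email'])) ? utf8_htmlspecialchars(htmlspecialchars_decode($cms_row['user_email'])) : '',
            'group_id'      => (int) $group_row['group_id'],
            'user_type'     => USER_NORMAL,
            'user_ip'       => $user->ip,
            'user_new'      => ($config['new_member_post_limit']) ? 1 : 0,
        );

        // this is the user's first login so create an empty profile
        return array(
            'status'    => LOGIN_SUCCESS_CREATE_PROFILE,
            'error_msg' => false,
            'user_row'  => $clancms_user_row,
        );
    }

    // Brute-force throttling is switched off in this plugin: user_login_attempts is
    // still counted below, but nothing ever acts on it, so there is no lockout or
    // CAPTCHA for repeated wrong passwords.
    // NOTE(review): phpBB's own db plugin uses
    //   $config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']
    // here; re-enable it unless the CMS enforces its own rate limit in front of this.
    $show_captcha = false;

    // If there are too much login attempts, we need to check for an confirm image
    // Every auth module is able to define what to do by itself...
    if ($show_captcha)
    {
        // Visual Confirmation handling
        if (!class_exists('phpbb_captcha_factory'))
        {
            global $phpbb_root_path, $phpEx;
            include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
        }

        $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
        $captcha->init(CONFIRM_LOGIN);
        $vc_response = $captcha->validate($row);

        if ($vc_response)
        {
            return array(
                'status'    => LOGIN_ERROR_ATTEMPTS,
                'error_msg' => 'LOGIN_ERROR_ATTEMPTS',
                'user_row'  => $row,
            );
        }
        else
        {
            $captcha->reset();
        }
    }

    if (phpbb_check_hash($password, $row['user_password']))
    {
        // Re-read the row after the hash check, as the original did, so the
        // returned user_row reflects the current database state.
        $row = _clancms_fetch_forum_user($db, $username_clean);

        if ($row)
        {
            if ($row['user_login_attempts'] != 0)
            {
                // Successful, reset login attempts (the user passed all stages)
                $sql = 'UPDATE ' . USERS_TABLE . '
                    SET user_login_attempts = 0
                    WHERE user_id = ' . (int) $row['user_id'];
                $db->sql_query($sql);
            }

            // User inactive...
            if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
            {
                return array(
                    'status'    => LOGIN_ERROR_ACTIVE,
                    'error_msg' => 'ACTIVE_ERROR',
                    'user_row'  => $row,
                );
            }

            // Successful login...
            return array(
                'status'    => LOGIN_SUCCESS,
                'error_msg' => false,
                'user_row'  => $row,
            );
        }
    }

    // Password incorrect - increase login attempts (capped at LOGIN_ATTEMPTS_MAX)
    $sql = 'UPDATE ' . USERS_TABLE . '
        SET user_login_attempts = user_login_attempts + 1
        WHERE user_id = ' . (int) $row['user_id'] . '
            AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
    $db->sql_query($sql);

    // Give status about wrong password...
    return array(
        'status'    => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD,
        'error_msg' => ($show_captcha) ? 'LOGIN_ERROR_ATTEMPTS' : 'LOGIN_ERROR_PASSWORD',
        'user_row'  => $row,
    );
}

/**
 * unserialize() a string that must decode to a plain array.
 *
 * SECURITY: the inputs that reach this (the session cookie, and user_data written by
 * the CMS) are serialized PHP. decode() only checks the base64 alphabet and neither
 * the XOR scheme nor the mcrypt mode authenticates the ciphertext, so a forged cookie
 * reaches unserialize(); with objects allowed that is a PHP object-injection sink.
 * The wire format is the CMS's and cannot be swapped for JSON here, so on PHP >= 7.0
 * object instantiation is refused (only array keys are ever read from the result).
 *
 * @param mixed $raw  Serialized data
 * @return array|false  The decoded array, or false for anything that is not one
 */
function _clancms_unserialize_array($raw)
{
    if (!is_string($raw) || $raw === '')
    {
        return false;
    }

    if (version_compare(PHP_VERSION, '7.0.0', '>='))
    {
        $data = unserialize($raw, array('allowed_classes' => false));
    }
    else
    {
        $data = unserialize($raw);
    }

    return is_array($data) ? $data : false;
}

/**
 * Read and decode the ClanCMS session cookie.
 *
 * @return array|false  Decoded session array (keys used here: session_id; the cookie
 *                      also carries ip_address), or false if the cookie is absent or
 *                      cannot be decoded
 */
function _clancms_cookie_session()
{
    if (!isset($_COOKIE[sessionCookieName]))
    {
        return false;
    }

    $raw = decode($_COOKIE[sessionCookieName], md5(clancmsEncryptionKey));
    if ($raw === false || $raw === '')
    {
        return false;
    }

    return _clancms_unserialize_array($raw);
}

/**
 * Extract a usable session_id from a decoded cookie array.
 *
 * @param array|false $sess_info  Result of _clancms_cookie_session()
 * @return string|false           Non-empty string session id, or false
 */
function _clancms_session_id($sess_info)
{
    if ($sess_info === false || !isset($sess_info['session_id']))
    {
        return false;
    }

    $sess_id = $sess_info['session_id'];
    if (!is_string($sess_id) || $sess_id === '')
    {
        return false;
    }

    return $sess_id;
}

/**
 * phpBB auto-login hook: map a valid ClanCMS session cookie to a forum account.
 *
 * Looks the cookie's session_id up in CLANCMSDB.ClanCMS_sessions and, if the row's
 * serialized user_data carries a username, returns that user's USERS_TABLE row.
 *
 * NOTE(review): the cookie also carries 'ip_address' but, as in the previous
 * revision, it is never compared with the requesting IP here — confirm whether the
 * CMS relies on that binding and add the check if it does.
 * NOTE(review): utf8_clean_string() case-folds the session id before the lookup; kept
 * because existing sessions were always looked up this way — confirm the id alphabet
 * is case-insensitive.
 *
 * @return array  The forum user row, or an empty array (phpBB expects an array, not false)
 */
function autologin_clancms()
{
    global $db;

    $sess_id = _clancms_session_id(_clancms_cookie_session());
    if ($sess_id === false)
    {
        //no user found. phpbb still wants a blank array
        return array();
    }

    $sql = "SELECT * FROM " . CLANCMSDB . ".ClanCMS_sessions
        WHERE session_id = '" . $db->sql_escape(utf8_clean_string($sess_id)) . "'";
    $result = $db->sql_query($sql);
    $sess_row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    if (!$sess_row)
    {
        return array();
    }

    $user_info = _clancms_unserialize_array($sess_row['user_data']);
    if ($user_info === false || !isset($user_info['username']) || !is_string($user_info['username']) || $user_info['username'] === '')
    {
        return array();
    }

    $sql = 'SELECT * FROM ' . USERS_TABLE . "
        WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($user_info['username'])) . "'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    // A username in the session that has no forum account still yields an array.
    return ($row) ? $row : array();
}

/**
 * phpBB logout hook: drop the ClanCMS session named by the cookie.
 *
 * Only the server-side row in CLANCMSDB.ClanCMS_sessions is deleted; the cookie itself
 * is left for the CMS to clear, as before. Nothing is done when the cookie is absent
 * or undecodable.
 *
 * @param array $userrow     phpBB user row (unused, required by the hook signature)
 * @param bool  $newsession  Whether phpBB starts a new session (unused, required by the hook signature)
 * @return void
 */
function logout_clancms($userrow, $newsession)
{
    global $db;

    $sess_id = _clancms_session_id(_clancms_cookie_session());
    if ($sess_id === false)
    {
        return;
    }

    $sql = "DELETE FROM " . CLANCMSDB . ".ClanCMS_sessions
        WHERE session_id = '" . $db->sql_escape(utf8_clean_string($sess_id)) . "'";
    // A DELETE yields no rows; the old code's sql_fetchrow() on it was a no-op and is gone.
    $result = $db->sql_query($sql);
    $db->sql_freeresult($result);
}

/**
 * Decode a ClanCMS cookie value (CodeIgniter-style encryption class port).
 *
 * The value must be base64; depending on the clancms_mcrypt / clancms_cookie_encrypted
 * constants it is then either mcrypt-decrypted, XOR-"decrypted", or returned as plain
 * base64-decoded text. None of the three modes authenticates the data, so callers must
 * treat the result as untrusted input.
 *
 * @param string $string  Cookie value
 * @param string $key     Key (the callers pass md5(clancmsEncryptionKey))
 * @return string|false   Decoded bytes, or FALSE on a non-base64 value or mcrypt failure
 */
function decode($string, $key = '')
{
    if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
    {
        return FALSE;
    }

    $dec = base64_decode($string);

    if (clancms_mcrypt)
    {
        if (!($dec = mcrypt_decode($dec, $key)))
        {
            return FALSE;
        }
    }
    else
    {
        if (clancms_cookie_encrypted)
        {
            $dec = _xor_decode($dec, $key);
        }
    }

    return $dec;
}

/**
 * Reverse the XOR scheme: un-merge with the key, then fold byte pairs (the encoder
 * interleaves each plaintext byte with a random byte; the pairwise XOR recovers it).
 *
 * SECURITY: this is obfuscation, not encryption — the keystream is sha1($key) repeated
 * and there is no integrity check. Kept only because the CMS still writes this format.
 *
 * @param string $string  Raw (base64-decoded) cookie bytes
 * @param string $key     Key
 * @return string         Recovered bytes (about half the input length)
 */
function _xor_decode($string, $key)
{
    $string = _xor_merge($string, $key);

    $dec = '';
    // $i is advanced inside the body too, so each iteration consumes two bytes.
    for ($i = 0; $i < strlen($string); $i++)
    {
        $dec .= (substr($string, $i++, 1) ^ substr($string, $i, 1));
    }

    return $dec;
}

/**
 * XOR every byte of $string with the hex digits of sha1($key), cycling through the
 * 40-character hash. Applying it twice with the same key is the identity.
 *
 * @param string $string  Input bytes
 * @param string $key     Key
 * @return string         Same length as $string
 */
function _xor_merge($string, $key)
{
    $hash = sha1($key);
    $hash_len = strlen($hash);

    $str = '';
    for ($i = 0, $len = strlen($string); $i < $len; $i++)
    {
        $str .= substr($string, $i, 1) ^ substr($hash, ($i % $hash_len), 1);
    }

    return $str;
}

/**
 * Strip the additive "noise" layer and decrypt with Rijndael-256 in clancms_mcrypt_mode.
 *
 * Layout expected: noise-wrapped [IV | ciphertext]. Zero padding is trimmed from the
 * plaintext. There is no MAC, so the ciphertext is malleable; the result is untrusted.
 *
 * The mcrypt extension was removed in PHP 7.2. Instead of a fatal "undefined function"
 * error on such installs this now fails closed (FALSE), which makes decode() return FALSE
 * and the cookie simply be ignored.
 *
 * @param string $data  Raw cookie bytes after base64 decoding
 * @param string $key   Key
 * @return string|false Plaintext, or FALSE if too short or mcrypt is unavailable
 */
function mcrypt_decode($data, $key)
{
    if (!function_exists('mcrypt_decrypt') || !function_exists('mcrypt_get_iv_size'))
    {
        return FALSE;
    }

    $data = _remove_cipher_noise($data, $key);
    $init_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, clancms_mcrypt_mode);

    if ($init_size > strlen($data))
    {
        return FALSE;
    }

    $init_vect = substr($data, 0, $init_size);
    $data = substr($data, $init_size);

    return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, clancms_mcrypt_mode, $init_vect), "\0");
}

/**
 * Undo the "cipher noise": subtract the hex digits of sha1($key) (cycled) from each byte,
 * mod 256. Length is preserved.
 *
 * @param string $data  Noise-wrapped bytes
 * @param string $key   Key
 * @return string       Unwrapped bytes
 */
function _remove_cipher_noise($data, $key)
{
    $keyhash = sha1($key);
    $keylen = strlen($keyhash);

    $str = '';
    for ($i = 0, $j = 0, $len = strlen($data); $i < $len; ++$i, ++$j)
    {
        if ($j >= $keylen)
        {
            $j = 0;
        }

        $temp = ord($data[$i]) - ord($keyhash[$j]);
        if ($temp < 0)
        {
            $temp = $temp + 256;
        }

        $str .= chr($temp);
    }

    return $str;
}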