-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathauthenticate.php
104 lines (103 loc) · 3.15 KB
/
authenticate.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
<?php
declare(strict_types=1);
/**
* MCCodes v2 by Dabomstew & ColdBlooded
*
* Repository: https://github.com/davemacaulay/mccodesv2
* License: MIT License
*/
global $db, $set;
require_once('globals_nonauth.php');
// Check CSRF input
if (!isset($_POST['verf'])
|| !verify_csrf_code('login', stripslashes($_POST['verf'])))
{
die(
"<h3>{$set['game_name']} Error</h3>
Your request has expired for security reasons! Please try again.<br />
<a href='login.php'>> Back</a>");
}
// Check username and password input
$username =
(array_key_exists('username', $_POST) && is_string($_POST['username']))
? $_POST['username'] : '';
$password =
(array_key_exists('password', $_POST) && is_string($_POST['password']))
? $_POST['password'] : '';
if (empty($username) || empty($password))
{
die(
"<h3>{$set['game_name']} Error</h3>
You did not fill in the login form!<br />
<a href='login.php'>> Back</a>");
}
$form_username = $db->escape(stripslashes($username));
$raw_password = stripslashes($password);
$uq =
$db->query(
"SELECT `userid`, `userpass`, `pass_salt`
FROM `users`
WHERE `login_name` = '$form_username'");
if ($db->num_rows($uq) == 0)
{
$db->free_result($uq);
die(
"<h3>{$set['game_name']} Error</h3>
Invalid username or password!<br />
<a href='login.php'>> Back</a>");
}
else
{
$mem = $db->fetch_row($uq);
$db->free_result($uq);
$login_failed = false;
// Pass Salt generation: autofix
if (empty($mem['pass_salt']))
{
if (md5($raw_password) != $mem['userpass'])
{
$login_failed = true;
}
$salt = generate_pass_salt();
$enc_psw = encode_password($mem['userpass'], $salt, true);
$e_salt = $db->escape($salt); // in case of changed salt function
$e_encpsw = $db->escape($enc_psw); // ditto for password encoder
$db->query(
"UPDATE `users`
SET `pass_salt` = '{$e_salt}', `userpass` = '{$e_encpsw}'
WHERE `userid` = {$mem['userid']}");
}
else
{
$login_failed =
!(verify_user_password($raw_password, $mem['pass_salt'],
$mem['userpass']));
}
if ($login_failed)
{
die(
"<h3>{$set['game_name']} Error</h3>
Invalid username or password!<br />
<a href='login.php'>> Back</a>");
}
session_regenerate_id();
$_SESSION['loggedin'] = 1;
$_SESSION['userid'] = $mem['userid'];
$IP = $db->escape($_SERVER['REMOTE_ADDR']);
$db->query(
"UPDATE `users`
SET `lastip_login` = '$IP', `last_login` = "
. $_SERVER['REQUEST_TIME']
. "
WHERE `userid` = {$mem['userid']}");
if ($set['validate_period'] == 'login' && $set['validate_on'])
{
$db->query(
"UPDATE `users`
SET `verified` = 0
WHERE `userid` = {$mem['userid']}");
}
$loggedin_url = 'https://' . determine_game_urlbase() . '/loggedin.php';
header("Location: {$loggedin_url}");
exit;
}