updated to a slightly improved version of the session management code
should solve bugs with logging in on register_globals = off;
@@ -50,7 +50,7 @@ function do_account($cmd = null)
|
|||||||
exit;
|
exit;
|
||||||
|
|
||||||
case "logout":
|
case "logout":
|
||||||
apidb_session_destroy();
|
$GLOBALS['session']->destroy();
|
||||||
addmsg("You are successfully logged out.", "green");
|
addmsg("You are successfully logged out.", "green");
|
||||||
redirect(apidb_fullurl("index.php"));
|
redirect(apidb_fullurl("index.php"));
|
||||||
exit;
|
exit;
|
||||||
|
|||||||
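Review bot: The new `$GLOBALS['session']->destroy();` on the `case "logout":` path only wraps `session_destroy()` (the `destroy()` method added to session.php in this commit), so the `session_list` row is removed but `$_SESSION['current']` stays populated and the browser keeps the session cookie, which this commit issues with a 90-day lifetime via `session_set_cookie_params`. The `redirect()` and `exit` that follow make the in-memory leftover harmless, but the client keeps presenting an id that no longer exists server-side until that cookie expires. Consider clearing the array and expiring the cookie before the redirect, e.g. `$_SESSION = array();` and `setcookie(session_name(), '', time() - 3600, '/');` ahead of the `destroy()` call (the cookie path is `/` per the constructor). do_account() starts outside this hunk.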
@@ -18,10 +18,6 @@ require(BASE."include/"."html.php");
|
|||||||
$sidebar_func_list = array();
|
$sidebar_func_list = array();
|
||||||
$help_list = array();
|
$help_list = array();
|
||||||
|
|
||||||
// start session ...
|
|
||||||
apidb_session_start();
|
|
||||||
|
|
||||||
|
|
||||||
function apidb_help_add($desc, $id)
|
function apidb_help_add($desc, $id)
|
||||||
{
|
{
|
||||||
global $help_list;
|
global $help_list;
|
||||||
@@ -239,4 +235,15 @@ define("STANDARD_NOTIFY_FOOTER","------- You are receiving this mail because: --
|
|||||||
"You are an maintainer of this app or an appdb administrator\n".
|
"You are an maintainer of this app or an appdb administrator\n".
|
||||||
"to change your preferences go to: ".APPDB_ROOT."preferences.php\n");
|
"to change your preferences go to: ".APPDB_ROOT."preferences.php\n");
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Start DB Connection
|
||||||
|
*/
|
||||||
|
opendb();
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Init Session (stores user info and cart info in session)
|
||||||
|
*/
|
||||||
|
$session = new session("whq_appdb");
|
||||||
|
$session->register("current");
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|||||||
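Review bot: The new footer comment `* Init Session (stores user info and cart info in session)` describes state this code does not have — nothing here registers a cart, only `$session->register("current")` — and it does not say why `opendb();` must precede `new session(...)`. The constructor calls `session_start()`, which immediately runs the `_read` handler's `mysql_query()`, so the ordering is a hard requirement rather than a convenience. Suggest replacing the comment with `/* Init Session: binds the global $current (User object) into $_SESSION['current']; opendb() must already have run because session_start() triggers the DB-backed read handler */`. The removal of `apidb_session_start();` in the earlier hunk of this file is consistent with this, since session_start() now happens inside the constructor.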
@@ -1,104 +1,103 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
function apidb_session_start()
|
/*
|
||||||
{
|
* session.php - session handler functions
|
||||||
|
|
||||||
session_set_cookie_params(time() + 3600 * 48);
|
|
||||||
session_start();
|
|
||||||
|
|
||||||
if(isset($_SESSION['current']))
|
|
||||||
$_SESSION['current']->connect();
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function apidb_session_destroy()
|
|
||||||
{
|
|
||||||
session_destroy();
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* session handler functions
|
|
||||||
* sessions are stored in a mysql table
|
* sessions are stored in a mysql table
|
||||||
*/
|
*/
|
||||||
function _session_open($save_path, $session_name)
|
|
||||||
|
class session
|
||||||
{
|
{
|
||||||
opendb();
|
// create session object
|
||||||
//mysql_query("CREATE TABLE IF NOT EXISTS session_list (session_id varchar(64) not null, ".
|
function session ($name)
|
||||||
// "userid int, ip varchar(64), data text, messages text, stamp timestamp, primary key(session_id))");
|
{
|
||||||
return true;
|
// set name for this session
|
||||||
}
|
$this->name = $name;
|
||||||
|
|
||||||
function _session_close()
|
// define options for sessions
|
||||||
{
|
ini_set('session.name', $this->name);
|
||||||
return true;
|
ini_set('session.use_cookies', true);
|
||||||
}
|
ini_set('session.use_only_cookies', true);
|
||||||
|
|
||||||
function _session_read($key)
|
// setup session object
|
||||||
{
|
session_set_save_handler(
|
||||||
global $msg_buffer;
|
array(&$this, "_open"),
|
||||||
|
array(&$this, "_close"),
|
||||||
|
array(&$this, "_read"),
|
||||||
|
array(&$this, "_write"),
|
||||||
|
array(&$this, "_destroy"),
|
||||||
|
array(&$this, "_gc")
|
||||||
|
);
|
||||||
|
|
||||||
opendb();
|
// default lifetime on session cookie (90 days)
|
||||||
$result = mysql_query("SELECT data, messages FROM session_list WHERE session_id = '$key'");
|
session_set_cookie_params(
|
||||||
|
(60*60*24*90),
|
||||||
|
'/'
|
||||||
|
);
|
||||||
|
|
||||||
if(!$result)
|
// start the loaded session
|
||||||
return null;
|
session_start();
|
||||||
|
}
|
||||||
|
|
||||||
|
// register variables into session (dynamic load and save of vars)
|
||||||
|
function register ($var)
|
||||||
|
{
|
||||||
|
global $$var;
|
||||||
|
|
||||||
|
// load $var into memory
|
||||||
|
if (isset($_SESSION[$var]))
|
||||||
|
$$var = $_SESSION[$var];
|
||||||
|
|
||||||
|
// store var into session
|
||||||
|
$_SESSION[$var] =& $$var;
|
||||||
|
}
|
||||||
|
|
||||||
|
// destroy session
|
||||||
|
function destroy ()
|
||||||
|
{
|
||||||
|
session_destroy();
|
||||||
|
}
|
||||||
|
|
||||||
|
// open session file (not needed for DB access)
|
||||||
|
function _open ($save_path, $session_name) { return true; }
|
||||||
|
|
||||||
|
// close session file (not needed for DB access)
|
||||||
|
function _close () { return true; }
|
||||||
|
|
||||||
|
// read session
|
||||||
|
function _read ($key)
|
||||||
|
{
|
||||||
|
$result = mysql_query("SELECT data FROM session_list WHERE session_id = '".$key."'");
|
||||||
|
if (!$result) { return null; }
|
||||||
$r = mysql_fetch_object($result);
|
$r = mysql_fetch_object($result);
|
||||||
|
|
||||||
if($r->messages)
|
|
||||||
$msg_buffer = explode("|", $r->messages);
|
|
||||||
|
|
||||||
return $r->data;
|
return $r->data;
|
||||||
}
|
}
|
||||||
|
|
||||||
function _session_write($key, $value)
|
// write session to DB
|
||||||
{
|
function _write ($key, $value)
|
||||||
global $msg_buffer;
|
{
|
||||||
global $apidb_debug;
|
|
||||||
|
|
||||||
opendb();
|
|
||||||
|
|
||||||
if($msg_buffer)
|
|
||||||
$messages = implode("|", $msg_buffer);
|
|
||||||
else
|
|
||||||
$messages = "";
|
$messages = "";
|
||||||
|
if(isset($GLOBALS['msg_buffer']))
|
||||||
|
$messages = implode("|", $GLOBALS['msg_buffer']);
|
||||||
|
|
||||||
// remove single quotes
|
mysql_query("REPLACE session_list VALUES ('$key', ".$_SESSION['current']->userid.", '".get_remote()."', '".addslashes($value)."', '$messages', NOW())");
|
||||||
$value = str_replace("'", "", $value);
|
|
||||||
|
|
||||||
//DEBUGGING
|
|
||||||
if ($apidb_debug)
|
|
||||||
mysql_query("INSERT INTO debug VALUES(null, '$key = $messages')");
|
|
||||||
|
|
||||||
|
|
||||||
if(isset($_SESSION['current']))
|
|
||||||
mysql_query("REPLACE session_list VALUES ('$key', ".$_SESSION['current']->userid.", '".get_remote()."', '$value', '$messages', NOW())");
|
|
||||||
else
|
|
||||||
mysql_query("REPLACE session_list VALUES ('$key', 0, '".get_remote()."', null, '$messages', NOW())");
|
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
function _session_destroy($key)
|
// delete current session
|
||||||
{
|
function _destroy ($key)
|
||||||
|
{
|
||||||
mysql_query("DELETE FROM session_list WHERE session_id = '$key'");
|
mysql_query("DELETE FROM session_list WHERE session_id = '$key'");
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
function _session_gc($maxlifetime)
|
// clear old sessions (moved into a separate cron process)
|
||||||
{
|
function _gc ($maxlifetime)
|
||||||
// delete sessions older than 2 days
|
{
|
||||||
mysql_query("DELETE FROM session_list WHERE to_days(now()) - to_days(stamp) >= 2");
|
mysql_query("DELETE FROM session_list WHERE to_days(now()) - to_days(stamp) >= 7");
|
||||||
return true;
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
// end session
|
||||||
|
|
||||||
session_set_save_handler("_session_open",
|
|
||||||
"_session_close",
|
|
||||||
"_session_read",
|
|
||||||
"_session_write",
|
|
||||||
"_session_destroy",
|
|
||||||
"_session_gc");
|
|
||||||
|
|
||||||
session_register($current);
|
|
||||||
?>
|
?>
|
||||||
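Review bot: The new `_write()` reads `$_SESSION['current']->userid` unconditionally in its `REPLACE session_list` query, whereas the removed code branched on `isset($_SESSION['current'])` and wrote `0` for anonymous visitors; for a visitor who has not logged in this now yields an empty userid column in the SQL (`VALUES ('…', , …)`), so the REPLACE should fail and the session, including `msg_buffer`, is never persisted. Suggest `$userid = isset($_SESSION['current']) ? (int)$_SESSION['current']->userid : 0;` and using `$userid` in place of the property access in the query. The same query still interpolates `$key` and `$messages` raw while only `$value` goes through `addslashes()`; `$key` is the id from the client's cookie (`session.use_only_cookies` is set, but the cookie value is still client-supplied) and `$messages` is built from `$GLOBALS['msg_buffer']`, so both should be escaped the same way as `$value` here, and `$key` likewise in `_read()` and `_destroy()`. Also, the cookie lifetime is 90 days (`session_set_cookie_params`) while `_gc()` deletes rows after 7 days, so most of that cookie lifetime refers to a session that no longer exists server-side; the `_gc` comment says this "moved into a separate cron process" yet the DELETE is still executed here.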
@@ -5,7 +5,6 @@
|
|||||||
|
|
||||||
class User {
|
class User {
|
||||||
|
|
||||||
var $link; // database connection
|
|
||||||
var $stamp;
|
var $stamp;
|
||||||
var $userid;
|
var $userid;
|
||||||
var $username;
|
var $username;
|
||||||
@@ -20,23 +19,16 @@ class User {
|
|||||||
*/
|
*/
|
||||||
function User()
|
function User()
|
||||||
{
|
{
|
||||||
$this->connect();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function connect()
|
|
||||||
{
|
|
||||||
$this->link = opendb();
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* check if a user exists
|
* check if a user exists
|
||||||
* returns TRUE if the user exists
|
* returns TRUE if the user exists
|
||||||
*/
|
*/
|
||||||
function exists($username)
|
function exists($username)
|
||||||
{
|
{
|
||||||
$result = mysql_query("SELECT * FROM user_list WHERE username = '$username'", $this->link);
|
$result = mysql_query("SELECT * FROM user_list WHERE username = '$username'");
|
||||||
if(!$result || mysql_num_rows($result) != 1)
|
if(!$result || mysql_num_rows($result) != 1)
|
||||||
return 0;
|
return 0;
|
||||||
return 1;
|
return 1;
|
||||||
@@ -83,9 +75,9 @@ class User {
|
|||||||
$result = mysql_query("SELECT stamp, userid, username, realname, ".
|
$result = mysql_query("SELECT stamp, userid, username, realname, ".
|
||||||
"created, status, perm FROM user_list WHERE ".
|
"created, status, perm FROM user_list WHERE ".
|
||||||
"username = '$username' AND ".
|
"username = '$username' AND ".
|
||||||
"password = password('$password')", $this->link);
|
"password = password('$password')");
|
||||||
if(!$result)
|
if(!$result)
|
||||||
return "Error: ".mysql_error($this->link);
|
return "Error: ".mysql_error();
|
||||||
|
|
||||||
if(mysql_num_rows($result) == 0)
|
if(mysql_num_rows($result) == 0)
|
||||||
return "Invalid username or password";
|
return "Invalid username or password";
|
||||||
@@ -121,9 +113,9 @@ class User {
|
|||||||
{
|
{
|
||||||
$result = mysql_query("INSERT INTO user_list VALUES ( NOW(), 0, ".
|
$result = mysql_query("INSERT INTO user_list VALUES ( NOW(), 0, ".
|
||||||
"'$username', password('$password'), ".
|
"'$username', password('$password'), ".
|
||||||
"'$realname', '$email', NOW(), 0, 0)", $this->link);
|
"'$realname', '$email', NOW(), 0, 0)");
|
||||||
if(!$result)
|
if(!$result)
|
||||||
return mysql_error($this->link);
|
return mysql_error();
|
||||||
return $this->restore($username, $password);
|
return $this->restore($username, $password);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -164,10 +156,10 @@ class User {
|
|||||||
if($username == 0)
|
if($username == 0)
|
||||||
$username = $this->username;
|
$username = $this->username;
|
||||||
|
|
||||||
$result = mysql_query("DELETE FROM user_list WHERE username = '$username'", $this->link);
|
$result = mysql_query("DELETE FROM user_list WHERE username = '$username'");
|
||||||
|
|
||||||
if(!$result)
|
if(!$result)
|
||||||
return mysql_error($this->link);
|
return mysql_error();
|
||||||
if(mysql_affected_rows($result) == 0)
|
if(mysql_affected_rows($result) == 0)
|
||||||
return "No such user.";
|
return "No such user.";
|
||||||
return 0;
|
return 0;
|
||||||
@@ -176,7 +168,7 @@ class User {
|
|||||||
|
|
||||||
function done()
|
function done()
|
||||||
{
|
{
|
||||||
mysql_close($this->link);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -185,7 +177,7 @@ class User {
|
|||||||
if(!$this->userid || !$key)
|
if(!$this->userid || !$key)
|
||||||
return $def;
|
return $def;
|
||||||
|
|
||||||
$result = mysql_query("SELECT * FROM user_prefs WHERE userid = $this->userid AND name = '$key'", $this->link);
|
$result = mysql_query("SELECT * FROM user_prefs WHERE userid = $this->userid AND name = '$key'");
|
||||||
if(!$result || mysql_num_rows($result) == 0)
|
if(!$result || mysql_num_rows($result) == 0)
|
||||||
return $def;
|
return $def;
|
||||||
$ob = mysql_fetch_object($result);
|
$ob = mysql_fetch_object($result);
|
||||||
@@ -213,7 +205,7 @@ class User {
|
|||||||
if(!$this->userid || !$priv)
|
if(!$this->userid || !$priv)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
$result = mysql_query("SELECT * FROM user_privs WHERE userid = $this->userid AND priv = '$priv'", $this->link);
|
$result = mysql_query("SELECT * FROM user_privs WHERE userid = $this->userid AND priv = '$priv'");
|
||||||
if(!$result)
|
if(!$result)
|
||||||
return 0;
|
return 0;
|
||||||
return mysql_num_rows($result);
|
return mysql_num_rows($result);
|
||||||
@@ -236,7 +228,7 @@ class User {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$query = "SELECT * FROM appMaintainers WHERE userid = '$this->userid' AND appId = '$appId' AND versionId = '$versionId'";
|
$query = "SELECT * FROM appMaintainers WHERE userid = '$this->userid' AND appId = '$appId' AND versionId = '$versionId'";
|
||||||
$result = mysql_query($query, $this->link);
|
$result = mysql_query($query);
|
||||||
if(!$result)
|
if(!$result)
|
||||||
return 0;
|
return 0;
|
||||||
return mysql_num_rows($result);
|
return mysql_num_rows($result);
|
||||||
@@ -252,7 +244,7 @@ class User {
|
|||||||
return false;
|
return false;
|
||||||
|
|
||||||
$query = "SELECT * FROM appMaintainers WHERE userid = '$this->userid' AND appId = '$appId' AND superMaintainer = '1'";
|
$query = "SELECT * FROM appMaintainers WHERE userid = '$this->userid' AND appId = '$appId' AND superMaintainer = '1'";
|
||||||
$result = mysql_query($query, $this->link);
|
$result = mysql_query($query);
|
||||||
if(!$result)
|
if(!$result)
|
||||||
return 0;
|
return 0;
|
||||||
return mysql_num_rows($result);
|
return mysql_num_rows($result);
|
||||||
@@ -267,7 +259,7 @@ class User {
|
|||||||
if($this->checkpriv($priv))
|
if($this->checkpriv($priv))
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
$result = mysql_query("INSERT INTO user_privs VALUES ($this->userid, '$priv')", $this->link);
|
$result = mysql_query("INSERT INTO user_privs VALUES ($this->userid, '$priv')");
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -277,7 +269,7 @@ class User {
|
|||||||
if(!$this->userid || !$priv)
|
if(!$this->userid || !$priv)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
$result = mysql_query("DELETE FROM user_privs WHERE userid = $this->userid AND priv = '$priv'", $this->link);
|
$result = mysql_query("DELETE FROM user_privs WHERE userid = $this->userid AND priv = '$priv'");
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
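Review bot: `exists()`, the login query (`password = password('$password')`), the `INSERT INTO user_list` in the create method, the `DELETE FROM user_list` query and the pref/priv queries now call `mysql_query()` on the implicit connection but still interpolate `$username`, `$password`, `$realname`, `$email`, `$key`, `$priv` and the app/version ids straight into the SQL string with no escaping; dropping `$this->link` was the natural occasion to route these values through `mysql_real_escape_string()` (or whatever escaping helper the project uses), since at least the login query and `exists()` presumably receive form input. `done()` is now an empty method after `mysql_close($this->link);` was removed, so it deserves a one-line body comment such as `// no-op: the shared connection is owned by opendb(), not by User` so a later reader does not assume the connection is closed here. `mysql_error()` without a link argument reports the error of the last opened connection, which is what the implicit `mysql_query()` uses, so that part is consistent, but `return "Error: ".mysql_error();` still hands raw DB error text back to the caller, presumably to be displayed. The `User()` constructor, `exists()` and the other methods touched in these hunks all start or end outside their hunks.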