
Author Topic: Login via email and password  (Read 3694 times)


gavu

Login via email and password
« on: April 07, 2008, 01:02:45 pm »

hi, i've been trying to find out how to tell cpg to authenticate users via e-mail and password

I have found something in /bridge/udb_base.php on lines 55 -> 63 and 770 -> 786, but whatever I do, it seems not to use the user_password table.

is there a way plugin/mod/edit to do this?
it's not a bug, it's a feature

Hot Rides

Re: Login via email and password
« Reply #1 on: April 15, 2008, 08:35:21 pm »

I would like to know this as well

gavu

Re: Login via email and password
« Reply #2 on: April 15, 2008, 09:02:31 pm »

This is what worked for me; hope it helps you too. Edit /bridge/coppermine.inc.php:

// Login function
        function login( $email = null, $password = null, $remember = false ) {
                global $CONFIG;

                // Create the session_id from concat(cookievalue,client_id)
                $session_id = $this->session_id.$this->client_id;

                // Check if encrypted passwords are enabled
                if ($CONFIG['enable_encrypted_passwords']) {
                        $encpassword = md5($password);
                } else {
                        $encpassword = $password;
                }

                // Check for user in users table
                $sql =  "SELECT user_id, user_email, user_password FROM {$this->usertable} WHERE ";
                $sql .= "user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
                $results = cpg_db_query($sql);

                // If exists update lastvisit value, session, and login
                if (mysql_num_rows($results)) {

                        // Update lastvisit value
                        $sql =  "UPDATE {$this->usertable} SET user_lastvisit = NOW() ";
                        $sql .= "WHERE user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
                        cpg_db_query($sql, $this->link_id);
       
                        $USER_DATA = mysql_fetch_assoc($results);
                        mysql_free_result($results);
       
                        // If this is a 'remember me' login set the remember field to true
                        if ($remember) {
                                $remember_sql = ",remember = '1' ";
                        } else {
                                $remember_sql = '';
                        }
       
                        // Update guest session with user's information
                        $sql  = "update {$this->sessionstable} set ";
                        $sql .= "user_id={$USER_DATA['user_id']} ";
                        $sql .= $remember_sql;
                        $sql .= "where session_id=md5('$session_id');";
                        cpg_db_query($sql, $this->link_id);

                        return $USER_DATA;
                } else {

                        return false;
                }
        }

(thanks to foulu, he helped me)
it's not a bug, it's a feature

Hot Rides

Re: Login via email and password
« Reply #3 on: April 16, 2008, 01:50:08 am »

does that need to replace the login function thats already there?

Joachim Müller

Re: Login via email and password
« Reply #4 on: April 16, 2008, 07:48:25 am »

Sure - you can't have two definitions for one function. Try for yourself if you don't believe that. You'll need to replace the existing function definition with the new one.

Nibbler

Re: Login via email and password
« Reply #5 on: April 16, 2008, 10:32:48 am »

This mod is based on the vulnerable pre-1.4.18 code: it passes the raw session id into the SQL md5() call instead of hashing it in PHP first. It should be as follows to be secure:

// Login function
        function login( $email = null, $password = null, $remember = false ) {
                global $CONFIG;

                // Create the session_id from concat(cookievalue,client_id)
                $session_id = $this->session_id.$this->client_id;

                // Check if encrypted passwords are enabled
                if ($CONFIG['enable_encrypted_passwords']) {
                        $encpassword = md5($password);
                } else {
                        $encpassword = $password;
                }

                // Check for user in users table
                $sql =  "SELECT user_id, user_email, user_password FROM {$this->usertable} WHERE ";
                $sql .= "user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
                $results = cpg_db_query($sql);

                // If exists update lastvisit value, session, and login
                if (mysql_num_rows($results)) {

                        // Update lastvisit value
                        $sql =  "UPDATE {$this->usertable} SET user_lastvisit = NOW() ";
                        $sql .= "WHERE user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
                        cpg_db_query($sql, $this->link_id);
       
                        $USER_DATA = mysql_fetch_assoc($results);
                        mysql_free_result($results);
       
                        // If this is a 'remember me' login set the remember field to true
                        if ($remember) {
                                $remember_sql = ",remember = '1' ";
                        } else {
                                $remember_sql = '';
                        }
       
                        // Update guest session with user's information
                        $sql  = "update {$this->sessionstable} set ";
                        $sql .= "user_id={$USER_DATA['user_id']} ";
                        $sql .= $remember_sql;
                        $sql .= "where session_id = '" . md5($session_id) . "'";
                        cpg_db_query($sql, $this->link_id);

                        return $USER_DATA;
                } else {

                        return false;
                }
        }