Revision 420
Added by Matthias almost 18 years ago
trunk/wb/framework/class.login.php | ||
---|---|---|
103 | 103 |
// User has been "remembered" |
104 | 104 |
// Get the users password |
105 | 105 |
$database = new database(); |
106 |
$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr($_COOKIE['REMEMBER_KEY'], 0, 11)."' LIMIT 1");
|
|
106 |
$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".$this->get_safe_remember_key()."' LIMIT 1");
|
|
107 | 107 |
$fetch_details = $query_details->fetchRow(); |
108 | 108 |
$this->username = $fetch_details['username']; |
109 | 109 |
$this->password = $fetch_details['password']; |
... | ... | |
287 | 287 |
if(isset($_COOKIE['REMEMBER_KEY']) AND $_COOKIE['REMEMBER_KEY'] != '') { |
288 | 288 |
// Check if the remember key is correct |
289 | 289 |
$database = new database(); |
290 |
$check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1");
|
|
290 |
$check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$this->get_safe_remember_key()."' LIMIT 1");
|
|
291 | 291 |
if($check_query->numRows() > 0) { |
292 | 292 |
$check_fetch = $check_query->fetchRow(); |
293 | 293 |
$user_id = $check_fetch['user_id']; |
... | ... | |
370 | 370 |
$template->pparse('output', 'page'); |
371 | 371 |
} |
372 | 372 |
} |
373 |
|
|
374 |
// convert "REMEMBER_KEY" to a number and then repad |
|
375 |
// any non numeric character will cause intval to return null thus returning 11 0's |
|
376 |
function get_safe_remember_key() { |
|
377 |
return str_pad(intval(substr($_COOKIE['REMEMBER_KEY'],0,11)),11,"0",STR_PAD_LEFT); // SQL Injection prevention |
|
378 |
} |
|
373 | 379 |
|
374 | 380 |
// Warn user that they have had to many login attemps |
375 | 381 |
function warn() { |
Also available in: Unified diff
Fixed "REMEMBER_KEY" Cookie SQL Injection security issue (#376)