From 4c288e957ec4340af93f980c65eecea6d3a789f4 Mon Sep 17 00:00:00 2001 From: msquare Date: Thu, 29 Sep 2016 11:28:42 +0200 Subject: prohibit inline control structures on includes and index --- includes/sys_auth.php | 48 ++++++++++++++++++++++++++++++------------------ 1 file changed, 30 insertions(+), 18 deletions(-) (limited to 'includes/sys_auth.php') diff --git a/includes/sys_auth.php b/includes/sys_auth.php index d4f35fa6..39f4d4b0 100644 --- a/includes/sys_auth.php +++ b/includes/sys_auth.php @@ -1,49 +1,59 @@ 0) { // User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten - list ($user) = $user; + list($user) = $user; sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;"); - } else + } else { unset($_SESSION['uid']); + } } - + $privileges = isset($user) ? privileges_for_user($user['UID']) : privileges_for_group(- 1); } -// generate a salt (random string) of arbitrary length suitable for the use with crypt() +/** + * generate a salt (random string) of arbitrary length suitable for the use with crypt() + */ function generate_salt($length = 16) { $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; $salt = ""; - for($i = 0; $i < $length; $i ++) { + for ($i = 0; $i < $length; $i ++) { $salt .= $alphabet[rand(0, strlen($alphabet) - 1)]; } return $salt; } -// set the password of a user +/** + * set the password of a user + */ function set_password($uid, $password) { return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1"); } -// verify a password given a precomputed salt. -// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically +/** + * verify a password given a precomputed salt. + * if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically + */ function verify_password($password, $salt, $uid = false) { $correct = false; - if (substr($salt, 0, 1) == '$') // new-style crypt() + if (substr($salt, 0, 1) == '$') { // new-style crypt() $correct = crypt($password, $salt) == $salt; - elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore + } elseif (substr($salt, 0, 7) == '{crypt}') { // old-style crypt() with DES and static salt - not used anymore $correct = crypt($password, '77') == $salt; - elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore + } elseif (strlen($salt) == 32) { // old-style md5 without salt - not used anymore $correct = md5($password) == $salt; - + } + if ($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) { // this password is stored in another format than we want it to be. // let's update it! @@ -54,18 +64,20 @@ function verify_password($password, $salt, $uid = false) { } function privileges_for_user($user_id) { - $privileges = array (); + $privileges = []; $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`='" . sql_escape($user_id) . "'"); - foreach ($user_privs as $user_priv) + foreach ($user_privs as $user_priv) { $privileges[] = $user_priv['name']; + } return $privileges; } function privileges_for_group($group_id) { - $privileges = array (); + $privileges = []; $groups_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`='" . sql_escape($group_id) . "'"); - foreach ($groups_privs as $guest_priv) + foreach ($groups_privs as $guest_priv) { $privileges[] = $guest_priv['name']; + } return $privileges; } ?> -- cgit v1.2.3-54-g00ecf