X-Git-Url: https://git.nirgal.com/?p=squasher.git;a=blobdiff_plain;f=squasher.class.php;h=3879f1ce5550c0adf41be5930fe67370a007c111;hp=c845f062a920071a50e622ddb35df775d9d3380c;hb=1aead60b99ce840a499605ba545b14404efa9d9d;hpb=3c7cfdf376f3ee594ffbfc317634dafe755450eb
diff --git a/squasher.class.php b/squasher.class.php
index c845f06..3879f1c 100644
--- a/squasher.class.php
+++ b/squasher.class.php
@@ -19,28 +19,24 @@ function named_records_sort($named_recs, $order_by, $reverse=false, $flags=0)
 return $sorted_records;
 }
-function validate_user($vars,$salt){
- $creds[validated] = false;
- $query="SELECT * FROM users";
+function validate_user($username, $password, $salt){
+ $creds['validated'] = false;
+ $query="SELECT * FROM users WHERE user_name = '".mysql_escape_string($username)."'";
 $q_result = mysql_query($query);
 while ($fetched_object = mysql_fetch_object($q_result)){
- if ($fetched_object->user_name == $vars[user]){
- if (md5($fetched_object->user_pass.$salt) == $vars[pass]){
- //validated
- $creds[user_id] = $fetched_object->user_id;
- $creds[user_name] = $fetched_object->user_name;
- $creds[user_level] = $fetched_object->user_level;
- $creds[validated] = true;
- $log_hash=NULL;
- $log_hash=(isset($vars['f'])) ? $vars['f'] : $vars['h'] ;
- if ($log_hash==NULL)$log_hash=str_repeat("0",32);
- $q="insert into log (hash,action,user_id,user_name,ip,date) values ('{$log_hash}','login','".$creds['user_id']."','".$creds['user_name']."','".$_SERVER[REMOTE_ADDR]."',NOW())";
- mysql_query($q);
- }
+ if (md5($fetched_object->user_pass.$salt) == $password){
+ //validated
+ $creds['user_id'] = $fetched_object->user_id;
+ $creds['user_name'] = $fetched_object->user_name;
+ $creds['user_level'] = $fetched_object->user_level;
+ $creds['validated'] = true;
+ $log_hash=str_repeat("0",32); // File ID is always empty on login
+ $q="insert into log (hash,action,user_id,user_name,ip,date) values ('{".mysql_escape_string($log_hash)."}','login','".mysql_escape_string($creds['user_id'])."','".mysql_escape_string($creds['user_name'])."','".mysql_escape_string($_SERVER['REMOTE_ADDR'])."',NOW())";
+ mysql_query($q);
 }
 }
- $_SESSION[creds] = $creds;
- return $creds[validated];
+ $_SESSION['creds'] = $creds;
+ return $creds['validated'];
 }
 class squashweb {
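Review bot: The rewritten log INSERT now stores the login hash wrapped in literal braces, because the `{` and `}` that delimited the interpolated `{$log_hash}` were left inside the quotes when the value was switched to concatenation; the value list should begin `values ('".mysql_escape_string($log_hash)."','login',`. The password check on the new `if (md5($fetched_object->user_pass.$salt) == $password){` line still uses loose `==`, which compares numeric-looking hex digests such as `0e…` as numbers rather than as strings, so it should be `===` (or `hash_equals()` where the PHP version in use provides it). `mysql_escape_string()` does not take the connection character set into account, so `mysql_real_escape_string()` or a prepared statement is the safer choice for both queries. The comparison also implies `user_pass` is stored in a form from which `md5(pass.salt)` can be recomputed, presumably plaintext, which deserves a follow-up outside this change.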