Optimized user lookup, cleanups
authorJean-Michel Vourgère <jvourger@greenpeace.org>
Thu, 23 Feb 2017 18:02:46 +0000 (07:02 +1300)
committerJean-Michel Vourgère <jvourger@greenpeace.org>
Thu, 23 Feb 2017 20:43:25 +0000 (09:43 +1300)
index.php
squasher.class.php

index 569a184fd28d33d0d87f7c0b365d469b528fdeba..10c7e195548a4cac1df08d0d542ccccc9d40d814 100644 (file)
--- a/index.php
+++ b/index.php
@@ -4,29 +4,26 @@ require_once("include/connect.inc.php");
 
 require_once("squasher.class.php");
 
-//login info
-$vars[user]=$_POST[user];
-$vars[pass]=$_POST[pass];
-$vars[debug]=$_GET[debug];
-$vars[newtpl]=$_GET[newtpl];
-$tools=$_GET[tools];
+$vars['debug']=$_GET['debug'];
+$vars['newtpl']=$_GET['newtpl'];
+$tools=$_GET['tools'];
 
 foreach($_POST AS $key => $value) $submitted[$key]=$value;
 
-$salt=md5($_SERVER[REMOTE_ADDR]."|".$_SERVER[HTTP_USER_AGENT]);
+$salt=md5($_SERVER['REMOTE_ADDR']."|".$_SERVER['HTTP_USER_AGENT']);
 
 if ($tools=="logout"){
        session_destroy();
-       $_SESSION[creds][validated]=false;
+       $_SESSION['creds']['validated']=false;
        header( 'Location: '.$_SERVER['PHP_SELF'] ) ;
 }
 
-if (!$_SESSION[creds][validated]){
-       validate_user($vars,$salt);
+if (!$_SESSION['creds']['validated']){
+       validate_user($_POST['user'], $_POST['pass'], $salt);
 }
 
-if ($_SESSION[creds][validated] || isset($_GET['f'])){ 
-//if ($_SESSION[creds][validated]){
+if ($_SESSION['creds']['validated'] || isset($_GET['f'])){     
+//if ($_SESSION['creds']['validated']){
 //load squasher
        include("squasher.php");
 }else{
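Review bot: The logout branch at the top of the hunk sends the `Location:` header but never stops the script, so the same request still falls through to `validate_user($_POST['user'], $_POST['pass'], $salt)` and to the squasher include below; add `exit;` directly after `header( 'Location: '.$_SERVER['PHP_SELF'] );`. Because `session_destroy()` has already closed the session, the `$_SESSION['creds']['validated']=false` on the next line only affects the current request, which is harmless once the `exit` is in place but worth a comment such as `// session is already destroyed; this only guards the remainder of this request`. The gate `if ($_SESSION['creds']['validated'] || isset($_GET['f']))` still lets any request carrying `?f=` reach `squasher.php` without a validated session — if that is an intended public view, say so in the comment that replaces the dead `//if (...)` line; if not, it bypasses the login check. The new `$vars['debug']=$_GET['debug']` and `$tools=$_GET['tools']` reads also raise notices when the parameter is absent; `$_GET['tools'] ?? null` (or `isset`) avoids that.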
index c845f062a920071a50e622ddb35df775d9d3380c..3879f1ce5550c0adf41be5930fe67370a007c111 100644 (file)
@@ -19,28 +19,24 @@ function named_records_sort($named_recs, $order_by, $reverse=false, $flags=0)
        return $sorted_records;
 }
 
-function validate_user($vars,$salt){
-       $creds[validated] = false;
-       $query="SELECT * FROM users";
+function validate_user($username, $password, $salt){
+       $creds['validated'] = false;
+       $query="SELECT * FROM users WHERE user_name = '".mysql_escape_string($username)."'";
        $q_result = mysql_query($query);
        while ($fetched_object = mysql_fetch_object($q_result)){
-               if ($fetched_object->user_name == $vars[user]){
-                       if (md5($fetched_object->user_pass.$salt) == $vars[pass]){
-                               //validated
-                               $creds[user_id] = $fetched_object->user_id;
-                               $creds[user_name] = $fetched_object->user_name;
-                               $creds[user_level] = $fetched_object->user_level;
-                               $creds[validated] = true;
-                               $log_hash=NULL;
-                               $log_hash=(isset($vars['f'])) ? $vars['f'] : $vars['h'] ;
-                               if ($log_hash==NULL)$log_hash=str_repeat("0",32);
-                               $q="insert into log (hash,action,user_id,user_name,ip,date) values ('{$log_hash}','login','".$creds['user_id']."','".$creds['user_name']."','".$_SERVER[REMOTE_ADDR]."',NOW())";
-                               mysql_query($q);
-                       }
+               if (md5($fetched_object->user_pass.$salt) == $password){
+                       //validated
+                       $creds['user_id'] = $fetched_object->user_id;
+                       $creds['user_name'] = $fetched_object->user_name;
+                       $creds['user_level'] = $fetched_object->user_level;
+                       $creds['validated'] = true;
+                       $log_hash=str_repeat("0",32); // File ID is always empty on login
+                       $q="insert into log (hash,action,user_id,user_name,ip,date) values ('{".mysql_escape_string($log_hash)."}','login','".mysql_escape_string($creds['user_id'])."','".mysql_escape_string($creds['user_name'])."','".mysql_escape_string($_SERVER['REMOTE_ADDR'])."',NOW())";
+                       mysql_query($q);
                }
        }
-       $_SESSION[creds] = $creds;
-       return $creds[validated];
+       $_SESSION['creds'] = $creds;
+       return $creds['validated'];
 }
 
 class squashweb {
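Review bot: The rewritten log INSERT now stores literal braces: `'{".mysql_escape_string($log_hash)."}'` was `'{$log_hash}'` inside a double-quoted string, where `{...}` was interpolation syntax, so the hash column now receives `{000…0}` (34 characters) instead of the 32-zero string; change it to `'".mysql_escape_string($log_hash)."'`. The credential check `md5($fetched_object->user_pass.$salt) == $password` is a loose string comparison against a POST value; use `hash_equals(md5($fetched_object->user_pass.$salt), (string)$password)` (PHP ≥ 5.6) so that numeric-looking digests are not compared as numbers and timing is constant. On the validated path there is no `session_regenerate_id(true)`, so a session id fixed before login stays valid after it; regenerate it right before `$_SESSION['creds'] = $creds;`. `mysql_escape_string` ignores the connection charset, so prefer `mysql_real_escape_string` for both the user lookup and the log values, given the file already depends on the mysql extension.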