uses('tpl'); $app->tpl->newTemplate('form.tpl.htm'); $error = ''; //* Login Form was send if(count($_POST) > 0) { //** Check variables if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = 'Username contains unallowed characters or is longer then 64 characters.'; if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = 'The password length is > 64 characters.'; //** iporting variables $ip = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR'])); $username = $app->db->quote($_POST['username']); $passwort = $app->db->quote($_POST['passwort']); $loginAs = false; if($username != '' && $passwort != '' && $error == '') { /* * Check, if there is a "login as" instead of a "normal" login */ if (isset($_SESSION['s']['user']) && $_SESSION['s']['user']['active'] == 1){ /* * only the admin can "login as" so if the user is NOT a admin, we * open the startpage (after killing the old session), so the user * is logout and has to start again! */ if ($_SESSION['s']['user']['typ'] != 'admin') { /* * The actual user is NOT a admin, but maybe the admin * has logged in as "normal" user bevore... */ if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin')){ /* The "old" user is admin, so everything is ok */ } else { die("You don't have the right to 'login as'!"); } } $loginAs = true; } else { /* normal login */ $loginAs = false; } //* Check if there are already wrong logins $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1"; $alreadyfailed = $app->db->queryOneRecord($sql); //* login to much wrong if($alreadyfailed['times'] > 5) { $error = $app->lng(1004); } else { if ($loginAs){ $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'"; } else { $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )"; } $user = $app->db->queryOneRecord($sql); if($user) { if($user['active'] == 1) { // User login right, so attempts can be deleted $sql = "DELETE FROM `attempts_login` WHERE `ip`='{$ip}'"; $app->db->query($sql); $user = $app->db->toLower($user); if ($loginAs) $oldSession = $_SESSION['s']; $_SESSION = array(); if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back! $_SESSION['s']['user'] = $user; $_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default'; $_SESSION['s']['language'] = $user['language']; $_SESSION["s"]['theme'] = $_SESSION['s']['user']['theme']; if(is_file($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php')) { include_once($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php'); $_SESSION['s']['module'] = $module; } echo 'HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']; exit; } else { $error = $app->lng(1003); } } else { if(!$alreadyfailed['times'] ) { //* user login the first time wrong $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('{$ip}', 1, NOW())"; $app->db->query($sql); } elseif($alreadyfailed['times'] >= 1) { //* update times wrong $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `login_time` >= '{$time}' LIMIT 1"; $app->db->query($sql); } //* Incorrect login - Username and password incorrect $error = $app->lng(1002); if($app->db->errorMessage != '') $error .= '
'.$app->db->errorMessage != ''; } } } else { //* Username or password empty if($error == '') $error = $app->lng(1001); } } if($error != ''){ $error = '

Error

'.$error.'
'; } $app->tpl->setVar('error', $error); $app->tpl->setInclude('content_tpl','login/templates/index.htm'); $app->tpl_defaults(); $this->status = 'OK'; return $app->tpl->grab(); } // << end function } // << end class ?>