Hi, I've been trying to find out how to tell cpg to authenticate users via e-mail and password.
I have found something in /bridge/udb_base.php on lines 55 -> 63 and 770 -> 786.
Whatever I do, it seems not to use the user_password table.
Is there a way (plugin/mod/edit) to do this?

I would like to know this as well.

This is what worked for me, hope it helps you too.
Edit /bridge/coppermine.inc.php:
// Login function
function login( $email = null, $password = null, $remember = false ) {
    global $CONFIG;

    // Create the session_id from concat(cookievalue,client_id)
    $session_id = $this->session_id.$this->client_id;

    // Check if encrypted passwords are enabled
    if ($CONFIG['enable_encrypted_passwords']) {
        $encpassword = md5($password);
    } else {
        $encpassword = $password;
    }

    // Check for user in users table
    $sql = "SELECT user_id, user_email, user_password FROM {$this->usertable} WHERE ";
    $sql .= "user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
    $results = cpg_db_query($sql);

    // If exists update lastvisit value, session, and login
    if (mysql_num_rows($results)) {
        // Update lastvisit value
        $sql = "UPDATE {$this->usertable} SET user_lastvisit = NOW() ";
        $sql .= "WHERE user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
        cpg_db_query($sql, $this->link_id);

        $USER_DATA = mysql_fetch_assoc($results);
        mysql_free_result($results);

        // If this is a 'remember me' login set the remember field to true
        if ($remember) {
            $remember_sql = ",remember = '1' ";
        } else {
            $remember_sql = '';
        }

        // Update guest session with user's information
        $sql = "update {$this->sessionstable} set ";
        $sql .= "user_id={$USER_DATA['user_id']} ";
        $sql .= $remember_sql;
        $sql .= "where session_id=md5('$session_id');";
        cpg_db_query($sql, $this->link_id);

        return $USER_DATA;
    } else {
        return false;
    }
}
(Thanks to foulu, he helped me.)

Does that need to replace the login function that's already there?

Sure - you can't have two definitions for one function. Try for yourself if you don't believe that. You'll need to replace the existing function definition with the new one.

This mod is based on the vulnerable pre-1.4.18 code. Should be as follows to be secure:
// Login function
function login( $email = null, $password = null, $remember = false ) {
    global $CONFIG;

    // Create the session_id from concat(cookievalue,client_id)
    $session_id = $this->session_id.$this->client_id;

    // Check if encrypted passwords are enabled
    if ($CONFIG['enable_encrypted_passwords']) {
        $encpassword = md5($password);
    } else {
        $encpassword = $password;
    }

    // Check for user in users table
    $sql = "SELECT user_id, user_email, user_password FROM {$this->usertable} WHERE ";
    $sql .= "user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
    $results = cpg_db_query($sql);

    // If exists update lastvisit value, session, and login
    if (mysql_num_rows($results)) {
        // Update lastvisit value
        $sql = "UPDATE {$this->usertable} SET user_lastvisit = NOW() ";
        $sql .= "WHERE user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
        cpg_db_query($sql, $this->link_id);

        $USER_DATA = mysql_fetch_assoc($results);
        mysql_free_result($results);

        // If this is a 'remember me' login set the remember field to true
        if ($remember) {
            $remember_sql = ",remember = '1' ";
        } else {
            $remember_sql = '';
        }

        // Update guest session with user's information
        $sql = "update {$this->sessionstable} set ";
        $sql .= "user_id={$USER_DATA['user_id']} ";
        $sql .= $remember_sql;
        $sql .= "where session_id = '" . md5($session_id) . "'";
        cpg_db_query($sql, $this->link_id);

        return $USER_DATA;
    } else {
        return false;
    }
}
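
The two versions of login() above differ only in the last statement: the replacement hashes $session_id with PHP's md5() before building the query, instead of placing the raw value inside md5('...') in the SQL text. The sketch below is an added example, not part of the thread or of Coppermine; it goes a step further and binds every value, assuming PDO with an in-memory SQLite database, and the table names, schema and sample rows are constructed.

```php
<?php
// Added example, not Coppermine code. Column names follow the thread's queries;
// the PDO/SQLite setup, table names and sample rows are constructed for the demo.

function login_bound(PDO $db, string $email, string $password, string $sessionId, bool $remember = false)
{
    // Same lookup as the thread's SELECT, with the values bound, not interpolated.
    // md5() only mirrors the thread's enable_encrypted_passwords branch.
    $find = $db->prepare(
        "SELECT user_id, user_email FROM users
         WHERE user_email = ? AND user_password = ? AND user_active = 'YES'"
    );
    $find->execute([$email, md5($password)]);
    $user = $find->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;
    }
    $db->prepare("UPDATE users SET user_lastvisit = CURRENT_TIMESTAMP WHERE user_id = ?")
       ->execute([$user['user_id']]);

    // Session key is hashed in PHP, as in the fixed version, and then bound.
    // The optional fragment is a fixed literal, never request data.
    $sql = "UPDATE sessions SET user_id = ?" . ($remember ? ", remember = 1" : "")
         . " WHERE session_id = ?";
    $db->prepare($sql)->execute([$user['user_id'], md5($sessionId)]);
    return $user;
}

// Constructed data: one active user whose address contains an apostrophe,
// and one guest session keyed by md5(cookie value . client id).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER, user_email TEXT, user_password TEXT,
           user_active TEXT, user_lastvisit TEXT)");
$db->exec("CREATE TABLE sessions (session_id TEXT, user_id INTEGER, remember INTEGER)");
$sessionId = "c0ffee'42";   // constructed value with a quote character in it
$db->prepare("INSERT INTO users VALUES (7, ?, ?, 'YES', NULL)")
   ->execute(["o'brien@example.org", md5('s3cret')]);
$db->prepare("INSERT INTO sessions VALUES (?, 0, 0)")->execute([md5($sessionId)]);

// Correct password, then a wrong password, then the resulting session row.
var_dump(login_bound($db, "o'brien@example.org", 's3cret', $sessionId, true));
var_dump(login_bound($db, "o'brien@example.org", 'wrong', $sessionId));
var_dump($db->query("SELECT user_id, remember FROM sessions")->fetch(PDO::FETCH_ASSOC));
```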