
Login via email and password

Started by gavu, April 07, 2008, 01:02:45 PM


gavu

Hi, I've been trying to find out how to tell cpg to authenticate users via e-mail and password.

I have found something in /bridge/udb_base.php on lines 55 -> 63 and 770 -> 786.
Whatever I do, it seems not to use the user_password table.

Is there a way (plugin/mod/edit) to do this?
it's not a bug, it's a feature

Hot Rides

I would like to know this as well.

gavu

This is what worked for me, hope it helps you too.
Edit /bridge/coppermine.inc.php:


// Login function
function login( $email = null, $password = null, $remember = false ) {
    global $CONFIG;

    // Create the session_id from concat(cookievalue,client_id)
    $session_id = $this->session_id.$this->client_id;

    // Check if encrypted passwords are enabled
    if ($CONFIG['enable_encrypted_passwords']) {
        $encpassword = md5($password);
    } else {
        $encpassword = $password;
    }

    // Check for user in users table
    $sql =  "SELECT user_id, user_email, user_password FROM {$this->usertable} WHERE ";
    $sql .= "user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
    $results = cpg_db_query($sql);

    // If exists update lastvisit value, session, and login
    if (mysql_num_rows($results)) {

        // Update lastvisit value
        $sql =  "UPDATE {$this->usertable} SET user_lastvisit = NOW() ";
        $sql .= "WHERE user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
        cpg_db_query($sql, $this->link_id);

        $USER_DATA = mysql_fetch_assoc($results);
        mysql_free_result($results);

        // If this is a 'remember me' login set the remember field to true
        if ($remember) {
            $remember_sql = ",remember = '1' ";
        } else {
            $remember_sql = '';
        }

        // Update guest session with user's information
        $sql  = "update {$this->sessionstable} set ";
        $sql .= "user_id={$USER_DATA['user_id']} ";
        $sql .= $remember_sql;
        $sql .= "where session_id=md5('$session_id');";
        cpg_db_query($sql, $this->link_id);

        return $USER_DATA;
    } else {

        return false;
    }
}


(thanks to foulu, he helped me)
it's not a bug, it's a feature

Hot Rides

Does that need to replace the login function that's already there?

Joachim Müller

Sure - you can't have two definitions for one function. Try for yourself if you don't believe that. You'll need to replace the existing function definition with the new one.

Nibbler

This mod is based on the vulnerable pre-1.4.18 code. It should be as follows to be secure:


// Login function
function login( $email = null, $password = null, $remember = false ) {
    global $CONFIG;

    // Create the session_id from concat(cookievalue,client_id)
    $session_id = $this->session_id.$this->client_id;

    // Check if encrypted passwords are enabled
    if ($CONFIG['enable_encrypted_passwords']) {
        $encpassword = md5($password);
    } else {
        $encpassword = $password;
    }

    // Check for user in users table
    $sql =  "SELECT user_id, user_email, user_password FROM {$this->usertable} WHERE ";
    $sql .= "user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
    $results = cpg_db_query($sql);

    // If exists update lastvisit value, session, and login
    if (mysql_num_rows($results)) {

        // Update lastvisit value
        $sql =  "UPDATE {$this->usertable} SET user_lastvisit = NOW() ";
        $sql .= "WHERE user_email = '$email' AND BINARY user_password = '$encpassword' AND user_active = 'YES'";
        cpg_db_query($sql, $this->link_id);

        $USER_DATA = mysql_fetch_assoc($results);
        mysql_free_result($results);

        // If this is a 'remember me' login set the remember field to true
        if ($remember) {
            $remember_sql = ",remember = '1' ";
        } else {
            $remember_sql = '';
        }

        // Update guest session with user's information
        $sql  = "update {$this->sessionstable} set ";
        $sql .= "user_id={$USER_DATA['user_id']} ";
        $sql .= $remember_sql;
        // Hash in PHP first: md5() yields a fixed 32-character hex string, so the
        // cookie-derived $session_id never reaches the SQL text unhashed
        $sql .= "where session_id = '" . md5($session_id) . "'";
        cpg_db_query($sql, $this->link_id);

        return $USER_DATA;
    } else {

        return false;
    }
}
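To see why the one changed line matters, here is an added example that is not part of any post in this thread or of Coppermine's own code. It isolates the session-update statement from both versions, feeds it a session id containing a stray quote (the value is built from a client cookie, so it is not under the server's control), and runs a simple quote-balance check over the resulting SQL. The function names, the table name and the sample values are constructed for illustration; the `$email` and `$encpassword` values, which both versions still interpolate directly, are outside this example and must be escaped before they reach the bridge.

```php
<?php
// Added example, not Coppermine code. Shows the difference between hashing
// the cookie-derived session id inside MySQL (pre-1.4.18 pattern) and
// hashing it in PHP before it is placed in the statement (1.4.18+ pattern).

// Pre-1.4.18 pattern: the raw session id sits inside a quoted SQL literal
// and MySQL does the hashing. Any quote in the value ends the literal early.
function build_session_update_old($sessionstable, $user_id, $session_id) {
    $sql  = "update {$sessionstable} set ";
    $sql .= "user_id={$user_id} ";
    $sql .= "where session_id=md5('$session_id');";
    return $sql;
}

// 1.4.18+ pattern: md5() runs in PHP and always returns 32 hex characters,
// so whatever the client sent, only [0-9a-f]{32} reaches the SQL text.
// The (int) cast on user_id is an extra hardening step that is not in the
// thread; the value comes from the users table, so it costs nothing here.
function build_session_update_new($sessionstable, $user_id, $session_id) {
    $sql  = "update {$sessionstable} set ";
    $sql .= "user_id=" . (int) $user_id . " ";
    $sql .= "where session_id = '" . md5($session_id) . "'";
    return $sql;
}

// Crude review check: an odd number of single quotes means a string
// literal was left open and the statement no longer means what was written.
function literal_balanced($sql) {
    return substr_count($sql, "'") % 2 === 0;
}

// Constructed session id: cookie value with a stray quote, plus client id.
$session_id = "cookievalue'" . "clientid";

$old = build_session_update_old('cpg_sessions', 42, $session_id);
$new = build_session_update_new('cpg_sessions', 42, $session_id);

printf("old: %s\n  literal balanced: %s\n", $old, literal_balanced($old) ? 'yes' : 'no');
printf("new: %s\n  literal balanced: %s\n", $new, literal_balanced($new) ? 'yes' : 'no');
```

The old form reports an unbalanced literal for that input, while the new form always produces a well-formed 32-character hex literal regardless of what the cookie contains.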