mt-admin Files · include/admin.inc.php

Merge pull request #16 from mt-admin dbal...

Merge pull request #16 from mt-admin dbal Convert to Doctrine DBAL

darkmorford - - Load All Authors

File last commit:

03778752b7d9

17cb6fd19dbb

Download file

             admin.inc.php
        
                    159 lines
            
             | 5.0 KiB
            
                | text/x-php
            
             |
                PhpLexer
            
             / include / admin.inc.php
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content

     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      <?php

      /* Megatokyo Website Administration */

      require_once('../LocalSettings.php');

     darkmorford
  
Rework login function to use DBAL.

              r22
            
      require(__DIR__ . '/../vendor/autoload.php');

     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      // Core lib

      require_once('html.php');

      require_once('cookies.php');

      require_once('functions.php');

      require_once('error.php');

      require_once('uploads.php');

      require_once('nonce.php');

      // Objects

      require_once('rants.php');

      require_once('user.php');

      require_once('strip.php');

      require_once('transcript.php');

      require_once('type.php');

      require_once('pages.php');

      require_once('extra.php');

      require_once('twitter.php');

      require_once('tumblr.php');

      require_once('images.php');

      require_once('rss.php');

      require_once('twitteroauth/twitteroauth.php');

     darkmorford
  
Rework login function to use DBAL.

              r22
            
      // Initialize a connection to the database

      $dbConfig = new \Doctrine\DBAL\Configuration();

      $dbParams = array(

      	'dbname'   => DB_NAME,

      	'user'     => DB_WRITE_USER,

      	'password' => DB_WRITE_PASS,

      	'host'     => DB_SERVER,

     darkmorford
  
Use PDO MySQL driver instead of MySQLi.

              r23
            
      	'driver'   => 'pdo_mysql',

     darkmorford
  
Rework login function to use DBAL.

              r22
            
      	'charset'  => 'utf8mb4'

      );

      $dbConnection = \Doctrine\DBAL\DriverManager::getConnection($dbParams, $dbConfig);

     darkmorford
  
Default to FETCH_OBJ fetch mode on the DB connection.

              r24
            
      $dbConnection->setFetchMode(PDO::FETCH_OBJ);

     darkmorford
  
Rework login function to use DBAL.

              r22
            
     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      /* TODO: Move these definitions to LocalSettings.php */

      if ( !defined('RANTIMG') )

      	define('RANTIMG', '../rantimgs/');

      define('USING_TIDY', false);

      /* These function are all for core authentication. */

      function mt_hash_password($password) {

     darkmorford
  
Hash passwords in PHP instead of asking MySQL to do it.

              r21
            
      	return sha1($password);

     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      }

     darkmorford
  
Rework login function to use DBAL.

              r22
            
      // Remove invalid characters from username. Permit only alpha, underscore, period, at, hyphen

     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      function sanitize_username( $username ) {

      	return preg_replace('|[^a-z_.@-]|i', '', $username);

      }

      // Attempt to login with a username and password. If from cookies, set already_hashed = true.

      function mt_login($username, $password, $already_hashed = false) {

     darkmorford
  
Default to FETCH_OBJ fetch mode on the DB connection.

              r24
            
      	global $error, $dbConnection;

     darkmorford
  
Add most necessary files for admin interface.

              r1
            
     darkmorford
  
Rework login function to use DBAL.

              r22
            
      	// Fail login if either user or pass is blank

     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      	if ( '' == $username )

      		return false;

      	if ( '' == $password ) {

      		$error = ('<strong>ERROR</strong>: The password field is empty.');

      		return false;

      	}

      	$username = sanitize_username( $username );

     darkmorford
  
Use PDO MySQL driver instead of MySQLi.

              r23
            
     darkmorford
  
Rework login function to use DBAL.

              r22
            
      	// Get user info from the database

      	$sql = 'SELECT * FROM contributor WHERE name LIKE ?';

      	$stmt = $dbConnection->executeQuery($sql, array($username));

     darkmorford
  
Default to FETCH_OBJ fetch mode on the DB connection.

              r24
            
      	$login = $stmt->fetch();

     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      	if (!$login) {

      		$error = ('<strong>ERROR</strong>: Invalid username or password.');

      		adminlog("Failed login attempt from ".$_SERVER['REMOTE_ADDR']." for $username.", MTS_LOGIN, MTA_CHANGE);

      		//logthis ('AUTH: Failed login attempt from ' . $_SERVER["REMOTE_ADDR"], var_export( $_SERVER, true ) );

      		return false;

      	} else {

      		// If the password is already_md5, it has been double hashed.

      		// Otherwise, it is plain text.

      		if ( $already_hashed && $username == $login->name && $login->password == $password) {

      			global $currentuser;

      			$currentuser=$login;

      			return true;

      		}

      		if (!$already_hashed) {

      			$passhash = mt_hash_password($password);

      			if( $username == $login->name && $passhash == $login->password ) {

      				global $currentuser;

      				$currentuser=$login;

      				return true;

      			}

      		}

      		$error = ('<strong>ERROR</strong>: Invalid username or password.');

      		adminlog("Failed login attempt from ".$_SERVER['REMOTE_ADDR']." for $username.", MTS_LOGIN, MTA_CHANGE);

      		//logthis ('AUTH: Failed login attempt from ' . $_SERVER["REMOTE_ADDR"], var_export( $_SERVER, true ) );

      		return false;

      	}

      }

      // Attempt to login using cookies with failback to HTTP Basic Auth.  If that fails, return a 401 to the browser.

      function auth_basic() {

      	if ( !empty($_COOKIE[USER_COOKIE]) && mt_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) )

      		return;

      	// Either there is no cookie or the cookie is not valid

      	if (!isset($_SERVER['PHP_AUTH_USER']) || !mt_login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) ) {

      		header('WWW-Authenticate: Basic realm="My Realm"');

      		header('HTTP/1.0 401 Unauthorized');

      		die('You do not have permission to view this page.');

      	}

      }

      // Attempt to login using cookies. If that fails, redirect to login.php to get credentials.

      function auth_redirect($showloginui=true) {

      	// Checks if a user is logged in, if not redirects them to the login page

      	if ( (!empty($_COOKIE[USER_COOKIE]) &&

      				!mt_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||

      			 (empty($_COOKIE[USER_COOKIE])) ) {

      		nocache_headers();

      		if($showloginui) _redirect( ADMIN_PATH . '/login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));

      		die('You do not have permission to view this page.');

      	}

      }

      // Safe redirect, defaults to Temporary

      function _redirect($location, $status = 302) {

      	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);

      	$strip = array('%0d', '%0a');

      	$location = str_replace($strip, '', $location);

      	if ( substr(php_sapi_name(), 0, 3) != 'cgi' )

      		header('Status: '.$status); // This causes problems on IIS and some FastCGI setups

     darkmorford
  
Update include/*.php to use mysqli_* functions.

              r4
            
     darkmorford
  
Add most necessary files for admin interface.

              r1
            
      	header("Location: $location");

      	die();

      }

      // When doing redirect to login form, ensure headers are never cached.

      function nocache_headers() {

      	@ header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');

      	@ header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');

      	@ header('Cache-Control: no-cache, must-revalidate, max-age=0');

      	@ header('Pragma: no-cache');

      }

      ?>

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings

darkmorford Add most necessary files for admin interface.	r1	<?php

		/* Megatokyo Website Administration */
		require_once('../LocalSettings.php');
darkmorford Rework login function to use DBAL.	r22	require(__DIR__ . '/../vendor/autoload.php');
darkmorford Add most necessary files for admin interface.	r1
		// Core lib
		require_once('html.php');
		require_once('cookies.php');
		require_once('functions.php');
		require_once('error.php');

		require_once('uploads.php');
		require_once('nonce.php');

		// Objects
		require_once('rants.php');
		require_once('user.php');
		require_once('strip.php');
		require_once('transcript.php');
		require_once('type.php');
		require_once('pages.php');
		require_once('extra.php');
		require_once('twitter.php');
		require_once('tumblr.php');
		require_once('images.php');
		require_once('rss.php');

		require_once('twitteroauth/twitteroauth.php');

darkmorford Rework login function to use DBAL.	r22	// Initialize a connection to the database
		$dbConfig = new \Doctrine\DBAL\Configuration();
		$dbParams = array(
		'dbname' => DB_NAME,
		'user' => DB_WRITE_USER,
		'password' => DB_WRITE_PASS,
		'host' => DB_SERVER,
darkmorford Use PDO MySQL driver instead of MySQLi.	r23	'driver' => 'pdo_mysql',
darkmorford Rework login function to use DBAL.	r22	'charset' => 'utf8mb4'
		);
		$dbConnection = \Doctrine\DBAL\DriverManager::getConnection($dbParams, $dbConfig);
darkmorford Default to FETCH_OBJ fetch mode on the DB connection.	r24	$dbConnection->setFetchMode(PDO::FETCH_OBJ);
darkmorford Rework login function to use DBAL.	r22
darkmorford Add most necessary files for admin interface.	r1	/* TODO: Move these definitions to LocalSettings.php */
		if ( !defined('RANTIMG') )
		define('RANTIMG', '../rantimgs/');

		define('USING_TIDY', false);



		/* These function are all for core authentication. */

		function mt_hash_password($password) {
darkmorford Hash passwords in PHP instead of asking MySQL to do it.	r21	return sha1($password);
darkmorford Add most necessary files for admin interface.	r1	}

darkmorford Rework login function to use DBAL.	r22	// Remove invalid characters from username. Permit only alpha, underscore, period, at, hyphen
darkmorford Add most necessary files for admin interface.	r1	function sanitize_username( $username ) {
		return preg_replace('\|[^a-z_.@-]\|i', '', $username);
		}

		// Attempt to login with a username and password. If from cookies, set already_hashed = true.
		function mt_login($username, $password, $already_hashed = false) {
darkmorford Default to FETCH_OBJ fetch mode on the DB connection.	r24	global $error, $dbConnection;
darkmorford Add most necessary files for admin interface.	r1
darkmorford Rework login function to use DBAL.	r22	// Fail login if either user or pass is blank
darkmorford Add most necessary files for admin interface.	r1	if ( '' == $username )
		return false;

		if ( '' == $password ) {
		$error = ('<strong>ERROR</strong>: The password field is empty.');
		return false;
		}

		$username = sanitize_username( $username );
darkmorford Use PDO MySQL driver instead of MySQLi.	r23
darkmorford Rework login function to use DBAL.	r22	// Get user info from the database
		$sql = 'SELECT * FROM contributor WHERE name LIKE ?';
		$stmt = $dbConnection->executeQuery($sql, array($username));
darkmorford Default to FETCH_OBJ fetch mode on the DB connection.	r24	$login = $stmt->fetch();
darkmorford Add most necessary files for admin interface.	r1
		if (!$login) {
		$error = ('<strong>ERROR</strong>: Invalid username or password.');
		adminlog("Failed login attempt from ".$_SERVER['REMOTE_ADDR']." for $username.", MTS_LOGIN, MTA_CHANGE);
		//logthis ('AUTH: Failed login attempt from ' . $_SERVER["REMOTE_ADDR"], var_export( $_SERVER, true ) );
		return false;
		} else {
		// If the password is already_md5, it has been double hashed.
		// Otherwise, it is plain text.
		if ( $already_hashed && $username == $login->name && $login->password == $password) {
		global $currentuser;
		$currentuser=$login;
		return true;
		}

		if (!$already_hashed) {
		$passhash = mt_hash_password($password);
		if( $username == $login->name && $passhash == $login->password ) {
		global $currentuser;
		$currentuser=$login;
		return true;
		}
		}
		$error = ('<strong>ERROR</strong>: Invalid username or password.');
		adminlog("Failed login attempt from ".$_SERVER['REMOTE_ADDR']." for $username.", MTS_LOGIN, MTA_CHANGE);
		//logthis ('AUTH: Failed login attempt from ' . $_SERVER["REMOTE_ADDR"], var_export( $_SERVER, true ) );
		return false;
		}
		}

		// Attempt to login using cookies with failback to HTTP Basic Auth. If that fails, return a 401 to the browser.
		function auth_basic() {
		if ( !empty($_COOKIE[USER_COOKIE]) && mt_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) )
		return;

		// Either there is no cookie or the cookie is not valid
		if (!isset($_SERVER['PHP_AUTH_USER']) \|\| !mt_login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) ) {
		header('WWW-Authenticate: Basic realm="My Realm"');
		header('HTTP/1.0 401 Unauthorized');
		die('You do not have permission to view this page.');
		}
		}

		// Attempt to login using cookies. If that fails, redirect to login.php to get credentials.
		function auth_redirect($showloginui=true) {
		// Checks if a user is logged in, if not redirects them to the login page
		if ( (!empty($_COOKIE[USER_COOKIE]) &&
		!mt_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) \|\|
		(empty($_COOKIE[USER_COOKIE])) ) {
		nocache_headers();

		if($showloginui) _redirect( ADMIN_PATH . '/login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
		die('You do not have permission to view this page.');
		}
		}

		// Safe redirect, defaults to Temporary
		function _redirect($location, $status = 302) {
		$location = preg_replace('\|[^a-z0-9-~+_.?#=&;,/:%]\|i', '', $location);
		$strip = array('%0d', '%0a');
		$location = str_replace($strip, '', $location);

		if ( substr(php_sapi_name(), 0, 3) != 'cgi' )
		header('Status: '.$status); // This causes problems on IIS and some FastCGI setups
darkmorford Update include/.php to use mysqli_ functions.	r4
darkmorford Add most necessary files for admin interface.	r1	header("Location: $location");
		die();
		}

		// When doing redirect to login form, ensure headers are never cached.
		function nocache_headers() {
		@ header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
		@ header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
		@ header('Cache-Control: no-cache, must-revalidate, max-age=0');
		@ header('Pragma: no-cache');
		}

		?>