"); echo("ROOT.index: " . basename($CFG->wwwroot)); foreach($_POST as $n=>$v){ echo("La var " . $n . " vaut: " . $v . "
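"); } die(); */

/*
 * Login handler.
 *
 * When the form has been submitted (POST field "login" present) the posted
 * credentials are checked with verify_login(); on success the user row is
 * stored in the session and the browser is redirected, otherwise $errormsg
 * (and $frm, $errormsg2, $errormsg3) are set for login_form.php and the form
 * is shown again.  Expected from the including script: $CFG (templatedir),
 * $photosud (site base URL), an already started session and the helpers
 * db_query(), db_fetch_array(), get_remote_address(), get_user_agent().
 */
if (isset($_POST['login'])) {
    // Missing fields are treated as empty rather than left to raise notices.
    $posted_username = isset($_POST['username']) ? $_POST['username'] : '';
    $posted_password = isset($_POST['password']) ? $_POST['password'] : '';

    /* Usernames are ASCII letters and digits only.  This check is what keeps
     * the username safe to interpolate into the UPDATE statements below, so it
     * must stay in front of every query that uses it.  ("\z" rather than "$":
     * a trailing newline must not slip through.) */
    if (!is_string($posted_username) || !preg_match('/^[a-zA-Z0-9]+\z/', $posted_username)) {
        $errormsg = "Nom d'utilisateur ou mot de passe erroné.";
        include("$CFG->templatedir/header.php");
        include("$CFG->templatedir/login_form.php");
        include("$CFG->templatedir/footer.php");
        die;
    }
    if (!is_string($posted_password)) {
        $posted_password = '';
    }

    /* The stored credential is an unsalted MD5 digest: verify_login() receives
     * the digest, never the cleartext.  Moving to password_hash()/
     * password_verify() needs a schema change and is not done here. */
    $user = verify_login($posted_username, md5($posted_password));

    /* Account states ("cleared"): 1 = cleared, '' or 0 = not yet validated,
     * 6 = frozen after 5 failed logins, 9 = frozen for another reason
     * (unpaid invoice, ...).  Compared as strings whatever the column type. */
    $cleared = $user ? (string) $user['cleared'] : '';

    if ($user && $cleared === '1') {
        /* Successful login.  The session id is replaced first: an id the client
         * knew before authenticating (this site also carries it in the URL)
         * must not stay valid for the authenticated session. */
        if (session_id() !== '') {
            session_regenerate_id(true);
        }
        $_SESSION['user'] = $user;
        $_SESSION['ip'] = get_remote_address();
        $_SESSION['browser'] = get_user_agent();
        // A successful login ends the failed-attempt sequence of this session.
        unset($_SESSION['failed_attempts'], $_SESSION['failed_username']);

        /* Remember the username for the login form (one year). */
        if (!isset($_COOKIE['username']) || $_COOKIE['username'] !== $posted_username) {
            setcookie('username', $posted_username, time() + 31536000);
        }

        /* Session id propagated through the URL: only when the request itself
         * carried one, and then always the current (regenerated) id, never the
         * value echoed back from the request. */
        $sid_query = isset($_REQUEST['PHPSESSID']) ? '?PHPSESSID=' . urlencode(session_id()) : '';
        $home = $photosud . 'index.php' . $sid_query;
        $referer = isset($_SERVER['HTTP_REFERER']) ? (string) $_SERVER['HTTP_REFERER'] : '';

        /* If wantsurl is set we came from a page that required a login, so go
         * back there.  Otherwise return to the referring page, but only when it
         * is on this host: sending the browser to an arbitrary URL right after
         * login would be an open redirect.  In every other case: home page. */
        if (!empty($_SESSION['wantsurl'])) {
            // wantsurl is set server-side by the page that required the login
            // and is used as-is, as before.
            $goto = $_SESSION['wantsurl'] . $sid_query;
        } elseif ($referer === '' || $referer === 'http://www.photosud.com/' || $referer === 'http://www.photosud.com/index.php') {
            $goto = $home;
        } elseif (login_is_local_url($referer)) {
            $goto = $referer;
        } else {
            $goto = $home;
        }

        /* Record the last visit.  $posted_username passed the [a-zA-Z0-9]+
         * check above, which is what makes this interpolation safe. */
        db_query("UPDATE users SET lastvisit = now() WHERE username = '$posted_username'");

        header("Location: $goto");
        die;
    } elseif ($user && $cleared === '6') {
        $errormsg = "Votre compte a été temporairement bloqué suite à un trop grand nombre de tentatives infructueuses d'identification. Veuillez nous contacter pour plus de détails.";
        $frm['username'] = $posted_username;
    } elseif ($user && $cleared === '9') {
        $errormsg = "Votre compte a été temporairement bloqué suite à un litige. Veuillez nous contacter pour plus de détails.";
        $frm['username'] = $posted_username;
    } elseif (!$user && isset($_SESSION['failed_attempts']) && (int) $_SESSION['failed_attempts'] === 4) {
        /* Fourth consecutive failure for the same username: warn. */
        $errormsg = "Nom d'utilisateur ou mot de passe erroné.";
        $errormsg2 = "Attention! 
Par mesure de sécurité, votre compte sera temporairement bloqué si vous échouez de nouveau!";
    } elseif (!$user && isset($_SESSION['failed_attempts']) && (int) $_SESSION['failed_attempts'] === 5) {
        /* Fifth consecutive failure: freeze the account (cleared = 6).  The
         * "!$user" guard on this and the previous branch makes sure a stale
         * counter cannot freeze an account on a login whose password was
         * correct.  The counter is kept in the caller's own session, so it is
         * not a substitute for a server-side lockout. */
        $errormsg = "Nom d'utilisateur ou mot de passe erroné.";
        $errormsg3 = "Attention! Ce compte a été temporairement bloqué!";
        db_query("UPDATE users SET cleared='6' WHERE username='$posted_username'");
    } elseif (!$user) {
        $errormsg = "Nom d'utilisateur ou mot de passe erroné.";
        $frm['username'] = $posted_username;
    }
    /* Accounts with cleared '' or 0 (not yet validated) fall through without a
     * message; the branch that showed "Votre compte n'a pas encore été validé
     * par Photosud." was already disabled and is left out here. */
}

include("$CFG->templatedir/header.php");
include("$CFG->templatedir/login_form.php");
include("$CFG->templatedir/footer.php");

/******************************************************************************
 * FUNCTIONS
 *****************************************************************************/

/**
 * Verify a username / password-digest pair.
 *
 * @param string $username  login name; only [a-zA-Z0-9]+ can ever match
 * @param string $password  MD5 hex digest of the submitted password (callers
 *                          hash before calling; the users table holds the
 *                          same unsalted digest)
 * @return array  the user row (username, title, firstname, lastname, priv,
 *                cleared, field, company, address fields, phone, fax, email,
 *                mobil) on success, an empty array on any failure
 *
 * Side effect: a wrong password for an existing account updates
 * $_SESSION['failed_username'] / $_SESSION['failed_attempts'], which the
 * login handler above uses to warn after 4 and freeze after 5 consecutive
 * failures for the same username.  An unknown username is not counted.
 */
function verify_login($username, $password)
{
    $empty_array = array();

    /* Same rule as the login form: anything outside [a-zA-Z0-9]+ cannot be a
     * valid account and is rejected before it reaches a query, whoever the
     * caller is. */
    if (!is_string($username) || !preg_match('/^[a-zA-Z0-9]+\z/', $username)) {
        return $empty_array;
    }
    $password = (string) $password;

    /* Escape for the query unless magic quotes already did.  On PHP without
     * magic quotes (the function is gone since 8.0) nothing has pre-escaped
     * the input, so escape in that case too.  For what the login handler
     * sends (alnum username, hex digest) this is a no-op; it only matters for
     * other callers. */
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $username = addslashes($username);
        $password = addslashes($password);
    }

    /* One query answers both "does the login exist" and "what is its digest". */
    $stored = mysql_fetch_array(db_query("SELECT password FROM users WHERE username='$username'"));
    if (!$stored) {
        // Unknown login: not counted as a failed attempt (as before).
        return $empty_array;
    }

    if (!login_hash_matches((string) $stored['password'], $password)) {
        /* Wrong password: count consecutive failures per username in the
         * session.  A different username than on the previous failure
         * restarts the count. */
        if (isset($_SESSION['failed_username']) && $_SESSION['failed_username'] !== $username) {
            $_SESSION['failed_username'] = $username;
            $_SESSION['failed_attempts'] = 1;
        } else {
            $_SESSION['failed_username'] = $username;
            $_SESSION['failed_attempts'] = isset($_SESSION['failed_attempts']) ? $_SESSION['failed_attempts'] + 1 : 1;
        }
        return $empty_array;
    }

    $qid = db_query("
        SELECT username, title, firstname, lastname, priv, cleared, field,
               company, address, address2, postalcode, city, country,
               del_address, del_address2, del_postalcode, del_city, del_country,
               phone, fax, email, mobil
        FROM users
        WHERE username = '$username'
    ");
    return db_fetch_array($qid);
}

/**
 * Compare the stored password digest with the submitted one.
 *
 * Strict string comparison: the loose "==" used before treats two digests
 * that both look like a number in exponent notation as equal, which is not
 * what a credential check wants.  hash_equals() (PHP 5.6+) is used when
 * available so that the comparison time does not depend on where the two
 * strings first differ.
 *
 * @param string $known      digest from the users table
 * @param string $submitted  digest computed from the submitted password
 * @return bool
 */
function login_hash_matches($known, $submitted)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $submitted);
    }
    return $known === $submitted;
}

/**
 * True when $url is an absolute http(s) URL whose host is the host this
 * request was made to; used to keep the post-login redirect on this site.
 * Relative or unparsable URLs yield false (the caller then uses the home page).
 *
 * @param string $url
 * @return bool
 */
function login_is_local_url($url)
{
    $parts = parse_url((string) $url);
    if (!is_array($parts) || !isset($parts['host'], $parts['scheme'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $own = isset($_SERVER['HTTP_HOST']) ? (string) $_SERVER['HTTP_HOST'] : '';
    $own = strtolower(preg_replace('/:\d+\z/', '', $own)); // drop an explicit port
    return $own !== '' && strtolower($parts['host']) === $own;
}
?>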