Release diogenes-0.9.22
index 894af75..f6c1559 100644 (file)
@@ -55,14 +55,15 @@ class DiogenesSession extends DiogenesCoreSession {
       // remember login for a year
       setcookie('DiogenesLogin',$_REQUEST['login'],(time()+25920000));
 
-      // check response
-      $res = $globals->db->query( "SELECT user_id,password FROM {$globals->tauth['native']} WHERE username='{$_REQUEST['login']}'");
-
-      if (!list($uid,$password) = mysql_fetch_row($res)) {
+      // lookup user
+      $res = $globals->db->query("SELECT user_id,username,password,firstname,lastname,perms FROM {$globals->tauth['native']} WHERE username='{$_REQUEST['login']}'");
+      if (!list($uid,$username,$password,$firstname,$lastname,$perms) = mysql_fetch_row($res)) {
         $page->info(__("Authentication error!"));
         $this->doLogin($page);
       }
+      mysql_free_result($res);
 
+      // check response
       if ($_REQUEST['response'] != md5("{$_REQUEST['login']}:$password:{$this->challenge}"))
       {
         // log the login failure
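Review bot: The consolidated lookup on the `$res = $globals->db->query("SELECT user_id,username,password,...` line still interpolates `$_REQUEST['login']` straight into the SQL string, so the username field of the login form is an injection point (the same defect the removed query had). With the mysql_* API this file uses, the minimal fix is to escape it once before use, `$login = mysql_real_escape_string($_REQUEST['login']);`, and reference `$login` in both the query and the md5 recomputation. Separately, the authentication-error branch calls `$this->doLogin($page)` but does not `return`, so unless doLogin() terminates the request the code falls through to `mysql_free_result($res)` and the response check with `$password` undefined; a `return;` after the doLogin() call would make that explicit. The response comparison `$_REQUEST['response'] != md5(...)` uses loose string comparison; `hash_equals()` (or at least `!==`) is the safer form. The enclosing method starts before this hunk.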
@@ -73,8 +74,10 @@ class DiogenesSession extends DiogenesCoreSession {
       }
 
       // retrieve user info
-      $res = $globals->db->query("select user_id,username,firstname,lastname,perms from {$globals->tauth['native']} where username='{$_REQUEST['login']}'");
-      list($this->uid,$this->username,$firstname,$lastname,$perms) = mysql_fetch_row($res);
+      $this->uid = $uid;
+      $this->username = $username;
+      $this->firstname = $firstname;
+      $this->lastname = $lastname;
       $this->fullname = $firstname . ($lastname ? " $lastname" : "");
 
       // create logger
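Review bot: The `// retrieve user info` comment above the `$this->uid = $uid;` line is now stale: after this change the row was already fetched before the challenge check, and these lines only copy the already-validated fields onto the session. Suggest `// populate session from the row fetched above (only reached after the response matched)` so a reader does not look for a second query. The enclosing method starts before this hunk.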
@@ -107,7 +110,7 @@ class DiogenesSession extends DiogenesCoreSession {
 
     // check credentials
     $pass = md5($pass);
-    $res = $globals->db->query("select user_id,username,perms from {$globals->tauth['native']} where username='$user' and password='$pass'");
+    $res = $globals->db->query("SELECT user_id,username,perms FROM {$globals->tauth['native']} WHERE username='$user' AND password='$pass'");
     if (!list($uid,$user,$perms) = mysql_fetch_row($res))
       return false;      
 
@@ -139,7 +142,7 @@ class DiogenesSession extends DiogenesCoreSession {
 
     if (isset($_COOKIE['DiogenesLogin']))
       $page->assign('username', $_COOKIE['DiogenesLogin']);
-    $page->assign('post',htmlentities($page->script_uri()));
+    $page->assign('post',htmlentities($page->script_uri(), ENT_COMPAT | ENT_HTML401, "ISO-8859-1"));
     $page->assign('challenge',$this->challenge);
     $page->assign('md5',$page->url("md5.js"));
     $page->display('login.tpl');
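Review bot: The new `htmlentities($page->script_uri(), ENT_COMPAT | ENT_HTML401, "ISO-8859-1")` call leaves single quotes unescaped (ENT_COMPAT only converts double quotes), so the `post` value is only safe if login.tpl emits it inside a double-quoted attribute; `ENT_QUOTES` covers both attribute styles at no cost. The `$page->assign('username', $_COOKIE['DiogenesLogin'])` line two lines earlier passes the raw cookie value (which the login path sets from `$_REQUEST['login']` with no validation) to the template with no escaping at all, which is inconsistent with the escaping applied to `post`; if the template does not escape it itself, that is a reflected-into-form-field XSS vector. Suggest `$page->assign('username', htmlentities($_COOKIE['DiogenesLogin'], ENT_QUOTES, "ISO-8859-1"));` unless the template layer is known to escape on output. The enclosing method starts before this hunk.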
@@ -165,11 +168,9 @@ class DiogenesSession extends DiogenesCoreSession {
       }
 
       // read site specific permissions
-      $res = $globals->db->query("select perms from diogenes_perm where alias='{$alias}'".
-                         " and auth='{$this->auth}' and uid='{$this->uid}'");
-      if (mysql_num_rows($res)>0) {
+      $res = $globals->db->query("SELECT perms FROM diogenes_perm WHERE alias='{$alias}' AND auth='{$this->auth}' AND uid='{$this->uid}'");
+      if (list($tmp) = mysql_fetch_row($res)) {
         $this->perms->addflag('user');
-        list($tmp) = mysql_fetch_row($res);
         $this->perms->addflag($tmp);
       }
       mysql_free_result($res);
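Review bot: The rewritten query on the `$res = $globals->db->query("SELECT perms FROM diogenes_perm WHERE alias='{$alias}' ...` line interpolates `$alias` directly; `$this->uid` and `$this->auth` come from the session, but where `$alias` originates is not visible in this hunk (the enclosing method starts before it), so if it is taken from the URL it needs `mysql_real_escape_string()` before use. The switch from `mysql_num_rows($res)>0` to `if (list($tmp) = mysql_fetch_row($res))` is behaviourally equivalent, but it silently adds an empty flag via `$this->perms->addflag($tmp)` when the perms column is NULL or empty; a guard such as `if ($tmp !== null && $tmp !== '') $this->perms->addflag($tmp);` would keep the flag set clean. A one-line comment `// a matching row grants 'user' plus the stored site-specific flag` would also help, since the 'user' flag is added regardless of the column's value.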