Is there anyone who can give me a tutorial on how to build a login script that, after logging in, opens a blank popup browser window in which you can continue working in the restricted area?

Thanks in advance
Something like this?

<?php
// Start the session before any output, otherwise the $_SESSION writes below are lost.
session_start();
?>
<h1>Inloggen</h1>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<table border="0" cellspacing="5" cellpadding="0" id="table">
<tr>
<td width="100">Naam:</td>
<td><input type="text" name="Naam"></td>
</tr>
<tr>
<td>Wachtwoord:</td>
<td><input type="password" name="Wachtwoord"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login" name="Login"></td>
</tr>
</table>
</form>

<?php

if (isset($_POST['Login'])) {

$server ="localhost";
$database = "";
$gebruikersnaam = "";
$wachtwoord = "";

// Note: the mysql_* extension was removed in PHP 7; use mysqli or PDO there.
mysql_connect($server,$gebruikersnaam,$wachtwoord) or die ("Sorry, we konden geen verbinding maken met de databaseserver! Controlleer je instellingen.");
mysql_select_db($database) or die ("We konden wel verbinding maken met de databaseserver, alleen konden we de juiste database niet vinden!");

// Escape the form values before they are put into the query string.
$GebruikersNaam = mysql_real_escape_string($_POST['Naam']);
$GebruikersWachtwoord = mysql_real_escape_string($_POST['Wachtwoord']);

// The table stores an md5 of the password, so hash the submitted value the same way.
$GebruikersWachtwoord = md5($GebruikersWachtwoord);

$Query = mysql_query("SELECT * FROM users WHERE username = '$GebruikersNaam' AND password = '$GebruikersWachtwoord'");

$row = mysql_fetch_assoc($Query);
$DatabaseWachtwoord = $row['password'];

if ($DatabaseWachtwoord == $GebruikersWachtwoord) {
$Results = mysql_num_rows($Query);
if ($Results == '1') {
// Exactly one matching row: mark the session as logged in.
$Login = "1";
$_SESSION['Login'] = 1;
$_SESSION['GebruikersNaam'] = $row['username'];
$_SESSION['GebruikersID'] = $row['userID'];

echo "Je bent ingelogd. Klik (popupje) om verder te gaan.\n";
}else {
echo "Je gebruikersnaam of password klopt niet.\n";
}
}else{
echo "Je gebruikersnaam of password klopt niet!\n";
}
}
?>

And then start your popup with:

<?php
session_start();

// Only continue when the login page has marked this session as logged in.
if (isset($_SESSION['Login']) && $_SESSION['Login'] == '1') {
$GebruikersID = $_SESSION['GebruikersID'];
$GebruikersNaam = $_SESSION['GebruikersNaam'];

echo "Ingelogd als " . htmlspecialchars($GebruikersNaam);
?>

This is where your website goes, although you can also do it in other ways, e.g. first the error and the website below it.

<?php
}else{
echo "je bent niet ingelogd!";
exit();
}
?>

Of course there are other solutions you could come up with. And you should have someone here take a look at whether this is actually a secure solution.

By the way, you do need a database for this; I don't know whether you have one available? I originally had the passwords stored more securely in the database, but this script can work with the database of, for example, phpBB.
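A hardened version of the login-and-popup check from the reply above, added here as an example and not code from the thread. It assumes PHP with the pdo_sqlite extension and a users table with columns userID, username and password_hash (the hash column is an assumption; the reply's table keeps an md5 in `password`).

```php
<?php
// Added example, not code from the thread: a hardened version of the login check
// in the reply above. Assumes the pdo_sqlite extension and a `users` table with
// columns userID, username, password_hash (the hash column is an assumption).
declare(strict_types=1);
// Constructed in-memory database with one user, so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

// Returns the user row on success, null otherwise. The query is parameterised
// instead of interpolating $_POST values, and password_verify() replaces the
// md5() comparison, so the database only ever holds salted, slow hashes.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT userID, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password take the same path and get the same message.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // never keep the hash in the session
    return $row;
}

// Login page, on success: a fresh session id defeats session fixation; the popup
// opened with target="_blank" on the same host then shares this session cookie.
function establishSession(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['Login'] = 1;
    $_SESSION['GebruikersID'] = $user['userID'];
    $_SESSION['GebruikersNaam'] = $user['username'];
}

// Strict check: the reply's `== '1'` also accepts true, "1.0" and similar values.
function isLoggedIn(array $session): bool
{
    return isset($session['Login']) && $session['Login'] === 1;
}

// First lines of the popup page, before any HTML output: session_start(); requireLogin();
function requireLogin(): void
{
    if (!isLoggedIn($_SESSION ?? [])) {
        http_response_code(403);
        exit('je bent niet ingelogd!');
    }
}

// Stand-alone check from the command line (no real session needed for these calls).
if (PHP_SAPI === 'cli') {
    var_dump(authenticate($pdo, 'alice', 'correct horse battery') !== null);
    var_dump(authenticate($pdo, 'alice', 'wrong') === null);
    var_dump(isLoggedIn(['Login' => '1']), isLoggedIn(['Login' => 1]));
}
```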
I found a tutorial on this site:
http://www.techzine.nl/tutorial/127/2

it looks pretty neat, only I'm reading comments saying it isn't very secure. I'll just have the login form link to a blank php page

after this login you still end up at another login (because that way I can't create a popup in one go)
EDIT:

I did manage to adapt my script after all, but I just want to know whether it is still secure in your eyes:

It works with these two scripts:
--------------
index.php
<?php

// index.php - PHProjekt Version 5.0
// copyright © 2000-2005 Albrecht Guenther [email protected]
// www.phprojekt.com
// Author: Albrecht Guenther, $Author: fgraf $
// $Id: index.php,v 1.35.2.1 2005/09/21 12:48:23 fgraf Exp $


// ***********
// preparation

// define the error level for the next lines, it will be changed in the lib
// to the desired value.
error_reporting(0);

// set some other variables
$var_ini_set = ini_set('magic_quotes_gpc', 'on');
$var_ini_set = ini_set('include_path', './');
// avoid this d... error warning since it does not affect the scripts here
$var_ini_set = ini_set('session.bug_compat_42', 1);
$var_ini_set = ini_set('session.bug_compat_warn', 0);

// authentication etc.
$path_pre = './';
$include_path = $path_pre.'lib/lib.inc.php';
include_once $include_path;

// set baseurl
$bu1 = explode('index.php', $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
$_SESSION['baseurl'] = $bu1[0];

// redirect
redirect();

// define today
if (!$day) today();

// *******
// actions
// *******

// 1. action: logout
// logout -> login!
if ($module == 'logout') { logout(); }

// 2. action: change groups
// if change of group, set it in variable
if ($change_group) {
// is the user member of the requested group?
$result = db_query("SELECT grup_ID
FROM ".DB_PREFIX."grup_user
WHERE user_ID = '$user_ID'") or db_die();
while ($row = db_fetch_row($result)) {
$groups_[] = $row[0];
}
if (!in_array($change_group, $groups_)) {
exit;
}
$user_group = $change_group;
$sql_user_group = "(gruppe = '$user_group')";
$_SESSION['user_group'] =& $user_group;
}

// 3. action: close chat
// close chat? -> delete alivefile & chatfile
if ($chataction == 'logout') {
$alivefile = $user_group.'_alive';
$chatfile = $user_group.'_'.$chatfile;

// last person closes the light :-)
if (file_exists('chat/'.$alivefile)) {
$lines = file('chat/'.$alivefile);
}
if (!$lines[1]) {
// save chat file only if a flag in the config is set
if ($save_chat) {
// prepare name of file to save
$datum = date("D_d_M_Hui");
$newname = $datum.'-'.$user_group.'.txt';
copy("$chatfile","$newname");
}
if (file_exists("chat/$chatfile")) {
unlink("chat/$chatfile");
}
if (file_exists("chat/$alivefile")) {
unlink("chat/$alivefile");
}
}
}


// 4. action: call frames

// define how a modules starts: with tree view open or closed and x items/per page
if (!$tree_mode) {
if ($start_tree_mode) {
$tree_mode = $start_tree_mode;
} else {
$tree_mode = 'open';
}
}

// no module chosen?
if (!$module) {
if ($startmodule <> '') {
// take the start module for the settings ...
$module = $startmodule;
} else {
// or as the default value summary
$module = 'summary';
}
}

// redirect to where the user wanted to go, except logout page
if (strlen($_REQUEST['return_path']) and !ereg('logout', $_REQUEST['return_path'])) {
$return_path = urldecode($_REQUEST['return_path']);
if($return_path == '/'){
$return_path .= 'index.php';
}

if (strpos($return_path, "/")===0) {
$url = substr($return_path, 1);
}

if(strstr($url, '?')){
$url .= '&'.SID;
}
else{
$url .= '?'.SID;
}
header('Location: '.$url);
exit;
}

if ($module != 'logout') {
header('Location: '.$module.'/'.$module.'.php?'.$_SERVER['QUERY_STRING']);
exit;
}



// ****************
// logout functions
function logout() {
global $path_pre;
track_logout();
// store settings: filter, column width, sort
save_settings();
// destroy the session - on some systems the first, on some systems the second function doesn't work :-|
@session_unset();
@session_destroy();
unset($user_pw, $user_name, $module);
// call the loginscreen again
include $path_pre.'lib/auth.inc.php';
}

// track logout
function track_logout() {
global $dbTSnull;
if ($GLOBALS['logs'] and $GLOBALS['logID']) {
$logID = $GLOBALS['logID'];
$result2 = db_query("UPDATE ".DB_PREFIX."logs
SET logout = '$dbTSnull'
WHERE ID = '$logID'") or db_die();
}
}

function save_settings() {
global $user_ID, $f_sort, $flist, $diropen, $tdw;
$result = db_query("SELECT settings
FROM ".DB_PREFIX."users
WHERE ID = '$user_ID'") or db_die();
$row = db_fetch_row($result);
$tmp_settings = unserialize($row[0]);
if ($f_sort) $tmp_settings['f_sort_store'] = $f_sort;
if ($flist) $tmp_settings['flist_store'] = $flist;
if ($diropen) $tmp_settings['diropen_store'] = $diropen;
if ($tdw) $tmp_settings['tdw_store'] = $tdw;
if ($_SESSION['show_read_elements']) {
$tmp_settings['show_read_elements_settings'] = $_SESSION['show_read_elements'];
}
if ($_SESSION['show_archive_elements']) {
$tmp_settings['show_archive_elements_settings'] = $_SESSION['show_archive_elements'];
}

$result = db_query("UPDATE ".DB_PREFIX."users
SET settings = '".serialize($tmp_settings)."'
WHERE ID = '$user_ID'") or db_die();
}

?>
--------

auth.inc.php
-----------
<?php

// auth.inc.php - PHProjekt Version 5.0
// copyright 2000-2005 Albrecht Guenther [email protected]
// www.phprojekt.com
// Author: Albrecht Guenther, $Author: fgraf $
// $Id: auth.inc.php,v 1.30.2.3 2005/09/21 08:29:20 fgraf Exp $

// check whether lib.inc.php has been included
if (!defined('lib_included')) die('Please use index.php!');


include($path_pre.'lib/languages.inc.php');

$fetch_uservalues = 0;
// fetch language ...
$lang_found = 0;

// no language in settings -> choose browser language
if (!isset($langua)) {
$langua = getenv('HTTP_ACCEPT_LANGUAGE');
foreach ($languages as $langua1 => $langua2) {
if (eregi($langua1,$langua)) {
$langua = $langua1;
$lang_found = 1;
}
}
if ($lang_found) {
include($path_pre.'lang/'.$langua.'.inc.php');
}
else {
$langua = 'en';
include($path_pre.'lang/en.inc.php');
}
}

// set default skin
if (!isset($skin)) {
$skin = PHPR_SKIN;
}

// check for the appropriate login field ...
if (!PHPR_LOGIN_SHORT) {
$label = __('Last name');
$field_name = 'nachname';
}
else if (PHPR_LOGIN_SHORT == '1') {
$label = __('Short name');
$field_name = 'kurz';
}
else if ((PHPR_LOGIN_SHORT == '2') || (PHPR_LDAP == '1')) {
$label=__('Login name');
$field_name = 'loginname';
}

// no values from the session or the login form?-> show login form
if (!$user_pw and !$user_name) {
set_style();
if ($logintoken) {
$token = encrypt($logintoken, $logintoken);
$query = "SELECT l.user_ID, l.valid, l.used, l.ID, u.status
FROM ".DB_PREFIX."logintoken l, ".DB_PREFIX."users u
WHERE l.token = '$token'
AND l.user_ID = u.ID
AND u.status = 0";
$result = db_query($query);
$now = time();
$row = db_fetch_row($result);
//if ($now > mktime(substr($row[1], 8, 2), substr($row[1], 10, 2), substr($row[1], 12, 2), substr($row[1], 4, 2), substr($row[1], 6, 2), substr($row[1], 0, 4))) {
if ($row[4] == '1') {
// append return path to redirect the user to where he wanted to go
$return_path = urlencode($_REQUEST['return_path'] ? '?return_path='.$_REQUEST['return_path'] : '');
die(set_page_header().__('Sorry you are not allowed to enter.')."!<br /><a href='index.php$return_path'>".__('back')."</a> ...\n</body>\n</html>\n");
}
else if ($now > $row[1]) {
// FIXME: what is the next echo good for?!
//echo "now: $now und dann: $row[1]";
die(__('Your token has already been expired.'));
}
else if ($row[2] <> '') {
die(__('Your token has already been used.<br>If it wasnt you, who used the token please contact your administrator.'));
}
else {
$fetch_uservalues = $row[0];
$query = xss("UPDATE ".DB_PREFIX."logintoken
SET used = '".date('YmdHis', $now + PHPR_TIMEZONE*3600)."'
WHERE ID = '$row[3]'");
$result = db_query($query) or db_die();
}
// end check for &pw
}
if (!$fetch_uservalues) {
// see whether a welcome screen exists
if (is_file($path_pre.'img/welcome.jpg')) $background = 'background="'.$img_path.'/welcome.jpg"';
// if not, put the logo above
else $logo_img = $path_pre.'img/logo_ng.gif';
// show form
include_once($path_pre.'lib/authform.inc.php');
exit;
}
}
// values exist -> check authentication
else {
// add additional condition if logged to the admin section
if ($file == 'admin') $admin_login = "AND acc LIKE '%a%'";
else $admin_login = '';

// use ldap?
if (PHPR_LDAP == '1') {
$includefile4 = $path_pre.'lib/ldap_auth.inc.php';
include_once $includefile4;
}
// normal authentication system
else {
$query = "SELECT ID, pw
FROM ".DB_PREFIX."users
WHERE ".qss($field_name)." = '$loginstring'
AND status = 0
$admin_login";
$result = db_query($query);
// loop through all names in the table users and check password
while ($row = db_fetch_row($result)) {
// check for password encryption and if yes, crypt the value from the form
if ($user_pwenc) {
$enc_pw = $user_pwenc;
}
else if (PHPR_PW_CRYPT && !isset($_SESSION['user_pw'])) {
$enc_pw = encrypt($user_pw, $row[1]);
}
// just the unencrypted password
else {
$enc_pw = $user_pw;
}
// great! I found an entry for you!
if ($row[1] == $enc_pw) {
// store the found user_ID
$fetch_uservalues = $row[0];
} // end check for &pw
} // end loop over all found users with the same loginstring
} // end case for non-ldap auth
} // end else bracket for authentication

// no record found? -> display error message
if (!$fetch_uservalues) {
// destroy the session - on some systems the first, on some systems the second function doesn't work :-))
@session_unset();
@session_destroy();
// append return path to redirect the user to where he wanted to go
$return_path = $_REQUEST['return_path'] ? '?return_path='.urlencode($_REQUEST['return_path']) : '';
if (defined('soap_request')) soapFaultDie(__('Sorry you are not allowed to enter.'), __('Sorry you are not allowed to enter.'));
die(set_page_header().__('Sorry you are not allowed to enter.')."! <br /><a href='index.php".$return_path.">".__('back')."</a> ...</body></html>\n");
}
// fetch the user values and store them in the session!
else {
// fetch the data ...
$result = db_query("SELECT ID, vorname, nachname, kurz, email, loginname,
sms, gruppe, settings, acc, sprache, pw
FROM ".DB_PREFIX."users
WHERE ID = '$fetch_uservalues'") or db_die();
$row = db_fetch_row($result);
// fill the user data into variables
if ($logintoken) {
$loginstring = $row[5];
$user_pwenc = $row[11];
}
$user_ID = $row[0];
$user_firstname = $row[1];
$user_name = $row[2];
$user_kurz = $row[3];
$user_email = $row[4];
$user_loginname = $row[5];
$user_smsnr = $row[6]; //sms nr
// overwrite the found language of the browser with the admin setting
if ($row[10] <> '') $langua = $row[10];
// Take the default group from the data set unless the user has chosen another one during the session
if (!$user_group) $user_group = $row[7] + 0;

// fetch settings
$settings = unserialize($row[8]);
if ($settings) {
foreach($settings as $key => $value) {
if ($value <> '') $$key = $value;
}
}
/*
// do the date format stuff
require_once($path_pre.'lib/date_format.php');
$user_date_format = new PHProjekt_Date_Format($date_format);
$date_format = $user_date_format->get_user_format();
*/
// fetch access: first character is for the user status, second one for the visibility of his calendar
$user_access = $row[9];
// have a look into the group table: maybe he's the leader of the group -> declare him as chief ;-)
if ($user_group > 0) {
$result2 = db_query("SELECT chef
FROM ".DB_PREFIX."gruppen
WHERE ID = '$user_group'") or db_die();
$row2 = db_fetch_row($result2);
if ($row2[0] == $user_ID) $user_access = 'c'.substr($user_access, 0, 1);
}
unset ($row);
include_once($path_pre.'lang/'.$langua.'.inc.php');

// set time
$dbTSnull = date('YmdHis', mktime(date('H')+PHPR_TIMEZONE, date('i'), date('s'), date('m'), date('d'), date('Y')));
// track the login
if (PHPR_LOGS and !$logID and $user_ID) {
$result2 = db_query(xss("INSERT INTO ".DB_PREFIX."logs
( ID, von, login )
VALUES ($dbIDnull, '$user_ID', '$dbTSnull')")) or db_die();
// store logID for the logout
$result2 = db_query("SELECT ID
FROM ".DB_PREFIX."logs
WHERE von = '$user_ID'
AND login = '$dbTSnull'") or db_die();
$row2 = db_fetch_row($result2);
$logID = $row2[0];
}
// crypt password in session
$user_pw = $enc_pw;

// register user variables in session
$_SESSION['user_ID'] =& $user_ID;
$_SESSION['user_name'] =& $user_name;
$_SESSION['user_firstname'] =& $user_firstname;
$_SESSION['user_pw'] =& $user_pw;
$_SESSION['user_group'] =& $user_group;
$_SESSION['user_kurz'] =& $user_kurz;
$_SESSION['user_access'] =& $user_access;
$_SESSION['user_loginname'] =& $user_loginname;
$_SESSION['user_email'] =& $user_email;
$_SESSION['langua'] =& $langua;
$_SESSION['loginstring'] =& $loginstring;
$_SESSION['user_pwenc'] =& $user_pwenc;
$_SESSION['logID'] =& $logID;
$_SESSION['user_smsnr'] =& $user_smsnr;

}

?>
----------

the second one is included; in the login form I added "_blank" as the target
when I test it, it does indeed neatly open the rest in a new window, but is this still risky for security?
sorry
the second script should be this one
<?php

// authform.inc.php - PHProjekt Version 5.0
// copyright © 2000-2005 Albrecht Guenther [email protected]
// www.phprojekt.com
// Author: Albrecht Guenther, $Author: fgraf $
// $Id: authform.inc.php,v 1.24.2.1 2005/09/21 08:29:20 fgraf Exp $

if (!defined('lib_included')) die('Please use index.php!');

if (!$path_pre) $path_pre = '../';


if (!$langua) {
$langua = getenv('HTTP_ACCEPT_LANGUAGE');
$found = false;
foreach ($languages as $langua1) {
if (eregi($langua1, $langua)) {
$langua = $langua1;
$found = true;
break;
}
}
if ($found) {
include_once($lang_path.'/'.$langua.'.inc.php');
}
else {
$langua = 'en';
include_once($lang_path.'/en.inc.php');
}
}

$support_html = '';
$css_style = '';

if (!strstr($_SERVER['QUERY_STRING'], 'module=logout')) {
$return_path = urlencode('/'.$_SERVER['REQUEST_URI']);
}
else {
$return_path = 'index.php';
}

$module = "login";
echo set_page_header();

if ($_SERVER['PHP_SELF'] == '/'.PHPR_INSTALL_DIR.'index.php') {
echo '
<br /><br />
<div style="background-color:#DC6417;height:41px;width:100%;">
<img src="/'.PHPR_INSTALL_DIR.'layout/default/img/logo.png" alt="PHProjekt Logo" />
</div>
';
}

?>

<br />

<div class="center">
<div id="logo" class="center"></div>
<form action="<?php echo $path_pre; ?>index.php" method="post" name="frm">
<input type="hidden" name="loginform" value="1" />
<input type="hidden" size="100" name="return_path" value="<?php echo $return_path; ?>" />
<fieldset class="login">
<legend><?php echo __('Log in, please'); ?></legend>
<label for="loginstring" class="login"><?php echo __('Login'); ?></label>
<input class="left" type="text" tabindex="1" name="loginstring" id="loginstring" size="33" title="<?php echo __('Please enter your user name here.'); ?>" /><br />
<label for="user_pw" class="login"><?php echo __('Password'); ?></label>
<input class="left" type="password" tabindex="2" name="user_pw" id="user_pw" size="33" title="<?php echo __('Please enter your password here.'); ?>" /><br />
<input class="login" type="submit" value="<?php echo __('go'); ?>" title="<?php echo __('Click here to login.'); ?>" />
</fieldset>
</form>
</div>

<script type="text/javascript">
<!--
if (document.frm.loginstring.value == "") {
document.frm.loginstring.focus();
}
//-->
</script>

</body>
</html>
