New area to report status messages and errors

[misc/kostenrechnung] / lib / login.php

<?php

function passwd($login,$pass)
{
  return md5(md5($pass).$login);
}

function check_passwd()
{
  if (empty($_POST['login']) || empty($_POST['passwd']))
    return false;

  $sql = sprintf("SELECT * FROM sys_user WHERE login = '%s' AND passwd = '%s'",
                 pg_escape_string($_POST['login']), passwd($_POST['login'], $_POST['passwd']));

  $sth = pg_query($sql);

  if ($sth === false) return false;

  if (substr($_SERVER['HTTP_REFERER'],-12) != '/?login=true'
      || substr($_SERVER['SCRIPT_FILENAME'],-10) != '/index.php') {
    error_log('Wrong referrer or wrong request uri');
    return false;
  }

  if ($row = pg_fetch_assoc($sth)) {
    $_SESSION['sys'] = array('uid' => $row['id'],
                             'login' => $row['login'],
                             'name' => $row['name'],
                             'email' => $row['email'],
                             'basedir' => substr($_SERVER['SCRIPT_FILENAME'],0,-9));
    return true;
  }

  error_log('Failed login attempt for user ' . $_POST['login']);
  return false;
}

function mask_login()
{
  $ret = '<div class="login">';

  $ret .= '<div align="center">';
  $ret .= '<form action="index.php" method="POST">';
  $ret .= '<table class="login" cellpadding="5">';
  $ret .= '<tr><th align="left" colspan="2" style="background: #BBD9EE;">Anmeldung</th></tr>';

  $ret .= '<tr><th align="right">Login</th><td><input type="text" name="login" size="15"></td></tr>';
  $ret .= '<tr><th align="right">Passwort</th><td><input type="password" name="passwd" size="15"></td></tr>';

  $ret .= '<tr><td colspan="2" align="center"><input type="submit" value="Anmelden"></td></tr>';

  $ret .= '</table>';
  $ret .= '</form>';
  $ret .= '</div>';
  $ret .= '</div>';

  return $ret;
}

?>