author | andi <andi@splitbrain.org> | 2005-05-14 21:22:08 +0200 |
---|---|---|
committer | andi <andi@splitbrain.org> | 2005-05-14 21:22:08 +0200 |
commit | 42ee9defc8cd47d809d5627779f9d9c867032238 (patch) | |
tree | f717c7dfccf4c2e640611c2f06250336f5207516 /inc/auth_mysql.php | |
parent | dc42ff597f3280d231d001acbb61c403f07d29af (diff) | |
download | rpg-42ee9defc8cd47d809d5627779f9d9c867032238.tar.gz rpg-42ee9defc8cd47d809d5627779f9d9c867032238.tar.bz2 |
various auth_mysql fixes
This patch adds more flexibility and security to the mysql_auth backend.
You now can omit the getgroupid and addusergroup configs if you don't need
them. The default groupname is available in addusergroup and adduser now, too.
Last but not least calls to addslashes were added to avoid SQL injection.
darcs-hash:20050514192208-9977f-d970834ca68a896e725c4911639a311217dee792.gz
Diffstat (limited to 'inc/auth_mysql.php')
-rw-r--r-- | inc/auth_mysql.php | 60 |
1 files changed, 38 insertions, 22 deletions
diff --git a/inc/auth_mysql.php b/inc/auth_mysql.php
index 0bd6c0a8e..758fe3b77 100644
--- a/inc/auth_mysql.php
+++ b/inc/auth_mysql.php
@@ -134,33 +134,49 @@ function auth_createUser($user,$pass,$name,$mail){
 global $conf;
 $cnf = $conf['auth']['mysql'];
+ //check if user exists
 $info = auth_getUserData($user);
 if ($info != false) return false;
+
+ //get groupid of default group
+ if($cnf['getgroupid']){
+ $sql = str_replace('%g',addslashes($conf['defaultgroup']),$cnf['getgroupid']);
+ $result = auth_mysql_runsql($sql);
+ if($result === false) return null;
+ if (count($result) == 1){
+ $gid = $result[0]['gid'];
+ }else{
+ msg("MySQL: Couldn't find the default group",-1);
+ return null;
+ }
+ }
- $sql = str_replace('%g',$conf['defaultgroup'],$cnf['getgroupid']);
- $result = auth_mysql_runsql($sql);
-
- if (count($result) == 1) {
- $gid = $result[0]['gid'];
-
- $sql = str_replace('%u',$user,$cnf['adduser']);
- $sql = str_replace('%p',auth_cryptPassword($pass),$sql);
- $sql = str_replace('%n',$name,$sql);
- $sql = str_replace('%e',$mail,$sql);
- $uid = auth_mysql_runsql($sql);
-
- if ($uid != 0) {
- $sql = str_replace('%uid',$uid,$cnf['addusergroup']);
- $sql = str_replace('%gid',$gid,$sql);
- auth_mysql_runsql($sql);
- return $pass;
- } else
- msg("Registering of the new user '$user' failed!", -1);
+ //prepare the insert
+ $sql = str_replace('%u' ,addslashes($user),$cnf['adduser']);
+ $sql = str_replace('%p' ,addslashes(auth_cryptPassword($pass)),$sql);
+ $sql = str_replace('%n' ,addslashes($name),$sql);
+ $sql = str_replace('%e' ,addslashes($mail),$sql);
+ $sql = str_replace('%gid',addslashes($gid),$sql);
+ $sql = str_replace('%g' ,addslashes($conf['defaultgroup']),$sql);
- } else
- msg("The default group is not cleanly defined in the database!", -1);
+ //do the insert
+ $uid = auth_mysql_runsql($sql);
+ if($uid == 0){
+ msg("Registering of the new user '$user' failed!", -1);
+ return null;
+ }
+
+ //add to default group
+ if ($cnf['addusergroup']) {
+ $sql = str_replace('%uid',addslashes($uid),$cnf['addusergroup']);
+ $sql = str_replace('%u' ,addslashes($user),$sql);
+ $sql = str_replace('%gid',addslashes($gid),$sql);
+ $sql = str_replace('%g' ,addslashes($conf['defaultgroup']),$sql);
+ $result = auth_mysql_runsql($sql);
+ if($result === false) msg("MySQL: couldn't add user to the default group");
+ }
- return null;
+ return $pass;
 }
 //Setup VIM: ex: et ts=2 enc=utf-8 : |
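Review bot: The escaping added in the `//prepare the insert` and `//add to default group` blocks uses addslashes(), which knows nothing about the connection's character set and so is not a dependable guard against SQL injection once non-ASCII charsets are in play; every substituted value should go through the driver's own escape function instead, e.g. `$sql = str_replace('%u' ,mysql_real_escape_string($user),$cnf['adduser']);`, assuming the link opened by auth_mysql_runsql is already established here, which the hunk does not show. A second gap: now that `$cnf['getgroupid']` may be omitted, `$gid` is never assigned in that case, so the two `%gid` replacements substitute an empty string and raise a notice; either initialise `$gid = '';` before the `if($cnf['getgroupid'])` block or reject a `%gid` placeholder when no group lookup is configured. Because the placeholders are replaced one after another, a value that itself contains a later token (a name containing `%e`, say) is rewritten by the following str_replace; a single `strtr($cnf['adduser'], [...])` with all escaped values avoids that re-substitution. Minor: the final `msg("MySQL: couldn't add user to the default group")` omits the `-1` severity that every other error message in the function passes. auth_createUser's signature line lies before the hunk.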