< ? php
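$connection = ''; // becomes the driver connection once connect() succeeds, or an error string; '' means "not connected yet"
$token = $_SESSION["token"]; // empty on the first request of a session; auth_error() relies on that to tell "expired" from "new"
if (!$_SESSION["token"]) {
	// defense against cross-site request forgery: a per-session secret every POST has to echo back
	// random_int() is a CSPRNG (PHP 7+); rand() is kept only as the fallback for older runtimes
	$_SESSION["token"] = (function_exists('random_int') ? random_int(1, 1000000) : rand(1, 1e6));
}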
$permanent = array(); // permanent-login cookie entries ("key:cipher"), indexed by their key part
if ($_COOKIE["adminer_permanent"]) {
	// the cookie is a space-separated list of entries
	$entries = explode(" ", $_COOKIE["adminer_permanent"]);
	foreach ($entries as $entry) {
		$parts = explode(":", $entry); // base64 never contains ':', so the first part is the whole key
		$permanent[$parts[0]] = $entry;
	}
}
$auth = $_POST["auth"]; // login form fields: driver, server, username, password, db, permanent
if ($auth) {
	session_regenerate_id(); // defense against session fixation
	// credentials live only in the session, keyed by driver/server/username
	$_SESSION["pwds"][$auth["driver"]][$auth["server"]][$auth["username"]] = $auth["password"];
	$_SESSION["db"][$auth["driver"]][$auth["server"]][$auth["username"]][$auth["db"]] = true;
	if ($auth["permanent"]) {
		// cookie key: base64 parts joined by '-' (base64 never contains '-', so the key splits back unambiguously)
		$key = base64_encode($auth["driver"]) . "-" . base64_encode($auth["server"]) . "-" . base64_encode($auth["username"]) . "-" . base64_encode($auth["db"]);
		// encryption key supplied by the Adminer customization; presumably created on the true argument — confirm in permanentLogin()
		$private = $adminer->permanentLogin(true);
		// the cookie carries the password encrypted with $private, or an empty cipher when no key is available
		$permanent[$key] = "$key:" . base64_encode($private ? encrypt_string($auth["password"], $private) : "");
		cookie("adminer_permanent", implode(" ", $permanent));
	}
	// move to the URL of the submitted login when it differs from the current one (or when the form carried nothing but auth)
	if (count($_POST) == 1 // 1 - auth
		|| DRIVER != $auth["driver"]
		|| SERVER != $auth["server"]
		|| $_GET["username"] !== $auth["username"] // "0" == "00"
		|| DB != $auth["db"]
	) {
		redirect(auth_url($auth["driver"], $auth["server"], $auth["username"], $auth["db"]));
	}

} elseif ($_POST["logout"]) {
	// logout is state-changing, so it needs the CSRF token (skipped only when the session has no token yet)
	if ($token && $_POST["token"] != $token) {
		page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));
		page_footer("db");
		exit;
	} else {
		// drop every credential-related session key, then the permanent cookie entry for this login
		foreach (array("pwds", "db", "dbs", "queries") as $key) {
			set_session($key, null);
		}
		unset_permanent();
		// strip username/db/ns from the current URL (ME — presumably the script's own URL) and its trailing separator
		redirect(substr(preg_replace('~\b(username|db|ns)=[^&]*&~', '', ME), 0, -1), lang('Logout successful.'));
	}

} elseif ($permanent && !$_SESSION["pwds"]) {
	// no password in the session but a permanent-login cookie exists: restore every stored login from it
	session_regenerate_id();
	$private = $adminer->permanentLogin(); // decryption key; NOTE(review): expected to match the key used when the cookie was written — confirm
	foreach ($permanent as $key => $val) {
		list(, $cipher) = explode(":", $val);
		list($driver, $server, $username, $db) = array_map('base64_decode', explode("-", $key));
		$_SESSION["pwds"][$driver][$server][$username] = decrypt_string(base64_decode($cipher), $private);
		$_SESSION["db"][$driver][$server][$username][$db] = true;
	}
}
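/** Remove the permanent-login cookie entry of the current DRIVER/SERVER/username/DB and rewrite the cookie
* Operates on the global $permanent map (key => "key:cipher") and always re-sends the cookie.
* @return null
*/
function unset_permanent() {
	global $permanent;
	foreach ($permanent as $key => $val) {
		list($driver, $server, $username, $db) = array_map('base64_decode', explode("-", $key));
		// username is compared strictly, as in the login check: with == a "0" and a "00" account would match each other
		if ($driver == DRIVER && $server == SERVER && $username === $_GET["username"] && $db == DB) {
			unset($permanent[$key]);
		}
	}
	cookie("adminer_permanent", implode(" ", $permanent));
}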
/** Print the login page, with the reason the previous attempt failed when one is known
* @param Exception|null $exception driver exception to show; null falls back to $connection (when it holds an error string) or a generic message
* @return null
*/
function auth_error($exception = null) {
	global $connection, $adminer, $token;
	$sid_name = session_name();
	$error = "";
	if (!$_COOKIE[$sid_name] && $_GET[$sid_name] && ini_bool("session.use_only_cookies")) {
		// the session id only arrived in the URL, which this server is configured to ignore
		$error = lang('Session support must be enabled.');
	} elseif (isset($_GET["username"])) {
		if (!$token && ($_COOKIE[$sid_name] || $_GET[$sid_name])) {
			// a session id was presented but no CSRF token exists for it: the session is gone
			$error = lang('Session expired, please login again.');
		} else {
			$password = &get_session("pwds");
			if ($password !== null) {
				if ($exception) {
					$message = $exception->getMessage();
				} elseif (is_string($connection)) {
					$message = $connection;
				} else {
					$message = lang('Invalid credentials.');
				}
				$error = h($message);
				if ($password === false) {
					$error .= '<br>' . lang('Master password expired. <a href="http://www.adminer.org/en/extension/" target="_blank">Implement</a> %s method to make it permanent.', '<code>permanentLogin()</code>');
				}
				// forget the rejected password so it is not silently retried
				$password = null;
			}
			unset_permanent();
		}
	}
	page_header(lang('Login'), $error, null);
	echo "<form action='' method='post'>\n";
	$adminer->loginForm();
	echo "<div>";
	hidden_fields($_POST, array("auth")); // expired session
	echo "</div>\n";
	echo "</form>\n";
	page_footer("auth");
}
$username_given = isset($_GET["username"]);
if ($username_given && !class_exists("Min_DB")) {
	// a login was requested but no PHP extension backs the selected driver: forget the stored login and stop
	unset($_SESSION["pwds"][DRIVER]);
	unset_permanent();
	page_header(lang('No extension'), lang('None of the supported PHP extensions (%s) are available.', implode(", ", $possible_drivers)), false);
	page_footer("auth");
	exit;
}
if ($username_given) {
	$connection = connect();
}

// a string $connection is an error message; only a real connection is offered to the login hook
$login_ok = !is_string($connection) && $adminer->login($_GET["username"], get_session("pwds"));
if (!$login_ok) {
	auth_error();
	exit;
}
$token = $_SESSION["token"]; ///< @var string CSRF protection
if ($auth) {
	// an explicit login form is accepted without a token match, so make the posted token equal the session one for the check below
	if ($_POST["token"]) {
		$_POST["token"] = $token;
	}
}
$error = ''; ///< @var string
if ($_POST) {
	if ($_POST["token"] != $token) {
		// find the tightest field-count limit in effect: a missing token under such a limit means the form was truncated, not forged
		$directive = "max_input_vars";
		$limit = ini_get($directive);
		$candidates = (extension_loaded("suhosin") ? array("suhosin.request.max_vars", "suhosin.post.max_vars") : array());
		foreach ($candidates as $candidate) {
			$value = ini_get($candidate);
			if (!$value) {
				continue;
			}
			if (!$limit || $value < $limit) {
				$directive = $candidate;
				$limit = $value;
			}
		}
		if (!$_POST["token"] && $limit) {
			$error = lang('Maximum number of allowed fields exceeded. Please increase %s.', "'$directive'");
		} else {
			$error = lang('Invalid CSRF token. Send the form again.');
		}
	}

} elseif ($_SERVER["REQUEST_METHOD"] == "POST") {
	// posted form with no data means that post_max_size exceeded because Adminer always sends token at least
	$error = lang('Too big POST data. Reduce the data or increase the %s configuration directive.', "'post_max_size'");
	if (isset($_GET["sql"])) {
		$error .= ' ' . lang('You can upload a big SQL file via FTP and import it from server.');
	}
}