adminerevo/adminer/include/auth.inc.php

<?php
$connection = '';

$has_token = $_SESSION["token"];
if (!$has_token) {
	$_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
}
$token = get_token(); ///< @var string CSRF protection

$permanent = array();
if ($_COOKIE["adminer_permanent"]) {
	foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) {
		list($key) = explode(":", $val);
		$permanent[$key] = $val;
	}
}

function add_invalid_login() {
	global $adminer;
	$filename = get_temp_dir() . "/adminer.invalid";
	$fp = @fopen($filename, "r+"); // @ - may not exist
	if (!$fp) { // c+ is available since PHP 5.2.6
		$fp = @fopen($filename, "w"); // @ - may not be writable
		if (!$fp) {
			return;
		}
	}
	flock($fp, LOCK_EX);
	$invalids = unserialize(stream_get_contents($fp));
	$time = time();
	if ($invalids) {
		foreach ($invalids as $ip => $val) {
			if ($val[0] < $time) {
				unset($invalids[$ip]);
			}
		}
	}
	$invalid = &$invalids[$adminer->bruteForceKey()];
	if (!$invalid) {
		$invalid = array($time + 30*60, 0); // active for 30 minutes
	}
	$invalid[1]++;
	$serialized = serialize($invalids);
	rewind($fp);
	fwrite($fp, $serialized);
	ftruncate($fp, strlen($serialized));
	flock($fp, LOCK_UN);
	fclose($fp);
}

$auth = $_POST["auth"];
if ($auth) {
	$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist
	$invalid = $invalids[$adminer->bruteForceKey()];
	$next_attempt = ($invalid[1] > 30 ? $invalid[0] - time() : 0); // allow 30 invalid attempts
	if ($next_attempt > 0) { //! do the same with permanent login
		auth_error(lang('Too many unsuccessful logins, try again in %d minute(s).', ceil($next_attempt / 60)));
	}
	session_regenerate_id(); // defense against session fixation
	$driver = $auth["driver"];
	$server = $auth["server"];
	$username = $auth["username"];
	$password = (string) $auth["password"];
	$db = $auth["db"];
	set_password($driver, $server, $username, $password);
	$_SESSION["db"][$driver][$server][$username][$db] = true;
	if ($auth["permanent"]) {
		$key = base64_encode($driver) . "-" . base64_encode($server) . "-" . base64_encode($username) . "-" . base64_encode($db);
		$private = $adminer->permanentLogin(true);
		$permanent[$key] = "$key:" . base64_encode($private ? encrypt_string($password, $private) : "");
		cookie("adminer_permanent", implode(" ", $permanent));
	}
	if (count($_POST) == 1 // 1 - auth
		|| DRIVER != $driver
		|| SERVER != $server
		|| $_GET["username"] !== $username // "0" == "00"
		|| DB != $db
	) {
		redirect(auth_url($driver, $server, $username, $db));
	}
	
} elseif ($_POST["logout"]) {
	if ($has_token && !verify_token()) {
		page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));
		page_footer("db");
		exit;
	} else {
		foreach (array("pwds", "db", "dbs", "queries") as $key) {
			set_session($key, null);
		}
		unset_permanent();
		redirect(substr(preg_replace('~\b(username|db|ns)=[^&]*&~', '', ME), 0, -1), lang('Logout successful.'));
	}
	
} elseif ($permanent && !$_SESSION["pwds"]) {
	session_regenerate_id();
	$private = $adminer->permanentLogin();
	foreach ($permanent as $key => $val) {
		list(, $cipher) = explode(":", $val);
		list($vendor, $server, $username, $db) = array_map('base64_decode', explode("-", $key));
		set_password($vendor, $server, $username, decrypt_string(base64_decode($cipher), $private));
		$_SESSION["db"][$vendor][$server][$username][$db] = true;
	}
}

function unset_permanent() {
	global $permanent;
	foreach ($permanent as $key => $val) {
		list($vendor, $server, $username, $db) = array_map('base64_decode', explode("-", $key));
		if ($vendor == DRIVER && $server == SERVER && $username == $_GET["username"] && $db == DB) {
			unset($permanent[$key]);
		}
	}
	cookie("adminer_permanent", implode(" ", $permanent));
}

function auth_error($error) {
	global $adminer, $has_token;
	$session_name = session_name();
	if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {
		$error = lang('Session support must be enabled.');
	} elseif (isset($_GET["username"])) {
		if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$has_token) {
			$error = lang('Session expired, please login again.');
		} else {
			add_invalid_login();
			$password = get_password();
			if ($password !== null) {
				if ($password === false) {
					$error .= '<br>' . lang('Master password expired. <a href="http://www.adminer.org/en/extension/" target="_blank">Implement</a> %s method to make it permanent.', '<code>permanentLogin()</code>');
				}
				set_password(DRIVER, SERVER, $_GET["username"], null);
			}
			unset_permanent();
		}
	}
	$params = session_get_cookie_params();
	cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
	page_header(lang('Login'), $error, null);
	echo "<form action='' method='post'>\n";
	$adminer->loginForm();
	echo "<div>";
	hidden_fields($_POST, array("auth")); // expired session
	echo "</div>\n";
	echo "</form>\n";
	page_footer("auth");
	exit;
}

if (isset($_GET["username"])) {
	if (!class_exists("Min_DB")) {
		unset($_SESSION["pwds"][DRIVER]);
		unset_permanent();
		page_header(lang('No extension'), lang('None of the supported PHP extensions (%s) are available.', implode(", ", $possible_drivers)), false);
		page_footer("auth");
		exit;
	}
	$connection = connect();
}

$driver = new Min_Driver($connection);

if (!is_object($connection) || !$adminer->login($_GET["username"], get_password())) {
	auth_error((is_string($connection) ? $connection : lang('Invalid credentials.')));
}

if ($auth && $_POST["token"]) {
	$_POST["token"] = $token; // reset token after explicit login
}

$error = ''; ///< @var string
if ($_POST) {
	if (!verify_token()) {
		$ini = "max_input_vars";
		$max_vars = ini_get($ini);
		if (extension_loaded("suhosin")) {
			foreach (array("suhosin.request.max_vars", "suhosin.post.max_vars") as $key) {
				$val = ini_get($key);
				if ($val && (!$max_vars || $val < $max_vars)) {
					$ini = $key;
					$max_vars = $val;
				}
			}
		}
		$error = (!$_POST["token"] && $max_vars
			? lang('Maximum number of allowed fields exceeded. Please increase %s.', "'$ini'")
			: lang('Invalid CSRF token. Send the form again.')
		);
	}
	
} elseif ($_SERVER["REQUEST_METHOD"] == "POST") {
	// posted form with no data means that post_max_size exceeded because Adminer always sends token at least
	$error = lang('Too big POST data. Reduce the data or increase the %s configuration directive.', "'post_max_size'");
	if (isset($_GET["sql"])) {
		$error .= ' ' . lang('You can upload a big SQL file via FTP and import it from server.');
	}
}
Decomposition New functions git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@2 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2007-07-02 05:51:26 +00:00			`<?php`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`$connection = '';`

Protect CSRF token against BREACH 2013-10-25 02:10:50 +00:00			`$has_token = $_SESSION["token"];`
			`if (!$has_token) {`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`$_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery`
			`}`
Protect CSRF token against BREACH 2013-10-25 02:10:50 +00:00			`$token = get_token(); ///< @var string CSRF protection`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00
Store several permanent logins 2010-05-07 14:31:14 +00:00			`$permanent = array();`
			`if ($_COOKIE["adminer_permanent"]) {`
			`foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) {`
			`list($key) = explode(":", $val);`
			`$permanent[$key] = $val;`
			`}`
			`}`

Prevent against brute force login attempts from the same IP address 2014-03-22 05:47:34 +00:00			`function add_invalid_login() {`
			`global $adminer;`
			`$filename = get_temp_dir() . "/adminer.invalid";`
			`$fp = @fopen($filename, "r+"); // @ - may not exist`
			`if (!$fp) { // c+ is available since PHP 5.2.6`
Silence error for unwriteable file 2014-03-25 16:35:49 +00:00			`$fp = @fopen($filename, "w"); // @ - may not be writable`
Prevent against brute force login attempts from the same IP address 2014-03-22 05:47:34 +00:00			`if (!$fp) {`
			`return;`
			`}`
			`}`
			`flock($fp, LOCK_EX);`
			`$invalids = unserialize(stream_get_contents($fp));`
			`$time = time();`
			`if ($invalids) {`
			`foreach ($invalids as $ip => $val) {`
			`if ($val[0] < $time) {`
			`unset($invalids[$ip]);`
			`}`
			`}`
			`}`
			`$invalid = &$invalids[$adminer->bruteForceKey()];`
			`if (!$invalid) {`
			`$invalid = array($time + 30*60, 0); // active for 30 minutes`
			`}`
			`$invalid[1]++;`
			`$serialized = serialize($invalids);`
			`rewind($fp);`
			`fwrite($fp, $serialized);`
			`ftruncate($fp, strlen($serialized));`
			`flock($fp, LOCK_UN);`
			`fclose($fp);`
			`}`

Use namespace in login form 2012-05-14 07:08:32 +00:00			`$auth = $_POST["auth"];`
			`if ($auth) {`
Prevent against brute force login attempts from the same IP address 2014-03-22 05:47:34 +00:00			`$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist`
			`$invalid = $invalids[$adminer->bruteForceKey()];`
			`$next_attempt = ($invalid[1] > 30 ? $invalid[0] - time() : 0); // allow 30 invalid attempts`
			`if ($next_attempt > 0) { //! do the same with permanent login`
			`auth_error(lang('Too many unsuccessful logins, try again in %d minute(s).', ceil($next_attempt / 60)));`
			`}`
Disable session.use_trans_sid to preserve export result Do not depend on session.use_trans_sid without cookies git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1050 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-08-30 22:21:36 +00:00			`session_regenerate_id(); // defense against session fixation`
Save bytes 2013-08-11 02:11:35 +00:00			`$driver = $auth["driver"];`
			`$server = $auth["server"];`
			`$username = $auth["username"];`
SQLite: Ignore server, username and password 2014-02-21 16:53:58 +00:00			`$password = (string) $auth["password"];`
Save bytes 2013-08-11 02:11:35 +00:00			`$db = $auth["db"];`
			`set_password($driver, $server, $username, $password);`
			`$_SESSION["db"][$driver][$server][$username][$db] = true;`
Fix saving permanent login 2013-10-25 05:40:05 +00:00			`if ($auth["permanent"]) {`
Save bytes 2013-08-11 02:11:35 +00:00			`$key = base64_encode($driver) . "-" . base64_encode($server) . "-" . base64_encode($username) . "-" . base64_encode($db);`
Notify user about expired master password for permanent login 2013-06-11 09:02:17 +00:00			`$private = $adminer->permanentLogin(true);`
Save bytes 2013-08-11 02:11:35 +00:00			`$permanent[$key] = "$key:" . base64_encode($private ? encrypt_string($password, $private) : "");`
Store several permanent logins 2010-05-07 14:31:14 +00:00			`cookie("adminer_permanent", implode(" ", $permanent));`
Permanent login git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1281 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-12-18 17:39:48 +00:00			`}`
Use namespace in login form 2012-05-14 07:08:32 +00:00			`if (count($_POST) == 1 // 1 - auth`
Save bytes 2013-08-11 02:11:35 +00:00			`\|\| DRIVER != $driver`
			`\|\| SERVER != $server`
			`\|\| $_GET["username"] !== $username // "0" == "00"`
			`\|\| DB != $db`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`) {`
Save bytes 2013-08-11 02:11:35 +00:00			`redirect(auth_url($driver, $server, $username, $db));`
Disable session.use_trans_sid to preserve export result Do not depend on session.use_trans_sid without cookies git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1050 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-08-30 22:21:36 +00:00			`}`
Add empty lines to source code 2013-05-02 01:28:04 +00:00
Permanent login git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1281 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-12-18 17:39:48 +00:00			`} elseif ($_POST["logout"]) {`
Protect CSRF token against BREACH 2013-10-25 02:10:50 +00:00			`if ($has_token && !verify_token()) {`
Logout by POST git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@387 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2008-04-10 15:10:10 +00:00			`page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));`
			`page_footer("db");`
			`exit;`
			`} else {`
Store database to permanent login 2012-09-09 04:29:16 +00:00			`foreach (array("pwds", "db", "dbs", "queries") as $key) {`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`set_session($key, null);`
Don't require login to logout git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1223 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-11-02 16:13:01 +00:00			`}`
Unset wrong login from permanent logins 2012-09-09 03:54:02 +00:00			`unset_permanent();`
Use stricter regexp in URL 2013-07-03 17:34:19 +00:00			`redirect(substr(preg_replace('~\b(username\|db\|ns)=[^&]*&~', '', ME), 0, -1), lang('Logout successful.'));`
Logout by POST git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@387 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2008-04-10 15:10:10 +00:00			`}`
Add empty lines to source code 2013-05-02 01:28:04 +00:00
Rename variables to avoid conflict with Adminer 2 sessions and enabled register_globals 2010-10-15 08:58:08 +00:00			`} elseif ($permanent && !$_SESSION["pwds"]) {`
Store several permanent logins 2010-05-07 14:31:14 +00:00			`session_regenerate_id();`
Notify user about expired master password for permanent login 2013-06-11 09:02:17 +00:00			`$private = $adminer->permanentLogin();`
Store several permanent logins 2010-05-07 14:31:14 +00:00			`foreach ($permanent as $key => $val) {`
			`list(, $cipher) = explode(":", $val);`
Rename variable 2013-07-05 15:28:37 +00:00			`list($vendor, $server, $username, $db) = array_map('base64_decode', explode("-", $key));`
Prepare for crypting passwords stored in session 2013-08-11 02:06:21 +00:00			`set_password($vendor, $server, $username, decrypt_string(base64_decode($cipher), $private));`
Rename variable 2013-07-05 15:28:37 +00:00			`$_SESSION["db"][$vendor][$server][$username][$db] = true;`
Permanent login git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1281 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-12-18 17:39:48 +00:00			`}`
			`}`

Unset wrong login from permanent logins 2012-09-09 03:54:02 +00:00			`function unset_permanent() {`
			`global $permanent;`
Store database to permanent login 2012-09-09 04:29:16 +00:00			`foreach ($permanent as $key => $val) {`
Rename variable 2013-07-05 15:28:37 +00:00			`list($vendor, $server, $username, $db) = array_map('base64_decode', explode("-", $key));`
			`if ($vendor == DRIVER && $server == SERVER && $username == $_GET["username"] && $db == DB) {`
Store database to permanent login 2012-09-09 04:29:16 +00:00			`unset($permanent[$key]);`
			`}`
Unset wrong login from permanent logins 2012-09-09 03:54:02 +00:00			`}`
Store database to permanent login 2012-09-09 04:29:16 +00:00			`cookie("adminer_permanent", implode(" ", $permanent));`
Unset wrong login from permanent logins 2012-09-09 03:54:02 +00:00			`}`

Prevent against brute force login attempts from the same IP address 2014-03-22 05:47:34 +00:00			`function auth_error($error) {`
			`global $adminer, $has_token;`
Session management git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1173 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-10-06 15:33:48 +00:00			`$session_name = session_name();`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {`
			`$error = lang('Session support must be enabled.');`
			`} elseif (isset($_GET["username"])) {`
Protect CSRF token against BREACH 2013-10-25 02:10:50 +00:00			`if (($_COOKIE[$session_name] \|\| $_GET[$session_name]) && !$has_token) {`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`$error = lang('Session expired, please login again.');`
			`} else {`
Prevent against brute force login attempts from the same IP address 2014-03-22 05:47:34 +00:00			`add_invalid_login();`
Prepare for crypting passwords stored in session 2013-08-11 02:06:21 +00:00			`$password = get_password();`
Replace isset($var) by $var !== null 2012-05-14 06:54:07 +00:00			`if ($password !== null) {`
Notify user about expired master password for permanent login 2013-06-11 09:02:17 +00:00			`if ($password === false) {`
Simplify translation 2013-06-11 12:56:54 +00:00			`$error .= '<br>' . lang('Master password expired. <a href="http://www.adminer.org/en/extension/" target="_blank">Implement</a> %s method to make it permanent.', '<code>permanentLogin()</code>');`
Notify user about expired master password for permanent login 2013-06-11 09:02:17 +00:00			`}`
Prepare for crypting passwords stored in session 2013-08-11 02:06:21 +00:00			`set_password(DRIVER, SERVER, $_GET["username"], null);`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`}`
Unset wrong login from permanent logins 2012-09-09 03:54:02 +00:00			`unset_permanent();`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`}`
			`}`
Encrypt passwords stored in session by a key stored in cookie (thanks to Michal Spacek) 2013-08-11 16:26:18 +00:00			`$params = session_get_cookie_params();`
			`cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`page_header(lang('Login'), $error, null);`
Remove eventStop() used by AJAXification in past 2012-05-14 09:16:10 +00:00			`echo "<form action='' method='post'>\n";`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`$adminer->loginForm();`
Move Login button to customization git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1282 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-12-18 17:49:21 +00:00			`echo "<div>";`
Use namespace in login form 2012-05-14 07:08:32 +00:00			`hidden_fields($_POST, array("auth")); // expired session`
Move Login button to customization git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1282 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-12-18 17:49:21 +00:00			`echo "</div>\n";`
			`echo "</form>\n";`
Decomposition New functions git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@2 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2007-07-02 05:51:26 +00:00			`page_footer("auth");`
Prevent against brute force login attempts from the same IP address 2014-03-22 05:47:34 +00:00			`exit;`
PDO Abstraction git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@229 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2007-07-23 11:57:26 +00:00			`}`

Always display all drivers (bug #3097666) 2010-10-29 13:24:06 +00:00			`if (isset($_GET["username"])) {`
			`if (!class_exists("Min_DB")) {`
Unset wrong login from permanent logins 2012-09-09 03:54:02 +00:00			`unset($_SESSION["pwds"][DRIVER]);`
			`unset_permanent();`
Breadcrumb on No extension page 2010-11-03 23:12:01 +00:00			`page_header(lang('No extension'), lang('None of the supported PHP extensions (%s) are available.', implode(", ", $possible_drivers)), false);`
Always display all drivers (bug #3097666) 2010-10-29 13:24:06 +00:00			`page_footer("auth");`
			`exit;`
			`}`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`$connection = connect();`
Access without login - accept ?username= git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@459 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2008-08-27 16:43:30 +00:00			`}`
Add empty lines to source code 2013-05-02 01:28:04 +00:00
Allow using in ->login() (bug #381) 2014-02-08 03:35:26 +00:00			`$driver = new Min_Driver($connection);`

Add sefeguard agains null 2014-01-10 19:16:36 +00:00			`if (!is_object($connection) \|\| !$adminer->login($_GET["username"], get_password())) {`
Prevent against brute force login attempts from the same IP address 2014-03-22 05:47:34 +00:00			`auth_error((is_string($connection) ? $connection : lang('Invalid credentials.')));`
Decomposition New functions git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@2 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2007-07-02 05:51:26 +00:00			`}`
Trust user-supplied token with login git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1248 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2009-11-20 17:29:35 +00:00
Use namespace in login form 2012-05-14 07:08:32 +00:00			`if ($auth && $_POST["token"]) {`
Reintegrate sqlite branch git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1466 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-04-21 12:01:32 +00:00			`$_POST["token"] = $token; // reset token after explicit login`
Reset token after explicit login git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1325 7c3ca157-0c34-0410-bff1-cbf682f78f5c 2010-02-24 11:59:25 +00:00			`}`
Handle max_input_vars and generalize Suhosin compatibility 2013-04-02 01:45:26 +00:00
			`$error = ''; ///< @var string`
			`if ($_POST) {`
Protect CSRF token against BREACH 2013-10-25 02:10:50 +00:00			`if (!verify_token()) {`
Handle max_input_vars and generalize Suhosin compatibility 2013-04-02 01:45:26 +00:00			`$ini = "max_input_vars";`
			`$max_vars = ini_get($ini);`
			`if (extension_loaded("suhosin")) {`
			`foreach (array("suhosin.request.max_vars", "suhosin.post.max_vars") as $key) {`
			`$val = ini_get($key);`
			`if ($val && (!$max_vars \|\| $val < $max_vars)) {`
			`$ini = $key;`
			`$max_vars = $val;`
			`}`
			`}`
			`}`
			`$error = (!$_POST["token"] && $max_vars`
			`? lang('Maximum number of allowed fields exceeded. Please increase %s.', "'$ini'")`
			`: lang('Invalid CSRF token. Send the form again.')`
			`);`
			`}`
Add empty lines to source code 2013-05-02 01:28:04 +00:00
Handle max_input_vars and generalize Suhosin compatibility 2013-04-02 01:45:26 +00:00			`} elseif ($_SERVER["REQUEST_METHOD"] == "POST") {`
			`// posted form with no data means that post_max_size exceeded because Adminer always sends token at least`
			`$error = lang('Too big POST data. Reduce the data or increase the %s configuration directive.', "'post_max_size'");`
Suggest using adminer.sql 2013-06-24 13:12:13 +00:00			`if (isset($_GET["sql"])) {`
			`$error .= ' ' . lang('You can upload a big SQL file via FTP and import it from server.');`
			`}`
Handle max_input_vars and generalize Suhosin compatibility 2013-04-02 01:45:26 +00:00			`}`