2007-07-02 05:51:26 +00:00
< ? php
if ( isset ( $_POST [ " server " ])) {
2009-08-30 22:21:36 +00:00
session_regenerate_id (); // defense against session fixation
$_SESSION [ " usernames " ][ $_POST [ " server " ]] = $_POST [ " username " ];
$_SESSION [ " passwords " ][ $_POST [ " server " ]] = $_POST [ " password " ];
2009-12-18 17:39:48 +00:00
if ( $_POST [ " permanent " ]) {
cookie ( " adminer_permanent " ,
base64_encode ( $_POST [ " server " ])
. " : " . base64_encode ( $_POST [ " username " ])
2010-01-08 17:12:03 +00:00
. " : " . base64_encode ( encrypt_string ( $_POST [ " password " ], $adminer -> permanentLogin ()))
2009-12-18 17:39:48 +00:00
);
}
2010-02-09 16:28:34 +00:00
if ( count ( $_POST ) == ( $_POST [ " permanent " ] ? 4 : 3 )) { // 3 - server, username, password
2010-01-09 23:33:41 +00:00
$location = (( string ) $_GET [ " server " ] === $_POST [ " server " ] ? remove_from_uri ( session_name ()) : preg_replace ( '~^([^?]*).*~' , '\\1' , ME ) . ( $_POST [ " server " ] != " " ? '?server=' . urlencode ( $_POST [ " server " ]) : '' ));
2010-02-09 16:28:34 +00:00
if ( SID_FORM ) {
2009-12-15 16:20:54 +00:00
$pos = strpos ( $location , '?' );
$location = ( $pos ? substr_replace ( $location , SID . " & " , $pos + 1 , 0 ) : " $location ? " . SID );
2009-05-08 05:13:51 +00:00
}
2009-09-11 18:47:35 +00:00
redirect ( $location );
2009-08-30 22:21:36 +00:00
}
2010-02-24 11:59:25 +00:00
$_GET [ " server " ] = $_POST [ " server " ]; //! used also in ME
2009-12-18 17:39:48 +00:00
} elseif ( $_POST [ " logout " ]) {
2009-11-02 16:13:01 +00:00
$token = $_SESSION [ " tokens " ][ $_GET [ " server " ]];
if ( $token && $_POST [ " token " ] != $token ) {
2008-04-10 15:10:10 +00:00
page_header ( lang ( 'Logout' ), lang ( 'Invalid CSRF token. Send the form again.' ));
page_footer ( " db " );
exit ;
} else {
2009-06-21 23:37:07 +00:00
foreach ( array ( " usernames " , " passwords " , " databases " , " tokens " , " history " ) as $val ) {
unset ( $_SESSION [ $val ][ $_GET [ " server " ]]);
}
2009-11-02 16:13:01 +00:00
if ( ! isset ( $_SESSION [ " passwords " ])) { // don't require login to logout
$_SESSION [ " passwords " ] = array ();
}
2009-12-18 17:39:48 +00:00
cookie ( " adminer_permanent " , " " );
2010-03-30 10:23:39 +00:00
redirect ( substr ( preg_replace ( '~db=[^&]*&~' , '' , ME ), 0 , - 1 ), lang ( 'Logout successful.' ));
2008-04-10 15:10:10 +00:00
}
2009-12-18 17:39:48 +00:00
} elseif ( $_COOKIE [ " adminer_permanent " ] && ! isset ( $_SESSION [ " usernames " ][ $_GET [ " server " ]])) {
list ( $server , $username , $cipher ) = array_map ( 'base64_decode' , explode ( " : " , $_COOKIE [ " adminer_permanent " ]));
2010-02-24 11:59:25 +00:00
if (( $_GET [ " server " ] == " " && ! $_POST ) || $server == $_GET [ " server " ]) {
2009-12-18 17:39:48 +00:00
session_regenerate_id (); // defense against session fixation
$_SESSION [ " usernames " ][ $server ] = $username ;
2010-01-08 17:12:03 +00:00
$_SESSION [ " passwords " ][ $server ] = decrypt_string ( $cipher , $adminer -> permanentLogin ());
2010-02-24 11:59:25 +00:00
if ( $server != $_GET [ " server " ]) {
2009-12-18 17:39:48 +00:00
redirect ( preg_replace ( '~^([^?]*).*~' , '\\1' , ME ) . '?server=' . urlencode ( $server ));
}
}
}
2009-06-03 18:35:16 +00:00
function auth_error ( $exception = null ) {
2009-11-20 17:15:33 +00:00
global $connection , $adminer ;
2009-10-06 15:33:48 +00:00
$session_name = session_name ();
2007-07-23 11:57:26 +00:00
$username = $_SESSION [ " usernames " ][ $_GET [ " server " ]];
2007-07-17 05:14:43 +00:00
unset ( $_SESSION [ " usernames " ][ $_GET [ " server " ]]);
2009-10-06 15:33:48 +00:00
page_header ( lang ( 'Login' ), ( isset ( $username ) ? h ( $exception ? $exception -> getMessage () : ( is_string ( $connection ) ? $connection : lang ( 'Invalid credentials.' )))
: ( ! $_COOKIE [ $session_name ] && $_GET [ $session_name ] && ini_get ( " session.use_only_cookies " ) ? lang ( 'Session support must be enabled.' )
: (( $_COOKIE [ $session_name ] || $_GET [ $session_name ]) && ! isset ( $_SESSION [ " passwords " ]) ? lang ( 'Session expired, please login again.' )
: " " ))), null );
2009-07-21 12:19:25 +00:00
echo " <form action='' method='post'> \n " ;
2009-07-27 11:31:54 +00:00
$adminer -> loginForm ( $username );
2009-12-18 17:49:21 +00:00
echo " <div> " ;
2009-11-20 17:15:33 +00:00
hidden_fields ( $_POST , array ( " server " , " username " , " password " )); // expired session
2009-12-18 17:49:21 +00:00
echo " </div> \n " ;
echo " </form> \n " ;
2007-07-02 05:51:26 +00:00
page_footer ( " auth " );
2007-07-23 11:57:26 +00:00
}
2008-08-27 16:43:30 +00:00
$username = & $_SESSION [ " usernames " ][ $_GET [ " server " ]];
if ( ! isset ( $username )) {
2009-06-21 23:20:32 +00:00
$username = $_GET [ " username " ]; // default username can be passed in URL
2008-08-27 16:43:30 +00:00
}
2009-09-22 10:51:40 +00:00
$connection = ( isset ( $username ) ? connect () : '' );
if ( is_string ( $connection ) || ! $adminer -> login ( $username , $_SESSION [ " passwords " ][ $_GET [ " server " ]])) {
2007-07-23 11:57:26 +00:00
auth_error ();
2007-07-02 05:51:26 +00:00
exit ;
}
2009-07-21 12:19:25 +00:00
unset ( $username );
2009-11-20 17:29:35 +00:00
if ( ! $_SESSION [ " tokens " ][ $_GET [ " server " ]]) {
2009-11-21 08:59:03 +00:00
$_SESSION [ " tokens " ][ $_GET [ " server " ]] = rand ( 1 , 1e6 ); // defense against cross-site request forgery
2009-11-20 17:29:35 +00:00
}
2010-02-24 11:59:25 +00:00
if ( isset ( $_POST [ " server " ]) && $_POST [ " token " ]) {
$_POST [ " token " ] = $_SESSION [ " tokens " ][ $_GET [ " server " ]];
}
2010-02-26 14:01:17 +00:00
$token = $_SESSION [ " tokens " ][ $_GET [ " server " ]]; ///< @var string CSRF protection
$error = ( $_POST ///< @var string
? ( $_POST [ " token " ] == $token ? " " : lang ( 'Invalid CSRF token. Send the form again.' ))
: ( $_SERVER [ " REQUEST_METHOD " ] != " POST " ? " " : lang ( 'Too big POST data. Reduce the data or increase the %s configuration directive.' , '"post_max_size"' )) // posted form with no data means that post_max_size exceeded because Adminer always sends token at least
);