< ? php
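// Session bootstrap: CSRF token, "permanent login" cookie parsing, and the
// three POST flows that run before any database connection is attempted
// (explicit login, logout, and restoring passwords from the permanent cookie).
$connection = '';
$token = $_SESSION["token"];
if (!$_SESSION["token"]) {
	// defense against cross-site request forgery
	// Use the CSPRNG where the runtime has it (PHP >= 7) so the token is not
	// predictable from earlier outputs; older runtimes keep the original rand()
	// call. The range stays 1..1e6 because the token is emitted as a number elsewhere.
	$_SESSION["token"] = (function_exists("random_int") ? random_int(1, 1000000) : rand(1, 1000000));
}

// Cookie format: space-separated entries "key:cipher", where key is
// base64(driver)-base64(server)-base64(username). Only the part before ":" is
// used as the array key; the whole entry is kept so it can be written back as-is.
$permanent = array();
if ($_COOKIE["adminer_permanent"]) {
	foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) {
		list($key) = explode(":", $val);
		$permanent[$key] = $val;
	}
}

if (isset($_POST["server"])) {
	session_regenerate_id(); // defense against session fixation
	$_SESSION["pwds"][$_POST["driver"]][$_POST["server"]][$_POST["username"]] = $_POST["password"];
	if ($_POST["permanent"]) {
		$key = base64_encode($_POST["driver"]) . "-" . base64_encode($_POST["server"]) . "-" . base64_encode($_POST["username"]);
		$private = $adminer->permanentLogin();
		// Without a private key an empty cipher is stored; decryption then yields an empty password.
		$permanent[$key] = "$key:" . base64_encode($private ? encrypt_string($_POST["password"], $private) : "");
		cookie("adminer_permanent", implode(" ", $permanent));
	}
	if (count($_POST) == ($_POST["permanent"] ? 5 : 4) // 4 - driver, server, username, password
		|| DRIVER != $_POST["driver"]
		|| SERVER != $_POST["server"]
		|| $_GET["username"] !== $_POST["username"] // "0" == "00"
	) {
		redirect(auth_url($_POST["driver"], $_POST["server"], $_POST["username"]));
	}
} elseif ($_POST["logout"]) {
	// Compare as strings with ===: a loose != would accept numeric forms such as
	// "1e3" for token 1000, and an array value would only trigger a warning here.
	if ($token && (string) $_POST["token"] !== (string) $token) {
		page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));
		page_footer("db");
		exit;
	} else {
		foreach (array("pwds", "dbs", "queries") as $key) {
			set_session($key, null);
		}
		// Drop the permanent-login entry of the current driver/server/user as well.
		$key = base64_encode(DRIVER) . "-" . base64_encode(SERVER) . "-" . base64_encode($_GET["username"]);
		if ($permanent[$key]) {
			unset($permanent[$key]);
			cookie("adminer_permanent", implode(" ", $permanent));
		}
		redirect(substr(preg_replace('~(username|db|ns)=[^&]*&~', '', ME), 0, -1), lang('Logout successful.'));
	}
} elseif ($permanent && !$_SESSION["pwds"]) {
	session_regenerate_id();
	$private = $adminer->permanentLogin(); // try to decode even if not set
	foreach ($permanent as $key => $val) {
		list(, $cipher) = explode(":", $val);
		list($driver, $server, $username) = array_map('base64_decode', explode("-", $key));
		$_SESSION["pwds"][$driver][$server][$username] = decrypt_string(base64_decode($cipher), $private);
	}
}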
/** Print the login page with an optional error message
* Shows the session/credential problem found, clears a stored password that was rejected,
* then renders the login form with the previous POST values carried over as hidden fields.
* @param Exception|null $exception error from a failed connection attempt; its message is shown
*   only when a password is currently stored in the session
* @return null
*/
function auth_error($exception = null) {
	global $connection, $adminer, $token;
	$sessionName = session_name();
	$error = "";
	if (!$_COOKIE[$sessionName] && $_GET[$sessionName] && ini_bool("session.use_only_cookies")) {
		$error = lang('Session support must be enabled.');
	} elseif (isset($_GET["username"])) {
		$sessionExpired = (($_COOKIE[$sessionName] || $_GET[$sessionName]) && !$token);
		if ($sessionExpired) {
			$error = lang('Session expired, please login again.');
		} else {
			$stored = &get_session("pwds");
			if (isset($stored)) {
				$message = ($exception
					? $exception->getMessage()
					: (is_string($connection) ? $connection : lang('Invalid credentials.'))
				);
				$error = h($message);
				$stored = null; // the rejected password is not kept for another attempt
			}
		}
	}
	page_header(lang('Login'), $error, null);
	echo "<form action='' method='post'>\n";
	$adminer->loginForm();
	echo "<div>";
	hidden_fields($_POST, array("driver", "server", "username", "password", "permanent")); // expired session
	echo "</div>\n";
	echo "</form>\n";
	page_footer("auth");
}
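// Connect with the credentials from the URL and the password stored in the
// session; on failure show the login form and stop. Afterwards validate the
// CSRF token of the current POST request.
if (isset($_GET["username"])) {
	if (!class_exists("Min_DB")) {
		unset($_SESSION["pwds"][DRIVER]); //! remove also from adminer_permanent
		page_header(lang('No extension'), lang('None of the supported PHP extensions (%s) are available.', implode(", ", $possible_drivers)), false);
		page_footer("auth");
		exit;
	}
	$connection = connect();
}

if (is_string($connection) || !$adminer->login($_GET["username"], get_session("pwds"))) {
	auth_error();
	exit;
}

$token = $_SESSION["token"]; ///< @var string CSRF protection
if (isset($_POST["server"]) && $_POST["token"]) {
	$_POST["token"] = $token; // reset token after explicit login
}
// Token check is a strict string comparison: a loose == would also accept
// numeric variants of the token (e.g. "1e3" for 1000) or values with trailing whitespace.
$error = ($_POST ///< @var string
	? ((string) $_POST["token"] === (string) $token ? "" : lang('Invalid CSRF token. Send the form again.'))
	: ($_SERVER["REQUEST_METHOD"] != "POST" ? "" : lang('Too big POST data. Reduce the data or increase the %s configuration directive.', '"post_max_size"')) // posted form with no data means that post_max_size exceeded because Adminer always sends token at least
);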