2007-07-02 05:51:26 +00:00
< ? php
2008-01-08 13:55:52 +00:00
$ignore = array ( " server " , " username " , " password " );
2009-06-03 18:35:16 +00:00
$session_name = session_name ();
if ( ini_get ( " session.use_trans_sid " ) && isset ( $_POST [ $session_name ])) {
$ignore [] = $session_name ;
2007-07-11 05:54:36 +00:00
}
2007-07-02 05:51:26 +00:00
if ( isset ( $_POST [ " server " ])) {
2009-06-03 18:35:16 +00:00
if ( isset ( $_COOKIE [ $session_name ]) || isset ( $_POST [ $session_name ])) {
2009-06-21 23:20:32 +00:00
session_regenerate_id (); // defense against session fixation
2007-07-10 15:09:07 +00:00
$_SESSION [ " usernames " ][ $_POST [ " server " ]] = $_POST [ " username " ];
$_SESSION [ " passwords " ][ $_POST [ " server " ]] = $_POST [ " password " ];
2009-06-21 23:20:32 +00:00
$_SESSION [ " tokens " ][ $_POST [ " server " ]] = rand ( 1 , 1e6 ); // defense against cross-site request forgery
2007-07-11 05:54:36 +00:00
if ( count ( $_POST ) == count ( $ignore )) {
2008-07-10 15:39:24 +00:00
$location = (( string ) $_GET [ " server " ] === $_POST [ " server " ] ? remove_from_uri () : preg_replace ( '~^[^?]*/([^?]*).*~' , '\\1' , $_SERVER [ " REQUEST_URI " ]) . ( strlen ( $_POST [ " server " ]) ? '?server=' . urlencode ( $_POST [ " server " ]) : '' ));
2009-06-03 18:35:16 +00:00
if ( ! isset ( $_COOKIE [ $session_name ])) {
2007-07-10 15:09:07 +00:00
$location .= ( strpos ( $location , " ? " ) === false ? " ? " : " & " ) . SID ;
}
header ( " Location: " . ( strlen ( $location ) ? $location : " . " ));
exit ;
}
2009-05-08 05:13:51 +00:00
if ( $_POST [ " token " ]) {
$_POST [ " token " ] = $_SESSION [ " tokens " ][ $_POST [ " server " ]];
}
2007-07-06 15:24:49 +00:00
}
$_GET [ " server " ] = $_POST [ " server " ];
2008-04-10 15:10:10 +00:00
} elseif ( isset ( $_POST [ " logout " ])) {
2009-05-08 05:13:51 +00:00
if ( $_POST [ " token " ] != $_SESSION [ " tokens " ][ $_GET [ " server " ]]) {
2008-04-10 15:10:10 +00:00
page_header ( lang ( 'Logout' ), lang ( 'Invalid CSRF token. Send the form again.' ));
page_footer ( " db " );
exit ;
} else {
2009-06-21 23:37:07 +00:00
foreach ( array ( " usernames " , " passwords " , " databases " , " tokens " , " history " ) as $val ) {
unset ( $_SESSION [ $val ][ $_GET [ " server " ]]);
}
2009-07-30 08:12:54 +00:00
redirect ( substr ( ME , 0 , - 1 ), lang ( 'Logout successful.' ));
2008-04-10 15:10:10 +00:00
}
2007-07-02 05:51:26 +00:00
}
2009-06-03 18:35:16 +00:00
function auth_error ( $exception = null ) {
2009-07-27 11:25:37 +00:00
global $ignore , $dbh , $adminer ;
2007-07-23 11:57:26 +00:00
$username = $_SESSION [ " usernames " ][ $_GET [ " server " ]];
2007-07-17 05:14:43 +00:00
unset ( $_SESSION [ " usernames " ][ $_GET [ " server " ]]);
2009-07-28 16:20:50 +00:00
page_header ( lang ( 'Login' ), ( isset ( $username ) ? h ( $exception ? $exception -> getMessage () : ( is_string ( $dbh ) ? $dbh : lang ( 'Invalid credentials.' ))) : ( isset ( $_POST [ " server " ]) ? lang ( 'Sessions must be enabled.' ) : ( $_POST ? lang ( 'Session expired, please login again.' ) : " " ))), null );
2009-07-21 12:19:25 +00:00
echo " <form action='' method='post'> \n " ;
2009-07-27 11:31:54 +00:00
$adminer -> loginForm ( $username );
2009-07-21 12:19:25 +00:00
echo " <p> \n " ;
2008-10-03 13:15:58 +00:00
hidden_fields ( $_POST , $ignore ); // expired session
2007-07-09 06:12:22 +00:00
foreach ( $_FILES as $key => $val ) {
2009-07-28 16:20:50 +00:00
echo '<input type="hidden" name="files[' . h ( $key ) . ']" value="' . ( $val [ " error " ] ? $val [ " error " ] : base64_encode ( file_get_contents ( $val [ " tmp_name " ]))) . '">' ;
2007-07-09 06:12:22 +00:00
}
2009-07-21 15:25:05 +00:00
echo " <input type='submit' value=' " . lang ( 'Login' ) . " '> \n </form> \n " ;
2007-07-02 05:51:26 +00:00
page_footer ( " auth " );
2007-07-23 11:57:26 +00:00
}
2008-08-27 16:43:30 +00:00
$username = & $_SESSION [ " usernames " ][ $_GET [ " server " ]];
if ( ! isset ( $username )) {
2009-06-21 23:20:32 +00:00
$username = $_GET [ " username " ]; // default username can be passed in URL
2008-08-27 16:43:30 +00:00
}
2009-06-03 18:35:16 +00:00
$dbh = ( isset ( $username ) ? connect () : '' );
2009-07-27 11:25:37 +00:00
if ( is_string ( $dbh ) || ! $adminer -> login ( $username , $_SESSION [ " passwords " ][ $_GET [ " server " ]])) {
2007-07-23 11:57:26 +00:00
auth_error ();
2007-07-02 05:51:26 +00:00
exit ;
}
2009-07-21 12:19:25 +00:00
unset ( $username );