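<?php
/*
info: if anything gets changed, add comments! or I'll punch you in the face over the internet !!!
changes:
-
modification:
2013-09-19 aragon - added: logoff for grotto ... shameless copied from codes, written for arania-logd
2014-03-22 aragon - password > wird jetzt anders gespeichert
2023-05-18 aragon - php8 fixes
2024-05-04 aragon fix login
2024-05-19 aragon update login behavior, deactivated lotgd.net access through timeout-errors since site is not available anymore
<date TBD> review - the POSTed login name and the lgi cookie are escaped before they are concatenated into SQL;
                    the restorepage Location header no longer sends literal "{...}" braces around the URL
                    (the concatenated form had lost the interpolation the other header() call still uses);
                    "SET loggedin=0 AND whereis=''" was a single boolean expression assigned to loggedin,
                    whereis was never cleared - now two assignments; undefined-index reads guarded for php8;
                    stray ";" removed from the location chain; header comment describing the flow added

Login / logout entry point.

Flow:
  - POST name/password present: the account row is fetched by login only and the
    password is verified in PHP with logd_pw_verify(). E-mail validation, admin
    activation ("needadminactivation") and the "maxonline" limit are enforced,
    then the session is filled from the row and the player is redirected by the
    stored location (0 news, 1 inn, 2 houses, 4 questlager, 9 jail,
    100 superuser/grotto, anything else the stored restorepage).
  - failed login: error message, one faillog row per account with that login,
    automatic ban of the remote address once 10 weighted failures are seen within
    one day (superuser accounts count double), and a system mail to every
    superuser>=3 account when a superuser account was among them.
  - ?op=logout: the account is marked logged out and the session is cleared.
  - anything else (empty login name): generic error and back to index.php.

Project helpers (db_query, db_fetch_assoc, db_num_rows, db_affected_rows,
getsetting, redirect, checkban, gettexts, saveuser, debuglog, systemmail,
sql_error, logd_pw_verify) are provided by common.php / lib/logd_pw.php.
*/
require_once "common.php";
require_once "lib/logd_pw.php";

// Only plain strings are accepted from the form. An array (name[]=...) is treated as
// empty so it neither reaches the SQL below nor raises a TypeError in addslashes().
$name = isset($_POST['name']) && is_string($_POST['name']) ? $_POST['name'] : "";
$password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : "";
$op = $_GET['op'] ?? "";
$num = 0;

// Whatever message a previous request left behind is dropped; this request sets its own.
$session['message'] = "";

if ($name !== "") {
    if ($session['loggedin'] ?? false) {
        // A login attempt while already logged in is a navigation error.
        redirect("badnav.php");
    } else {
        // Accounts active within LOGINTIMEOUT seconds; compared against "maxonline" further down.
        $sql = "SELECT COUNT(acctid) AS onlinecount
            FROM accounts
            WHERE locked=0
            AND loggedin=1
            AND laston>'" . date("Y-m-d H:i:s", strtotime("-" . getsetting("LOGINTIMEOUT", 900) . " seconds")) . "'";
        $result = db_fetch_assoc(db_query($sql));
        $onlinecount = $result['onlinecount'];

        // The password is no longer compared inside SQL (it used to be MD5()); the row is fetched
        // by login only and the hash is checked in PHP. $name is user input and is escaped before
        // it is concatenated into the statement. addslashes() is what this codebase already uses
        // for SQL values; a driver-level escape or a prepared statement would be preferable if
        // db_query() offers one.
        $nameSql = addslashes($name);
        $sql = "SELECT * FROM accounts WHERE login = '" . $nameSql . "' AND locked=0";
        $result = db_query($sql);
        $num = db_num_rows($result);
        if ($num == 1) {
            $row = db_fetch_assoc($result);
            $num = 0;
            // 2022-09-22 - aragon - change of password function behavior, php8 caused problems
            $one = false; // legacy check logdPwLegacy($password, $row['password']) stays disabled
            $two = logd_pw_verify($password, $row['password']); // should now work correctly, because verify(md5(passwd), row[passwd])
            if ($one || $two) {
                $num = 1;
            }
        }

        if ($num == 1) {
            $session['user'] = $row;
            checkban($session['user']['login']); // check if this account is banned
            checkban(); // check if this computer is banned
            // An emailvalidation value that does not start with "x" means the address is still unconfirmed.
            if ($session['user']['emailvalidation'] != "" && substr($session['user']['emailvalidation'], 0, 1) != "x") {
                $session['user'] = array();
                $session['message'] = "`4Fehler: Du musst deine E-Mail Adresse bestätigen lassen, bevor du dich einloggen kannst.";
                header("Location: index.php");
                exit();
            } elseif ($session['user']['activated'] == 0 && getsetting("needadminactivation", 0) == 1) {
                $session['user'] = array();
                $session['message'] = "`4Fehler: Dein Account muss von einem Admin freigeschaltet werden, bevor du dich einloggen kannst.";
                header("Location: index.php");
                exit;
            } else {
                // maxonline == 0 disables the limit; superusers are never turned away.
                if ($onlinecount < getsetting("maxonline", 10) || getsetting("maxonline", 10) == 0 || $session['user']['superuser'] > 0) {
                    //loaduser($session['user']);
                    $session['loggedin'] = true;
                    $session['output'] = gettexts('output');
                    $session['lastlogoff'] = $session['user']['laston'];
                    $session['petitions'] = array();
                    $session['todolist'] = array();
                    $session['laston'] = date("Y-m-d H:i:s");
                    $session['sentnotice'] = 0;
                    // NOTE(review): unserialize() on text stored in the database. If these are plain
                    // arrays, passing ['allowed_classes' => false] would rule out object injection
                    // from a tampered row - confirm the stored format before changing it.
                    $session['dragonpoints'] = unserialize(gettexts('dragonpoints'));
                    $session['prefs'] = unserialize(gettexts('prefs'));
                    $session['bufflist'] = unserialize(gettexts('bufflist'));
                    if (!is_array($session['dragonpoints'])) {
                        $session['dragonpoints'] = array();
                    }
                    if ($session['user']['loggedin']) {
                        // The account was still flagged as logged in (session expired): restore the
                        // saved navs and send the player back to the page stored in the account.
                        debuglog("logged in after timeout ");
                        $session['allowednavs'] = unserialize(gettexts('allowednavs'));
                        saveuser();
                        header("Location: {$session['user']['restorepage']}");
                        exit();
                        //redirect($session['user']['page']);//"badnav.php");
                    }
                    // Same statement as before; the old code concatenated PHP true, which renders as "1".
                    db_query("UPDATE accounts SET loggedin=1, location=0 WHERE acctid = " . $session['user']['acctid']);
                    $session['user']['loggedin'] = true;
                    $location = $session['user']['location'];
                    $session['user']['location'] = 0;
                    debuglog("logged in ");
                    if (getsetting("logdnet", 0)) {
                        //register with LoGDnet
                        // @file(getsetting("logdnetserver", "http://lotgd.net/") . "logdnet.php?addy=" . URLEncode(getsetting("serverurl", "http://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['REQUEST_URI']))) . "&desc=" . URLEncode(getsetting("serverdesc", "Another LoGD Server")) . "&version=" . URLEncode($logd_version) . "");
                    }
                    // Loose comparison on purpose: location comes from the database row and may be a string.
                    if ($location == 0) {
                        redirect("news.php");
                    } elseif ($location == 1) {
                        redirect("inn.php?op=strolldown");
                    } elseif ($location == 2) {
                        redirect("houses.php?op=newday"); // altes Wohnviertel ... wg. kompatibilität zu bisher, weils neue noch nicht fertig ist
                    } elseif ($location == 4) {
                        redirect("questlager.php");
                    } elseif ($location == 9) {
                        redirect("jail.php");
                    } elseif ($location == 100) { // ** 2013-09-19 ... grotto-logoff
                        redirect("superuser.php");
                    } else {
                        saveuser();
                        // restorepage is sent as stored; the previous code wrapped it in literal braces.
                        header("Location: " . $session['user']['restorepage']);
                        exit();
                    }
                } else {
                    $session['user'] = array();
                    $session['message'] = "`4Fehler: Der Server ist voll.`0";
                    redirect("index.php");
                }
            }
        } else {
            $session['message'] .= "`4Fehler: Dein Login war falsch oder dein Account ist gesperrt.`0";
            // Log the failed attempt, ban the address when there are too many, and notify the admins.
            // faillog rows older than expirecontent/4 days are purged first.
            $sql = "DELETE FROM faillog WHERE date<'" . date("Y-m-d H:i:s", strtotime("-" . (getsetting("expirecontent", 180) / 4) . " days")) . "'";
            checkban();
            db_query($sql);
            $sql = "SELECT acctid FROM accounts WHERE login='" . $nameSql . "'";
            $result = db_query($sql);
            if (db_num_rows($result) > 0) { // just in case there manage to be multiple accounts on this name.
                // The lgi cookie is client-controlled and is escaped like the login name.
                $lgiCookie = addslashes($_COOKIE['lgi'] ?? "");
                $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? "";
                while ($row = db_fetch_assoc($result)) {
                    $sql = "INSERT INTO faillog VALUES (0,now(),'" . addslashes(serialize($name)) . "','" . $remoteAddr . "','" . $row['acctid'] . "','" . $lgiCookie . "')";
                    db_query($sql);
                    // Every failure from this address in the last day, joined with the account it targeted.
                    $sql = "SELECT faillog.*,accounts.superuser,name,login FROM faillog INNER JOIN accounts ON accounts.acctid=faillog.acctid WHERE ip='{$remoteAddr}' AND date>'" . date("Y-m-d H:i:s", strtotime("-1 day")) . "'";
                    $result2 = db_query($sql);
                    $c = 0;
                    $alert = "";
                    $su = false;
                    while ($row2 = db_fetch_assoc($result2)) {
                        if ($row2['superuser'] > 0) {
                            $c += 1; // superuser targets count twice
                            $su = true;
                        }
                        $c += 1;
                        $alert .= "`3{$row2['date']}`7: Failed attempt from `&{$row2['ip']}`7 [`3{$row2['id']}`7] to log on to `^{$row2['login']}`7 ({$row2['name']}`7)`n";
                    }
                    if ($c >= 10) { // 5 failed attempts for superuser, 10 for regular user
                        // Ban length grows with the number of failures (3 hours each).
                        $sql = "INSERT INTO bans VALUES ('{$remoteAddr}','','" . date("Y-m-d H:i:s", strtotime("+" . ($c * 3) . " hours")) . "','Automatic System Ban: Too many failed login attempts.')";
                        db_query($sql);
                        if ($su) { // send a system message to admins regarding this failed attempt if it includes superusers.
                            $sql = "SELECT acctid FROM accounts WHERE superuser>=3";
                            $result2 = db_query($sql);
                            $subj = "`#{$remoteAddr} failed to log in too many times!";
                            for ($i = 0; $i < db_num_rows($result2); $i++) {
                                $row2 = db_fetch_assoc($result2);
                                // Replace an unread copy of the same alert instead of stacking them; when one
                                // existed the admin was already notified by e-mail, so no second e-mail is sent.
                                $sql = "DELETE FROM mail WHERE msgto={$row2['acctid']} AND msgfrom=0 AND subject = '$subj' AND seen=0";
                                db_query($sql);
                                $noemail = db_affected_rows() > 0;
                                systemmail($row2['acctid'], $subj, "This message is generated as a result of one or more of the accounts having been a superuser account. Log Follows:`n`n$alert", 0, $noemail);
                            } //end for
                        } //end if($su)
                    } //end if($c>=10)
                } //end while
            } //end if (db_num_rows)
            redirect("index.php");
        }
    }
} elseif ($op == "logout") {
    if ($session['user']['loggedin'] ?? false) {
        debuglog("logged out ");
        // Two column assignments; "loggedin=0 AND whereis=''" assigned one boolean to loggedin only.
        $sql = "UPDATE accounts SET loggedin=0, whereis='' WHERE acctid = " . $session['user']['acctid'];
        db_query($sql) or die(sql_error($sql));
    }
    $session = array();
    redirect("index.php");
}

// If you enter an empty username, don't just say oops.. do something useful.
$session = array();
$session['message'] = "`4Fehler: Dein Login war falsch. (login fehlgeschlagen)`0";
redirect("index.php");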