Old 10th September 2019, 18:34
LeeHowarth
Join Date: Nov 2008
Posts: 100
Quote:
Originally Posted by BamBam0077
PHP Code:
<?php

require_once("include/bittorrent.php");

if (!mkglobal("username:password"))
    die();

dbconn();

function bark($text = "Username or password incorrect")
{
    stderr("<center>Login failed !</center>", $text);
}

$res = mysql_query("SELECT id, passhash, secret, enabled FROM users WHERE username = " . sqlesc($username) . " AND status = 'confirmed'");
$row = mysql_fetch_array($res);

if (!$row)
    bark();

if ($row["passhash"] != md5($row["secret"] . $password . $row["secret"]))
    bark();

if ($row["enabled"] == "no")
    bark("<center>This account has been disabled.</center>");

// ADN MOD  PERMANENT LOGIN
$expires = (int) $_POST["expires"];

if (!$expires or $expires <= 0 or $expires > 31556926) {
    $expires = 0x7fffffff;
} else {
    $expires = time() + $expires;
}

logincookie($row["id"], $row["passhash"], 1, $expires);
// END MOD  PERMANENT LOGIN

/// and mod login return
if (!empty($_POST["returnto"])) {
    header("Location: $BASEURL$_POST[returnto]");
} else {
    $successful = true;
    if ($successful === true) {
        echo "<div style='background-color: #353939;border: 1px solid #666;color:green;'>
           <text>Successful Message</text>
           </div> <div style='padding: 0.1em;'></div>
           <text>Thank You!, Accessing Account </text>

           <script>
            setTimeout(function () { window.location.href= 'my.php'; // the redirect goes here
},5000); // 5 seconds
</script>";
    } else {
        header("Location: $BASEURL/my.php");
    }
}
///* end mod login return
?>
https://www.bvlist.com/showthread.php?t=9784
That code is not secure. On older versions of PHP a header injection will be possible, e.g.:

%0DLocation:%20http://google.com/%0D

Last edited by LeeHowarth; 10th September 2019 at 18:40. Reason: Typo
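A hardened replacement for the quoted "mod login return" block, added here as an example (it is not code from the original post or from the tracker it is based on). It assumes `$BASEURL` is the site's base URL as in the quoted code; the hypothetical helper `safe_return_to()` only ever lets a site-relative path reach the `Location` header.

```php
<?php
// Added example, not from the original post. Assumes $BASEURL as in the quoted code.
// The raw $_POST["returnto"] value is never written into the Location header;
// it is validated as a site-relative path and anything else falls back to my.php.

/**
 * Return a safe site-relative redirect path, or $default when the candidate
 * is missing, contains control bytes, or would send the user off-site.
 */
function safe_return_to($candidate, $default = "/my.php")
{
    if (!is_string($candidate) || $candidate === "") {
        return $default;
    }
    // $_POST values are already URL-decoded, so an encoded %0D/%0A arrives as a
    // real CR/LF. Any control byte is rejected outright: on old PHP builds such a
    // byte could terminate the Location header and append further headers.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    // Only accept paths rooted at this site: a single leading "/" (which also
    // rules out any "scheme:" prefix), but not "//" or "/\", which browsers treat
    // as protocol-relative URLs pointing to another host.
    if ($candidate[0] !== "/" || preg_match('#^/[/\\\\]#', $candidate)) {
        return $default;
    }
    // Backslashes are normalised to "/" by some browsers, so reject them anywhere.
    if (strpos($candidate, "\\") !== false) {
        return $default;
    }
    // Keep an oversized value out of the response header.
    if (strlen($candidate) > 512) {
        return $default;
    }
    return $candidate;
}

// Constructed inputs and the result each one produces:
//   "/browse.php?cat=1"          -> kept as-is
//   "\r\nLocation: http://x/"    -> "/my.php" (control bytes)
//   "//evil.example/"            -> "/my.php" (protocol-relative)
//   "http://evil.example/"       -> "/my.php" (no leading "/")

// Usage in place of the quoted block, after logincookie() has been called:
$target = safe_return_to(isset($_POST["returnto"]) ? $_POST["returnto"] : null);
header("Location: " . $BASEURL . $target, true, 302);
exit;
```

Because the only value that reaches `header()` is either the validated path or the fixed `/my.php`, the `%0DLocation:` payload quoted above is reduced to the default redirect.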