Browse code

Beachte Groß- und Kleinshreibung beim Login

Bernd Wurst authored on10/08/2012 07:33:38
Showing1 changed files
... ...
@@ -39,10 +39,16 @@ function find_role($login, $password, $i_am_admin = False)
39 39
   $uid = (int) $login;
40 40
   if ($uid == 0)
41 41
     $uid = 'NULL';
42
-  $result = db_query("SELECT passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
42
+  $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
43 43
   if (@mysql_num_rows($result) > 0)
44 44
   {
45 45
     $entry = mysql_fetch_object($result);
46
+    if ($entry->username != $login) {
47
+      // MySQL matched (warum auch immer) ohne Beachtung der Schreibweise. Wir wollen aber case-sensitive sein.
48
+      logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");
49
+      warning('Beachten Sie bei der Eingabe Ihrer Zugangsdaten bitte die Groß- und Kleinschreibung.');
50
+      return NULL;  
51
+    }
46 52
     $db_password = $entry->password;
47 53
     $hash = crypt($password, $db_password);
48 54
     if (($entry->status == 0 && $hash == $db_password) || $i_am_admin)