From e893e66eaa47334848f11bb85b9a472e46651a83 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 7 Feb 2007 13:50:54 +0000
Subject: [PATCH] Added OTP Handling
---
 www/index.php | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/www/index.php b/www/index.php
index d8fd6a9..90e89b4 100644
--- a/www/index.php
+++ b/www/index.php
@@ -179,6 +179,36 @@
 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
 $res = mysql_query($query);
+ if(mysql_num_rows($res) <= 0)
+ {
+ $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `otppin`!='' and
+ `verified`=1 and `deleted`=0 and `locked`=0";
+ $otpres = mysql_query($otpquery);
+ if(mysql_num_rows($otpres) > 0)
+ {
+ $otp = mysql_fetch_assoc($otpres);
+ $otphash = $otp['otphash'];
+ $otppin = $otp['otppin'];
+ $matchperiod = 3 * 6;
+ $time = round(gmdate("U") / 10);
+
+ $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 1800";
+ mysql_query($query);
+
+ $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
+ if(mysql_num_rows(mysql_query($query)) <= 0)
+ {
+ $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
+ mysql_query($query);
+ for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
+ {
+ $md5 = substr(md5("$i$otphash$otppin"), 0, 6);
+ if($pword == $md5)
+ $res = mysql_query("select * from `users` where `email`='$email'");
+ }
+ }
+ }
+ }
 if(mysql_num_rows($res) > 0)
 {
 $_SESSION['profile'] = "";
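Review bot: The OTP match at `if($pword == $md5)` uses PHP's loose comparison on a six-hex-character string, so a numeric-looking submission such as `0` compares equal to any window value of the form `0e` followed by digits (both sides are read as the number zero); make it `if($pword === $md5)`. The new `otphashes` and `users` queries interpolate `$email` and `$pword` straight into SQL, extending the injection exposure already present in the context line above — pass each through `mysql_real_escape_string()` before building the strings, e.g. `$pwordsql = mysql_real_escape_string($pword);` and use that in the three new queries. The truncated `substr(md5(...), 0, 6)` code carries only 24 bits and is accepted across 55 ten-second windows (`$time - 18` through `$time + 36`), and nothing in this hunk counts failed attempts, so an online attacker needs on the order of 2^24/55 guesses; add a per-account failure counter or lengthen the code. The insert into `otphashes` also happens before the code is checked, so every wrong guess is stored and the replay check only blocks re-use of the exact same value within 1800 seconds, not brute forcing. The surrounding login block starts and ends outside the hunk.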
@@ -396,7 +426,7 @@
 `A3`='".$_SESSION['signup']['A3']."',
 `A4`='".$_SESSION['signup']['A4']."',
 `A5`='".$_SESSION['signup']['A5']."',
- `created`=NOW()";
+ `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
 mysql_query($query);
 $memid = mysql_insert_id();
 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
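Review bot: The unpredictability of `uniqueID` in `SHA1(CONCAT(NOW(),'$hash'))` rests entirely on `$hash`, which is assigned outside this hunk; if `$hash` is empty or derived from signup data, the ID reduces to the SHA-1 of a one-second timestamp and is guessable by anyone who knows roughly when the account was created. `$hash` is also interpolated into the SQL string unescaped, so if it can carry user-supplied characters it should go through `mysql_real_escape_string()` first. Consider generating the ID in PHP from a random source (for example bytes read from `/dev/urandom`, hashed) and inserting that value rather than leaning on NOW(). The `insert into users` statement this line belongs to begins before the hunk.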