WebSVN – Applications.papyrus – Diff – /trunk/api/pear/Auth/Container/MDB.php

 <?php
-//
-// +----------------------------------------------------------------------+
-// | PHP Version 4                                                        |
-// +----------------------------------------------------------------------+
-// |                                                                      |
-// +----------------------------------------------------------------------+
-// | This source file is subject to version 2.02 of the PHP license,      |
-// | that is bundled with this package in the file LICENSE, and is        |
-// | available at through the world-wide-web at                           |
-// | http://www.php.net/license/2_02.txt.                                 |
-// | If you did not receive a copy of the PHP license and are unable to   |
-// | obtain it through the world-wide-web, please send a note to          |
-// | license@php.net so we can mail you a copy immediately.               |
+/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4 foldmethod=marker: */
-// +----------------------------------------------------------------------+
-// | Author: Lorenzo Alberton <l.alberton@quipo.it>                                  |
-// +----------------------------------------------------------------------+
-//
-// $Id: MDB.php,v 1.1 2005-03-30 08:50:33 jpm Exp $
-//
+/**
+ * Storage driver for use against PEAR MDB
+ *
+ * PHP versions 4 and 5
+ *
+ * LICENSE: This source file is subject to version 3.01 of the PHP license
+ * that is available through the world-wide-web at the following URI:
+ * http://www.php.net/license/3_01.txt.  If you did not receive a copy of
+ * the PHP License and are unable to obtain it through the web, please
+ * send a note to license@php.net so we can mail you a copy immediately.
+ *
+ * @category   Authentication
+ * @package    Auth
+ * @author     Lorenzo Alberton <l.alberton@quipo.it>
+ * @author     Adam Ashley <aashley@php.net>
+ * @copyright  2001-2006 The PHP Group
+ * @license    http://www.php.net/license/3_01.txt  PHP License 3.01
+ * @version    CVS: $Id: MDB.php,v 1.2 2006-12-14 15:04:28 jp_milcent Exp $
+ * @link       http://pear.php.net/package/Auth
+ * @since      File available since Release 1.2.3
+ */
+/**
+ * Include Auth_Container base class
  */
+require_once 'Auth/Container.php';
+/**
+ * Include PEAR MDB package
-require_once 'Auth/Container.php';
+ */
 require_once 'MDB.php';
 /**
  * Storage driver for fetching login data from a database
+ *
  * This storage driver can use all databases which are supported
  * by the PEAR MDB abstraction layer to fetch login data.
+ *
+ * @category   Authentication
+ * @package    Auth
+ * @author     Lorenzo Alberton <l.alberton@quipo.it>
+ * @author     Adam Ashley <aashley@php.net>
- * @author   Lorenzo Alberton <l.alberton@quipo.it>
+ * @copyright  2001-2006 The PHP Group
+ * @license    http://www.php.net/license/3_01.txt  PHP License 3.01
+ * @version    Release: 1.4.3  File: $Revision: 1.2 $
- * @package  Auth
+ * @link       http://pear.php.net/package/Auth
- * @version  $Revision: 1.1 $
+ * @since      Class available since Release 1.2.3
  */
+class Auth_Container_MDB extends Auth_Container
+{
 class Auth_Container_MDB extends Auth_Container
     // {{{ properties
     /**
      * Additional options for the storage container
      * @var array
      */
     var $options = array();
     /**
-     * DB object
+     * MDB object
      * User that is currently selected from the DB.
      * @var string
      */
     var $activeUser = '';
+    // }}}
-    // {{{ Constructor
+    // {{{ Auth_Container_MDB() [constructor]
     /**
      * Constructor of the container class
+     *
-     * Initate connection to the database via PEAR::DB
+     * Initate connection to the database via PEAR::MDB
+     *
-     * @param  string Connection data or DB object
+     * @param  string Connection data or MDB object
      * @return object Returns an error object if something went wrong
      */
     function Auth_Container_MDB($dsn)
     /**
      * Connect to database by using the given DSN string
+     *
      * @access private
-     * @param  string DSN string
+     * @param  mixed DSN string | array | mdb object
      * @return mixed  Object on error, otherwise bool
      */
     function _connect($dsn)
+    {
         if (is_string($dsn) || is_array($dsn)) {
-            $this->db =& MDB::Connect($dsn);
+            $this->db =& MDB::connect($dsn, $this->options['db_options']);
-        } elseif (get_parent_class($dsn) == "mdb_common") {
+        } elseif (is_subclass_of($dsn, 'mdb_common')) {
             $this->db = $dsn;
         } elseif (is_object($dsn) && MDB::isError($dsn)) {
             return PEAR::raiseError($dsn->getMessage(), $dsn->code);
         } else {
+        }
+        if (MDB::isError($this->db) || PEAR::isError($this->db)) {
+            return PEAR::raiseError($this->db->getMessage(), $this->db->code);
+        }
+        if ($this->options['auto_quote']) {
+            $this->options['final_table'] = $this->db->quoteIdentifier($this->options['table']);
-        if (MDB::isError($this->db) || PEAR::isError($this->db)) {
+            $this->options['final_usernamecol'] = $this->db->quoteIdentifier($this->options['usernamecol']);
-            return PEAR::raiseError($this->db->getMessage(), $this->db->code);
+            $this->options['final_passwordcol'] = $this->db->quoteIdentifier($this->options['passwordcol']);
+        } else {
+            $this->options['final_table'] = $this->options['table'];
-        } else {
+            $this->options['final_usernamecol'] = $this->options['usernamecol'];
+            $this->options['final_passwordcol'] = $this->options['passwordcol'];
+        }
             return true;
         return true;
+    }
+     *
      * This function checks if we have already opened a connection to
      * the database. If that's not the case, a new connection is opened.
+     *
      * @access private
-     * @return mixed True or a DB error object.
+     * @return mixed True or a MDB error object.
      */
     function _prepare()
+    {
+        if (is_subclass_of($this->db, 'mdb_common')) {
+            return true;
+        }
         return $this->_connect($this->options['dsn']);
+    }
     // }}}
         $this->options['usernamecol'] = 'username';
         $this->options['passwordcol'] = 'password';
         $this->options['dsn']         = '';
         $this->options['db_fields']   = '';
         $this->options['cryptType']   = 'md5';
+        $this->options['db_options']  = array();
+        $this->options['auto_quote']  = true;
+    }
     // }}}
         foreach ($array as $key => $value) {
             if (isset($this->options[$key])) {
                 $this->options[$key] = $value;
+            }
+        }
+    }
+    // }}}
+    // {{{ _quoteDBFields()
+    /**
+     * Quote the db_fields option to avoid the possibility of SQL injection.
+     *
+     * @access private
+     * @return string A properly quoted string that can be concatenated into a
+     * SELECT clause.
+     */
+    function _quoteDBFields()
-        // Include additional fields if they exist
+    {
-        if (!empty($this->options['db_fields'])) {
+        if (isset($this->options['db_fields'])) {
+            if (is_array($this->options['db_fields'])) {
+                if ($this->options['auto_quote']) {
+                    $fields = array();
+                    foreach ($this->options['db_fields'] as $field) {
+                        $fields[] = $this->db->quoteIdentifier($field);
+                    }
+                    return implode(', ', $fields);
-            if (is_array($this->options['db_fields'])) {
+                } else {
+                    return implode(', ', $this->options['db_fields']);
+                }
+            } else {
+                if (strlen($this->options['db_fields']) > 0) {
+                    if ($this->options['auto_quote']) {
+                        return $this->db->quoteIdentifier($this->options['db_fields']);
+                    } else {
+                        return $this->options['db_fields'];
+                    }
                 $this->options['db_fields'] = join($this->options['db_fields'], ', ');
-            }
             $this->options['db_fields'] = ', ' . $this->options['db_fields'];
+        }
         return '';
+    }
      * and password is found, the function returns true.
      * Otherwise it returns false.
+     *
      * @param   string Username
      * @param   string Password
+     * @param   boolean If true password is secured using a md5 hash
+     *                  the frontend and auth are responsible for making sure the container supports
+     *                  challenge response password authentication
      * @return  mixed  Error object or boolean
      */
-    function fetchData($username, $password)
+    function fetchData($username, $password, $isChallengeResponse=false)
+    {
         // Prepare for a database query
         $err = $this->_prepare();
         if ($err !== true) {
             return PEAR::raiseError($err->getMessage(), $err->getCode());
+        }
+        //Check if db_fields contains a *, if so assume all columns are selected
-        // Find if db_fileds contains a *, i so assume all col are selected
+        if (is_string($this->options['db_fields'])
-        if (strstr($this->options['db_fields'], '*')) {
+            && strstr($this->options['db_fields'], '*')) {
             $sql_from = '*';
-        } else{
+        } else {
+            $sql_from = $this->options['final_usernamecol'].
+                ", ".$this->options['final_passwordcol'];
+            if (strlen($fields = $this->_quoteDBFields()) > 0) {
+                $sql_from .= ', '.$fields;
             $sql_from = $this->options['usernamecol'] . ', '. $this->options['passwordcol'] . $this->options['db_fields'];
+        }
         $query = sprintf("SELECT %s FROM %s WHERE %s = %s",
                          $sql_from,
-                         $this->options['table'],
+                         $this->options['final_table'],
-                         $this->options['usernamecol'],
+                         $this->options['final_usernamecol'],
                          $this->db->getTextValue($username)
+        }
         if (!is_array($res)) {
             $this->activeUser = '';
             return false;
+        }
+        // Perform trimming here before the hashing
+        $password = trim($password, "\r\n");
+        $res[$this->options['passwordcol']] = trim($res[$this->options['passwordcol']], "\r\n");
+        // If using Challenge Response md5 the pass with the secret
+        if ($isChallengeResponse) {
+            $res[$this->options['passwordcol']] =
+                md5($res[$this->options['passwordcol']].$this->_auth_obj->session['loginchallenege']);
+            // UGLY cannot avoid without modifying verifyPassword
+            if ($this->options['cryptType'] == 'md5') {
+                $res[$this->options['passwordcol']] = md5($res[$this->options['passwordcol']]);
+            }
+        }
-        if ($this->verifyPassword(trim($password, "\r\n"),
+        if ($this->verifyPassword($password,
-                                  trim($res[$this->options['passwordcol']], "\r\n"),
+                                  $res[$this->options['passwordcol']],
                                   $this->options['cryptType'])) {
             // Store additional field values in the session
             foreach ($res as $key => $value) {
                 if ($key == $this->options['passwordcol'] ||
                     $key == $this->options['usernamecol']) {
                     continue;
+                }
                 // Use reference to the auth object if exists
-                // This is because the auth session variable can change so a static call to setAuthData does not make sence
+                // This is because the auth session variable can change so a static
-                if(is_object($this->_auth_obj)){
+                // call to setAuthData does not make sense
-                    $this->_auth_obj->setAuthData($key, $value);
+                $this->_auth_obj->setAuthData($key, $value);
-                } else {
-                    Auth::setAuthData($key, $value);
-                }
+            }
             return true;
+        }
         $this->activeUser = $res[$this->options['usernamecol']];
         return false;
+    }
+    // }}}
+    // {{{ listUsers()
+    /**
+     * Returns a list of users from the container
+     *
-    // }}}
+     * @return mixed array|PEAR_Error
-    // {{{ listUsers()
+     * @access public
      */
     function listUsers()
+    {
         $err = $this->_prepare();
         if ($err !== true) {
             return PEAR::raiseError($err->getMessage(), $err->getCode());
+        }
-        }
         $retVal = array();
         $retVal = array();
+        //Check if db_fields contains a *, if so assume all columns are selected
+        if (   is_string($this->options['db_fields'])
+            && strstr($this->options['db_fields'], '*')) {
+            $sql_from = '*';
+        } else {
+            $sql_from = $this->options['final_usernamecol']
-        // Find if db_fileds contains a *, i so assume all col are selected
+                .', '.$this->options['final_passwordcol'];
         if (strstr($this->options['db_fields'], '*')) {
-            $sql_from = '*';
+            if (strlen($fields = $this->_quoteDBFields()) > 0) {
-        } else{
+                $sql_from .= ', '.$fields;
             $sql_from = $this->options['db_fields'];
+        }
+     *
      * @return mixed True on success, otherwise error object
      */
     function addUser($username, $password, $additional = "")
+    {
+        $err = $this->_prepare();
+        if ($err !== true) {
+            return PEAR::raiseError($err->getMessage(), $err->getCode());
+        }
+        if (isset($this->options['cryptType']) && $this->options['cryptType'] == 'none') {
+            $cryptFunction = 'strval';
-        if (function_exists($this->options['cryptType'])) {
+        } elseif (isset($this->options['cryptType']) && function_exists($this->options['cryptType'])) {
             $cryptFunction = $this->options['cryptType'];
         } else {
             $cryptFunction = 'md5';
+        }
+        $password = $cryptFunction($password);
         $additional_key   = '';
         $additional_value = '';
+        if (is_array($additional)) {
+            foreach ($additional as $key => $value) {
+                if ($this->options['auto_quote']) {
-        if (is_array($additional)) {
+                    $additional_key   .= ', ' . $this->db->quoteIdentifier($key);
+                } else {
-            foreach ($additional as $key => $value) {
+                    $additional_key   .= ', ' . $key;
                 $additional_key   .= ', ' . $key;
                 $additional_value .= ', ' . $this->db->getTextValue($value);
+            }
         }
         $query = sprintf("INSERT INTO %s (%s, %s%s) VALUES (%s, %s%s)",
-                         $this->options['table'],
+                         $this->options['final_table'],
-                         $this->options['usernamecol'],
+                         $this->options['final_usernamecol'],
-                         $this->options['passwordcol'],
+                         $this->options['final_passwordcol'],
                          $additional_key,
                          $this->db->getTextValue($username),
-                         $this->db->getTextValue($cryptFunction($password)),
+                         $this->db->getTextValue($password),
                          $additional_value
                          );
-        $res = $this->query($query);
+        $res = $this->query($query);
         if (MDB::isError($res)) {
-            return PEAR::raiseError($res->getMessage(), $res->code);
+        if (MDB::isError($res)) {
-        } else {
+            return PEAR::raiseError($res->getMessage(), $res->code);
+     *
      * @return mixed True on success, otherwise error object
      */
     function removeUser($username)
+    {
+        $err = $this->_prepare();
+        if ($err !== true) {
+            return PEAR::raiseError($err->getMessage(), $err->getCode());
+        }
         $query = sprintf("DELETE FROM %s WHERE %s = %s",
-                         $this->options['table'],
+                         $this->options['final_table'],
-                         $this->options['usernamecol'],
+                         $this->options['final_usernamecol'],
                          $this->db->getTextValue($username)
                          );
         $res = $this->query($query);
+        if (MDB::isError($res)) {
+            return PEAR::raiseError($res->getMessage(), $res->code);
+        }
+        return true;
+    }
+    // }}}
+    // {{{ changePassword()
+    /**
+     * Change password for user in the storage container
+     *
+     * @param string Username
+     * @param string The new password (plain text)
+     */
+    function changePassword($username, $password)
+    {
+        $err = $this->_prepare();
+        if ($err !== true) {
+            return PEAR::raiseError($err->getMessage(), $err->getCode());
+        }
+        if (isset($this->options['cryptType']) && $this->options['cryptType'] == 'none') {
+            $cryptFunction = 'strval';
-        if (MDB::isError($res)) {
+        } elseif (isset($this->options['cryptType']) && function_exists($this->options['cryptType'])) {
+            $cryptFunction = $this->options['cryptType'];
+        } else {
+            $cryptFunction = 'md5';
+        }
+        $password = $cryptFunction($password);
+        $query = sprintf("UPDATE %s SET %s = %s WHERE %s = %s",
+                         $this->options['final_table'],
+                         $this->options['final_passwordcol'],
+                         $this->db->getTextValue($password),
+                         $this->options['final_usernamecol'],
+                         $this->db->getTextValue($username)
+                         );
+        $res = $this->query($query);
+        if (MDB::isError($res)) {
-           return PEAR::raiseError($res->getMessage(), $res->code);
+            return PEAR::raiseError($res->getMessage(), $res->code);
         } else {
+        return true;
+    }
+    // }}}
+    // {{{ supportsChallengeResponse()
+    /**
+     * Determine if this container supports
+     * password authentication with challenge response
+     *
+     * @return bool
+     * @access public
+     */
+    function supportsChallengeResponse()
+    {
+        return in_array($this->options['cryptType'], array('md5', 'none', ''));
+    }
+    // }}}
+    // {{{ getCryptType()
+    /**
+     * Returns the selected crypt type for this container
+     *
+     * @return string Function used to crypt the password
+     */
+    function getCryptType()
           return true;
         return $this->options['cryptType'];
+    }
     // }}}
     // }}}

Subversion Repositories Applications.papyrus

(root)/trunk/api/pear/Auth/Container/MDB.php – Rev 320 → 1173