From 91423b5baf1b067e446a009a59b5f838b6fffaf0 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 23 Jun 2013 15:25:34 +0000
Subject: [PATCH] login.php: - use AdminHandler->login() - don't escape_string() username and password

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1486 a1433add-5e2c-0410-b055-b7f2511e0802
---
 login.php | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)

diff --git a/login.php b/login.php
index 247b36f6..4858c876 100644
--- a/login.php
+++ b/login.php
@@ -37,10 +37,8 @@ if($CONF['configured'] !== true) {
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
- $fUsername = '';
- $fPassword = '';
- if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']);
- if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);
+ $fUsername = safepost('fUsername');
+ $fPassword = safepost('fPassword');
 $lang = safepost('lang');
 if ( $lang != check_language(0) ) { # only set cookie if language selection was changed
@@ -48,25 +46,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
 # (language preference cookie is processed even if username and/or password are invalid)
 }
- # TODO: move to AdminHandler->login
- $result = db_query ("SELECT password FROM $table_admin WHERE username='$fUsername' AND active='1'");
- if ($result['rows'] == 1)
- {
- $row = db_array ($result['result']);
- $crypt_password = pacrypt ($fPassword, $row['password']);
- if ($row['password'] != $crypt_password) {
- $error = 1;
- flash_error($PALANG['pLogin_failed']);
- }
- }
- else
- {
- $error = 1;
- flash_error($PALANG['pLogin_failed']);
- }
-
- if ($error != 1)
- {
+ $h = new AdminHandler;
+ if ( $h->login($fUsername, $fPassword) ) {
 session_regenerate_id();
 $_SESSION['sessid'] = array();
 $_SESSION['sessid']['username'] = $fUsername;
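Review bot: Dropping escape_string() on `$fUsername` here leaves the value unescaped while the later hunk (`@@ -74,6 +55,7 @@`) still interpolates it into `db_query ("SELECT * FROM $table_domain_admins WHERE username='$fUsername' ...")`; that query only runs after AdminHandler->login() accepted the credentials, which limits the exposure, but the username should still be escaped at that SQL boundary or the lookup moved into AdminHandler as the added TODO proposes. Keeping the raw username in `$_SESSION['sessid']['username']` is the right call — escaping belongs at the point of use, not at input. Whether safepost() returns `''` for a missing field, as the removed initialisation did, is not visible here; confirm it does so an absent password is not handed to login() as null. The enclosing POST block continues past this hunk.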
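Review bot: The removed query filtered on `active='1'`, and `$h->login($fUsername, $fPassword)` is now the only check deciding success, so confirm AdminHandler::login() enforces the active flag as well — otherwise a disabled admin account could log in again. Also prefer `$h = new AdminHandler();` with parentheses, matching the usual PHP instantiation style. The `if` opened here is closed by the `} else {` added in the last hunk, outside this one.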
@@ -74,6 +55,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
 $_SESSION['sessid']['roles'][] = 'admin';
 // they've logged in, so see if they are a domain admin, as well.
+ # TODO: use AdminHandler and the superadmin flag
 $result = db_query ("SELECT * FROM $table_domain_admins WHERE username='$fUsername' AND domain='ALL' AND active='1'");
 if ($result['rows'] == 1)
 {
@@ -83,6 +65,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
 }
 header("Location: main.php");
 exit(0);
+ } else {
+ flash_error($PALANG['pLogin_failed']);
 }
 }
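Review bot: The new `} else {` branch only raises the flash message; the removed code also set `$error = 1`, so if anything later in login.php (outside this hunk) still tests `$error`, it is now never set — worth checking before merging. A failed login also leaves no server-side trace; a single `error_log(...)` call in this branch recording the attempted username and `$_SERVER['REMOTE_ADDR']` would give operators something to alert on. The `if` this `else` belongs to is opened in the earlier `@@ -48,25 +46,8 @@` hunk.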