From bf2c7356d0a434a37989c3496e5c0b9d969316e2 Mon Sep 17 00:00:00 2001
From: mischa <mischa@rx.high5.nl>
Date: Sun, 4 Sep 2022 10:10:27 +0000
Subject: [PATCH] refactored login.php

---
 admin/list-domain.php  |  2 +-
 admin/list-virtual.php |  2 +-
 functions.inc.php      | 25 ----------------------
 languages/en.lang      |  3 +--
 login.php              | 48 +++++++++++++++++++++---------------------
 templates/login.tpl    |  6 +++---
 6 files changed, 30 insertions(+), 56 deletions(-)

diff --git a/admin/list-domain.php b/admin/list-domain.php
index 560f8c6..2134f1b 100644
--- a/admin/list-domain.php
+++ b/admin/list-domain.php
@@ -13,7 +13,7 @@
 //
 // list_domains
 //
-// Form GET Variables:
+// Form POST \ GET Variables:
 //
 // username
 //
diff --git a/admin/list-virtual.php b/admin/list-virtual.php
index 0f84ada..c9e4606 100644
--- a/admin/list-virtual.php
+++ b/admin/list-virtual.php
@@ -14,7 +14,7 @@
 // list_alias
 // list_mailbox
 //
-// Form GET Variables:
+// Form POST \ GET Variables:
 //
 // domain
 // offset
diff --git a/functions.inc.php b/functions.inc.php
index 27076b6..6c5ec0a 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -398,31 +398,6 @@ function db_array($result) {
 	return $row;
 }
 
-// db_assoc
-// Action: Returns a row from a table
-// Call: db_assoc(int result)
-//
-function db_assoc($result) {
-	global $CONF;
-	$row = "";
-	if ($CONF['database_type'] == "mysqli") $row = mysqli_fetch_assoc($result);
-	return $row;
-}
-
-//
-// db_delete
-// Action: Deletes a row from a specified table
-// Call: db_delete(string table, string where, string delete)
-//
-function db_delete($table,$where,$delete) {
-	$result = db_query("DELETE FROM $table WHERE $where='$delete'");
-	if ($result['rows'] >= 1) {
-		return $result['rows'];
-	} else {
-		return true;
-	}
-}
-
 // logging
 // Action: Logs actions from admin
 // Call: logging(string username, string domain, string action, string data)
diff --git a/languages/en.lang b/languages/en.lang
index 2fed86b..ecfb976 100644
--- a/languages/en.lang
+++ b/languages/en.lang
@@ -15,8 +15,7 @@ $LANG['Login_welcome'] = 'Mail admins login here to administer your domain.';
 $LANG['Login_username'] = 'Login (email)';
 $LANG['Login_password'] = 'Password';
 $LANG['Login_button'] = 'Login';
-$LANG['Login_username_incorrect'] = '<span class="error_msg">Your login is not correct. Make sure that you login with your email address.</span>';
-$LANG['Login_password_incorrect'] = '<span class="error_msg">Your password is not correct.</span>';
+$LANG['Login_incorrect'] = '<span class="error_msg">Your login or password is not correct.</span>';
 $LANG['Login_login_users'] = 'Users click here to login to the user section.';
 
 $LANG['Menu_overview'] = 'Overview';
diff --git a/login.php b/login.php
index 23672c8..e7d9084 100644
--- a/login.php
+++ b/login.php
@@ -11,44 +11,44 @@
 //
 // Template variables:
 //
-//  tMessage
-//  tUsername
+//  message
+//  username
 //
 // GET / POST variables:  
 //
-//  fUsername
-//  fPassword
+//  username
+//  password
 //
-require("./variables.inc.php");
-require("./config.inc.php");
-require("./functions.inc.php");
-include("./languages/" . check_language () . ".lang");
+require_once './functions.inc.php';
+include './languages/' . check_language () . '.lang';
  
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
-	$fUsername = escape_string ($_POST['fUsername']);
-	$fPassword = escape_string ($_POST['fPassword']);
+	$username = filter_input(INPUT_POST, 'username', FILTER_VALIDATE_EMAIL);
+	$password = filter_input(INPUT_POST, 'password', FILTER_DEFAULT);
 
-	$result = db_query("SELECT password FROM admin WHERE username='$fUsername' AND active='1'");
-	if ($result['rows'] == 1) {
-		$row = db_array($result['result']);
-		if (!password_verify($fPassword, $row['assword'])) {
-			$error = 1;
-			$tMessage = $LANG['Login_password_incorrect'];
-			$tUsername = $fUsername;
+	if (!empty($username) && !empty($password)) {
+		$dbh = connect_db();
+		$sth = $dbh->prepare("SELECT password FROM admin WHERE username=?");
+		$sth->bindParam(1, $username, PDO::PARAM_STR);
+		$sth->execute();
+		$row = $sth->fetch(PDO::FETCH_COLUMN);
+	}
+	if (!empty($row)) {
+		if (!password_verify($password, $row)) {
+			$message = $LANG['Login_incorrect'];
 		}
 	} else {
-		$error = 1;
-		$tMessage = $LANG['Login_username_incorrect'];
+		$message = $LANG['Login_incorrect'];
 	}
 
-	if ($error != 1) {
+	if (empty($message)) {
 		session_start();
-		$_SESSION['sessid']['username'] = $fUsername;
+		$_SESSION['sessid']['username'] = $username;
 		header("Location: main.php");
 		exit;
 	}
 } 
-include("./templates/header.tpl");
-include("./templates/login.tpl");
-include("./templates/footer.tpl");
+include './templates/header.tpl';
+include './templates/login.tpl';
+include './templates/footer.tpl';
 ?>
diff --git a/templates/login.tpl b/templates/login.tpl
index dc50f05..6b88d83 100644
--- a/templates/login.tpl
+++ b/templates/login.tpl
@@ -6,17 +6,17 @@
 	</tr>
 	<tr>
 		<td><?php echo $LANG['Login_username'] . ":"; ?></td>
-		<td><input class="flat" type="text" name="fUsername" value="<?php echo $tUsername; ?>" /></td>
+		<td><input class="flat" type="text" name="username" value="<?php echo $username ?? ''; ?>" /></td>
 	</tr>
 	<tr>
 		<td><?php echo $LANG['Login_password'] . ":"; ?></td>
-		<td><input class="flat" type="password" name="fPassword" /></td>
+		<td><input class="flat" type="password" name="password" /></td>
 	</tr>
 	<tr>
 		<td colspan="2" class="hlp_center"><input class="button" type="submit" name="submit" value="<?php echo $LANG['Login_button']; ?>" /></td>
 	</tr>
 	<tr>
-		<td colspan="2" class="standout"><?php echo $tMessage; ?></td>
+		<td colspan="2" class="standout"><?php echo $message ?? '&nbsp;'; ?></td>
 	</tr>
 	<tr>
 		<td colspan="2"><a href="users/"><?php echo $LANG['Login_login_users']; ?></a></td>