
root/trunk/phpbms/index.php

Revision 704, 5.1 kB (checked in by brieb, 7 months ago)
  • Fixed several SQL injection vulnerabilities
  • Fixed several XSS vulnerabilities due to PHP_SELF and REQUEST_URI
  • Fixed several path disclosure errors
  • Property svn:keywords set to LastChangedBy LastChangedDate LastChangedRevision
1<?php
2/*
3 $Rev$ | $LastChangedBy$
4 $LastChangedDate$
5 +-------------------------------------------------------------------------+
6 | Copyright (c) 2004 - 2010, Kreotek LLC                                  |
7 | All rights reserved.                                                    |
8 +-------------------------------------------------------------------------+
9 |                                                                         |
10 | Redistribution and use in source and binary forms, with or without      |
11 | modification, are permitted provided that the following conditions are  |
12 | met:                                                                    |
13 |                                                                         |
14 | - Redistributions of source code must retain the above copyright        |
15 |   notice, this list of conditions and the following disclaimer.         |
16 |                                                                         |
17 | - Redistributions in binary form must reproduce the above copyright     |
18 |   notice, this list of conditions and the following disclaimer in the   |
19 |   documentation and/or other materials provided with the distribution.  |
20 |                                                                         |
21 | - Neither the name of Kreotek LLC nor the names of its contributore may |
22 |   be used to endorse or promote products derived from this software     |
23 |   without specific prior written permission.                            |
24 |                                                                         |
25 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS     |
26 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT       |
27 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A |
28 | PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT      |
29 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,   |
30 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT        |
31 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,   |
32 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY   |
33 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT     |
34 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE   |
35 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.    |
36 |                                                                         |
37 +-------------------------------------------------------------------------+
38*/
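// Session bootstrap and the login helper must be loaded before any output,
// otherwise the redirect below cannot send headers.
require_once("include/session.php");
require_once("include/login_include.php");

// Only attempt verification when both credentials were posted; a plain GET
// renders an empty form. $failed holds the message shown when login fails
// (empty string when nothing was attempted).
if (isset($_POST["name"]) && isset($_POST["password"])) {
    $login  = new login($db);
    $failed = $login->verify($_POST["name"], $_POST["password"]);
} else {
    $failed = "";
    // The name field is re-populated from $_POST further down, so give it a
    // value on a plain GET to avoid an undefined-index notice.
    $_POST["name"] = "";
}

// An established session (pre-existing, or presumably created by verify())
// skips the form entirely. goURL() is expected to redirect and stop the
// script — confirm it does not fall through, or the form is emitted anyway.
if (isset($_SESSION["userinfo"])) {
    goURL(DEFAULT_LOAD_PAGE);
}

$pageTitle = formatVariable(APPLICATION_NAME) . " Log in";

$phpbms->cssIncludes[] = "pages/login.css";
$phpbms->jsIncludes[]  = "common/javascript/login.js";

// The login page is rendered without the application menu and footer.
$phpbms->showMenu   = false;
$phpbms->showFooter = false;

include("header.php");
?>

<div id="loginbox" class="bodyline" >

    <h1><span><?php echo APPLICATION_NAME;?></span></h1>
    <?php
    // NOTE(review): $failed is echoed unescaped. This is only safe if
    // login::verify() returns a fixed message and never reflects the submitted
    // name; confirm that, or escape it here with htmlspecialchars().
    if ($failed) {?><div class="standout" id="failed"><?php echo $failed?></div><?php } ?>

    <noscript>
        <p class="standout" align="center">JavaScript is disabled.</p>
        <p> Please check browser requirements.</p>
    </noscript>

    <?php
    // The form posts back to this script. PHP_SELF is request-controlled (it
    // carries PATH_INFO), so it is escaped for an attribute context with
    // ENT_QUOTES and an explicit charset rather than the default htmlentities()
    // flags, which leave single quotes alone and depend on the default charset.
    // A fixed action (e.g. "index.php") would avoid reflecting request data at all.
    ?>
    <form name="form1" method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "UTF-8")?>">

        <p>
            <label for="username">name</label><br />
            <?php // Fields start disabled and are presumably enabled by login.js once JavaScript is confirmed. ?>
            <input name="name" type="text" id="username" size="25" maxlength="64" value="<?php echo htmlQuotes($_POST["name"])?>" disabled="disabled"/>
        </p>

        <p>
            <label for="password">password</label><br />
            <input name="password" type="password" id="password" size="25" maxlength="24" disabled="disabled"/>
        </p>


        <p id="moreinfoButtonP"><button id="moreinfoButton" type="button" class="graphicButtons buttonInfo"><span>more info</span></button></p>
        <p id="buttonP"><button class="Buttons" type="submit" id="loginButton" disabled="disabled">Log In</button></p>

    </form>


    <div id="moreinfo" >

        <div class="box">

            <h2><a href="http://www.phpbms.org" title="phpBMS"><span class="alt">phpBMS</span></a></h2>

            <h3>Business Management Web Application</h3>

            <p class="tiny">
                <a href="requirements.php">browser requirements</a> |
                <a href="info.php">about phpBMS</a>
            </p>

        </div>
    </div>
</div>


<?php
// Demo credentials are only rendered when the installation is explicitly in
// demonstration mode. The loose comparison is kept on purpose: DEMO_ENABLED is
// defined elsewhere and may be a string or a bool — confirm before tightening to ===.
if (DEMO_ENABLED == "true") {?>

<div id="demobox" class="bodyline">

    <h2>Demonstration Mode</h2>

    <p>
        Use the following user credentials to log into phpBMS. Each user
        highlights a different security access level.
    </p>

    <dl>
        <dt>Shipping Personnel</dt>
        <dd>
            username: shipping<br />
            password: shipping
        </dd>

        <dt>Sales Personnel</dt>
        <dd>
            username: sales<br />
            password: sales
        </dd>

        <dt>Sales Manager</dt>
        <dd>
            username: salesmanager<br />
            password: salesmanager
        </dd>
    </dl>
</div>

<?php } include("footer.php")?>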