// Direct-access guard for this include file. If the legacy $PHP_SELF global is
// not populated, fall back to $_SERVER['PHP_SELF'] before testing it.
2 if ( empty ( $PHP_SELF ) && ! empty ( $_SERVER ) &&
3 ! empty ( $_SERVER['PHP_SELF'] ) ) {
4 $PHP_SELF = $_SERVER['PHP_SELF'];
// Refuse to run when the request path itself points into /includes/.
// NOTE(review): PHP_SELF is derived from the request URI (it can carry PATH_INFO),
// so this is a convenience check rather than an access-control boundary; the web
// server should also deny direct requests to the includes directory — confirm.
6 if ( ! empty ( $PHP_SELF ) && preg_match ( "/\/includes\//", $PHP_SELF ) ) {
7 die ( "You can't access this file directly!" );
12 // Do a sanity check. Make sure we can access webcal_config table.
13 // We call this right after the first call to dbi_connect() (from
14 // either connect.php or here in validate.php).
// Verifies that the webcal_config table is reachable on the already-open
// connection. On failure it aborts the request with an HTML error message;
// on success it only frees the result. No value is returned.
15 function doDbSanityCheck () {
// The connection globals are read only to build the error text below.
16 global $db_login, $db_host, $db_database;
// Warnings from the query are suppressed with @; the remaining arguments of
// this call and the test of $res are not shown in this excerpt.
17 $res = @dbi_query ( "SELECT COUNT(cal_value) FROM webcal_config",
20 if ( $row = dbi_fetch_row ( $res ) ) {
21 // Found database. All is peachy.
22 dbi_free_result ( $res );
24 // Error accessing table.
25 // User has wrong db name or has not created tables.
26 // Note: cannot translate this since we have not included
28 dbi_free_result ( $res );
// NOTE(review): this message is emitted to the browser and discloses the
// database name, login and host. These values come from configuration rather
// than the request, but consider logging the detail server-side and showing a
// generic message instead. The same text is repeated verbatim in the second
// error branch below.
30 "Error finding WebCalendar tables in database '$db_database' " .
31 "using db login '$db_login' on db server '$db_host'.<br/><br/>\n" .
32 "Have you created the database tables as specified in the " .
33 "<a href=\"docs/WebCalendar-SysAdmin.html\" target=\"other\">WebCalendar " .
34 "System Administrator's Guide</a>?" );
37 // Error accessing table.
38 // User has wrong db name or has not created tables.
39 // Note: cannot translate this since we have not included translate.php yet.
// Second copy of the error message (presumably the branch where the query
// itself failed and $res is not a result handle — the condition is not shown).
41 "Error finding WebCalendar tables in database '$db_database' " .
42 "using db login '$db_login' on db server '$db_host'.<br/><br/>\n" .
43 "Have you created the database tables as specified in the " .
44 "<a href=\"docs/WebCalendar-SysAdmin.html\" target=\"other\">WebCalendar " .
45 "System Administrator's Guide</a>?" );
// State flags consumed later (connect.php is named below as the consumer of
// $session_not_found).
49 $validate_redirect = false;
50 $session_not_found = false;
52 // Catch-all for getting the username when using HTTP-authentication
53 if ( $use_http_auth ) {
54 if ( empty ( $PHP_AUTH_USER ) ) {
// Probe, in priority order: $_SERVER, the legacy $HTTP_SERVER_VARS array, then
// REMOTE_USER and AUTH_USER from a bare global, $_ENV, $HTTP_ENV_VARS and
// getenv(). The first hit wins.
// NOTE(review): the bare-global fallbacks ($REMOTE_USER, $AUTH_USER) are only
// trustworthy when the server populates them. If register_globals is enabled,
// a bare global can be set from the request, which would let the client choose
// the authenticated username — confirm register_globals is off, or restrict
// these branches to the superglobal/getenv() sources.
55 if ( !empty ( $_SERVER ) && isset ( $_SERVER['PHP_AUTH_USER'] ) ) {
56 $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
57 } else if ( !empty ( $HTTP_SERVER_VARS ) &&
58 isset ( $HTTP_SERVER_VARS['PHP_AUTH_USER'] ) ) {
59 $PHP_AUTH_USER = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
60 } else if ( isset ( $REMOTE_USER ) ) {
61 $PHP_AUTH_USER = $REMOTE_USER;
62 } else if ( !empty ( $_ENV ) && isset ( $_ENV['REMOTE_USER'] ) ) {
63 $PHP_AUTH_USER = $_ENV['REMOTE_USER'];
64 } else if ( !empty ( $HTTP_ENV_VARS ) &&
65 isset ( $HTTP_ENV_VARS['REMOTE_USER'] ) ) {
66 $PHP_AUTH_USER = $HTTP_ENV_VARS['REMOTE_USER'];
// @ suppresses any notice from getenv(); a non-empty value is then re-read.
67 } else if ( @getenv ( 'REMOTE_USER' ) ) {
68 $PHP_AUTH_USER = getenv ( 'REMOTE_USER' );
69 } else if ( isset ( $AUTH_USER ) ) {
70 $PHP_AUTH_USER = $AUTH_USER;
71 } else if ( !empty ( $_ENV ) && isset ( $_ENV['AUTH_USER'] ) ) {
72 $PHP_AUTH_USER = $_ENV['AUTH_USER'];
73 } else if ( !empty ( $HTTP_ENV_VARS ) &&
74 isset ( $HTTP_ENV_VARS['AUTH_USER'] ) ) {
75 $PHP_AUTH_USER = $HTTP_ENV_VARS['AUTH_USER'];
76 } else if ( @getenv ( 'AUTH_USER' ) ) {
77 $PHP_AUTH_USER = getenv ( 'AUTH_USER' );
// Determine $login from the configured authentication mode.
// Single-user mode: the login is fixed by configuration.
82 if ( $single_user == "Y" ) {
83 $login = $single_user_login;
85 if ( $use_http_auth ) {
86 // HTTP server did validation for us....
// An empty HTTP-auth username is recorded as a missing session rather than
// handled here.
87 if ( empty ( $PHP_AUTH_USER ) )
88 $session_not_found = true;
90 $login = $PHP_AUTH_USER;
92 } elseif ( substr($user_inc,0,9) == 'user-app-' ) {
93 // Use another application's authentication
// Assignment inside the condition: a falsy return from user_logged_in()
// (including a login of "0", if that can occur) sends the user to the external
// login screen. The origin of $login_return_path is not shown in this excerpt.
94 if (! $login = user_logged_in()) app_login_screen(clean_whitespace($login_return_path));
// PHP-native sessions: pick the session token up from $_SESSION.
97 if ( ! empty ( $settings['session'] ) && $settings['session'] == 'php' ) {
99 if ( ! empty ( $_SESSION['webcalendar_session'] ) ) {
100 $webcalendar_session = $_SESSION['webcalendar_session'];
103 // We can't actually check the database yet since we haven't connected
104 // to the database. That happens in connect.php.
106 // Check for session. If not found, then note it for later
107 // handling in connect.php.
108 else if ( empty ( $webcalendar_session ) && empty ( $login ) ) {
109 $session_not_found = true;
113 // Check for cookie...
// Cookie-based session: decode the token into login and crypted password,
// validate the login's characters, then verify the credential against the DB.
114 if ( ! empty ( $webcalendar_session ) ) {
115 $encoded_login = $webcalendar_session;
116 if ( empty ( $encoded_login ) ) {
117 // invalid session cookie
118 $session_not_found = true;
// The token decodes to "login|cryptpw". split() was deprecated in PHP 5.3 and
// removed in PHP 7; preg_split() or explode() is the modern equivalent.
// NOTE(review): if the decoded string has no '|', $login_pw[1] is undefined
// and $cryptpw becomes null — confirm user_valid_crypt() rejects that.
120 $login_pw = split('\|', decode_string ($encoded_login));
121 $login = $login_pw[0];
122 $cryptpw = $login_pw[1];
123 // Security fix. Don't allow certain types of characters in
124 // the login. WebCalendar does not escape the login name in
125 // SQL requests. So, if the user were able to set the login
126 // name to be "x';drop table u;",
127 // they may be able to affect the database.
128 if ( ! empty ( $login ) ) {
// addslashes() changes a string only if it contains a quote, backslash or NUL,
// so inequality here means the login carries one of those characters. This is
// a denylist; the SQL layer should still use parameterised queries.
129 if ( $login != addslashes ( $login ) ) {
// The rejected login is HTML-escaped before being echoed.
130 die_miserable_death ( "Illegal characters in login " .
131 "<tt>" . htmlentities ( $login ) . "</tt>" );
134 // make sure we are connected to the database for password check
// Connection errors are suppressed with @; the test of $c that leads to the
// die_miserable_death() below is not shown in this excerpt.
135 $c = @dbi_connect ( $db_host, $db_login, $db_password, $db_database );
137 die_miserable_death (
138 "Error connecting to database:<blockquote>" .
139 dbi_error () . "</blockquote>\n" );
// Credential check against the stored hash; failure redirects to the login page.
143 if (!user_valid_crypt($login, $cryptpw)) {
144 do_debug ( "User not logged in; redirecting to login page" );
145 if ( empty ( $login_return_path ) )
146 do_redirect ( "login.php" );
// NOTE(review): $login_return_path is interpolated into the query string
// without urlencode(); its origin is not visible here — if it can come from the
// request, encode it and confirm login.php restricts return_path to local paths.
148 do_redirect ( "login.php?return_path=$login_return_path" );
151 do_debug ( "Decoded login from cookie: $login" );