| 1 | <?php |
|---|
| 2 | /* |
|---|
| 3 | * Copyright(c) 2000-2007 LOCKON CO.,LTD. All Rights Reserved. |
|---|
| 4 | * |
|---|
| 5 | * http://www.lockon.co.jp/ |
|---|
| 6 | */ |
|---|
| 7 | require_once("../require.php"); |
|---|
| 8 | |
|---|
| 9 | // ÉÔÀµ¤ÊURL¤¬POST¤µ¤ì¤¿¾ì¹ç¤Ï¥¨¥é¡¼É½¼¨ |
|---|
| 10 | if (isset($_POST['url']) && lfIsValidURL() !== true) { |
|---|
| 11 | gfPrintLog('invalid access :login_check.php $POST["url"]=' . $_POST['url']); |
|---|
| 12 | sfDispSiteError(PAGE_ERROR); |
|---|
| 13 | } |
|---|
| 14 | |
|---|
| 15 | $objCustomer = new SC_Customer(); |
|---|
| 16 | // ¥¯¥Ã¥¡¼´ÉÍý¥¯¥é¥¹ |
|---|
| 17 | $objCookie = new SC_Cookie(COOKIE_EXPIRE); |
|---|
| 18 | // ¥Ñ¥é¥á¡¼¥¿´ÉÍý¥¯¥é¥¹ |
|---|
| 19 | $objFormParam = new SC_FormParam(); |
|---|
| 20 | // ¥Ñ¥é¥á¡¼¥¿¾ðÊó¤Î½é´ü²½ |
|---|
| 21 | lfInitParam(); |
|---|
| 22 | // POSTÃͤμèÆÀ |
|---|
| 23 | $objFormParam->setParam($_POST); |
|---|
| 24 | |
|---|
| 25 | switch($_POST['mode']) { |
|---|
| 26 | case 'login': |
|---|
| 27 | $objFormParam->toLower('login_email'); |
|---|
| 28 | $arrErr = $objFormParam->checkError(); |
|---|
| 29 | $arrForm = $objFormParam->getHashArray(); |
|---|
| 30 | // ¥¯¥Ã¥¡¼ÊݸȽÄê |
|---|
| 31 | if ($arrForm['login_memory'] == "1" && $arrForm['login_email'] != "") { |
|---|
| 32 | $objCookie->setCookie('login_email', $_POST['login_email']); |
|---|
| 33 | } else { |
|---|
| 34 | $objCookie->setCookie('login_email', ''); |
|---|
| 35 | } |
|---|
| 36 | |
|---|
| 37 | if(count($arrErr) == 0) { |
|---|
| 38 | if($objCustomer->getCustomerDataFromEmailPass($arrForm['login_pass'], $arrForm['login_email'])) { |
|---|
| 39 | header("Location: " . $_POST['url']); |
|---|
| 40 | exit; |
|---|
| 41 | } else { |
|---|
| 42 | $objQuery = new SC_Query; |
|---|
| 43 | $where = "email ILIKE ? AND status = 1 AND del_flg = 0"; |
|---|
| 44 | $ret = $objQuery->count("dtb_customer", $where, array($arrForm['login_email'])); |
|---|
| 45 | |
|---|
| 46 | if($ret > 0) { |
|---|
| 47 | sfDispSiteError(TEMP_LOGIN_ERROR); |
|---|
| 48 | } else { |
|---|
| 49 | sfDispSiteError(SITE_LOGIN_ERROR); |
|---|
| 50 | } |
|---|
| 51 | } |
|---|
| 52 | } else { |
|---|
| 53 | // ÆþÎÏ¥¨¥é¡¼¤Î¾ì¹ç¡¢¸µ¤Î¥¢¥É¥ì¥¹¤ËÌ᤹¡£ |
|---|
| 54 | header("Location: " . $_POST['url']); |
|---|
| 55 | exit; |
|---|
| 56 | } |
|---|
| 57 | break; |
|---|
| 58 | case 'logout': |
|---|
| 59 | // ¥í¥°¥¤¥ó¾ðÊó¤Î²òÊü |
|---|
| 60 | $objCustomer->EndSession(); |
|---|
| 61 | //¥Þ¥¤¥Ú¡¼¥¸¥í¥°¥¤¥óÃæ¤Ï¥í¥°¥¤¥ó²èÌÌ¤Ø°Ü¹Ô |
|---|
| 62 | if ( preg_match('/mypage/', $_POST['url']) ){ |
|---|
| 63 | header('Location: ' . URL_DIR . 'mypage/login.php'); |
|---|
| 64 | }else{ |
|---|
| 65 | header("Location: " . $_POST['url']); |
|---|
| 66 | } |
|---|
| 67 | exit; |
|---|
| 68 | break; |
|---|
| 69 | } |
|---|
| 70 | |
|---|
| 71 | //----------------------------------------------------------------------------------------------------------------------------------- |
|---|
| 72 | /* ¥Ñ¥é¥á¡¼¥¿¾ðÊó¤Î½é´ü²½ */ |
|---|
| 73 | function lfInitParam() { |
|---|
| 74 | global $objFormParam; |
|---|
| 75 | $objFormParam->addParam("µ²±¤¹¤ë", "login_memory", INT_LEN, "n", array("MAX_LENGTH_CHECK", "NUM_CHECK")); |
|---|
| 76 | $objFormParam->addParam("¥á¡¼¥ë¥¢¥É¥ì¥¹", "login_email", STEXT_LEN, "a", array("EXIST_CHECK", "MAX_LENGTH_CHECK")); |
|---|
| 77 | $objFormParam->addParam("¥Ñ¥¹¥ï¡¼¥É", "login_pass", STEXT_LEN, "", array("EXIST_CHECK", "MAX_LENGTH_CHECK")); |
|---|
| 78 | } |
|---|
| 79 | |
|---|
| 80 | /* POST¤µ¤ì¤ëURL¤Î¥Á¥§¥Ã¥¯*/ |
|---|
| 81 | function lfIsValidURL() { |
|---|
| 82 | $arrValidUrl = array(SSL_URL, SITE_URL, '/'); |
|---|
| 83 | $targetUrl = $_POST['url']; |
|---|
| 84 | |
|---|
| 85 | // $arrValidUrl¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¾ì¹ç¤ÏÉÔÀµ¤ÊURL |
|---|
| 86 | $match = false; |
|---|
| 87 | foreach ($arrValidUrl as $validUrl) { |
|---|
| 88 | $pattern = sprintf('/^%s/' , preg_quote($validUrl, '/')); |
|---|
| 89 | gfPrintLog($pattern . ':' . $targetUrl); |
|---|
| 90 | if ( preg_match($pattern, $targetUrl) ) { |
|---|
| 91 | $match = true; |
|---|
| 92 | break; |
|---|
| 93 | } |
|---|
| 94 | } |
|---|
| 95 | if (!$match) return false; |
|---|
| 96 | |
|---|
| 97 | // ²þ¹Ô¥³¡¼¥É(CR¡¦LF)¡¦NULL¥Ð¥¤¥È¤ò´Þ¤à¾ì¹ç¤ÏÉÔÀµ¤ÊURL |
|---|
| 98 | $pattern = '/\r|\n|\0|%0D|%0A|%00/'; |
|---|
| 99 | if (preg_match_all($pattern, $targetUrl, $matches)) { |
|---|
| 100 | return false; |
|---|
| 101 | } |
|---|
| 102 | |
|---|
| 103 | return true; |
|---|
| 104 | } |
|---|
| 105 | |
|---|
| 106 | ?> |
|---|