<?php
require_once "common.php";

if (!empty($_POST['name'])){
	if (!empty($session['loggedin'])) {
		redirect("badnav.php");
	}else{
		if(0){
		}else{
			$result = db_fetch_assoc(db_query("SELECT COUNT(acctid) AS onlinecount FROM accounts WHERE locked=0 AND loggedin=1 AND laston>'".date("Y-m-d H:i:s",strtotime(date("r")."-".getsetting("LOGINTIMEOUT",900)." seconds"))."'"));
			$onlinecount = $result['onlinecount'];

			$sql = "SELECT * FROM accounts WHERE login = '$_POST[name]' AND password=MD5('$_POST[password]') AND locked=0";
			$result = db_query($sql);
			if (db_num_rows($result)==1){
				$session['user']=db_fetch_assoc($result);
				checkban($session['user']['login']); //check if this account is banned
				checkban(); //check if this computer is banned
				if ($session['user']['emailvalidation']!="" && substr($session['user']['emailvalidation'],0,1)!="x"){
					$session['user']=array();
					$session['message']="`4Fehler: Du musst deine E-Mail Adresse bestätigen lassen, bevor du dich einloggen kannst.";
					echo $session[message];
					//header("Location: index.php");
					exit();
				}else{
					if ($onlinecount<getsetting("maxonline",10) || getsetting("maxonline",10)==0 || $session['user']['superuser']>0){
						//loaduser($session['user']);
						$session['loggedin']=true;
						$session['output']=$session['user']['output'];
						$session['petitions'] = array();
						$session['laston']=date("Y-m-d H:i:s");
						$session['sentnotice']=0;
						$session['user']['dragonpoints']=unserialize($session['user']['dragonpoints']);
						$session['user']['prefs']=unserialize($session['user']['prefs']);
						$session['bufflist']=unserialize($session['user']['bufflist']);
						if (!is_array($session['user']['dragonpoints'])) $session['user']['dragonpoints']=array();
						if ($session['user']['loggedin']){
							$session['allowednavs']=unserialize($session['user']['allowednavs']);
							saveuser();
							header("Location: {$session['user']['restorepage']}");
							exit();
							//redirect($session['user']['page']);//"badnav.php");
						}
						db_query("UPDATE accounts SET loggedin=".true.", location=0 WHERE acctid = ".$session['user']['acctid']);
						$session['user']['loggedin']=true;
						$location = $session['user']['location'];
						$session['user']['location']=0;
						debuglog("logged in ");
						if ($session['user']['alive']==0 && $session['user']['slainby']!=""){
							//they're not really dead, they were killed in pvp.
							$session['user']['alive']=true;
						}
						if (getsetting("logdnet",0)){
							//register with LoGDnet
							@file(getsetting("logdnetserver","http://lotgd.net/")."logdnet.php?addy=".URLEncode(getsetting("serverurl","http://".$_SERVER['SERVER_NAME'].dirname($_SERVER['REQUEST_URI'])))."&desc=".URLEncode(getsetting("serverdesc","Another LoGD Server"))."&version=".URLEncode($GLOBALS['logd_version'])."");
						}
						if ($location==0){
							redirect("news.php");
						}else if($location==1){
							redirect("inn.php?op=strolldown");
						}else if($location==2){
							redirect("houses.php?op=newday");
						}else{
							saveuser();
							header("Location: {$session['user']['restorepage']}");
							exit();
						}
					}else{
						$session['user'] = array();
						$session[message]="`4Fehler: Der Server ist voll.`0";
						redirect("index.php");
					}
				}
			}else{
				$session['message']="`4Fehler: Login-Daten waren ungültig.`0";
				//now we'll log the failed attempt and begin to issue bans if there are too many, plus notify the admins.
				$sql = "DELETE FROM faillog WHERE date<'".date("Y-m-d H:i:s",strtotime(date("r")."-".(getsetting("expirecontent",180)/4)." days"))."'";
				checkban();
				db_query($sql);
				$sql = "SELECT acctid FROM accounts WHERE login='{$_POST['name']}'";
				$result = db_query($sql);
				if (db_num_rows($result)>0){ // just in case there manage to be multiple accounts on this name.
					while (($row=db_fetch_assoc($result))){
						$lgi = !empty($_COOKIE['lgi']) ? $_COOKIE['lgi'] : '';
						$sql = "INSERT INTO faillog VALUES (0,now(),'".addslashes(serialize($_POST))."','{$_SERVER['REMOTE_ADDR']}','{$row['acctid']}','$lgi')";
						db_query($sql);
						$sql = "SELECT faillog.*,accounts.superuser,name,login FROM faillog INNER JOIN accounts ON accounts.acctid=faillog.acctid WHERE ip='{$_SERVER['REMOTE_ADDR']}' AND date>'".date("Y-m-d H:i:s",strtotime(date("r")."-1 day"))."'";
						$result2 = db_query($sql);
						$c=0;
						$alert="";
						$su=false;
						while (($row2=db_fetch_assoc($result2))) {
							if ($row2['superuser']>0) {$c+=1; $su=true;}
							$c+=1;
							$alert.="`3{$row2['date']}`7: Failed attempt from `&{$row2['ip']}`7 [`3{$row2['id']}`7] to log on to `^{$row2['login']}`7 ({$row2['name']}`7)`n";
						}
						if ($c>=10){ // 5 failed attempts for superuser, 10 for regular user
							$sql = "INSERT INTO bans VALUES ('{$_SERVER['REMOTE_ADDR']}','','".date("Y-m-d H:i:s",strtotime(date("r")."+".($c*3)." hours"))."','Automatischer Systembann: Zu viele fehlgeschlagene Loginversuche.')";
							db_query($sql);
							if ($su){ // send a system message to admins regarding this failed attempt if it includes superusers.
								$sql = "SELECT acctid FROM accounts WHERE superuser>=3";
								$result2 = db_query($sql);
								$subj = "`#{$_SERVER['REMOTE_ADDR']} failed to log in too many times!";
								for ($i=0;$i<db_num_rows($result2);$i++){
									$row2 = db_fetch_assoc($result2);
									//delete old messages that 
									$sql = "DELETE FROM mail WHERE msgto={$row2['acctid']} AND msgfrom=0 AND subject = '$subj' AND seen=0";
									db_query($sql);
									if (db_affected_rows()>0) $noemail = true; else $noemail = false;
									systemmail($row2['acctid'],"$subj","This message is generated as a result of one or more of the accounts having been a superuser account.  Log Follows:`n`n$alert",0,$noemail);
								}//end for
							}//end if($su)
						}//end if($c>=10)
					}//end while
				}else{
					
				}//end if (db_num_rows)
				redirect("index.php");
			}
		}
	}
}else if ($_GET['op']=="logout"){
	if ($session['user']['loggedin']){
	debuglog("logged out ");
	  $sql = "UPDATE accounts SET loggedin=0 WHERE acctid = ".$session['user']['acctid'];
		db_query($sql) or die(sql_error($sql));
	}
	$session=array();
	redirect("index.php");
}
// If you enter an empty username, don't just say oops.. do something useful.
$session=array();
$session[message]="`4Fehler: Die Login-Daten waren fehlerhaft.`0";
redirect("index.php");
?>