Mercurial > hg > ywww

comparison user/uk/resetPassword.php @ 6:077b0a0a3e6d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
remaining originals according to dependency walk
author Robert Boland <robert@markup.co.uk>
date Thu, 16 Feb 2017 22:29:02 +0000
parents
children 385ddd7c4b55 a67bf725e87b
comparison
equal deleted inserted replaced
5:55445b456ad0 6:077b0a0a3e6d
1 <?php
2 require "PasswordHash.php";
3
4 include "../../private/db.php";
5 include "passGen.php";
6
7 // emailname and password sent from form
8 $userID=$_GET['userID'];
9 $email=$_GET['email'];
10 $mypassword=$_GET['pwd'];
11 $oldpass=$_GET['oldpwd'];
12
13 // To protect MySQL injection
14 $userID = stripslashes($userID);
15 $userID = mysqli_real_escape_string($link,$userID);
16 //echo $userID;
17 $email = stripslashes($email);
18 $mypassword = stripslashes($mypassword);
19 $email = mysqli_real_escape_string($link,$email);
20 $mypassword = mysqli_real_escape_string($link,$mypassword);
21
22 $forgotten = 0;
23
24 if( $mypassword == "regen" )
25 {
26 $mypassword = generatePassword(9);
27 $forgotten = 1;
28 $check = 1;
29 }
30
31 //echo $mypassword;
32 //echo $check;
33 //echo $forgotten;
34
35 if($forgotten == 1)
36 {
37 $query1 = "select UserID from user where Email = '$email'";
38 //echo $query1;
39 $data1 = mysqli_query($link, $query1);
40 if($data1){
41 $count=mysqli_num_rows($data1);
42 if($count==1){
43 $rows=mysqli_fetch_array($data1, MYSQLI_ASSOC);
44 $userID=$rows['UserID'];
45 }
46 }
47 }
48 else
49 {
50 $query1 = "select Email from user where UserID = $userID";
51 //echo $query1;
52 $data1 = mysqli_query($link, $query1);
53 if($data1){
54 $count=mysqli_num_rows($data1);
55 if($count==1){
56 $rows=mysqli_fetch_array($data1, MYSQLI_ASSOC);
57 $email=$rows['Email'];
58 }
59
60 }
61 }
62 //echo $check;
63 if ( mysqli_num_rows( $data1 ) == 1 )
64 {
65 $t_hasher = new PasswordHash(8, FALSE);
66 if($forgotten == 0)
67 {
68 $query2 = "select Password from user where UserID = $userID";
69 $data2 = mysqli_query($link, $query2);
70
71 while($line = mysqli_fetch_assoc($data2))
72 {
73 $passHash = $line['Password'];
74 }
75
76 $check = $t_hasher->CheckPassword($oldpass, $passHash);
77 }
78
79 if( $check )
80 {
81 $hashpwd = $t_hasher->HashPassword($mypassword);
82 $update="UPDATE user set Password = '$hashpwd' where UserID = $userID";
83 echo $update;
84 $run = mysqli_query($link, $update);
85
86 // if suceesfully inserted data into database, send confirmation link to email
87 if($run && $forgotten == 1){
88 // ---------------- SEND MAIL FORM ----------------
89 $to=$email;
90 $subject="BookWhack confirmation";
91 $header="from: BookWhack <noreply@bookwhack.com>";
92 $message="BookWhack Confirmation\r\n";
93 $message.="Your password has been reset to: $mypassword\r\n";
94 $message.="This can be changed once logged in";
95 }
96 else if($run && $forgotten == 0){
97 $to=$email;
98 $subject="BookWhack confirmation";
99 $header="from: BookWhack <noreply@bookwhack.com>";
100 $message="BookWhack Confirmation\r\n";
101 $message.="Your password has successfully been reset\r\n";
102 }
103 else {
104 echo "Error Updating Password";
105 }
106 }
107 else
108 {
109 $to=$email;
110 $subject="BookWhack - Error resetting password";
111 $header="from: BookWhack <noreply@bookwhack.com>";
112 $message="BookWhack - Error resetting password\r\n";
113 $message.="Your password reset has been unsuccessful: Incorrect password provided \r\n";
114 $message.="Please try again under 'Edit Preferences' and ensure you enter the correct password under 'Current Password'\r\n";
115 }
116 $sentmail = mail($to,$subject,$message,$header);
117 }
118 else
119 echo "Incorrect Email address"
120 ?>