view user/resetEmail.php @ 16:093e42d5a874
minor tidy-ups on new-server install
author | Henry S. Thompson <ht@inf.ed.ac.uk> |
---|---|
date | Thu, 20 Apr 2017 18:15:34 -0400 |
parents | 077b0a0a3e6d |
children | 385ddd7c4b55 a67bf725e87b |
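<?php
/*
 * Change a user's e-mail address and display name after re-checking the
 * current password, then mail a confirmation or error notice.
 *
 * Request parameters (query string): userID, email, pwd, receiveEmail,
 * GRState, dName, loc.
 * Response on success: the values joined by ":::" in the order
 *   dName, email, surname, receiveEmail, GRState, loc, userID
 * On failure nothing is echoed; only the notice mail is sent.
 *
 * NOTE(review): the current password and the state change both travel in a
 * GET query string, so the password can end up in access logs, proxies and
 * browser history, and the request can be triggered cross-site. Moving the
 * form to POST with an anti-CSRF token needs a matching client change, so it
 * is not done here.
 */
require "PasswordHash.php";
include "../../private/db.php";

// The echoed values are request data; declare the body as plain text so a
// browser that loads this URL directly does not render them as HTML.
if (!headers_sent()) {
    header('Content-Type: text/plain; charset=utf-8');
}

// Read every expected parameter as a string. Missing or array-valued
// parameters become ''. stripslashes() is kept from the original script so
// stored values do not change.
$params = [];
foreach (['userID', 'email', 'pwd', 'receiveEmail', 'GRState', 'dName', 'loc'] as $key) {
    $params[$key] = (isset($_GET[$key]) && is_string($_GET[$key]))
        ? stripslashes($_GET[$key])
        : '';
}

$userID       = $params['userID'];
$receiveEmail = $params['receiveEmail'];
$GRState      = $params['GRState'];
$dName        = $params['dName'];
$LocID        = $params['loc'];

// $email is used as the mail() recipient below, so drop CR/LF to keep it
// from carrying extra header lines.
$email = str_replace(["\r", "\n"], '', $params['email']);

// The password is still passed through mysqli_real_escape_string() before the
// hash check, exactly as before. NOTE(review): presumably the stored hashes
// were computed over the same escaped form at registration; confirm before
// removing this, otherwise passwords containing quotes or backslashes stop
// verifying.
$mypassword = mysqli_real_escape_string($link, $params['pwd']);

$t_hasher = new PasswordHash(8, FALSE);

// Look the user up with a bound parameter. The original interpolated $userID
// unquoted into the SQL text, where mysqli_real_escape_string() gives no
// protection because there is no string literal to break out of.
$passHash  = null;
$firstName = '';
$surname   = '';
$userIDInt = 0;

if (ctype_digit($userID)) {
    $userIDInt = (int) $userID;
    $lookup = mysqli_prepare($link, 'select Password, FirstName, Surname from user where UserID = ?');
    if ($lookup) {
        mysqli_stmt_bind_param($lookup, 'i', $userIDInt);
        mysqli_stmt_execute($lookup);
        mysqli_stmt_bind_result($lookup, $dbHash, $dbFirstName, $dbSurname);
        if (mysqli_stmt_fetch($lookup)) {
            $passHash  = (string) $dbHash;
            $firstName = (string) $dbFirstName;
            $surname   = (string) $dbSurname;
        }
        mysqli_stmt_close($lookup);
    }
}

// An unknown user or failed lookup counts as a failed password check instead
// of passing an undefined hash to CheckPassword().
$check = ($passHash !== null) && $t_hasher->CheckPassword($mypassword, $passHash);

if ($check) {
    // Parameterized update; values are stored exactly as submitted.
    $run = false;
    $change = mysqli_prepare($link, 'UPDATE user set Email = ?, DisplayName = ? where UserID = ?');
    if ($change) {
        mysqli_stmt_bind_param($change, 'ssi', $email, $dName, $userIDInt);
        $run = mysqli_stmt_execute($change);
        mysqli_stmt_close($change);
    }

    if ($run) {
        // Fall back to the first name, then the e-mail address, when no
        // display name was supplied.
        if ($dName == "") {
            if ($firstName == "") {
                $dName = $email;
            } else {
                $dName = $firstName;
            }
        }

        echo $dName . ":::" . $email . ":::" . $surname . ":::" . $receiveEmail . ":::" . $GRState . ":::" . $LocID . ":::" . $userID;

        // ---------------- SEND MAIL FORM ----------------
        // NOTE(review): the confirmation goes only to the new address; the
        // previous address is never told that the account e-mail changed.
        $to = $email;
        $subject = "YourNextRead confirmation";
        $header = "from: YourNextRead <noreply@YourNextRead.com>";
        $message = "YourNextRead Confirmation\r\n";
        $message .= "Your preferences have been changed successfully\r\n";
    } else {
        $to = $email;
        $subject = "YourNextRead - Error changing email";
        $header = "from: YourNextRead <noreply@YourNextRead.com>";
        $message = "YourNextRead - Error changing email\r\n";
        $message .= "Your email reset has been unsuccessful: Database Error\r\n";
    }
} else {
    // NOTE(review): this notice is mailed to the address taken from the
    // request even though the password check failed, so an unauthenticated
    // caller can make the site send mail to any address. Consider mailing the
    // address on file instead, or sending nothing, and rate-limiting failures.
    $to = $email;
    $subject = "YourNextRead - Error changing email";
    $header = "from: YourNextRead <noreply@YourNextRead.com>";
    $message = "YourNextRead - Error changing prefs\r\n";
    $message .= "Your preference change has been unsuccessful: Incorrect password provided \r\n";
    $message .= "Please try again under 'Edit Preferences' and ensure you enter the correct password under 'Current Password'\r\n";
}

$sentmail = mail($to, $subject, $message, $header);

mysqli_close($link);
?>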