fix old :-( preg bug
author | Robert Boland <robert@markup.co.uk> |
---|---|
date | Fri, 04 Jan 2019 08:48:00 -0500 |
parents | 077b0a0a3e6d |
children | 385ddd7c4b55 a67bf725e87b |
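<?php
require "PasswordHash.php";
include "../../private/db.php";
include "passGen.php";

/*
 * Password reset / change endpoint.
 *
 * Two flows, selected by the submitted password:
 *   - pwd == "regen": "forgotten password" flow. The account is looked up by
 *     email, a fresh random password is generated, stored, and mailed to the
 *     address on record. Anyone who knows the address can trigger this; the
 *     new password only ever goes to that mailbox.
 *   - otherwise: "change password" flow. The account is looked up by userID,
 *     oldpwd is verified against the stored phpass hash, and pwd is stored.
 *
 * Inputs are read from the query string because that is what the existing
 * form submits (userID, email, pwd, oldpwd). Credentials in a GET request end
 * up in browser history, referrers and server logs, so the form should move
 * to POST; this script only reads $_GET so as not to break it meanwhile.
 *
 * Requires $link (mysqli connection from db.php), the PasswordHash class
 * (phpass) and generatePassword() from passGen.php.
 *
 * All SQL is parameterised: the previous version interpolated $userID
 * unquoted into the statements, which mysqli_real_escape_string does not
 * protect against. The new password is now hashed exactly as submitted (the
 * old code hashed the SQL-escaped copy while checking the raw oldpwd, so a
 * password containing a quote or backslash could never be verified again).
 * NOTE(review): the login script must also compare the raw submitted
 * password — confirm it does not escape before CheckPassword.
 */

/**
 * Run a single-column, single-parameter prepared SELECT and return the value
 * of the one matching row.
 *
 * Returns null when the statement cannot be prepared, fails to execute, or
 * matches anything other than exactly one row, so callers can treat
 * "not found" and "query failed" the same way (as the original did via
 * mysqli_num_rows).
 *
 * @param mysqli $link
 * @param string $sql   statement with exactly one ? placeholder
 * @param string $type  mysqli_stmt_bind_param type char ("s" or "i")
 * @param mixed  $param value for the placeholder
 * @return string|null
 */
function resetpw_fetch_value($link, $sql, $type, $param)
{
    $stmt = mysqli_prepare($link, $sql);
    if (!$stmt) {
        return null;
    }
    $value = null;
    $found = false;
    if (mysqli_stmt_bind_param($stmt, $type, $param) && mysqli_stmt_execute($stmt)) {
        // store_result is required before mysqli_stmt_num_rows is meaningful
        mysqli_stmt_store_result($stmt);
        if (mysqli_stmt_num_rows($stmt) == 1) {
            mysqli_stmt_bind_result($stmt, $value);
            $found = mysqli_stmt_fetch($stmt) === true;
        }
    }
    mysqli_stmt_close($stmt);
    return $found ? $value : null;
}

/**
 * Store a new password hash for a user.
 *
 * The statement text is never echoed: the old code printed the full UPDATE,
 * which put the fresh hash into the HTTP response.
 *
 * @param mysqli $link
 * @param int    $userID
 * @param string $hash phpass hash from PasswordHash::HashPassword
 * @return bool true when the UPDATE executed
 */
function resetpw_store_hash($link, $userID, $hash)
{
    $stmt = mysqli_prepare($link, "UPDATE user set Password = ? where UserID = ?");
    if (!$stmt) {
        return false;
    }
    $ok = mysqli_stmt_bind_param($stmt, "si", $hash, $userID)
        && mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// ---- inputs (missing parameters default to empty rather than raising notices)
$userID     = isset($_GET['userID']) ? (int) $_GET['userID'] : 0;
$email      = isset($_GET['email'])  ? (string) $_GET['email'] : '';
$mypassword = isset($_GET['pwd'])    ? (string) $_GET['pwd'] : '';
$oldpass    = isset($_GET['oldpwd']) ? (string) $_GET['oldpwd'] : '';

// $check is the "allowed to write the new password" decision; it defaults to
// false so a failed lookup can never fall through to an update.
$forgotten = 0;
$check = false;
if ($mypassword === "regen") {
    $mypassword = generatePassword(9);
    $forgotten = 1;
    $check = true;
}

// ---- resolve the account
$userKnown = true;
if ($forgotten == 1) {
    $found = resetpw_fetch_value($link, "select UserID from user where Email = ?", "s", $email);
    $userKnown = $found !== null;
    $userID = (int) $found;
}

// Mail always goes to the address on record, never to the submitted one.
$email = $userKnown
    ? resetpw_fetch_value($link, "select Email from user where UserID = ?", "i", $userID)
    : null;

if ($email !== null) {
    $t_hasher = new PasswordHash(8, FALSE);

    if ($forgotten == 0) {
        $passHash = resetpw_fetch_value($link, "select Password from user where UserID = ?", "i", $userID);
        // no stored hash -> treat as wrong password rather than calling
        // CheckPassword with null
        $check = $passHash !== null && $t_hasher->CheckPassword($oldpass, $passHash);
    }

    $to = $email;
    $header = "from: BookWhack <noreply@bookwhack.com>";
    $subject = null;
    $message = null;

    if ($check) {
        $hashpwd = $t_hasher->HashPassword($mypassword);
        $run = resetpw_store_hash($link, $userID, $hashpwd);

        if ($run && $forgotten == 1) {
            // The generated password is sent in clear text; a one-time reset
            // link would avoid putting a live credential in the mailbox.
            $subject = "BookWhack confirmation";
            $message = "BookWhack Confirmation\r\n";
            $message .= "Your password has been reset to: $mypassword\r\n";
            $message .= "This can be changed once logged in";
        } elseif ($run) {
            $subject = "BookWhack confirmation";
            $message = "BookWhack Confirmation\r\n";
            $message .= "Your password has successfully been reset\r\n";
        } else {
            echo "Error Updating Password";
        }
    } else {
        $subject = "BookWhack - Error resetting password";
        $message = "BookWhack - Error resetting password\r\n";
        $message .= "Your password reset has been unsuccessful: Incorrect password provided \r\n";
        $message .= "Please try again under 'Edit Preferences' and ensure you enter the correct password under 'Current Password'\r\n";
    }

    // Only send when a message was prepared: the old code called mail() with
    // undefined $to/$subject after a failed UPDATE.
    if ($message !== null) {
        $sentmail = mail($to, $subject, $message, $header);
    }
} else {
    echo "Incorrect Email address";
}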