
ASSUMES we have SetEnv PHP_VALUE "include_path =.:/var/test/private:/var/test/ywww:/usr/share/php" in apache2/.../test.conf. Use dl(...) for debug logging, defined in dlog.php. Use doAmazonRequest in amazonBookSearch. Use ../private/web.php (q.v., not in mercurial) for Aserver and Aassociates. Started by updating from 40:c24ae74bf6d5, i.e. just before the bug on the main line.
author Charlie Root
date Sat, 05 Jan 2019 18:00:10 -0500
parents 077b0a0a3e6d
children 385ddd7c4b55 a67bf725e87b

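<?php
// user/resetEmail.php
//
// Changes a user's Email and DisplayName after re-verifying the account's
// current password, then mails either a confirmation (to the new address) or
// a failure notice (to the address currently on record).
//
// Request parameters, read from the query string:
//   userID        account to change (numeric)
//   email         new e-mail address
//   pwd           current password, checked against user.Password
//   dName         new display name ('' allowed)
//   receiveEmail, GRState, loc
//                 not stored; only echoed back to the caller
//
// Response body on success is a single ':::'-separated line that the caller
// splits itself:
//   dName:::email:::surname:::receiveEmail:::GRState:::loc:::userID
// Nothing is echoed on failure (unchanged from the original).
//
// NOTE(review): the current password arrives in the URL ($_GET['pwd']) and so
// ends up in web-server/proxy access logs and browser history. The form should
// POST this request; reading stays on $_GET here only so the existing caller
// keeps working.
//
// Depends on $link, a mysqli connection created by ../../private/db.php (not
// in view), and on the phpass PasswordHash class. Stored hashes are
// phpass-formatted, so password_verify() is not a drop-in replacement without
// a migration of the Password column.

// The caller parses the ':::' line itself; declaring the body plain text keeps
// the reflected, user-supplied values from being rendered as HTML when the URL
// is opened directly in a browser. Must be sent before any output.
header('Content-Type: text/plain; charset=utf-8');

require "PasswordHash.php";
include "../../private/db.php";

// Inputs. No stripslashes(): magic_quotes is gone since PHP 5.4, so stripping
// would corrupt legitimate backslashes. No mysqli_real_escape_string(): every
// value below is bound with a prepared statement, never interpolated (escaping
// cannot protect an unquoted numeric comparison such as "UserID = 1 OR 1=1").
// Missing parameters become '' instead of raising undefined-index notices.
$userID       = isset($_GET['userID']) ? (int) $_GET['userID'] : 0;
$email        = isset($_GET['email']) ? (string) $_GET['email'] : '';
$mypassword   = isset($_GET['pwd']) ? (string) $_GET['pwd'] : '';
$receiveEmail = isset($_GET['receiveEmail']) ? (string) $_GET['receiveEmail'] : '';
$GRState      = isset($_GET['GRState']) ? (string) $_GET['GRState'] : '';
$dName        = isset($_GET['dName']) ? (string) $_GET['dName'] : '';
$LocID        = isset($_GET['loc']) ? (string) $_GET['loc'] : '';

// A new address must be a single well-formed mailbox before it reaches the
// UPDATE or mail(): a CR/LF smuggled into $email would otherwise inject extra
// mail headers, and a junk address would be stored permanently.
$emailOk = (filter_var($email, FILTER_VALIDATE_EMAIL) !== false);

$t_hasher = new PasswordHash(8, FALSE);

// Look up the account. Email is fetched too so failure notices can go to the
// address on record rather than to whatever address the request supplied.
$passHash  = null;
$firstName = '';
$surname   = '';
$oldEmail  = '';
$stmt = mysqli_prepare($link, 'SELECT Password, FirstName, Surname, Email FROM user WHERE UserID = ?');
if ($stmt) {
    mysqli_stmt_bind_param($stmt, 'i', $userID);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $passHash, $firstName, $surname, $oldEmail);
    // The original while-loop kept the last row; assuming UserID is unique,
    // the first row is the only row. The bound variables keep their initial
    // values when no row matches.
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
}

// Only a match against the stored hash authorises the change. An unknown
// account (no hash) is a plain failure rather than a null handed to
// CheckPassword().
$check = ($passHash !== null && $passHash !== '')
    && $t_hasher->CheckPassword($mypassword, $passHash);

$to      = '';  // stays '' when there is no safe recipient; then no mail is sent
$subject = '';
$header  = "from: YourNextRead <noreply@YourNextRead.com>";
$message = '';

if ($check && $emailOk) {
    $run  = false;
    $stmt = mysqli_prepare($link, 'UPDATE user SET Email = ?, DisplayName = ? WHERE UserID = ?');
    if ($stmt) {
        mysqli_stmt_bind_param($stmt, 'ssi', $email, $dName, $userID);
        $run = mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }

    if ($run) {
        // The display name echoed back falls back to first name, then to the
        // new e-mail. This affects the response only; the stored DisplayName
        // is exactly what the request sent.
        if ($dName === '') {
            $dName = ($firstName === '' || $firstName === null) ? $email : $firstName;
        }

        echo $dName . ":::" . $email . ":::" . $surname . ":::" . $receiveEmail . ":::" . $GRState . ":::" . $LocID . ":::" . $userID;

        // ---------------- SEND MAIL FORM ----------------
        // Confirmation goes to the new address.
        // NOTE(review): the previous address ($oldEmail) is not told that the
        // account's e-mail changed; consider notifying it as well, since that
        // is the one signal the legitimate owner gets after a takeover.
        $to       = $email;
        $subject  = "YourNextRead confirmation";
        $message  = "YourNextRead Confirmation\r\n";
        $message .= "Your preferences have been changed successfully\r\n";
    } else {
        // UPDATE failed, so the address on record is still the old one.
        $to       = $oldEmail;
        $subject  = "YourNextRead - Error changing email";
        $message  = "YourNextRead - Error changing email\r\n";
        $message .= "Your email reset has been unsuccessful: Database Error\r\n";
    }
} elseif ($check) {
    // Password was right but the requested address is not usable; nothing
    // was changed.
    $to       = $oldEmail;
    $subject  = "YourNextRead - Error changing email";
    $message  = "YourNextRead - Error changing email\r\n";
    $message .= "Your email reset has been unsuccessful: Invalid email address\r\n";
} else {
    // Wrong password or unknown account. The notice goes to the address on
    // record (so nothing is sent for an unknown account): mailing the
    // request-supplied address here let anyone use this endpoint to send mail
    // to arbitrary recipients without knowing any password.
    $to       = $oldEmail;
    $subject  = "YourNextRead - Error changing email";
    $message  = "YourNextRead - Error changing prefs\r\n";
    $message .= "Your preference change has been unsuccessful: Incorrect password provided \r\n";
    $message .= "Please try again under 'Edit Preferences' and ensure you enter the correct password under 'Current Password'\r\n";
}

if ($to !== '' && $to !== null) {
    $sentmail = mail($to, $subject, $message, $header);
}

mysqli_close($link);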