external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

passreset.php: Pull out DB code

Browse source 
* Move DB code in passreset.php to new functions in acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
canyonknight 2012-05-23 15:30:21 -04:00 committed by Lukas Fleischer
parent f93f1a652f
commit 82d234c4d5
2 changed files with 37 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
web/html/passreset.php
View file

@ -30,25 +30,10 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
} }
if (empty($error)) { if (empty($error)) {
$dbh = db_connect();
$salt = generate_salt(); $salt = generate_salt();
$hash = salted_hash($password, $salt); $hash = salted_hash($password, $salt);
# The query below won't affect any records unless the ResetKey
# and Email combination is correct and ResetKey is nonempty $error = password_reset($hash, $salt, $resetkey, $email);
$q = "UPDATE Users
SET Passwd = '$hash',
Salt = '$salt',
ResetKey = ''
WHERE ResetKey != ''
AND ResetKey = '".db_escape_string($resetkey)."'
AND Email = '".db_escape_string($email)."'";
$result = db_query($q, $dbh);
if (!mysql_affected_rows($dbh)) {
$error = __('Invalid e-mail and reset key combination.');
} else {
header('Location: passreset.php?step=complete');
exit();
}
} }
} elseif (isset($_POST['email'])) { } elseif (isset($_POST['email'])) {
$email = $_POST['email']; $email = $_POST['email'];
@ -56,11 +41,7 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
if ($uid != NULL && $uid != 'None') { if ($uid != NULL && $uid != 'None') {
# We (ab)use new_sid() to get a random 32 characters long string # We (ab)use new_sid() to get a random 32 characters long string
$resetkey = new_sid(); $resetkey = new_sid();
$dbh = db_connect(); create_resetkey($resetkey, $uid);
$q = "UPDATE Users
SET ResetKey = '" . $resetkey . "'
WHERE ID = " . $uid;
db_query($q, $dbh);
# Send email with confirmation link # Send email with confirmation link
$body = __('A password reset request was submitted for the account '. $body = __('A password reset request was submitted for the account '.
'associated with your e-mail address. If you wish to reset '. 'associated with your e-mail address. If you wish to reset '.

34
web/lib/acctfuncs.inc.php
View file

@ -580,6 +580,40 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL)
} }
# Add a reset key for a specific user
function create_resetkey($resetkey, $uid, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
$q = "UPDATE Users ";
$q.= "SET ResetKey = '" . $resetkey . "' ";
$q.= "WHERE ID = " . $uid;
db_query($q, $dbh);
}
# Change a password and save the salt only if reset key and email are correct
function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
$q = "UPDATE Users ";
$q.= "SET Passwd = '$hash', ";
$q.= "Salt = '$salt', ";
$q.= "ResetKey = '' ";
$q.= "WHERE ResetKey != '' ";
$q.= "AND ResetKey = '".db_escape_string($resetkey)."' ";
$q.= "AND Email = '".db_escape_string($email)."'";
$result = db_query($q, $dbh);
if (!mysql_affected_rows($dbh)) {
$error = __('Invalid e-mail and reset key combination.');
return $error;
} else {
header('Location: passreset.php?step=complete');
exit();
}
}
function good_passwd($passwd) { function good_passwd($passwd) {
if ( strlen($passwd) >= PASSWD_MIN_LEN ) { if ( strlen($passwd) >= PASSWD_MIN_LEN ) {
return true; return true;