From: Harvie <tomas@mudrunka.cz>
Date: Tue, 15 Mar 2011 18:59:48 +0000 (+0100)
Subject: added check_login() to check passed credentials, [set_pasword] should work now
X-Git-Url: http://git.harvie.cz/?a=commitdiff_plain;h=e0946a04a8845b6e181544064f059fba1c92983e;hp=290d120f627e6db6eb33c5acfcde58c469cbd4d8;p=mirrors%2FKyberia-bloodline.git

added check_login() to check passed credentials, [set_pasword] should work now
---

diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc
index 0f7bcf0..5ebb3ae 100644
--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -10,11 +10,10 @@ function jabberctl($command, $args) { //XXXTODO Move to some .inc file...
 	system($cmd);
 }
 
-function login() {
+function login_check($login, $password, $login_type='id') {
 
     global $db,$error,$node_id;
-    $login = mysql_real_escape_string($_POST['login']);
-    $password = $_POST['password']; // Not SQLi but be carefull
+		$login = mysql_real_escape_string($login); //Not SQLi in $password but be carefull
     $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
 
     $hash_query='(';
@@ -23,7 +22,6 @@ function login() {
     }
     $hash_query.='false )';
 
-    $login_type = $_POST['login_type'];
     $referer = $_SERVER['HTTP_REFERER'];
 
     if (!session_id()) {
@@ -146,4 +144,10 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name"
 //    header("Location: $referer");
     return true;
 }
-?>
+
+function login() {
+	$login = $_POST['login'];
+	$password = $_POST['password'];
+	$login_type = $_POST['login_type'];
+	return login_check($login, $password, $login_type);
+}
diff --git a/wwwroot/inc/eventz/set_password.inc b/wwwroot/inc/eventz/set_password.inc
index fce20bc..e58f874 100644
--- a/wwwroot/inc/eventz/set_password.inc
+++ b/wwwroot/inc/eventz/set_password.inc
@@ -17,19 +17,14 @@ function set_password() {
 	}
 
 	//old password check
-
-        $q="select * from users where login='$login'";
-        $set=$db->query($q);
-        $set->next();
-        if ($set->getString('password')!=md5($old_password)) {
-                $error="bad password";
+	require_once(INCLUDE_DIR."eventz/login.inc");
+	if(!login_check($user_id, $old_password)) {
+		$error="bad password";
 		return false;
 	}
 
-
 	//changing in MySQL
-	$password=md5($new_password1);
+	$password=sha1($new_password1);
 	$db->query("update users set password='$password' where user_id='$user_id'");
+	login_check($user_id, $new_password1); //znova se zalogujeme po zmene hesla (kvuli jabberu)
 }
-
-?>