From e0946a04a8845b6e181544064f059fba1c92983e Mon Sep 17 00:00:00 2001
From: Harvie
Date: Tue, 15 Mar 2011 19:59:48 +0100
Subject: [PATCH] added check_login() to check passed credentials, [set_pasword] should work now
---
 wwwroot/inc/eventz/login.inc | 14 +++++++++-----
 wwwroot/inc/eventz/set_password.inc | 15 +++++----------
 2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc
index 0f7bcf0..5ebb3ae 100644
--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -10,11 +10,10 @@ function jabberctl($command, $args) { //XXXTODO Move to some .inc file...
 system($cmd);
 }
-function login() {
+function login_check($login, $password, $login_type='id') {
 global $db,$error,$node_id;
- $login = mysql_real_escape_string($_POST['login']);
- $password = $_POST['password']; // Not SQLi but be carefull
+ $login = mysql_real_escape_string($login); //Not SQLi in $password but be carefull
 $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
 $hash_query='(';
@@ -23,7 +22,6 @@ function login() {
 }
 $hash_query.='false )';
- $login_type = $_POST['login_type'];
 $referer = $_SERVER['HTTP_REFERER'];
 if (!session_id()) {
@@ -146,4 +144,10 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name"
 // header("Location: $referer");
 return true;
 }
-?>
+
+function login() {
+ $login = $_POST['login'];
+ $password = $_POST['password'];
+ $login_type = $_POST['login_type'];
+ return login_check($login, $password, $login_type);
+}
diff --git a/wwwroot/inc/eventz/set_password.inc b/wwwroot/inc/eventz/set_password.inc
index fce20bc..e58f874 100644
--- a/wwwroot/inc/eventz/set_password.inc
+++ b/wwwroot/inc/eventz/set_password.inc
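Review bot: The new `login()` wrapper in the third hunk reads `$_POST['login']`, `$_POST['password']` and `$_POST['login_type']` without checking that they exist, so a request that omits `login_type` passes null into `login_check()` and silently bypasses the `'id'` default that the first hunk's signature introduces, besides raising an undefined-index notice. Suggest `$login_type = isset($_POST['login_type']) ? $_POST['login_type'] : 'id';` and `isset` guards (or an early `return false`) for the other two keys. `$login_type` is now caller-supplied and, like the removed `$_POST` read in the second hunk, reaches the rest of `login_check()` unvalidated; if it selects a column or otherwise enters the query built below the hunk, it should be compared against a fixed list of allowed values first. The body of `login_check()` between the hunks, including where `$hash_query` and the unescaped `$password` are used, is outside this view, so I could not confirm how they enter the SQL.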
@@ -17,19 +17,14 @@ function set_password() {
 }
 //old password check
-
- $q="select * from users where login='$login'";
- $set=$db->query($q);
- $set->next();
- if ($set->getString('password')!=md5($old_password)) {
- $error="bad password";
+ require_once(INCLUDE_DIR."eventz/login.inc");
+ if(!login_check($user_id, $old_password)) {
+ $error="bad password";
 return false;
 }
- //changing in MySQL
- $password=md5($new_password1);
+ $password=sha1($new_password1);
 $db->query("update users set password='$password' where user_id='$user_id'");
+ login_check($user_id, $new_password1); //znova se zalogujeme po zmene hesla (kvuli jabberu)
 }
-
-?>
-- 2.30.2
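Review bot: `$password=sha1($new_password1);` stores the new password as an unsalted SHA-1 digest, so the change only swaps one fast unsalted hash (md5) for another: equal passwords still produce equal stored values and the digests remain cheap to crack offline if the table leaks. The `$password_hash_algos` list in login.inc already accepts `sha256`, so at minimum this line should write `hash('sha256', $new_password1)`, and preferably a salted, slow hash (`crypt()` with a generated salt, or `password_hash()` where the PHP version allows) with the login-side comparison adjusted to match. The return value of the re-login `login_check($user_id, $new_password1);` is discarded, so a failed re-authentication after the update is never reported; check it and set `$error` on failure, and the Czech comment on that line would be clearer to other maintainers as `// log in again after the password change (needed for jabber)`. `$user_id` is interpolated raw into the `update users ...` statement while only `login_check()` escapes its copy; whether it was escaped earlier is decided by code before the hunk, as `set_password()` starts outside it.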