diff options
author | canyonknight <canyonknight@gmail.com> | 2012-05-23 15:30:21 -0400 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-07-06 11:27:00 +0200 |
commit | 82d234c4d559a80ab33b682e004e5991f65a8017 (patch) | |
tree | 6e4031d3148a49e56d36aa6da48a76b543f231e0 | |
parent | f93f1a652ffec5cca0f9bdfb7895a5439382bd2a (diff) |
passreset.php: Pull out DB code
* Move DB code in passreset.php to new functions in acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/html/passreset.php | 25 | ||||
-rw-r--r-- | web/lib/acctfuncs.inc.php | 34 |
2 files changed, 37 insertions, 22 deletions
diff --git a/web/html/passreset.php b/web/html/passreset.php index 69324d1..cb88e5a 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -30,25 +30,10 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir } if (empty($error)) { - $dbh = db_connect(); $salt = generate_salt(); $hash = salted_hash($password, $salt); - # The query below won't affect any records unless the ResetKey - # and Email combination is correct and ResetKey is nonempty - $q = "UPDATE Users - SET Passwd = '$hash', - Salt = '$salt', - ResetKey = '' - WHERE ResetKey != '' - AND ResetKey = '".db_escape_string($resetkey)."' - AND Email = '".db_escape_string($email)."'"; - $result = db_query($q, $dbh); - if (!mysql_affected_rows($dbh)) { - $error = __('Invalid e-mail and reset key combination.'); - } else { - header('Location: passreset.php?step=complete'); - exit(); - } + + $error = password_reset($hash, $salt, $resetkey, $email); } } elseif (isset($_POST['email'])) { $email = $_POST['email']; @@ -56,11 +41,7 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir if ($uid != NULL && $uid != 'None') { # We (ab)use new_sid() to get a random 32 characters long string $resetkey = new_sid(); - $dbh = db_connect(); - $q = "UPDATE Users - SET ResetKey = '" . $resetkey . "' - WHERE ID = " . $uid; - db_query($q, $dbh); + create_resetkey($resetkey, $uid); # Send email with confirmation link $body = __('A password reset request was submitted for the account '. 'associated with your e-mail address. If you wish to reset '. diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index ecb9f99..31c43db 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -580,6 +580,40 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL) } +# Add a reset key for a specific user +function create_resetkey($resetkey, $uid, $dbh=NULL) { + if(!$dbh) { + $dbh = db_connect(); + } + $q = "UPDATE Users "; + $q.= "SET ResetKey = '" . $resetkey . "' "; + $q.= "WHERE ID = " . $uid; + db_query($q, $dbh); +} + +# Change a password and save the salt only if reset key and email are correct +function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) { + if(!$dbh) { + $dbh = db_connect(); + } + $q = "UPDATE Users "; + $q.= "SET Passwd = '$hash', "; + $q.= "Salt = '$salt', "; + $q.= "ResetKey = '' "; + $q.= "WHERE ResetKey != '' "; + $q.= "AND ResetKey = '".db_escape_string($resetkey)."' "; + $q.= "AND Email = '".db_escape_string($email)."'"; + $result = db_query($q, $dbh); + + if (!mysql_affected_rows($dbh)) { + $error = __('Invalid e-mail and reset key combination.'); + return $error; + } else { + header('Location: passreset.php?step=complete'); + exit(); + } +} + function good_passwd($passwd) { if ( strlen($passwd) >= PASSWD_MIN_LEN ) { return true; |