summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorcanyonknight <canyonknight@gmail.com>2012-05-23 21:30:21 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2012-07-06 11:27:00 +0200
commit82d234c4d559a80ab33b682e004e5991f65a8017 (patch)
tree6e4031d3148a49e56d36aa6da48a76b543f231e0
parentf93f1a652ffec5cca0f9bdfb7895a5439382bd2a (diff)
downloadaur-82d234c4d559a80ab33b682e004e5991f65a8017.tar.gz
aur-82d234c4d559a80ab33b682e004e5991f65a8017.tar.xz
passreset.php: Pull out DB code
* Move DB code in passreset.php to new functions in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/html/passreset.php25
-rw-r--r--web/lib/acctfuncs.inc.php34
2 files changed, 37 insertions, 22 deletions
diff --git a/web/html/passreset.php b/web/html/passreset.php
index 69324d1f..cb88e5ab 100644
--- a/web/html/passreset.php
+++ b/web/html/passreset.php
@@ -30,25 +30,10 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
}
if (empty($error)) {
- $dbh = db_connect();
$salt = generate_salt();
$hash = salted_hash($password, $salt);
- # The query below won't affect any records unless the ResetKey
- # and Email combination is correct and ResetKey is nonempty
- $q = "UPDATE Users
- SET Passwd = '$hash',
- Salt = '$salt',
- ResetKey = ''
- WHERE ResetKey != ''
- AND ResetKey = '".db_escape_string($resetkey)."'
- AND Email = '".db_escape_string($email)."'";
- $result = db_query($q, $dbh);
- if (!mysql_affected_rows($dbh)) {
- $error = __('Invalid e-mail and reset key combination.');
- } else {
- header('Location: passreset.php?step=complete');
- exit();
- }
+
+ $error = password_reset($hash, $salt, $resetkey, $email);
}
} elseif (isset($_POST['email'])) {
$email = $_POST['email'];
@@ -56,11 +41,7 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
if ($uid != NULL && $uid != 'None') {
# We (ab)use new_sid() to get a random 32 characters long string
$resetkey = new_sid();
- $dbh = db_connect();
- $q = "UPDATE Users
- SET ResetKey = '" . $resetkey . "'
- WHERE ID = " . $uid;
- db_query($q, $dbh);
+ create_resetkey($resetkey, $uid);
# Send email with confirmation link
$body = __('A password reset request was submitted for the account '.
'associated with your e-mail address. If you wish to reset '.
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index ecb9f99c..31c43dbf 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -580,6 +580,40 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL)
}
+# Add a reset key for a specific user
+function create_resetkey($resetkey, $uid, $dbh=NULL) {
+ if(!$dbh) {
+ $dbh = db_connect();
+ }
+ $q = "UPDATE Users ";
+ $q.= "SET ResetKey = '" . $resetkey . "' ";
+ $q.= "WHERE ID = " . $uid;
+ db_query($q, $dbh);
+}
+
+# Change a password and save the salt only if reset key and email are correct
+function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) {
+ if(!$dbh) {
+ $dbh = db_connect();
+ }
+ $q = "UPDATE Users ";
+ $q.= "SET Passwd = '$hash', ";
+ $q.= "Salt = '$salt', ";
+ $q.= "ResetKey = '' ";
+ $q.= "WHERE ResetKey != '' ";
+ $q.= "AND ResetKey = '".db_escape_string($resetkey)."' ";
+ $q.= "AND Email = '".db_escape_string($email)."'";
+ $result = db_query($q, $dbh);
+
+ if (!mysql_affected_rows($dbh)) {
+ $error = __('Invalid e-mail and reset key combination.');
+ return $error;
+ } else {
+ header('Location: passreset.php?step=complete');
+ exit();
+ }
+}
+
function good_passwd($passwd) {
if ( strlen($passwd) >= PASSWD_MIN_LEN ) {
return true;