summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--db.php16
-rw-r--r--index.php3
2 files changed, 18 insertions, 1 deletions
diff --git a/db.php b/db.php
index 03de7f4..50cc3e5 100644
--- a/db.php
+++ b/db.php
@@ -161,6 +161,22 @@ function DB_get_userid_by_email_and_password($email,$password)
return 0;
}
+function DB_check_recovery_passwords($password,$email)
+{
+ $result = mysql_query("SELECT User.id FROM User".
+ " LEFT JOIN Recovery ON User.id=Recovery.user_id".
+ " WHERE email=".DB_quote_smart($email).
+ " AND Recovery.password=".DB_quote_smart($password).
+ " AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= Recovery.create_date");
+ $r = mysql_fetch_array($result,MYSQL_NUM);
+
+ if($r)
+ return 1;
+ else
+ return 0;
+
+}
+
function DB_get_handid_by_hash($hash)
{
$result = mysql_query("SELECT id FROM Hand WHERE hash=".DB_quote_smart($hash));
diff --git a/index.php b/index.php
index 08ae14c..fef72fd 100644
--- a/index.php
+++ b/index.php
@@ -1817,7 +1817,8 @@ else if( myisset("email","password") || isset($_SESSION["name"]) )
$ok = 1;
/* check if old password matches */
- if($password != md5($_REQUEST["password0"]))
+ $oldpasswd = md5($_REQUEST["password0"]);
+ if(!( ($password == $oldpasswd) || DB_check_recovery_passwords($oldpasswd,$email) ))
$ok = -1;
/* check if new passwords are types the same twice */
if($_REQUEST["password1"] != $_REQUEST["password2"] )
generated by cgit.