X-Git-Url: https://git.nubati.net/cgi-bin/gitweb.cgi?p=e-DoKo.git;a=blobdiff_plain;f=include%2Fpreferences.php;h=f0b33daeb7e2b98e3e1ff191e380ee264636aee4;hp=20b8eb5d5f04a041bdce98fe6e8f9b85ad46bf2a;hb=5116d22ed84db0f15a7f583bcbe243ee2cd606e1;hpb=4281c9e477f9aafff66f8b9dd6912a2495b0e853 diff --git a/include/preferences.php b/include/preferences.php index 20b8eb5..f0b33da 100644 --- a/include/preferences.php +++ b/include/preferences.php @@ -1,5 +1,5 @@ +/* Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arun Persaud * * This file is part of e-DoKo. * @@ -51,6 +51,7 @@ display_user_menu($myid); $PREF = DB_get_PREF($myid); /* set language chosen in preferences, will become active on the next reload (see index.php)*/ $_SESSION['language'] = $PREF['language']; +set_language($PREF['language']); $timezone = DB_get_user_timezone($myid); DB_update_user_timestamp($myid); @@ -91,11 +92,11 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($_REQUEST['vacation_start'] == $_REQUEST['vacation_stop']) { $result = DB_query("DELETE FROM User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation start'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" ); $result = DB_query("DELETE FROM User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation stop'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" ); $result = DB_query("DELETE FROM User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation comment'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" ); $changed_vacation = 1; } /* change in database if format is ok */ @@ -105,12 +106,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($vacation_start!=$PREF['vacation_start']) { $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation start'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_start). - " WHERE user_id='$myid' AND pref_key='vacation start'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation start',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation start',". DB_quote_smart($vacation_start).")"); $changed_vacation = 1; @@ -120,12 +121,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($vacation_stop!=$PREF['vacation_stop']) { $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation stop'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_stop). - " WHERE user_id='$myid' AND pref_key='vacation stop'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation stop',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation stop',". DB_quote_smart($vacation_stop).")"); $changed_vacation = 1; @@ -135,12 +136,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($vacation_comment!=$PREF['vacation_comment']) { $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation comment'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_comment). - " WHERE user_id='$myid' AND pref_key='vacation comment'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation comment',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation comment',". DB_quote_smart($vacation_comment).")"); $changed_vacation = 1; @@ -166,12 +167,12 @@ if(myisset("cards")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='cardset'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($cards). - " WHERE user_id='$myid' AND pref_key='cardset'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','cardset',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'cardset',". DB_quote_smart($cards).")"); $changed_cards = 1; } @@ -184,12 +185,12 @@ if(myisset("notify")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='email'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($notify). - " WHERE user_id='$myid' AND pref_key='email'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','email',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'email',". DB_quote_smart($notify).")"); $changed_notify=1; } @@ -202,12 +203,12 @@ if(myisset("digest")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='digest'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($digest). - " WHERE user_id='$myid' AND pref_key='digest'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','digest',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'digest',". DB_quote_smart($digest).")"); $changed_digest=1; } @@ -220,12 +221,12 @@ if(myisset("autosetup")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='autosetup'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($autosetup). - " WHERE user_id='$myid' AND pref_key='autosetup'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','autosetup',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'autosetup',". DB_quote_smart($autosetup).")"); $changed_autosetup=1; } @@ -238,12 +239,12 @@ if(myisset("sorting")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='sorting'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($sorting). - " WHERE user_id='$myid' AND pref_key='sorting'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','sorting',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'sorting',". DB_quote_smart($sorting).")"); $changed_sorting=1; } @@ -256,12 +257,12 @@ if(myisset("open_for_games")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='open for games'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($openforgames). - " WHERE user_id='$myid' AND pref_key='open for games'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','open for games',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'open for games',". DB_quote_smart($openforgames).")"); $changed_openforgames=1; } @@ -273,9 +274,9 @@ if(myisset("password0","password1","password2") && $_REQUEST["password0"]!="" & $changed_password = 1; /* check if old password matches */ - $oldpasswd = md5($_REQUEST["password0"]); - $password = DB_get_passwd_by_userid($myid); - if(!( ($password == $oldpasswd) || DB_check_recovery_passwords($oldpasswd,$email) )) + $result = verify_password($email, $_REQUEST["password0"]); + + if( $result!=0 ) $changed_password = -1; /* check if new password has been typed in correctly */ @@ -288,8 +289,19 @@ if(myisset("password0","password1","password2") && $_REQUEST["password0"]!="" & if($changed_password==1) { - DB_query("UPDATE User SET password='".md5($_REQUEST["password1"]). + // create a password hash using the crypt function, need php 5.3 for this + // create and random salt + $salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22); + // hash incoming password using 12 rounds of blowfish + $hash = crypt($_REQUEST["password1"], '$2y$12$' . $salt); + + DB_query("UPDATE User SET password='".$hash. "' WHERE id=".DB_quote_smart($myid)); + + /* in case this was done using a recovery password delete that password */ + $tmppasswd = md5($_REQUEST["password0"]); + if(DB_check_recovery_passwords($tmppasswd,$email)) + DB_delete_recovery_passwords($myid); } /* error output below */ } @@ -307,12 +319,12 @@ if(myisset("language")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='language'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($language). - " WHERE user_id='$myid' AND pref_key='language'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','language',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'language',". DB_quote_smart($language).")"); $changed_language = 1; } @@ -329,7 +341,7 @@ $timezone = DB_get_user_timezone($myid); echo "
\n"; echo "
\n"; -echo '

'._('Your settings are')."

\n"; +echo '

'._('Your settings')."

\n"; echo "
\n"; echo ' '._('Game-related')."\n"; echo " \n"; @@ -460,16 +472,7 @@ echo " \n"; echo ' \n"; @@ -546,14 +549,7 @@ echo "\n"; // add jquery date picker if html5 is not available ?>
'.('Card set').": \n"; echo " "; if($changed_cards) echo _('changed'); echo "