From 54ea7b7fae46bae795d72ff671c15091ae505256 Mon Sep 17 00:00:00 2001 From: Arun Persaud Date: Wed, 18 Jul 2007 23:51:23 -0700 Subject: [PATCH 1/1] BUGFIX: using the recovery password to change your password to change your password you needed your old password, the recovery password didn't work, which made it hard to change it, in case you forgot your old password... fixed --- db.php | 16 ++++++++++++++++ index.php | 3 ++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/db.php b/db.php index 03de7f4..50cc3e5 100644 --- a/db.php +++ b/db.php @@ -161,6 +161,22 @@ function DB_get_userid_by_email_and_password($email,$password) return 0; } +function DB_check_recovery_passwords($password,$email) +{ + $result = mysql_query("SELECT User.id FROM User". + " LEFT JOIN Recovery ON User.id=Recovery.user_id". + " WHERE email=".DB_quote_smart($email). + " AND Recovery.password=".DB_quote_smart($password). + " AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= Recovery.create_date"); + $r = mysql_fetch_array($result,MYSQL_NUM); + + if($r) + return 1; + else + return 0; + +} + function DB_get_handid_by_hash($hash) { $result = mysql_query("SELECT id FROM Hand WHERE hash=".DB_quote_smart($hash)); diff --git a/index.php b/index.php index 08ae14c..fef72fd 100644 --- a/index.php +++ b/index.php @@ -1817,7 +1817,8 @@ else if( myisset("email","password") || isset($_SESSION["name"]) ) $ok = 1; /* check if old password matches */ - if($password != md5($_REQUEST["password0"])) + $oldpasswd = md5($_REQUEST["password0"]); + if(!( ($password == $oldpasswd) || DB_check_recovery_passwords($oldpasswd,$email) )) $ok = -1; /* check if new passwords are types the same twice */ if($_REQUEST["password1"] != $_REQUEST["password2"] ) -- 2.25.1