<?php
// Include files, including the database connection
include('includes/dbConfig.php');
include('includes/functions.php');
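// Start the session and require a logged-in user; everyone else is redirected to the login page.
session_start();
// NOTE(review): isset() is true for any non-null value, so a session that holds
// is_logged_in = false would still pass this gate. Confirm how the login code sets
// these two keys before tightening the check.
$loggedIn = isset($_SESSION['is_logged_in'])
    || (isset($_SESSION['db_is_logged_in']) && $_SESSION['db_is_logged_in'] == true);
if (!$loggedIn) {
    header('Location: login.php');
    // Stop here: without exit the rest of the script would still run for an anonymous visitor.
    exit;
}

// Query-string values are attacker-controlled. Accept only plain strings and fall back to ''
// so later code never reads an undefined index or an array where it expects text.
$action = (isset($_GET['action']) && is_string($_GET['action'])) ? $_GET['action'] : '';
// Identity of the logged-in user as recorded in the session (null if the key is absent).
$userID = isset($_SESSION['userid']) ? $_SESSION['userid'] : null;
// Id of the account whose password is being edited. It is used in SQL further down and
// must be escaped or bound there; it is NOT safe to interpolate as-is.
$id = (isset($_GET['id']) && is_string($_GET['id'])) ? $_GET['id'] : '';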
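// Handle the password form. A POST applies a password change; any other request only
// loads the account's name so the form can display it.

// Defaults so later code never reads an undefined variable.
$message = isset($message) ? $message : "";
$firstname = "";
$lastname = "";

// $id comes straight from the query string. Escape it before it is placed inside a quoted
// SQL literal; every query below uses $idSql, never the raw value.
// NOTE(review): the mysql_* extension was removed in PHP 7. Prepared statements through
// mysqli or PDO are the durable fix, but the connection is created outside this block.
$idSql = mysql_real_escape_string($id);

// Only the account owner or an administrator may change this account's password.
// The page template performs the same owner-or-admin check, but only when rendering,
// i.e. after the UPDATE in this block has already run, so it is enforced here as well.
// The comparison is strict on the string form so that a non-numeric id cannot loosely
// compare equal to a numeric session id.
$mayEdit = ((string)$userID === (string)$id) || isAdmin();

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Every outcome other than a verified change counts as a failure.
    $status = "fail";

    if ($mayEdit) {
        $oldRaw = (isset($_POST['oldpassword']) && is_string($_POST['oldpassword'])) ? $_POST['oldpassword'] : '';
        $newRaw = (isset($_POST['newpassword']) && is_string($_POST['newpassword'])) ? $_POST['newpassword'] : '';
        $checkRaw = (isset($_POST['checkpassword']) && is_string($_POST['checkpassword'])) ? $_POST['checkpassword'] : '';

        // The values are escaped and then hashed, so the digest is of the escaped text.
        // Kept as-is so digests stay comparable with those already stored (presumably
        // produced the same way; confirm against the login code).
        // NOTE(review): unsalted MD5 is not a password-hashing function. Moving to
        // password_hash()/password_verify() needs a coordinated change to the login code
        // and to the stored values, so it is flagged here rather than changed.
        // NOTE(review): an empty new password is accepted; consider a minimum-length rule.
        $oldPassword = md5(mysql_real_escape_string($oldRaw));
        $newPassword = md5(mysql_real_escape_string($newRaw));
        $checkPassword = md5(mysql_real_escape_string($checkRaw));

        // Check the supplied old password against the stored one.
        $sql = "SELECT * FROM cr_users WHERE id = '$idSql'";
        $result = mysql_query($sql);
        if (!$result) {
            // Keep driver error text in the server log; do not send it to the browser.
            error_log('editPassword.php: ' . mysql_error());
            die('Error: database query failed');
        }
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
            // Strict comparison: with == two hex digests that both look like numbers
            // can compare equal although the strings differ.
            if (($oldPassword === $row['password']) || isAdmin()) {
                if ($newPassword === $checkPassword) {
                    $message = "Your password has been changed";
                    $status = "success";
                } else {
                    $message = "Please check both the new passwords match";
                    $status = "fail";
                }
            } else {
                $message = "Password incorrect, please try again";
                $status = "fail";
            }
            $firstname = $row['firstName'];
            $lastname = $row['lastName'];
        }

        if ($status == "success") {
            // Update the existing row rather than inserting a new one.
            $sql = "UPDATE cr_users SET password = '$newPassword' WHERE id = '$idSql'";
            if (!empty($debug)) insertStatistics("user",__FILE__,"pwd_change",$status);
            if (!mysql_query($sql)) {
                error_log('editPassword.php: ' . mysql_error());
                die('Error: database query failed');
            }
        }
    }
    // A POST from a user who is neither the owner nor an admin changes nothing here;
    // the template reports it through notifyAttack().
} else {
    // No POST -> edit mode: load the name shown above the form.
    $sql = "SELECT * FROM cr_users WHERE id = '$idSql'";
    $result = mysql_query($sql);
    if (!$result) {
        error_log('editPassword.php: ' . mysql_error());
        die('Error: database query failed');
    }
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    if ($row) {
        $firstname = $row['firstName'];
        $lastname = $row['lastName'];
    }
}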
include('includes/header.php');
?>
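<div class="elementBackground">
<h2>Edit password</h2>
<?php
// Render the form only for the account owner or an administrator; any other request is
// reported through notifyAttack(). The id comparison is strict on the string form so a
// non-numeric id from the query string cannot loosely equal a numeric session id.
// NOTE(review): this check only controls what is displayed. The code that writes the new
// password must enforce the same rule before it touches the database.
// NOTE(review): the form carries no anti-CSRF token; a per-session token emitted here and
// verified by the POST handler would close that gap.
if (((string)$userID === (string)$id) || (isAdmin())) {
?>
<p><?php echo isset($message) ? $message : ''; ?></p>
<form action="#" method="post" id="addUser">
<fieldset>
<?php
// Names come from the database and are user-editable data, so they are HTML-escaped
// before output. Assumes they are stored in the page's charset (confirm).
echo htmlspecialchars($firstname, ENT_QUOTES) . " " . htmlspecialchars($lastname, ENT_QUOTES) . "<br>";
?>
<label for="oldpassword" ><?php if (!isAdmin()) { echo "Old password:"; }?></label>
<input name="oldpassword" id="oldpassword" type="<?php echo isAdmin() ? 'hidden' : 'password'; ?>" />
<label for="newpassword">New password:</label>
<input name="newpassword" id="newpassword" type="password" />
<label for="checkpassword">Verify:</label>
<input id="checkpassword" name="checkpassword" type="password" />
<input type="submit" value="Edit Password" />
</fieldset>
</form>
<?php
} else {
    // Neither the owner nor an admin: record the attempt instead of showing the form.
    notifyAttack(__FILE__,"Password Change Attack",$userID);
    if (!empty($debug)) insertStatistics("system",__FILE__,"Password Change Attack");
}
?>
</div>
<div id="right">
<div class="item"><a href="addUser.php?action=edit&id=<?php echo urlencode($_SESSION['userid']); ?>">Edit my account</a></div>
</div>
<?php include('includes/footer.php'); ?>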