forked from science-ation/science-ation
Hash passwords in database without affecting program functionality
This commit is contained in:
parent
c6f9271654
commit
93554bd67a
@ -3397,9 +3397,9 @@ CREATE TABLE `users` (
|
||||
`lastname` varchar(32) NOT NULL DEFAULT '',
|
||||
`sex` enum('male','female') DEFAULT NULL,
|
||||
`username` varchar(128) NOT NULL DEFAULT '',
|
||||
`password` varchar(32) NOT NULL DEFAULT '',
|
||||
`password` varchar(60) NOT NULL DEFAULT '',
|
||||
`passwordset` date DEFAULT NULL,
|
||||
`oldpassword` varchar(32) NOT NULL,
|
||||
`oldpassword` varchar(60) NOT NULL,
|
||||
`email` varchar(128) NOT NULL DEFAULT '',
|
||||
`year` int(11) NOT NULL,
|
||||
`phonehome` varchar(32) NOT NULL DEFAULT '',
|
||||
@ -3432,9 +3432,8 @@ CREATE TABLE `users` (
|
||||
LOCK TABLES `users` WRITE;
|
||||
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
|
||||
INSERT INTO `users` VALUES
|
||||
(1,1,'fair','','','',NULL,'kvGbxRTM','5kyYcbBAmf4Y','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL),
|
||||
(2,2,'fair','','','',NULL,'k5HPLPGm','EUuqF2J5HbGD','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL),
|
||||
(3,3,'committee','','Superuser','Account',NULL,'contact@science-ation.ca','admin','2024-10-16','hpqSaPCggQes','contact@science-ation.ca',2025,'','','','','','0000-00-00','','2024-10-16 04:38:47','0000-00-00 00:00:00','','','','','','no','no','no',NULL);
|
||||
(1,1,'fair','','','',NULL,'kvGbxRTM','$2y$10$OYeIx.U53utmuzyZkVTqtukGB0ELi5piz62KtbaYj0uEPN7fD6NtS','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL),
|
||||
(2,2,'committee','','Superuser','Account',NULL,'contact@science-ation.ca','$2y$10$LlhOxjkJD3F0of.W75a4UuyiRci4PnPa8koxi4RknfSh38nxoYLXG','2024-10-16','','contact@science-ation.ca',2025,'','','','','','0000-00-00','','2024-10-16 04:38:47','0000-00-00 00:00:00','','','','','','no','no','no',NULL);
|
||||
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
|
||||
UNLOCK TABLES;
|
||||
|
||||
|
||||
@ -32,8 +32,8 @@ switch (get_value_from_array($_GET, 'action')) {
|
||||
case 'check':
|
||||
$fairs_id = intval($_GET['fairs_id']);
|
||||
|
||||
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
|
||||
$q->execute([$fairs_id]);
|
||||
$fair = $q->fetch(PDO::FETCH_ASSOC);
|
||||
if (!($fair['username'] && $fair['password'])) {
|
||||
echo error(i18n("Username and Password are not set for source '%1'. Please set them in the SFIAB Configuration/External Award Sources editor first", array($r->name)));
|
||||
@ -174,7 +174,7 @@ switch (get_value_from_array($_GET, 'action')) {
|
||||
AND year='$year'
|
||||
");
|
||||
$q->execute();
|
||||
echo $q->errorInfo();
|
||||
show_pdo_errors_if_any($pdo);
|
||||
|
||||
// update the prizes
|
||||
$prizes = $award['prizes'];
|
||||
|
||||
@ -30,7 +30,7 @@ user_auth_required('committee', 'admin');
|
||||
// function get_cwsf_award_winners()
|
||||
function get_winners($awardid, $fairs_id)
|
||||
{
|
||||
global $config;
|
||||
global $config, $pdo;
|
||||
|
||||
/* Mappings of the name we want => to the column name returned in MYSQL */
|
||||
$school_fields = array('schoolname' => 'school',
|
||||
@ -125,7 +125,7 @@ function get_winners($awardid, $fairs_id)
|
||||
awards_prizes_id='$pid' AND
|
||||
winners.year='{$config['FAIRYEAR']}'");
|
||||
$wq->execute();
|
||||
echo $pdo->erroInfo();
|
||||
show_pdo_errors_if_any($pdo);
|
||||
/* Get all projects assigned to this prize */
|
||||
$prizewinners = array();
|
||||
while ($project = $wq->fetch(PDO::FETCH_ASSOC)) {
|
||||
@ -185,7 +185,7 @@ function get_winners($awardid, $fairs_id)
|
||||
|
||||
function count_winners($awardid, $fairs_id)
|
||||
{
|
||||
global $config;
|
||||
global $config, $pdo;
|
||||
$count = 0;
|
||||
$awards = array();
|
||||
if ($awardid == -1) {
|
||||
@ -237,7 +237,7 @@ function count_winners($awardid, $fairs_id)
|
||||
|
||||
function load_server_cats_divs($fairs_id)
|
||||
{
|
||||
global $config;
|
||||
global $config, $pdo;
|
||||
|
||||
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
|
||||
$q->execute();
|
||||
@ -302,7 +302,7 @@ switch (get_value_from_array($_GET, 'action')) {
|
||||
|
||||
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
|
||||
$q->execute();
|
||||
$fair = $q->fetch(PDO::FETCH_ASSOC);;
|
||||
$fair = $q->fetch(PDO::FETCH_ASSOC);
|
||||
|
||||
echo '<br />';
|
||||
|
||||
|
||||
@ -27,14 +27,17 @@ require_once ('../user.inc.php');
|
||||
|
||||
function get_cwsf_award_winners()
|
||||
{
|
||||
global $config;
|
||||
global $config, $pdo;
|
||||
$winners = array();
|
||||
|
||||
$q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year='" . $config['FAIRYEAR'] . "'");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year=?");
|
||||
$q->execute([$config['FAIRYEAR']]);
|
||||
|
||||
if ($q->rowCount() == 1) {
|
||||
$award = $q->fetch(PDO::FETCH_OBJ);
|
||||
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$award->id'");
|
||||
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
|
||||
$pq->execute([$award->id]);
|
||||
|
||||
while ($prize = $pq->fetch(PDO::FETCH_OBJ)) {
|
||||
$wq = $pdo->prepare("SELECT
|
||||
projects.id,
|
||||
@ -50,16 +53,18 @@ function get_cwsf_award_winners()
|
||||
projects
|
||||
WHERE
|
||||
winners.projects_id=projects.id AND
|
||||
awards_prizes_id='$prize->id' AND
|
||||
winners.year='" . $config['FAIRYEAR'] . "'");
|
||||
$wq->execute();
|
||||
|
||||
awards_prizes_id=? AND
|
||||
winners.year=?");
|
||||
$wq->execute([$prize->id, $config['FAIRYEAR']]);
|
||||
show_pdo_errors_if_any($pdo);
|
||||
|
||||
while ($project = $wq->fetch(PDO::FETCH_OBJ)) {
|
||||
$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='$project->registrations_id' AND year='" . $config['FAIRYEAR'] . "'");
|
||||
$sq->execute();
|
||||
$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
|
||||
$sq->execute([$project->registrations_id, $config['FAIRYEAR']]);
|
||||
|
||||
$students = array();
|
||||
$cwsf_agecategory = 0;
|
||||
|
||||
while ($s = $sq->fetch(PDO::FETCH_OBJ)) {
|
||||
if ($s->grade >= 7 && $s->grade <= 8) {
|
||||
if ($cwsf_agecategory < 1)
|
||||
@ -122,8 +127,8 @@ echo '<br />';
|
||||
|
||||
if (count(get_value_from_array($_POST, 'cwsfdivision', []))) {
|
||||
foreach ($_POST['cwsfdivision'] AS $p => $d) {
|
||||
$q = $pdo->prepare("UPDATE projects SET cwsfdivisionid='$d' WHERE id='$p'");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("UPDATE projects SET cwsfdivisionid=? WHERE id=?");
|
||||
$q->execute([$d, $p]);
|
||||
}
|
||||
echo happy(i18n('CWSF Project Divisions saved'));
|
||||
}
|
||||
@ -178,8 +183,8 @@ if ($ysc_region_password == '') {
|
||||
}
|
||||
|
||||
if ($ok) {
|
||||
$q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year='" . $config['FAIRYEAR'] . "'");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year=?");
|
||||
$q->execute([$config['FAIRYEAR']]);
|
||||
if (!$q->rowCount()) {
|
||||
echo error(i18n('Cannot find an award that is specified as the Canada-Wide Science Fair Award'));
|
||||
echo i18n('Please go to the awards manager and select which award identifies your CWSF students');
|
||||
@ -248,8 +253,8 @@ if ($ok) {
|
||||
|
||||
echo '</td><td>';
|
||||
|
||||
$t = $q->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $winner['projectdivisions_id'] . "'");
|
||||
$t->execute();
|
||||
$t = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? AND id=?");
|
||||
$t->execute([$config['FAIRYEAR'], $winner['projectdivisions_id']]);
|
||||
$tr = $t->fetch(PDO::FETCH_OBJ);
|
||||
echo $tr->division;
|
||||
echo '<br />';
|
||||
|
||||
@ -11,15 +11,15 @@ while ($i = $q->fetch(PDO::FETCH_OBJ)) {
|
||||
echo "Autocompleting Judge {$i->email}<br />";
|
||||
$id = $i->id;
|
||||
|
||||
$p = generatePassword(12);
|
||||
$stmt = $pdo->prepare("UPDATE judges SET password='$p',complete='yes'");
|
||||
$stmt->execute();
|
||||
$p = password_hash(generatePassword(), PASSWORD_BCRYPT);
|
||||
$stmt = $pdo->prepare("UPDATE judges SET password=?,complete=?");
|
||||
$stmt->execute([$p, 'yes']);
|
||||
show_pdo_errors_if_any($pdo);
|
||||
$stmt = $pdo->prepare("DELETE FROM judges_years WHERE judges_id='$id'");
|
||||
$stmt->execute();
|
||||
$stmt = $pdo->prepare("DELETE FROM judges_years WHERE judges_id=?");
|
||||
$stmt->execute([$id]);
|
||||
show_pdo_errors_if_any($pdo);
|
||||
$stmt = $pdo->prepare("INSERT INTO judges_years (`judges_id`,`year`) VALUES ('$id','{$config['FAIRYEAR']}')");
|
||||
$stmt->execute();
|
||||
$stmt = $pdo->prepare("INSERT INTO judges_years (`judges_id`,`year`) VALUES (?, ?)");
|
||||
$stmt->execute([$id, $config['FAIRYEAR']]);
|
||||
show_pdo_errors_if_any($pdo);
|
||||
}
|
||||
|
||||
|
||||
@ -34,14 +34,15 @@ send_header('Invite Judges',
|
||||
'Judges' => 'admin/judges.php'));
|
||||
echo '<br />';
|
||||
if ($_POST['action'] == 'invite' && $_POST['email']) {
|
||||
$q = $pdo->prepare("SELECT id FROM judges WHERE email='" . $_POST['email'] . "'");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT id FROM judges WHERE email=?");
|
||||
$q->execute([$_POST['email']]);
|
||||
if ($q->rowCount()) {
|
||||
echo error(i18n('A judge already exists with that email address'));
|
||||
} else {
|
||||
$pass = generatePassword();
|
||||
$pdo->prepare("INSERT INTO judges (email,password) VALUES ('" . stripslashes($_POST['email'])) . "','$pass')";
|
||||
$pdo->execute();
|
||||
$hash = password_hash($pass, PASSWORD_BCRYPT);
|
||||
$stmt = $pdo->prepare("INSERT INTO judges (email,password) VALUES (?, ?)");
|
||||
$stmt->execute([$_POST['email'], $hash]);
|
||||
email_send('new_judge_invite', stripslashes($_POST['email']), array('FAIRNAME' => $config['fairname']), array('FAIRNAME' => $config['fairname'], 'EMAIL' => stripslashes($_POST['email']), 'PASSWORD' => $pass));
|
||||
|
||||
echo happy(i18n('%1 has been invited to be a judge', array($_POST['email'])));
|
||||
|
||||
@ -69,6 +69,7 @@ function report_student_get_cheque_date_format($report, $field, $text)
|
||||
|
||||
function report_student_safety_question($report, $field, $text)
|
||||
{
|
||||
global $pdo;
|
||||
/* Field is 'safetyquestion_x', registration_id is passed in $text */
|
||||
$q_ord = intval(substr($field, 15));
|
||||
$regid = $text;
|
||||
@ -90,6 +91,7 @@ function report_student_safety_question($report, $field, $text)
|
||||
|
||||
function reports_students_numstudents($report, $field, $text)
|
||||
{
|
||||
global $pdo;
|
||||
$year = $report['year'];
|
||||
$q = $pdo->prepare("SELECT students.id FROM students
|
||||
WHERE students.registrations_id='$text'
|
||||
@ -100,6 +102,7 @@ function reports_students_numstudents($report, $field, $text)
|
||||
|
||||
function reports_students_award_selfnom_num($report, $field, $text, $n)
|
||||
{
|
||||
global $pdo;
|
||||
$year = $report['year'];
|
||||
$q = $pdo->prepare("SELECT award_awards.name FROM
|
||||
projects
|
||||
|
||||
@ -73,7 +73,7 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
|
||||
if (get_value_from_array($i, 'principal_uid') > 0)
|
||||
$pl = user_load_by_uid($i['principal_uid']);
|
||||
else if ($first != '' && $last != '') {
|
||||
$pl = user_create('principal', "*$first$last" . user_generate_password());
|
||||
$pl = user_create('principal', "*$first$last" . generatePassword());
|
||||
$principal_update = "principal_uid='{$pl['uid']}',";
|
||||
} else
|
||||
$pl = false;
|
||||
@ -108,7 +108,7 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
|
||||
}
|
||||
$em = get_value_from_array($_POST, 'scienceheademail');
|
||||
if ($em == '' && ($first != '' || $last != ''))
|
||||
$em = "*$first$last" . user_generate_password();
|
||||
$em = "*$first$last" . generatePassword();
|
||||
|
||||
/*
|
||||
* Load existing record, or create new if there's something
|
||||
|
||||
@ -139,7 +139,7 @@ function students_save()
|
||||
$x = 1;
|
||||
while ($_POST['num'][$x]) {
|
||||
if ($_POST['id'][$x] == 0) {
|
||||
// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can school the school on their own.
|
||||
// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can choose the school on their own.
|
||||
if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
|
||||
$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'");
|
||||
$q->execute();
|
||||
@ -151,7 +151,7 @@ function students_save()
|
||||
}
|
||||
// INSERT new record
|
||||
$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
|
||||
$stmt->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
|
||||
$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
|
||||
. "'" . $registrations_id . "', "
|
||||
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
|
||||
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
|
||||
|
||||
@ -1120,20 +1120,8 @@ function email_send_new($to, $from, $subject, $body, $bodyhtml = '')
|
||||
send_footer();
|
||||
}
|
||||
|
||||
function generatePassword($pwlen = 8)
|
||||
{
|
||||
// these are good characters that are not easily confused with other characters :)
|
||||
$available = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
|
||||
$len = strlen($available) - 1;
|
||||
|
||||
$key = '';
|
||||
for ($x = 0; $x < $pwlen; $x++)
|
||||
$key .= $available[rand(0, $len)];
|
||||
return $key;
|
||||
}
|
||||
|
||||
// config specific warning
|
||||
function config_warnings() {}
|
||||
// config specific warning
|
||||
function config_warnings() {}
|
||||
|
||||
// admin specific warnings
|
||||
function admin_warnings() {}
|
||||
|
||||
@ -53,7 +53,7 @@ switch (get_value_from_array($_GET, 'action')) {
|
||||
$fairs_id = intval($u['fairs_id']);
|
||||
if ($fairs_id == 0) {
|
||||
$stmt = $pdo->prepare("INSERT INTO fairs ('id', 'name') VALUES('', 'new entry')");
|
||||
$stmt->execute([$id, $name]);
|
||||
$stmt->execute();
|
||||
$id = $pdo->lastInsertId();
|
||||
} else {
|
||||
$id = intval($fairs_id);
|
||||
@ -65,8 +65,8 @@ switch (get_value_from_array($_GET, 'action')) {
|
||||
$website = $pdo->quote($_POST['website']);
|
||||
|
||||
$type = array_key_exists($_POST['type'], $fair_type) ? $_POST['type'] : '';
|
||||
$username = $pdo->prepare(stripslashes($_POST['username']));
|
||||
$password = $pdo->prepare(stripslashes($_POST['password']));
|
||||
$username = $pdo->quote(stripslashes($_POST['username']));
|
||||
$password = $pdo->quote(stripslashes(password_hash($_POST['password'], PASSWORD_BCRYPT)));
|
||||
|
||||
$enable_stats = ($_POST['enable_stats'] == 'yes') ? 'yes' : 'no';
|
||||
$enable_awards = ($_POST['enable_awards'] == 'yes') ? 'yes' : 'no';
|
||||
|
||||
10
remote.php
10
remote.php
@ -492,20 +492,20 @@ if ($u == false) {
|
||||
}
|
||||
if (!is_array($u) || $u['password'] == '') {
|
||||
$response['error'] = 1;
|
||||
$response['message'] = 'Authentication Failed2';
|
||||
$response['message'] = 'Authentication Failed';
|
||||
echo json_encode($response);
|
||||
exit;
|
||||
}
|
||||
|
||||
if ($u['password'] != $password) {
|
||||
if (!password_verify($password, $u['password'])) {
|
||||
$response['error'] = 1;
|
||||
$response['message'] = 'Authentication Failed3';
|
||||
$response['message'] = 'Authentication Failed';
|
||||
echo json_encode($response);
|
||||
exit;
|
||||
}
|
||||
|
||||
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$u['fairs_id']}'");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='?'");
|
||||
$q->execute([$u['fairs_id']]);
|
||||
$fair = $q->fetch(PDO::FETCH_ASSOC);
|
||||
|
||||
$response = array();
|
||||
|
||||
@ -38,7 +38,7 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
|
||||
list($first, $last) = explode(' ', $_POST['sciencehead'], 2);
|
||||
$em = $_POST['scienceheademail'];
|
||||
if ($em == '' && ($first != '' || $last != ''))
|
||||
$em = "*$first$last" . user_generate_password();
|
||||
$em = "*$first$last" . generatePassword();
|
||||
|
||||
/*
|
||||
* Load existing record, or create new if there's something
|
||||
|
||||
@ -33,6 +33,7 @@ require_once ('../config_editor.inc.php');
|
||||
|
||||
function roll($currentfairyear, $newfairyear, $table, $fields)
|
||||
{
|
||||
global $pdo;
|
||||
$q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear'");
|
||||
$q->execute();
|
||||
show_pdo_errors_if_any($pdo);
|
||||
|
||||
@ -76,7 +76,7 @@
|
||||
echo " <th>".i18n("Action")."</th>";
|
||||
echo "</tr>\n";
|
||||
$total=0;
|
||||
while($sr=$sq->fetch(PDO::FETCH-OBJ)) {
|
||||
while($sr=$sq->fetch(PDO::FETCH_OBJ)) {
|
||||
echo "<tr id=\"donations_$sr->id\" class=\"fundraising{$sr->status}\">";
|
||||
echo "<td>$sr->name</td>\n";
|
||||
echo "<td>$sr->status</td>";
|
||||
|
||||
44
user.inc.php
44
user.inc.php
@ -54,14 +54,10 @@ function user_valid_type($type)
|
||||
return true;
|
||||
}
|
||||
|
||||
/*
|
||||
* Duplicate of common.inc.php:generatePassword, which will be deleted
|
||||
* eventually when ALL users are handled through this file
|
||||
*/
|
||||
function user_generate_password($pwlen = 8)
|
||||
|
||||
function generatePassword($pwlen = 16)
|
||||
{
|
||||
// these are good characters that are not easily confused with other characters :)
|
||||
$available = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
|
||||
$available = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
|
||||
$len = strlen($available) - 1;
|
||||
|
||||
$key = '';
|
||||
@ -69,7 +65,6 @@ function user_generate_password($pwlen = 8)
|
||||
$key .= $available[rand(0, $len)];
|
||||
return $key;
|
||||
}
|
||||
|
||||
/*
|
||||
* Separate user_load_type functions, these could make additional database
|
||||
* calls if required
|
||||
@ -92,6 +87,7 @@ function user_load_student(&$u)
|
||||
|
||||
function user_load_judge(&$u)
|
||||
{
|
||||
global $pdo;
|
||||
$u['judge_active'] = ($u['judge_active'] == 'yes') ? 'yes' : 'no';
|
||||
$u['judge_complete'] = ($u['judge_complete'] == 'yes') ? 'yes' : 'no';
|
||||
$u['years_school'] = intval($u['years_school']);
|
||||
@ -318,6 +314,7 @@ function user_load_by_uid($uid)
|
||||
|
||||
function user_load_by_email($email)
|
||||
{
|
||||
global $pdo;
|
||||
/* Find the most recent uid for the email, regardless of deleted status */
|
||||
$e = $email;
|
||||
$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
|
||||
@ -331,8 +328,9 @@ function user_load_by_email($email)
|
||||
|
||||
function user_load_by_uid_year($uid, $year)
|
||||
{
|
||||
$q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'");
|
||||
$q->execute();
|
||||
global $pdo;
|
||||
$q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <= ?");
|
||||
$q->execute([$uid, $year]);
|
||||
if (!$q->rowCount())
|
||||
return false;
|
||||
$i = $q->fetch(PDO::FETCH_ASSOC);
|
||||
@ -345,11 +343,11 @@ function user_set_password($id, $password = NULL)
|
||||
/* pass $u by reference so we can update it */
|
||||
$save_old = false;
|
||||
if ($password == NULL) {
|
||||
$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
|
||||
$q->execute([$id]);
|
||||
$u = $q->fetch(PDO::FETCH_ASSOC);
|
||||
/* Generate a new password */
|
||||
$password = user_generate_password(12);
|
||||
$password = generatePassword();
|
||||
/* save the old password only if it's not an auto-generated one */
|
||||
if ($u['passwordset'] != '0000-00-00')
|
||||
$save_old = true;
|
||||
@ -362,10 +360,12 @@ function user_set_password($id, $password = NULL)
|
||||
}
|
||||
|
||||
$p = $password;
|
||||
$set = ($save_old == true) ? 'oldpassword=password, ' : '';
|
||||
$set .= "password='$p', passwordset=$save_set ";
|
||||
|
||||
$query = "UPDATE users SET $set WHERE id='$id'";
|
||||
$set = ($save_old == true) ? 'oldpassword=password, ' : '';
|
||||
$set .= "password='" . password_hash($p, PASSWORD_BCRYPT) . "', passwordset=$save_set ";
|
||||
|
||||
////FIXME This one may be tricky
|
||||
$query = "UPDATE users SET $set WHERE id=$id";
|
||||
$stmt = $pdo->prepare($query);
|
||||
$stmt->execute();
|
||||
show_pdo_errors_if_any($pdo);
|
||||
@ -474,8 +474,8 @@ function user_save(&$u)
|
||||
exit;
|
||||
}
|
||||
// give em a record, the primary key on the table takes care of uniqueness
|
||||
$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES (?)");
|
||||
$q->execute([$u['id']]);
|
||||
}
|
||||
|
||||
$fields = array('salutation', 'firstname', 'lastname', 'username',
|
||||
@ -503,13 +503,14 @@ function user_save(&$u)
|
||||
// print_r($u);
|
||||
// echo "</pre>";
|
||||
if ($set != '') {
|
||||
$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
|
||||
$query = "UPDATE users SET $set WHERE id=?";
|
||||
$stmt = $pdo->prepare($query);
|
||||
$stmt->execute();
|
||||
$stmt->execute([$u['id']]);
|
||||
// echo "query=[$query]";
|
||||
show_pdo_errors_if_any($pdo);
|
||||
}
|
||||
|
||||
|
||||
/* Save the password if it changed */
|
||||
if ($u['password'] != $u['orig']['password'])
|
||||
user_set_password($u['id'], $u['password']);
|
||||
@ -811,14 +812,15 @@ function user_create($type, $username, $u = NULL)
|
||||
$stmt->execute();
|
||||
show_pdo_errors_if_any($pdo);
|
||||
$uid = $pdo->lastInsertId();
|
||||
|
||||
if (user_valid_email($username)) {
|
||||
$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
|
||||
$stmt->execute();
|
||||
}
|
||||
|
||||
$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
|
||||
$stmt->execute();
|
||||
show_pdo_errors_if_any($pdo);
|
||||
user_set_password($uid, NULL);
|
||||
|
||||
/*
|
||||
* Since the user already has a type, user_save won't create this
|
||||
|
||||
@ -196,11 +196,14 @@ if (get_value_from_array($_POST, 'action', '') && get_value_from_array($_POST, '
|
||||
$u = user_create($type, $email);
|
||||
$u['email'] = $email;
|
||||
user_save($u);
|
||||
|
||||
$password = user_set_password($u['id'], NULL);
|
||||
|
||||
email_send("{$type}_new_invite", $u['email'],
|
||||
array('FAIRNAME' => $config['fairname']),
|
||||
array('FAIRNAME' => $config['fairname'],
|
||||
'EMAIL' => $u['email'],
|
||||
'PASSWORD' => $u['password']));
|
||||
'PASSWORD' => $password));
|
||||
echo happy(i18n('%1 has been invited to be a %2', array($u['email'], $user_what[$type])));
|
||||
echo happy(i18n('An email has been sent to %1', array($u['email'])));
|
||||
break;
|
||||
|
||||
@ -41,21 +41,13 @@ function try_login($user, $pass)
|
||||
* in the username field
|
||||
*/
|
||||
|
||||
/*
|
||||
* FIXME: this should be user_valid_email, but can't be yet, because
|
||||
* we copy the usernames from the email field, and that field may
|
||||
* contain a name too
|
||||
*/
|
||||
if (!isEmailAddress($user)) {
|
||||
/* See if the user email or username is valid */
|
||||
if (!user_valid_email($user) || !user_valid_user($user)) {
|
||||
/* It's possible that it's a username */
|
||||
if (!user_valid_user($user))
|
||||
return false;
|
||||
return false;
|
||||
}
|
||||
|
||||
// we cannot check for a valid_password here, because converted users dont enforce password length of 6 which user_valid_password does.
|
||||
// all we can do is check if its a length >0
|
||||
// $x = user_valid_password($pass);
|
||||
if (!strlen($pass))
|
||||
|
||||
if (!user_valid_password($pass))
|
||||
return false;
|
||||
|
||||
$q = $pdo->prepare("SELECT id, username, password, year, deleted
|
||||
@ -65,8 +57,8 @@ function try_login($user, $pass)
|
||||
ORDER BY year DESC LIMIT 1");
|
||||
|
||||
$q->bindParam(':username', $user, PDO::PARAM_STR);
|
||||
|
||||
$q->execute();
|
||||
|
||||
if ($q->rowCount() < 1)
|
||||
return false;
|
||||
|
||||
@ -77,11 +69,11 @@ function try_login($user, $pass)
|
||||
if ($r->deleted == 'yes')
|
||||
return false;
|
||||
|
||||
/* See if the password matches */
|
||||
// ///// FIXME Use hash passwords
|
||||
|
||||
if ($r->password != $pass)
|
||||
/* See if the password matches */
|
||||
if (!password_verify($pass, $r->password)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Login successful */
|
||||
return $r->id;
|
||||
@ -246,8 +238,8 @@ if (get_value_from_array($_POST, 'action') == 'login') {
|
||||
}
|
||||
|
||||
$q = $pdo->prepare("UPDATE users SET lastlogin=NOW()
|
||||
WHERE id={$u['id']}");
|
||||
$q->execute();
|
||||
WHERE id=?");
|
||||
$q->execute([$u['id']]);
|
||||
|
||||
/*
|
||||
* Setup multirole so a multirole user can switch if they want to
|
||||
@ -352,16 +344,17 @@ if (get_value_from_array($_POST, 'action') == 'login') {
|
||||
if (user_valid_email($email)) {
|
||||
/* valid email address */
|
||||
$e = $email;
|
||||
$q = $pdo->prepare("SELECT * FROM users WHERE (username='$e' OR email='$e') ORDER BY year DESC LIMIT 1");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT * FROM users WHERE (username=? OR email=?) ORDER BY year DESC LIMIT 1");
|
||||
$q->execute([$e, $e]);
|
||||
$r = $q->fetch(PDO::FETCH_OBJ);
|
||||
|
||||
if ($r) {
|
||||
$fn = trim($_POST['fn']);
|
||||
$ln = trim($_POST['ln']);
|
||||
|
||||
/* Check name match */
|
||||
if (strcasecmp($r->firstname, $fn) != 0 || strcasecmp($r->lastname, $ln) != 0) {
|
||||
message_push(error(i18n('The name you entered does not match the one in your account')));
|
||||
message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.')));
|
||||
header("Location: user_login.php?type=$type");
|
||||
exit;
|
||||
}
|
||||
@ -369,6 +362,7 @@ if (get_value_from_array($_POST, 'action') == 'login') {
|
||||
/* Reset the password, and force it to expire */
|
||||
$password = user_set_password($r->id, NULL);
|
||||
|
||||
|
||||
/* volunteer_recover_password, judge_recover_password, student_recover_password,
|
||||
committee_recover_password */
|
||||
email_send("{$type}_recover_password",
|
||||
@ -377,11 +371,11 @@ if (get_value_from_array($_POST, 'action') == 'login') {
|
||||
array('PASSWORD' => $password,
|
||||
'EMAIL' => $email));
|
||||
|
||||
message_push(notice(i18n('Your password has been sent to your email address')));
|
||||
message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.')));
|
||||
header("Location: user_login.php?type=$type");
|
||||
exit;
|
||||
} else {
|
||||
message_push(error(i18n('Could not find your email address for recovery')));
|
||||
message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.')));
|
||||
header("Location: user_login.php?type=$type");
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -124,8 +124,8 @@ switch ($action) {
|
||||
}
|
||||
|
||||
/* See if this email already exists */
|
||||
$q = $pdo->prepare("SELECT id,types,MAX(year) AS year,deleted FROM users WHERE (email='$sql_email' OR username='$sql_email' )");
|
||||
$q->execute();
|
||||
$q = $pdo->prepare("SELECT id,types,MAX(year) AS year,deleted FROM users WHERE (email=? OR username=? )");
|
||||
$q->execute([$sql_email, $sql_email]);
|
||||
// select *, max(year) from users where username=sql_email
|
||||
// if deleted and year = current yera - just undelete
|
||||
// if deleted and year != current yera - proceed normally and recreate the user
|
||||
|
||||
@ -62,11 +62,11 @@ $password_expiry_days = get_value_from_array($config, "{$type}_password_expiry_d
|
||||
if (get_value_from_array($_POST, 'action') == 'save') {
|
||||
$pass = $_POST['pass1'];
|
||||
// first, lets see if they choosed the same password again (bad bad bad)
|
||||
$q = $pdo->prepare("SELECT password FROM users WHERE
|
||||
id='{$_SESSION['users_id']}'
|
||||
AND password='$pass'");
|
||||
$q->execute();
|
||||
if ($q->rowCount())
|
||||
$q = $pdo->prepare("SELECT password FROM users WHERE id=?");
|
||||
$q->execute([$_SESSION['users_id']]);
|
||||
$hash = $q->fetch(PDO::FETCH_ASSOC)['password'];
|
||||
|
||||
if (password_verify($pass, $hash))
|
||||
message_push(error(i18n('You cannot choose the same password again. Please choose a different password')));
|
||||
else if (!$_POST['pass1'])
|
||||
message_push(error(i18n('New Password is required')));
|
||||
|
||||
@ -40,7 +40,6 @@ $user_personal_fields = array(
|
||||
'lastname' => array('name' => 'Last Name'),
|
||||
'email' => array('name' => 'Email Address'),
|
||||
'username' => array('name' => 'Username'),
|
||||
'password' => array('name' => 'Password'),
|
||||
'address' => array('name' => 'Address 1'),
|
||||
'address2' => array('name' => 'Address 2'),
|
||||
'city' => array('name' => 'City'),
|
||||
@ -98,12 +97,6 @@ foreach ($u['types'] as $t) {
|
||||
user_personal_required_fields($t));
|
||||
}
|
||||
|
||||
if (committee_auth_has_access('super')) {
|
||||
/* If the editer is super, let them see/edit/save the user/pass */
|
||||
$fields[] = 'username';
|
||||
$fields[] = 'password';
|
||||
}
|
||||
|
||||
switch (get_value_from_array($_GET, 'action')) {
|
||||
case 'save':
|
||||
$users_id = intval($_POST['users_id']);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user