From 93554bd67a76322db6eb455c5abed832b557303e Mon Sep 17 00:00:00 2001 From: patrick Date: Sat, 1 Feb 2025 22:04:28 +0000 Subject: [PATCH] Hash passwords in database without affecting program functionality --- .devcontainer/science-ation-blank-generic.sql | 9 ++-- admin/award_download.php | 6 +-- admin/award_upload.php | 10 ++--- admin/cwsfregister.php | 37 +++++++++------- admin/fix_judges_autocomplete.php | 14 +++--- admin/judges_invite.php | 9 ++-- admin/reports_students.inc.php | 3 ++ admin/schools.php | 4 +- admin/student_editor.php | 4 +- common.inc.php | 16 +------ fair_info.php | 6 +-- remote.php | 10 ++--- schoolaccess.php | 2 +- scripts/rolloverschools.php | 1 + sponsor_main.php | 2 +- user.inc.php | 44 ++++++++++--------- user_invite.php | 5 ++- user_login.php | 42 ++++++++---------- user_new.php | 4 +- user_password.php | 10 ++--- user_personal.php | 7 --- 21 files changed, 117 insertions(+), 128 deletions(-) diff --git a/.devcontainer/science-ation-blank-generic.sql b/.devcontainer/science-ation-blank-generic.sql index 60401a9d..30b146c8 100644 --- a/.devcontainer/science-ation-blank-generic.sql +++ b/.devcontainer/science-ation-blank-generic.sql @@ -3397,9 +3397,9 @@ CREATE TABLE `users` ( `lastname` varchar(32) NOT NULL DEFAULT '', `sex` enum('male','female') DEFAULT NULL, `username` varchar(128) NOT NULL DEFAULT '', - `password` varchar(32) NOT NULL DEFAULT '', + `password` varchar(60) NOT NULL DEFAULT '', `passwordset` date DEFAULT NULL, - `oldpassword` varchar(32) NOT NULL, + `oldpassword` varchar(60) NOT NULL, `email` varchar(128) NOT NULL DEFAULT '', `year` int(11) NOT NULL, `phonehome` varchar(32) NOT NULL DEFAULT '', @@ -3432,9 +3432,8 @@ CREATE TABLE `users` ( LOCK TABLES `users` WRITE; /*!40000 ALTER TABLE `users` DISABLE KEYS */; INSERT INTO `users` VALUES -(1,1,'fair','','','',NULL,'kvGbxRTM','5kyYcbBAmf4Y','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL), -(2,2,'fair','','','',NULL,'k5HPLPGm','EUuqF2J5HbGD','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL), -(3,3,'committee','','Superuser','Account',NULL,'contact@science-ation.ca','admin','2024-10-16','hpqSaPCggQes','contact@science-ation.ca',2025,'','','','','','0000-00-00','','2024-10-16 04:38:47','0000-00-00 00:00:00','','','','','','no','no','no',NULL); +(1,1,'fair','','','',NULL,'kvGbxRTM','$2y$10$OYeIx.U53utmuzyZkVTqtukGB0ELi5piz62KtbaYj0uEPN7fD6NtS','0000-00-00','','',2025,'','','','','','0000-00-00','','2009-10-22 12:56:09','0000-00-00 00:00:00','','','','','','no','no','no',NULL), +(2,2,'committee','','Superuser','Account',NULL,'contact@science-ation.ca','$2y$10$LlhOxjkJD3F0of.W75a4UuyiRci4PnPa8koxi4RknfSh38nxoYLXG','2024-10-16','','contact@science-ation.ca',2025,'','','','','','0000-00-00','','2024-10-16 04:38:47','0000-00-00 00:00:00','','','','','','no','no','no',NULL); /*!40000 ALTER TABLE `users` ENABLE KEYS */; UNLOCK TABLES; diff --git a/admin/award_download.php b/admin/award_download.php index a513bc2f..dbbd6830 100644 --- a/admin/award_download.php +++ b/admin/award_download.php @@ -32,8 +32,8 @@ switch (get_value_from_array($_GET, 'action')) { case 'check': $fairs_id = intval($_GET['fairs_id']); - $q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fairs WHERE id=?"); + $q->execute([$fairs_id]); $fair = $q->fetch(PDO::FETCH_ASSOC); if (!($fair['username'] && $fair['password'])) { echo error(i18n("Username and Password are not set for source '%1'. Please set them in the SFIAB Configuration/External Award Sources editor first", array($r->name))); @@ -174,7 +174,7 @@ switch (get_value_from_array($_GET, 'action')) { AND year='$year' "); $q->execute(); - echo $q->errorInfo(); + show_pdo_errors_if_any($pdo); // update the prizes $prizes = $award['prizes']; diff --git a/admin/award_upload.php b/admin/award_upload.php index aa3f7bd7..e3dbc762 100644 --- a/admin/award_upload.php +++ b/admin/award_upload.php @@ -30,7 +30,7 @@ user_auth_required('committee', 'admin'); // function get_cwsf_award_winners() function get_winners($awardid, $fairs_id) { - global $config; + global $config, $pdo; /* Mappings of the name we want => to the column name returned in MYSQL */ $school_fields = array('schoolname' => 'school', @@ -125,7 +125,7 @@ function get_winners($awardid, $fairs_id) awards_prizes_id='$pid' AND winners.year='{$config['FAIRYEAR']}'"); $wq->execute(); - echo $pdo->erroInfo(); + show_pdo_errors_if_any($pdo); /* Get all projects assigned to this prize */ $prizewinners = array(); while ($project = $wq->fetch(PDO::FETCH_ASSOC)) { @@ -185,7 +185,7 @@ function get_winners($awardid, $fairs_id) function count_winners($awardid, $fairs_id) { - global $config; + global $config, $pdo; $count = 0; $awards = array(); if ($awardid == -1) { @@ -237,7 +237,7 @@ function count_winners($awardid, $fairs_id) function load_server_cats_divs($fairs_id) { - global $config; + global $config, $pdo; $q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'"); $q->execute(); @@ -302,7 +302,7 @@ switch (get_value_from_array($_GET, 'action')) { $q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'"); $q->execute(); - $fair = $q->fetch(PDO::FETCH_ASSOC);; + $fair = $q->fetch(PDO::FETCH_ASSOC); echo '
'; diff --git a/admin/cwsfregister.php b/admin/cwsfregister.php index 04c55a17..f03f44a2 100644 --- a/admin/cwsfregister.php +++ b/admin/cwsfregister.php @@ -27,14 +27,17 @@ require_once ('../user.inc.php'); function get_cwsf_award_winners() { - global $config; + global $config, $pdo; $winners = array(); - $q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year=?"); + $q->execute([$config['FAIRYEAR']]); + if ($q->rowCount() == 1) { $award = $q->fetch(PDO::FETCH_OBJ); - $pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$award->id'"); + $pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?"); + $pq->execute([$award->id]); + while ($prize = $pq->fetch(PDO::FETCH_OBJ)) { $wq = $pdo->prepare("SELECT projects.id, @@ -50,16 +53,18 @@ function get_cwsf_award_winners() projects WHERE winners.projects_id=projects.id AND - awards_prizes_id='$prize->id' AND - winners.year='" . $config['FAIRYEAR'] . "'"); - $wq->execute(); - + awards_prizes_id=? AND + winners.year=?"); + $wq->execute([$prize->id, $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); + while ($project = $wq->fetch(PDO::FETCH_OBJ)) { - $sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='$project->registrations_id' AND year='" . $config['FAIRYEAR'] . "'"); - $sq->execute(); + $sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); + $sq->execute([$project->registrations_id, $config['FAIRYEAR']]); + $students = array(); $cwsf_agecategory = 0; + while ($s = $sq->fetch(PDO::FETCH_OBJ)) { if ($s->grade >= 7 && $s->grade <= 8) { if ($cwsf_agecategory < 1) @@ -122,8 +127,8 @@ echo '
'; if (count(get_value_from_array($_POST, 'cwsfdivision', []))) { foreach ($_POST['cwsfdivision'] AS $p => $d) { - $q = $pdo->prepare("UPDATE projects SET cwsfdivisionid='$d' WHERE id='$p'"); - $q->execute(); + $q = $pdo->prepare("UPDATE projects SET cwsfdivisionid=? WHERE id=?"); + $q->execute([$d, $p]); } echo happy(i18n('CWSF Project Divisions saved')); } @@ -178,8 +183,8 @@ if ($ysc_region_password == '') { } if ($ok) { - $q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE cwsfaward='1' AND year=?"); + $q->execute([$config['FAIRYEAR']]); if (!$q->rowCount()) { echo error(i18n('Cannot find an award that is specified as the Canada-Wide Science Fair Award')); echo i18n('Please go to the awards manager and select which award identifies your CWSF students'); @@ -248,8 +253,8 @@ if ($ok) { echo ''; - $t = $q->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $winner['projectdivisions_id'] . "'"); - $t->execute(); + $t = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? AND id=?"); + $t->execute([$config['FAIRYEAR'], $winner['projectdivisions_id']]); $tr = $t->fetch(PDO::FETCH_OBJ); echo $tr->division; echo '
'; diff --git a/admin/fix_judges_autocomplete.php b/admin/fix_judges_autocomplete.php index 51eaca70..91a839ac 100644 --- a/admin/fix_judges_autocomplete.php +++ b/admin/fix_judges_autocomplete.php @@ -11,15 +11,15 @@ while ($i = $q->fetch(PDO::FETCH_OBJ)) { echo "Autocompleting Judge {$i->email}
"; $id = $i->id; - $p = generatePassword(12); - $stmt = $pdo->prepare("UPDATE judges SET password='$p',complete='yes'"); - $stmt->execute(); + $p = password_hash(generatePassword(), PASSWORD_BCRYPT); + $stmt = $pdo->prepare("UPDATE judges SET password=?,complete=?"); + $stmt->execute([$p, 'yes']); show_pdo_errors_if_any($pdo); - $stmt = $pdo->prepare("DELETE FROM judges_years WHERE judges_id='$id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_years WHERE judges_id=?"); + $stmt->execute([$id]); show_pdo_errors_if_any($pdo); - $stmt = $pdo->prepare("INSERT INTO judges_years (`judges_id`,`year`) VALUES ('$id','{$config['FAIRYEAR']}')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_years (`judges_id`,`year`) VALUES (?, ?)"); + $stmt->execute([$id, $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); } diff --git a/admin/judges_invite.php b/admin/judges_invite.php index b81f2e5f..ddfd3443 100644 --- a/admin/judges_invite.php +++ b/admin/judges_invite.php @@ -34,14 +34,15 @@ send_header('Invite Judges', 'Judges' => 'admin/judges.php')); echo '
'; if ($_POST['action'] == 'invite' && $_POST['email']) { - $q = $pdo->prepare("SELECT id FROM judges WHERE email='" . $_POST['email'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM judges WHERE email=?"); + $q->execute([$_POST['email']]); if ($q->rowCount()) { echo error(i18n('A judge already exists with that email address')); } else { $pass = generatePassword(); - $pdo->prepare("INSERT INTO judges (email,password) VALUES ('" . stripslashes($_POST['email'])) . "','$pass')"; - $pdo->execute(); + $hash = password_hash($pass, PASSWORD_BCRYPT); + $stmt = $pdo->prepare("INSERT INTO judges (email,password) VALUES (?, ?)"); + $stmt->execute([$_POST['email'], $hash]); email_send('new_judge_invite', stripslashes($_POST['email']), array('FAIRNAME' => $config['fairname']), array('FAIRNAME' => $config['fairname'], 'EMAIL' => stripslashes($_POST['email']), 'PASSWORD' => $pass)); echo happy(i18n('%1 has been invited to be a judge', array($_POST['email']))); diff --git a/admin/reports_students.inc.php b/admin/reports_students.inc.php index de98d63a..55398d64 100644 --- a/admin/reports_students.inc.php +++ b/admin/reports_students.inc.php @@ -69,6 +69,7 @@ function report_student_get_cheque_date_format($report, $field, $text) function report_student_safety_question($report, $field, $text) { + global $pdo; /* Field is 'safetyquestion_x', registration_id is passed in $text */ $q_ord = intval(substr($field, 15)); $regid = $text; @@ -90,6 +91,7 @@ function report_student_safety_question($report, $field, $text) function reports_students_numstudents($report, $field, $text) { + global $pdo; $year = $report['year']; $q = $pdo->prepare("SELECT students.id FROM students WHERE students.registrations_id='$text' @@ -100,6 +102,7 @@ function reports_students_numstudents($report, $field, $text) function reports_students_award_selfnom_num($report, $field, $text, $n) { + global $pdo; $year = $report['year']; $q = $pdo->prepare("SELECT award_awards.name FROM projects diff --git a/admin/schools.php b/admin/schools.php index 008984f9..93df26f0 100644 --- a/admin/schools.php +++ b/admin/schools.php @@ -73,7 +73,7 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS if (get_value_from_array($i, 'principal_uid') > 0) $pl = user_load_by_uid($i['principal_uid']); else if ($first != '' && $last != '') { - $pl = user_create('principal', "*$first$last" . user_generate_password()); + $pl = user_create('principal', "*$first$last" . generatePassword()); $principal_update = "principal_uid='{$pl['uid']}',"; } else $pl = false; @@ -108,7 +108,7 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS } $em = get_value_from_array($_POST, 'scienceheademail'); if ($em == '' && ($first != '' || $last != '')) - $em = "*$first$last" . user_generate_password(); + $em = "*$first$last" . generatePassword(); /* * Load existing record, or create new if there's something diff --git a/admin/student_editor.php b/admin/student_editor.php index 762252bb..014f9ffd 100644 --- a/admin/student_editor.php +++ b/admin/student_editor.php @@ -139,7 +139,7 @@ function students_save() $x = 1; while ($_POST['num'][$x]) { if ($_POST['id'][$x] == 0) { - // if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can school the school on their own. + // if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can choose the school on their own. if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') { $q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'"); $q->execute(); @@ -151,7 +151,7 @@ function students_save() } // INSERT new record $dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x]; - $stmt->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (' + $stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (' . "'" . $registrations_id . "', " . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', " . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', " diff --git a/common.inc.php b/common.inc.php index bca42e98..ea1acf98 100644 --- a/common.inc.php +++ b/common.inc.php @@ -1120,20 +1120,8 @@ function email_send_new($to, $from, $subject, $body, $bodyhtml = '') send_footer(); } - function generatePassword($pwlen = 8) - { - // these are good characters that are not easily confused with other characters :) - $available = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'; - $len = strlen($available) - 1; - - $key = ''; - for ($x = 0; $x < $pwlen; $x++) - $key .= $available[rand(0, $len)]; - return $key; - } - - // config specific warning - function config_warnings() {} +// config specific warning +function config_warnings() {} // admin specific warnings function admin_warnings() {} diff --git a/fair_info.php b/fair_info.php index e387698e..30486d52 100644 --- a/fair_info.php +++ b/fair_info.php @@ -53,7 +53,7 @@ switch (get_value_from_array($_GET, 'action')) { $fairs_id = intval($u['fairs_id']); if ($fairs_id == 0) { $stmt = $pdo->prepare("INSERT INTO fairs ('id', 'name') VALUES('', 'new entry')"); - $stmt->execute([$id, $name]); + $stmt->execute(); $id = $pdo->lastInsertId(); } else { $id = intval($fairs_id); @@ -65,8 +65,8 @@ switch (get_value_from_array($_GET, 'action')) { $website = $pdo->quote($_POST['website']); $type = array_key_exists($_POST['type'], $fair_type) ? $_POST['type'] : ''; - $username = $pdo->prepare(stripslashes($_POST['username'])); - $password = $pdo->prepare(stripslashes($_POST['password'])); + $username = $pdo->quote(stripslashes($_POST['username'])); + $password = $pdo->quote(stripslashes(password_hash($_POST['password'], PASSWORD_BCRYPT))); $enable_stats = ($_POST['enable_stats'] == 'yes') ? 'yes' : 'no'; $enable_awards = ($_POST['enable_awards'] == 'yes') ? 'yes' : 'no'; diff --git a/remote.php b/remote.php index 7c3e36e3..71310813 100644 --- a/remote.php +++ b/remote.php @@ -492,20 +492,20 @@ if ($u == false) { } if (!is_array($u) || $u['password'] == '') { $response['error'] = 1; - $response['message'] = 'Authentication Failed2'; + $response['message'] = 'Authentication Failed'; echo json_encode($response); exit; } -if ($u['password'] != $password) { +if (!password_verify($password, $u['password'])) { $response['error'] = 1; - $response['message'] = 'Authentication Failed3'; + $response['message'] = 'Authentication Failed'; echo json_encode($response); exit; } -$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$u['fairs_id']}'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM fairs WHERE id='?'"); +$q->execute([$u['fairs_id']]); $fair = $q->fetch(PDO::FETCH_ASSOC); $response = array(); diff --git a/schoolaccess.php b/schoolaccess.php index 89111aa3..19da60e4 100644 --- a/schoolaccess.php +++ b/schoolaccess.php @@ -38,7 +38,7 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode'] list($first, $last) = explode(' ', $_POST['sciencehead'], 2); $em = $_POST['scienceheademail']; if ($em == '' && ($first != '' || $last != '')) - $em = "*$first$last" . user_generate_password(); + $em = "*$first$last" . generatePassword(); /* * Load existing record, or create new if there's something diff --git a/scripts/rolloverschools.php b/scripts/rolloverschools.php index cc4857a0..7537e296 100644 --- a/scripts/rolloverschools.php +++ b/scripts/rolloverschools.php @@ -33,6 +33,7 @@ require_once ('../config_editor.inc.php'); function roll($currentfairyear, $newfairyear, $table, $fields) { + global $pdo; $q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear'"); $q->execute(); show_pdo_errors_if_any($pdo); diff --git a/sponsor_main.php b/sponsor_main.php index 0dcb3eb6..857cd3ff 100644 --- a/sponsor_main.php +++ b/sponsor_main.php @@ -76,7 +76,7 @@ echo " ".i18n("Action").""; echo "\n"; $total=0; - while($sr=$sq->fetch(PDO::FETCH-OBJ)) { + while($sr=$sq->fetch(PDO::FETCH_OBJ)) { echo "id\" class=\"fundraising{$sr->status}\">"; echo "$sr->name\n"; echo "$sr->status"; diff --git a/user.inc.php b/user.inc.php index d51616dd..968f9562 100644 --- a/user.inc.php +++ b/user.inc.php @@ -54,14 +54,10 @@ function user_valid_type($type) return true; } -/* - * Duplicate of common.inc.php:generatePassword, which will be deleted - * eventually when ALL users are handled through this file - */ -function user_generate_password($pwlen = 8) + +function generatePassword($pwlen = 16) { - // these are good characters that are not easily confused with other characters :) - $available = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'; + $available = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; $len = strlen($available) - 1; $key = ''; @@ -69,7 +65,6 @@ function user_generate_password($pwlen = 8) $key .= $available[rand(0, $len)]; return $key; } - /* * Separate user_load_type functions, these could make additional database * calls if required @@ -92,6 +87,7 @@ function user_load_student(&$u) function user_load_judge(&$u) { + global $pdo; $u['judge_active'] = ($u['judge_active'] == 'yes') ? 'yes' : 'no'; $u['judge_complete'] = ($u['judge_complete'] == 'yes') ? 'yes' : 'no'; $u['years_school'] = intval($u['years_school']); @@ -318,6 +314,7 @@ function user_load_by_uid($uid) function user_load_by_email($email) { + global $pdo; /* Find the most recent uid for the email, regardless of deleted status */ $e = $email; $q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1"); @@ -331,8 +328,9 @@ function user_load_by_email($email) function user_load_by_uid_year($uid, $year) { - $q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'"); - $q->execute(); + global $pdo; + $q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <= ?"); + $q->execute([$uid, $year]); if (!$q->rowCount()) return false; $i = $q->fetch(PDO::FETCH_ASSOC); @@ -345,11 +343,11 @@ function user_set_password($id, $password = NULL) /* pass $u by reference so we can update it */ $save_old = false; if ($password == NULL) { - $q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?"); + $q->execute([$id]); $u = $q->fetch(PDO::FETCH_ASSOC); /* Generate a new password */ - $password = user_generate_password(12); + $password = generatePassword(); /* save the old password only if it's not an auto-generated one */ if ($u['passwordset'] != '0000-00-00') $save_old = true; @@ -362,10 +360,12 @@ function user_set_password($id, $password = NULL) } $p = $password; - $set = ($save_old == true) ? 'oldpassword=password, ' : ''; - $set .= "password='$p', passwordset=$save_set "; - $query = "UPDATE users SET $set WHERE id='$id'"; + $set = ($save_old == true) ? 'oldpassword=password, ' : ''; + $set .= "password='" . password_hash($p, PASSWORD_BCRYPT) . "', passwordset=$save_set "; + + ////FIXME This one may be tricky + $query = "UPDATE users SET $set WHERE id=$id"; $stmt = $pdo->prepare($query); $stmt->execute(); show_pdo_errors_if_any($pdo); @@ -474,8 +474,8 @@ function user_save(&$u) exit; } // give em a record, the primary key on the table takes care of uniqueness - $q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES (?)"); + $q->execute([$u['id']]); } $fields = array('salutation', 'firstname', 'lastname', 'username', @@ -503,13 +503,14 @@ function user_save(&$u) // print_r($u); // echo ""; if ($set != '') { - $query = "UPDATE users SET $set WHERE id='{$u['id']}'"; + $query = "UPDATE users SET $set WHERE id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$u['id']]); // echo "query=[$query]"; show_pdo_errors_if_any($pdo); } + /* Save the password if it changed */ if ($u['password'] != $u['orig']['password']) user_set_password($u['id'], $u['password']); @@ -811,14 +812,15 @@ function user_create($type, $username, $u = NULL) $stmt->execute(); show_pdo_errors_if_any($pdo); $uid = $pdo->lastInsertId(); + if (user_valid_email($username)) { $stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'"); $stmt->execute(); } + $stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'"); $stmt->execute(); show_pdo_errors_if_any($pdo); - user_set_password($uid, NULL); /* * Since the user already has a type, user_save won't create this diff --git a/user_invite.php b/user_invite.php index 42196ec8..d4c0c68f 100644 --- a/user_invite.php +++ b/user_invite.php @@ -196,11 +196,14 @@ if (get_value_from_array($_POST, 'action', '') && get_value_from_array($_POST, ' $u = user_create($type, $email); $u['email'] = $email; user_save($u); + + $password = user_set_password($u['id'], NULL); + email_send("{$type}_new_invite", $u['email'], array('FAIRNAME' => $config['fairname']), array('FAIRNAME' => $config['fairname'], 'EMAIL' => $u['email'], - 'PASSWORD' => $u['password'])); + 'PASSWORD' => $password)); echo happy(i18n('%1 has been invited to be a %2', array($u['email'], $user_what[$type]))); echo happy(i18n('An email has been sent to %1', array($u['email']))); break; diff --git a/user_login.php b/user_login.php index 4b269ca1..1f26f850 100644 --- a/user_login.php +++ b/user_login.php @@ -41,21 +41,13 @@ function try_login($user, $pass) * in the username field */ - /* - * FIXME: this should be user_valid_email, but can't be yet, because - * we copy the usernames from the email field, and that field may - * contain a name too - */ - if (!isEmailAddress($user)) { + /* See if the user email or username is valid */ + if (!user_valid_email($user) || !user_valid_user($user)) { /* It's possible that it's a username */ - if (!user_valid_user($user)) - return false; + return false; } - - // we cannot check for a valid_password here, because converted users dont enforce password length of 6 which user_valid_password does. - // all we can do is check if its a length >0 - // $x = user_valid_password($pass); - if (!strlen($pass)) + + if (!user_valid_password($pass)) return false; $q = $pdo->prepare("SELECT id, username, password, year, deleted @@ -65,8 +57,8 @@ function try_login($user, $pass) ORDER BY year DESC LIMIT 1"); $q->bindParam(':username', $user, PDO::PARAM_STR); - $q->execute(); + if ($q->rowCount() < 1) return false; @@ -77,11 +69,11 @@ function try_login($user, $pass) if ($r->deleted == 'yes') return false; - /* See if the password matches */ - // ///// FIXME Use hash passwords - if ($r->password != $pass) + /* See if the password matches */ + if (!password_verify($pass, $r->password)) { return false; + } /* Login successful */ return $r->id; @@ -246,8 +238,8 @@ if (get_value_from_array($_POST, 'action') == 'login') { } $q = $pdo->prepare("UPDATE users SET lastlogin=NOW() - WHERE id={$u['id']}"); - $q->execute(); + WHERE id=?"); + $q->execute([$u['id']]); /* * Setup multirole so a multirole user can switch if they want to @@ -352,16 +344,17 @@ if (get_value_from_array($_POST, 'action') == 'login') { if (user_valid_email($email)) { /* valid email address */ $e = $email; - $q = $pdo->prepare("SELECT * FROM users WHERE (username='$e' OR email='$e') ORDER BY year DESC LIMIT 1"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM users WHERE (username=? OR email=?) ORDER BY year DESC LIMIT 1"); + $q->execute([$e, $e]); $r = $q->fetch(PDO::FETCH_OBJ); + if ($r) { $fn = trim($_POST['fn']); $ln = trim($_POST['ln']); /* Check name match */ if (strcasecmp($r->firstname, $fn) != 0 || strcasecmp($r->lastname, $ln) != 0) { - message_push(error(i18n('The name you entered does not match the one in your account'))); + message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.'))); header("Location: user_login.php?type=$type"); exit; } @@ -369,6 +362,7 @@ if (get_value_from_array($_POST, 'action') == 'login') { /* Reset the password, and force it to expire */ $password = user_set_password($r->id, NULL); + /* volunteer_recover_password, judge_recover_password, student_recover_password, committee_recover_password */ email_send("{$type}_recover_password", @@ -377,11 +371,11 @@ if (get_value_from_array($_POST, 'action') == 'login') { array('PASSWORD' => $password, 'EMAIL' => $email)); - message_push(notice(i18n('Your password has been sent to your email address'))); + message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.'))); header("Location: user_login.php?type=$type"); exit; } else { - message_push(error(i18n('Could not find your email address for recovery'))); + message_push(notice(i18n('If you credentials match, your new password has been sent to your email address.'))); header("Location: user_login.php?type=$type"); exit; } diff --git a/user_new.php b/user_new.php index b085312d..4617c18e 100644 --- a/user_new.php +++ b/user_new.php @@ -124,8 +124,8 @@ switch ($action) { } /* See if this email already exists */ - $q = $pdo->prepare("SELECT id,types,MAX(year) AS year,deleted FROM users WHERE (email='$sql_email' OR username='$sql_email' )"); - $q->execute(); + $q = $pdo->prepare("SELECT id,types,MAX(year) AS year,deleted FROM users WHERE (email=? OR username=? )"); + $q->execute([$sql_email, $sql_email]); // select *, max(year) from users where username=sql_email // if deleted and year = current yera - just undelete // if deleted and year != current yera - proceed normally and recreate the user diff --git a/user_password.php b/user_password.php index cf6a0ee1..66876c5b 100644 --- a/user_password.php +++ b/user_password.php @@ -62,11 +62,11 @@ $password_expiry_days = get_value_from_array($config, "{$type}_password_expiry_d if (get_value_from_array($_POST, 'action') == 'save') { $pass = $_POST['pass1']; // first, lets see if they choosed the same password again (bad bad bad) - $q = $pdo->prepare("SELECT password FROM users WHERE - id='{$_SESSION['users_id']}' - AND password='$pass'"); - $q->execute(); - if ($q->rowCount()) + $q = $pdo->prepare("SELECT password FROM users WHERE id=?"); + $q->execute([$_SESSION['users_id']]); + $hash = $q->fetch(PDO::FETCH_ASSOC)['password']; + + if (password_verify($pass, $hash)) message_push(error(i18n('You cannot choose the same password again. Please choose a different password'))); else if (!$_POST['pass1']) message_push(error(i18n('New Password is required'))); diff --git a/user_personal.php b/user_personal.php index 7abd1cf3..86491ded 100644 --- a/user_personal.php +++ b/user_personal.php @@ -40,7 +40,6 @@ $user_personal_fields = array( 'lastname' => array('name' => 'Last Name'), 'email' => array('name' => 'Email Address'), 'username' => array('name' => 'Username'), - 'password' => array('name' => 'Password'), 'address' => array('name' => 'Address 1'), 'address2' => array('name' => 'Address 2'), 'city' => array('name' => 'City'), @@ -98,12 +97,6 @@ foreach ($u['types'] as $t) { user_personal_required_fields($t)); } -if (committee_auth_has_access('super')) { - /* If the editer is super, let them see/edit/save the user/pass */ - $fields[] = 'username'; - $fields[] = 'password'; -} - switch (get_value_from_array($_GET, 'action')) { case 'save': $users_id = intval($_POST['users_id']);