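/**
 * Verify the credentials given
 *
 * Looks up the `users` row whose `user` and `resettoken` columns both match
 * the supplied values and checks how many seconds old its `resettime` is.
 * The token itself is compared by the database query, so the match semantics
 * (case sensitivity, trailing-space handling) follow the column's collation.
 *
 * @param mysqli $db
 * @param string $username
 * @param string $resettoken
 * @return bool true only when a matching row exists, its `resettime` is set,
 *              and that time is less than MAX_RESET_VALIDITY seconds old;
 *              false on any lookup failure or mismatch
 */
function verifyResetToken($db, $username, $resettoken)
{
    // Never validate an empty token: a row whose reset token has been cleared
    // or never set could otherwise match an empty submitted value, depending
    // on how the column is stored.
    if ($username === '' || $resettoken === '') {
        return False;
    }

    $stmt = checkPrepare($db, 'SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(`resettime`) AS `age` FROM `users` WHERE `user`=? AND `resettoken`=?');
    if (!$stmt) {
        // checkPrepare is expected to have reported the failure; return an
        // explicit false rather than falling off the end of the function.
        return False;
    }

    checkBindParam($db, $stmt, "ss", $username, $resettoken);
    checkBindResult($db, $stmt, $age);

    if (!checkExecute($db, $stmt)) {
        $stmt->close();
        return False;
    }

    // mysqli_stmt::fetch() returns true when a row was fetched, null when no
    // row matched and false on error; only an actual row may validate.
    $result = $stmt->fetch();
    $stmt->close();
    if ($result !== True) {
        return False;
    }

    // A NULL `resettime` gives a NULL age, and PHP's loose comparison would
    // evaluate NULL < MAX_RESET_VALIDITY as true, so reject it explicitly.
    if ($age === NULL) {
        return False;
    }

    return $age < MAX_RESET_VALIDITY;
}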
}
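// Password-reset request handling: read the submitted username, look up how
// long ago that account last requested a reset, and refuse a new request that
// arrives within MIN_RESET_DELAY seconds of the previous one.

// Only accept a non-empty string. A PHP array (user[]=x) would make strlen()
// throw a TypeError on PHP 8, and an empty name has no row to match.
if (isset($_POST["user"]) && is_string($_POST["user"]) && strlen($_POST["user"]) > 0) {
    $user = $_POST["user"];
}
if (!isset($user)) {
    showResetScreen();
    exit;
}

// handle the case that we got the username.
$db = getAuthDb();
if ($db === NULL) {
    handleError("Could not connect to the database");
    // handleError is assumed to terminate the request; exit defensively so the
    // code below never runs with a null connection if it does not.
    exit;
}

$stmt = checkPrepare($db, "SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(`resettime`) FROM `users` WHERE `user`=?");
checkBindParam($db, $stmt, "s", $user);
checkBindResult($db, $stmt, $resettime);

// Check the execute result, as verifyResetToken() does, instead of fetching
// from a statement that may not have run.
if (!checkExecute($db, $stmt)) {
    stmtError($db, $stmt);
    // stmtError is assumed to terminate; exit defensively if it does not.
    exit;
}

// fetch() returns true on a row, null when the user does not exist, false on error.
$result = $stmt->fetch();
if ($result === FALSE) {
    stmtError($db, $stmt);
    exit;
} elseif ($result === NULL) {
    $stmt->close();
    $db->close();
    // NOTE(review): this response differs from the one for a known user, so
    // it reveals whether an account exists (account enumeration). A generic
    // "if the account exists, an e-mail has been sent" message would avoid that.
    showResetScreen("Invalid user");
    exit;
}
$stmt->close();

// $resettime is NULL when the account has never requested a reset; a
// non-NULL value is the age in seconds of the last request.
if ($resettime !== NULL && $resettime < MIN_RESET_DELAY) {
    $db->close();
    handleError("Only one reset attempt allowed per " . MIN_RESET_DELAY . " seconds");
}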