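/**
 * Verify that a password-reset token belongs to the given user and is still valid.
 *
 * The token is matched in the database with a parameterized query; on a match
 * the age (seconds) of the stored `resettime` is compared against
 * MAX_RESET_VALIDITY.
 *
 * @param mysqli $db         open connection to the auth database
 * @param string $username   user name supplied with the reset request
 * @param string $resettoken reset token supplied with the reset request
 * @return bool true only when the token matches the user's row and has not expired;
 *              false on no match, expired token, prepare/execute failure, or empty input
 */
function verifyResetToken($db, $username, $resettoken)
{
    // Reject empty credentials up front. NOTE(review): the column default for
    // `resettoken` is not visible here; this guard keeps an empty submitted token
    // from matching a row whose token was never set or has been cleared.
    if ($username === '' || $resettoken === '') {
        return false;
    }

    // Same helper as the rest of the file (checkPrepare); the original spelled it
    // `checkprepare`, which works only because PHP function names are case-insensitive.
    $stmt = checkPrepare(
        $db,
        'SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(`resettime`) AS `age` FROM `users` WHERE `user`=? AND `resettoken`=?'
    );
    if (!$stmt) {
        // The original fell off the end here and returned null implicitly.
        return false;
    }

    checkBindParam($db, $stmt, "ss", $username, $resettoken);
    checkBindResult($db, $stmt, $age);

    $valid = false;
    if (checkExecute($db, $stmt)) {
        // mysqli_stmt::fetch(): true = row found, null = no match, false = error.
        if ($stmt->fetch() === true) {
            // A NULL `resettime` yields a NULL age; that must not count as "fresh".
            $valid = $age !== null && $age < MAX_RESET_VALIDITY;
        }
    }
    $stmt->close();
    return $valid;
}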
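}

// --- Reset-request handler (top-level script). The `}` above closes a block
// that begins before this excerpt and is left as-is. ---

// Accept the user name only when it is a non-empty string; an array value
// (e.g. user[]=x) would make strlen() throw a TypeError on PHP 8.
if (isset($_POST["user"]) && is_string($_POST["user"]) && strlen($_POST["user"]) > 0) {
    $user = $_POST["user"];
}
if (!isset($user)) {
    showResetScreen();
    exit;
}

// handle the case that we got the username.
$db = getAuthDb();
if ($db === null) {
    // NOTE(review): whether handleError() terminates the script is not visible here.
    handleError("Could not connect to the database");
}

// Age in seconds of the user's last reset request; NULL when `resettime` is NULL.
$stmt = checkPrepare($db, "SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(`resettime`) FROM `users` WHERE `user`=?");
checkBindParam($db, $stmt, "s", $user);
checkBindResult($db, $stmt, $resettime);
checkExecute($db, $stmt);

// mysqli_stmt::fetch(): true = row found, null = no such user, false = error.
$result = $stmt->fetch();
if ($result === false) {
    stmtError($db, $stmt);
} elseif ($result === null) {
    $stmt->close();
    $db->close();
    // NOTE(review): a distinct "Invalid user" response lets a requester tell
    // existing accounts from unknown ones (account enumeration); a neutral
    // confirmation for both cases would avoid that.
    showResetScreen("Invalid user");
    exit;
}
$stmt->close();

// Rate-limit repeated reset requests for the same account.
if ($resettime !== null && $resettime < MIN_RESET_DELAY) {
    $db->close();
    // Fixed: the original message lacked the space before "seconds".
    handleError("Only one reset attempt allowed per " . MIN_RESET_DELAY . " seconds");
}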