function passCheck($password, $username) { global $mysqlusername, $mysqlpassword, $mysqldatabase, $mysqllocation; $db = new mysqli($mysqllocation, $mysqlusername, $mysqlpassword, $mysqldatabase); $username = $db->real_escape_string($username); $query = "SELECT password, salt, userkey, usertype FROM users WHERE userid='{$username}' LIMIT 1"; $result = $db->query($query) or die($db->error); while ($row = $result->fetch_assoc()) { if ($row["password"] === passHash($password, $username, $row["salt"])) { $_SESSION["userkey"] = $row["userkey"]; $_SESSION["usertype"] = $row["usertype"]; $db->close(); return true; } $db->close(); return false; } }
function addUser($firstName, $lastName, $email, $password) { $db = dbConnection(); $password = passHash($password); $rowCount = 0; try { $sql = 'SELECT email FROM user WHERE email=:email'; $stmt = $db->prepare($sql); $stmt->bindValue(':email', $email, PDO::PARAM_STR); $stmt->execute(); $stmt->setFetchMode(PDO::FETCH_ASSOC); $stmt->closeCursor(); $rowCount = $stmt->rowCount(); } catch (PDOException $e) { echo $message = "PDO Failure"; } if ($rowCount == 0) { try { $sql = 'INSERT INTO user(firstName, lastName, email, password, location_id) VALUES (:firstName, :lastName, :email, :password, 1)'; $stmt = $db->prepare($sql); $stmt->bindValue(':firstName', $firstName, PDO::PARAM_STR); $stmt->bindValue(':lastName', $lastName, PDO::PARAM_STR); $stmt->bindValue(':email', $email, PDO::PARAM_STR); $stmt->bindValue(':password', $password, PDO::PARAM_STR); $result = $stmt->execute(); $stmt->closeCursor(); } catch (PDOException $e) { echo $message = "PDO Failure"; } if ($result) { $_SESSION['logged_in_user'] = $email; return TRUE; } else { return FALSE; } } else { return 0; } }
session_start(); require_once "../include.php"; if (!isIn() || !isTeacher()) { header("Location: ../"); exit; } $passchangeFailed = false; if (isset($_POST["currpass"]) && isset($_POST["newpass"])) { global $mysqlusername, $mysqlpassword, $mysqldatabase, $mysqllocation; $db = new mysqli($mysqllocation, $mysqlusername, $mysqlpassword, $mysqldatabase); $query = "SELECT userid FROM users WHERE userkey = " . $_SESSION["userkey"] . " LIMIT 1"; $result = $db->query($query) or die($db->error); $row = $result->fetch_assoc(); if (passCheck($_POST["currpass"], $row["userid"])) { $salt = generateSalt(); $password = passHash($_POST["newpass"], $row["userid"], $salt); $salt = $db->escape_string($salt); $query = "UPDATE users SET password='******', salt='{$salt}' WHERE userkey=" . $_SESSION["userkey"]; $db->query($query) or die($db->error); $_SESSION["remarks"] = "<script>alert('Password changed successfully.');</script>"; header("Location: addschedule.php"); exit; } else { $passchangeFailed = true; } } ?> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
function updateUser($userName, $userPass, $newUserEmail, $newUserPass) { global $con; $ret = array(0, 0); if ($newUserEmail !== 0 || $newUserPass !== 0) { if ($stmt = $con->prepare("SELECT userID, userEmail, userPass, userSalt FROM users WHERE userName = ? LIMIT 1")) { $stmt->bind_param('s', $userName); $stmt->execute(); $stmt->store_result(); $stmt->bind_result($user_id, $user_email, $db_password, $salt); $stmt->fetch(); if ($stmt->num_rows == 1) { if ($db_password == passHash($salt, $userPass)) { if ($newUserEmail !== 0 && $newUserEmail !== $user_email) { if (isValidEmailAddress($newUserEmail)) { if ($check_stmt = $con->prepare("SELECT userName FROM users WHERE userEmail = ? LIMIT 1")) { $check_stmt->bind_param('s', $newUserEmail); $check_stmt->execute(); $check_stmt->store_result(); $check_stmt->bind_result($user_name); $check_stmt->fetch(); if ($check_stmt->num_rows == 0) { if ($update_stmt = $con->prepare("UPDATE users SET userEmail=? WHERE userID=? LIMIT 1")) { $update_stmt->bind_param('si', $newUserEmail, $user_id); $update_stmt->execute(); $ret[0] = true; } else { $ret[0] = -3; //problem with db } } else { $ret[0] = -4; //username or email exists } } } else { $ret[0] = -5; //invalid email or username } } if ($newUserPass !== 0) { if ($db_password !== passHash($salt, $newUserPass)) { $randomSalt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); $password = passHash($randomSalt, $newUserPass); if ($update_stmt = $con->prepare("UPDATE users SET userPass=?, userSalt=? WHERE userID=? LIMIT 1")) { $update_stmt->bind_param('ssi', $password, $randomSalt, $user_id); $update_stmt->execute(); $ret[1] = true; } else { $ret[1] = -3; //problem with db } } } } else { $ret[1] = -2; //wrong pass } } else { $ret[0] = -1; //no user } } else { $ret[0] = -3; //problem with db } } else { $ret[0] = -6; //no change value given } return $ret; }
function createHash($salt, $pass) { return hash('sha256', $salt . passHash($pass)); }