function passCheck($password, $username)
{
global $mysqlusername, $mysqlpassword, $mysqldatabase, $mysqllocation;
$db = new mysqli($mysqllocation, $mysqlusername, $mysqlpassword, $mysqldatabase);
$username = $db->real_escape_string($username);
$query = "SELECT password, salt, userkey, usertype FROM users WHERE userid='{$username}' LIMIT 1";
$result = $db->query($query) or die($db->error);
while ($row = $result->fetch_assoc()) {
if ($row["password"] === passHash($password, $username, $row["salt"])) {
$_SESSION["userkey"] = $row["userkey"];
$_SESSION["usertype"] = $row["usertype"];
$db->close();
return true;
}
$db->close();
return false;
}
}
function addUser($firstName, $lastName, $email, $password)
{
$db = dbConnection();
$password = passHash($password);
$rowCount = 0;
try {
$sql = 'SELECT email FROM user WHERE email=:email';
$stmt = $db->prepare($sql);
$stmt->bindValue(':email', $email, PDO::PARAM_STR);
$stmt->execute();
$stmt->setFetchMode(PDO::FETCH_ASSOC);
$stmt->closeCursor();
$rowCount = $stmt->rowCount();
} catch (PDOException $e) {
echo $message = "PDO Failure";
}
if ($rowCount == 0) {
try {
$sql = 'INSERT INTO user(firstName, lastName, email, password, location_id)
VALUES (:firstName, :lastName, :email, :password, 1)';
$stmt = $db->prepare($sql);
$stmt->bindValue(':firstName', $firstName, PDO::PARAM_STR);
$stmt->bindValue(':lastName', $lastName, PDO::PARAM_STR);
$stmt->bindValue(':email', $email, PDO::PARAM_STR);
$stmt->bindValue(':password', $password, PDO::PARAM_STR);
$result = $stmt->execute();
$stmt->closeCursor();
} catch (PDOException $e) {
echo $message = "PDO Failure";
}
if ($result) {
$_SESSION['logged_in_user'] = $email;
return TRUE;
} else {
return FALSE;
}
} else {
return 0;
}
}
session_start();
require_once "../include.php";
if (!isIn() || !isTeacher()) {
header("Location: ../");
exit;
}
$passchangeFailed = false;
if (isset($_POST["currpass"]) && isset($_POST["newpass"])) {
global $mysqlusername, $mysqlpassword, $mysqldatabase, $mysqllocation;
$db = new mysqli($mysqllocation, $mysqlusername, $mysqlpassword, $mysqldatabase);
$query = "SELECT userid FROM users WHERE userkey = " . $_SESSION["userkey"] . " LIMIT 1";
$result = $db->query($query) or die($db->error);
$row = $result->fetch_assoc();
if (passCheck($_POST["currpass"], $row["userid"])) {
$salt = generateSalt();
$password = passHash($_POST["newpass"], $row["userid"], $salt);
$salt = $db->escape_string($salt);
$query = "UPDATE users SET password='******', salt='{$salt}' WHERE userkey=" . $_SESSION["userkey"];
$db->query($query) or die($db->error);
$_SESSION["remarks"] = "<script>alert('Password changed successfully.');</script>";
header("Location: addschedule.php");
exit;
} else {
$passchangeFailed = true;
}
}
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
function updateUser($userName, $userPass, $newUserEmail, $newUserPass)
{
global $con;
$ret = array(0, 0);
if ($newUserEmail !== 0 || $newUserPass !== 0) {
if ($stmt = $con->prepare("SELECT userID, userEmail, userPass, userSalt FROM users WHERE userName = ? LIMIT 1")) {
$stmt->bind_param('s', $userName);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($user_id, $user_email, $db_password, $salt);
$stmt->fetch();
if ($stmt->num_rows == 1) {
if ($db_password == passHash($salt, $userPass)) {
if ($newUserEmail !== 0 && $newUserEmail !== $user_email) {
if (isValidEmailAddress($newUserEmail)) {
if ($check_stmt = $con->prepare("SELECT userName FROM users WHERE userEmail = ? LIMIT 1")) {
$check_stmt->bind_param('s', $newUserEmail);
$check_stmt->execute();
$check_stmt->store_result();
$check_stmt->bind_result($user_name);
$check_stmt->fetch();
if ($check_stmt->num_rows == 0) {
if ($update_stmt = $con->prepare("UPDATE users SET userEmail=? WHERE userID=? LIMIT 1")) {
$update_stmt->bind_param('si', $newUserEmail, $user_id);
$update_stmt->execute();
$ret[0] = true;
} else {
$ret[0] = -3;
//problem with db
}
} else {
$ret[0] = -4;
//username or email exists
}
}
} else {
$ret[0] = -5;
//invalid email or username
}
}
if ($newUserPass !== 0) {
if ($db_password !== passHash($salt, $newUserPass)) {
$randomSalt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
$password = passHash($randomSalt, $newUserPass);
if ($update_stmt = $con->prepare("UPDATE users SET userPass=?, userSalt=? WHERE userID=? LIMIT 1")) {
$update_stmt->bind_param('ssi', $password, $randomSalt, $user_id);
$update_stmt->execute();
$ret[1] = true;
} else {
$ret[1] = -3;
//problem with db
}
}
}
} else {
$ret[1] = -2;
//wrong pass
}
} else {
$ret[0] = -1;
//no user
}
} else {
$ret[0] = -3;
//problem with db
}
} else {
$ret[0] = -6;
//no change value given
}
return $ret;
}
function createHash($salt, $pass)
{
return hash('sha256', $salt . passHash($pass));
}
