/**
 * Create a new password entry in the users_secure table.
 *
 * A fresh salt is drawn from password_salt(), the password is hashed with it
 * through the project's password_hash() helper, and the (id, username, hash,
 * salt, last-update) row is written with a parameterised INSERT.
 *
 * @param string $username
 * @param int    $userid
 * @param string $password  Passed by reference so no additional copy of the
 *                          cleartext is created in memory.
 */
function initializePassword($username, $userid, &$password)
{
    $salt = password_salt();
    $hash = password_hash($password, $salt);

    $columns = implode(",", array(COL_ID, COL_UNM, COL_PWD, COL_SALT, COL_LU));
    $passwordSQL = "INSERT INTO " . TBL_USERS_SECURE
        . " (" . $columns . ")"
        . " VALUES (?,?,?,?,NOW()) ";

    // Values travel as bound parameters; nothing user-supplied reaches the SQL text.
    privStatement($passwordSQL, array($userid, $username, $hash, $salt));
}
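/**
 * Create (no $id) or edit (with $id) a user account from the posted form.
 *
 * On POST the submitted fields are validated; on success the password is
 * hashed with a fresh salt, the record is created or updated, an admin log
 * entry is written and the request is redirected to auth/user. In every other
 * case the edit form is rendered, pre-filled with the stored record when $id
 * refers to one, otherwise with the posted values.
 *
 * @param int|null $id  id of the user to edit; NULL/0 creates a new user
 * @return void
 */
protected function update($id = NULL)
{
    // Build the object the view (and the model) will work with from the raw POST.
    $this->view_data["user"] = new stdClass();
    $this->view_data["user"]->username = $this->input->post('user_username');
    $this->view_data["user"]->email = $this->input->post('user_email');
    $this->view_data["user"]->active = $this->input->post('user_active');
    $this->view_data["user"]->group_id = $this->input->post('user_group');
    $this->view_data["user"]->firstname = $this->input->post('user_firstname');
    $this->view_data["user"]->lastname = $this->input->post('user_lastname');
    $this->view_data["user"]->address = $this->input->post('user_address');
    $this->view_data["user"]->phone = $this->input->post('phone');
    $this->view_data["user"]->image = $this->input->post('user_image');
    $this->view_data["user"]->gender = $this->input->post('user_gender');
    $this->view_data["user"]->createdTime = date("Y-m-d H:i:s", time());
    $this->view_data["user"]->updatedTime = date("Y-m-d H:i:s", time());
    $this->view_data["user"]->createdBy = $this->session->userdata['user_id'];

    if ($this->input->server('REQUEST_METHOD') == 'POST') {
        // Validate form.
        $this->load->helper('form');
        $this->load->library('form_validation');
        $this->form_validation->set_error_delimiters('<div class="alert alert-error"><strong>' . $this->lang->line('error') . ': </strong>', '</div>');
        //add customer
        $rules = array(
            array('field' => 'user_username', 'label' => $this->lang->line('user_username'), 'rules' => 'trim|max_length[150]|required|xss_clean'),
            array('field' => 'user_email', 'label' => $this->lang->line('user_email'), 'rules' => 'trim|max_length[150]|xss_clean|email'),
            array('field' => 'user_password', 'label' => $this->lang->line('user_password'), 'rules' => 'trim|required|xss_clean'),
            array('field' => 'user_re_password', 'label' => $this->lang->line('user_re_password'), 'rules' => 'trim|required|xss_clean'),
            array('field' => 'user_active', 'label' => $this->lang->line('user_active'), 'rules' => 'required|trim|numeric|max_length[1]|xss_clean'),
            array('field' => 'user_group', 'label' => $this->lang->line('user_group'), 'rules' => 'trim|required|numeric|max_length[2]|xss_clean'),
            array('field' => 'user_gender', 'label' => $this->lang->line('user_gender'), 'rules' => 'trim|numeric|max_length[1]|xss_clean'),
            array('field' => 'user_image', 'label' => $this->lang->line('user_image'), 'rules' => 'trim|max_length[200]|xss_clean'),
            array('field' => 'phone', 'label' => $this->lang->line('phone'), 'rules' => 'trim|max_length[25]|xss_clean'),
            array('field' => 'user_address', 'label' => $this->lang->line('user_address'), 'rules' => 'trim|max_length[250]|xss_clean'),
            array('field' => 'user_lastname', 'label' => $this->lang->line('user_lastname'), 'rules' => 'trim|max_length[150]|xss_clean'),
            array('field' => 'user_firstname', 'label' => $this->lang->line('user_firstname'), 'rules' => 'trim|max_length[150]|xss_clean'),
        );
        $password = $this->input->post("user_password");
        $re_password = $this->input->post("user_re_password");
        if ($password != $re_password) {
            // Replacing the user_re_password rule with one that carries
            // matches[user_password] turns the mismatch into a real validation
            // failure; without it a differing confirmation still passed run().
            $rules[] = array('field' => 'user_re_password', 'label' => $this->lang->line('user_re_password'), 'rules' => 'trim|required|max_length[100]|matches[user_password]|xss_clean');
        }
        $this->form_validation->set_error_delimiters('<p><strong>' . $this->lang->line('error') . ' : </strong> ', ' </p>');
        $this->form_validation->set_rules($rules);
        if ($this->form_validation->run() == TRUE) {
            $this->load->helper('character_helper');
            $salt = password_salt();
            // NOTE(review): the password is md5'd before the project's hashing
            // helper sees it; presumably the login path applies the same
            // pre-hash - verify before touching either side.
            $this->view_data["user"]->password = password_hashs(md5($password), $salt);
            $this->view_data["user"]->salt = $salt;
            if ($id) {
                //edit data
                $this->user_model->update($this->view_data["user"], $id);
                $logAction = '[UpdateUserSuccess] ' . $this->lang->line('update_user_success');
            } else {
                $this->user_model->create($this->view_data["user"]);
                $logAction = '[AddUserSuccess] ' . $this->lang->line('add_user_success');
            }
            if ($logAction) {
                $this->session->set_flashdata('flash_message', $this->lang->line('update_successful'));
                $this->adminlog($logAction);
                redirect('auth/user');
            }
        }
    }

    // Render path: load the stored record for an edit, or bail out if $id is unknown.
    if ($id > 0) {
        $user_query = $this->user_model->find_by(array('id' => $id));
        if (!isset($user_query[0])) {
            $this->session->set_flashdata('flash_message', $this->lang->line('not_exists'));
            redirect(site_url('auth/user'));
            exit;
        }
    }
    if (isset($user_query)) {
        $user = $user_query[0];
    } else {
        $user = $this->view_data['user'];
    }
    $this->smarty->assign(array(
        'user' => $user,
        'group_list' => $this->group_model->get_select_box(),
        'active_list' => $this->user_model->get_active_list(),
        'js' => array(base_url() . 'static/templates/backend/js/main.js'),
        'css' => array(),
        'segment' => $this->uri->segment(4),
        'validation' => validation_errors(),
    ));
    $this->smarty->display('auth/user/edit');
}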
} echo "<html><body onload='window.print();'>" . $message . "</body></html>"; } if (isset($_REQUEST['form_save']) && $_REQUEST['form_save'] == 'SUBMIT') { require_once "{$srcdir}/authentication/rsa.php"; require_once "{$srcdir}/authentication/common_operations.php"; $pubKey = $_REQUEST['pk']; $rsa = new rsa_key_manager(); $rsa->load_from_db($pubKey); $clear_pass = $rsa->decrypt($_REQUEST['rsa_pwd']); $res = sqlStatement("SELECT * FROM patient_access_" . add_escape_custom($portalsite) . "site WHERE pid=?", array($pid)); $query_parameters = array($_REQUEST['uname']); $salt_clause = ""; if ($portalsite == 'on') { // For onsite portal create a blowfish based hash and salt. $new_salt = password_salt(); $salt_clause = ",portal_salt=? "; array_push($query_parameters, password_hash($clear_pass, $new_salt), $new_salt); } else { // For offsite portal still create and SHA1 hashed password // When offsite portal is updated to handle blowfish, then both portals can use the same execution path. array_push($query_parameters, SHA1($clear_pass)); } array_push($query_parameters, $pid); if (sqlNumRows($res)) { sqlStatement("UPDATE patient_access_" . add_escape_custom($portalsite) . "site SET portal_username=?,portal_pwd=?,portal_pwd_status=0 " . $salt_clause . " WHERE pid=?", $query_parameters); } else { sqlStatement("INSERT INTO patient_access_" . add_escape_custom($portalsite) . "site SET portal_username=?,portal_pwd=?,portal_pwd_status=0" . $salt_clause . " ,pid=?", $query_parameters); } // Create the message $message = messageCreate($_REQUEST['uname'], $clear_pass, $portalsite);
/**
 * Insert the initial group, the initial user and that user's users_secure credentials.
 *
 * Three INSERT statements are run through $this->execute_sql(); the first
 * failure stores a message (with the mysql error text) in $this->error_message
 * and returns FALSE. Finally the additional official users file is loaded.
 *
 * @return bool TRUE when every step succeeded, FALSE otherwise
 */
public function add_initial_user()
{
    // NOTE(review): $this->igroup, $this->iuser and $this->iuname are interpolated
    // straight into the SQL text below; a value containing a quote breaks the
    // statement. Prefer an escaped or parameterised form if execute_sql() offers one.
    if ($this->execute_sql("INSERT INTO groups (id, name, user) VALUES (1,'{$this->igroup}','{$this->iuser}')") == FALSE) {
        $this->error_message = "ERROR. Unable to add initial user group\n" . "<p>" . mysql_error() . " (#" . mysql_errno() . ")\n";
        return FALSE;
    }
    // Placeholder for the legacy password column in "users"; the real credential lives in users_secure.
    $password_hash = "NoLongerUsed";
    // password_salt()/password_hash() come from library/authentication/password_hashing.php
    $salt = password_salt();
    $hash = password_hash($this->iuserpass, $salt);
    if ($this->execute_sql("INSERT INTO users (id, username, password, authorized, lname, fname, facility_id, calendar, cal_ui) VALUES (1,'{$this->iuser}','{$password_hash}',1,'{$this->iuname}','',3,1,3)") == FALSE) {
        $this->error_message = "ERROR. Unable to add initial user\n" . "<p>" . mysql_error() . " (#" . mysql_errno() . ")\n";
        return FALSE;
    }
    // Create the new style login credentials with blowfish and salt
    if ($this->execute_sql("INSERT INTO users_secure (id, username, password, salt) VALUES (1,'{$this->iuser}','{$hash}','{$salt}')") == FALSE) {
        $this->error_message = "ERROR. Unable to add initial user login credentials\n" . "<p>" . mysql_error() . " (#" . mysql_errno() . ")\n";
        return FALSE;
    }
    // Add the official openemr users (services)
    if ($this->load_file($this->additional_users, "Additional Official Users") == FALSE) {
        return FALSE;
    }
    return TRUE;
}
/**
 * Setup or change a user's password.
 *
 * Flow: (1) the active user's current password is verified against
 * users_secure - either their own record (self-change) or, for an
 * administrator acting on another account, their own record plus an
 * acl_check('admin', 'users'); (2) the new password is rejected when empty or
 * when test_password_strength() fails; (3) a user without a users_secure row
 * (new user, or not yet migrated) gets one via initializePassword(), otherwise
 * the row is updated and, when $GLOBALS['password_history'] is non-zero, the
 * new password is refused if it matches the current or two previous hashes and
 * the history columns are shifted; (4) when
 * $GLOBALS['password_expiration_days'] is non-zero the expiry date is set.
 *
 * @param type $activeUser   ID of who is trying to make the change (either the user himself, or an administrator)
 * @param type $targetUser   ID of what account's password is to be updated (for a new user this doesn't exist yet).
 * @param type $currentPwd   the active user's current password
 * @param type $newPwd       the new password for the target user
 * @param type $errMsg       passed by reference to return any error message
 * @param type $create       Are we creating a new user or updating an existing one?
 * @param type $insert_sql   SQL to run to create the row in "users" (and generate a new id) when needed.
 * @param type $new_username The username for a new user
 * @param type $newid        Return by reference of the ID of a created user
 * @return boolean Was the password successfully updated/created? If false, then $errMsg will tell you why it failed.
 */
function update_password($activeUser, $targetUser, &$currentPwd, &$newPwd, &$errMsg, $create = false, $insert_sql = "", $new_username = null, &$newid = null)
{
    $userSQL = "SELECT " . implode(",", array(COL_PWD, COL_SALT, COL_PWD_H1, COL_SALT_H1, COL_PWD_H2, COL_SALT_H2)) . " FROM " . TBL_USERS_SECURE . " WHERE " . COL_ID . "=?";
    $userInfo = privQuery($userSQL, array($targetUser));
    // Verify the active user's password
    if ($activeUser == $targetUser) {
        if ($create) {
            $errMsg = xl("Trying to create user with existing username!");
            return false;
        }
        // If this user is changing his own password, then confirm that they have the current password correct
        // NOTE(review): $userInfo is only tested against false further down; on this path a
        // missing users_secure row is indexed here - confirm what the intended outcome is.
        $hash_current = password_hash($currentPwd, $userInfo[COL_SALT]);
        // NOTE(review): != on hash strings is not constant-time; hash_equals() is the usual choice.
        if ($hash_current != $userInfo[COL_PWD]) {
            $errMsg = xl("Incorrect password");
            return false;
        }
    } else {
        // If this is an administrator changing someone else's password, then check that they have the password right
        $adminSQL = " SELECT " . implode(",", array(COL_PWD, COL_SALT)) . " FROM " . TBL_USERS_SECURE . " WHERE " . COL_ID . "=?";
        $adminInfo = privQuery($adminSQL, array($activeUser));
        $hash_admin = password_hash($currentPwd, $adminInfo[COL_SALT]);
        if ($hash_admin != $adminInfo[COL_PWD]) {
            $errMsg = xl("Incorrect password!");
            return false;
        }
        // Re-authentication alone is not enough: the caller also needs the user-management ACL.
        if (!acl_check('admin', 'users')) {
            $errMsg = xl("Not authorized to manage users!");
            return false;
        }
    } // End active user check

    // Test password validity (only after the caller has been authenticated)
    if (strlen($newPwd) == 0) {
        $errMsg = xl("Empty Password Not Allowed");
        return false;
    }
    if (!test_password_strength($newPwd, $errMsg)) {
        return false;
    }
    // End password validity checks

    if ($userInfo === false) {
        // No userInfo means either a new user, or an existing user who has not been migrated to blowfish yet
        // In these cases don't worry about password history
        if ($create) {
            // $insert_sql is executed as given, with no bound parameters: the caller is
            // responsible for building it from trusted or properly escaped values.
            privStatement($insert_sql, array());
            $getUserID = " SELECT " . COL_ID . " FROM " . TBL_USERS . " WHERE " . COL_UNM . "=?";
            $user_id = privQuery($getUserID, array($new_username));
            initializePassword($new_username, $user_id[COL_ID], $newPwd);
            $newid = $user_id[COL_ID];
        } else {
            $getUserNameSQL = "SELECT " . COL_UNM . " FROM " . TBL_USERS . " WHERE " . COL_ID . "=?";
            $unm = privQuery($getUserNameSQL, array($targetUser));
            if ($unm === false) {
                // NOTE(review): the id is concatenated into the xl() key, so this message
                // presumably never matches a translation entry - keep the id outside xl().
                $errMsg = xl("Unknown user id:" . $targetUser);
                return false;
            }
            initializePassword($unm[COL_UNM], $targetUser, $newPwd);
            purgeCompatabilityPassword($unm[COL_UNM], $targetUser);
        }
    } else {
        if ($create) {
            $errMsg = xl("Trying to create user with existing username!");
            return false;
        }
        $forbid_reuse = $GLOBALS['password_history'] != 0;
        if ($forbid_reuse) {
            // password reuse disallowed: hash the candidate with each stored salt and
            // compare against the current hash and the two history slots
            $hash_current = password_hash($newPwd, $userInfo[COL_SALT]);
            $hash_history1 = password_hash($newPwd, $userInfo[COL_SALT_H1]);
            $hash_history2 = password_hash($newPwd, $userInfo[COL_SALT_H2]);
            if ($hash_current == $userInfo[COL_PWD] || $hash_history1 == $userInfo[COL_PWD_H1] || $hash_history2 == $userInfo[COL_PWD_H2]) {
                $errMsg = xl("Reuse of three previous passwords not allowed!");
                return false;
            }
        }
        // Everything checks out at this point, so update the password record
        $newSalt = password_salt();
        $newHash = password_hash($newPwd, $newSalt);
        $updateParams = array();
        $updateSQL = "UPDATE " . TBL_USERS_SECURE;
        $updateSQL .= " SET " . COL_PWD . "=?," . COL_SALT . "=?";
        array_push($updateParams, $newHash);
        array_push($updateParams, $newSalt);
        if ($forbid_reuse) {
            // Shift history: current -> H1, H1 -> H2 (the old H2 drops off)
            $updateSQL .= "," . COL_PWD_H1 . "=?" . "," . COL_SALT_H1 . "=?";
            array_push($updateParams, $userInfo[COL_PWD]);
            array_push($updateParams, $userInfo[COL_SALT]);
            $updateSQL .= "," . COL_PWD_H2 . "=?" . "," . COL_SALT_H2 . "=?";
            array_push($updateParams, $userInfo[COL_PWD_H1]);
            array_push($updateParams, $userInfo[COL_SALT_H1]);
        }
        $updateSQL .= " WHERE " . COL_ID . "=?";
        array_push($updateParams, $targetUser);
        privStatement($updateSQL, $updateParams);
    }

    if ($GLOBALS['password_expiration_days'] != 0) {
        $exp_days = $GLOBALS['password_expiration_days'];
        $exp_date = date('Y-m-d', strtotime("+{$exp_days} days"));
        privStatement("update users set pwd_expiration_date=? where id=?", array($exp_date, $targetUser));
    }
    return true;
}
/**
 * Store a new (randomly salted) password for a user and reset bypass mode to normal.
 *
 * A fresh salt comes from password_salt(); it is hashed together with
 * $new_password by the project's password_hash() helper and both values
 * overwrite the user's previous salt and password hash. The bypass mode,
 * bypass hash and bypass expiry are cleared in the same update.
 *
 * @param int $user_id identify the user record by user_id
 * @param string $new_password the new password in plain text
 * @return bool TRUE when exactly one row was updated, FALSE otherwise
 */
function login_change_password($user_id, $new_password)
{
    $salt = password_salt();
    $fields = array(
        'salt'          => $salt,
        'password_hash' => password_hash($salt, $new_password),
        'bypass_mode'   => FALSE,
        'bypass_hash'   => NULL,
        'bypass_expiry' => NULL,
    );
    $rows = db_update('users', $fields, array('user_id' => $user_id));
    // db_update() signals failure with FALSE; anything other than a single affected row is also a failure
    return ($rows !== FALSE) && ($rows == 1);
}
header("Content-Type:text/xml"); $ignoreAuth = true; require_once 'classes.php'; $xml_string = ""; $xml_string = "<forgetpassword>"; $email = $_POST['email']; $strQuery = "SELECT id,username, password, fname, lname FROM users WHERE email= ?"; $result = sqlQuery($strQuery, array($email)); if ($result) { $xml_string .= "<status>0</status>"; $newPwd = rand_string(10); $pin = substr(uniqid(rand()), 0, 4); $pin1 = sha1($pin); if (getVersion()) { require_once "{$srcdir}/authentication/password_hashing.php"; $salt = password_salt(); $password = password_hash($newPwd, $salt); $result1 = sqlStatement("UPDATE users_secure SET password='******', salt='" . $salt . "' WHERE id = {$result["id"]}"); $strQuery1 = "UPDATE `users` SET `app_pin`='" . add_escape_custom($pin1) . "' WHERE email = ?"; $result1 = sqlStatement($strQuery1, array($email)); } else { $password1 = sha1($newPwd); $strQuery1 = "UPDATE `users` SET `password`='" . add_escape_custom($password1) . "', `app_pin`='" . add_escape_custom($pin1) . "' WHERE email = ?"; $result1 = sqlStatement($strQuery1, array($email)); } if ($result1 !== FALSE) { $mail = new PHPMailer(); $mail->IsSendmail(); $body = "<html><body>\n\t\t\t\t\t\t<table>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Your Password has been changed your new Username and Password are</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Here are the details of your account: </td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Username: "******"</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Password: "******"</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Pin: " . $pin . "</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Thanks, <br />MedMaster Team</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t</table>\n\t\t\t\t\t</body></html>"; $body = eregi_replace("[\\]", '', $body); $mail->AddReplyTo("*****@*****.**", "MedMasterPro");
/**
 * Save the basic properties of a user account.
 *
 * The edit dialog for $user_id is validated (generic dialog rules, unique
 * username, matching and acceptable password). On any error the messages are
 * queued and the dialog is re-displayed with the entered data; otherwise the
 * fields (and, when a password was entered, a new salt and hash) are written
 * to the users table and the users overview is shown.
 *
 * @param int $user_id the account to save (pkey in users table)
 * @uses $WAS_SCRIPT_NAME
 */
function user_save_basic($user_id)
{
    global $WAS_SCRIPT_NAME;
    $user_id = intval($user_id);
    //
    // 2 -- validate the data
    //
    $invalid = FALSE;
    $dialogdef = $this->get_dialogdef_edit_user($user_id);
    //
    // 2A -- check for generic errors (string too short, number too small, etc)
    if (!dialog_validate($dialogdef)) {
        $invalid = TRUE;
    }
    // 2B -- additional check: unique username
    $record = db_select_single_record('users', 'user_id', array('username' => $dialogdef['username']['value']));
    if ($record !== FALSE && intval($record['user_id']) != $user_id) {
        // Oops, a record with that username already exists and it's not us. Go flag error
        ++$dialogdef['username']['errors'];
        $fname = $this->get_fname($dialogdef['username']);
        $dialogdef['username']['error_messages'][] = t('validate_not_unique', '', array('{FIELD}' => $fname));
        $invalid = TRUE;
    }
    // 2C -- additional check: valid password
    $password1 = $dialogdef['user_password1']['value'];
    $password2 = $dialogdef['user_password2']['value'];
    // NOTE(review): empty() treats the string '0' as empty, so a password of "0" is
    // silently ignored here and in step 3 - confirm that is acceptable.
    if (!empty($password1) || !empty($password2)) {
        if ($password1 != $password2) {
            $params = array('{FIELD1}' => $this->get_fname($dialogdef['user_password1']), '{FIELD2}' => $this->get_fname($dialogdef['user_password2']));
            ++$dialogdef['user_password1']['errors'];
            ++$dialogdef['user_password2']['errors'];
            $dialogdef['user_password1']['error_messages'][] = t('validate_different_passwords', '', $params);
            // Never echo entered passwords back into the re-displayed form
            $dialogdef['user_password1']['value'] = '';
            $dialogdef['user_password2']['value'] = '';
            $invalid = TRUE;
        } elseif (!acceptable_new_password($password1, $password2)) {
            $params = array('{MIN_LENGTH}' => MINIMUM_PASSWORD_LENGTH, '{MIN_LOWER}' => MINIMUM_PASSWORD_LOWERCASE, '{MIN_UPPER}' => MINIMUM_PASSWORD_UPPERCASE, '{MIN_DIGIT}' => MINIMUM_PASSWORD_DIGITS, '{FIELD}' => $this->get_fname($dialogdef['user_password1']));
            ++$dialogdef['user_password1']['errors'];
            $dialogdef['user_password1']['error_messages'][] = t('validate_bad_password', '', $params);
            $params['{FIELD}'] = $this->get_fname($dialogdef['user_password2']);
            ++$dialogdef['user_password2']['errors'];
            $dialogdef['user_password1']['value'] = '';
            $dialogdef['user_password2']['value'] = '';
            $invalid = TRUE;
        }
    }
    // 2D -- if there were any errors go redo dialog while keeping data already entered
    if ($invalid) {
        foreach ($dialogdef as $k => $item) {
            if (isset($item['errors']) && $item['errors'] > 0) {
                $this->output->add_message($item['error_messages']);
            }
        }
        $params = $this->get_user_names($user_id);
        $this->output->add_content('<h2>' . t('usermanager_edit_user_header', 'admin', $params) . '</h2>');
        $this->output->add_content(t('usermanager_edit_user_explanation', 'admin', $params));
        $href = href($WAS_SCRIPT_NAME, $this->a_params(TASK_USER_SAVE, $user_id));
        // NOTE(review): $dialogdef was already indexed above, so a FALSE value would
        // presumably have failed earlier; this branch looks unreachable in practice.
        if ($dialogdef !== FALSE) {
            $this->output->add_content(dialog_quickform($href, $dialogdef));
            $this->show_breadcrumbs_user($user_id);
        } else {
            $this->output->add_message(t('error_retrieving_data', 'admin'));
            $this->show_menu_user($user_id, TASK_USER_EDIT);
        }
        return;
    }
    // 3 -- Now actually save the data which we just validated
    // Saving always clears any pending bypass (password-reset) state for the account.
    $fields = array('username' => $dialogdef['username']['value'], 'bypass_mode' => FALSE, 'bypass_hash' => NULL, 'bypass_expiry' => NULL, 'full_name' => $dialogdef['user_fullname']['value'], 'email' => $dialogdef['user_email']['value'], 'is_active' => $dialogdef['user_is_active']['value'] == 1 ? TRUE : FALSE, 'redirect' => $dialogdef['user_redirect']['value'], 'language_key' => $dialogdef['user_language_key']['value'], 'editor' => $dialogdef['user_editor']['value'], 'skin' => $dialogdef['user_skin']['value']);
    if (!empty($password1)) {
        // A new password always gets a new random salt; password_hash() here is the
        // project helper taking (salt, password), not PHP's built-in.
        $new_salt = password_salt();
        $new_password = $password1;
        $fields['salt'] = $new_salt;
        $fields['password_hash'] = password_hash($new_salt, $new_password);
    }
    $params = array('{USERNAME}' => $dialogdef['username']['value'], '{FULL_NAME}' => $dialogdef['user_fullname']['value']);
    if (db_update('users', $fields, array('user_id' => $user_id)) === FALSE) {
        $this->output->add_message(t('usermanager_save_user_failure', 'admin', $params));
        logger("usermanager->user_save(): error saving data user '{$user_id}': " . db_errormessage());
    } else {
        $this->output->add_message(t('usermanager_save_user_success', 'admin', $params));
        logger("usermanager->user_save(): success saving changes to '{$user_id}' in 'users'", WLOG_DEBUG);
    }
    $this->users_overview();
    return;
}