Example #1
0
/**
 * create a new password entry in the users_secure table
 * 
 * @param type $username
 * @param type $password  Passing by reference so additional copy is not created in memory
 */
function initializePassword($username, $userid, &$password)
{
    $salt = password_salt();
    $hash = password_hash($password, $salt);
    $passwordSQL = "INSERT INTO " . TBL_USERS_SECURE . " (" . implode(",", array(COL_ID, COL_UNM, COL_PWD, COL_SALT, COL_LU)) . ")" . " VALUES (?,?,?,?,NOW()) ";
    $params = array($userid, $username, $hash, $salt);
    privStatement($passwordSQL, $params);
}
Example #2
0
 protected function update($id = NULL)
 {
     $this->view_data["user"] = new stdClass();
     $this->view_data["user"]->username = $this->input->post('user_username');
     $this->view_data["user"]->email = $this->input->post('user_email');
     $this->view_data["user"]->active = $this->input->post('user_active');
     $this->view_data["user"]->group_id = $this->input->post('user_group');
     $this->view_data["user"]->firstname = $this->input->post('user_firstname');
     $this->view_data["user"]->lastname = $this->input->post('user_lastname');
     $this->view_data["user"]->address = $this->input->post('user_address');
     $this->view_data["user"]->phone = $this->input->post('phone');
     $this->view_data["user"]->image = $this->input->post('user_image');
     $this->view_data["user"]->gender = $this->input->post('user_gender');
     $this->view_data["user"]->createdTime = date("Y-m-d H:i:s", time());
     $this->view_data["user"]->updatedTime = date("Y-m-d H:i:s", time());
     $this->view_data["user"]->createdBy = $this->session->userdata['user_id'];
     if ($this->input->server('REQUEST_METHOD') == 'POST') {
         // Validate form.
         $this->load->helper('form');
         $this->load->library('form_validation');
         $this->form_validation->set_error_delimiters('<div class="alert alert-error"><strong>' . $this->lang->line('error') . ': </strong>', '</div>');
         //add customer
         $rules = array(array('field' => 'user_username', 'label' => $this->lang->line('user_username'), 'rules' => 'trim|max_length[150]|required|xss_clean'), array('field' => 'user_email', 'label' => $this->lang->line('user_email'), 'rules' => 'trim|max_length[150]|xss_clean|email'), array('field' => 'user_password', 'label' => $this->lang->line('user_password'), 'rules' => 'trim|required|xss_clean'), array('field' => 'user_re_password', 'label' => $this->lang->line('user_re_password'), 'rules' => 'trim|required|xss_clean'), array('field' => 'user_active', 'label' => $this->lang->line('user_active'), 'rules' => 'required|trim|numeric|max_length[1]|xss_clean'), array('field' => 'user_group', 'label' => $this->lang->line('user_group'), 'rules' => 'trim|required|numeric|max_length[2]|xss_clean'), array('field' => 'user_gender', 'label' => $this->lang->line('user_gender'), 'rules' => 'trim|numeric|max_length[1]|xss_clean'), array('field' => 'user_image', 'label' => $this->lang->line('user_image'), 'rules' => 'trim|max_length[200]|xss_clean'), array('field' => 'phone', 'label' => $this->lang->line('phone'), 'rules' => 'trim|max_length[25]|xss_clean'), array('field' => 'user_address', 'label' => $this->lang->line('user_address'), 'rules' => 'trim|max_length[250]|xss_clean'), array('field' => 'user_lastname', 'label' => $this->lang->line('user_lastname'), 'rules' => 'trim|max_length[150]|xss_clean'), array('field' => 'user_firstname', 'label' => $this->lang->line('user_firstname'), 'rules' => 'trim|max_length[150]|xss_clean'));
         $password = $this->input->post("user_password");
         $re_password = $this->input->post("user_re_password");
         if ($password != $re_password) {
             $rules[] = array('field' => 'user_re_password', 'label' => $this->lang->line('user_re_password'), 'rules' => 'trim|required|max_length[100]|xss_clean');
         }
         $this->form_validation->set_error_delimiters('<p><strong>' . $this->lang->line('error') . ' : </strong> ', ' </p>');
         $this->form_validation->set_rules($rules);
         if ($this->form_validation->run() == TRUE) {
             $this->load->helper('character_helper');
             $salt = password_salt();
             $this->view_data["user"]->password = password_hashs(md5($password), $salt);
             $this->view_data["user"]->salt = $salt;
             if ($id) {
                 //edit data
                 $this->user_model->update($this->view_data["user"], $id);
                 $logAction = '[UpdateUserSuccess] ' . $this->lang->line('update_user_success');
             } else {
                 $params = $this->user_model->create($this->view_data["user"]);
                 $logAction = '[AddUserSuccess] ' . $this->lang->line('add_user_success');
             }
             if ($logAction) {
                 $this->session->set_flashdata('flash_message', $this->lang->line('update_successful'));
                 $this->adminlog($logAction);
                 redirect('auth/user');
             }
         }
     }
     if ($id > 0) {
         $user_query = $this->user_model->find_by(array('id' => $id));
         if (!isset($user_query[0])) {
             $this->session->set_flashdata('flash_message', $this->lang->line('not_exists'));
             redirect(site_url('auth/user'));
             exit;
         }
     }
     if (isset($user_query)) {
         $user = $user_query[0];
     } else {
         $user = $this->view_data['user'];
     }
     $this->smarty->assign(array('user' => $user, 'group_list' => $this->group_model->get_select_box(), 'active_list' => $this->user_model->get_active_list(), 'js' => array(base_url() . 'static/templates/backend/js/main.js'), 'css' => array(), 'segment' => $this->uri->segment(4), 'validation' => validation_errors()));
     $this->smarty->display('auth/user/edit');
 }
    }
    echo "<html><body onload='window.print();'>" . $message . "</body></html>";
}
if (isset($_REQUEST['form_save']) && $_REQUEST['form_save'] == 'SUBMIT') {
    require_once "{$srcdir}/authentication/rsa.php";
    require_once "{$srcdir}/authentication/common_operations.php";
    $pubKey = $_REQUEST['pk'];
    $rsa = new rsa_key_manager();
    $rsa->load_from_db($pubKey);
    $clear_pass = $rsa->decrypt($_REQUEST['rsa_pwd']);
    $res = sqlStatement("SELECT * FROM patient_access_" . add_escape_custom($portalsite) . "site WHERE pid=?", array($pid));
    $query_parameters = array($_REQUEST['uname']);
    $salt_clause = "";
    if ($portalsite == 'on') {
        // For onsite portal create a blowfish based hash and salt.
        $new_salt = password_salt();
        $salt_clause = ",portal_salt=? ";
        array_push($query_parameters, password_hash($clear_pass, $new_salt), $new_salt);
    } else {
        // For offsite portal still create and SHA1 hashed password
        // When offsite portal is updated to handle blowfish, then both portals can use the same execution path.
        array_push($query_parameters, SHA1($clear_pass));
    }
    array_push($query_parameters, $pid);
    if (sqlNumRows($res)) {
        sqlStatement("UPDATE patient_access_" . add_escape_custom($portalsite) . "site SET portal_username=?,portal_pwd=?,portal_pwd_status=0 " . $salt_clause . " WHERE pid=?", $query_parameters);
    } else {
        sqlStatement("INSERT INTO patient_access_" . add_escape_custom($portalsite) . "site SET portal_username=?,portal_pwd=?,portal_pwd_status=0" . $salt_clause . " ,pid=?", $query_parameters);
    }
    // Create the message
    $message = messageCreate($_REQUEST['uname'], $clear_pass, $portalsite);
Example #4
0
 public function add_initial_user()
 {
     if ($this->execute_sql("INSERT INTO groups (id, name, user) VALUES (1,'{$this->igroup}','{$this->iuser}')") == FALSE) {
         $this->error_message = "ERROR. Unable to add initial user group\n" . "<p>" . mysql_error() . " (#" . mysql_errno() . ")\n";
         return FALSE;
     }
     $password_hash = "NoLongerUsed";
     // This is the value to insert into the password column in the "users" table. password details are now being stored in users_secure instead.
     $salt = password_salt();
     // Uses the functions defined in library/authentication/password_hashing.php
     $hash = password_hash($this->iuserpass, $salt);
     if ($this->execute_sql("INSERT INTO users (id, username, password, authorized, lname, fname, facility_id, calendar, cal_ui) VALUES (1,'{$this->iuser}','{$password_hash}',1,'{$this->iuname}','',3,1,3)") == FALSE) {
         $this->error_message = "ERROR. Unable to add initial user\n" . "<p>" . mysql_error() . " (#" . mysql_errno() . ")\n";
         return FALSE;
     }
     // Create the new style login credentials with blowfish and salt
     if ($this->execute_sql("INSERT INTO users_secure (id, username, password, salt) VALUES (1,'{$this->iuser}','{$hash}','{$salt}')") == FALSE) {
         $this->error_message = "ERROR. Unable to add initial user login credentials\n" . "<p>" . mysql_error() . " (#" . mysql_errno() . ")\n";
         return FALSE;
     }
     // Add the official openemr users (services)
     if ($this->load_file($this->additional_users, "Additional Official Users") == FALSE) {
         return FALSE;
     }
     return TRUE;
 }
Example #5
0
/**
 * Setup or change a user's password
 * 
 * @param type $activeUser      ID of who is trying to make the change (either the user himself, or an administrator)
 * @param type $targetUser      ID of what account's password is to be updated (for a new user this doesn't exist yet).
 * @param type $currentPwd      the active user's current password 
 * @param type $newPwd          the new password for the target user
 * @param type $errMsg          passed by reference to return any 
 * @param type $create          Are we creating a new user or 
 * @param type $insert_sql      SQL to run to create the row in "users" (and generate a new id) when needed.
 * @param type $new_username    The username for a new user
 * @param type $newid           Return by reference of the ID of a created user
 * @return boolean              Was the password successfully updated/created? If false, then $errMsg will tell you why it failed.
 */
function update_password($activeUser, $targetUser, &$currentPwd, &$newPwd, &$errMsg, $create = false, $insert_sql = "", $new_username = null, &$newid = null)
{
    $userSQL = "SELECT " . implode(",", array(COL_PWD, COL_SALT, COL_PWD_H1, COL_SALT_H1, COL_PWD_H2, COL_SALT_H2)) . " FROM " . TBL_USERS_SECURE . " WHERE " . COL_ID . "=?";
    $userInfo = privQuery($userSQL, array($targetUser));
    // Verify the active user's password
    if ($activeUser == $targetUser) {
        if ($create) {
            $errMsg = xl("Trying to create user with existing username!");
            return false;
        }
        // If this user is changing his own password, then confirm that they have the current password correct
        $hash_current = password_hash($currentPwd, $userInfo[COL_SALT]);
        if ($hash_current != $userInfo[COL_PWD]) {
            $errMsg = xl("Incorrect password");
            return false;
        }
    } else {
        // If this is an administrator changing someone else's password, then check that they have the password right
        $adminSQL = " SELECT " . implode(",", array(COL_PWD, COL_SALT)) . " FROM " . TBL_USERS_SECURE . " WHERE " . COL_ID . "=?";
        $adminInfo = privQuery($adminSQL, array($activeUser));
        $hash_admin = password_hash($currentPwd, $adminInfo[COL_SALT]);
        if ($hash_admin != $adminInfo[COL_PWD]) {
            $errMsg = xl("Incorrect password!");
            return false;
        }
        if (!acl_check('admin', 'users')) {
            $errMsg = xl("Not authorized to manage users!");
            return false;
        }
    }
    // End active user check
    //Test password validity
    if (strlen($newPwd) == 0) {
        $errMsg = xl("Empty Password Not Allowed");
        return false;
    }
    if (!test_password_strength($newPwd, $errMsg)) {
        return false;
    }
    // End password validty checks
    if ($userInfo === false) {
        // No userInfo means either a new user, or an existing user who has not been migrated to blowfish yet
        // In these cases don't worry about password history
        if ($create) {
            privStatement($insert_sql, array());
            $getUserID = " SELECT " . COL_ID . " FROM " . TBL_USERS . " WHERE " . COL_UNM . "=?";
            $user_id = privQuery($getUserID, array($new_username));
            initializePassword($new_username, $user_id[COL_ID], $newPwd);
            $newid = $user_id[COL_ID];
        } else {
            $getUserNameSQL = "SELECT " . COL_UNM . " FROM " . TBL_USERS . " WHERE " . COL_ID . "=?";
            $unm = privQuery($getUserNameSQL, array($targetUser));
            if ($unm === false) {
                $errMsg = xl("Unknown user id:" . $targetUser);
                return false;
            }
            initializePassword($unm[COL_UNM], $targetUser, $newPwd);
            purgeCompatabilityPassword($unm[COL_UNM], $targetUser);
        }
    } else {
        if ($create) {
            $errMsg = xl("Trying to create user with existing username!");
            return false;
        }
        $forbid_reuse = $GLOBALS['password_history'] != 0;
        if ($forbid_reuse) {
            // password reuse disallowed
            $hash_current = password_hash($newPwd, $userInfo[COL_SALT]);
            $hash_history1 = password_hash($newPwd, $userInfo[COL_SALT_H1]);
            $hash_history2 = password_hash($newPwd, $userInfo[COL_SALT_H2]);
            if ($hash_current == $userInfo[COL_PWD] || $hash_history1 == $userInfo[COL_PWD_H1] || $hash_history2 == $userInfo[COL_PWD_H2]) {
                $errMsg = xl("Reuse of three previous passwords not allowed!");
                return false;
            }
        }
        // Everything checks out at this point, so update the password record
        $newSalt = password_salt();
        $newHash = password_hash($newPwd, $newSalt);
        $updateParams = array();
        $updateSQL = "UPDATE " . TBL_USERS_SECURE;
        $updateSQL .= " SET " . COL_PWD . "=?," . COL_SALT . "=?";
        array_push($updateParams, $newHash);
        array_push($updateParams, $newSalt);
        if ($forbid_reuse) {
            $updateSQL .= "," . COL_PWD_H1 . "=?" . "," . COL_SALT_H1 . "=?";
            array_push($updateParams, $userInfo[COL_PWD]);
            array_push($updateParams, $userInfo[COL_SALT]);
            $updateSQL .= "," . COL_PWD_H2 . "=?" . "," . COL_SALT_H2 . "=?";
            array_push($updateParams, $userInfo[COL_PWD_H1]);
            array_push($updateParams, $userInfo[COL_SALT_H1]);
        }
        $updateSQL .= " WHERE " . COL_ID . "=?";
        array_push($updateParams, $targetUser);
        privStatement($updateSQL, $updateParams);
    }
    if ($GLOBALS['password_expiration_days'] != 0) {
        $exp_days = $GLOBALS['password_expiration_days'];
        $exp_date = date('Y-m-d', strtotime("+{$exp_days} days"));
        privStatement("update users set pwd_expiration_date=? where id=?", array($exp_date, $targetUser));
    }
    return true;
}
/** update the users database with a new (randomly salted) password and reset bypass mode to normal
 *
 * This updates the user record for user with user_id and stores the new password. The new
 * password and a new random salt are hashed together and the result is stored, together with
 * the new salt, overwriting the old salt and the old password hash. The bypass mode is reset
 * to normal and the bypass hash is reset. Return TRUE on success.
 *
 * @param int $user_id identify the user record by user_id
 * @param string $new_password the new password in plain text
 * @return bool FALSE on failure, TRUE otherwise
 */
function login_change_password($user_id, $new_password)
{
    $new_salt = password_salt();
    $new_hash = password_hash($new_salt, $new_password);
    $fields = array('salt' => $new_salt, 'password_hash' => $new_hash, 'bypass_mode' => FALSE, 'bypass_hash' => NULL, 'bypass_expiry' => NULL);
    $where = array('user_id' => $user_id);
    $num_affected = db_update('users', $fields, $where);
    if ($num_affected === FALSE || $num_affected != 1) {
        return FALSE;
    }
    return TRUE;
}
Example #7
0
header("Content-Type:text/xml");
$ignoreAuth = true;
require_once 'classes.php';
$xml_string = "";
$xml_string = "<forgetpassword>";
$email = $_POST['email'];
$strQuery = "SELECT id,username, password, fname, lname FROM users WHERE email= ?";
$result = sqlQuery($strQuery, array($email));
if ($result) {
    $xml_string .= "<status>0</status>";
    $newPwd = rand_string(10);
    $pin = substr(uniqid(rand()), 0, 4);
    $pin1 = sha1($pin);
    if (getVersion()) {
        require_once "{$srcdir}/authentication/password_hashing.php";
        $salt = password_salt();
        $password = password_hash($newPwd, $salt);
        $result1 = sqlStatement("UPDATE users_secure SET password='******', salt='" . $salt . "' WHERE id = {$result["id"]}");
        $strQuery1 = "UPDATE `users` SET `app_pin`='" . add_escape_custom($pin1) . "' WHERE email = ?";
        $result1 = sqlStatement($strQuery1, array($email));
    } else {
        $password1 = sha1($newPwd);
        $strQuery1 = "UPDATE `users` SET `password`='" . add_escape_custom($password1) . "', `app_pin`='" . add_escape_custom($pin1) . "' WHERE email = ?";
        $result1 = sqlStatement($strQuery1, array($email));
    }
    if ($result1 !== FALSE) {
        $mail = new PHPMailer();
        $mail->IsSendmail();
        $body = "<html><body>\n\t\t\t\t\t\t<table>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Your Password has been changed your new Username and Password are</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Here are the details of your account: </td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Username: "******"</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Password: "******"</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Pin: " . $pin . "</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t<td>Thanks, <br />MedMaster Team</td>\n\t\t\t\t\t\t\t</tr>\n\t\t\t\t\t\t</table>\n\t\t\t\t\t</body></html>";
        $body = eregi_replace("[\\]", '', $body);
        $mail->AddReplyTo("*****@*****.**", "MedMasterPro");
 /** save basic properties of user account
  *
  * @param int $user_id the account to save (pkey in users table)
  * @uses $WAS_SCRIPT_NAME
  */
 function user_save_basic($user_id)
 {
     global $WAS_SCRIPT_NAME;
     $user_id = intval($user_id);
     //
     // 2 -- validate the data
     //
     $invalid = FALSE;
     $dialogdef = $this->get_dialogdef_edit_user($user_id);
     //
     // 2A -- check for generic errors (string too short, number too small, etc)
     if (!dialog_validate($dialogdef)) {
         $invalid = TRUE;
     }
     // 2B -- additional check: unique username
     $record = db_select_single_record('users', 'user_id', array('username' => $dialogdef['username']['value']));
     if ($record !== FALSE && intval($record['user_id']) != $user_id) {
         // Oops, a record with that username already exists and it's not us. Go flag error
         ++$dialogdef['username']['errors'];
         $fname = $this->get_fname($dialogdef['username']);
         $dialogdef['username']['error_messages'][] = t('validate_not_unique', '', array('{FIELD}' => $fname));
         $invalid = TRUE;
     }
     // 2C -- additional check: valid password
     $password1 = $dialogdef['user_password1']['value'];
     $password2 = $dialogdef['user_password2']['value'];
     if (!empty($password1) || !empty($password2)) {
         if ($password1 != $password2) {
             $params = array('{FIELD1}' => $this->get_fname($dialogdef['user_password1']), '{FIELD2}' => $this->get_fname($dialogdef['user_password2']));
             ++$dialogdef['user_password1']['errors'];
             ++$dialogdef['user_password2']['errors'];
             $dialogdef['user_password1']['error_messages'][] = t('validate_different_passwords', '', $params);
             $dialogdef['user_password1']['value'] = '';
             $dialogdef['user_password2']['value'] = '';
             $invalid = TRUE;
         } elseif (!acceptable_new_password($password1, $password2)) {
             $params = array('{MIN_LENGTH}' => MINIMUM_PASSWORD_LENGTH, '{MIN_LOWER}' => MINIMUM_PASSWORD_LOWERCASE, '{MIN_UPPER}' => MINIMUM_PASSWORD_UPPERCASE, '{MIN_DIGIT}' => MINIMUM_PASSWORD_DIGITS, '{FIELD}' => $this->get_fname($dialogdef['user_password1']));
             ++$dialogdef['user_password1']['errors'];
             $dialogdef['user_password1']['error_messages'][] = t('validate_bad_password', '', $params);
             $params['{FIELD}'] = $this->get_fname($dialogdef['user_password2']);
             ++$dialogdef['user_password2']['errors'];
             $dialogdef['user_password1']['value'] = '';
             $dialogdef['user_password2']['value'] = '';
             $invalid = TRUE;
         }
     }
     // 2D -- if there were any errors go redo dialog while keeping data already entered
     if ($invalid) {
         foreach ($dialogdef as $k => $item) {
             if (isset($item['errors']) && $item['errors'] > 0) {
                 $this->output->add_message($item['error_messages']);
             }
         }
         $params = $this->get_user_names($user_id);
         $this->output->add_content('<h2>' . t('usermanager_edit_user_header', 'admin', $params) . '</h2>');
         $this->output->add_content(t('usermanager_edit_user_explanation', 'admin', $params));
         $href = href($WAS_SCRIPT_NAME, $this->a_params(TASK_USER_SAVE, $user_id));
         if ($dialogdef !== FALSE) {
             $this->output->add_content(dialog_quickform($href, $dialogdef));
             $this->show_breadcrumbs_user($user_id);
         } else {
             $this->output->add_message(t('error_retrieving_data', 'admin'));
             $this->show_menu_user($user_id, TASK_USER_EDIT);
         }
         return;
     }
     // 3 -- Now actually save the data which we just validated
     $fields = array('username' => $dialogdef['username']['value'], 'bypass_mode' => FALSE, 'bypass_hash' => NULL, 'bypass_expiry' => NULL, 'full_name' => $dialogdef['user_fullname']['value'], 'email' => $dialogdef['user_email']['value'], 'is_active' => $dialogdef['user_is_active']['value'] == 1 ? TRUE : FALSE, 'redirect' => $dialogdef['user_redirect']['value'], 'language_key' => $dialogdef['user_language_key']['value'], 'editor' => $dialogdef['user_editor']['value'], 'skin' => $dialogdef['user_skin']['value']);
     if (!empty($password1)) {
         $new_salt = password_salt();
         $new_password = $password1;
         $fields['salt'] = $new_salt;
         $fields['password_hash'] = password_hash($new_salt, $new_password);
     }
     $params = array('{USERNAME}' => $dialogdef['username']['value'], '{FULL_NAME}' => $dialogdef['user_fullname']['value']);
     if (db_update('users', $fields, array('user_id' => $user_id)) === FALSE) {
         $this->output->add_message(t('usermanager_save_user_failure', 'admin', $params));
         logger("usermanager->user_save(): error saving data user '{$user_id}': " . db_errormessage());
     } else {
         $this->output->add_message(t('usermanager_save_user_success', 'admin', $params));
         logger("usermanager->user_save(): success saving changes to '{$user_id}' in 'users'", WLOG_DEBUG);
     }
     $this->users_overview();
     return;
 }