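/**
 * Serve the "forgot password" flow of the login page.
 *
 * Two request actions share this entry point:
 *  - resetPasswordSendMail: look the user up by email, store a one-time reset
 *    hash with a 24h validity on the user row, and mail a link carrying
 *    resetHash + transID (transID = sha1 of the email address).
 *  - resetPasswordChange (as view or action): validate the link through
 *    resetPasswordLinkValidate() first; on the action, store the new password.
 *
 * Every branch that does not fall through to rendering the form ends in a
 * redirect to login.php followed by exit.
 *
 * @param array $params request parameters: view, action, resetHash, transID,
 *                      newPassword, email
 */
function userLoginResetPassword($params)
{
    $view      = isset($params['view'])      ? $params['view']      : '';
    $action    = isset($params['action'])    ? $params['action']    : '';
    $resetHash = isset($params['resetHash']) ? $params['resetHash'] : '';
    $transID   = isset($params['transID'])   ? $params['transID']   : '';

    if ($view == 'resetPasswordChange' || $action == 'resetPasswordChange') {
        // Both link components are sha1 hex digests (see the mail branch below).
        // transID is interpolated into SQL further down, so reject anything that
        // is not exactly 40 hex characters before it reaches a query or a redirect.
        $isHexDigest = '/^[0-9a-f]{40}$/i';
        if (!preg_match($isHexDigest, $transID) || !preg_match($isHexDigest, $resetHash)) {
            header("Location: login.php?errorMsg=resetPasswordLinkInvalid");
            exit;
        }

        // validate the reset link before showing the form or saving the new password
        $result = resetPasswordLinkValidate(array('resetHash' => $resetHash, 'transID' => $transID));
        if (!empty($result['isValidLink']) && !empty($result['isExpired'])) {
            header("Location: login.php?errorMsg=resetPasswordLinkExpired");
            exit;
        } elseif (empty($result['isValidLink'])) {
            header("Location: login.php?errorMsg=resetPasswordLinkInvalid");
            exit;
        }
        // valid and not expired: fall through to render the form / apply the change
    }

    if ($action == 'resetPasswordChange') {
        // resetHash/transID passed the hex check above, so they are safe to echo
        // back into the form URL; encode anyway so the rule is not load-bearing.
        $formURL = 'login.php?view=resetPasswordChange&resetHash=' . rawurlencode($resetHash)
                 . '&transID=' . rawurlencode($transID);

        if (empty($params['newPassword'])) {
            header('Location: ' . $formURL . '&errorMsg=resetPasswordInvalidPassword');
            exit;
        }

        // NOTE(review): unsalted sha1 is kept only because the login check elsewhere
        // compares against it; moving to password_hash()/password_verify() needs a
        // matching change on that side.
        $isUpdated = DB::update(
            "?:users",
            array("password" => sha1($params['newPassword']), "resetPassword" => serialize(array())),
            "sha1(email) = '" . DB::realEscapeString($transID) . "' "
        );
        if ($isUpdated) {
            header('Location: login.php?successMsg=resetPasswordChanged');
            exit;
        }
        header('Location: ' . $formURL . '&errorMsg=resetPasswordFailed');
        exit;
    } elseif ($action == 'resetPasswordSendMail') {
        $rawEmail = isset($params['email']) ? $params['email'] : '';
        $params["email"] = DB::realEscapeString($rawEmail);
        $userDets = DB::getRow("?:users", "userID", "email = '" . $params["email"] . "'");

        // NOTE(review): the distinct errorMsg below lets a caller enumerate
        // registered addresses; a uniform "mail sent" response would avoid that.
        if (empty($userDets["userID"])) {
            header('Location: login.php?view=resetPassword&errorMsg=resetPasswordEmailNotFound');
            exit;
        }

        // Token seed: microtime() and the userID alone are guessable, so mix in
        // CSPRNG bytes when the runtime offers them. The result stays a 40-char
        // sha1 hex digest, which is what the validation path expects.
        $seed = serialize(array(
            'hashCode'   => 'resetPassword',
            'uniqueTime' => microtime(true),
            'userPin'    => $userDets['userID'],
        ));
        if (function_exists('random_bytes')) {
            $seed .= bin2hex(random_bytes(16));
        } elseif (function_exists('openssl_random_pseudo_bytes')) {
            $seed .= bin2hex(openssl_random_pseudo_bytes(16));
        }
        $resetHash = sha1($seed);

        DB::update(
            "?:users",
            array("resetPassword" => serialize(array("resetHash" => $resetHash, "validity" => time() + 86400))),
            "userID = '" . $userDets['userID'] . "' "
        );

        // transID must match the SQL-side sha1(email) of the stored (unescaped)
        // address, so hash the raw input, not the escaped copy.
        $verificationURL = APP_FULL_URL . "login.php?view=resetPasswordChange&resetHash=" . $resetHash
                         . "&transID=" . sha1($rawEmail);
        $isSent = sendAppMail(
            array('userID' => $userDets["userID"], 'verificationURL' => $verificationURL),
            '/templates/email/resetPassword.tpl.php'
        );
        if (!empty($isSent)) {
            header('Location: login.php?successMsg=resetPasswordMailSent');
            exit;
        }
        header('Location: login.php?view=resetPassword&errorMsg=resetPasswordMailError');
        exit;
    }
}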
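/**
 * Build a signed auto-login URL for one managed site and redirect the browser to it.
 *
 * The site is taken from $_REQUEST['siteID'] (the $siteIDs parameter is kept for
 * the caller's signature but not read). Optional $_REQUEST['where'] selects the
 * target admin page (".php" is appended) and $_REQUEST['var_0'..'var_4'] may carry
 * extra "key__IWPVAR__value" query pairs. A history row is recorded and its ID is
 * signed together with the target page via signData().
 *
 * @param array $siteIDs unused here; see above
 * @param array $params  unused here; see above
 */
public static function loadSiteProcessor($siteIDs, $params)
{
    $timeout = DEFAULT_MAX_CLIENT_REQUEST_TIMEOUT;

    // siteID is interpolated unquoted into SQL below; escaping alone does not
    // protect a bare numeric context, so coerce it to an integer.
    $siteID = isset($_REQUEST['siteID']) ? (int) $_REQUEST['siteID'] : 0;
    if (empty($siteID)) {
        echo 'Invalid Site ID';
        return; // do not go on to record history / build a URL from nothing
    }

    // NOTE(review): $where is appended to the admin path and signed as iwp_goto;
    // nothing here restricts it (e.g. to a bare file name) — confirm the remote
    // side validates it.
    $where = !empty($_REQUEST['where']) ? $_REQUEST['where'] . ".php" : '';

    // up to five "key__IWPVAR__value" pairs become extra query parameters
    $loadSiteVars = array();
    if (isset($_REQUEST['var_0'])) {
        for ($i = 0; $i < 5; $i++) {
            $raw = isset($_REQUEST['var_' . $i]) ? $_REQUEST['var_' . $i] : null;
            if ($raw !== null && strpos($raw, '__IWPVAR__') !== false) {
                $pair = explode('__IWPVAR__', $raw);
                $loadSiteVars[$pair[0]] = $pair[1];
            }
        }
    }

    $siteData = DB::getRow("?:sites", "*", "siteID=" . $siteID);
    if (empty($siteData)) {
        echo 'Invalid Site ID';
        return;
    }

    $type   = 'site';
    $action = 'load';
    $events = 1;
    $historyData = array(
        'siteID'   => $siteData['siteID'],
        'actionID' => Reg::get('currentRequest.actionID'),
        'userID'   => $GLOBALS['userID'],
        'type'     => $type,
        'action'   => $action,
        'events'   => $events,
        'URL'      => $siteData['URL'],
        'status'   => 'completed',
        'timeout'  => $timeout,
    );
    $historyAdditionalData = array();
    $historyAdditionalData[] = array('detailedAction' => 'loadSite', 'uniqueName' => 'loadSite', 'status' => 'success');
    $historyID = addHistory($historyData, $historyAdditionalData);

    // the signature covers the target page and the history ID only
    $signature = signData($where . $historyID, $siteData['isOpenSSLActive'], $siteData['privateKey'], $siteData['randomSignature']);
    $URLQueryArray = array(
        'auto_login' => 1,
        'iwp_goto'   => $where,
        'signature'  => base64_encode($signature), // urlencoding is done by httpBuildURLCustom()
        'message_id' => $historyID,
        'username'   => $siteData['adminUsername'],
    );

    // Caller-supplied var_N pairs may add parameters but must not replace the
    // reserved ones above (signature, username, ...): '+' keeps the left side.
    if (!empty($loadSiteVars) && is_array($loadSiteVars)) {
        $URLQueryArray = $URLQueryArray + $loadSiteVars;
    }

    // keep any query already present on the stored admin URL, reserved keys winning
    $adminURLArray = parse_url($siteData['adminURL']);
    if (!empty($adminURLArray['query'])) {
        $parsedQuery = array();
        parse_str($adminURLArray['query'], $parsedQuery);
        if (!empty($parsedQuery) && is_array($parsedQuery)) {
            $URLQueryArray = array_merge($parsedQuery, $URLQueryArray);
        }
    }
    $adminURLArray['query'] = $URLQueryArray;
    $adminURLArray['path'] .= $where ? $where : '';
    $URL = httpBuildURLCustom($adminURLArray);

    // arg_separator.output may be configured as something other than '&'
    // (typically '&amp;'); the Location header must carry a plain '&'.
    $argSeparator = ini_get('arg_separator.output');
    if ($argSeparator !== '' && $argSeparator !== '&') {
        $URL = str_replace($argSeparator, "&", $URL);
    }

    header("Location: " . $URL);
    exit;
}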
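/**
 * Recursively normalise request parameters: strip magic-quotes slashes (on
 * runtimes that still have them) and optionally escape each string for SQL.
 *
 * Non-string scalars (ints, bools, null) are returned untouched.
 *
 * @param mixed $array          a string or an arbitrarily nested array
 * @param bool  $DBEscapeString when true, pass every string through DB::realEscapeString
 * @return mixed the same shape as the input
 */
function filterParameters($array, $DBEscapeString = true)
{
    if (is_array($array)) {
        foreach ($array as $key => $value) {
            // pass the flag down so nested values honour the caller's choice
            $array[$key] = filterParameters($value, $DBEscapeString);
        }
        return $array;
    }

    if (!is_string($array)) {
        return $array;
    }

    // get_magic_quotes_gpc() no longer exists on PHP 8; guard the call
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $array = stripslashes($array);
    }

    if ($DBEscapeString) {
        // blanket escaping is a stop-gap; parameterised queries are the real fix
        $array = DB::realEscapeString($array);
    }

    return $array;
}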