$pass = sanitise('currentpassword', 'p');
$newpass1 = sanitise('newpassword1', 'p');
$newpass2 = sanitise('newpassword2', 'p');
$query = "SELECT * FROM users WHERE UserID='{$user}'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) == 1) {
$row = mysql_fetch_array($result);
$hash = sha1($pass . $row['Salt']);
//check that they've provided the correct password:
if ($hash == $row['Password']) {
//check that provided passwords match:
if ($newpass1 == $newpass2) {
//check that new password is long enough:
if (strlen($newpass1) > 5) {
//generating some salty hashes:
$salt = generatesalt();
$hash = sha1($newpass1 . $salt);
//now we change their password...
$query = "UPDATE users SET Password='******', Salt='{$salt}' WHERE UserID='{$user}'";
$result = mysql_query($query) or die(mysql_error());
//tell the user that it has been sucessfull:
$msg = $msg . "Successfully changed your password!";
$success = True;
} else {
$msg = $msg . "New Password is too short - make sure it's at least 6 characters long. ";
$sucess = False;
}
} else {
//passwords didn't match:
$msg = $msg . "New Passwords don't match. Please try again. ";
$sucess = False;
<?php
include_once 'functions.php';
$conn = opendb();
$email = sanitise('email', 'p');
$query = "SELECT * FROM users WHERE Email='{$email}'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) == 1) {
$row = mysql_fetch_assoc($result);
if ($row['Validated'] == 1) {
if ($row['ResetKey'] == NULL || time() > $row['ResetTimeout']) {
$resetkey = sha1(generatesalt(64));
$timeout = time() + 604800;
//One Week
$UserID = $row['UserID'];
$query = "UPDATE users SET ResetKey='{$resetkey}', ResetTimeout='{$timeout}' WHERE Email='{$email}'";
$result = mysql_query($query) or die(mysql_error());
sendpasswordreset($email, $resetkey, $UserID);
echo "email: " . $email . " resetkey: " . $resetkey . " UserID: " . $UserID;
} else {
echo "You've already tried to reset";
}
} else {
echo "You haven't validated your account yet! Check your emails, including the spam folder";
}
} else {
echo "your email wasn't found :(";
}
$query = "INSERT INTO users (Email, Password, Salt, ValidatedTimeout, ValidationKey, PrefCurrency, PrefPaymentMethod) VALUES ('{$email}', '{$hash}', '{$salt}', '{$time}', '{$validationkey}', '£', 'Card')";
//insrt
mysql_query($query) or die(mysql_error());
$UserID = mysql_insert_id();
$query = "INSERT INTO accounts (UserID, AccountName) VALUES ('{$UserID}', 'Current')";
mysql_query($query) or die(mysql_error());
sendvalidationkey($email, $validationkey, $UserID);
$success = 1;
$msg = $msg . "Success! Before you can use your account, you'll need to validate it - we've sent you an email with a link to do that. If you can't find it, check your spam folder or click here to send it again. ";
} elseif (mysql_num_rows($result) == 1) {
$row = mysql_fetch_array($result);
if ($row['Validated'] == 0 && time() > $row['ValidatedTimeout']) {
$time = time() + 604800;
$salt = generatesalt();
$hash = sha1($pass . $salt);
$validationkey = sha1(generatesalt(64));
$query = "UPDATE users SET Password='******', Salt='{$salt}', ValidatedTimeout='{$time}', ValidationKey='{$validationkey}' WHERE Email='{$email}'";
//insrt
mysql_query($query) or die(mysql_error());
sendvalidationkey($email, $validationkey, $UserID);
$msg = $msg . "Successfully re-registered. Before you can use your account, you'll need to validate it - we've sent you an email with a link to do that. If you can't find it, check your spam folder or click <a href=\"resendvalidationkey.php\">here</a> to send it again.";
} else {
$msg = $msg . "You've already registered that email! Please validate it by clicking the link in the email you received. If you can't find the email, click <a href=\"resendvalidationkey.php\">here<a/> to resend it ";
}
}
}
if ($success == 1) {
include 'index.php';
} else {
include 'register.php';
}
