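// action = 'pwchange' to change password
// at end we display confirmation and provide click back to home page
//
// Security notes (review):
//  - every branch below that is not the final `else` refuses the change and only prints a message;
//    the final `else` is the one place the stored hash is overwritten
//  - the "existing password" check is the only thing standing between a forged POST from a
//    logged-in admin's browser and a password change: no CSRF token is checked here.
//    NOTE(review): confirm whether SimpleAuth adds one; if not, one should be added to the form
//  - strict string comparison is used for the repeat-password check: loose `!=` treats
//    numeric-looking strings such as '1e3' and '1000' as equal
//  - each field is checked with is_string() before strlen()/comparison, because a client can
//    submit `newpassword[]=x` and isset() is true for arrays
if (isset($_POST['action']) && $_POST['action'] === 'pwchange') {
    /**** IMPORTANT - these are all elseif options - only if we reach the else at the end do we change the password - if we match any of the if / elseif then we don't change the password *****/
    // check existing password is entered (and is a plain string, not an array)
    if (!isset($_POST['oldpassword']) || !is_string($_POST['oldpassword'])) {
        print "<strong>You need to enter the existing password</strong>\n";
    } elseif (!$auth->checkPassword($_POST['oldpassword'])) {
        // the current password must be re-proven before it can be replaced
        print "<strong>Existing password is incorrect</strong>\n";
    } elseif (!isset($_POST['newpassword']) || !is_string($_POST['newpassword'])) {
        print "<strong>New password cannot be left blank</strong>\n";
    } elseif (strlen($_POST['newpassword']) < $min_password_chars) {
        // minimum length policy; $min_password_chars is set up outside this block
        print "<strong>New password is too short<br />Must be at least {$min_password_chars} characters long</strong>\n";
    } elseif (!$auth->securityCheck('password', $_POST['newpassword'])) {
        print "<strong>New password contains invalid characters</strong>\n";
    } elseif (!isset($_POST['newpassword2']) || !is_string($_POST['newpassword2']) || $_POST['newpassword'] !== $_POST['newpassword2']) {
        // strict comparison: the two fields must be byte-identical
        print "<strong>New password is not the same as the repeated password</strong>\n";
    } else {
        // get the stored form of the password from the auth class (the original comment
        // describes this as an md5 hash).  NOTE(review): md5 is not an acceptable password
        // hash; moving to password_hash()/password_verify() requires changing
        // SimpleAuth::hashPassword() and SimpleAuth::checkPassword() together.
        $hash_password = $auth->hashPassword($_POST['newpassword2']);
        // save it in the settings
        $settings->setSetting('admin_login_password', $hash_password);
        // if we changed password then we confirm back to the user with link back to main page
        print "<p>Password change successful</p>\n<p><a href=\"" . ADMIN_FILE . "\">Admin home page</a></p>\n";
        $templates->includeTemplate('footer', 'admin');
        // exit if we successfully change
        // otherwise we show password change form
        exit(0);
    }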
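if ($settings->getSetting('admin_login_password') != '') {
    // an admin password already exists - setup has been completed, do not allow it to be re-run
    displayComplete($status_msg);
    exit(0);
}
// If not then are we saving existing post
if (isset($_POST['action']) && $_POST['action'] === 'savesettings') {
    // read the form fields once; a missing or non-string field (e.g. `password[]=x`)
    // is treated as empty instead of producing an undefined-index notice or a TypeError
    $form_username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
    $form_password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
    $form_password_repeat = (isset($_POST['passwordrepeat']) && is_string($_POST['passwordrepeat'])) ? $_POST['passwordrepeat'] : '';
    // do passwords match (strict: loose `!=` treats '1e3' and '1000' as equal)
    if ($form_password !== $form_password_repeat) {
        displaySettingsForm("Passwords don't match");
        exit(0);
    }
    // an empty admin credential must never be stored
    if ($form_username === '' || $form_password === '') {
        displaySettingsForm("Username and password cannot be blank");
        exit(0);
    }
    // we use the SimpleAuth class, but note we are creating with dummy username & password
    require_once $app_dir . "/includes/SimpleAuth.php";
    $auth = new SimpleAuth('', '', 3600);
    // run username & password through security / valid char checks
    // (bug fix: the original ran the *username* through the password check, so the
    // password itself was never validated)
    if ($auth->securityCheck('username', $form_username) && $auth->securityCheck('password', $form_password)) {
        // add details
        // add login / password to the settings array
        $quiz_settings['admin_login_username'] = $form_username;
        // store the password in the same form SimpleAuth itself produces, so the login path
        // (checkPassword / loginNow) and this setup path can never disagree on the format.
        // NOTE(review): the password-change code describes hashPassword() as md5, which is
        // not an acceptable password hash; replacing it with password_hash() must be done
        // inside SimpleAuth so that hashing and verification change together.
        $quiz_settings['admin_login_password'] = $auth->hashPassword($form_password);
        foreach ($quiz_settings as $key => $value) {
            if (!$qdb->insertSetting($key, $value)) {
                displayDbError("Error adding setting {$key}");
                exit(0);
            }
        }
        $status_msg .= "\nSettings added to database<br />\n\n";
    } else {
        displaySettingsForm("Invalid characters used in the username or password");
        exit(0);
    }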
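$message = '';
require_once "adminsetup.php";
// Authentication class required for admin functions
require_once $include_dir . "SimpleAuth.php";
// Array of valid goto / location entries
// prefixed with a in case we want to use authentication in main quiz in future
// uses the #define entries - so put after setup
// This is an allow-list: the redirect target is always looked up here by key, never taken
// from the request, so a client cannot inject an arbitrary Location header.
$locations = array(
    'aindex'     => ADMIN_FILE,
    'aquestions' => ADMIN_Q_FILE,
    'aupgrade'   => ADMIN_UPGRADE_FILE,
);
// create authentication object
// this needs to be before we output anything as it uses sessions (cookies)
$auth = new SimpleAuth(
    $settings->getSetting('admin_login_username'),
    $settings->getSetting('admin_login_password'),
    $settings->getSetting('admin_login_expirytime')
);
/*** Authentication - Is this a login attempt (ie. with username & password) ***/
// note we only exit if we successfully login - otherwise we continue with showing login form
// NOTE(review): no lockout or rate limiting is visible here; confirm SimpleAuth::loginNow()
// throttles repeated failures, otherwise the admin password is open to online brute force.
// Fields are also required to be plain strings: `username[]=x` would satisfy isset().
if (isset($_POST['username']) && is_string($_POST['username']) && isset($_POST['password']) && is_string($_POST['password'])) {
    // check that they are only using valid characters
    if ($auth->securityCheck('username', $_POST['username']) && $auth->securityCheck('password', $_POST['password'])) {
        //check login is correct
        if ($auth->loginNow($_POST['username'], $_POST['password'])) {
            // do we have a valid return location - if so go there, otherwise back to admin index page.
            // Defence in depth: besides securityCheck(), require the key to actually exist in the
            // allow-list before using it, so an unknown key can never reach the header() call.
            if (isset($_POST['location']) && is_string($_POST['location'])
                && $auth->securityCheck('location', $_POST['location'], $locations)
                && array_key_exists($_POST['location'], $locations)) {
                $goto = $_POST['location'];
                // goto new location
                header("Location: " . $locations[$goto]);
            } else {
                header("Location: " . ADMIN_FILE);
            }
            exit(0); // need to stop script after redirected
        } else {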