/** * * @param type $username * @param type $password password is passed by reference so that it can be "cleared out" * as soon as we are done with it. * @param type $provider */ function validate_user_password($username, &$password, $provider) { $ip = $_SERVER['REMOTE_ADDR']; $valid = false; $getUserSecureSQL = " SELECT " . implode(",", array(COL_ID, COL_PWD, COL_SALT)) . " FROM " . TBL_USERS_SECURE . " WHERE " . COL_UNM . "=?"; $userSecure = privQuery($getUserSecureSQL, array($username)); if (is_array($userSecure)) { $phash = password_hash($password, $userSecure[COL_SALT]); if ($phash != $userSecure[COL_PWD]) { return false; } $valid = true; } else { if (!isset($GLOBALS['password_compatibility']) || $GLOBALS['password_compatibility']) { $getUserSQL = "select id, password from users where username = ?"; $userInfo = privQuery($getUserSQL, array($username)); $dbPasswordLen = strlen($userInfo['password']); if ($dbPasswordLen == 32) { $phash = md5($password); $valid = $phash == $userInfo['password']; } else { if ($dbPasswordLen == 40) { $phash = sha1($password); $valid = $phash == $userInfo['password']; } } if ($valid) { initializePassword($username, $userInfo['id'], $password); purgeCompatabilityPassword($username, $userInfo['id']); $_SESSION['relogin'] = 1; } else { return false; } } } $getUserSQL = "select id, authorized, see_auth" . ", cal_ui, active " . " from users where username = ?"; $userInfo = privQuery($getUserSQL, array($username)); if ($userInfo['active'] != 1) { newEvent('login', $username, $provider, 0, "failure: {$ip}. user not active or not found in users table"); $password = ''; return false; } // Done with the cleartext password at this point! $password = ''; if ($valid) { if ($authGroup = privQuery("select * from groups where user=? and name=?", array($username, $provider))) { $_SESSION['authUser'] = $username; $_SESSION['authGroup'] = $authGroup['name']; $_SESSION['authUserID'] = $userInfo['id']; $_SESSION['authPass'] = $phash; $_SESSION['authProvider'] = $provider; $_SESSION['authId'] = $userInfo['id']; $_SESSION['cal_ui'] = $userInfo['cal_ui']; $_SESSION['userauthorized'] = $userInfo['authorized']; // Some users may be able to authorize without being providers: if ($userInfo['see_auth'] > '2') { $_SESSION['userauthorized'] = '1'; } newEvent('login', $username, $provider, 1, "success: {$ip}"); $valid = true; } else { newEvent('login', $username, $provider, 0, "failure: {$ip}. user not in group: {$provider}"); $valid = false; } } return $valid; }
/** * Setup or change a user's password * * @param type $activeUser ID of who is trying to make the change (either the user himself, or an administrator) * @param type $targetUser ID of what account's password is to be updated (for a new user this doesn't exist yet). * @param type $currentPwd the active user's current password * @param type $newPwd the new password for the target user * @param type $errMsg passed by reference to return any * @param type $create Are we creating a new user or * @param type $insert_sql SQL to run to create the row in "users" (and generate a new id) when needed. * @param type $new_username The username for a new user * @param type $newid Return by reference of the ID of a created user * @return boolean Was the password successfully updated/created? If false, then $errMsg will tell you why it failed. */ function update_password($activeUser, $targetUser, &$currentPwd, &$newPwd, &$errMsg, $create = false, $insert_sql = "", $new_username = null, &$newid = null) { $userSQL = "SELECT " . implode(",", array(COL_PWD, COL_SALT, COL_PWD_H1, COL_SALT_H1, COL_PWD_H2, COL_SALT_H2)) . " FROM " . TBL_USERS_SECURE . " WHERE " . COL_ID . "=?"; $userInfo = privQuery($userSQL, array($targetUser)); // Verify the active user's password $changingOwnPassword = $activeUser == $targetUser; // True if this is the current user changing their own password if ($changingOwnPassword) { if ($create) { $errMsg = xl("Trying to create user with existing username!"); return false; } // If this user is changing his own password, then confirm that they have the current password correct $hash_current = oemr_password_hash($currentPwd, $userInfo[COL_SALT]); if ($hash_current != $userInfo[COL_PWD]) { $errMsg = xl("Incorrect password!"); return false; } } else { // If this is an administrator changing someone else's password, then check that they have the password right $adminSQL = " SELECT " . implode(",", array(COL_PWD, COL_SALT)) . " FROM " . TBL_USERS_SECURE . " WHERE " . COL_ID . "=?"; $adminInfo = privQuery($adminSQL, array($activeUser)); $hash_admin = oemr_password_hash($currentPwd, $adminInfo[COL_SALT]); if ($hash_admin != $adminInfo[COL_PWD]) { $errMsg = xl("Incorrect password!"); return false; } if (!acl_check('admin', 'users')) { $errMsg = xl("Not authorized to manage users!"); return false; } } // End active user check //Test password validity if (strlen($newPwd) == 0) { $errMsg = xl("Empty Password Not Allowed"); return false; } if (!test_password_strength($newPwd, $errMsg)) { return false; } // End password validty checks if ($userInfo === false) { // No userInfo means either a new user, or an existing user who has not been migrated to blowfish yet // In these cases don't worry about password history if ($create) { privStatement($insert_sql, array()); $getUserID = " SELECT " . COL_ID . " FROM " . TBL_USERS . " WHERE " . COL_UNM . "=?"; $user_id = privQuery($getUserID, array($new_username)); initializePassword($new_username, $user_id[COL_ID], $newPwd); $newid = $user_id[COL_ID]; } else { $getUserNameSQL = "SELECT " . COL_UNM . " FROM " . TBL_USERS . " WHERE " . COL_ID . "=?"; $unm = privQuery($getUserNameSQL, array($targetUser)); if ($unm === false) { $errMsg = xl("Unknown user id:" . $targetUser); return false; } initializePassword($unm[COL_UNM], $targetUser, $newPwd); purgeCompatabilityPassword($unm[COL_UNM], $targetUser); } } else { // We are trying to update the password of an existing user if ($create) { $errMsg = xl("Trying to create user with existing username!"); return false; } $forbid_reuse = $GLOBALS['password_history'] != 0; if ($forbid_reuse) { // password reuse disallowed $hash_current = oemr_password_hash($newPwd, $userInfo[COL_SALT]); $hash_history1 = oemr_password_hash($newPwd, $userInfo[COL_SALT_H1]); $hash_history2 = oemr_password_hash($newPwd, $userInfo[COL_SALT_H2]); if ($hash_current == $userInfo[COL_PWD] || $hash_history1 == $userInfo[COL_PWD_H1] || $hash_history2 == $userInfo[COL_PWD_H2]) { $errMsg = xl("Reuse of three previous passwords not allowed!"); return false; } } // Everything checks out at this point, so update the password record $newSalt = oemr_password_salt(); $newHash = oemr_password_hash($newPwd, $newSalt); $updateParams = array(); $updateSQL = "UPDATE " . TBL_USERS_SECURE; $updateSQL .= " SET " . COL_PWD . "=?," . COL_SALT . "=?"; array_push($updateParams, $newHash); array_push($updateParams, $newSalt); if ($forbid_reuse) { $updateSQL .= "," . COL_PWD_H1 . "=?" . "," . COL_SALT_H1 . "=?"; array_push($updateParams, $userInfo[COL_PWD]); array_push($updateParams, $userInfo[COL_SALT]); $updateSQL .= "," . COL_PWD_H2 . "=?" . "," . COL_SALT_H2 . "=?"; array_push($updateParams, $userInfo[COL_PWD_H1]); array_push($updateParams, $userInfo[COL_SALT_H1]); } $updateSQL .= " WHERE " . COL_ID . "=?"; array_push($updateParams, $targetUser); privStatement($updateSQL, $updateParams); // If the user is changing their own password, we need to update the session if ($changingOwnPassword) { $_SESSION['authPass'] = $newHash; } } if ($GLOBALS['password_expiration_days'] != 0) { $exp_days = $GLOBALS['password_expiration_days']; $exp_date = date('Y-m-d', strtotime("+{$exp_days} days")); privStatement("update users set pwd_expiration_date=? where id=?", array($exp_date, $targetUser)); } return true; }
$xml_array['status'] = -2; $xml_array['reason'] = 'Username is not available'; } else { $ip = $_SERVER['REMOTE_ADDR']; $url = "http://api.ipinfodb.com/v3/ip-city/?key=53e1dbadb9c701a660a8914aeacca2bd640b56758659f3b1940de385fa97ca94&ip={$ip}&format=json"; $responce = file_get_contents($url); $responce_array = json_decode($responce); $pin1 = sha1($pin); $password1 = sha1($password); $strQuery1 = "INSERT INTO `users`(`username`, `password`, `fname`, `lname`, `phone`, `email`, `authorized`,`calendar`, `app_pin`, `create_date`, `secret_key`, `title`, `ip_address`, `country_code`, `country_name`, `state`, `city`, `zip`, `latidute`, `longitude`, `time_zone`)\n VALUES ('" . add_escape_custom($username) . "','" . add_escape_custom($password1) . "','" . add_escape_custom($firstname) . "','" . add_escape_custom($lastname) . "','" . add_escape_custom($phone) . "','" . add_escape_custom($email) . "',1,1, '" . add_escape_custom($pin1) . "', '" . $createDate . "','" . $secretKey . "','" . add_escape_custom($title) . "','" . add_escape_custom($responce_array->ipAddress) . "','" . add_escape_custom($responce_array->countryCode) . "','" . add_escape_custom($responce_array->countryName) . "','" . add_escape_custom($responce_array->regionName) . "','" . add_escape_custom($responce_array->cityName) . "','" . add_escape_custom($responce_array->zipCode) . "','" . add_escape_custom($responce_array->latitude) . "','" . add_escape_custom($responce_array->longitude) . "','" . add_escape_custom($responce_array->timeZone) . "')"; $result1 = sqlInsert($strQuery1); $last_user_id = $result1; if (getVersion()) { require_once "{$srcdir}/authentication/common_operations.php"; initializePassword($username, $last_user_id, $password); purgeCompatabilityPassword($username, $last_user_id); } $strQuery2 = "INSERT INTO `gacl_aro`(`id`, `section_value`, `value`, `order_value`, `name`) \n VALUES ('{$gacl_aro_id}', 'users', '" . add_escape_custom($username) . "', '10','" . add_escape_custom($firstname . " " . $lastname) . "')"; $result2 = sqlInsert($strQuery2); $strQuery3 = "INSERT INTO `groups`(`name`, `user`) \n VALUES ('Default', '" . add_escape_custom($username) . "')"; $result3 = sqlInsert($strQuery3); $strQuery4 = "INSERT INTO `gacl_groups_aro_map`(`group_id`, `aro_id`) \n VALUES('11', '" . add_escape_custom($gacl_aro_id) . "')"; $result4 = sqlInsert($strQuery4); $token = createToken($last_user_id, true, $device_token); if ($result1 && $result2 && $result3 && $result4 && $token) { $mail = new PHPMailer(); $mail->IsSendmail(); $body = "<html><body>\n <table>\n <tr>\n <td>You have signed up for a MedMaster account</td>\n </tr>\n <tr>\n <td>Here are the details of your account: </td>\n </tr>\n <tr>\n <td>Username: "******"</td>\n </tr>\n <tr>\n <td>Pin: " . $pin . "</td>\n </tr>\n <tr>\n <td>Thanks, <br />MedMaster Team</td>\n </tr>\n </table>\n </body></html>"; $body = eregi_replace("[\\]", '', $body); $mail->AddReplyTo("*****@*****.**", "MedMasterPro"); $mail->SetFrom('*****@*****.**', 'MedMasterPro');