} // NOTE(review): closes a block that begins before this excerpt; its purpose is not visible here.

// Request validation for the web-service entry point. Every failing branch ends the
// request through showErrorAndTerminate(); nothing below runs for a rejected request.
if (!isset($_POST['action'])) {
    showErrorAndTerminate('2001', 'No action requested.');
} elseif ($_POST['action'] == 'wsRead' || $_POST['action'] == 'wsUpdate' || $_POST['action'] == 'wsDelete' || $_POST['action'] == 'wsInsert' && (!isset($_POST['__address']) || $_POST['__address'] == '')) {
    // NOTE(review): && binds tighter than ||, so this condition reads as
    //   wsRead || wsUpdate || wsDelete || (wsInsert && __address missing)
    // i.e. wsRead/wsUpdate/wsDelete always end in error 2002 and only wsInsert is
    // really checked for __address. Parenthesising the four action tests before
    // the && is presumably what was intended — confirm against the service contract.
    showErrorAndTerminate('2002', 'Address required to perform this specific action');
} elseif ((!isset($_POST['wsSessionIdentifier']) || ($_POST['wsSessionIdentifier'] = '')) && $_POST['action'] != 'wsLogin') {
    // NOTE(review): `$_POST['wsSessionIdentifier'] = ''` is an assignment, not a
    // comparison. Its value ('') is falsy, so an empty identifier is never rejected
    // here, and whenever the key IS set it is overwritten with '' before any later
    // session check can read it. `== ''` is the likely intent — confirm.
    showErrorAndTerminate('2003', 'Not valid session supplied.');
}

$requestedAction = 'viewUncontroled';
$pageLocation = '3_webService';
$wo = new WOOOF();

// Login: look the user up by loginName, re-query with the derived password hash,
// then allocate a fresh session row for the matched user.
if ($_POST['action'] == 'wsLogin') {
    $loginResult = FALSE;
    // NOTE(review): $this->db is used next to a freshly constructed $wo; whether this
    // code runs inside a class (so that $this is valid) is not visible in this excerpt.
    $rowForTest = $this->db->getRowByColumn('__users', 'loginName', $wo->cleanUserInput($_POST['username']));
    if (isset($rowForTest['id'])) {
        $hash = $wo->getPasswordHash($_POST['password'], $rowForTest['id']);
        // NOTE(review): SQL is assembled by string concatenation. loginName goes through
        // cleanUserInput() (its escaping semantics are not visible here); $hash is
        // interpolated with no escaping at all. A prepared statement, or at least the
        // db escape helper, is preferable for both values. Note also that the password
        // check is delegated to the database (binary loginPass = hash) rather than
        // compared in PHP.
        $result = $this->db->query('select * from __users where binary loginName=\'' . $wo->cleanUserInput($rowForTest['loginName']) . '\' and binary loginPass=\'' . $hash . '\'');
        // NOTE(review): the insert below treats query() returning FALSE as failure;
        // here a FALSE result would reach mysqli_num_rows() unchecked.
        if (mysqli_num_rows($result)) {
            $userRow = $this->db->fetchAssoc($result);
            // Mask the stored hash before the row is handed on.
            $userRow['loginPass'] = '******';
            // Draw random session ids until one is not already present in __sessions.
            $goOn = FALSE;
            do {
                $sid = 'ws' . WOOOF::randomString(38);
                $new_sid_result = $this->db->query("select * from __sessions where sessionId='" . $sid . "'");
                if (!mysqli_num_rows($new_sid_result)) {
                    $goOn = TRUE;
                }
            } while (!$goOn);
            // NOTE(review): $uid is not assigned anywhere in this excerpt (the matched
            // user's id is available as $userRow['id'] / $rowForTest['id']); $this->dateTime
            // and $this->cleanUserInput() are likewise not defined here — confirm they
            // exist in the enclosing scope, otherwise the row is written with an empty userId.
            $result = $this->db->query("insert into __sessions (userId,sessionId,loginDateTime,lastAction,loginIP,active) values ('{$uid}','{$sid}','" . $this->dateTime . "','" . $this->dateTime . "','" . $this->cleanUserInput($_SERVER["REMOTE_ADDR"]) . "','1')");
            if ($result === FALSE) {
                // NOTE(review): $userData is also undefined in this excerpt ($userRow holds
                // the matched user). The enclosing if / wsLogin blocks continue past the
                // end of this excerpt.
                showErrorAndTerminate('2005', 'Failed to insert new session in the data base for user `' . $userData['loginName'] . '`. Potential security breach!');
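/**
 * Sets a new password for the user identified by $loginName.
 *
 * Flow: look the user up by login name, refuse the "not logged in" pseudo user,
 * optionally verify the old password, optionally run the password policy, then
 * store the new hash. Every failure is logged through $wo->logError() and
 * reported by returning false; nothing is thrown.
 *
 * @param WOOOF    $wo              Framework instance; supplies db, hashing and logging
 * @param string   $loginName       Login name of the account to change
 * @param string   $newPassword     Plain-text new password
 * @param string[] &$passwordErrors Out: policy problems found with $newPassword (empty on success)
 * @param string   $oldPassword     Optional, default ''. When non-empty it must match the stored hash
 * @param bool     $checkPassword   Optional, default true. Run evaluatePassword() on the new value
 * @return bool true when the stored hash was updated, false otherwise
 */
public static function changePassword(WOOOF $wo, $loginName, $newPassword, &$passwordErrors, $oldPassword = '', $checkPassword = true)
{
    $passwordErrors = array();

    if (!$wo->hasContent($loginName) || !$wo->hasContent($newPassword)) {
        $wo->logError('7055 Both loginName and new Password must be provided');
        return false;
    }

    // $loginName is caller-supplied: escape it before it is interpolated into SQL.
    $safeLoginName = $wo->db->escape($loginName);
    $userRes = $wo->db->query("select * from __users where loginName='{$safeLoginName}'");
    if ($userRes === false) {
        return false;
    }

    $userRow = $wo->db->fetchAssoc($userRes);
    if ($userRow === null) {
        $wo->logError(self::_ECP . "0057 User with loginName [{$loginName}] was not found");
        return false;
    }

    // The not-logged-in pseudo user must never be given a password.
    if ($userRow['id'] == self::ID_OF_NOT_LOGGED_IN) {
        $wo->logError(self::_ECP . "0059 Cannot changePassword of this user");
        return false;
    }

    // Old-password verification is opt-in: an empty $oldPassword skips it, so the
    // caller is responsible for having authorised the change some other way.
    if ($wo->hasContent($oldPassword)) {
        $oldPassHashed = $wo->getPasswordHash($oldPassword, $userRow['id']);
        // hash_equals(): strict, constant-time comparison of the two hashes
        // (requires PHP >= 5.6) instead of a loose != on secret material.
        if ($oldPassHashed === false
            || !hash_equals((string) $userRow['loginPass'], (string) $oldPassHashed)
        ) {
            $wo->logError(self::_ECP . "0060 Bad old password was given");
            return false;
        }
    }

    // evaluatePassword() receives the new password twice; presumably the second
    // argument is a confirmation copy — confirm against its signature.
    if ($checkPassword && $wo->evaluatePassword($newPassword, $newPassword, $passwordErrors) === false) {
        $wo->logError(self::_ECP . "0063 Password is not accepted");
        return false;
    }

    $newPassHashed = $wo->getPasswordHash($newPassword, $userRow['id']);
    if ($newPassHashed === false) {
        return false;
    }

    // Persist the escaped hash of the new password (not a fixed placeholder),
    // otherwise the account's stored hash is left unchanged.
    $newPassHashed = $wo->db->escape($newPassHashed);
    $succ = $wo->db->query("update __users set loginPass = '{$newPassHashed}' where id = '{$userRow['id']}'");

    return $succ !== false;
}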