Пример #1
}
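// Request-envelope validation for the web-service entry point. Each failing
// check hands off to showErrorAndTerminate() (defined elsewhere; by its name it
// is expected to end the request, which is why a plain if/elseif chain is enough).
// Only string POST fields are accepted: a field posted as an array would
// otherwise slip through the later == comparisons.
if (!isset($_POST['action']) || !is_string($_POST['action'])) {
    showErrorAndTerminate('2001', 'No action requested.');
} elseif (in_array($_POST['action'], ['wsRead', 'wsUpdate', 'wsDelete', 'wsInsert'], true)
    && (!isset($_POST['__address']) || !is_string($_POST['__address']) || $_POST['__address'] === '')) {
    // The address requirement applies to all four record actions, so the
    // action test is grouped explicitly; a bare || ... && chain would bind the
    // address check to wsInsert only.
    showErrorAndTerminate('2002', 'Address required to perform this specific action');
} elseif ((!isset($_POST['wsSessionIdentifier']) || !is_string($_POST['wsSessionIdentifier']) || $_POST['wsSessionIdentifier'] === '')
    && $_POST['action'] !== 'wsLogin') {
    // Strict comparison only: this branch must never assign to the session
    // identifier, which would silently blank it before the session lookup.
    showErrorAndTerminate('2003', 'Not valid session supplied.');
}
$requestedAction = 'viewUncontroled';
$pageLocation = '3_webService';
$wo = new WOOOF();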
if ($_POST['action'] == 'wsLogin') {
    $loginResult = FALSE;
    $rowForTest = $this->db->getRowByColumn('__users', 'loginName', $wo->cleanUserInput($_POST['username']));
    if (isset($rowForTest['id'])) {
        $hash = $wo->getPasswordHash($_POST['password'], $rowForTest['id']);
        $result = $this->db->query('select * from __users where binary loginName=\'' . $wo->cleanUserInput($rowForTest['loginName']) . '\' and binary loginPass=\'' . $hash . '\'');
        if (mysqli_num_rows($result)) {
            $userRow = $this->db->fetchAssoc($result);
            $userRow['loginPass'] = '******';
            $goOn = FALSE;
            do {
                $sid = 'ws' . WOOOF::randomString(38);
                $new_sid_result = $this->db->query("select * from __sessions where sessionId='" . $sid . "'");
                if (!mysqli_num_rows($new_sid_result)) {
                    $goOn = TRUE;
                }
            } while (!$goOn);
            $result = $this->db->query("insert into __sessions (userId,sessionId,loginDateTime,lastAction,loginIP,active) values ('{$uid}','{$sid}','" . $this->dateTime . "','" . $this->dateTime . "','" . $this->cleanUserInput($_SERVER["REMOTE_ADDR"]) . "','1')");
            if ($result === FALSE) {
                showErrorAndTerminate('2005', 'Failed to insert new session in the data base for user `' . $userData['loginName'] . '`. Potential security breach!');
Пример #2
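 /**
  * Change the password stored for a user.
  *
  * Looks the user up by login name, optionally verifies the current password,
  * optionally runs the new password through $wo->evaluatePassword(), then
  * stores the hash of the new password. Every failure is logged through
  * $wo->logError() and reported as false; details of a rejected new password
  * are handed back to the caller in $passwordErrors.
  *
  * @param WOOOF    $wo              Framework instance (db access, hashing, logging)
  * @param string   $loginName       Login name of the user whose password changes
  * @param string   $newPassword     Plain-text new password
  * @param string[] &$passwordErrors Filled with the problems found in the new password
  * @param string   $oldPassword     Optional, default ''. When non-empty it must match the stored hash
  * @param bool     $checkPassword   Optional, default true. When true the new password is validated first
  * @return bool True when the stored hash was updated, false on any failure
  */
 public static function changePassword(WOOOF $wo, $loginName, $newPassword, &$passwordErrors, $oldPassword = '', $checkPassword = true)
 {
     $passwordErrors = [];
     if (!$wo->hasContent($loginName) || !$wo->hasContent($newPassword)) {
         $wo->logError('7055 Both loginName and mew Password must be provided');
         return false;
     }

     // $loginName is caller-supplied: escape it rather than interpolating it raw.
     $userRes = $wo->db->query("select * from __users where loginName='" . $wo->db->escape($loginName) . "'");
     if ($userRes === false) {
         return false;
     }
     $userRow = $wo->db->fetchAssoc($userRes);
     if ($userRow === null) {
         $wo->logError(self::_ECP . "0057 User with loginName [{$loginName}] was not found");
         return false;
     }
     if ($userRow['id'] == self::ID_OF_NOT_LOGGED_IN) {
         $wo->logError(self::_ECP . "0059 Cannot changePassword of this user");
         return false;
     }

     // The old password is only verified when the caller supplied one.
     if ($wo->hasContent($oldPassword)) {
         $oldPassHashed = $wo->getPasswordHash($oldPassword, $userRow['id']);
         // hash_equals(): fixed-time comparison, and no loose == between hash strings.
         if ($oldPassHashed === false || !hash_equals((string) $userRow['loginPass'], (string) $oldPassHashed)) {
             $wo->logError(self::_ECP . "0060 Bad old password was given");
             return false;
         }
     }

     if ($checkPassword && $wo->evaluatePassword($newPassword, $newPassword, $passwordErrors) === false) {
         $wo->logError(self::_ECP . "0063 Password is not accepted");
         return false;
     }

     $newPassHashed = $wo->getPasswordHash($newPassword, $userRow['id']);
     if ($newPassHashed === false) {
         return false;
     }

     // Persist the hash that was just computed (escaped for the query); the
     // update is the whole point of this method, so the hash must not be dropped.
     $succ = $wo->db->query(
         "update __users set loginPass = '" . $wo->db->escape($newPassHashed) . "' where id = '{$userRow['id']}'"
     );

     return $succ !== false;
 }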