Revision 1569
Added by darkviper over 12 years ago
| save.php | ||
|---|---|---|
| 3 | 3 |
* |
| 4 | 4 |
* @category admin |
| 5 | 5 |
* @package preferences |
| 6 |
* @author Independend-Software-Team |
|
| 7 | 6 |
* @author WebsiteBaker Project |
| 8 |
* @copyright 2004-2009, Ryan Djurovich |
|
| 9 |
* @copyright 2009-2011, Website Baker Org. e.V. |
|
| 7 |
* @copyright 2009-2012, Website Baker Org. e.V. |
|
| 10 | 8 |
* @link http://www.websitebaker2.org/ |
| 11 | 9 |
* @license http://www.gnu.org/licenses/gpl.html |
| 12 | 10 |
* @platform WebsiteBaker 2.8.x |
| ... | ... | |
| 28 | 26 |
{
|
| 29 | 27 |
global $MESSAGE; |
| 30 | 28 |
$err_msg = array(); |
| 31 |
$min_pass_length = 6;
|
|
| 29 |
$iMinPassLength = 6;
|
|
| 32 | 30 |
// first check form-tan |
| 33 | 31 |
if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; }
|
| 34 | 32 |
// Get entered values and validate all |
| ... | ... | |
| 38 | 36 |
// check that display_name is unique in whoole system (prevents from User-faking) |
| 39 | 37 |
$sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '; |
| 40 | 38 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"'; |
| 41 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS']['USERNAME_TAKEN']; }
|
|
| 39 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN']; }
|
|
| 42 | 40 |
// language must be 2 upercase letters only |
| 43 | 41 |
$language = strtoupper($admin->get_post('language'));
|
| 44 | 42 |
$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
|
| ... | ... | |
| 67 | 65 |
if( !$admin->validate_email($email) ) |
| 68 | 66 |
{
|
| 69 | 67 |
$email = ''; |
| 70 |
$err_msg[] = $MESSAGE['USERS']['INVALID_EMAIL'];
|
|
| 68 |
$err_msg[] = $MESSAGE['USERS_INVALID_EMAIL'];
|
|
| 71 | 69 |
}else {
|
| 72 | 70 |
if($email != '') {
|
| 73 | 71 |
// check that email is unique in whoole system |
| 74 | 72 |
$email = $admin->add_slashes($email); |
| 75 | 73 |
$sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '; |
| 76 | 74 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"'; |
| 77 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS']['EMAIL_TAKEN']; }
|
|
| 75 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_EMAIL_TAKEN']; }
|
|
| 78 | 76 |
} |
| 79 | 77 |
} |
| 80 | 78 |
// receive password vars and calculate needed action |
| 81 |
$current_password = $admin->get_post('current_password');
|
|
| 82 |
$current_password = ($current_password == null ? '' : $current_password); |
|
| 83 |
$new_password_1 = $admin->get_post('new_password_1');
|
|
| 84 |
$new_password_1 = (($new_password_1 == null || $new_password_1 == '') ? '' : $new_password_1); |
|
| 85 |
$new_password_2 = $admin->get_post('new_password_2');
|
|
| 86 |
$new_password_2 = (($new_password_2 == null || $new_password_2 == '') ? '' : $new_password_2); |
|
| 87 |
if($current_password == '') |
|
| 88 |
{
|
|
| 89 |
$err_msg[] = $MESSAGE['PREFERENCES']['CURRENT_PASSWORD_INCORRECT']; |
|
| 79 |
$sCurrentPassword = $admin->get_post('current_password');
|
|
| 80 |
$sCurrentPassword = (is_null($sCurrentPassword) ? '' : $sCurrentPassword); |
|
| 81 |
$sNewPassword = $admin->get_post('new_password_1');
|
|
| 82 |
$sNewPassword = (is_null($sNewPassword) ? '' : $sNewPassword); |
|
| 83 |
$sNewPasswordRetyped = $admin->get_post('new_password_2');
|
|
| 84 |
$sNewPasswordRetyped= (is_null($sNewPasswordRetyped) ? '' : $sNewPasswordRetyped); |
|
| 85 |
// Check existing password |
|
| 86 |
$sql = 'SELECT `password` '; |
|
| 87 |
$sql .= 'FROM `'.TABLE_PREFIX.'users` '; |
|
| 88 |
$sql .= 'WHERE `user_id` = '.$admin->get_user_id(); |
|
| 89 |
if (md5($sCurrentPassword) != $database->get_one($sql)) {
|
|
| 90 |
// access denied |
|
| 91 |
$err_msg[] = $MESSAGE['PREFERENCES_CURRENT_PASSWORD_INCORRECT']; |
|
| 90 | 92 |
}else {
|
| 91 |
// if new_password is empty, still let current one |
|
| 92 |
if( $new_password_1 == '' ) |
|
| 93 |
{
|
|
| 94 |
$new_password_1 = $current_password; |
|
| 95 |
$new_password_2 = $current_password; |
|
| 93 |
// validate new password |
|
| 94 |
$sPwHashNew = false; |
|
| 95 |
if($sNewPassword != '') {
|
|
| 96 |
if(strlen($sNewPassword) < $iMinPassLength) {
|
|
| 97 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT']; |
|
| 98 |
}else {
|
|
| 99 |
if($sNewPassword != $sNewPasswordRetyped) {
|
|
| 100 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_MISMATCH']; |
|
| 101 |
}else {
|
|
| 102 |
$pattern = '/[^'.$admin->password_chars.']/'; |
|
| 103 |
if (preg_match($pattern, $sNewPassword)) {
|
|
| 104 |
$err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS']; |
|
| 105 |
}else {
|
|
| 106 |
$sPwHashNew = md5($sNewPassword); |
|
| 107 |
} |
|
| 108 |
} |
|
| 109 |
} |
|
| 96 | 110 |
} |
| 97 |
|
|
| 98 |
// is password lenght matching min_pass_lenght ? |
|
| 99 |
if( $new_password_1 != $current_password ) |
|
| 111 |
// if no validation errors, try to update the database, otherwise return errormessages |
|
| 112 |
if(sizeof($err_msg) == 0) |
|
| 100 | 113 |
{
|
| 101 |
if( strlen($new_password_1) < $min_pass_length ) |
|
| 102 |
{
|
|
| 103 |
$err_msg[] = $MESSAGE['USERS']['PASSWORD_TOO_SHORT']; |
|
| 114 |
$sql = 'UPDATE `'.TABLE_PREFIX.'users` '; |
|
| 115 |
$sql .= 'SET `display_name`=\''.$display_name.'\', '; |
|
| 116 |
if($sPwHashNew) {
|
|
| 117 |
$sql .= '`password`=\''.$sPwHashNew.'\', '; |
|
| 104 | 118 |
} |
| 105 |
$pattern = '/[^'.$admin->password_chars.']/'; |
|
| 106 |
if( preg_match($pattern, $new_password_1) ) |
|
| 119 |
if($email != '') {
|
|
| 120 |
$sql .= '`email`=\''.$email.'\', '; |
|
| 121 |
} |
|
| 122 |
$sql .= '`language`=\''.$language.'\', '; |
|
| 123 |
$sql .= '`timezone`=\''.$timezone.'\', '; |
|
| 124 |
$sql .= '`date_format`=\''.$date_format.'\', '; |
|
| 125 |
$sql .= '`time_format`=\''.$time_format.'\' '; |
|
| 126 |
$sql .= 'WHERE `user_id`='.(int)$admin->get_user_id(); |
|
| 127 |
if( $database->query($sql) ) |
|
| 107 | 128 |
{
|
| 108 |
$err_msg[] = $MESSAGE['PREFERENCES']['INVALID_CHARS']; |
|
| 109 |
} |
|
| 110 |
} |
|
| 111 |
// is password lenght matching min_pass_lenght ? |
|
| 112 |
if( $new_password_1 != $current_password && strlen($new_password_1) < $min_pass_length ) |
|
| 113 |
{
|
|
| 114 |
$err_msg[] = $MESSAGE['USERS']['PASSWORD_TOO_SHORT']; |
|
| 115 |
} |
|
| 116 |
// password_1 matching password_2 ? |
|
| 117 |
if( $new_password_1 != $new_password_2 ) |
|
| 118 |
{
|
|
| 119 |
$err_msg[] = $MESSAGE['USERS']['PASSWORD_MISMATCH']; |
|
| 120 |
} |
|
| 121 |
} |
|
| 122 |
$current_password = md5($current_password); |
|
| 123 |
$new_password_1 = md5($new_password_1); |
|
| 124 |
$new_password_2 = md5($new_password_2); |
|
| 125 |
// if no validation errors, try to update the database, otherwise return errormessages |
|
| 126 |
if(sizeof($err_msg) == 0) |
|
| 127 |
{
|
|
| 128 |
$sql = 'UPDATE `'.TABLE_PREFIX.'users` '; |
|
| 129 |
$sql .= 'SET `display_name` = "'.$display_name.'", '; |
|
| 130 |
$sql .= '`password` = "'.$new_password_1.'", '; |
|
| 131 |
if($email != '') {
|
|
| 132 |
$sql .= '`email` = "'.$email.'", '; |
|
| 133 |
} |
|
| 134 |
$sql .= '`language` = "'.$language.'", '; |
|
| 135 |
$sql .= '`timezone` = "'.$timezone.'", '; |
|
| 136 |
$sql .= '`date_format` = "'.$date_format.'", '; |
|
| 137 |
$sql .= '`time_format` = "'.$time_format.'" '; |
|
| 138 |
$sql .= 'WHERE `user_id` = '.(int)$admin->get_user_id().' AND `password` = "'.$current_password.'"'; |
|
| 139 |
if( $database->query($sql) ) |
|
| 140 |
{
|
|
| 141 |
$sql_info = mysql_info($database->db_handle); |
|
| 142 |
if(preg_match('/matched: *([1-9][0-9]*)/i', $sql_info) != 1)
|
|
| 143 |
{ // if the user_id and password dosn't match
|
|
| 144 |
$err_msg[] = $MESSAGE['PREFERENCES']['CURRENT_PASSWORD_INCORRECT']; |
|
| 145 |
}else {
|
|
| 146 | 129 |
// update successfull, takeover values into the session |
| 147 | 130 |
$_SESSION['DISPLAY_NAME'] = $display_name; |
| 148 | 131 |
$_SESSION['LANGUAGE'] = $language; |
| ... | ... | |
| 164 | 147 |
$_SESSION['USE_DEFAULT_TIME_FORMAT'] = true; |
| 165 | 148 |
if(isset($_SESSION['TIME_FORMAT'])) { unset($_SESSION['TIME_FORMAT']); }
|
| 166 | 149 |
} |
| 150 |
}else {
|
|
| 151 |
$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__; |
|
| 167 | 152 |
} |
| 168 |
}else {
|
|
| 169 |
$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__; |
|
| 170 | 153 |
} |
| 171 | 154 |
} |
| 172 | 155 |
return ( (sizeof($err_msg) > 0) ? implode('<br />', $err_msg) : '' );
|
| ... | ... | |
| 176 | 159 |
{
|
| 177 | 160 |
// print the header |
| 178 | 161 |
$admin->print_header(); |
| 179 |
$admin->print_success($MESSAGE['PREFERENCES']['DETAILS_SAVED']);
|
|
| 162 |
$admin->print_success($MESSAGE['PREFERENCES_DETAILS_SAVED']);
|
|
| 180 | 163 |
$admin->print_footer(); |
| 181 | 164 |
}else {
|
| 182 | 165 |
// print the header |
Also available in: Unified diff
possible errors on 'save password' fixed. Minimum length of password set to 6 chars