-
Notifications
You must be signed in to change notification settings - Fork 0
/
password-reset.php
183 lines (151 loc) · 6.15 KB
/
password-reset.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
<?php
error_reporting(0);
require 'helpers/database-connection.php';
require 'helpers/email-helper.php';
$errorList = array();
$em = $_GET['em'];
$vs = $_GET['vs'];
// Create database connection
if (!($link = GetConnection())) {
// Database connection error occurred
array_push($errorList, 200);
} else {
if (isset($em) && isset($vs)) {
// Request has originated from valid link
if (isset($_POST['resetPassword'])) {
// 'Reset Password' button pressed
// Server-side validation
// Validate email
$em = mysqli_real_escape_string($link, stripslashes($em));
if (preg_match('/^$|\s+/', $em)) {
// Email address not entered
array_push($errorList, 402);
} elseif (!preg_match('/^([\w\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/', $em)) {
// Email address not valid
array_push($errorList, 403);
}
// Validate random string
$vs = mysqli_real_escape_string($link, stripslashes($vs));
if (!preg_match('/^[a-zA-Z0-9]{13}$/', $vs)) {
// Verification string not valid
array_push($errorList, 401);
}
// Validate password
$password = mysqli_real_escape_string($link, stripslashes($_POST['password']));
if (preg_match('/^$|\s+/', $password)) {
// Password not entered
array_push($errorList, 303);
} elseif (strlen($password) < 8) {
// Password must be at least 8 characters long
array_push($errorList, 306);
}
// Get user details
$user = GetUserByEmail($link, $em);
// Generate verification string
$vsDb = crypt($user['ID'] . $user['DATE_REGISTERED'], $user['NAME']);
if (!count($errorList) > 0) {
// Verify random string
if ($vs === $vsDb) {
// Verification string is correct
// Generate new password and salt
$salt = openssl_random_pseudo_bytes(16);
$password = crypt($password, $salt);
$salt = mysqli_real_escape_string($link, stripslashes($salt));
// Save new password in database
if (ResetPassword($link, $user['ID'], $password, $salt)) {
// Successfully reset
// Close connection
CloseConnection($link);
} else {
// Database error occurred
array_push($errorList, 201);
}
} else {
// Verification string not valid
array_push($errorList, 401);
}
}
// Check for and display any errors
if (count($errorList) > 0) {
// Errors
$output = '<p class="alert error">There was an error processing the request. Error code(s):';
for ($i = 0; $i < count($errorList); $i++) {
if ($i > 0) $output .= ',';
$output .= ' ' . $errorList[$i] . '';
}
$output .= '.</p>';
} else {
// No errors
$output = '<p class="alert success">Password successfully changed, now try logging in with your new password.</p>';
// Send password reset confirmation email
$body = '<p>' . $user['NAME'] . ',</p>
<p>Your password has been successfully changed, now try logging in with your new password.</p>
<p>Reply to this email immediately if you did not make this request yourself.</p>';
SendEmail($em, 'RunAce Password Reset Confirmation', $body);
}
}
} else {
// Link not valid
$output = '<p class="alert error">You followed an invalid link, please try again.</p>';
}
}
?>
<?php echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb">
<head>
<title>RunAce - Reset Password</title>
<?php include 'head.php'; ?>
<script type="text/javascript">
<!--
// Client-side form validation
// Function to display any error messages on form submit
/**
* @return {boolean}
*/
function ValidateForm() {
var isValid = true;
// Validate password
if (ValidatePassword(document.getElementById('password').value) != '') isValid = false;
return isValid;
}
// Function to validate the password
function ValidatePassword(password) {
var output;
if (/^$|\s+/.test(password)) {
output = 'Password not entered';
} else if (password.length < 8) {
output = 'Password must be at least 8 characters long';
} else {
output = '';
}
document.getElementById('passwordValidation').innerHTML = output;
return output;
}
//-->
</script>
</head>
<body>
<?php include 'page-header.php'; ?>
<?php echo $output; ?>
<h3>Password Reset</h3>
<p>
Enter a new password below.
</p>
<form action="password-reset.php?em=<?php echo $em; ?>&vs=<?php echo $vs; ?>" method="post"
id="passwordReset">
<div class="row">
<div class="six columns">
<label for="password">New password</label>
<input id="password" name="password" type="password" maxlength="50" onkeyup="ValidatePassword(this.value);"
onblur="ValidatePassword(this.value);" class="u-full-width"/>
<span id="passwordValidation" class="validation-error"></span>
</div>
</div>
<div class="row">
<input type="submit" value="Reset Password" name="resetPassword" onclick="return ValidateForm();"/>
</div>
</form>
<?php include 'page-footer.php'; ?>
</body>
</html>