handle configuration error without displaying paths in error message.
[squirrelmail.git] / plugins / change_password / backend / mysql.php
<?php
/**
 * MySQL change password backend
 *
 * @author Thijs Kinkhorst <kink@squirrelmail.org>
 * @version $Id$
 * @package plugins
 * @subpackage change_password
 */

/**
 * Config vars
 */

// cpw_mysql_dochange() reads these settings through its own global
// statement, so they are declared global here as well.
global $mysql_server, $mysql_database, $mysql_table;
global $mysql_userid_field, $mysql_password_field;
global $mysql_manager_id, $mysql_manager_pw;
global $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;

// Defaults: where the account table lives.
$mysql_server = 'localhost';
$mysql_database = 'email';
$mysql_table = 'users';

// Column names for the user ID and the stored password.
$mysql_userid_field = 'id';
$mysql_password_field ='password';

// Account used to log into MySQL. The backend only issues a SELECT and an
// UPDATE against $mysql_table, so the account needs no wider rights than
// that. The password below is a placeholder; supply the real one through
// the $cpw_mysql overrides.
$mysql_manager_id = 'email_admin';
$mysql_manager_pw = 'xxxxxxx';

// Password storage mode. saslcrypt is tested first; when it is 1 the
// unixcrypt setting is ignored. With both at 0 the password column is
// compared and written as plain text.
$mysql_saslcrypt = 0; // 1 = use MySQL password() function
$mysql_unixcrypt = 0; // 1 = use UNIX crypt() via MySQL encrypt()

// Apply overrides from the plugin configuration. Only keys that map onto a
// $mysql_* variable already set above are accepted; anything else is
// silently ignored.
// NOTE(review): the table and column names set here are concatenated into
// SQL without escaping by cpw_mysql_dochange(), so $cpw_mysql must only ever
// be filled from the administrator's configuration, never from request data.
if ( !empty($cpw_mysql) && is_array($cpw_mysql) ) {
    foreach ( $cpw_mysql as $key => $value ) {
        if ( !isset(${'mysql_'.$key}) ) {
            continue;
        }
        ${'mysql_'.$key} = $value;
    }
}

// Register this backend with the change_password plugin.
global $squirrelmail_plugin_hooks;
$squirrelmail_plugin_hooks['change_password_dochange']['mysql'] = 'cpw_mysql_dochange';
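/**
 * Change a user's password in the MySQL account table.
 *
 * Hook function for 'change_password_dochange'. It first checks that the
 * supplied current password matches exactly one row for the user, then
 * writes the new password in the storage mode selected by $mysql_saslcrypt
 * / $mysql_unixcrypt (plain text when both are off).
 *
 * On failure the returned array holds the error message(s); on success it
 * is empty. CPW_CURRENT_NOMATCH ("Your current password is not correct.")
 * is returned when no row matches the user name and current password.
 *
 * Security notes:
 *  - User-supplied values are escaped with mysql_real_escape_string() on the
 *    open connection, so the connection character set is taken into account
 *    (mysql_escape_string() does not do that).
 *  - Table and column names come from configuration and are concatenated
 *    into the SQL as they are; they must never be influenced by a user.
 *  - The mysql_* extension is deprecated since PHP 5.5 and removed in
 *    PHP 7.0; MySQL's PASSWORD() and ENCRYPT() are removed in MySQL 8.0.
 *    A port to mysqli/PDO prepared statements with hashing done in PHP is
 *    the long-term fix.
 *
 * @param array $data The username/curpw/newpw data.
 * @return array Array of error messages.
 */
function cpw_mysql_dochange($data)
{
    // unfortunately, we can only pass one parameter to a hook function,
    // so we have to pass it as an array.
    $username = $data['username'];
    $curpw = $data['curpw'];
    $newpw = $data['newpw'];

    $msgs = array();

    global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
           $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
           $mysql_saslcrypt, $mysql_unixcrypt;

    // TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
    $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
    if (! $ds) {
        array_push($msgs, _("Cannot connect to Database Server, please try later!"));
        return $msgs;
    }
    if (!mysql_select_db($mysql_database, $ds)) {
        array_push($msgs, _("Database not found on server"));
        return $msgs;
    }

    // Escape every user-supplied value once, against the live connection.
    $sql_username = mysql_real_escape_string($username, $ds);
    $sql_curpw = mysql_real_escape_string($curpw, $ds);
    $sql_newpw = mysql_real_escape_string($newpw, $ds);
    if ($sql_username === false || $sql_curpw === false || $sql_newpw === false) {
        // Escaping failed; refuse to build a query from unescaped input.
        array_push($msgs, _("SQL call failed, try again later."));
        return $msgs;
    }

    // String literals use single quotes so they stay string literals even
    // when the server runs with the ANSI_QUOTES SQL mode.
    $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
                  . ' FROM ' . $mysql_table
                  . ' WHERE ' . $mysql_userid_field . "='" . $sql_username . "'"
                  . ' AND ' . $mysql_password_field;

    if ($mysql_saslcrypt) {
        $query_string .= "=password('" . $sql_curpw . "')";
    } elseif ($mysql_unixcrypt) {
        // The second argument is the password column itself (unquoted), so
        // the stored hash of the row is used as the salt when comparing.
        $query_string .= "=encrypt('" . $sql_curpw . "', " . $mysql_password_field . ')';
    } else {
        // Plain-text mode: the password is stored and compared unhashed.
        // NOTE(review): the comparison follows the column's collation, which
        // may be case-insensitive - confirm against the table definition.
        $query_string .= "='" . $sql_curpw . "'";
    }

    $select_result = mysql_query($query_string, $ds);
    if (!$select_result) {
        array_push($msgs, _("SQL call failed, try again later."));
        return $msgs;
    }

    $matches = mysql_num_rows($select_result);
    if ($matches == 0) {
        array_push($msgs, CPW_CURRENT_NOMATCH);
        return $msgs;
    }
    if ($matches > 1) {
        //make sure we only have 1 uid
        array_push($msgs, _("Duplicate login entries detected, cannot change password!"));
        return $msgs;
    }

    $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;

    if ($mysql_saslcrypt) {
        $update_string .= "=password('" . $sql_newpw . "')";
    } elseif ($mysql_unixcrypt) {
        // FIXME: use random salt when you create new password. As written,
        // the new hash is salted with the row's previous hash, so the salt
        // never changes across password changes.
        $update_string .= "=encrypt('" . $sql_newpw . "', " . $mysql_password_field . ')';
    } else {
        $update_string .= "='" . $sql_newpw . "'";
    }
    $update_string .= ' WHERE ' . $mysql_userid_field . " = '" . $sql_username . "'";

    if (!mysql_query($update_string, $ds)) {
        array_push($msgs, _("Password change was not successful!"));
    }

    return $msgs;
}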