<?php
+
/**
* MySQL change password backend
*
- * @author Thijs Kinkhorst <kink@squirrelmail.org>
+ * @author Thijs Kinkhorst <kink at squirrelmail.org>
+ * @copyright 2003-2014 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package plugins
* @subpackage change_password
global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
$mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
- $mysql_saslcrypt, $mysql_unixcrypt, $mysql;
+ $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;
// Initialize defaults
$mysql_server = 'localhost';
$mysql_saslcrypt = 0; // use MySQL password() function
$mysql_unixcrypt = 0; // use UNIX crypt() function
-if ( isset($mysql) && is_array($mysql) && !empty($mysql) )
+// get overrides from config.
+if ( isset($cpw_mysql) && is_array($cpw_mysql) && !empty($cpw_mysql) )
{
- foreach ( $mysql as $key => $value )
+ foreach ( $cpw_mysql as $key => $value )
{
if ( isset(${'mysql_'.$key}) )
${'mysql_'.$key} = $value;
}
}
-// NO NEED TO CHANGE ANYTHING BELOW THIS LINE
-
global $squirrelmail_plugin_hooks;
$squirrelmail_plugin_hooks['change_password_dochange']['mysql'] =
'cpw_mysql_dochange';
$mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
$mysql_saslcrypt, $mysql_unixcrypt;
+ // TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
$ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
if (! $ds) {
array_push($msgs, _("Cannot connect to Database Server, please try later!"));
$query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
. ' FROM ' . $mysql_table
- . ' WHERE ' . $mysql_userid_field . '="' . mysql_escape_string($username) .'"'
+ . ' WHERE ' . $mysql_userid_field . '="' . mysql_real_escape_string($username, $ds) .'"'
. ' AND ' . $mysql_password_field;
if ($mysql_saslcrypt) {
- $query_string .= '=password("'.mysql_escape_string($curpw).'")';
+ $query_string .= '=password("'.mysql_real_escape_string($curpw, $ds).'")';
} elseif ($mysql_unixcrypt) {
- $query_string .= '=encrypt("'.mysql_escape_string($curpw).'", '.$mysql_password_field . ')';
+ // FIXME: why password field name is used for salting
+ $query_string .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", '.$mysql_password_field . ')';
} else {
- $query_string .= '="' . mysql_escape_string($curpw) . '"';
+ $query_string .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
}
$select_result = mysql_query($query_string, $ds);
$update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;
if ($mysql_saslcrypt) {
- $update_string .= '=password("'.mysql_escape_string($newpw).'")';
+ $update_string .= '=password("'.mysql_real_escape_string($newpw, $ds).'")';
} elseif ($mysql_unixcrypt) {
- $update_string .= '=encrypt("'.mysql_escape_string($newpw).'", '.$mysql_password_field . ')';
+ // FIXME: use random salt when you create new password
+ $update_string .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", '.$mysql_password_field . ')';
} else {
- $update_string .= '="' . mysql_escape_string($newpw) . '"';
+ $update_string .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
}
- $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_escape_string($username) . '"';
+ $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_real_escape_string($username, $ds) . '"';
if (!mysql_query($update_string, $ds)) {
array_push($msgs, _("Password change was not successful!"));
}
return $msgs;
-}
\ No newline at end of file
+}
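Review bot: The switch to `mysql_real_escape_string($x, $ds)` is only as good as the character set of the connection it escapes for, and nothing after the `mysql_pconnect()` on the connect line pins that charset; because the connection is persistent it may also carry the charset left by a previous request, so the escaping can silently be done for the wrong encoding. I would set it explicitly right after a successful connect, e.g. `mysql_set_charset('utf8', $ds);` (or a `$mysql_charset` override alongside the other `$cpw_mysql` keys), and check its return value before building any query. The string literals are also wrapped in double quotes (`'="' . ... . '"'`), which MySQL treats as identifiers under `sql_mode=ANSI_QUOTES`; single-quoted literals (`"='" . ... . "'"`) avoid that dependency. The new FIXME comments correctly note that the `encrypt()` branch salts both the lookup and the new hash with the stored column rather than a fresh random salt, so the UPDATE never rotates the salt; that is worth a follow-up rather than only a comment. The enclosing `cpw_mysql_dochange()` starts before the first visible line and some of its body (the connect error path and the SELECT result check) is cut from this view, so the above is based only on the lines shown.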