<?php

/**
 * MySQL change password backend
 *
 * @author Thijs Kinkhorst <kink at squirrelmail.org>
 * @copyright © 2003-2006 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package plugins
 * @subpackage change_password
 */

/**
 * Config vars
 *
 * The values below are defaults only. Site-specific settings - most
 * importantly the MySQL manager credentials - are meant to be supplied
 * through the $cpw_mysql array, whose keys map onto the mysql_* variables
 * (e.g. $cpw_mysql['manager_pw'] overrides $mysql_manager_pw).
 */

global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
       $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
       $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;

// Initialize defaults
$mysql_server   = 'localhost';
$mysql_database = 'email';
$mysql_table    = 'users';

// The names of the user ID and password columns
$mysql_userid_field   = 'id';
$mysql_password_field = 'password';

// The user to log into MySQL with (must have rights)
// 'xxxxxxx' is a placeholder; the real password belongs in the plugin
// configuration ($cpw_mysql['manager_pw']), not in this file.
$mysql_manager_id = 'email_admin';
$mysql_manager_pw = 'xxxxxxx';

// Password storage format. saslcrypt is checked first - if it is 1,
// UNIX crypt is not used. With both at 0 the password is stored as-is.
$mysql_saslcrypt = 0; // use MySQL password() function
$mysql_unixcrypt = 0; // use UNIX crypt() function

// get overrides from config.
if ( isset($cpw_mysql) && is_array($cpw_mysql) && count($cpw_mysql) > 0 )
{
    foreach ( $cpw_mysql as $key => $value )
    {
        // Only keys naming one of the mysql_* settings initialised above are
        // honoured; anything else is silently ignored.
        $setting = 'mysql_' . $key;
        if ( isset($$setting) )
            $$setting = $value;
    }
}

// Register this backend with the change_password plugin under the name
// 'mysql'; the named function is presumably invoked through the
// 'change_password_dochange' hook.
global $squirrelmail_plugin_hooks;
$squirrelmail_plugin_hooks['change_password_dochange']['mysql'] = 'cpw_mysql_dochange';

/**
 * This is the function that is specific to your backend. It takes
 * the current password (as supplied by the user) and the desired
 * new password. It will return an array of messages. If everything
 * was successful, the array will be empty. Otherwise, it will contain
 * the error message(s).
 * Constants to be used for these messages:
 *   CPW_CURRENT_NOMATCH -> "Your current password is not correct."
 *   CPW_INVALID_PW      -> "Your new password contains invalid characters."
 *
 * @param array $data The username/currentpw/newpw data.
 * @return array Array of error messages.
 */
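function cpw_mysql_dochange($data)
{
    // A hook function receives exactly one argument, so the caller packs
    // username/curpw/newpw into a single array.
    $username = $data['username'];
    $curpw = $data['curpw'];
    $newpw = $data['newpw'];

    // Collected error messages; empty means success.
    $msgs = array();

    global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
           $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
           $mysql_saslcrypt, $mysql_unixcrypt;

    // TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
    $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
    if (! $ds) {
        $msgs[] = _("Cannot connect to Database Server, please try later!");
        return $msgs;
    }
    if (!mysql_select_db($mysql_database, $ds)) {
        $msgs[] = _("Database not found on server");
        return $msgs;
    }

    // Table and column names come from the plugin configuration, not from the
    // user, and are interpolated verbatim. Only user-supplied values are
    // escaped, and they are escaped with mysql_real_escape_string(), which -
    // unlike the deprecated mysql_escape_string() - honours the connection's
    // character set and so is safe with multi-byte encodings.
    $safe_username = mysql_real_escape_string($username, $ds);

    // Look the user up by id AND current password; the password is compared
    // inside MySQL in whatever form the column stores it.
    // NOTE(review): in the cleartext mode this is a plain SQL string
    // comparison and therefore follows the column's collation; a
    // case-insensitive collation would accept a differently-cased current
    // password - confirm the column uses a binary/case-sensitive collation.
    $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
        . ' FROM ' . $mysql_table
        . ' WHERE ' . $mysql_userid_field . '="' . $safe_username . '"'
        . ' AND ' . $mysql_password_field . '='
        . cpw_mysql_password_expression($curpw, $ds, $mysql_saslcrypt,
                                        $mysql_unixcrypt, $mysql_password_field);

    $select_result = mysql_query($query_string, $ds);
    if (!$select_result) {
        $msgs[] = _("SQL call failed, try again later.");
        return $msgs;
    }

    // Cast so a failed mysql_num_rows() (false) is treated as "no match"
    // rather than falling through to the UPDATE.
    $matches = (int) mysql_num_rows($select_result);
    if ($matches === 0) {
        $msgs[] = CPW_CURRENT_NOMATCH;
        return $msgs;
    }
    if ($matches > 1) {
        // make sure we only have 1 uid
        $msgs[] = _("Duplicate login entries detected, cannot change password!");
        return $msgs;
    }

    // Store the new password in the same format the lookup above used.
    $update_string = 'UPDATE ' . $mysql_table . ' SET ' . $mysql_password_field . '='
        . cpw_mysql_password_expression($newpw, $ds, $mysql_saslcrypt,
                                        $mysql_unixcrypt, $mysql_password_field)
        . ' WHERE ' . $mysql_userid_field . ' = "' . $safe_username . '"';

    if (!mysql_query($update_string, $ds)) {
        $msgs[] = _("Password change was not successful!");
    }

    return $msgs;
}

/**
 * Builds the SQL expression a cleartext password is turned into, according
 * to the configured storage format. The same expression is used both to
 * compare against the stored password (SELECT) and to store a new one
 * (UPDATE), so the two always agree.
 *
 * @param string $pw         cleartext password as supplied by the user
 * @param resource $ds       open MySQL connection (for charset-aware escaping)
 * @param mixed $saslcrypt   non-zero: hash with MySQL's password()
 * @param mixed $unixcrypt   non-zero: hash with MySQL's encrypt(); only
 *                           consulted when $saslcrypt is off
 * @param string $pw_field   name of the password column; passed to encrypt()
 *                           as the salt argument
 * @return string SQL fragment, quoted and escaped for direct interpolation
 */
function cpw_mysql_password_expression($pw, $ds, $saslcrypt, $unixcrypt, $pw_field)
{
    $safe_pw = mysql_real_escape_string($pw, $ds);

    if ($saslcrypt) {
        // MySQL's own password() hash; it is not portable and is not
        // available on MySQL 8.0+ servers.
        return 'password("' . $safe_pw . '")';
    }
    if ($unixcrypt) {
        // FIXME: the current contents of the password column are used as the
        // crypt() salt. That lets the SELECT reproduce the stored hash, but
        // on UPDATE it means the new password is salted with the old hash
        // instead of a fresh random salt.
        return 'encrypt("' . $safe_pw . '", ' . $pw_field . ')';
    }
    // Neither hashing mode enabled: the password is compared and stored as-is.
    return '"' . $safe_pw . '"';
}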