[squirrelmail.git] / plugins / change_password / backend / mysql.php

<?php

/**
 * MySQL change password backend
 *
 * @author Thijs Kinkhorst <kink at squirrelmail.org>
 * @copyright 2003-2018 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package plugins
 * @subpackage change_password
 */

/**
 * Config vars
 */

global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
       $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
       $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;

// Initialize defaults
$mysql_server = 'localhost';
$mysql_database = 'email';
$mysql_table = 'users';

// The names of the user ID and password columns
$mysql_userid_field = 'id';
$mysql_password_field ='password';

// The user to log into MySQL with (must have rights)
$mysql_manager_id = 'email_admin';
$mysql_manager_pw = 'xxxxxxx';

// saslcrypt checked first - if it is 1, UNIX crypt is not used.
$mysql_saslcrypt = 0; // use MySQL password() function
$mysql_unixcrypt = 0; // use UNIX crypt() function

// get overrides from config.
if ( isset($cpw_mysql) && is_array($cpw_mysql) && !empty($cpw_mysql) )
{
  foreach ( $cpw_mysql as $key => $value )
  {
    if ( isset(${'mysql_'.$key}) )
      ${'mysql_'.$key} = $value;
  }
}

global $squirrelmail_plugin_hooks;
$squirrelmail_plugin_hooks['change_password_dochange']['mysql'] =
        'cpw_mysql_dochange';

/**
 * This is the function that is specific to your backend. It takes
 * the current password (as supplied by the user) and the desired
 * new password. It will return an array of messages. If everything
 * was successful, the array will be empty. Else, it will contain
 * the errormessage(s).
 * Constants to be used for these messages:
 * CPW_CURRENT_NOMATCH -> "Your current password is not correct."
 * CPW_INVALID_PW -> "Your new password contains invalid characters."
 *
 * @param array data The username/currentpw/newpw data.
 * @return array Array of error messages.
 */
function cpw_mysql_dochange($data)
{
    // unfortunately, we can only pass one parameter to a hook function,
    // so we have to pass it as an array.
    $username = $data['username'];
    $curpw = $data['curpw'];
    $newpw = $data['newpw'];

    $msgs = array();

    global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
           $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
           $mysql_saslcrypt, $mysql_unixcrypt;

    // TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
    $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
    if (! $ds) {
        array_push($msgs, _("Cannot connect to Database Server, please try later!"));
        return $msgs;
    }
    if (!mysql_select_db($mysql_database, $ds)) {
        array_push($msgs, _("Database not found on server"));
        return $msgs;
    }

    $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
                  . ' FROM '  . $mysql_table
                  . ' WHERE ' . $mysql_userid_field . '="' . mysql_real_escape_string($username, $ds) .'"'
                  . ' AND ' . $mysql_password_field;

    if ($mysql_saslcrypt) {
        $query_string  .= '=password("'.mysql_real_escape_string($curpw, $ds).'")';
    } elseif ($mysql_unixcrypt) {
        // FIXME: why password field name is used for salting
        $query_string  .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", '.$mysql_password_field . ')';
    } else {
        $query_string  .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
    }

    $select_result = mysql_query($query_string, $ds);
    if (!$select_result) {
        array_push($msgs, _("SQL call failed, try again later."));
        return $msgs;
    }

    if (mysql_num_rows($select_result) == 0) {
        array_push($msgs, CPW_CURRENT_NOMATCH);
        return $msgs;
    }
    if (mysql_num_rows($select_result) > 1) {
        //make sure we only have 1 uid
        array_push($msgs, _("Duplicate login entries detected, cannot change password!"));
        return $msgs;
    }

    $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;

    if ($mysql_saslcrypt) {
        $update_string  .= '=password("'.mysql_real_escape_string($newpw, $ds).'")';
    } elseif ($mysql_unixcrypt) {
        // FIXME: use random salt when you create new password
        $update_string  .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", '.$mysql_password_field . ')';
    } else {
        $update_string  .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
    }
    $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_real_escape_string($username, $ds) . '"';

    if (!mysql_query($update_string, $ds)) {
        array_push($msgs, _("Password change was not successful!"));
    }

    return $msgs;
}
Commit	Line	Data
27663afe	1	<?php
4b4abf93	2
21b8ca51	3	/**
	4	* MySQL change password backend
	5	*
4b4abf93	6	* @author Thijs Kinkhorst <kink at squirrelmail.org>
353d074a	7	* @copyright 2003-2018 The SquirrelMail Project Team
4b4abf93	8	* @license http://opensource.org/licenses/gpl-license.php GNU Public License
21b8ca51	9	* @version $Id$
	10	* @package plugins
	11	* @subpackage change_password
27663afe	12	*/
	13
	14	/**
	15	* Config vars
	16	*/
	17
	18	global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
4165198d	19	$mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
76063016	20	$mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;
27663afe	21
4165198d	22	// Initialize defaults
27663afe	23	$mysql_server = 'localhost';
	24	$mysql_database = 'email';
	25	$mysql_table = 'users';
	26
	27	// The names of the user ID and password columns
	28	$mysql_userid_field = 'id';
	29	$mysql_password_field ='password';
	30
	31	// The user to log into MySQL with (must have rights)
	32	$mysql_manager_id = 'email_admin';
	33	$mysql_manager_pw = 'xxxxxxx';
	34
4165198d	35	// saslcrypt checked first - if it is 1, UNIX crypt is not used.
	36	$mysql_saslcrypt = 0; // use MySQL password() function
	37	$mysql_unixcrypt = 0; // use UNIX crypt() function
	38
76063016	39	// get overrides from config.
76063016	40	if ( isset($cpw_mysql) && is_array($cpw_mysql) && !empty($cpw_mysql) )
4165198d	41	{
76063016	42	foreach ( $cpw_mysql as $key => $value )
4165198d	43	{
	44	if ( isset(${'mysql_'.$key}) )
	45	${'mysql_'.$key} = $value;
91e0dccc	46	}
4165198d	47	}
27663afe	48
27663afe	49	global $squirrelmail_plugin_hooks;
91e0dccc	50	$squirrelmail_plugin_hooks['change_password_dochange']['mysql'] =
91e0dccc	51	'cpw_mysql_dochange';
27663afe	52
	53	/**
	54	* This is the function that is specific to your backend. It takes
	55	* the current password (as supplied by the user) and the desired
	56	* new password. It will return an array of messages. If everything
	57	* was successful, the array will be empty. Else, it will contain
	58	* the errormessage(s).
	59	* Constants to be used for these messages:
	60	* CPW_CURRENT_NOMATCH -> "Your current password is not correct."
	61	* CPW_INVALID_PW -> "Your new password contains invalid characters."
	62	*
91e0dccc	63	* @param array data The username/currentpw/newpw data.
27663afe	64	* @return array Array of error messages.
	65	*/
	66	function cpw_mysql_dochange($data)
	67	{
	68	// unfortunately, we can only pass one parameter to a hook function,
	69	// so we have to pass it as an array.
	70	$username = $data['username'];
	71	$curpw = $data['curpw'];
	72	$newpw = $data['newpw'];
	73
	74	$msgs = array();
	75
	76	global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
4165198d	77	$mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
4165198d	78	$mysql_saslcrypt, $mysql_unixcrypt;
27663afe	79
76063016	80	// TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
27663afe	81	$ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
	82	if (! $ds) {
	83	array_push($msgs, _("Cannot connect to Database Server, please try later!"));
4165198d	84	return $msgs;
27663afe	85	}
	86	if (!mysql_select_db($mysql_database, $ds)) {
	87	array_push($msgs, _("Database not found on server"));
4165198d	88	return $msgs;
27663afe	89	}
	90
	91	$query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
	92	. ' FROM ' . $mysql_table
8f16b6ce	93	. ' WHERE ' . $mysql_userid_field . '="' . mysql_real_escape_string($username, $ds) .'"'
4165198d	94	. ' AND ' . $mysql_password_field;
	95
	96	if ($mysql_saslcrypt) {
8f16b6ce	97	$query_string .= '=password("'.mysql_real_escape_string($curpw, $ds).'")';
4165198d	98	} elseif ($mysql_unixcrypt) {
76063016	99	// FIXME: why password field name is used for salting
8f16b6ce	100	$query_string .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", '.$mysql_password_field . ')';
4165198d	101	} else {
8f16b6ce	102	$query_string .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
4165198d	103	}
4165198d	104
27663afe	105	$select_result = mysql_query($query_string, $ds);
	106	if (!$select_result) {
	107	array_push($msgs, _("SQL call failed, try again later."));
91e0dccc	108	return $msgs;
27663afe	109	}
	110
	111	if (mysql_num_rows($select_result) == 0) {
	112	array_push($msgs, CPW_CURRENT_NOMATCH);
	113	return $msgs;
	114	}
	115	if (mysql_num_rows($select_result) > 1) {
	116	//make sure we only have 1 uid
	117	array_push($msgs, _("Duplicate login entries detected, cannot change password!"));
	118	return $msgs;
	119	}
	120
4165198d	121	$update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;
	122
	123	if ($mysql_saslcrypt) {
8f16b6ce	124	$update_string .= '=password("'.mysql_real_escape_string($newpw, $ds).'")';
4165198d	125	} elseif ($mysql_unixcrypt) {
76063016	126	// FIXME: use random salt when you create new password
8f16b6ce	127	$update_string .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", '.$mysql_password_field . ')';
4165198d	128	} else {
8f16b6ce	129	$update_string .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
4165198d	130	}
8f16b6ce	131	$update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_real_escape_string($username, $ds) . '"';
4165198d	132
27663afe	133	if (!mysql_query($update_string, $ds)) {
	134	array_push($msgs, _("Password change was not successful!"));
	135	}
	136
	137	return $msgs;
8f16b6ce	138	}