plugins/change_password/backend/mysql.php

   1 <?php
   2
   3 /**
   4  * MySQL change password backend
   5  *
   6  * @author Thijs Kinkhorst <kink at squirrelmail.org>
   7  * @copyright 2003-2012 The SquirrelMail Project Team
   8  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
   9  * @version $Id$
  10  * @package plugins
  11  * @subpackage change_password
  12  */
  13
  14 /**
  15  * Config vars
  16  */
  17
  18 global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
  19        $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
  20        $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;
  21
  22 // Initialize defaults
  23 $mysql_server = 'localhost';
  24 $mysql_database = 'email';
  25 $mysql_table = 'users';
  26
  27 // The names of the user ID and password columns
  28 $mysql_userid_field = 'id';
  29 $mysql_password_field ='password';
  30
  31 // The user to log into MySQL with (must have rights)
  32 $mysql_manager_id = 'email_admin';
  33 $mysql_manager_pw = 'xxxxxxx';
  34
  35 // saslcrypt checked first - if it is 1, UNIX crypt is not used.
  36 $mysql_saslcrypt = 0; // use MySQL password() function
  37 $mysql_unixcrypt = 0; // use UNIX crypt() function
  38
  39 // get overrides from config.
  40 if ( isset($cpw_mysql) && is_array($cpw_mysql) && !empty($cpw_mysql) )
  41 {
  42   foreach ( $cpw_mysql as $key => $value )
  43   {
  44     if ( isset(${'mysql_'.$key}) )
  45       ${'mysql_'.$key} = $value;
  46   }
  47 }
  48
  49 global $squirrelmail_plugin_hooks;
  50 $squirrelmail_plugin_hooks['change_password_dochange']['mysql'] =
  51         'cpw_mysql_dochange';
  52
  53 /**
  54  * This is the function that is specific to your backend. It takes
  55  * the current password (as supplied by the user) and the desired
  56  * new password. It will return an array of messages. If everything
  57  * was successful, the array will be empty. Else, it will contain
  58  * the errormessage(s).
  59  * Constants to be used for these messages:
  60  * CPW_CURRENT_NOMATCH -> "Your current password is not correct."
  61  * CPW_INVALID_PW -> "Your new password contains invalid characters."
  62  *
  63  * @param array data The username/currentpw/newpw data.
  64  * @return array Array of error messages.
  65  */
  66 function cpw_mysql_dochange($data)
  67 {
  68     // unfortunately, we can only pass one parameter to a hook function,
  69     // so we have to pass it as an array.
  70     $username = $data['username'];
  71     $curpw = $data['curpw'];
  72     $newpw = $data['newpw'];
  73
  74     $msgs = array();
  75
  76     global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
  77            $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
  78            $mysql_saslcrypt, $mysql_unixcrypt;
  79
  80     // TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
  81     $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
  82     if (! $ds) {
  83         array_push($msgs, _("Cannot connect to Database Server, please try later!"));
  84         return $msgs;
  85     }
  86     if (!mysql_select_db($mysql_database, $ds)) {
  87         array_push($msgs, _("Database not found on server"));
  88         return $msgs;
  89     }
  90
  91     $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
  92                   . ' FROM '  . $mysql_table
  93                   . ' WHERE ' . $mysql_userid_field . '="' . mysql_real_escape_string($username, $ds) .'"'
  94                   . ' AND ' . $mysql_password_field;
  95
  96     if ($mysql_saslcrypt) {
  97         $query_string  .= '=password("'.mysql_real_escape_string($curpw, $ds).'")';
  98     } elseif ($mysql_unixcrypt) {
  99         // FIXME: why password field name is used for salting
 100         $query_string  .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", '.$mysql_password_field . ')';
 101     } else {
 102         $query_string  .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
 103     }
 104
 105     $select_result = mysql_query($query_string, $ds);
 106     if (!$select_result) {
 107         array_push($msgs, _("SQL call failed, try again later."));
 108         return $msgs;
 109     }
 110
 111     if (mysql_num_rows($select_result) == 0) {
 112         array_push($msgs, CPW_CURRENT_NOMATCH);
 113         return $msgs;
 114     }
 115     if (mysql_num_rows($select_result) > 1) {
 116         //make sure we only have 1 uid
 117         array_push($msgs, _("Duplicate login entries detected, cannot change password!"));
 118         return $msgs;
 119     }
 120
 121     $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;
 122
 123     if ($mysql_saslcrypt) {
 124         $update_string  .= '=password("'.mysql_real_escape_string($newpw, $ds).'")';
 125     } elseif ($mysql_unixcrypt) {
 126         // FIXME: use random salt when you create new password
 127         $update_string  .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", '.$mysql_password_field . ')';
 128     } else {
 129         $update_string  .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
 130     }
 131     $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_real_escape_string($username, $ds) . '"';
 132
 133     if (!mysql_query($update_string, $ds)) {
 134         array_push($msgs, _("Password change was not successful!"));
 135     }
 136
 137     return $msgs;
 138 }