Happy New Year

[squirrelmail.git] / plugins / change_password / backend / mysql.php

diff --git a/plugins/change_password/backend/mysql.php b/plugins/change_password/backend/mysql.php
index 63b0020ef918dfcf33d25a0b7df0d831a31fac6f..59da4a736f4952f566367e962aece1752403e871 100644 (file)
--- a/plugins/change_password/backend/mysql.php
+++ b/plugins/change_password/backend/mysql.php
@@ -1,8 +1,11 @@
 <?php
 <?php

+

 /**
  * MySQL change password backend
  *
 /**
  * MySQL change password backend
  *

- * @author Thijs Kinkhorst <kink@squirrelmail.org>
+ * @author Thijs Kinkhorst <kink at squirrelmail.org>
+ * @copyright 2003-2020 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License

  * @version $Id$
  * @package plugins
  * @subpackage change_password
  * @version $Id$
  * @package plugins
  * @subpackage change_password


@@ -14,7 +17,7 @@
 
 global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
        $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
 
 global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
        $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,

-       $mysql_saslcrypt, $mysql_unixcrypt, $mysql;
+       $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;

 
 // Initialize defaults
 $mysql_server = 'localhost';
 
 // Initialize defaults
 $mysql_server = 'localhost';


@@ -33,17 +36,16 @@ $mysql_manager_pw = 'xxxxxxx';
 $mysql_saslcrypt = 0; // use MySQL password() function
 $mysql_unixcrypt = 0; // use UNIX crypt() function
 
 $mysql_saslcrypt = 0; // use MySQL password() function
 $mysql_unixcrypt = 0; // use UNIX crypt() function
 

-if ( isset($mysql) && is_array($mysql) && !empty($mysql) )
+// get overrides from config.
+if ( isset($cpw_mysql) && is_array($cpw_mysql) && !empty($cpw_mysql) )

 {
 {

-  foreach ( $mysql as $key => $value )
+  foreach ( $cpw_mysql as $key => $value )

   {
     if ( isset(${'mysql_'.$key}) )
       ${'mysql_'.$key} = $value;
   }
 }
 
   {
     if ( isset(${'mysql_'.$key}) )
       ${'mysql_'.$key} = $value;
   }
 }
 

-// NO NEED TO CHANGE ANYTHING BELOW THIS LINE
-

 global $squirrelmail_plugin_hooks;
 $squirrelmail_plugin_hooks['change_password_dochange']['mysql'] =
         'cpw_mysql_dochange';
 global $squirrelmail_plugin_hooks;
 $squirrelmail_plugin_hooks['change_password_dochange']['mysql'] =
         'cpw_mysql_dochange';


@@ -75,6 +77,7 @@ function cpw_mysql_dochange($data)
            $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
            $mysql_saslcrypt, $mysql_unixcrypt;
 
            $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
            $mysql_saslcrypt, $mysql_unixcrypt;
 

+    // TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.

     $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
     if (! $ds) {
         array_push($msgs, _("Cannot connect to Database Server, please try later!"));
     $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
     if (! $ds) {
         array_push($msgs, _("Cannot connect to Database Server, please try later!"));


@@ -87,15 +90,16 @@ function cpw_mysql_dochange($data)
 
     $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
                   . ' FROM '  . $mysql_table
 
     $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
                   . ' FROM '  . $mysql_table

-                  . ' WHERE ' . $mysql_userid_field . '="' . mysql_escape_string($username) .'"'
+                  . ' WHERE ' . $mysql_userid_field . '="' . mysql_real_escape_string($username, $ds) .'"'

                   . ' AND ' . $mysql_password_field;
 
     if ($mysql_saslcrypt) {
                   . ' AND ' . $mysql_password_field;
 
     if ($mysql_saslcrypt) {

-        $query_string  .= '=password("'.mysql_escape_string($curpw).'")';
+        $query_string  .= '=password("'.mysql_real_escape_string($curpw, $ds).'")';

     } elseif ($mysql_unixcrypt) {
     } elseif ($mysql_unixcrypt) {

-        $query_string  .= '=encrypt("'.mysql_escape_string($curpw).'", '.$mysql_password_field . ')';
+        // FIXME: why password field name is used for salting
+        $query_string  .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", '.$mysql_password_field . ')';

     } else {
     } else {

-        $query_string  .= '="' . mysql_escape_string($curpw) . '"';
+        $query_string  .= '="' . mysql_real_escape_string($curpw, $ds) . '"';

     }
 
     $select_result = mysql_query($query_string, $ds);
     }
 
     $select_result = mysql_query($query_string, $ds);


@@ -117,17 +121,18 @@ function cpw_mysql_dochange($data)
     $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;
 
     if ($mysql_saslcrypt) {
     $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;
 
     if ($mysql_saslcrypt) {

-        $update_string  .= '=password("'.mysql_escape_string($newpw).'")';
+        $update_string  .= '=password("'.mysql_real_escape_string($newpw, $ds).'")';

     } elseif ($mysql_unixcrypt) {
     } elseif ($mysql_unixcrypt) {

-        $update_string  .= '=encrypt("'.mysql_escape_string($newpw).'", '.$mysql_password_field . ')';
+        // FIXME: use random salt when you create new password
+        $update_string  .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", '.$mysql_password_field . ')';

     } else {
     } else {

-        $update_string  .= '="' . mysql_escape_string($newpw) . '"';
+        $update_string  .= '="' . mysql_real_escape_string($newpw, $ds) . '"';

     }
     }

-    $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_escape_string($username) . '"';
+    $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_real_escape_string($username, $ds) . '"';

 
     if (!mysql_query($update_string, $ds)) {
         array_push($msgs, _("Password change was not successful!"));
     }
 
     return $msgs;
 
     if (!mysql_query($update_string, $ds)) {
         array_push($msgs, _("Password change was not successful!"));
     }
 
     return $msgs;

-}
\ No newline at end of file
+}