From 70305da5fde8258dc78d7bbac7fbf93fecb554ff Mon Sep 17 00:00:00 2001 From: Thies Mueller Date: Tue, 12 Jan 2021 17:42:16 +0100 Subject: [PATCH] "commented" forgotpass.php & resetpass.php --- forgotpass.php | 11 ++++++++--- resetpass.php | 10 ++++++++-- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/forgotpass.php b/forgotpass.php index b404f9a..cb85e48 100644 --- a/forgotpass.php +++ b/forgotpass.php @@ -7,6 +7,11 @@ Enter your email address"; } else { $statement = $pdo->prepare("SELECT * FROM users WHERE email = :email"); @@ -47,8 +52,8 @@ if(isset($_GET['send']) ) { $mailrcpt = $user['email']; $mailsubject = "New password for your User"; - $from = "From: Password Reset Service "; //place a real address if we use this in production - $url_passwordcode = 'https://'.$_SERVER['HTTP_HOST'].'/resetpass.php?userid='.$user['id'].'&code='.$passwordcode; //this shouldnt be my domain in prod.. + $from = "From: Password Reset Service "; + $url_passwordcode = 'https://'.$_SERVER['HTTP_HOST'].'/resetpass.php?userid='.$user['id'].'&code='.$passwordcode; $text = 'Hallo '.$user['username'].', please use the following URL to change your password in the next 24h: '.$url_passwordcode.' diff --git a/resetpass.php b/resetpass.php index b2eda09..04342d9 100644 --- a/resetpass.php +++ b/resetpass.php @@ -9,6 +9,12 @@ No code delivered. nothing to do here.'); } @@ -43,7 +49,7 @@ if(sha1($code) != $user['passwordcode']) { if(isset($_GET['send'])) { $password = $_POST['password']; - $password_confirm = $_POST['password_confirm']; + $password_confirm = $_POST['password_confirm']; //we need to do the whole "is your password secure enough" thingy again here: //regexes for passvalidation: $REuppercase = preg_match('@[A-Z]@', $password); $RElowercase = preg_match('@[a-z]@', $password); 
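Review bot: The reset link on the new `$url_passwordcode` line is still built from `$_SERVER['HTTP_HOST']`, which comes from the request's Host header rather than from server configuration; the comment this commit drops ("this shouldnt be my domain in prod..") pointed at exactly that, and removing the comment does not remove the concern. If the server answers for hosts it is not configured for, the host embedded in the mailed link is taken from the request that triggered the mail, so the base URL should come from a fixed setting, e.g. `$url_passwordcode = BASE_URL.'/resetpass.php?userid='.$user['id'].'&code='.$passwordcode;` where `BASE_URL` stands for a value defined in configuration (placeholder name). The same removal on the `$from` line leaves a sender address that, per the dropped comment, was not yet a production one; a short `// sender address must be a deliverable mailbox` note would preserve that reminder. The enclosing `if(isset($_GET['send']) )` block starts and ends outside the hunk.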
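Review bot: The new `$password_confirm` line, like the `$password` line above it, indexes `$_POST` without checking that the key exists, so a request without those fields raises an undefined-index warning and passes `null` into the `preg_match` calls that follow; read both with a default, `$password = $_POST['password'] ?? '';` and `$password_confirm = $_POST['password_confirm'] ?? '';`, and reject empty input before the strength checks. The comment appended to the end of that line ("we need to do the whole ... thingy again here") would read better as its own line above the checks, merged with the existing `//regexes for passvalidation:` comment. The hunk header also shows the surrounding reset-code check as `sha1($code) != $user['passwordcode']`; that line is outside the hunk, but a loose `!=` between two strings is neither constant-time nor strict (numeric-looking strings are compared numerically), so `!hash_equals($user['passwordcode'], sha1($code))` would be the safer form. The enclosing `if(isset($_GET['send']))` block continues past the end of the hunk.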
@@ -60,7 +66,7 @@ if(isset($_GET['send'])) {
 $passwordhash = password_hash($password, PASSWORD_DEFAULT);
 $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
 $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
-
+//done. the rest is the same
 if($result) {
 die('Changed password. Going to login now.');
 }
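Review bot: The added `//done. the rest is the same` comment, which replaces the blank line before `if($result)`, tells the reader nothing the following lines do not already show; a comment here should record what the update leaves behind, e.g. `// Store the new hash and clear the one-time code so the reset link cannot be reused.` placed above the `UPDATE` statement, whose `passwordcode = NULL, passwordcode_time = NULL` is what makes that true. The `execute(array(...))` call on the line above uses the long array syntax; the short form reads cleaner: `$result = $statement->execute(['passwordhash' => $passwordhash, 'userid' => $userid]);`. Whether a successful reset also ends any existing logged-in sessions for this user is not visible in the hunk and may be worth confirming. The enclosing `if(isset($_GET['send']))` block starts outside the hunk.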