From bec02fa2979878be7521d06f48671d853215ebd7 Mon Sep 17 00:00:00 2001
From: Thies Mueller <git@td00.de>
Date: Fri, 8 Jan 2021 21:09:12 +0100
Subject: [PATCH] maybe sometime else
---
 passwordchange.php | 79 --------------------------------------------
 secondauth.php | 81 ----------------------------------------------
 2 files changed, 160 deletions(-)
 delete mode 100644 passwordchange.php
 delete mode 100644 secondauth.php
diff --git a/passwordchange.php b/passwordchange.php
deleted file mode 100644
index 2ff0423..0000000
--- a/passwordchange.php
+++ /dev/null
@@ -1,79 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
-
- <title>Change Password</title>
-</head>
-<body>
-<?php
-$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
-
-if(!isset($_GET['userid']) || !isset($_GET['code'])) {
- die('No code delivered. nothing to do here.<meta http-equiv="refresh" content="1; URL=secondauth.php">');
-}
-
-$userid = $_GET['userid'];
-$code = $_GET['code'];
-
-
-$statement = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
-$result = $statement->execute(array('userid' => $userid));
-$user = $statement->fetch();
-
-//check if theres a code for the user delivered
-if($user === null || $user['passwordcode'] === null) {
- die('No User matching your request.<meta http-equiv="refresh" content="1; URL=profile.php">');
-}
-
-if($user['passwordcode_time'] === null || strtotime($user['passwordcode_time']) < (time()-24*3600) ) {
- die('Ooops. This code isnt valid anymore.<meta http-equiv="refresh" content="1; URL=profile.php">');
-}
-
-
-
-if(sha1($code) != $user['passwordcode']) {
- die('<meta http-equiv="refresh" content="0; URL=/">');
-}
-
-
-
-if(isset($_GET['send'])) {
- $password = $_POST['password'];
- $password_confirm = $_POST['password_confirm'];
- //regexes for passvalidation:
- $REuppercase = preg_match('@[A-Z]@', $password);
- $RElowercase = preg_match('@[a-z]@', $password);
- $REnumber = preg_match('@[0-9]@', $password);
- $REspecialChars = preg_match('@[^\w]@', $password);
- if($password != $password_confirm) {
- echo "password or confirmed password wrong";
- }
- if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
- echo '<color="red">Password needs to be more complex.</color><br />';
- echo '<i>Please implement at least 8 chars, upper & downer caser, one number & one special char.</i><br />';
- $error = true;
-} else {
- $passwordhash = password_hash($password, PASSWORD_DEFAULT);
- $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
- $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
-
- if($result) {
- die('Changed password. Going to <a href="login.php">login</a> now.<meta http-equiv="refresh" content="1; URL=login.php?userid='.$user['id'].'&code='.$passwordcode">');
- }
- }
-}
-?>
- <script src="ressources/js/bootstrap.min.js"></script>
-<h1>Set new password</h1>
-<form action="?send=1&userid=<?php echo htmlentities($userid); ?>&code=<?php echo htmlentities($code); ?>" method="post">
-<div class="form-group">
-<label for="password">New Password</label>
-<input type="password" id="password" class="form-control" name="password"><br><br>
- </div>
- <div class=form-group>
- <label for="password_confirm">Confirm new Password</label>
-<input type="password" id="password" class="form-control" name="password_confirm"><br><br>
- </div>
- <button type="submit" class="btn btn-primary">Submit new password</button>
-</form>
\ No newline at end of file
diff --git a/secondauth.php b/secondauth.php
deleted file mode 100644
index 66c5289..0000000
--- a/secondauth.php
+++ /dev/null
@@ -1,81 +0,0 @@
-<?php
-session_start();
-$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
-
-function random_string() {
- if(function_exists('random_bytes')) {
- $bytes = random_bytes(16);
- $str = bin2hex($bytes);
- } else if(function_exists('openssl_random_pseudo_bytes')) {
- $bytes = openssl_random_pseudo_bytes(16);
- $str = bin2hex($bytes);
- } else if(function_exists('mcrypt_create_iv')) {
- $bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
- $str = bin2hex($bytes);
- } else {
- //this should be a unique string. if we use this in prod we should change this.
- $str = md5(uniqid('thisisnotreallyrandombutthisstringheresomakethislongandmaybewith12345numberskthxbye', true));
- }
- return $str;
- }
-
- $passwordcode = random_string();
- $statement = $pdo->prepare("UPDATE users SET passwordcode = :passwordcode, passwordcode_time = NOW() WHERE id = :userid");
- $result = $statement->execute(array('passwordcode' => sha1($passwordcode), 'userid' => $user['id']));
-
-
-if(isset($_GET['login'])) {
- $username = $_POST['username'];
- $password = $_POST['password'];
-
- $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
- $result = $statement->execute(array('username' => $username));
- $user = $statement->fetch();
-
- if ($user !== false && password_verify($password, $user['password'])) {
- $_SESSION['userid'] = $user['id'];
- $_SESSION['email'] = $user['email'];
- $_SESSION['username'] = $user['username'];
- $_SESSION['givenName'] = $user['givenName'];
- $_SESSION['lastName'] = $user['lastName'];
- die('successfull. please wait. youll be forwarded! <meta http-equiv="refresh" content="0; URL=passwordchange.php">');
- } else {
- $errorMessage = "somethings wrong (maybe wrong password or invalid session)<br>";
- }
-
-}
-?>
-<!DOCTYPE html>
-<html>
-<head>
-<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
-
- <title>2nd Auth</title>
-</head>
-<body>
-
-<?php
-if(isset($errorMessage)) {
- echo $errorMessage;
-}
-?>
-
- <script src="ressources/js/bootstrap.min.js"></script>
-<h3 class="display-5">You want to change your password? Please prove that you know your old password first!</h5>
-<form action="?login=1" method="post">
-<div class="form-group">
-<label for="username">Username</label>
-<input type="text" class="form-control" size="40" id="username" placeholder="Username" name="username" ><br><br>
-</div>
- <div class="form-group">
-<label for="password">Password</label>
-<input type="password" class="form-control" size="40" id="password" placeholder="Password" name="password"><br>
- </div>
- <button type="submit" class="btn btn-primary">Login</button>
-</form>
-<br />
-<br />
-<a href="forgotpass.php"><button class="btn btn-warning">I forgot my password</button></a>
-<br /> <br />
-</body>
-</html>