From 2cb1563f63386b35a69e460051aa9b4a2851d104 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Wed, 30 May 2012 07:30:44 -0400
Subject: [PATCH] - Added (clickable) placeholders to client messaging function. - Added check so that the client password isn't inserted into the message (for security reasons).

---
 interface/web/login/password_reset.php |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php
index 23516f3..659859a 100644
--- a/interface/web/login/password_reset.php
+++ b/interface/web/login/password_reset.php
@@ -43,21 +43,28 @@
 
 if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
 	
+	if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error'));
+	if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error'));
+	
 	$username = $app->db->quote($_POST['username']);
 	$email = $app->db->quote($_POST['email']);
 	
-	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' && email = '$email'");
+	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' AND email = '$email'");
 	
 	if($client['client_id'] > 0) {
-		$new_password = md5 (uniqid (rand()));
-		$new_password = $app->db->quote($new_password);
+		$new_password = $app->auth->get_random_password();
+		$new_password_encrypted = $app->auth->crypt_password($new_password);
+		$new_password_encrypted = $app->db->quote($new_password_encrypted);
+		
 		$username = $app->db->quote($client['username']);
-		$app->db->query("UPDATE sys_user SET passwort = md5('$new_password') WHERE username = '$username'");
-		$app->db->query("UPDATE client SET �password� = md5('$new_password') WHERE username = '$username'");
+		$app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'");
+		$app->db->query("UPDATE client SET �password� = '$new_password_encrypted' WHERE username = '$username'");
 		$app->tpl->setVar("message",$wb['pw_reset']);
 		
 		mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);
 		
+		$app->plugin->raiseEvent('password_reset',true);
+		
 	} else {
 		$app->tpl->setVar("message",$wb['pw_error']);
 	}

--
Gitblit v1.9.1