diff --git a/security/Security.php b/security/Security.php
index 5922805..bd332ae 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -43,8 +43,44 @@ class Security {
 return ($advancedResult ? $result->next() : self::REGISTER_OK);
 }
+
+ public static function changePassword(\SYSTEM\DB\DBInfo $dbinfo, $username, $password_sha_old, $password_sha_new){
+
+ $con = new \SYSTEM\DB\Connection($dbinfo);
+ if(\SYSTEM\system::isSystemDbInfoPG()){
+ $result = $con->prepare('',
+ 'SELECT id FROM '.\SYSTEM\DBD\UserTable::NAME_PG.
+ ' WHERE lower('.\SYSTEM\DBD\UserTable::FIELD_USERNAME.') LIKE lower($1)'.
+ ' AND '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $2;',
+ array($username, $password_sha_old) );
+
+ }else{
+ return 'MySQL Query not implemented!';
+ }
+
+
+ $row = $result->next();
+ if(!$row){
+ return 0; // old password wrong
+ }
+
+ $userID = $row['id'];
+ if(\SYSTEM\system::isSystemDbInfoPG()){
+ $result = $con->prepare('',
+ 'UPDATE '.\SYSTEM\DBD\UserTable::NAME_PG.
+ ' SET "password_sha" = $1 WHERE '.\SYSTEM\DBD\UserTable::FIELD_ID.' = $2;',
+ array($password_sha_new, $userID) );
+ }else{
+ return 'MySQL Query not implemented!';
+ }
+
+
+ return 1;
+ }
+
+
- public static function login(\SYSTEM\DB\DBInfo $dbinfo, $username, $password_sha, $password_md5, $locale=NULL, $advancedResult=false){
+ public static function login(\SYSTEM\DB\DBInfo $dbinfo, $username, $password_sha, $password_md5, $locale=NULL, $advancedResult=false, $password_sha_new=NULL){
 self::startSession();
 if(!isset($password_sha)){
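Review bot: changePassword reports the unsupported-MySQL path by returning the string 'MySQL Query not implemented!' while success is 1 and a wrong old password is 0; a non-empty string is truthy, so a caller that checks the result with `if ($changed)` treats the not-implemented path as a completed password change, and throwing instead, `throw new \RuntimeException('MySQL Query not implemented!');`, or returning a class constant alongside LOGIN_FAIL/REGISTER_OK keeps the three outcomes distinguishable. The second `isSystemDbInfoPG()` test before the UPDATE can only be true, because the first one already returned otherwise, and the UPDATE's result is never inspected, so a zero-row update still returns 1. The lookup copies login's `LIKE lower($1)` match, so `%` and `_` in the submitted username act as wildcards rather than literal characters; for a credential change `= lower($1)`, together with the `FIELD_ID` / `FIELD_PASSWORD_SHA` constants instead of the literal `id` and `"password_sha"` this file otherwise avoids, would be the safer and consistent form. The new `$password_sha_new` parameter on login is undocumented; a docblock line such as `@param string|null $password_sha_new alternative digest accepted at login and persisted when the stored digest is empty or shorter than 40 characters` would tell callers what it is for.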
@@ -58,8 +94,9 @@ class Security {
 $result = $con->prepare('loginAccountStmt',
 'SELECT * FROM '.\SYSTEM\DBD\UserTable::NAME_PG.
 ' WHERE lower('.\SYSTEM\DBD\UserTable::FIELD_USERNAME.') LIKE lower($1)'.
- ' AND ('.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $2 OR '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_MD5.' = $3 );',
- array($username, $password_sha, $password_md5) );
+ ' AND ('.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $2 OR
+ '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $3 OR '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_MD5.' = $4 );',
+ array($username, $password_sha, $password_sha_new, $password_md5) );
 } else {
 $result = $con->prepare('loginAccountStmt',
 'SELECT * FROM '.\SYSTEM\DBD\UserTable::NAME_MYS.
@@ -72,8 +109,9 @@ class Security {
 $result = $con->prepare('loginAccountStmtSHA',
 'SELECT * FROM '.\SYSTEM\DBD\UserTable::NAME_PG.
 ' WHERE lower('.\SYSTEM\DBD\UserTable::FIELD_USERNAME.') LIKE lower($1)'.
- ' AND '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $2;',
- array($username, $password_sha) );
+ ' AND '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $2 OR
+ '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $3 ;',
+ array($username, $password_sha, $password_sha_new) );
 } else {
 $result = $con->prepare('loginAccountStmtSHA',
 'SELECT * FROM '.\SYSTEM\DBD\UserTable::NAME_MYS.
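Review bot: `$password_sha_new` reaches the combined statement as `$3` with no guard at all, whereas `$password_sha` is at least tested with `isset` earlier in login, so an empty string supplied in place of the parameter turns the new branch into `password_sha = ''`; the migration block later in login exists because rows with an empty password_sha are present, and for such an account the username match alone would then satisfy the WHERE clause. Normalise the value before the query, `if ($password_sha_new === '') { $password_sha_new = null; }`, or add the extra OR branch only when a non-empty digest was supplied. The MySQL statement directly below, whose text continues outside the hunk, keeps its old parameter list, so if it is still the three-parameter form the new digest is silently ignored on that backend rather than accepted. The same guard is needed for the SHA-only statement in the next hunk.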
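Review bot: The SHA-only statement drops the parentheses that the combined statement in the previous hunk keeps, and AND binds tighter than OR in SQL, so the new condition reads `(username LIKE $1 AND password_sha = $2) OR password_sha = $3`: the `$3` branch is evaluated against every row without the username restriction, and the first row whose stored digest equals `$password_sha_new` becomes the logged-in user regardless of the username submitted. The fix is the parenthesised form used in the other statement, `' AND ('.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $2 OR '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $3);'`. The statement keeps the name 'loginAccountStmtSHA' while its parameter count changes from two to three, so it is worth confirming that Connection::prepare does not hand back a cached plan built for the old form.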
@@ -95,11 +133,18 @@ class Security {
 $_SESSION['user'] = NULL; return self::LOGIN_FAIL;}
- // set password_sha if it is empty
- if(!$row[\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA]){
+ // set password_sha if it is empty or if it length is < 40 -> SHA1 Androidappbugfix
+ if(!$row[\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA] ||strlen($row[\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA]) < 40){
+
+ if($password_sha_new != NULL){
+ $pw = $password_sha_new;
+ }else{
+ $pw = $password_sha;
+ }
+
 $res = $con->prepare( 'updatePasswordSHAStmt',
- 'UPDATE '.\SYSTEM\DBD\UserTable::NAME.' SET '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $1 WHERE '.\SYSTEM\DBD\UserTable::FIELD_ID.' = $2'.' RETURNING '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.';',
- array($password_sha,$row[\SYSTEM\DBD\UserTable::FIELD_ID]));
+ 'UPDATE '.\SYSTEM\DBD\UserTable::NAME_PG.' SET '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.' = $1 WHERE '.\SYSTEM\DBD\UserTable::FIELD_ID.' = $2'.' RETURNING '.\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA.';',
+ array($pw,$row[\SYSTEM\DBD\UserTable::FIELD_ID]));
 $res = $res->next();
 $row[\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA] = $res[\SYSTEM\DBD\UserTable::FIELD_PASSWORD_SHA];
 }
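Review bot: The digest chosen for the migration write, `$pw`, is stored as the account's credential without any check on its form, so a `$password_sha_new` shorter than 40 characters is written as-is and the `< 40` condition that triggered this block fires again on every subsequent login, rewriting the row each time. Validate before the UPDATE and skip the migration when the candidate is not usable, `$pw = ($password_sha_new !== null && $password_sha_new !== '') ? $password_sha_new : $password_sha;` followed by `if (strlen($pw) < 40) { /* keep the stored value */ }`. `$password_sha_new != NULL` is a loose comparison (`'' != NULL` is false, `'0' != NULL` is true); `!== null` or `$password_sha_new ?? $password_sha` states the intent. The enclosing login body starts and ends outside this hunk, and the new comment would read better as 'if its length is < 40'.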