diff --git a/html/changepassword.php b/html/changepassword.php new file mode 100644 index 0000000..6177d41 --- /dev/null +++ b/html/changepassword.php @@ -0,0 +1,57 @@ + + + + + Change Password + + +
+ + + + + + + + + + + + + + +
Username
New Password
+ + +
+
+ + \ No newline at end of file diff --git a/html/form_login.php b/html/form_login.php new file mode 100644 index 0000000..2ffc681 --- /dev/null +++ b/html/form_login.php @@ -0,0 +1,17 @@ + + +SWG:Source | Login + + + + +
+
+

Username:

+

Password:

+
+
+ + diff --git a/html/images/swgsource.png b/html/images/swgsource.png new file mode 100644 index 0000000..11dc6bb Binary files /dev/null and b/html/images/swgsource.png differ diff --git a/html/logout.php b/html/logout.php new file mode 100644 index 0000000..1ea51af --- /dev/null +++ b/html/logout.php @@ -0,0 +1,9 @@ + + + + + \ No newline at end of file diff --git a/html/post_changepassword.php b/html/post_changepassword.php new file mode 100644 index 0000000..3c0e075 --- /dev/null +++ b/html/post_changepassword.php @@ -0,0 +1,58 @@ + + + + +real_escape_string($_POST['action']) : ""; +$username = $mysqli->real_escape_string($_POST['username']); +if(strcasecmp($_SESSION['username'], $usernamejson[$ln]['username']) != 0) +{ + //error - trying to update password for someone that isn't ourself + if($_SESSION['accesslevel'] != "superadmin") { + //we can continue, we are superadmin + } + else + { + echo "Error - You can only change your own password."; + die(); + } +} + +if($action=='update') { + include 'includes/db_connect.php'; + #do password hash here + function HashPassword($password) + { + $random = ''; + $salt = sha1(rand()); + $salt = substr($salt, 0, 10); + $encrypted = base64_encode(sha1($password . $salt, true) . $salt); + $hash = array("salt" => $salt, "encrypted" => $encrypted); + return $hash; + } + $passwordHash = HashPassword($_POST['realpassword']); + $passwordSalt = $passwordHash['salt']; + $passwordEncrypted = $passwordHash['encrypted']; + $query = "update user_account + set + password_hash = '".$mysqli->real_escape_string($passwordEncrypted)."', + password_salt = '".$mysqli->real_escape_string($passwordSalt)."' + WHERE username = '".$mysqli->real_escape_string($username)."'"; + + if( $mysqli->query($query) ) { + echo ''; + } + else { + printf($mysqli->error); + } + $mysqli->close(); +} +?> + diff --git a/html/post_login.php b/html/post_login.php new file mode 100644 index 0000000..996acb6 --- /dev/null +++ b/html/post_login.php @@ -0,0 +1,47 @@ +real_escape_string($_POST['username']); +$password = $mysqli->real_escape_string($_POST['password']); +$user = getUserByEmailAndPassword($username, $password); +if($user == true) { + if(isset($_SESSION['urlredirect'])) { + $_SESSION['user'] = $mysqli->real_escape_string($_POST['username']); + $redirectName = $_SESSION['urlredirect']; + echo ''; + } + else { + header("Location: index.php"); + $_SESSION['user'] = $mysqli->real_escape_string($_POST['username']); + } +} +else { + echo $mysqli->real_escape_string($_POST['username']), " does not exist or the password was incorrect"; + echo '

Log In'; +} + +function getUserByEmailAndPassword($username, $password) { + global $mysqli; + $result = $mysqli->query("SELECT * FROM user_account WHERE username = '$username'") or die(mysql_error()); + $no_of_rows = $result->num_rows; + if ($no_of_rows > 0) { + $result = $result->fetch_array(); + $salt = $result['password_salt']; + $stored_hash = $result['password_hash']; + $hashtest = checkhashSSHA($salt, $password); + if ($hashtest == $stored_hash) { + $_SESSION['accesslevel'] = $result['accesslevel']; + $_SESSION['username'] = $mysqli->real_escape_string($_POST['username']); + return true; + } + } else { + return false; + } +} +function checkhashSSHA($salt, $password) { + $hash = base64_encode(sha1($password . $salt, true) . $salt); + return $hash; +} +?>