
Ovidiu

a guest
May 22nd, 2009
<?php

/**
 * SquirrelMail Change SQL Password Plugin
 * Copyright (C) 2001-2002 Tyler Akins
 *               2002 Thijs Kinkhorst <kink@users.sourceforge.net>
 *               2002-2005 Paul Lesneiwski <paul@openguild.net>
 * This program is licensed under GPL. See COPYING for details
 *
 * Configuration file: it only assigns the global settings declared below
 * (database DSN, SQL query templates, password storage format, transport
 * and password-policy options).  The code that consumes these settings is
 * not part of this file.
 *
 * @package plugins
 * @subpackage Change SQL Password
 *
 */


   // Global variables; don't touch this declaration unless you want to
   // break the plugin.  Every setting assigned in this file is listed here.
   //
   global $csp_dsn, $password_update_queries, $lookup_password_query,
          $force_change_password_check_query, $password_encryption,
          $csp_salt_query, $csp_salt_static, $csp_secure_port,
          $csp_non_standard_http_port, $csp_delimiter, $csp_debug,
          $min_password_length, $max_password_length, $include_digit_in_password,
          $include_uppercase_letter_in_password, $include_lowercase_letter_in_password,
          $include_nonalphanumeric_in_password;



   // csp_dsn
   //
   // Theoretically, any SQL database supported by Pear should be supported
   // here.  The DSN (data source name) must contain the information needed
   // to connect to your database backend. A MySQL example is included below.
   // For more details about DSN syntax and list of supported database types,
   // please see:
   //   http://pear.php.net/manual/en/package.database.db.intro-dsn.php
   //
   // NOTE(review): the DSN carries the database password in clear text, so
   // this file should be readable only by the web server account and never
   // published with real values (the value below looks like the example
   // placeholder).  The account only needs the SELECT/UPDATE rights that
   // the queries in this file use; a least-privileged account limits the
   // damage if this file leaks.
   //
   $csp_dsn = 'mysql://user:password@localhost/email_users';



   // lookup_password_query
   //
   // This plugin will always verify the user's old password
   // against their login password, but an extra check can also
   // be done against the database for more security if you
   // desire.  If you do not need the extra password check,
   // make sure this setting is empty.
   //
   // This is a query that returns a positive value if a user
   // and password pair are found in the database.
   //
   // This query should return one value (one row, one column), the
   // value being ideally a one or a zero, simply indicating that
   // the user/password pair does in fact exist in the database.
   //
   //   %1 in this query will be replaced with the full username
   //      (including domain), such as "jose@example.com"
   //   %2 in this query will be replaced with the username (without
   //      any domain portion), such as "jose"
   //   %3 in this query will be replaced with the domain name,
   //      such as "example.com"
   //   %4 in this query will be replaced with the current (old)
   //      password in whatever encryption format is needed per other
   //      plugin configuration settings (Note that the syntax of
   //      the password will be provided depending on your encryption
   //      choices, so you NEVER need to provide quotes around this
   //      value in the query here.)
   //   %5 in this query will be replaced with the current (old)
   //      password in unencrypted plain text.  If you do not use any
   //      password encryption, %4 and %5 will be the same values,
   //      except %4 will have double quotes around it and %5 will not.
   //
   // NOTE(review): the placeholders are substituted into the SQL text
   // rather than bound as parameters, and the code doing the substitution
   // is not in this file -- confirm that it escapes the username and
   // password values before they reach the query.  The double-quoted
   // literals ("%1") are only string literals while MySQL's ANSI_QUOTES
   // mode is off; with it on, they are parsed as identifiers.
   //
   //$lookup_password_query = '';
   // TERRIBLE SECURITY (requires passwords stored in plain text): $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND plain_password = "%5"';
   $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND crypt_password = %4';



   // password_update_queries
   //
   // An array of SQL queries that will all be executed
   // whenever a password change attempt is made.
   //
   // Any number of queries may be included here.
   // The queries will be executed in the order given here.
   //
   //   %1 in all queries will be replaced with the full username
   //      (including domain), such as "jose@example.com"
   //   %2 in all queries will be replaced with the username (without
   //      any domain portion), such as "jose"
   //   %3 in all queries will be replaced with the domain name,
   //      such as "example.com"
   //   %4 in all queries will be replaced with the new password
   //      in whatever encryption format is needed per other
   //      plugin configuration settings (Note that the syntax of
   //      the password will be provided depending on your
   //      encryption choices, so you NEVER need to provide quotes
   //      around this value in the queries here.)
   //   %5 in all queries will be replaced with the new password
   //      in unencrypted plain text - BEWARE!  If you do not use
   //      any password encryption, %4 and %5 will be the same
   //      values, except %4 will have double quotes around it
   //      and %5 will not.
   //
   // NOTE(review): only %4 is used below, so the plain-text form (%5) is
   // never written to the database.  Whether several queries run inside
   // one transaction cannot be told from this file; if more than one is
   // enabled, check what happens when a later query fails.
   //
   $password_update_queries = array(
            'UPDATE users SET crypt_password = %4 WHERE username = "%1"',
//            'UPDATE user_flags SET force_change_pwd = 0 WHERE username = "%1"',
//            'UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = "%1"',
                                  );



   // force_change_password_check_query
   //
   // A query that checks for a flag that indicates if a user
   // should be forced to change their password.  This query
   // should return one value (one row, one column) which is
   // zero if the user does NOT need to change their password,
   // or one if the user should be forced to change it now.
   //
   // This setting should be an empty string if you do not wish
   // to enable this functionality.
   //
   //   %1 in this query will be replaced with the full username
   //      (including domain), such as "jose@example.com"
   //   %2 in this query will be replaced with the username (without
   //      any domain portion), such as "jose"
   //   %3 in this query will be replaced with the domain name,
   //      such as "example.com"
   //
   // If you enable this, also enable an update query above that clears
   // the flag, otherwise the flag stays set after the password change.
   //
   //$force_change_password_check_query = 'SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = "%1"';
   //$force_change_password_check_query = 'SELECT force_change_pwd FROM users WHERE username = "%1"';
   $force_change_password_check_query = '';



   // password_encryption
   //
   // What encryption method do you use to store passwords
   // in your database?  Please use one of the following,
   // exactly as you see it:
   //
   //   NONE          Passwords are stored as plain text only
   //   MYSQLPWD      Passwords are stored using the MySQL password() function
   //   MYSQLENCRYPT  Passwords are stored using the MySQL encrypt() function
   //   PHPCRYPT      Passwords are stored using the PHP crypt() function
   //   MD5CRYPT      Passwords are stored using encrypted MD5 algorithm
   //   MD5           Passwords are stored as MD5 hash
   //
   // NOTE(review): apart from NONE these are one-way hashes, not
   // encryption.  MYSQLPWD relies on MySQL's PASSWORD(), which is unsalted,
   // is intended for the server's own account table rather than for
   // application passwords, and was removed in MySQL 8.0 (as was
   // ENCRYPT(), used by MYSQLENCRYPT).  NONE and plain MD5 give little or
   // no protection if the users table is disclosed.  Of the options listed,
   // the salted crypt()-based ones are the stronger choice.  This value
   // has to match the format already stored in crypt_password and expected
   // by whatever else authenticates against that table, so changing it
   // means migrating the stored hashes as well.
   //
   $password_encryption = 'MYSQLPWD';



   // csp_salt_query
   // csp_salt_static
   //
   // Encryption types that need a salt need to know where to get
   // that salt.  If you have a constant, known salt value, you
   // should define it in $csp_salt_static.  Otherwise, leave that
   // value empty and define a value for the $csp_salt_query.
   //
   // Leave both values empty if you do not need (or use) salts
   // to encrypt your passwords.
   //
   // The query should return one value (one row, one column) which
   // is the salt value for the current user's password.  This
   // query is ignored if $csp_salt_static is anything but empty.
   //
   //   %1 in this query will be replaced with the full username
   //      (including domain), such as "jose@example.com"
   //   %2 in this query will be replaced with the username (without
   //      any domain portion), such as "jose"
   //   %3 in this query will be replaced with the domain name,
   //      such as "example.com"
   //
   // NOTE(review): a literal static salt (such as the "a4" example) is
   // shared by every account, so identical passwords produce identical
   // hashes; a per-user salt does not have that problem.
   //
   //$csp_salt_static = 'LEFT(crypt_password, 2)';
   //$csp_salt_static = '"a4"';  // use this format with MYSQLENCRYPT
   //$csp_salt_static = '$2$blowsomefish$';  // use this format with PHPCRYPT
   $csp_salt_static = '';

   // The inner quotes around $ are escaped in the next two examples;
   // unescaped, they would end the PHP string early if a line were enabled.
   //$csp_salt_query = 'SELECT SUBSTRING_INDEX(crypt_password, \'$\', 1) FROM users WHERE username = "%1"';
   //$csp_salt_query = 'SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, \'$\', 2)) + 2)) FROM users WHERE username = "%1"';
   //
   // NOTE(review): a salt query is configured here although
   // $password_encryption is MYSQLPWD, and PASSWORD() takes no salt.  By
   // the guidance above both salt settings would be empty in that case --
   // confirm whether the plugin runs this query anyway and whether the
   // users table really has a salt column.
   //
   $csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
   //$csp_salt_query = '';



   // csp_secure_port
   //
   // You may ensure that SSL encryption is used during password
   // change by setting this to the port that your HTTPS is served
   // on (443 is typical).  Set to zero if you do not wish to force
   // an HTTPS connection when users are changing their passwords.
   //
   // You may override this value for certain domains, users, or
   // service levels through the Virtual Host Login (vlogin) plugin
   // by setting a value(s) for $vlogin_csp_secure_port in the vlogin
   // configuration.
   //
   // NOTE(review): with zero, this plugin does not force HTTPS for the
   // password change.  Unless the whole webmail site is already served
   // only over HTTPS, the old and new passwords are sent unencrypted;
   // the 443 line below is the safer setting when HTTPS is available.
   //
   $csp_secure_port = 0;
   //$csp_secure_port = 443;



   // csp_non_standard_http_port
   //
   // If you serve standard HTTP web requests on a non-standard
   // port (anything other than port 80), you should specify that
   // port number here.  Set to zero otherwise.
   //
   // You may override this value for certain domains, users, or
   // service levels through the Virtual Host Login (vlogin) plugin
   // by setting a value(s) for $vlogin_csp_non_standard_http_port
   // in the vlogin configuration.
   //
   //$csp_non_standard_http_port = 8080;
   $csp_non_standard_http_port = 0;



   // min_password_length
   // max_password_length
   // include_digit_in_password
   // include_uppercase_letter_in_password
   // include_lowercase_letter_in_password
   // include_nonalphanumeric_in_password
   //
   // You can set the minimum and maximum password lengths that
   // you accept or leave those settings as zero to indicate that
   // no limit should be applied.
   //
   // Turn on any of the other settings here to check that the
   // new password contains at least one digit, upper case letter,
   // lower case letter and/or one non-alphanumeric character.
   //
   // NOTE(review): a 6-character minimum with every character-class check
   // off accepts passwords such as "aaaaaa"; it is also below the
   // 8-character minimum of common guidance such as NIST SP 800-63B.
   // Leaving the maximum at zero (no limit) is fine as long as the chosen
   // hash scheme does not truncate long passwords -- verify for the scheme
   // selected in $password_encryption.
   //
   $min_password_length = 6;
   $max_password_length = 0;
   $include_digit_in_password = 0;
   $include_uppercase_letter_in_password = 0;
   $include_lowercase_letter_in_password = 0;
   $include_nonalphanumeric_in_password = 0;



   // csp_delimiter
   //
   // If your system has usernames with something other than
   // an "@" sign separating the user and domain portion,
   // specify that character here.
   //
   //$csp_delimiter = '|';
   $csp_delimiter = '@';



   // debug mode
   //
   // NOTE(review): keep this at zero in production.  What the debug output
   // contains is not visible from this file; presumably it includes the
   // expanded queries, which would carry password values -- confirm before
   // enabling on a live system.
   //
   $csp_debug = 0;



?>