Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- if( isset( $_GET[ 'Change' ] ) ) {
- // Check Anti-CSRF token
- checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
- // Get input
- $pass_curr = $_GET[ 'password_current' ];
- $pass_new = $_GET[ 'password_new' ];
- $pass_conf = $_GET[ 'password_conf' ];
- // Sanitise current password input
- $pass_curr = stripslashes( $pass_curr );
- $pass_curr = mysql_real_escape_string( $pass_curr );
- $pass_curr = md5( $pass_curr );
- // Check that the current password is correct
- $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
- $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
- $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
- $data->execute();
- // Do both new passwords match and does the current password match the user?
- if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {
- // It does!
- $pass_new = stripslashes( $pass_new );
- $pass_new = mysql_real_escape_string( $pass_new );
- $pass_new = md5( $pass_new );
- // Update database with new password
- $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
- $data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
- $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
- $data->execute();
- // Feedback for the user
- $html .= "<pre>Password Changed.</pre>";
- }
- else {
- // Issue with passwords matching
- $html .= "<pre>Passwords did not match or current password incorrect.</pre>";
- }
- }
- // Generate Anti-CSRF token
- generateSessionToken();
- ?>
Add Comment
Please, Sign In to add comment