<?php
//
// TorrentTrader v2.x
// $LastChangedDate: 2011-10-30 02:20:54 +0000 (Sun, 30 Oct 2011) $
// $LastChangedBy: dj-howarth1 $
//
// http://www.torrenttrader.org
//
//
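require_once("backend/functions.php");
dbconn(false);

// $kind stays "0" until one of the request handlers below produces a
// notice; the render section at the end of the file treats "0" as
// "nothing to show". Whenever $kind is changed, $msg is set alongside it.
$kind = "0";

// --- Step 2 of the recovery flow: the user followed the mailed link and
// posted a new password together with the id/secret pair from that link.
// The secret in the link is MD5(users.secret) (see the mail handler
// further down), so it is matched against MD5(`secret`) in SQL.
// All $_POST reads are guarded: this page is also served on plain GET,
// where none of these keys exist, and a non-string value (array input)
// must not reach strlen()/passhash().
$postid = isset($_POST["id"]) ? $_POST["id"] : "";
$postsecret = (isset($_POST["secret"]) && is_string($_POST["secret"])) ? $_POST["secret"] : "";
if (is_valid_id($postid) && strlen($postsecret) == 32) {
    $password = (isset($_POST["password"]) && is_string($_POST["password"])) ? $_POST["password"] : "";
    $password1 = (isset($_POST["password1"]) && is_string($_POST["password1"])) ? $_POST["password1"] : "";
    // Compare against "" rather than empty(): empty("0") is true and would
    // reject the (odd but legal) password "0".
    if ($password === "" || $password1 === "") {
        $kind = T_("ERROR");
        $msg = T_("NO_EMPTY_FIELDS");
    // Strict comparison: with != PHP compares numeric strings numerically,
    // so "1e1" and "10" would be accepted as a matching pair.
    } elseif ($password !== $password1) {
        $kind = T_("ERROR");
        $msg = T_("PASSWORD_NO_MATCH");
    } else {
        $uid = intval($postid);
        $secretsql = sqlesc($postsecret);
        // Only the row whose stored secret hashes to the presented token
        // may be changed; anything else is reported as "no such user".
        $n = get_row_count("users", "WHERE `id`=".$uid." AND MD5(`secret`) = ".$secretsql);
        if ($n != 1) {
            show_error_msg(T_("ERROR"), T_("NO_SUCH_USER"));
        } else {
            // The UPDATE is deliberately inside the else branch: it must not
            // run, and SUCCESS must not be reported, unless the token matched
            // (independently of whether show_error_msg() terminates the script).
            // A fresh secret is written at the same time, so the mailed link
            // cannot be replayed once the password has been changed.
            // sqlesc() returns a quoted SQL literal (it is used without
            // surrounding quotes for `secret` on this same statement), so the
            // hash is passed through it too instead of being quoted by hand.
            $newsec = sqlesc(mksecret());
            SQL_Query_exec("UPDATE `users` SET `password` = ".sqlesc(passhash($password)).", `secret` = $newsec WHERE `id`=".$uid." AND MD5(`secret`) = ".$secretsql);
            $kind = T_("SUCCESS");
            $msg = T_("PASSWORD_CHANGED_OK");
        }
    }
}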
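// --- Step 1 of the recovery flow: the user posted an e-mail address through
// the form that targets account-recover.php?take=1. On a match a new
// per-user secret is stored and a link carrying MD5(secret) is mailed to
// the address on file (never to the address typed into the form, although
// the lookup makes them identical here).
if ($_SERVER["REQUEST_METHOD"] == "POST"
    && isset($_GET["take"]) && is_string($_GET["take"]) && $_GET["take"] === "1") {
    // Guarded read: a missing or non-string "email" field is treated as an
    // empty address and rejected by validemail() below.
    $email = (isset($_POST["email"]) && is_string($_POST["email"])) ? trim($_POST["email"]) : "";
    if (!validemail($email)) {
        $msg = T_("EMAIL_ADDRESS_NOT_VAILD");
        $kind = T_("ERROR");
    } else {
        $res = SQL_Query_exec("SELECT id, username, email FROM users WHERE email=" . sqlesc($email) . " LIMIT 1");
        $arr = mysql_fetch_assoc($res);
        if (!$arr) {
            // NOTE(review): answering differently for unknown addresses lets a
            // caller tell which e-mails are registered. A uniform "if the
            // address exists, mail was sent" message would avoid that; the
            // existing translation key is kept here to preserve behaviour.
            $msg = T_("EMAIL_ADDRESS_NOT_FOUND");
            $kind = T_("ERROR");
        } else {
            $sec = mksecret();
            $secmd5 = md5($sec);
            $id = $arr['id'];
            // Persist the new secret BEFORE the mail goes out: the link must
            // never be sent for a secret that failed to reach the database.
            SQL_Query_exec("UPDATE `users` SET `secret` = ".sqlesc($sec)." WHERE `email`= ". sqlesc($email) ." LIMIT 1");
            $body = "Someone from " . $_SERVER["REMOTE_ADDR"] . ", hopefully you, requested that the account details for the account associated with this email address ($email) be mailed back. \r\n\r\n Here is the information we have on file for this account: \r\n\r\n User name: ".$arr["username"]." \r\n To change your password, you have to follow this link:\n\n$site_config[SITEURL]/account-recover.php?id=$id&secret=$secmd5\n\n\n".$site_config["SITENAME"]."\r\n";
            // NOTE(review): sendmail() failures are suppressed and the user is
            // still shown SUCCESS; sendmail()'s return contract is not visible
            // from this file, so this is left as a best-effort send.
            @sendmail($arr["email"], "Your account details", $body, "", "-f".$site_config['SITEEMAIL']);
            $msg = sprintf(T_('MAIL_RECOVER'), htmlspecialchars($email));
            $kind = T_("SUCCESS");
        }
    }
}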
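// --- Page output. Shows any notice produced above, then either the
// new-password form (when the request carries a well-formed id/secret pair
// from the mailed link) or the e-mail form that starts the flow.
stdhead();
begin_frame(T_("RECOVER_ACCOUNT"));
if ($kind != "0") {
    // $msg is always assigned together with $kind by the handlers above.
    show_error_msg("Notice", "$kind: $msg", 0);
}
// Guarded reads: on a plain GET without parameters neither key exists.
$getid = isset($_GET["id"]) ? $_GET["id"] : "";
$getsecret = (isset($_GET["secret"]) && is_string($_GET["secret"])) ? $_GET["secret"] : "";
if (is_valid_id($getid) && strlen($getsecret) == 32) {
    // Both values are reflected into HTML attributes below, so they are
    // escaped first; a 32-byte secret is enough room to break out of an
    // unescaped value="" attribute.
    $idattr = htmlspecialchars((string)$getid, ENT_QUOTES, 'UTF-8');
    $secretattr = htmlspecialchars($getsecret, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="account-recover.php">
<table border="0" cellspacing="0" cellpadding="5">
<tr>
<td>
<b><?php echo T_("NEW_PASSWORD"); ?></b>:
</td>
<td>
<input type="hidden" name="secret" value="<?php echo $secretattr; ?>" />
<input type="hidden" name="id" value="<?php echo $idattr; ?>" />
<input type="password" size="40" name="password" />
</td>
</tr>
<tr>
<td>
<b><?php echo T_("REPEAT"); ?></b>:
</td>
<td>
<input type="password" size="40" name="password1" />
</td>
</tr>
<tr>
<td> </td>
<td><input type="submit" value="<?php echo T_("SUBMIT"); ?>" /></td>
</tr>
</table>
</form>
<?php } else { echo T_("USE_FORM_FOR_ACCOUNT_DETAILS"); ?>
<form method="post" action="account-recover.php?take=1">
<table border="0" cellspacing="0" cellpadding="5">
<tr>
<td><b><?php echo T_("EMAIL_ADDRESS"); ?>:</b></td>
<td><input type="text" size="40" name="email" /> <input type="submit" value="<?php echo T_("SUBMIT");?>" /></td>
</tr>
</table>
</form>
<?php
}
end_frame();
stdfoot();
?>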