Tom - 2005-02-01 16:08:03
Hi,
In the function "activate_new_password" you put the new password in the place where you find the old one. But how can you guarantee that it is the right user?
Solution proposal: store $_GET['id'] in $_SESSION like you do with activate and pass it as a parameter to the function. Then also compare against the id inside the function:
activate_password.php:
    if (isset($_GET['activate']) && isset($_GET['id'])) { // these two variables are required for activating/updating the account/password
        if ($act_password->check_activation_password($_GET['activate'], $_GET['id'])) { // the activation/validation method
            $_SESSION['activation'] = $_GET['activate']; // put the activation string into a session or into a hidden field
            $_SESSION['actid'] = $_GET['id']; // put the id string into a session or into a hidden field
        }
    }
    // only change the password when a validated activation string and id are in the session
    if (isset($_POST['Submit']) && isset($_SESSION['activation']) && isset($_SESSION['actid'])) {
        $act_password->activate_new_password($_POST['password'], $_SESSION['activation'], $_SESSION['actid']); // this will change the password
    }
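activate_new_password.php:
    function activate_new_password($new_pass, $old_pass, $id) {
        if (strlen($new_pass) >= 4) {
            // escape the values that originally came from $_GET before they go into the SQL
            $old_pass = mysql_real_escape_string($old_pass);
            $id = mysql_real_escape_string($id);
            // match on the activation string AND the id, so only this user's row is updated
            $sql_new_pass = sprintf("UPDATE %s SET pw = '%s' WHERE pw = '%s' AND id = '%s'", $this->table_name, md5($new_pass), $old_pass, $id);
            // mysql_query() also returns true when no row matched, so check the affected rows too
            if (mysql_query($sql_new_pass) && mysql_affected_rows() == 1) {
                $this->the_msg = $this->messages(30);
                // look up the login name so it can be shown
                $activate_new_result = mysql_query(sprintf("SELECT login FROM %s WHERE id = '%s'", $this->table_name, $id));
                $this->user = mysql_result($activate_new_result, 0, "login");
            } else {
                $this->the_msg = $this->messages(14);
            }
        } else {
            $this->the_msg = $this->messages(32);
        }
    }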
P.S.: You also need to look up the username and write it into $this->user to show it correctly.
br,
TS
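
The check proposed in the post above, as an added example that is not part of the original post or of the class it discusses: the UPDATE is scoped to the activation string and the user id, uses bound parameters, and only succeeds when exactly one row changed. Assumptions: PDO with the SQLite driver, a constructed `users` table with two accounts sharing one activation string, and `password_hash()` swapped in for the post's `md5()`.

```php
<?php
// Added example with constructed table, column and account names.
function activate_new_password(PDO $db, string $newPass, string $token, int $id): ?string
{
    if (strlen($newPass) < 4) {
        return null; // same minimum length as in the post
    }
    // Match the activation string AND the id; values are bound, not
    // formatted into the SQL text.
    $upd = $db->prepare('UPDATE users SET pw = :new WHERE pw = :token AND id = :id');
    $upd->execute([
        ':new'   => password_hash($newPass, PASSWORD_DEFAULT), // instead of md5()
        ':token' => $token,
        ':id'    => $id,
    ]);
    if ($upd->rowCount() !== 1) {
        return null; // the token does not belong to this id, nothing was changed
    }
    // Look up the login name for display, as the P.S. asks.
    $sel = $db->prepare('SELECT login FROM users WHERE id = :id');
    $sel->execute([':id' => $id]);
    $login = $sel->fetchColumn();
    return $login === false ? null : (string) $login;
}

// Constructed data: alice and bob hold the same activation string.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw TEXT)');
$db->exec("INSERT INTO users (id, login, pw) VALUES
    (1, 'alice', 'tok123'), (2, 'bob', 'tok123'), (3, 'carol', 'other')");

// id 3 does not hold this activation string
var_dump(activate_new_password($db, 'new-secret', 'tok123', 3));
// id 2 holds it
var_dump(activate_new_password($db, 'new-secret', 'tok123', 2));
// alice shares the activation string but was not the target id
var_dump($db->query('SELECT pw FROM users WHERE id = 1')->fetchColumn());
```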