Add username check to reset pass

This feels slightly more secure - Can be direct session username (change password while logged on) - Generate key, link it to username, email key for verification of lost password
2024-12-21 09:42:40 +00:00 · 2013-07-26 23:47:51 -05:00 · 2013-07-26 23:47:51 -05:00 · 5b33d2a443
commit 5b33d2a443
parent 688a56d184
2 changed files with 4 additions and 3 deletions
--- a/api.backend.php
+++ b/api.backend.php
@ -361,7 +361,7 @@ class api{
 		return "APIKey reset. Key: $key";
 	}

-	function resetPass($apidb, $apikey, $udb, $email, $newpass){
+	function resetPass($apidb, $apikey, $udb, $username, $email, $newpass){
 		$apisql = "SELECT * FROM `users` WHERE `key` = '$apikey' LIMIT 1;";
 		if(!$result = $apidb->query($apisql)) return 'ERROR: ['.$apidb->error.']';
 		if($row = $result->fetch_assoc()){
@ -374,7 +374,7 @@ class api{
 			if(!$result = $apidb->query($apisql)) return 'ERROR: ['.$apidb->error.']';
 		}
 		
-		$sql = "SELECT * FROM `users` WHERE `email` = '$email'";
+		$sql = "SELECT * FROM `users` WHERE `email` = '$email' AND `username` = '$username' LIMIT 1;";
 		if(!$result = $udb->query($sql)) return 'ERROR: ['.$udb->error.']';

 		$iterations = mt_rand(11, 51);
--- a/api.test.php
+++ b/api.test.php
@ -15,6 +15,7 @@ $unpsAPI = new api();
 //echo $unpsAPI->regUser($apidb, '580658027', $udb, 'David', 'password123', 'tehfoxy.c0de@gmail.com'); // Register users
 //echo $unpsAPI->regAPI($apidb, '580658027', 'UnPS-GAMA Link Shortener', 'tehfoxy.c0de@gmail.com', '1,0,0,0'); // Register API user

-echo $unpsAPI->resetAPI($apidb, '580658027', 'UnPS-GAMA Link Shortener', 'tehfoxy.c0de@gmail.com', '279qit9');
+//echo $unpsAPI->resetAPI($apidb, '580658027', 'UnPS-GAMA Link Shortener', 'tehfoxy.c0de@gmail.com', '279qit9'); // test reset api key
+echo $unpsAPI->resetPass($apidb, '580658027', $udb, 'David', 'tefoxy.c0de@gmail.com', 'password1234s'); // Test change password

 ?>