add captcha for login forgot

WBCE · Nov 28, 2021 · 6ca63f0 · 6ca63f0
1 parent a357357
commit 6ca63f0
Show file tree

Hide file tree

Showing 9 changed files with 225 additions and 154 deletions.
diff --git a/wbce/admin/login/forgot/index.php b/wbce/admin/login/forgot/index.php
@@ -17,99 +17,117 @@
 // Include the database class file and initiate an object
 require WB_PATH . '/framework/class.admin.php';
 $admin = new admin('Start', 'start', false, false);
+require_once(WB_PATH.'/include/captcha/captcha.php');
 
 $oMsgBox = new MessageBox();
 $oMsgBox->closeBtn = '';
 
 // Check if the user has already submitted the form, otherwise show it
-if (isset($_POST['email']) and $_POST['email'] != "") {
+if (isset($_POST['email']) && $_POST['email'] != "" ) {
     $email = strip_tags($wb->get_post('email'));
-    if ($admin->validate_email($email) == false) {
-        $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
+    if(isset($_POST['captcha']) AND $_POST['captcha'] != ''){
+        $ccheck = time(); $ccheck1 = time();
+        if(isset($_SESSION['captchaloginforgot'])) $ccheck1 = $_SESSION['captchaloginforgot'];
+        if(isset($_SESSION['captcha'])) $ccheck = $_SESSION['captcha'];
+        if($_POST['captcha'] != $ccheck && $_POST['captcha'] != $ccheck1) {
+            $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
+            $email = '';
+        }
+    } else {
+        $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
         $email = '';
     }
-
-    // Check if the email exists in the database
-    $sSql = "SELECT * FROM `{TP}users` WHERE `email` = '" . $email . "'";
-    $rRow = $database->query($sSql);
-    if ($rRow->numRows() > 0) {
-
-        // Get the id, username, email, and last_reset from the above db query
-        $aUser = $rRow->fetchRow();
-        if (strlen($aUser['signup_confirmcode']) > 25) {
-            header("Location: " . WB_URL . "/account/signup_continue_page.php?switch=wrong_inputs");
-            exit(0); // break up the script here
-        }
-
-
-        // Check if the password has been reset in the last 2 hours
-        if ((time() - intval($aUser['last_reset'])) < (2 * 3600)) {
-            // Tell the user that their password cannot be reset more than once per hour
-            $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']);
-        } else {
-            $sCurrentPw = $aUser['password'];
-
-            // Generate a random password then update the database with it
-            $sNewPw = '';
-            $salt = "abchefghjkmnpqrstuvwxyz0123456789";
-            srand((double)microtime() * 1000000);
-            $i = 0;
-            while ($i <= 7) {
-                $num = rand() % 33;
-                $tmp = substr($salt, $num, 1);
-                $sNewPw = $sNewPw . $tmp;
-                $i++;
+
+
+
+    if ($email != '') {
+
+            if ($admin->validate_email($email) == false) {
+                $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
+            }
+
+        // Check if the email exists in the database
+        $sSql = "SELECT * FROM `{TP}users` WHERE `email`='".$database->escapeString($email)."'";
+        $rRow = $database->query($sSql);
+        if ($rRow->numRows() > 0) {
+
+            // Get the id, username, email, and last_reset from the above db query
+            $aUser = $rRow->fetchRow();
+            if (strlen($aUser['signup_confirmcode']) > 25) {
+                header("Location: " . WB_URL . "/account/signup_continue_page.php?switch=wrong_inputs");
+                exit(0); // break up the script here
             }
 
-            // update the new password in the database
-            $aUpdateUser = array(
-                'user_id' => $aUser['user_id'],
-                'password' => $wb->doPasswordEncode($sNewPw),
-                'last_reset' => time(),
-            );
-            $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
-
-            if ($database->is_error()) {
-                // Error updating database
-                $oMsgBox->error($database->get_error());
-            } else {
-                // Setup email to send
-                $mail_to = $email;
-                $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
-
-                // Replace placeholders from language variable with values
-                $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
-                $replace = array($aUser['display_name'], WEBSITE_TITLE, $aUser['username'], $sNewPw);
-
-                $aTokenReplace = array(
-                    '{LOGIN_DISPLAY_NAME}' => $aUser['display_name'],
-                    '{LOGIN_NAME}' => $aUser['username'],
-                    '{LOGIN_WEBSITE_TITLE}' => WEBSITE_TITLE,
-                    '{LOGIN_PASSWORD}' => $sNewPw
-                );
 
+            // Check if the password has been reset in the last 2 hours
+            if ((time() - intval($aUser['last_reset'])) < (2 * 3600)) {
+                // Tell the user that their password cannot be reset more than once per hour
+                $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']);
+            } else {
+                $sCurrentPw = $aUser['password'];
+
+                // Generate a random password then update the database with it
+                $sNewPw = '';
+                $salt = "abchefghjkmnpqrstuvwxyz0123456789";
+                srand((double)microtime() * 1000000);
+                $i = 0;
+                while ($i <= 7) {
+                    $num = rand() % 33;
+                    $tmp = substr($salt, $num, 1);
+                    $sNewPw = $sNewPw . $tmp;
+                    $i++;
+                }
 
-                $mail_message = strtr($MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT'], $aTokenReplace);
+                // update the new password in the database
+                $aUpdateUser = array(
+                    'user_id' => $aUser['user_id'],
+                    'password' => $wb->doPasswordEncode($sNewPw),
+                    'last_reset' => time(),
+                );
+                $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
 
-                // Try sending the email
-                if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) {
-                    $oMsgBox->error($MESSAGE['FORGOT_PASS_PASSWORD_RESET']);
-                    $display_form = false;
+                if ($database->is_error()) {
+                    // Error updating database
+                    $oMsgBox->error($database->get_error());
                 } else {
-                    $aUpdateUser = array(
-                        'user_id' => $aUser['user_id'],
-                        'password' => $sCurrentPw
+                    // Setup email to send
+                    $mail_to = $email;
+                    $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
+
+                    // Replace placeholders from language variable with values
+                    $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
+                    $replace = array($aUser['display_name'], WEBSITE_TITLE, $aUser['username'], $sNewPw);
+
+                    $aTokenReplace = array(
+                        '{LOGIN_DISPLAY_NAME}' => $aUser['display_name'],
+                        '{LOGIN_NAME}' => $aUser['username'],
+                        '{LOGIN_WEBSITE_TITLE}' => WEBSITE_TITLE,
+                        '{LOGIN_PASSWORD}' => $sNewPw
                     );
-                    $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
-                    $oMsgBox->error($MESSAGE['FORGOT_PASS_CANNOT_EMAIL']);
+
+
+                    $mail_message = strtr($MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT'], $aTokenReplace);
+
+                    // Try sending the email
+                    if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) {
+                        $oMsgBox->error($MESSAGE['FORGOT_PASS_PASSWORD_RESET']);
+                        $display_form = false;
+                    } else {
+                        $aUpdateUser = array(
+                            'user_id' => $aUser['user_id'],
+                            'password' => $sCurrentPw
+                        );
+                        $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
+                        $oMsgBox->error($MESSAGE['FORGOT_PASS_CANNOT_EMAIL']);
+                    }
                 }
             }
+        } else {
+            // Email doesn't exist, so tell the user
+            $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']);
+            // and delete the wrong Email
+            $email = '';
         }
-    } else {
-        // Email doesn't exist, so tell the user
-        $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']);
-        // and delete the wrong Email
-        $email = '';
     }
 } else {
     $email = '';
@@ -124,6 +142,13 @@
 $template->set_file('page', 'login_forgot.htt');
 $template->set_block('page', 'main_block', 'main');
 
+ob_start();
+call_captcha("all","",'loginforgot');
+$captcha = ob_get_contents();
+ob_end_clean();
+
+
+
 $aTemplateVars = array(
     'SECTION_FORGOT' => $MENU['FORGOT'],
     'MESSAGE_COLOR' => '', //$message_color,
@@ -143,6 +168,7 @@
     'INTERFACE_URL' => ADMIN_URL . '/interface',
     'DEFAULT_CHARSET' => defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : 'utf-8',
     'CHARSET' => isset($charset) ? $charset : 'utf-8',
+    'CAPTCHA' => $captcha
 );
 $template->set_var($aTemplateVars);