From e538ce3f3720230d66eab20925a0be3bf90f50c9 Mon Sep 17 00:00:00 2001
From: Carson Fleming
Date: Mon, 12 Dec 2022 06:36:57 -0800
Subject: Try and add a captcha to the forgot password form too
---
 forgot.php | 61 ++++++++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 40 insertions(+), 21 deletions(-) (limited to 'forgot.php')
diff --git a/forgot.php b/forgot.php
index 41625f2..03ddf9d 100644
--- a/forgot.php
+++ b/forgot.php
@@ -3,25 +3,30 @@
 require('inc/common.php');
 if ($b_user['id'] > 0) loggedin();
 if (!empty($_POST['email'])) {
- $db = new bdb() or fatal('No database connection!');
- $token = uniqid('fp', true);
- $result = $db->query('SELECT id FROM users WHERE email = \''.$db->escape_string($_POST['email']).'\'') or fatal($db->error);
- if ($result->num_rows > 0) {
- $row = $result->fetch_assoc();
- $newpass = pwgen(10);
- $db->query('UPDATE users SET password = \''.bulletin_hash($newpass).'\' WHERE id = '.$row['id']) or fatal($db->error);
- if ($db->affected_rows < 1) fatal('Could not affect the database');
- $result->free();
- $db->close();
- bulletin_mail($_POST['email'], 'Recover Your Bulletin Account', tpl(array(
- 'newpass' => htmlentities($newpass),
-), 'forgot.tpl')) or fatal('Could not send out the recovery email, we apologize for the inconvenience.');
- fatal('A recovery email has been sent to the address you supplied. You can use this email to restore access to your account.', $b_config['base_url'].'login.php');
+ if (!empty($b_config['recaptcha_api_key']) && !recaptcha_verify($_POST['g-recaptcha-response'])) {
+ $e = 2;
+ $e_msg = 'Your CAPTCHA solution was not valid.';
 } else {
- $result->free();
- $db->close();
- $e = 1;
- $e_msg = 'That email address is not listed in our database.';
+ $db = new bdb() or fatal('No database connection!');
+ $token = uniqid('fp', true);
+ $result = $db->query('SELECT id FROM users WHERE email = \''.$db->escape_string($_POST['email']).'\'') or fatal($db->error);
+ if ($result->num_rows > 0) {
+ $row = $result->fetch_assoc();
+ $newpass = pwgen(10);
+ $db->query('UPDATE users SET password = \''.bulletin_hash($newpass).'\' WHERE id = '.$row['id']) or fatal($db->error);
+ if ($db->affected_rows < 1) fatal('Could not affect the database');
+ $result->free();
+ $db->close();
+ bulletin_mail($_POST['email'], 'Recover Your Bulletin Account', tpl(array(
+ 'newpass' => htmlentities($newpass)
+ ), 'forgot.tpl')) or fatal('Could not send out the recovery email, we apologize for the inconvenience.');
+ fatal('A recovery email has been sent to the address you supplied. You can use this email to restore access to your account.', $b_config['base_url'].'login.php');
+ } else {
+ $result->free();
+ $db->close();
+ $e = 1;
+ $e_msg = 'That email address is not listed in our database.';
+ }
 }
 }
 ?>
@@ -32,6 +37,7 @@ if (!empty($_POST['email'])) { Forgot Password / Bulletin +
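Review bot: `$_POST['g-recaptcha-response']` is read without a guard in the new condition, so a submission that omits the field raises an undefined-index warning and hands `null` to `recaptcha_verify()` instead of being rejected outright; `!recaptcha_verify($_POST['g-recaptcha-response'] ?? '')` keeps the check strict and quiet. The two result branches also still answer differently (`'That email address is not listed in our database.'` versus the sent-confirmation), so the form continues to reveal which addresses have accounts even with the CAPTCHA in front of it; returning the same confirmation wording from both branches would close that. `$token = uniqid('fp', true);` is assigned on the new side but never used, which looks like a remnant of an abandoned token-based flow, and the reset still overwrites the stored password immediately for whatever address is submitted, with the CAPTCHA as the only gate. The enclosing `if (!empty($_POST['email']))` block is complete within the hunk.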