Improve security

Change-Id: Ia98bb629c8c81f609d3a5e4d023616a95f9c4248
diff --git a/php/change_password.php b/php/change_password.php
index 819d388..50eb9c1 100644
--- a/php/change_password.php
+++ b/php/change_password.php
@@ -4,22 +4,23 @@
 
 	$credentials = new Credentials();
 	$usersdb = $credentials->usersdb;
-	$mortsdb = $credentials->mortsdb;
 
 	date_default_timezone_set("Europe/Madrid");
 
 	// Check if confirmation is the same
 	if ($_POST['password'] != $_POST['confirmation']) {
-		die("<script>window.location.href = '../main.php?wrongconfirmation=1'</script>");
+		header("Location: /main.php?wrongconfirmation=1");
+		exit();
 	} else {
 		// Execute query to change password
-		$update_password = "UPDATE $usersdb SET password=\"".md5($_POST['password'])."\" WHERE id=".$_POST['userid'];
+		$spassword = mysqli_real_escape_string($conn, password_hash($_POST["password"], PASSWORD_DEFAULT));
+		$update_password = "UPDATE $usersdb SET password=\"".$spassword."\" WHERE id=".(int)$_POST['userid'];
 		if(!$result = query($update_password)) die("<script>window.location.href = '../main.php?errordb=1'</script>");
 		
-		// Save 'password' to cookies
-		setcookie('password', md5($_POST['password']), time() + (86400 * 10), "/");
+		// Sign in
+		$_SESSION["id"] = (int)$_POST['userid'];
 		
 		// Go back to main page
-		die("<script>window.location.href = '../main.php?successpassword=1'</script>");
+		header("Location: /main.php?successpassword=1");
+		exit();
 	}
-?>
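Review bot: The password change is still keyed on the client-supplied `$_POST['userid']`, and the added `$_SESSION["id"] = (int)$_POST['userid'];` then signs the requester in as that account, so nothing visible in this hunk ties the request to the account's owner. Unless a check in the file's first three lines (outside the hunk) already enforces this, the id should come from server-side state, e.g. `$userid = (int)$_SESSION['id'];` for a logged-in user or a verified reset token, and the current password or token should be validated before the UPDATE runs. Where the session is populated, calling `session_regenerate_id(true);` just before the assignment avoids carrying a pre-authentication session id into the signed-in state. Separately, `$conn` is not defined in the visible lines while the statement itself is sent through `query()`; if it is not in scope, the `mysqli_real_escape_string` call fails and the stored value is not the hash, so a prepared statement with bound parameters would be more robust than escaping and concatenating.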