Improve security
Change-Id: Ia98bb629c8c81f609d3a5e4d023616a95f9c4248
diff --git a/php/change_password.php b/php/change_password.php
index 819d388..50eb9c1 100644
--- a/php/change_password.php
+++ b/php/change_password.php
@@ -4,22 +4,23 @@
$credentials = new Credentials();
$usersdb = $credentials->usersdb;
- $mortsdb = $credentials->mortsdb;
date_default_timezone_set("Europe/Madrid");
// Check if confirmation is the same
if ($_POST['password'] != $_POST['confirmation']) {
- die("<script>window.location.href = '../main.php?wrongconfirmation=1'</script>");
+ header("Location: /main.php?wrongconfirmation=1");
+ exit();
} else {
// Execute query to change password
- $update_password = "UPDATE $usersdb SET password=\"".md5($_POST['password'])."\" WHERE id=".$_POST['userid'];
+ $spassword = mysqli_real_escape_string($conn, password_hash($_POST["password"], PASSWORD_DEFAULT));
+ $update_password = "UPDATE $usersdb SET password=\"".$spassword."\" WHERE id=".(int)$_POST['userid'];
if(!$result = query($update_password)) die("<script>window.location.href = '../main.php?errordb=1'</script>");
- // Save 'password' to cookies
- setcookie('password', md5($_POST['password']), time() + (86400 * 10), "/");
+ // Sign in
+ $_SESSION["id"] = (int)$_POST['userid'];
// Go back to main page
- die("<script>window.location.href = '../main.php?successpassword=1'</script>");
+ header("Location: /main.php?successpassword=1");
+ exit();
}
-?>
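Review bot: The account whose password is rewritten, and which the request is then signed in as at `$_SESSION["id"] = (int)$_POST['userid'];`, is still chosen by the client-supplied `userid` field, and nothing in the hunk ties that value to the currently authenticated user; unless the file's first lines (outside the hunk) do so, the UPDATE target should be taken from the existing session or verified against the account's current password rather than read from `$_POST`. The guard `if ($_POST['password'] != $_POST['confirmation'])` also passes when both fields are absent, so `password_hash` would hash an empty string; compare with `($_POST['password'] ?? '') !== ($_POST['confirmation'] ?? '')` and reject an empty password before hashing. Because the md5 `password` cookie is no longer written but existing clients keep theirs for up to ten days, expire it here with `setcookie('password', '', time() - 3600, '/');`. Two points to confirm outside this diff: the `password` column must hold a full `password_hash` result (md5 was 32 characters, bcrypt needs 60 and PASSWORD_DEFAULT may grow), and `session_start()` must run before the session write; the query is still assembled by string concatenation, so if `query()` can take bound parameters, a prepared statement would remove the need for `mysqli_real_escape_string` entirely.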