More improvements to security
Change-Id: Ib864df3b2d36f22a1e070829aabbaa8c1ce7bd4c
diff --git a/main.php b/main.php
index ac913a3..c63556a 100644
--- a/main.php
+++ b/main.php
@@ -59,7 +59,7 @@
<body>
<div id="outter-container">
<div id="inner-container">
- <a href="./" class="goback">Canvi d'usuari</a><br />
+ <a href="/php/logout.php" class="goback">Tancar sessió</a><br />
<h2>Hola <name id="user_name"><?=Security::htmlsafe($user->nom())?></name>,</h2>
<div class="formulari_contrasenya">
diff --git a/php/change_password.php b/php/change_password.php
index 50eb9c1..17d64bd 100644
--- a/php/change_password.php
+++ b/php/change_password.php
@@ -1,6 +1,9 @@
<?php
require '../credentials.php';
require 'utils.php';
+ require (dirname(__FILE__)."/security.php");
+
+ Security::checkIsSignedIn();
$credentials = new Credentials();
$usersdb = $credentials->usersdb;
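Review bot: The new `Security::checkIsSignedIn();` call only protects the rest of the script if it terminates the request when no session is present; if it merely returns a result, execution continues and the UPDATE further down runs with `(int)$_SESSION['id']`, i.e. `id=0`, so confirm that it redirects and exits, or guard it explicitly with `if (!Security::checkIsSignedIn()) { Security::goHome(); exit(); }` if it returns a bool. The two includes also resolve paths differently: `require '../credentials.php'` goes through include_path/cwd lookup while the added line anchors on `dirname(__FILE__)`; `require dirname(__FILE__).'/../credentials.php';` would make both deterministic. Whether `session_start()` is performed inside security.php cannot be seen from this hunk and is worth verifying, since `$_SESSION` is read later in this file.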
@@ -11,15 +14,15 @@
if ($_POST['password'] != $_POST['confirmation']) {
header("Location: /main.php?wrongconfirmation=1");
exit();
+ } else if ($_POST['password'] == '') {
+ header("Location: /main.php");
+ exit();
} else {
// Execute query to change password
$spassword = mysqli_real_escape_string($conn, password_hash($_POST["password"], PASSWORD_DEFAULT));
- $update_password = "UPDATE $usersdb SET password=\"".$spassword."\" WHERE id=".(int)$_POST['userid'];
+ $update_password = "UPDATE $usersdb SET password=\"".$spassword."\" WHERE id=".(int)$_SESSION['id'];
if(!$result = query($update_password)) die("<script>window.location.href = '../main.php?errordb=1'</script>");
-
- // Sign in
- $_SESSION["id"] = (int)$_POST['userid'];
-
+
// Go back to main page
header("Location: /main.php?successpassword=1");
exit();
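Review bot: The confirmation check at the top of the hunk still uses loose `!=`, so two different numeric-looking strings such as `1e1` and `10` compare equal and the mismatch goes undetected, and both `$_POST` keys are read without an `isset` guard; change it to `if (!isset($_POST['password'], $_POST['confirmation']) || $_POST['password'] !== $_POST['confirmation']) {` and use `===` in the new empty-password branch as well. Switching from `$_POST['userid']` to `$_SESSION['id']` closes the arbitrary-user update, but nothing in the handler proves the request came from the session owner rather than a cross-site form post: there is no CSRF token and the current password is not verified before the new hash is written, so a logged-in user who visits a hostile page can have their password replaced. Consider requiring a session-bound token and a `password_verify()` of the old password before the UPDATE, and regenerating the session id afterwards. The `if`/`else` chain's closing brace and whatever encloses it lie outside this hunk.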
diff --git a/php/logout.php b/php/logout.php
new file mode 100644
index 0000000..5d8f14a
--- /dev/null
+++ b/php/logout.php
@@ -0,0 +1,5 @@
+<?php
+ require_once("security.php");
+
+ Security::logout();
+ Security::goHome();
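Review bot: This endpoint is reached by a plain GET from the link changed in main.php, so any third-party page can end a user's session by embedding `/php/logout.php` in an image or iframe; serving the logout from a small POST form with a session-bound token (or at least rejecting non-POST requests with `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { Security::goHome(); exit(); }`) avoids that. The include also differs from change_password.php, which uses `dirname(__FILE__)."/security.php"`; `require_once(dirname(__FILE__)."/security.php");` would make resolution independent of include_path. Whether `Security::logout()` clears the session cookie as well as the server-side data cannot be seen here and is worth confirming.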