More improvements to security
Change-Id: Ib864df3b2d36f22a1e070829aabbaa8c1ce7bd4c
diff --git a/php/change_password.php b/php/change_password.php
index 50eb9c1..17d64bd 100644
--- a/php/change_password.php
+++ b/php/change_password.php
@@ -1,6 +1,9 @@
<?php
require '../credentials.php';
require 'utils.php';
+ require (dirname(__FILE__)."/security.php");
+
+ Security::checkIsSignedIn();
$credentials = new Credentials();
$usersdb = $credentials->usersdb;
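Review bot: The added `require (dirname(__FILE__)."/security.php");` is written differently from the two `require` lines right above it (plain relative paths, no parentheses), and `dirname(__FILE__)` has had the `__DIR__` equivalent since PHP 5.3; `require_once __DIR__ . '/security.php';` matches both the surrounding form and current idiom, and `require_once` also avoids a redeclaration error if another included file pulls in security.php. Nothing in the hunk shows where the session is started, yet `Security::checkIsSignedIn()` and the later `$_SESSION['id']` read both depend on it, so the contract is worth recording for the next reader, e.g. `// security.php starts the session and ends the request if nobody is signed in` — assuming that is what checkIsSignedIn() does; if it only returns a bool, the script continues unauthenticated and the caller must exit on false.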
@@ -11,15 +14,15 @@
if ($_POST['password'] != $_POST['confirmation']) {
header("Location: /main.php?wrongconfirmation=1");
exit();
+ } else if ($_POST['password'] == '') {
+ header("Location: /main.php");
+ exit();
} else {
// Execute query to change password
$spassword = mysqli_real_escape_string($conn, password_hash($_POST["password"], PASSWORD_DEFAULT));
- $update_password = "UPDATE $usersdb SET password=\"".$spassword."\" WHERE id=".(int)$_POST['userid'];
+ $update_password = "UPDATE $usersdb SET password=\"".$spassword."\" WHERE id=".(int)$_SESSION['id'];
if(!$result = query($update_password)) die("<script>window.location.href = '../main.php?errordb=1'</script>");
-
- // Sign in
- $_SESSION["id"] = (int)$_POST['userid'];
-
+
// Go back to main page
header("Location: /main.php?successpassword=1");
exit();
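Review bot: Nothing in the hunk verifies the account holder's current password before the `$update_password` UPDATE overwrites the stored hash, so any request carrying a valid session (including one triggered cross-site, since no CSRF token is checked in this file) can set a new credential. Fetching the row for `$_SESSION['id']` and requiring `password_verify($_POST['current_password'] ?? '', $storedHash)` to succeed, redirecting back to main.php otherwise, would close that gap; the `current_password` field name is a constructed example and the form that submits it lives outside this file. The comparisons at the top of the hunk also use loose `!=`/`==`; `!==` and `($_POST['password'] ?? '') === ''` avoid type juggling and the undefined-index notice when a field is missing. Escaping the hash into the SQL string is adequate for the hash itself, but a prepared statement would be the robust form if the project's `query()` helper supports bound parameters.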