user_password.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * displays and handles the form where the user can change his password
   5  * linked from index.php
   6  *
   7  * @package PhpMyAdmin
   8  */
   9
  10 /**
  11  * Gets some core libraries
  12  */
  13 require_once './libraries/common.inc.php';
  14
  15 $response = PMA_Response::getInstance();
  16 $header   = $response->getHeader();
  17 $scripts  = $header->getScripts();
  18 $scripts->addFile('server_privileges.js');
  19
  20 /**
  21  * Displays an error message and exits if the user isn't allowed to use this
  22  * script
  23  */
  24 if (! $GLOBALS['cfg']['ShowChgPassword']) {
  25     $GLOBALS['cfg']['ShowChgPassword'] = $GLOBALS['dbi']->selectDb('mysql');
  26 }
  27 if ($cfg['Server']['auth_type'] == 'config' || ! $cfg['ShowChgPassword']) {
  28     PMA_Message::error(
  29         __('You don\'t have sufficient privileges to be here right now!')
  30     )->display();
  31     exit;
  32 } // end if
  33
  34 /**
  35  * If the "change password" form has been submitted, checks for valid values
  36  * and submit the query or logout
  37  */
  38 if (isset($_REQUEST['nopass'])) {
  39     if ($_REQUEST['nopass'] == '1') {
  40         $password = '';
  41     } else {
  42         $password = $_REQUEST['pma_pw'];
  43     }
  44     $change_password_message = PMA_setChangePasswordMsg();
  45     $msg = $change_password_message['msg'];
  46     if (! $change_password_message['error']) {
  47         PMA_changePassword($password, $msg, $change_password_message);
  48     } else {
  49         PMA_getChangePassMessage($change_password_message);
  50     }
  51 }
  52
  53 /**
  54  * If the "change password" form hasn't been submitted or the values submitted
  55  * aren't valid -> displays the form
  56  */
  57
  58 // Displays an error message if required
  59 if (isset($msg)) {
  60     $msg->display();
  61     unset($msg);
  62 }
  63
  64 require_once './libraries/display_change_password.lib.php';
  65 echo PMA_getHtmlForChangePassword($username, $hostname);
  66 exit;
  67
  68 /**
  69  * Send the message as an ajax request
  70  *
  71  * @param array  $change_password_message Message to display
  72  * @param string $sql_query               SQL query executed
  73  *
  74  * @return void
  75  */
  76 function PMA_getChangePassMessage($change_password_message, $sql_query = '')
  77 {
  78     if ($GLOBALS['is_ajax_request'] == true) {
  79         /**
  80          * If in an Ajax request, we don't need to show the rest of the page
  81          */
  82         $response = PMA_Response::getInstance();
  83         if ($change_password_message['error']) {
  84             $response->addJSON('message', $change_password_message['msg']);
  85             $response->isSuccess(false);
  86         } else {
  87             $sql_query = PMA_Util::getMessage(
  88                 $change_password_message['msg'],
  89                 $sql_query,
  90                 'success'
  91             );
  92             $response->addJSON('message', $sql_query);
  93         }
  94         exit;
  95     }
  96 }
  97
  98 /**
  99  * Generate the message
 100  *
 101  * @return array   error value and message
 102  */
 103 function PMA_setChangePasswordMsg()
 104 {
 105     $error = false;
 106     $message = PMA_Message::success(__('The profile has been updated.'));
 107
 108     if (($_REQUEST['nopass'] != '1')) {
 109         if (empty($_REQUEST['pma_pw']) || empty($_REQUEST['pma_pw2'])) {
 110             $message = PMA_Message::error(__('The password is empty!'));
 111             $error = true;
 112         } elseif ($_REQUEST['pma_pw'] != $_REQUEST['pma_pw2']) {
 113             $message = PMA_Message::error(__('The passwords aren\'t the same!'));
 114             $error = true;
 115         }
 116     }
 117     return array('error' => $error, 'msg' => $message);
 118 }
 119
 120 /**
 121  * Change the password
 122  *
 123  * @param string $password                New password
 124  * @param string $message                 Message
 125  * @param array  $change_password_message Message to show
 126  *
 127  * @return void
 128  */
 129 function PMA_changePassword($password, $message, $change_password_message)
 130 {
 131     global $auth_plugin;
 132
 133     $hashing_function = PMA_changePassHashingFunction();
 134     if (PMA_Util::getServerType() === 'MySQL' && PMA_MYSQL_INT_VERSION >= 50706) {
 135         $sql_query = 'ALTER USER USER() IDENTIFIED BY '
 136             . (($password == '') ? '\'\'' : '\'***\'');
 137     } else {
 138         $sql_query = 'SET password = '
 139             . (($password == '') ? '\'\'' : $hashing_function . '(\'***\')');
 140     }
 141     PMA_changePassUrlParamsAndSubmitQuery(
 142         $password, $sql_query, $hashing_function
 143     );
 144
 145     $auth_plugin->handlePasswordChange($password);
 146     PMA_getChangePassMessage($change_password_message, $sql_query);
 147     PMA_changePassDisplayPage($message, $sql_query);
 148 }
 149
 150 /**
 151  * Generate the hashing function
 152  *
 153  * @return string  $hashing_function
 154  */
 155 function PMA_changePassHashingFunction()
 156 {
 157     if (PMA_isValid($_REQUEST['pw_hash'], 'identical', 'old')) {
 158         $hashing_function = 'OLD_PASSWORD';
 159     } else {
 160         $hashing_function = 'PASSWORD';
 161     }
 162     return $hashing_function;
 163 }
 164
 165 /**
 166  * Generate the error url and submit the query
 167  *
 168  * @param string $password         Password
 169  * @param string $sql_query        SQL query
 170  * @param string $hashing_function Hashing function
 171  *
 172  * @return void
 173  */
 174 function PMA_changePassUrlParamsAndSubmitQuery(
 175     $password, $sql_query, $hashing_function
 176 ) {
 177     $err_url = 'user_password.php' . PMA_URL_getCommon();
 178     if (PMA_Util::getServerType() === 'MySQL' && PMA_MYSQL_INT_VERSION >= 50706) {
 179         $local_query = 'ALTER USER USER() IDENTIFIED BY ' . (($password == '')
 180             ? '\'\''
 181             : '\'' . PMA_Util::sqlAddSlashes($password) . '\'');
 182     } else {
 183         $local_query = 'SET password = ' . (($password == '')
 184             ? '\'\''
 185             : $hashing_function . '(\'' . PMA_Util::sqlAddSlashes($password) . '\')');
 186     }
 187     if (! @$GLOBALS['dbi']->tryQuery($local_query)) {
 188         PMA_Util::mysqlDie($GLOBALS['dbi']->getError(), $sql_query, false, $err_url);
 189     }
 190 }
 191
 192 /**
 193  * Display the page
 194  *
 195  * @param string $message   Message
 196  * @param string $sql_query SQL query
 197  *
 198  * @return void
 199  */
 200 function PMA_changePassDisplayPage($message, $sql_query)
 201 {
 202     echo '<h1>' . __('Change password') . '</h1>' . "\n\n";
 203     echo PMA_Util::getMessage(
 204         $message, $sql_query, 'success'
 205     );
 206     echo '<a href="index.php' . PMA_URL_getCommon()
 207         . ' target="_parent">' . "\n"
 208         . '<strong>' . __('Back') . '</strong></a>';
 209     exit;
 210 }