Added SQL Injection prevention

The hash does not work with most email clients, needs more testing
root 16 years ago
parent a8ca38dcaf
commit 16d7b35bae

@ -117,7 +117,7 @@
$_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
} else {
$query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
where `id`='".$_SESSION['lostpw']['user']['id']."'";
where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
mysql_query($query) || die(mysql_error());
showheader(_("Welcome to"));
echo _("Your Pass Phrase has been updated and your primary email account has been notified of the change.");
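Review bot: The update statement on the line above the changed `where` clause still interpolates `$_SESSION['lostpw']['pw1']` directly into the SQL string, so the injection this commit sets out to prevent remains reachable through the pass phrase itself; `intval()` only fixes the `id` operand. The pass phrase should be escaped for the same connection before interpolation, e.g. `sha1('".mysql_real_escape_string($_SESSION['lostpw']['pw1'])."')`, or the whole query should move to a parameterised statement. Separately, `mysql_query($query) || die(mysql_error());` prints the raw database error to the client on failure, which discloses schema and query details; log it server-side and show a generic message instead. The enclosing function or branch begins before this hunk.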
@ -538,7 +538,7 @@
$body = _("Thanks for signing up with, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash&lang=".$_SESSION['_config']['language']."\n\n";
$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; //."&"."lang=".$_SESSION['_config']['language']."\n\n";
$body .= _("Best regards")."\n"._(" Support!");
sendmail($_SESSION['signup']['email'], "[] "._("Mail Probe"), $body, "", "", "", "CAcert Support");