Mysidia Adoptables v1.3.0[Security Release]

[Hall of Famer]

Yes it does make a difference. On My pokemansion site, if you are logged in using the url http://www.pokemansion.net, your cookie does not work for http://pokemansion.net(the one without www). I'd say all old Rusnak Adoptables sites have this problem, not sure for Mysidia Adoptables though.

[SilverDragonTears]

You're sooo smart HoF :) Thank you buddy!

[Hall of Famer]

XD I figured this could be the only cause for a malfunctioning cookie. Did you manage to resolve this problem?

[SilverDragonTears]

I found where it was putting in www. so I removed it... we shall see I guess.

[SilverDragonTears]

A member is saying that forgot password is not working.

"it says my details don't match any user in the system"

[Hall of Famer]

I see, same old story with forgotpass.php lol. I will look into the codes and have it fixed soon. Thx for reporting.

[SilverDragonTears]

Will be watching for the fix :)

[Hall of Famer]

Can you post the forgotpass.php file? I will look into it and fix it for you.

[SilverDragonTears]

Code:

<?php

include("functions/functions.php");
include("functions/functions_users.php");
include("inc/rand.php");
include("inc/lang.php");

//***************//
//  START SCRIPT //
//***************//

if($isloggedin == "yes"){

//This is the one page where logged in users can't access the page
//If you are logged in, you know your damn password!

$article_title = "You are already logged in";
$article_content = "You are already logged in.  There is no need for you to be here.";

}
else{

$uname = $_GET["uname"];
$email = $_GET["email"];
$code = $_GET["code"];

if($uname != "" and $email != ""){

//We have submitted values, so we are going to make a new password reset request

if($code != ""){

//We've got an activation code, so let's check and see if we have a match in the database for this...

$stmt = $adopts->query("SELECT * FROM {$prefix}passwordresets WHERE username = '{$uname}' and email = '{$email}' and code='{$code}' ORDER BY id DESC LIMIT 1") ;
$passwordresets = $stmt->fetchObject();

if($passwordresets->username == $uname and $passwordresets->email == $email and $passwordresets->code == $code){

//We have a match, so make a new user password
$newpw = get_rand_id(12);
$newsalt = codegen(15,0);
$newpass = passencr($dbusername, $newpw, $newsalt);

//Update the database with the new password...
$stmt = $adopts->prepare("UPDATE {$prefix}users SET password='{$newpass}' WHERE username='{$dbusername}' and email='{$savedemail}'");
$stmt->execute();

//Delete the entry from the password reset table
$stmt = $adopts->prepare("DELETE FROM {$prefix}passwordresets WHERE code='{$code}'");
$stmt->execute();

$article_title = "Password Reset Successfully";
$article_content = "Dear {$passwordresets->username},<br>Your password has been reset successfully.<br><br>Here is your new password: <b>{$newpw}</b><br><br>
You may now <a href='login.php'>Log In</a> with this new password.  You can also change the password to something that is easier to remember
once you are logged in.";


}
else{
$article_title = "Incorrect activation code";
$article_content = "The activation code you entered is incorrect.  It is possible that the code is invalid.";
}

}
else{

//No code, so we're requesting a new password reset.............

//First thing we do is make sure the requested combination does indeed exist.  Then verify...

$stmt = $adopts->query("SELECT * FROM {$prefix}users WHERE username = '{$uname}' and email = '{$email}'");
$user = $stmt->fetchObject();
//Loop out code

if($num > 0 and $user->username == $uname and $user->email == $email){

//First we generate a random code that will be the reset code

$rand = get_rand_id(10);  //Get a random letter-number combination


//Then we log the user's IP address and the date

$ip = $_SERVER['REMOTE_ADDR'];
$ip = preg_replace("/[^a-zA-Z0-9.]/", "", $ip);

$date = date('Y-m-d');

//Then we insert the info into the passwordresets table in the database

$adopts->query("INSERT INTO {$prefix}passwordresets (id, username, email, code, ip, date)
VALUES ('', '{$uname}', '{$email}', '{$rand}', '{$ip}', '{$date}')");

//Then we send an email to the user with the link to the password reset

$message = "Hello there {$uname}:\n\nOur records indicate that you requested a password reset for your account.  Below is your reset code:\n
Reset Code: {$rand}\n\nTo have your password changed please visit the following URL:\n
http://www.{$domain}{$scriptpath}/forgotpass.php?uname={$uname}&email={$email}&code={$rand}\n\n
If you did NOT request a password reset then please ignore this email to keep your current password.\n\n
Thanks,\n
The {$sitename} team.";

$systememail = grabanysetting("systememail");
$headers = "From: {$systememail}";

mail($email, "Password Reset Request for ".$uname, $message, $headers);

//All done, output message to user. :)

$article_title = "Password Reset Email Sent";
$article_content = "We've sent an email to <b>{$email}</b> with instructions on how to reset your password.  Please
click the password reset link in the email to reset your password.  If you do not get the email shortly then please check
your spam or junk email folder as it may have gotten caught in there.";


}
else{

//We've got an incorrect or fraud request to reset a password...

$article_title = "There's been an error";
$article_content = "There's been an error.  The details you entered do not match any user in our system!  We cannot
reset your password at this time.";

}

}

}
else{

$article_title = "Reset Password";
$article_content = "So, you've forgotten your password?  Don't worry, it happens to the best of us.  Simply 
fill out the form below with your username and email address and we'll email you a link to reset your password.<br><br>
<form name='form1' method='get' action='forgotpass.php'>
  <p>Username: 
    <input name='uname' type='text' id='uname'>
</p>
  <p>Email Address: 
    <input name='email' type='text' id='email'>
</p>
  <p>
    <input type='submit' name='Submit' value='Request Password Reset'>
  </p>
</form>";

}


}


//***************//
//  OUTPUT PAGE  //
//***************//

echo showpage($article_title, $article_content, $date);

?>

[Hall of Famer]

You are not using the updated version of Mys v1.3.0 I uploaded on March 20th, are you? Now to fix this problem, simply get rid of this:

PHP Code:

$num > 0 and