
Anonymous committed f08be80

Change hidden hash variable into constant

By changing the hash variable into a constant:

1. We can get rid of some of the global definitions (constants are global regardless).

2. We avoid anyone accidentally changing the value elsewhere in the code.

3. We can use defined() to check whether the value has been set at all, whereas !$var is also true when $var has been set to ''.


Files changed (2)

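--- a/website/account/user.inc
+++ b/website/account/user.inc
 
  $feedback = '';
 
-if (!$hidden_hash_var) {
+if (!defined('HIDDEN_HASH_VAR')) {
     trigger_error("ERROR: include config.php first, and make sure it has values in", E_USER_ERROR);
 }
 
     unset($LOGGED_IN);
 
     function user_isloggedin() {
-            global $user_name,$id_hash,$hidden_hash_var,$LOGGED_IN;
+            global $user_name,$id_hash,$LOGGED_IN;
 
             if (!$user_name)
                 $user_name=mysql_escape_string($_COOKIE["user_name"]);
                 return $LOGGED_IN;
             }
             if ($user_name && $id_hash) {
-                    $hash=md5($user_name.$hidden_hash_var);
+                    $hash=md5($user_name.HIDDEN_HASH_VAR);
                 #    print "hash $hash idhash $id_hash";
                     if ($hash == $id_hash) {
                             $LOGGED_IN=true;
 }
 
 function user_set_tokens($user_name_in) {
-	global $hidden_hash_var,$user_name,$id_hash;
+	global $user_name,$id_hash;
 	if (!$user_name_in) {
 		$feedback .=  ' User name missing when setting tokens. ';
 		return false;
 	}
 	$user_name=strtolower($user_name_in);
-	$id_hash= md5($user_name.$hidden_hash_var);
+	$id_hash= md5($user_name.HIDDEN_HASH_VAR);
 
 	setcookie('user_name',$user_name,(time()+2592000),'/','',0);
 	setcookie('id_hash',$id_hash,(time()+2592000),'/','',0);
 		account confirmation email
 	*/
 
-	global $feedback,$hidden_hash_var;
+	global $feedback;
 
 	//verify that they didn't tamper with the email address
-	$new_hash=md5($email.$hidden_hash_var);
+	$new_hash=md5($email.HIDDEN_HASH_VAR);
 	if ($new_hash && ($new_hash==$hash)) {
 		//find this record in the db
 		$sql="SELECT * FROM pw_dyn_user WHERE confirm_hash='$hash' order by is_confirmed";
 }
 
 function user_lost_password ($email,$user_name) {
-	global $feedback,$hidden_hash_var;
+	global $feedback;
 	if ($email && $user_name) {
 		$user_name=strtolower($user_name);
 		$sql="SELECT * FROM pw_dyn_user WHERE user_name='$user_name' AND email='$email'";
 			return false;
 		} else {
 			//create a secure, new password
-			$new_pass=strtolower(substr(md5(time().$user_name.$hidden_hash_var),1,14));
+			$new_pass=strtolower(substr(md5(time().$user_name.HIDDEN_HASH_VAR),1,14));
 
 			//update the database to include the new password
 			$sql="UPDATE pw_dyn_user SET password='". md5($new_pass) ."' WHERE user_name='$user_name'";
 }
 
 function user_change_email ($password1,$new_email,$user_name) {
-	global $feedback,$hidden_hash_var;
+	global $feedback;
 	if (pw_validate_email($new_email)) {
-		$hash=md5($new_email.$hidden_hash_var);
+		$hash=md5($new_email.HIDDEN_HASH_VAR);
 		//change the confirm hash in the db but not the email - 
 		//send out a new confirm email with a new hash
 		$user_name=strtolower($user_name);
 }
 
 function user_register($user_name,$password1,$password2,$email,$real_name) {
-	global $feedback,$hidden_hash_var;
+	global $feedback;
 	//all vars present and passwords match?
 	if (!$user_name )
         {
 				return false;
 			} else {
 				//create a new hash to insert into the db and the confirmation email
-				$hash=md5($email.$hidden_hash_var);
+				$hash=md5($email.HIDDEN_HASH_VAR);
 				$sql="INSERT INTO pw_dyn_user
                                 (user_name,real_name,password,email,remote_addr,confirm_hash,is_confirmed, reg_date, confirm_return_url) ".
 					"VALUES ('$user_name','$real_name','".  md5($password1) ."','$email','" . getenv('REMOTE_ADDR') . "','$hash','0',NOW(),'".mysql_escape_string($_POST['r'])."')";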
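Review bot: The new `if (!defined('HIDDEN_HASH_VAR'))` guard at the top of the file is weaker than the `!$hidden_hash_var` it replaces: the config template in this same commit defines the constant unconditionally from `$hidden_hash_var=''`, so an empty secret now passes the check that used to abort the script, and every hash in this file (the `id_hash` login cookie, the email confirm hashes, the lost-password value) degrades to `md5($user_name)` or `md5($email)`, which anyone can compute. Tighten it to `if (!defined('HIDDEN_HASH_VAR') || HIDDEN_HASH_VAR === '') {` so a blank secret still fails fast. Adjacent to the change rather than part of it, `if ($hash == $id_hash)` in user_isloggedin compares an apparently cookie-supplied value (it is written to a cookie in user_set_tokens) with loose equality, which treats two all-digit `0e…` md5 strings as equal numbers; `if (hash_equals($hash, (string)$id_hash))` avoids that. The bodies of user_isloggedin and the other functions shown here are cut by the hunks and continue outside them.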

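--- a/website/config.php.incvs
+++ b/website/config.php.incvs
  # Authentication value - only needed for publicwhip.org.uk itself
  $hidden_hash_var=''; 
 
+define('HIDDEN_HASH_VAR', $hidden_hash_var);
+
  ?>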
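Review bot: `define('HIDDEN_HASH_VAR', $hidden_hash_var);` runs unconditionally, so the template's empty default still yields a defined constant and the `defined()` check this commit introduces in user.inc cannot distinguish a missing secret from an empty one. Either define it only when a value is present, `if ($hidden_hash_var !== '') define('HIDDEN_HASH_VAR', $hidden_hash_var);`, or abort here with `trigger_error('HIDDEN_HASH_VAR must be set', E_USER_ERROR)` when it is blank. A comment above the define such as `# Mixed into every login-cookie and confirmation hash; set to a long random string and keep it secret` would also tell deployers why the value matters.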