Chumpy's simple password changer v1.0

  1. #1
    The Dinosaur chumpywumpy
    Join Date: Jun 2008
    Location: /f451/
    Posts: 5,127

    Another little addon for my simple reg page/cash shop which apparently I forgot to post here.

    Download-> http://www.mediafire.com/download.php?nzgjzijmnkn

    Quote Originally Posted by readme.txt
    Chumpy's simple password changer v1.0
    =======================================

    This is designed to be an addon for my simple Cabal regpage v1.0 or my
    Cabal Cash Shop. It can work without them with some simple modding.

    This uses the regpage stylesheet and config so if yours is modified
    the password changer will have the same style.


    Can you do an "I forgot my password" function?
    ===============================================

    In a word - no. Why - security.

    We have nothing but the user and current password to check the user is
    actually the account owner. We have no email address or anything like
    that we can use to verify with.

    To explain simply, imagine this:

    I am a player on your server and I forgot my password. I know my login
    and I want to go to a page, put in my login and get a new password.

    Some of you have spotted the problem here already.

    I am a player on your server and I just happen to know the login you
    use to get into the game (not the pass so I can't do anything with it).
    I go to the webpage and put your logon, get a new pass and I have now
    stolen your account.

    Don't even ask me to add this as I will not until it can be done securely.
    For now those players can go to a GM, get the GM to reset their pass and
    tell them what it is so they can now use the password changer to pick a
    new one. This way any stolen accounts aren't my fault.


    Notes
    =======

    It will only accept letters and numbers (upper and lower case) for logins
    and passwords (same as the reg page) to help prevent SQL injections. If you
    want to remove that check delete these 3 lines:

    if (!ctype_alnum($login)) $msg='<h3>Invalid login name.</h3>';
    if (!ctype_alnum($curpass)) $msg='<h3>Invalid current password.</h3>';
    if (!ctype_alnum($newpass)) $msg='<h3>Invalid new password.</h3>';

    Not allowing characters like ' and " and a bunch more will protect against
    common SQL injection tricks though. Use long login and password for better
    security.


    Insta... err, copying
    =======================

    Place password.php in the same folder as the reg.php on your webserver.

    If your regpage is www.mywebs.com/reg.php your password page is
    www.mywebs.com/password.php. Same thing with the cash shop.
    Last edited by chumpywumpy; 05-09-09 at 11:58 AM.


  2. #2
    xHTML/CSS/JS/Ruby LostSpirit
    Join Date: Feb 2008
    Location: $ gem search -r
    Posts: 482

    nice chumpy.
    this addon already knew

  3. #3
    The Cat in the Hat cypher
    Join Date: Oct 2005
    Location: Ireland
    Posts: 5,073

    muhaha chumpy knows about the '=;' damn, didn`t had in mind to play a lil ^^

  4. #4
    Enthusiast Akrasiel
    Join Date: Dec 2008
    Location: Bergamo - Italy
    Posts: 42

    nice, good!

  5. #5
    Apprentice Helvis
    Join Date: Jan 2008
    Posts: 23

    I found a bug.
    In the Old Password line, you can enter anything, and the password changes. A user who knows someone else's login may change your password.

    Sorry for my bad English

  6. #6
    The Dinosaur chumpywumpy
    Join Date: Jun 2008
    Location: /f451/
    Posts: 5,127

    Crap, you are right. I posted the wrong version! Updated the link.

    Rather than download again, open password.php and find this line:

    PHP Code:
    $r=mssql_query("update ".DB_ACC.".dbo.cabal_auth_table set [Password]='".md5($newpass)."' where [ID]='".$login."'"); 
    Replace with:

    PHP Code:
    $r=mssql_query("update ".DB_ACC.".dbo.cabal_auth_table set [Password]='".md5($newpass)."' where [ID]='".$login."' and [Password]='".md5($curpass)."'"); 
    Thanks for pointing it out
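
The corrected query from the post above, as an added example that is not part of the original thread or of password.php: it binds the values as parameters and counts the change as successful only when exactly one row was updated. It assumes PDO with an in-memory SQLite table standing in for the MSSQL account database; `change_password` and the sample account are hypothetical.

```php
<?php
// Added example (not from password.php). Table and column names follow the
// post; SQLite in memory stands in for the MSSQL account database.
declare(strict_types=1);

function change_password(PDO $db, string $login, string $curpass, string $newpass): bool
{
    // Same allowlist as the readme: letters and digits only.
    foreach ([$login, $curpass, $newpass] as $value) {
        if (!ctype_alnum($value)) {
            return false;
        }
    }
    // Bound parameters keep the values out of the SQL text; the current
    // password is part of the WHERE clause, as in the corrected query.
    $stmt = $db->prepare(
        'UPDATE cabal_auth_table SET Password = :new WHERE ID = :id AND Password = :cur'
    );
    // md5() only because the table in the post stores MD5 hashes.
    $stmt->execute([':new' => md5($newpass), ':id' => $login, ':cur' => md5($curpass)]);
    // An UPDATE that matches no row is still a successful query, so the
    // outcome is judged by the number of rows changed.
    return $stmt->rowCount() === 1;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cabal_auth_table (ID TEXT PRIMARY KEY, Password TEXT)');
$db->prepare('INSERT INTO cabal_auth_table VALUES (?, ?)')->execute(['alice', md5('OldPass1')]);

var_dump(change_password($db, 'alice', 'WrongGuess', 'Stolen99')); // wrong current password
var_dump(change_password($db, 'alice', 'OldPass1', 'NewPass2'));   // correct current password
var_dump(change_password($db, "alice'--", 'OldPass1', 'NewPass3')); // fails the allowlist
```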

  7. #7
    Member cabal_br
    Join Date: Nov 2008
    Posts: 61

    re upload???

  8. #8
    The Dinosaur chumpywumpy
    Join Date: Jun 2008
    Location: /f451/
    Posts: 5,127

    The download has the change in it already, I just posted the change in case people didn't want to re-download.

  9. #9
    Proficient Member Venax
    Join Date: Jan 2009
    Posts: 169

    link dead?

  10. #10
    The Dinosaur chumpywumpy
    Join Date: Jun 2008
    Location: /f451/
    Posts: 5,127

    Quote Originally Posted by Venax
    link dead?
    Oops, I did it again!

    I cleared out my mediafire account a few days ago and must have deleted the wrong copy (there were 2 in there). I did the same for one of my patches too.

    I'll fix it when I get home from work.

  11. #11
    Member xxdestruxx
    Join Date: Sep 2008
    Location: Brasil
    Posts: 54

    Link dead? :( ;x

  12. #12
    Member cabal_br
    Join Date: Nov 2008
    Posts: 61

    yes .... !!!!!!!!!!!!

  13. #13
    Apprentice sarapao1501
    Join Date: Dec 2007
    Posts: 5

    Link dead

    re upload

  14. #14
    The Cat in the Hat cypher
    Join Date: Oct 2005
    Location: Ireland
    Posts: 5,073


  15. #15
    Apprentice hawtkidxD
    Join Date: Aug 2009
    Posts: 19

    Still dead :(

  16. #16
    The Dinosaur chumpywumpy
    Join Date: Jun 2008
    Location: /f451/
    Posts: 5,127

    Link fixed.


