Make WordPress Core

Changeset 851


Timestamp:
02/09/2004 10:07:27 AM (21 years ago)
Author:
saxmatt
Message:

Correctly generate new passwords, added check for email address to slow down jerks.

File:
1 edited

  • trunk/wp-login.php

    r850 r851  
    162162<html xmlns="http://www.w3.org/1999/xhtml">
    163163<head>
    164     <title>WordPress > Lost password ?</title>
     164    <title>WordPress &rsaquo; Lost password ?</title>
    165165    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    166166    <link rel="stylesheet" href="<?php echo $siteurl; ?>/wp-admin/wp-admin.css" type="text/css" />
     
    177177
    178178<div id="login">
    179 <p>Type your login here and click OK. You will receive an email with your password.</p>
     179<p>Please enter your information here. We will send you a new password. </p>
    180180<?php
    181181if ($error) echo "<div align=\"right\" style=\"padding:4px;\"><font color=\"#FF0000\">$error</font><br />&nbsp;</div>";
     
    184184<form name="" action="wp-login.php" method="post" id="lostpass">
    185185<input type="hidden" name="action" value="retrievepassword" />
    186 <label>Login: <input type="text" name="user_login" id="user_login" value="" size="12" /></label>
     186<label>Login: <input type="text" name="user_login" id="user_login" value="" size="12" /></label><br />
     187<label>Email: <input type="text" name="email" id="email" value="" size="12" /></label><br />
    187188<input type="submit" name="Submit2" value="OK" class="search">
    188189
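Review bot: The new Email input on line 187 keeps size="12" from the login field, which is too narrow for most addresses; widen it and consider a maxlength. The submitted value is then compared to the stored address with a plain != on new line 207, so surrounding whitespace or a difference in letter case will be rejected as "user does not seem to exist"; trim and normalise the input before comparing.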
     
    203204    $user_data = get_userdatabylogin($user_login);
    204205    $user_email = $user_data->user_email;
    205     $user_pass = $user_data->user_pass;
    206 
    207     if (!$user_email) die('Sorry, that user does not seem to exist in our database. Perhaps you have the wrong username?');
     206
     207    if (!$user_email || $user_email != $_POST['email']) die('Sorry, that user does not seem to exist in our database. Perhaps you have the wrong username or email address? <a href="wp-login.php?action=lostpassword">Try again</a>.');
     208    // Generate something random for a password... md5'ing current time with a rand salt
     209    $user_pass = substr((MD5("time" . rand(1,16000))), 0, 6);
     210    // now insert the new pass md5'd into the db
     211    $wpdb->query("UPDATE wp_users SET user_pass = MD5('$user_pass') WHERE user_login = '$user_login'");
    208212    $message  = "Login: $user_login\r\n";
    209213    $message .= "Password: $user_pass\r\n";
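Review bot: On new line 209, MD5("time" . rand(1,16000)) hashes the literal string "time", not the current time as the comment on line 208 says, so the generated password can only take one of at most 16,000 values before it is truncated to 6 hex characters. Draw the password from a cryptographically secure random source instead of rand(), and make it longer. Two further points on the same hunk: the UPDATE on line 211 interpolates $user_login straight into the query and these lines do not show it being escaped, so confirm that happens earlier; and the password is overwritten in the database before the message is even built, so a failed mail leaves the user locked out. Update the row only after the mail has been sent successfully, or mail a one-time reset link rather than replacing the password immediately.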