This is a secure password change script meant for Shaiya private servers.
I noticed a lot of private servers do not allow regular users to change passwords. Be warned, this script is a double-edged sword in a way, ESPECIALLY since most servers do not allow for password recovery via email or some other method. By implementing this script, players who have shared their account credentials with other players can now get their password changed unknowingly (and thus their account is now "stolen"). It is up to you to determine how to handle this.
I put the CAPTCHA in this to prevent other players from using a bot to brute-force passwords from other accounts.
Also, some error messages are purposely generic to prevent users from verifiably guessing account names from this script.
I commented these scripts fairly verbosely, so please read the comments! They are meant to tell you useful stuff.
There are seven scripts you will need to make this work:
changepassword.php
changepassword.view.php
success.view.php
db.php
db.config.php
recaptchalib.config.php
recaptchalib.php (From Google)
You can get success.view.php, db.php, db.config.php, recaptchalib.config.php, and recaptchalib.php from this post:
[changepassword.php] (Edit the SQL in this file if needed)
Code:
<?php
require_once('recaptchalib.config.php');
require_once('recaptchalib.php');
require_once('db.config.php');

// Read and escape the submitted form fields.
$username     = isset($_POST['username'])     ? mssql_escape_string(trim($_POST['username']))     : '';
$password     = isset($_POST['password'])     ? mssql_escape_string(trim($_POST['password']))     : '';
$newpassword  = isset($_POST['newpassword'])  ? mssql_escape_string(trim($_POST['newpassword']))  : '';
$newpassword2 = isset($_POST['newpassword2']) ? mssql_escape_string(trim($_POST['newpassword2'])) : '';
$errors = array();
$success = false;

if(isset($_POST) && !empty($_POST)){
    require_once('db.php');

    // Validate user name and password.
    $result = @mssql_query("SELECT UserID FROM PS_UserData.dbo.Users_Master WHERE UserID = '{$username}' AND Pw = '{$password}'") or die('Failed to verify if the provided user name already exists.');
    if(!mssql_num_rows($result)){
        $errors[] = 'Invalid user name and/or password.';
    }

    // Validate new passwords.
    if(empty($newpassword)){
        $errors[] = 'Please provide a new password.';
    }else if(strlen($newpassword) < 3 || strlen($newpassword) > 16){
        $errors[] = 'New password must be between 3 and 16 characters in length.';
    }else if($newpassword != $newpassword2){
        $errors[] = 'New passwords do not match.';
    }

    // Validate reCAPTCHA. This is to prevent someone brute force guessing passwords with a bot.
    $response = recaptcha_check_answer($recaptcha_private_key,$_SERVER['REMOTE_ADDR'],$_POST['recaptcha_challenge_field'],$_POST['recaptcha_response_field']);
    if(!$response->is_valid){
        if($response->error == 'incorrect-captcha-sol'){
            $errors['recaptcha'] = 'Incorrect answer to reCAPTCHA';
        }else{
            $errors['recaptcha'] = $response->error;
        }
    }

    // Persist the new password to the database if no previous errors occurred.
    if(count($errors) == 0){
        $sql = "UPDATE PS_UserData.dbo.Users_Master
                SET Pw = '{$newpassword}'
                WHERE UserID = '{$username}'";
        // Remove the @ symbol here to see what the SQL error message is when running the above query in $sql.
        if($result = @mssql_query($sql)){
            $success = "Password for {$username} successfully changed!";
        }else{
            // This means the update statement is probably not valid for your database. Fix the query or fix your database, your choice ;)
            $errors[] = 'Failed to change password, please try again later';
        }
    }
}

// Determine which view to show.
if($success === false){
    require_once('changepassword.view.php');
}else{
    require_once('success.view.php');
}
?>
[changepassword.view.php] (Re-style the display in this file)
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Shaiya Generic Change Password Page</title>
    <meta http-equiv="content-type" content="text/html;charset=utf-8" />
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <style type="text/css">#error {color:#ff0000; list-style:none;}</style>
    <script type="text/javascript">var RecaptchaOptions = {theme:'clean'};</script>
</head>
<body>
    <h3>Change Password</h3>
    <?php if(count($errors)){ ?>
    <ul id="error">
        <?php foreach($errors as $error){ ?>
        <li><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></li>
        <?php } ?>
    </ul>
    <?php } ?>
    <form action="changepassword.php" method="post">
        <div style="width:436px; border:1px solid #000000; padding:16px;">
            <?php /* Submitted values are HTML-escaped before being echoed back into the form. */ ?>
            User Name
            <input name="username" value="<?php if(isset($_POST['username'])){ echo htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8'); } ?>" style="width:100%;" />
            <div style="height: 5px;"> </div>
            Current Password
            <input name="password" type="password" value="<?php if(isset($_POST['password'])){ echo htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8'); } ?>" style="width:100%;" />
            <div style="height: 5px;"> </div>
            New Password
            <input name="newpassword" type="password" value="<?php if(isset($_POST['newpassword'])){ echo htmlspecialchars($_POST['newpassword'], ENT_QUOTES, 'UTF-8'); } ?>" style="width:100%;" />
            <div style="height: 5px;"> </div>
            Confirm Password
            <input name="newpassword2" type="password" value="<?php if(isset($_POST['newpassword2'])){ echo htmlspecialchars($_POST['newpassword2'], ENT_QUOTES, 'UTF-8'); } ?>" style="width:100%;" />
            <div style="height: 5px;"> </div>
            Please type this in the text box below to prove you are human
            <?php echo recaptcha_get_html($recaptcha_public_key); ?>
            <div style="height: 5px;"> </div>
            <input type="submit" value="Change Password" />
        </div>
    </form>
</body>
</html>
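
The verify-then-update flow of changepassword.php, shown as an added example (not part of the original post's scripts) using PDO bound parameters and a single UPDATE that checks the current password in its WHERE clause. The in-memory SQLite table, the shortened table name Users_Master and the sample account are assumptions made so it runs offline.

```php
<?php
// Added example, not the original script. An in-memory SQLite table stands in
// for PS_UserData.dbo.Users_Master (assumption) so the sketch runs offline.

/**
 * Verify the current password and set the new one in a single statement.
 * Returns true only if exactly one row matched UserID AND the current Pw.
 */
function change_password(PDO $pdo, string $user, string $current, string $new, string $confirm): bool
{
    // Same rules as changepassword.php: 3 to 16 characters, both entries equal.
    $len = strlen($new);
    if ($len < 3 || $len > 16 || $new !== $confirm) {
        return false;
    }
    // Bound parameters: user input is never spliced into the SQL text.
    // Checking Pw inside the UPDATE closes the gap between the separate
    // SELECT check and the UPDATE in the original flow.
    $stmt = $pdo->prepare(
        'UPDATE Users_Master SET Pw = :new WHERE UserID = :user AND Pw = :current'
    );
    $stmt->execute([':new' => $new, ':user' => $user, ':current' => $current]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data (hypothetical account).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users_Master (UserID TEXT PRIMARY KEY, Pw TEXT NOT NULL)');
$pdo->exec("INSERT INTO Users_Master (UserID, Pw) VALUES ('player1', 'oldpass')");

$attempts = [
    ['player1', 'wrongpass', 'newpass1', 'newpass1'],  // wrong current password
    ["player1' --", 'x', 'newpass1', 'newpass1'],      // quote stays data, matches no row
    ['player1', 'oldpass', 'ab', 'ab'],                // new password too short
    ['player1', 'oldpass', 'newpass1', 'newpass1'],    // valid change
];
foreach ($attempts as [$u, $cur, $new, $confirm]) {
    $ok = change_password($pdo, $u, $cur, $new, $confirm);
    echo ($ok ? 'changed' : 'rejected') . "\n";
}
```

Against the real database the same function works with a PDO connection to SQL Server and the full table name; the CAPTCHA check would still run before it.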