diff --git a/customer_email.php b/customer_email.php
index ea16eb81..a924b31e 100644
--- a/customer_email.php
+++ b/customer_email.php
@@ -446,6 +446,9 @@ if ($page == 'overview') {
 } elseif ($password == '' && !(Settings::Get('panel.sendalternativemail') == 1 && validateEmail($alternative_email))) {
 standard_error(array('stringisempty', 'mypassword'));
+ }
+ elseif ($password == $email_full) {
+ standard_error('passwordshouldnotbeusername');
 } else {
 if ($password == '') {
 $password = substr(md5(uniqid(microtime(), 1)), 12, 6);
@@ -632,6 +635,10 @@ if ($page == 'overview') {
 standard_error(array('stringisempty', 'mypassword'));
 exit;
 }
+ elseif ($password = $result['email_full']) {
+ standard_error('passwordshouldnotbeusername');
+ exit;
+ }
 $password = validatePassword($password);
@@ -887,5 +894,3 @@ if ($page == 'overview') {
 }
 }
 }
-
-?>
diff --git a/customer_extras.php b/customer_extras.php
index 563a1432..badc12d8 100644
--- a/customer_extras.php
+++ b/customer_extras.php
@@ -133,6 +133,8 @@ if ($page == 'overview') {
 standard_error(array('stringisempty', 'mypassword'));
 } elseif ($path == '') {
 standard_error('patherror');
+ } elseif ($_POST['directory_password'] == $username) {
+ standard_error('passwordshouldnotbeusername');
 } else {
 $stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_HTPASSWDS . "` SET `customerid` = :customerid,
@@ -184,6 +186,10 @@ if ($page == 'overview') {
 $password = crypt($_POST['directory_password']);
 }
+ if ($_POST['directory_password'] == $result['username']) {
+ standard_error('passwordshouldnotbeusername');
+ }
+
 $params = array(
 "customerid" => $userinfo['customerid'],
 "id" => $id
diff --git a/customer_mysql.php b/customer_mysql.php
index cdee83b1..5c8a0315 100644
--- a/customer_mysql.php
+++ b/customer_mysql.php
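Review bot: The new `elseif ($password == $email_full)` branch in the first hunk only rejects a byte-exact match, so the same address typed in a different case, or just its local part before the `@`, still passes; if the intent is to stop users choosing their login as the password, `elseif (strcasecmp($password, $email_full) === 0) {` closes the case variant and drops the loose `==` at the same time. Whether `$email_full` is already lower-cased is decided before this hunk, so that part is an assumption to confirm. The if/elseif chain this branch joins starts outside the hunk.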
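Review bot: In the second customer_email.php hunk, `elseif ($password = $result['email_full'])` assigns instead of comparing, so whenever the stored address is non-empty the branch is always taken: `$password` is overwritten with the address and the request ends in `standard_error('passwordshouldnotbeusername')` plus `exit;` before the `validatePassword()` call on the next context line is ever reached, which makes the whole password-change path below it dead. It should read `} elseif ($password === $result['email_full']) {`. The surrounding if/elseif chain begins before the hunk.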
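Review bot: The check added to the customer_extras.php `elseif` chain compares the raw `$_POST['directory_password']` with `==`, whereas the branches above it appear to test an already-validated value (the `stringisempty`/`mypassword` error two lines up suggests a `$password` variable is checked before the hunk); using the same variable with a strict comparison, `} elseif ($password === $username) {`, keeps one source of truth and avoids PHP's numeric-string coercion on `==`. Confirm before switching that `$password` at this point is still the plaintext and not the `crypt()` result. The chain starts outside the hunk.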
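Review bot: The new `if ($_POST['directory_password'] == $result['username'])` block in the second customer_extras.php hunk is not followed by `exit;`, unlike the equivalent check this commit adds to customer_email.php, and it sits after `$password = crypt(...)` and outside the block that the `}` on the previous line closes; if `standard_error()` returns to the caller, execution continues into the `$params` array and whatever update presumably follows, carrying the rejected password. Move the check ahead of the `crypt()` call, inside that block, and terminate it: `if ($_POST['directory_password'] === $result['username']) { standard_error('passwordshouldnotbeusername'); exit; }`. The block whose closing brace appears in the hunk begins outside it.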
@@ -178,6 +178,11 @@ if ($page == 'overview') {
 $userinfo['mysql_lastaccountnumber']
 );
+ // we've checked against the password in dbm->createDatabase
+ if ($username == false) {
+ standard_error('passwordshouldnotbeusername');
+ }
+
 // Statement modified for Database description -- PH 2004-11-29
 $stmt = Database::prepare('INSERT INTO `' . TABLE_PANEL_DATABASES . '` (`customerid`, `databasename`, `description`, `dbserver`)
@@ -307,6 +312,10 @@ if ($page == 'overview') {
 // validate password
 $password = validatePassword($password);
+ if ($password == $result['databasename']) {
+ standard_error('passwordshouldnotbeusername');
+ }
+
 // Begin root-session
 Database::needRoot(true);
 foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
diff --git a/lib/classes/database/class.DbManager.php b/lib/classes/database/class.DbManager.php
index 23a9e5ad..5e078026 100644
--- a/lib/classes/database/class.DbManager.php
+++ b/lib/classes/database/class.DbManager.php
@@ -64,7 +64,7 @@ class DbManager {
 * @param string $password
 * @param int $last_accnumber
 *
- * @return string $username
+ * @return string|bool $username if successful or false of username is equal to the password
 */
 public function createDatabase($loginname = null, $password = null, $last_accnumber = 0) {
@@ -84,6 +84,11 @@ class DbManager {
 $username = $loginname . Settings::Get('customer.mysqlprefix') . (intval($last_accnumber) + 1);
 }
+ // don't use a password that is the same as the username
+ if ($username == $password) {
+ return false;
+ }
+
 // now create the database itself
 $this->getManager()->createDatabase($username);
 $this->_log->logAction(USR_ACTION, LOG_INFO, "created database '" . $username . "'");
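Review bot: `if ($username == false)` in the first customer_mysql.php hunk tests the `createDatabase()` failure sentinel with loose comparison, so any falsy string return such as `''` or `'0'` would also be reported as the username-equals-password error; since the method's docblock in this same commit documents `false` as the failure value, `if ($username === false) {` says exactly what is meant. The comment above it reads as though the comparison happened here — something like `// DbManager::createDatabase() returns false when the password equals the generated username` would be clearer. If `standard_error()` does not end the request, the INSERT below would run with `$username === false`; the `);` in the hunk closes a call that starts before it.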
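Review bot: `if ($password == $result['databasename'])` in the second customer_mysql.php hunk uses loose `==` on two user-controlled strings; the strict `if ($password === $result['databasename']) {` is what the policy means, and if `WEB1SQL1` for database `web1sql1` should also be refused, `strcasecmp($password, $result['databasename']) === 0` is the cheap extension (the DbManager hunk below shows the database name doubling as the MySQL user name). Like the other checks in this commit the branch relies on `standard_error()` terminating the request before `Database::needRoot(true)` runs, while the existing code in customer_email.php follows the same call with an explicit `exit;`.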
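Review bot: The new `@return` line in the DbManager docblock has a typo and an imprecise type: "false of username" should be "false if the username", and since the only non-string result is the literal `false`, `string|false` is the accurate annotation for both readers and static analysis. Suggest `@return string|false the generated username, or false if the password equals the generated username`.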
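Review bot: Returning `false` from `createDatabase()` for a password-policy violation turns a data-layer method into a validator and obliges every caller to remember a `=== false` check — the one in customer_mysql.php uses a loose `==`; throwing an exception, or exposing the username derivation so the controller can validate before calling, would fail closed instead of relying on the caller. At minimum the comparison should be strict, `if ($username === $password) {`, since `$password` defaults to `null` in the signature shown in the previous hunk and loose string/null semantics should not enter a policy check. The method's body continues outside the hunk.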