sec_change_pwd

Does anyone know why I get an error message for a missing old password (Old password: must have at least 8 characters) when I’m in the process of creating a new password after getting the lost password email? The old password field is not even visible.

I followed the link in the email which contains the act_code as a URL parameter. I’ve looked at the logic but can’t find the issue. Why are licensed users of this product continually QA’ing SC’s code? This is a pretty basic feature yet it doesn’t work.

There are some issues in the generated application that you might need to fix. There’s a minimum length setting in the form which you could disable if you like. The fun part is that if you generate the modules and use a smaller default password (which is allowed, funnily enough), you can run into this issue.

Great! I just spent two hours trying to debug their crappy code. This is really starting to tick me off with their poor quality. Thanks, I’ll see if I can fix it based on your suggestion.

Oh this just gets better… I set the minimum size to zero and now I get Old Password Incorrect!

Any suggestions?

Never mind, I figured it out. I had to rewrite the old password check code just below the password and confirm password validation. Thanks for the help, I appreciate it.

In case you want to replace SC’s crappy change password code with something that works, here is what I am using now.

// An old password is required unless the request carries an activation code (lost-password link).
if ((!isset({old_pswd}) || empty({old_pswd})) && (!isset([act_code]) || empty([act_code])))
{
    sc_error_message({lang_error_old_pswd});
    sc_error_exit();
}

if ({pswd} != {confirm_pswd})
{
    sc_error_message({lang_error_pswd});
    sc_error_exit();
}

$spswd = sc_sql_injection(md5({pswd}));

if (isset([act_code]) && !empty([act_code]))
{
    $sold_pswd = "activation_code = " . sc_sql_injection([act_code]) . " AND pswd = " . sc_sql_injection(md5({old_pswd}));
}
else
{
    $sold_pswd = " pswd = " . sc_sql_injection(md5({old_pswd}));
}
//$sold_pswd = ( isset([act_code]) && !empty([act_code]) ) ? "activation_code= ". sc_sql_injection([act_code]) : " pswd = ". sc_sql_injection(md5({old_pswd}));

// Verify the old password only when no activation code was supplied.
if ((isset({old_pswd}) && !empty({old_pswd})) && (!isset([act_code]) || empty([act_code])))
{
    // [usr_login] goes through sc_sql_injection() like the other values instead of being concatenated raw.
    $sql = "SELECT count(*) FROM sec_users WHERE " . $sold_pswd . " AND login = " . sc_sql_injection([usr_login]);
    sc_lookup(rs, $sql);

    if ({rs} === FALSE || {rs}[0][0] == 0)
    {
        sc_error_message({lang_error_old_pswd});
        sc_error_exit();
    }
}
unset([act_code]);
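
The two paths discussed in this thread (reset through the emailed act_code, and a normal change that requires the old password), as an added example in plain PHP with PDO; it is not part of any post above and not Scriptcase's generated code. It assumes pswd stores a password_hash() value instead of the MD5 used in the thread, and, unlike the posted snippet, where the SELECT runs only when act_code is empty, it compares the activation code with the stored one. The function name and sample rows are constructed for illustration.

```php
<?php
// Added example: plain PHP + PDO, not Scriptcase macros.
// Table and column names (sec_users, login, pswd, activation_code) come from the thread.
// Assumption: pswd holds a password_hash() value rather than an MD5 digest.

function may_change_password(PDO $db, string $login, ?string $oldPswd, ?string $actCode): bool
{
    // Bound parameter: the login is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT pswd, activation_code FROM sec_users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // Reset path: the emailed code must match the stored one; no old password is needed.
    if ($actCode !== null && $actCode !== '') {
        $stored = (string) $row['activation_code'];
        // An empty stored code means no reset is pending, so nothing can match it.
        return $stored !== '' && hash_equals($stored, $actCode);
    }

    // Normal path: the old password is mandatory and must verify against the stored hash.
    if ($oldPswd === null || $oldPswd === '') {
        return false;
    }
    return password_verify($oldPswd, $row['pswd']);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sec_users (login TEXT PRIMARY KEY, pswd TEXT, activation_code TEXT)');
$ins = $db->prepare('INSERT INTO sec_users VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('old-secret-1', PASSWORD_DEFAULT), 'constructed-code-123']);
$ins->execute(['bob', password_hash('bobs-secret-2', PASSWORD_DEFAULT), '']);

var_dump(may_change_password($db, 'alice', null, 'constructed-code-123')); // reset link
var_dump(may_change_password($db, 'alice', null, 'wrong-code'));           // bad code
var_dump(may_change_password($db, 'alice', 'old-secret-1', null));         // normal change
var_dump(may_change_password($db, 'bob', null, null));                     // nothing supplied
var_dump(may_change_password($db, 'bob', null, 'anything'));               // no reset pending
```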