From 58c7dfe2c88a192545a4638c26e35709a790558b Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Wed, 27 Dec 2023 22:06:19 -0500
Subject: [PATCH] Fix Client Self Service Password Reset due to new mail queue system change
---
 portal/login_reset.php | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/portal/login_reset.php b/portal/login_reset.php
index 41975630..604afcbb 100644
--- a/portal/login_reset.php
+++ b/portal/login_reset.php
@@ -57,7 +57,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 $row = mysqli_fetch_assoc($sql);
 $id = intval($row['contact_id']);
- $name = $row['contact_name'];
+ $name = sanitizeInput($row['contact_name']);
 $client = intval($row['contact_client_id']);
 if ($row['contact_email'] == $email) {
@@ -68,8 +68,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 // Send reset email
- $subject = "Password reset for $company_name ITFlow Portal";
- $body = "Hello, $name
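Review bot: `$name` is passed through `sanitizeInput()` on the `+` line here, and the `$body` it is interpolated into is then run through `mysqli_real_escape_string()` as well in the -68 hunk, so if `sanitizeInput()` already applies an SQL escape (its definition is not in this patch) a contact name such as O'Brien is escaped twice and the queued mail carries a stray backslash. The name is only used inside the email text in this file, so whatever HTML encoding the helper may do is the useful part; the SQL escape should be applied once, at the point where the string is placed into a query. The same pattern is repeated at `$name = sanitizeInput($contact_row['contact_name']);` in the -113 hunk. The enclosing `if ($_SERVER['REQUEST_METHOD'] == "POST")` block starts and ends outside this hunk.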

Someone (probably you) has requested a new password for your account on $company_name's ITFlow Client Portal.

Please click here to reset your password.

Alternatively, copy and paste this URL into your browser:
$url

If you didn't request this change, you can safely ignore this email.

~
$company_name
Support Department
$config_mail_from_email";
+ $subject = mysqli_real_escape_string($mysqli, "Password reset for $company_name ITFlow Portal");
+ $body = mysqli_real_escape_string($mysqli, "Hello, $name

Someone (probably you) has requested a new password for your account on $company_name's ITFlow Client Portal.

Please click here to reset your password.

Alternatively, copy and paste this URL into your browser:
$url

If you didn't request this change, you can safely ignore this email.

~
$company_name
Support Department
$config_mail_from_email");
 $data = [
 [
@@ -113,19 +113,19 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' LIMIT 1");
 $contact_row = mysqli_fetch_array($sql);
 $contact_id = intval($contact_row['contact_id']);
- $name = $contact_row['contact_name'];
+ $name = sanitizeInput($contact_row['contact_name']);
 // Ensure the token is correct
 if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) {
 // Set password, invalidate token, logging
- $password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT));
+ $password = password_hash($_POST['new_password'], PASSWORD_DEFAULT);
 mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1");
 mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client");
 // Send confirmation email
- $subject = "Password reset confirmation for $company_name ITFlow Portal";
- $body = "Hello, $name
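Review bot: Escaping `$subject` and `$body` with `mysqli_real_escape_string()` at composition time makes this caller responsible for `addToMailQueue()`'s SQL handling; the two `+` lines are only correct if that helper interpolates both fields into its query exactly once and does not escape them itself, and nothing in this hunk shows either. If the helper is later moved to prepared statements, these lines will leave literal backslashes in outgoing mail, so at minimum record the dependency next to them, e.g. `// NOTE: pre-escaped for addToMailQueue(), which is assumed to interpolate subject/body straight into SQL; drop this if it switches to prepared statements`. The cleaner fix is to have `addToMailQueue()` own the escaping (or bind parameters) so every caller passes plain text; the confirmation mail in the -113 hunk makes the same change and would be fixed the same way. The enclosing POST handler starts and ends outside this hunk.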

Your password for your account on $company_name's ITFlow Client Portal was successfully reset. You should be all set!

If you didn't reset your password, please get in touch ASAP.

~
$company_name
Support Department
$config_mail_from_email";
+ $subject = mysqli_real_escape_string($mysqli, "Password reset confirmation for $company_name ITFlow Portal");
+ $body = mysqli_real_escape_string($mysqli, "Hello, $name

Your password for your account on $company_name's ITFlow Client Portal was successfully reset. You should be all set!

If you didn't reset your password, please get in touch ASAP.

~
$company_name
Support Department
$config_mail_from_email");
 $data = [
@@ -137,7 +137,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 'subject' => $subject,
 'body' => $body
 ]
- ];
+ ];
 $mail = addToMailQueue($mysqli, $data);
@@ -156,7 +156,6 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 $_SESSION['login_message'] = WORDING_ERROR;
 }
- }
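Review bot: Dropping `mysqli_real_escape_string()` from `$password` leaves the hash interpolated directly into the UPDATE string on the following line; `password_hash()` with `PASSWORD_DEFAULT` currently emits only `$`, `.`, `/` and alphanumerics so this is not a problem today, but `PASSWORD_DEFAULT` is documented to change algorithm over time and the escape was the only thing keeping that query independent of the hash format. Rather than restoring the escape, bind the value: `$stmt = mysqli_prepare($mysqli, "UPDATE contacts SET contact_password_hash = ?, contact_password_reset_token = NULL WHERE contact_id = ? LIMIT 1");` `mysqli_stmt_bind_param($stmt, 'si', $password, $contact_id);` `mysqli_stmt_execute($stmt);`. While here, the context line `if (sha1($contact_row['contact_password_reset_token']) == sha1($token))` compares two hex strings with loose `==`; `hash_equals((string) $contact_row['contact_password_reset_token'], (string) $token)` is strict and constant-time, and the case where the SELECT matched no row (`$contact_row` null) should be rejected before this check rather than compared as an empty string. The enclosing POST handler starts and ends outside this hunk.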