Recover password function not working, XBTIT 2.5.4

« on: April 07, 2017, 02:09:59 am »
SOLVED - See posts below...

Greetings all,

I've posted this to the github bugs report, but would like to gain some more traction with this issue.

When resetting a password in XBTIT v2.5.4, it appears that the rehashed password isn't being sent to the database. The following error flashes quickly after clicking the link in the email, before redirecting you to a success message:

Warning: mysqli_query(): Empty query in /home/site/webroot/recover.php on line 148

This results in no hash in the password column for a particular user in the xbtit_users table, and the user is unable to log in.

For example:
  • Database contains a password hash in the "password" field of the sql database for a user
  • User forgets password, so clicks Recover password
  • User receives email with link to reset password
  • User clicks link, site opens to that error above, then quickly redirects to an affirmative message.
  • User receives second email with temporary, complex password
  • User cannot log in using that password
  • Database no longer contains any password hash in the "password" field for that user

The snippet of code at line 148 is the following:

Code:
do_sqlquery("UPDATE `{$TABLE_PREFIX}users` SET `password`='".mysqli_query($GLOBALS['conn'],$multipass[$i]["rehash"])."', `salt`='".mysqli_query($GLOBALS['conn'],$multipass[$i]["salt"])."', `pass_type`='".$i."', `dupe_hash`='".mysqli_query($GLOBALS['conn'],$multipass[$i]["dupehash"])."' WHERE `id`=$id AND `random`=$random",true);

I've also attached the recover.php file to this post.

Install/server details are as follows:

Fully dedicated server
CentOS 6.8, WHM, cPanel
XBTIT 2.5.4 - fresh, unmodified installation
Apache 2.4
PHP 5.6
MySQL 5.0.11
'mysqli' has been enabled with EasyApache 3 custom configuration
Password Hashing Algorithm set to "Classic XBTIT"

This is a migrated database from BTITracker 1.3.2 - used the provided upgrade sql scripts to manually upgrade each necessary table sequentially.

If someone knows of a way to make this code work, that would be excellent. I have installed a couple fresh versions of XBTIT to be sure it wasn't something I did to my modified site code that caused the issue - same problem. Not being able to reset passwords may cause a delay in our relaunch.

Google searches mention this error may be related to mixing mysqli queries and mysql queries. I will look back at past version codes to compare the differences, and see if anything stands out.

Please PM me directly if you think you can help, and need the site URL. We are in development mode, so I don't want the URL to be public just yet.

Thanks and cheers!

[email protected]
« Last Edit: April 15, 2017, 04:27:52 pm by [email protected] »

Re: Recover password function not working, XBTIT 2.5.4
« Reply #1 on: April 14, 2017, 05:17:42 am »
Has no one else noticed this bug?

Pretty crucial stuff. Without the recover password feature, we're pretty much dead in the water.

Please advise!

« Last Edit: April 15, 2017, 03:37:48 pm by [email protected] »

Re: Recover password function not working, XBTIT 2.5.4
« Reply #2 on: April 15, 2017, 01:26:07 pm »
This has been resolved!!

KingCobra58 (on github) has provided this fix:

Try replacing this
Code:
mysqli_query($GLOBALS['conn']
to this
Code:
mysqli_real_escape_string($GLOBALS['conn']
in this query
Code:
do_sqlquery("UPDATE {$TABLE_PREFIX}users SET password='".mysqli_query($GLOBALS['conn'],$multipass[$i]["rehash"])."', salt='".mysqli_query($GLOBALS['conn'],$multipass[$i]["salt"])."', pass_type='".$i."', dupe_hash='".mysqli_query($GLOBALS['conn'],$multipass[$i]["dupehash"])."' WHERE id=$id AND random=$random",true);

After this, no errors and password recovery is functional.

Thank you KingCobra58 and XBTIT dev team for the help and hard work!!
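
Added example, not part of the thread or of XBTIT's own code: the same UPDATE written as a mysqli prepared statement, so the hash values are bound instead of concatenated, with a guard that refuses to store an empty hash. The function name, its parameters and the open $conn connection are assumptions; the column names and array keys come from the query quoted above.

```php
<?php
// Added example, not XBTIT code. Assumptions: $conn is an open mysqli
// connection, $prefix is the table prefix, and $hashes carries the
// "rehash", "salt" and "dupehash" keys seen in the thread's query.
// Written without scalar type hints so it also loads on PHP 5.6.

function update_recovered_password(mysqli $conn, $prefix, array $hashes, $passType, $id, $random)
{
    // A table prefix is part of an identifier and cannot be bound as a
    // parameter, so only accept the characters a prefix should contain.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }

    // mysqli_query() returns false when handed a hash instead of SQL, and
    // false concatenates as '', which is how the password column was emptied.
    // Refuse to write an empty or non-string hash at all.
    if (!isset($hashes['rehash']) || !is_string($hashes['rehash']) || $hashes['rehash'] === '') {
        throw new InvalidArgumentException('refusing to store an empty password hash');
    }

    // Local copies: bind_param() takes its arguments by reference.
    $password = $hashes['rehash'];
    $salt     = isset($hashes['salt']) ? (string) $hashes['salt'] : '';
    $dupeHash = isset($hashes['dupehash']) ? (string) $hashes['dupehash'] : '';
    $passType = (string) $passType;
    $id       = (int) $id;
    $random   = (int) $random; // assumed numeric, as it is unquoted in the thread's query

    $stmt = $conn->prepare(
        "UPDATE `{$prefix}users`
            SET `password` = ?, `salt` = ?, `pass_type` = ?, `dupe_hash` = ?
          WHERE `id` = ? AND `random` = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    $stmt->bind_param('ssssii', $password, $salt, $passType, $dupeHash, $id, $random);
    if (!$stmt->execute()) {
        throw new RuntimeException('update failed: ' . $stmt->error);
    }
    $changed = ($stmt->affected_rows === 1);
    $stmt->close();
    return $changed; // false: no row was changed for this id/random pair
}
```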

