diff --git a/Admin/database.php b/Admin/database.php
index 0ffa5ab8..d2204827 100644
--- a/Admin/database.php
+++ b/Admin/database.php
@@ -261,7 +261,7 @@ class adm_DB {
$result = mysqli_query($this->connection, $q);
// if we didn't update the database for bcrypt hashes yet...
- if (mysqli_error($this->dblink) != '') {
+ if (mysqli_error($this->connection) != '') {
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
$q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
$result = mysqli_query($this->dblink,$q);
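Review bot: The last line of this hunk, `$result = mysqli_query($this->dblink,$q);`, still uses the stale `$this->dblink` handle that the `mysqli_error()` line just above was corrected away from, so the md5-era fallback query runs against an undefined property; the matching hunk in GameEngine/Admin/database.php does change that line to `$result = mysqli_query($this->connection,$q);` and this file should be brought in line with it. Detecting the missing `is_bcrypt` column via `mysqli_error($this->connection) != ''` also treats any failure of the first query (lost connection, permission error, syntax) as "database not yet converted" and silently takes the legacy path; checking `mysqli_errno($this->connection) === 1054` (unknown column) would keep other errors visible, and the same applies to the GameEngine copy of this hunk. The enclosing method starts and ends outside this hunk.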
@@ -272,11 +272,16 @@ class adm_DB {
$dbarray = mysqli_fetch_array($result);
- // check if this is still md5 password hash
- if (!$dbarray['is_bcrypt']) {
+ // even if we didn't do a DB conversion for bcrypt passwords,
+ // we still need to check if this password wasn't encrypted via password_hash,
+ // since all methods were updated to use that instead of md5 and therefore
+ // new passwords in DB will be bcrypt already even without the is_bcrypt field present
+ $bcrypted = true;
+ $pwOk = password_verify($password, $dbarray['password']);
+
+ if (!$pwOk && !$dbarray['is_bcrypt']) {
$pwOk = ($dbarray['password'] == md5($password));
- } else {
- $pwOk = password_verify($password, $dbarray['password']);
+ $bcrypted = false;
}
if($pwOk) {
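Review bot: The md5 fallback kept at `$pwOk = ($dbarray['password'] == md5($password));` compares two hex strings with loose `==`, so values of the form `0e…` compare equal as numbers rather than as strings; it should read `$pwOk = hash_equals((string) $dbarray['password'], md5($password));`, which also makes the comparison constant-time. The new ordering (try `password_verify` first, fall back to md5 only when that fails and `is_bcrypt` is unset) is sound, but `$dbarray` from `mysqli_fetch_array($result)` is used without a check that a row came back, so a `$uid` that is not an admin yields warnings and a null password before the verify; a guard such as `if (!$dbarray) { $pwOk = false; }` ahead of the `password_verify` call would make that case explicit, assuming the method treats a missing row as a failed check. Both points apply equally to the matching hunk in GameEngine/Admin/database.php. The enclosing method starts and ends outside this hunk.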
diff --git a/Admin/function.php b/Admin/function.php
index a17222d9..e5aab18f 100644
--- a/Admin/function.php
+++ b/Admin/function.php
@@ -127,8 +127,11 @@ class funct {
global $admin,$database;
switch($post['action']){
case "DelPlayer":
- $admin->DelPlayer($post['uid'],$post['pass']);
- header("Location: ?p=search&msg=ursdel");
+ if ($admin->DelPlayer($post['uid'],$post['pass'])) {
+ header("Location: ?p=search&msg=ursdel");
+ } else {
+ die('Invalid Admin password, cannot delete player. Please go back and retry.');
+ }
break;
case "punish":
$admin->Punish($post);
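Review bot: The new `if ($admin->DelPlayer($post['uid'],$post['pass']))` depends on DelPlayer returning a boolean, but this commit only adds `return true` / `return false` to the GameEngine copy (GameEngine/Admin/database.php); the Admin/database.php diff contains no DelPlayer hunk, so unless that method already returns a value, the call here yields null and every deletion request ends in `die()`. Both call sites (this one and the identical hunk in GameEngine/Admin/function.php) also still fall through after `header("Location: ?p=search&msg=ursdel");` with no `exit;`, so whatever the page renders after the switch is sent along with the redirect; add `exit;` directly after the header call. The enclosing method starts and ends outside this hunk.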
diff --git a/GameEngine/Admin/database.php b/GameEngine/Admin/database.php
index a86a1f36..23017006 100755
--- a/GameEngine/Admin/database.php
+++ b/GameEngine/Admin/database.php
@@ -246,13 +246,18 @@ class adm_DB {
$this->DelVillage($villages[$i]['wref'], 1);
}
$q = "DELETE FROM ".TB_PREFIX."hero where uid = ".(int) $uid;
- mysqli_query($this->connection,$q);
+ mysqli_query($this->connection,$q);
- $name = $database->getUserField($uid,"username",0);
- mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,$ID,'Deleted user $name',".time().")");
- $q = "DELETE FROM ".TB_PREFIX."users WHERE `id` = ".(int) $uid;
- mysqli_query($this->connection,$q);
+ $name = $database->getUserField($uid,"username",0);
+ mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,$ID,'Deleted user $name',".time().")");
+
+ $q = "DELETE FROM ".TB_PREFIX."users WHERE `id` = ".(int) $uid;
+ mysqli_query($this->connection,$q);
+ } else {
+ return false;
}
+
+ return true;
}
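Review bot: The re-indented admin_log insert, `"Insert into ".TB_PREFIX."admin_log values (0,$ID,'Deleted user $name',".time().")"`, interpolates the deleted user's username straight into SQL; a username containing a quote (stored from a form the user controlled at registration) breaks the statement or alters it, and `$ID` is interpolated without the `(int)` cast that `$uid` gets on the surrounding lines. A prepared statement keeps the audit-log write intact regardless of the name; the `'isi'` types below are assumed from the literal values and should be checked against the admin_log schema. The method's signature and the branch whose `else` is closed in this hunk are outside the hunk, so where `$ID` originates is not visible.
```php
$name = $database->getUserField($uid,"username",0);
$logMsg = 'Deleted user '.$name;
$logTime = time();
$stmt = mysqli_prepare($this->connection, "INSERT INTO ".TB_PREFIX."admin_log VALUES (0, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'isi', $ID, $logMsg, $logTime);
mysqli_stmt_execute($stmt);
// … unchanged: users DELETE, else/return false, return true …
```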
function getUserActive() {
@@ -267,10 +272,10 @@ class adm_DB {
$result = mysqli_query($this->connection, $q);
// if we didn't update the database for bcrypt hashes yet...
- if (mysqli_error($this->dblink) != '') {
+ if (mysqli_error($this->connection) != '') {
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
$q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
- $result = mysqli_query($this->dblink,$q);
+ $result = mysqli_query($this->connection,$q);
$bcrypt_update_done = false;
} else {
$bcrypt_update_done = true;
@@ -278,11 +283,16 @@ class adm_DB {
$dbarray = mysqli_fetch_array($result);
- // check if this is still md5 password hash
- if (!$dbarray['is_bcrypt']) {
+ // even if we didn't do a DB conversion for bcrypt passwords,
+ // we still need to check if this password wasn't encrypted via password_hash,
+ // since all methods were updated to use that instead of md5 and therefore
+ // new passwords in DB will be bcrypt already even without the is_bcrypt field present
+ $bcrypted = true;
+ $pwOk = password_verify($password, $dbarray['password']);
+
+ if (!$pwOk && !$dbarray['is_bcrypt']) {
$pwOk = ($dbarray['password'] == md5($password));
- } else {
- $pwOk = password_verify($password, $dbarray['password']);
+ $bcrypted = false;
}
if($pwOk) {
@@ -335,6 +345,9 @@ class adm_DB {
$q = "DELETE FROM ".TB_PREFIX."movement where `from` = $wref and proc=0";
mysqli_query($this->connection, $q);
+
+ $q = "UPDATE ".TB_PREFIX."wdata SET occupied = 0 where id = $wref";
+ mysqli_query($this->connection, $q);
$getmovement = $database->getMovement(3,$wref,1);
foreach($getmovement as $movedata) {
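Review bot: The new `$q = "UPDATE ".TB_PREFIX."wdata SET occupied = 0 where id = $wref";` interpolates `$wref` with no `(int)` cast, unlike the `(int) $uid` idiom used for the DELETE statements earlier in this file; the existing movement DELETE on the line above does the same, so `$wref` may already be sanitised where it enters the method, which is outside the hunk. Casting at the point of use, `"... where id = ".(int) $wref`, keeps the statement safe independent of the caller. The enclosing method starts and ends outside this hunk.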
diff --git a/GameEngine/Admin/function.php b/GameEngine/Admin/function.php
index 1e3faca6..eccf75b1 100755
--- a/GameEngine/Admin/function.php
+++ b/GameEngine/Admin/function.php
@@ -123,8 +123,11 @@ class funct {
global $admin,$database;
switch($post['action']){
case "DelPlayer":
- $admin->DelPlayer($post['uid'],$post['pass']);
- header("Location: ?p=search&msg=ursdel");
+ if ($admin->DelPlayer($post['uid'],$post['pass'])) {
+ header("Location: ?p=search&msg=ursdel");
+ } else {
+ die('Invalid Admin password, cannot delete player. Please go back and retry.');
+ }
break;
case "punish":
$admin->Punish($post);
diff --git a/todo.txt b/todo.txt
index 835aee14..d2eba04f 100644
--- a/todo.txt
+++ b/todo.txt
@@ -1,4 +1,3 @@
-- fix deleting users (need to delete their villages (+alliances/construction plans/...?) after a while)
- add PayPal listener to verify gold transactions imediatelly
- add combat Simulator link to options for a village/oasis (Centre map, Raid, Send Troops...)
- don't show Support & Taskmaster in stats
@@ -23,4 +22,5 @@
- it's possible to train 2 senators - when 1 is trained, another one is possible to be trained
- add registered date into user details in Admin
- npc shop button is missing from settlers training (palace)
-- should random attacks from Natars when building Wonder of the World be unit-less?
\ No newline at end of file
+- should random attacks from Natars when building Wonder of the World be unit-less?
+- send forum replies in a forum where a user is active also to that user's mailbox
\ No newline at end of file