mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-06 16:56:44 +02:00
Code Issues Releases Wiki Activity

#i42

Browse Source 
new password hashing mechanism for storing passwords


git-svn-id: file:///svn/phpbb/trunk@8139 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen
2007-10-04 18:50:25 +00:00
parent c208556578
commit 760fe6bc66
13 changed files with 1491 additions and 1219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
phpBB/includes/auth/auth_apache.php
View File

@@ -194,7 +194,7 @@ function user_row_apache($username, $password)
// generate user account data
return array(
'username' => $username,
'user_password' => md5($password),
'user_password' => phpbb_hash($password),
'user_email' => '',
'group_id' => (int) $row['group_id'],
'user_type' => USER_NORMAL,

23
phpBB/includes/auth/auth_db.php
View File

@@ -125,15 +125,17 @@ function login_db(&$username, &$password)
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
{
$hash = phpbb_hash($password_new_format);
// Update the password in the users table to the new format and remove user_pass_convert flag
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\',
SET user_password = \'' . $db->sql_escape($hash) . '\',
user_pass_convert = 0
WHERE user_id = ' . $row['user_id'];
$db->sql_query($sql);
$row['user_pass_convert'] = 0;
$row['user_password'] = md5($password_new_format);
$row['user_password'] = $hash;
}
else
{
@@ -154,8 +156,23 @@ function login_db(&$username, &$password)
}
// Check password ...
if (!$row['user_pass_convert'] && md5($password) == $row['user_password'])
if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
{
// Check for old password hash...
if (strlen($row['user_password']) == 32)
{
$hash = phpbb_hash($password);
// Update the password in the users table to the new format
$sql = 'UPDATE ' . USERS_TABLE . "
SET user_password = '" . $db->sql_escape($hash) . "',
user_pass_convert = 0
WHERE user_id = {$row['user_id']}";
$db->sql_query($sql);
$row['user_password'] = $hash;
}
if ($row['user_login_attempts'] != 0)
{
// Successful, reset login attempts (the user passed all stages)

2
phpBB/includes/auth/auth_ldap.php
View File

@@ -204,7 +204,7 @@ function login_ldap(&$username, &$password)
// generate user account data
$ldap_user_row = array(
'username' => $username,
'user_password' => md5($password),
'user_password' => phpbb_hash($password),
'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '',
'group_id' => (int) $row['group_id'],
'user_type' => USER_NORMAL,