Use PHP's built-in password hashing and verification for user accounts
This commit is contained in:
parent
bbb3e7c0e3
commit
6084650181
|
@ -541,6 +541,19 @@ function _md5cr($pass, $salt = "") {
|
|||
return crypt($pass, $salt);
|
||||
}
|
||||
|
||||
/**
|
||||
* Transtional function to check if a string matches a saved password hash.
|
||||
* @param string $pass string
|
||||
* @param string $hash string
|
||||
* @return bool
|
||||
*/
|
||||
function _password_verify($pass, $hash) {
|
||||
if (strncmp($hash, '$1$', 3) == 0) {
|
||||
// @TODO Raise a warning for the user to update their password.
|
||||
return _md5cr($pass, $hash) == $hash;
|
||||
}
|
||||
return password_verify($pass, $hash);
|
||||
}
|
||||
|
||||
/** split mysql database name between username and custom database name
|
||||
* @param string $dbname database name
|
||||
|
|
|
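Review bot: The legacy branch of `_password_verify` compares the recomputed MD5-crypt hash with a plain `==`, which is a non-constant-time comparison and the only non-timing-safe check left in the function, since `password_verify()` itself compares in constant time; use `return hash_equals($hash, _md5cr($pass, $hash));` instead. The docblock also has a typo, `Transtional` should read `Transitional`, and it would help maintainers to say that the `$1$` prefix is what identifies a hash produced by `_md5cr()`, so the branch can be removed once all stored hashes have been migrated. The `@TODO` about warning the user would be more useful if it pointed at the login path as the place where a legacy hash can be re-hashed transparently.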
@ -634,7 +634,7 @@ class m_admin {
|
|||
$msg->raise("ERROR", "admin", _("Login can only contains characters a-z, 0-9 and -"));
|
||||
return false;
|
||||
}
|
||||
$pass = _md5cr($pass);
|
||||
$pass = password_hash($pass);
|
||||
$db = new DB_System();
|
||||
// Already exist?
|
||||
$db->query("SELECT count(*) AS cnt FROM membres WHERE login= ?;", array($login));
|
||||
|
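Review bot: `password_hash($pass)` is called without the required `$algo` argument; `password_hash()` has no default for its second parameter, so depending on the PHP version this either throws an `ArgumentCountError` or emits a warning and returns `null`, which would then be written to `membres.pass` as the account password. The call should be `$pass = password_hash($pass, PASSWORD_DEFAULT);`. The same omission appears in the `@ -772` hunk (`$pass = password_hash($pass);`) and in the `@ -410` hunk (`$newpass = password_hash($newpass);`). Since `password_hash()` can return `false` on failure in older versions, checking the result before the INSERT would avoid persisting an unusable value.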
@ -772,7 +772,7 @@ class m_admin {
|
|||
$db = new DB_System();
|
||||
|
||||
if ($pass) {
|
||||
$pass = _md5cr($pass);
|
||||
$pass = password_hash($pass);
|
||||
$second_query = "UPDATE membres SET mail= ?, canpass= ?, enabled= ?, `type`= ?, notes= ? , pass = ? WHERE uid= ?;";
|
||||
$second_query_args = array($mail, $canpass, $enabled, $type, $notes, $pass, $uid);
|
||||
} else {
|
||||
|
|
|
@ -93,7 +93,7 @@ class m_mem {
|
|||
return false;
|
||||
}
|
||||
$db->next_record();
|
||||
if (_md5cr($password, $db->f("pass")) != $db->f("pass")) {
|
||||
if (!_password_verify($password, $db->f('pass'))) {
|
||||
$db->query("UPDATE membres SET lastfail=lastfail+1 WHERE uid= ? ;", array($db->f("uid")));
|
||||
$msg->raise("ERROR", "mem", _("User or password incorrect"));
|
||||
return false;
|
||||
|
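Review bot: After a successful `_password_verify()` against a legacy `$1$` hash, nothing upgrades the stored value, so accounts keep their MD5-crypt hash until the user changes their password; the success path of this login routine lies outside the hunk, so this is an inferred gap. On success, `password_needs_rehash($db->f('pass'), PASSWORD_DEFAULT)` returns true for a non-bcrypt hash and could gate an `UPDATE membres SET pass= ? WHERE uid= ?` with `password_hash($password, PASSWORD_DEFAULT)`, which would retire the legacy branch in `_password_verify` over time. Capture `$db->f("uid")` before issuing that query, since the existing code reuses the same `$db` object for the `lastfail` update and a second query replaces the current record.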
@ -396,7 +396,7 @@ class m_mem {
|
|||
$msg->raise("ERROR", "mem", _("You are not allowed to change your password."));
|
||||
return false;
|
||||
}
|
||||
if ($this->user["pass"] != _md5cr($oldpass, $this->user["pass"])) {
|
||||
if (!_password_verify($oldpass, $this->user['pass'])) {
|
||||
$msg->raise("ERROR", "mem", _("The old password is incorrect"));
|
||||
return false;
|
||||
}
|
||||
|
@ -410,7 +410,7 @@ class m_mem {
|
|||
if (!$admin->checkPolicy("mem", $login, $newpass)) {
|
||||
return false; // The error has been raised by checkPolicy()
|
||||
}
|
||||
$newpass = _md5cr($newpass);
|
||||
$newpass = password_hash($newpass);
|
||||
$db->query("UPDATE membres SET pass= ? WHERE uid= ?;", array($newpass, $cuid));
|
||||
$msg->init_msgs();
|
||||
return true;
|
||||
|
|