authorMeik Sievertsen <acydburn@phpbb.com>2007-10-04 18:50:25 +0000
committerMeik Sievertsen <acydburn@phpbb.com>2007-10-04 18:50:25 +0000
commit760fe6bc66cc5571b220e3a80ddc027ad67b86f3 (patch)
tree85cc3fdacda920243e9bfad58f9e44d4cd65841a /phpBB/includes/auth/auth_db.php
parentc2085565789b4a5858ba9bb1189804b731cb2ab4 (diff)
#i42
new password hashing mechanism for storing passwords git-svn-id: file:///svn/phpbb/trunk@8139 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes/auth/auth_db.php')
-rw-r--r--phpBB/includes/auth/auth_db.php23
1 files changed, 20 insertions, 3 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 49e6b8fc5d..8804ac9b8e 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -125,15 +125,17 @@ function login_db(&$username, &$password)
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
{
+ $hash = phpbb_hash($password_new_format);
+
// Update the password in the users table to the new format and remove user_pass_convert flag
$sql = 'UPDATE ' . USERS_TABLE . '
- SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\',
+ SET user_password = \'' . $db->sql_escape($hash) . '\',
user_pass_convert = 0
WHERE user_id = ' . $row['user_id'];
$db->sql_query($sql);
$row['user_pass_convert'] = 0;
- $row['user_password'] = md5($password_new_format);
+ $row['user_password'] = $hash;
}
else
{
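Review bot: The legacy check at the top of this hunk still compares the MD5 hex digests with loose `==`, and the switch to `phpbb_hash()` for storage leaves that in place. Under `==` PHP compares two numeric-looking strings as numbers, so distinct digests can compare equal; both comparisons on that line should use `===`. The UPDATE also concatenates `$row['user_id']` uncast; the value appears to come from the database row, but `WHERE user_id = ' . (int) $row['user_id'];` costs nothing. login_db's body starts and ends outside the hunk.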
@@ -154,8 +156,23 @@ function login_db(&$username, &$password)
}
// Check password ...
- if (!$row['user_pass_convert'] && md5($password) == $row['user_password'])
+ if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
{
+ // Check for old password hash...
+ if (strlen($row['user_password']) == 32)
+ {
+ $hash = phpbb_hash($password);
+
+ // Update the password in the users table to the new format
+ $sql = 'UPDATE ' . USERS_TABLE . "
+ SET user_password = '" . $db->sql_escape($hash) . "',
+ user_pass_convert = 0
+ WHERE user_id = {$row['user_id']}";
+ $db->sql_query($sql);
+
+ $row['user_password'] = $hash;
+ }
+
if ($row['user_login_attempts'] != 0)
{
// Successful, reset login attempts (the user passed all stages)
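Review bot: The upgrade branch detects a legacy hash with the bare `strlen($row['user_password']) == 32`, which duplicates knowledge that presumably lives in `phpbb_check_hash()` (not visible here) about MD5 digests still being accepted. A comment such as `// 32 hex chars = legacy unsalted MD5 that phpbb_check_hash() just accepted; re-hash it now` would make that coupling explicit. The result of `$db->sql_query($sql)` is not checked before `$row['user_password'] = $hash;`, so unless the DB layer reports the failure itself a failed UPDATE silently leaves the stored MD5 in place; `user_pass_convert = 0` is also redundant, since this branch is only reached when `!$row['user_pass_convert']`. Because re-hashing happens only on a successful login, accounts that never log in again keep their MD5 digest, which is worth tracking as a separate migration task. login_db's body continues outside the hunk.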