author | Andrew Dolgov <[email protected]> | 2012-01-23 12:20:09 +0400 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2012-01-23 12:20:09 +0400 |
commit | 098df83ba6a5fb7ea03cb9dfc9f6eca82397fe27 (patch) | |
tree | b5b6c5e972b68ff36344c30382b28b22adb38d5d /classes/pref_users.php | |
parent | 8b4fb0d0d6045c9905bea5d427aba8ab28a77dc9 (diff) |
fix various password-change related functions
Diffstat (limited to 'classes/pref_users.php')
-rw-r--r-- | classes/pref_users.php | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/classes/pref_users.php b/classes/pref_users.php index fe32ce14c..975b41f5c 100644 --- a/classes/pref_users.php +++ b/classes/pref_users.php @@ -206,8 +206,9 @@ class Pref_Users extends Protected_Handler { $password = db_escape_string(trim($_REQUEST["password"])); if ($password) { - $pwd_hash = encrypt_password($password, $login); - $pass_query_part = "pwd_hash = '$pwd_hash', "; + $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250); + $pwd_hash = encrypt_password($password, $salt, true); + $pass_query_part = "pwd_hash = '$pwd_hash', salt = '$salt',"; } else { $pass_query_part = ""; } @@ -233,7 +234,8 @@ class Pref_Users extends Protected_Handler { $login = db_escape_string(trim($_REQUEST["login"])); $tmp_user_pwd = make_password(8); - $pwd_hash = encrypt_password($tmp_user_pwd, $login); + $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250); + $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true); $result = db_query($this->link, "SELECT id FROM ttrss_users WHERE login = '$login'"); @@ -241,8 +243,8 @@ class Pref_Users extends Protected_Handler { if (db_num_rows($result) == 0) { db_query($this->link, "INSERT INTO ttrss_users - (login,pwd_hash,access_level,last_login,created) - VALUES ('$login', '$pwd_hash', 0, null, NOW())"); + (login,pwd_hash,access_level,last_login,created, salt) + VALUES ('$login', '$pwd_hash', 0, null, NOW(), '$salt')"); $result = db_query($this->link, "SELECT id FROM ttrss_users WHERE 
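Review bot: The salt generation added in the first hunk never checks the result of `openssl_random_pseudo_bytes()`: if the call fails, `bin2hex()` would produce an empty string and the account would be stored with an empty salt, and the `$crypto_strong` out-parameter is not inspected either. I would capture the bytes first with `$raw = openssl_random_pseudo_bytes(125, $strong);`, refuse the password change on `if ($raw === false || !$strong)`, and only then set `$salt = bin2hex($raw);` (the `substr(..., 0, 250)` is a no-op, since 125 bytes always hex-encode to exactly 250 characters). The same expression is repeated in the hunks at -233 and -276, so one shared helper would keep the three call sites consistent. Separately, `$password` has already been through `db_escape_string()` on the context line above, so the value hashed is the SQL-escaped string rather than what the user typed; that only verifies if the login path, which is not visible here, escapes identically. The enclosing method starts and ends outside the hunk.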
@@ -276,10 +278,14 @@ class Pref_Users extends Protected_Handler { $login = db_fetch_result($result, 0, "login"); $email = db_fetch_result($result, 0, "email"); + $salt = db_fetch_result($result, 0, "salt"); + + $new_salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250); $tmp_user_pwd = make_password(8); - $pwd_hash = encrypt_password($tmp_user_pwd, $login); - db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash' + $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true); + + db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt' WHERE id = '$uid'"); print T_sprintf("Changed password of user <b>%s</b> |
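Review bot: `$salt = db_fetch_result($result, 0, "salt");` reads the old salt, but nothing in this hunk uses it: the new hash is built from `$new_salt` and the UPDATE writes `$new_salt`. Unless the value is used further down outside the hunk, I would drop that line, which also removes the dependency on the preceding SELECT (not visible here) returning a `salt` column. The enclosing method starts and ends outside the hunk.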