From 098df83ba6a5fb7ea03cb9dfc9f6eca82397fe27 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 23 Jan 2012 12:20:09 +0400 Subject: fix various password-change related functions --- register.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'register.php') diff --git a/register.php b/register.php index 4107a2eac..e75c1c94c 100644 --- a/register.php +++ b/register.php @@ -4,7 +4,7 @@ // 1) templates/register_notice.txt - displayed above the registration form // 2) register_expire_do.php - contains user expiration queries when necessary - set_include_path(get_include_path() . PATH_SEPARATOR . + set_include_path(get_include_path() . PATH_SEPARATOR . dirname(__FILE__) . "/include"); require_once 'lib/phpmailer/class.phpmailer.php'; @@ -270,11 +270,12 @@ $password = make_password(); - $pwd_hash = encrypt_password($password, $login); + $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250); + $pwd_hash = encrypt_password($password, $salt, true); db_query($link, "INSERT INTO ttrss_users - (login,pwd_hash,access_level,last_login, email, created) - VALUES ('$login', '$pwd_hash', 0, null, '$email', NOW())"); + (login,pwd_hash,access_level,last_login, email, created, salt) + VALUES ('$login', '$pwd_hash', 0, null, '$email', NOW(), '$salt')"); $result = db_query($link, "SELECT id FROM ttrss_users WHERE login = '$login' AND pwd_hash = '$pwd_hash'"); -- cgit v1.2.3
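Review bot: The new `$salt` line in the second hunk uses the result of `openssl_random_pseudo_bytes(125)` without checking it, so if the call fails or reports a non-cryptographic source, the account is stored with an empty or weak salt. Pass the second argument and stop before the INSERT when it is not true: `$raw = openssl_random_pseudo_bytes(125, $strong);`, then `if ($raw === false || !$strong) { /* abort registration */ }`, then `$salt = bin2hex($raw);`. The `substr(..., 0, 250)` can go, since 125 bytes always hex-encode to exactly 250 characters. `$login` and `$email` are still interpolated into the INSERT and the following SELECT; they are presumably escaped earlier, outside this hunk, which should be confirmed. The enclosing block starts and ends outside the hunk.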