save a hash of the password instead of the password itself in the DB (requires a schema upgrade: just run install.php again)
parent
5ea9ff0197
commit
52cf654c20
|
@ -58,7 +58,7 @@ function fof_db_query($sql, $live=0)
|
|||
//echo "<pre>";
|
||||
//print_r(debug_backtrace());
|
||||
//echo "</pre>";
|
||||
die("Cannot query database. Have you run <a href=\"install.php\"><code>install.php</code></a>? MySQL says: <b>". mysql_error() . "</b>");
|
||||
die("Cannot query database. Have you run <a href=\"install.php\"><code>install.php</code></a> to create or upgrade your installation? MySQL says: <b>". mysql_error() . "</b>");
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
@ -306,7 +306,7 @@ function fof_db_authenticate($user_name, $user_password_hash)
|
|||
{
|
||||
global $FOF_USER_TABLE, $FOF_ITEM_TABLE, $FOF_ITEM_TAG_TABLE, $fof_connection, $fof_user_id, $fof_user_name, $fof_user_level, $fof_user_prefs;
|
||||
|
||||
$sql = "select * from $FOF_USER_TABLE where user_name = '$user_name' and md5(user_password) = '" . mysql_escape_string($user_password_hash) . "'";
|
||||
$sql = "select * from $FOF_USER_TABLE where user_name = '$user_name' and user_password_hash = '" . mysql_escape_string($user_password_hash) . "'";
|
||||
|
||||
$result = fof_db_query($sql);
|
||||
|
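Review bot: The rewritten query on the `user_password_hash = ...` line still interpolates `$user_name` into the SQL unescaped while only the hash value goes through `mysql_escape_string()`, so a crafted user name can alter the statement (the hash is a fixed 32-character hex digest, the name is free text). Escape both, e.g. `where user_name = '" . mysql_escape_string($user_name) . "' and user_password_hash = '" . mysql_escape_string($user_password_hash) . "'"`, or use a parameterised query if the driver in use offers one. Note also that install.php escapes with `mysql_real_escape_string()` while this function uses `mysql_escape_string()`, which does not take the connection charset into account; the two files should agree on one. Because the comparison happens inside SQL, the hash scheme is fixed by the callers and no per-user random salt is involved; fof_db_authenticate continues beyond the hunk.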
||||
|
|
21
install.php
21
install.php
|
@ -34,9 +34,9 @@ header("Content-Type: text/html; charset=utf-8");
|
|||
<?php
|
||||
if($_GET['password'])
|
||||
{
|
||||
$password = mysql_real_escape_string($_GET['password']);
|
||||
$password_hash = mysql_real_escape_string(md5($_GET['password'] . 'admin'));
|
||||
|
||||
fof_db_query("insert into $FOF_USER_TABLE (user_id, user_name, user_password, user_level) values (1, 'admin', '$password', 'admin')");
|
||||
fof_db_query("insert into $FOF_USER_TABLE (user_id, user_name, user_password_hash, user_level) values (1, 'admin', '$password_hash', 'admin')");
|
||||
|
||||
echo 'OK! Setup complete! <a href=".">Login as admin</a>, and start subscribing!';
|
||||
}
|
||||
|
@ -108,7 +108,7 @@ $tables[] = <<<EOQ
|
|||
CREATE TABLE IF NOT EXISTS `$FOF_USER_TABLE` (
|
||||
`user_id` int(11) NOT NULL auto_increment,
|
||||
`user_name` varchar(100) NOT NULL default '',
|
||||
`user_password` varchar(32) NOT NULL default '',
|
||||
`user_password_hash` varchar(32) NOT NULL default '',
|
||||
`user_level` enum('user','admin') NOT NULL default 'user',
|
||||
`user_prefs` text,
|
||||
PRIMARY KEY (`user_id`)
|
||||
|
@ -126,6 +126,21 @@ foreach($tables as $table)
|
|||
?>
|
||||
Tables exist.<br><br>
|
||||
|
||||
<?php
|
||||
$result = fof_db_query("show columns from $FOF_USER_TABLE like 'user_password_hash'");
|
||||
|
||||
if(mysql_num_rows($result) == 0)
|
||||
{
|
||||
|
||||
print "Upgrading schema...";
|
||||
|
||||
fof_db_query("ALTER TABLE $FOF_USER_TABLE CHANGE `user_password` `user_password_hash` VARCHAR( 32 ) NOT NULL");
|
||||
fof_db_query("update $FOF_USER_TABLE set user_password_hash = md5(concat(user_password_hash, user_name))");
|
||||
|
||||
print "Done.<BR><BR>";
|
||||
}
|
||||
?>
|
||||
|
||||
Inserting initial data...
|
||||
|
||||
<?php
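Review bot: The upgrade path is not safe to re-run: the rename on the `ALTER TABLE` line and the rehash on the following `update` line are two separate statements, and the only guard is whether a `user_password_hash` column exists. If the rename succeeds but the script stops before the update completes (fof_db_query `die()`s on any query error, and the connection may drop between the two calls), the next run of install.php sees the column, skips this block, and the old clear-text passwords stay in `user_password_hash` where they never match a login yet remain stored in clear. Consider recording a schema version in its own table or in the prefs and upgrading on that marker, or at least printing a warning with the manual SQL step when the column exists but the marker is missing. The `CHANGE` clause also omits the `default ''` that the fresh `CREATE TABLE` above gives this column, so upgraded and fresh installs end up with slightly different definitions; add `NOT NULL default ''` to the `CHANGE` for consistency.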
|
||||
|
|
|
@ -21,7 +21,7 @@ header("Content-Type: text/html; charset=utf-8");
|
|||
|
||||
if(isset($_POST["user_name"]) && isset($_POST["user_password"]))
|
||||
{
|
||||
if(fof_authenticate($_POST['user_name'], md5($_POST['user_password'])))
|
||||
if(fof_authenticate($_POST['user_name'], md5($_POST['user_password'] . $_POST['user_name'])))
|
||||
{
|
||||
Header("Location: .");
|
||||
}
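Review bot: The hash recipe `md5($_POST['user_password'] . $_POST['user_name'])` on the new `fof_authenticate` line is now written out independently here, in install.php (`md5($_GET['password'] . 'admin')`) and in the add-user page, so the three copies can silently drift; move it into one helper such as `fof_password_hash($password, $user_name)` next to fof_db_authenticate and call that from all three places. The user name doubles as the salt, so the salt is public and identical for the `admin` account on every installation, meaning one precomputed MD5 table for common names works everywhere, and unsalted-style MD5 is fast to brute-force; a random per-user salt stored in its own column (and a stronger hash where the PHP version in use offers one) would be the next step. Tying the hash to the user name also means any later rename of an account invalidates its password unless it is rehashed. The login form itself is outside the hunk.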
|
||||
|
|
|
@ -28,8 +28,9 @@ if(isset($_POST['adduser']) && isset($_POST['username']) && isset($_POST['passwo
|
|||
{
|
||||
$username = $_POST['username'];
|
||||
$password = $_POST['password'];
|
||||
$password_hash = md5($password . $username);
|
||||
|
||||
fof_db_query("insert into $FOF_USER_TABLE (user_name, user_password) values ('$username', '$password')");
|
||||
fof_db_query("insert into $FOF_USER_TABLE (user_name, user_password_hash) values ('$username', '$password_hash')");
|
||||
|
||||
$message = "User '$username' added.";
|
||||
}
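Review bot: `$username` is interpolated into the INSERT on the new `fof_db_query` line without any escaping, so the add-user form stays open to SQL injection through the user name even though the password value is now a fixed-length hex digest; install.php runs its values through `mysql_real_escape_string()` and this page should do the same. Keep the hash computed from the raw name and escape only for the query, e.g. `fof_db_query("insert into $FOF_USER_TABLE (user_name, user_password_hash) values ('" . mysql_real_escape_string($username) . "', '$password_hash')");`, otherwise a name containing a quote would hash differently here than on the login page, which hashes the raw `$_POST['user_name']`. As far as the hunk shows, `isset($_POST['password'])` also lets an empty password through; reject empty passwords before inserting. The handler's opening `if` is outside the hunk.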
|
||||
|
|