diff --git a/ag/include/user.inc.php b/ag/include/user.inc.php
index 1097b44..91a42e8 100644
--- a/ag/include/user.inc.php
+++ b/ag/include/user.inc.php
@@ -90,39 +90,42 @@ function checkCookiePassword($username, $password){
}
function checkLoginPassword($username, $password){
+ // We should now use the BCRYPT algo to store passwords
+ $pw = encryptPassword($password);
+
$sql = 'SELECT SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as encrypt_password, passwort from user where nickname = \''.$username.'\'';
// echo $sql.'
';
$row = mysql_fetch_assoc(mysql_query($sql));
if($row){
- if($row['encrypt_password'] != $row['passwort'] && md5($password) == $row['passwort']){
+ if($row['passwort'] == $pw) {
+ return true; // already bcrypt based!
+ }
+ if($row['encrypt_password'] == $row['passwort'] || md5($password) == $row['passwort']){
setPassword($username, $password);
return true;
- } else{
- return $row['encrypt_password'] == $row['passwort'];
}
- } else{
- return false;
}
+ return false;
}
function setCookies($nick_name, $password){
+ $pw = encryptPassword($password);
checkCookies($nick_name, $_COOKIE['yps']);
- $row = mysql_fetch_assoc(mysql_query('select SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as pw'));
setcookie('name',$nick_name,time()+864000);
- setcookie('passwort',$row['pw'],time()+864000);
+ setcookie('passwort',$pw,time()+864000);
setcookie('yps',$nick_name.','.md5($nick_name),time()+864000);
}
function setPassword($username, $password){
- $sql = 'UPDATE user set passwort = SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) where nickname = \''.$username.'\'';
+ $pw = encryptPassword($password);
+ $sql = 'UPDATE user set passwort = \''.$pw.'\' where nickname = \''.$username.'\'';
// echo $sql.'
';
mysql_query($sql);
}
function encryptPassword($password){
- $sql = 'SELECT SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as pw';
- $result = mysql_fetch_assoc(mysql_query($sql));
- return $result['pw'];
+ $pw = password_hash($password, PASSWORD_BCRYPT, array('salt' => $GLOBALS['PW_AES_KEY']));
+ return $pw;
}
function getUserMetaData($userid) {
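Review bot: The bcrypt comparison on the `if($row['passwort'] == $pw)` line only works because `encryptPassword` forces a fixed salt through the `salt` option of `password_hash`, which is deprecated in PHP 7.0 and ignored from 8.0 (a random salt is generated instead), after which this branch never matches and bcrypt-stored users fall through to the legacy AES/md5 checks and fail to log in. Replace the recomputation with the verifier, `if (password_verify($password, $row['passwort'])) { return true; }`, and let `encryptPassword` return `password_hash($password, PASSWORD_BCRYPT)` with no salt option; a salt shared by every account (and doubling as the AES key) also removes the per-user salting bcrypt is meant to provide. The same determinism is what `setCookies` relies on when it writes `$pw` into the `passwort` cookie, so that path, and `checkCookiePassword` whose body starts before the hunk, would need a separate session token rather than the stored hash once the salt is random. The new `UPDATE` in `setPassword` and the `SELECT` in `checkLoginPassword` still interpolate `$username` and `$password` directly into SQL, which the commit does not address.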