Ported the password handling to use bcrypt instead of the old AES-based scheme

main
hecht 9 years ago
parent 4500fa63c6
commit f34103ab5e

@ -90,39 +90,42 @@ function checkCookiePassword($username, $password){
} }
function checkLoginPassword($username, $password){ function checkLoginPassword($username, $password){
// We should now use the BCRYPT algo to store passwords
$pw = encryptPassword($password);
$sql = 'SELECT SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as encrypt_password, passwort from user where nickname = \''.$username.'\''; $sql = 'SELECT SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as encrypt_password, passwort from user where nickname = \''.$username.'\'';
// echo $sql.'<br>'; // echo $sql.'<br>';
$row = mysql_fetch_assoc(mysql_query($sql)); $row = mysql_fetch_assoc(mysql_query($sql));
if($row){ if($row){
if($row['encrypt_password'] != $row['passwort'] && md5($password) == $row['passwort']){ if($row['passwort'] == $pw) {
return true; // already bcrypt based!
}
if($row['encrypt_password'] == $row['passwort'] || md5($password) == $row['passwort']){
setPassword($username, $password); setPassword($username, $password);
return true; return true;
} else{
return $row['encrypt_password'] == $row['passwort'];
} }
} else{
return false;
} }
return false;
} }
function setCookies($nick_name, $password){ function setCookies($nick_name, $password){
$pw = encryptPassword($password);
checkCookies($nick_name, $_COOKIE['yps']); checkCookies($nick_name, $_COOKIE['yps']);
$row = mysql_fetch_assoc(mysql_query('select SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as pw'));
setcookie('name',$nick_name,time()+864000); setcookie('name',$nick_name,time()+864000);
setcookie('passwort',$row['pw'],time()+864000); setcookie('passwort',$pw,time()+864000);
setcookie('yps',$nick_name.','.md5($nick_name),time()+864000); setcookie('yps',$nick_name.','.md5($nick_name),time()+864000);
} }
function setPassword($username, $password){ function setPassword($username, $password){
$sql = 'UPDATE user set passwort = SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) where nickname = \''.$username.'\''; $pw = encryptPassword($password);
$sql = 'UPDATE user set passwort = \''.$pw.'\' where nickname = \''.$username.'\'';
// echo $sql.'<br>'; // echo $sql.'<br>';
mysql_query($sql); mysql_query($sql);
} }
function encryptPassword($password){ function encryptPassword($password){
$sql = 'SELECT SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as pw'; $pw = password_hash($password, PASSWORD_BCRYPT, array('salt' => $GLOBALS['PW_AES_KEY']));
$result = mysql_fetch_assoc(mysql_query($sql)); return $pw;
return $result['pw'];
} }
function getUserMetaData($userid) { function getUserMetaData($userid) {
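Review bot: The bcrypt conversion in encryptPassword passes `$GLOBALS['PW_AES_KEY']` as a fixed `'salt'`, so every user's hash is derived with the same salt, which removes the per-user salting bcrypt exists to provide and lets one cracking pass attack every row at once; password_hash also requires a 22-character salt from the `./0-9A-Za-z` alphabet and returns false otherwise, and the option is deprecated since PHP 7.0 and ignored in 8.0. Let PHP generate the salt with `$pw = password_hash($password, PASSWORD_BCRYPT);` and compare in checkLoginPassword with `if(password_verify($password, $row['passwort'])) {` instead of the string equality against a recomputed hash. The fixed salt looks intentional so that setCookies can store a recomputable hash in the `passwort` cookie; once salts are random that cookie value has to be checked with password_verify against the stored hash (or, better, replaced by a random session token), which is outside this hunk in checkCookies. Note that the legacy fallback branch still interpolates `$password` and `$username` straight into the SELECT and UPDATE statements, so the SQL injection the old code had survives the port; parameterised queries would close it. getUserMetaData begins on the last line and its body is outside the hunk.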
