Updated mysql auth to use PHPass

2024-10-07 16:52:45 +00:00 · 2014-02-03 10:45:34 +00:00
parent e80f8f33a6
commit 04a9f4a2f3
4 changed files with 276 additions and 5 deletions
--- a/html/includes/authentication/mysql.inc.php
+++ b/html/includes/authentication/mysql.inc.php
@ -9,14 +9,26 @@ function authenticate($username,$password)
    // Migrate from old, unhashed password
    if ($row['password'] == $encrypted_old)
    {
-      $row = dbFetchRow("DESCRIBE users password");
-      if ($row['Type'] == 'varchar(34)')
+      $row_type = dbFetchRow("DESCRIBE users password");
+      if ($row_type['Type'] == 'varchar(34)')
      {
        changepassword($username,$password);
      }
      return 1;
    }
-    if ($row['password'] == crypt($password,$row['password']))
+    elseif(substr($row['password'],0,3) == '$1$')
+    {
+      $row_type = dbFetchRow("DESCRIBE users password");
+      if ($row_type['Type'] == 'varchar(60)')
+      {
+        if ($row['password'] == crypt($password,$row['password']))
+        {
+          changepassword($username,$password);
+        }
+      }
+    }
+    $hasher = new PasswordHash(8, FALSE);
+    if($hasher->CheckPassword($password, $row['password']))
    {
      return 1;
    }
@ -62,7 +74,9 @@ function generateSalt($max = 15)

 function changepassword($username,$password)
 {
-  $encrypted = crypt($password,'$1$' . generateSalt(8).'$');
+  //$encrypted = crypt($password,'$1$' . generateSalt(8).'$');
+  $hasher = new PasswordHash(8, FALSE);
+  $encrypted = $hasher->HashPassword($password);
  return dbUpdate(array('password' => $encrypted), 'users', '`username` = ?', array($username));
 }

@ -75,7 +89,9 @@ function adduser($username, $password, $level, $email = "", $realname = "", $can
 {
  if (!user_exists($username))
  {
-    $encrypted = crypt($password,'$1$' . generateSalt(8).'$');
+    //$encrypted = crypt($password,'$1$' . generateSalt(8).'$');
+    $hasher = new PasswordHash(8, FALSE);
+    $encrypted = $hasher->HashPassword($password);
    return dbInsert(array('username' => $username, 'password' => $encrypted, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd), 'users');
  } else {
    return FALSE;