pioder/uf2
1
0
Fork 0
Code Releases Activity

improved password generating method (salt + SHA-256)

Browse Source
This commit is contained in:
Piotr Dergun
2015-02-15 16:23:01 +01:00
parent a542813c8f
commit bf23339cfe
3 changed files with 21 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
inc/controllers/AdminController.class.php
View File

@@ -144,7 +144,7 @@ class AdminController extends Controller
$av = $user_info['avatar']; //if new avatar is not set $av = $user_info['avatar']; //if new avatar is not set
if ($_POST['passwd'] != '') if ($_POST['passwd'] != '')
$this->getModel('UsersModel')->changeUserPassword($_GET['id'], sha1($_POST['passwd'])); $this->getModel('UsersModel')->changeUserPassword($_GET['id'], $user_info['nick'], $_POST['passwd']);
$this->getModel('UsersModel')->changeUserRank($_GET['id'], $_POST['user_rank']); $this->getModel('UsersModel')->changeUserRank($_GET['id'], $_POST['user_rank']);
$this->getModel('UsersModel')->updateUserProfile($_GET['id'], $_POST['nick'], $_POST['email'], $_POST['location'], $_POST['signature'], $av); $this->getModel('UsersModel')->updateUserProfile($_GET['id'], $_POST['nick'], $_POST['email'], $_POST['location'], $_POST['signature'], $av);

10
inc/controllers/MainController.class.php
View File

@@ -39,6 +39,7 @@ class MainController extends Controller
public function main() public function main()
{ {
$this->loadDependencies(); $this->loadDependencies();
$this->loadModel('UsersModel');
$this->getView('MainView')->main(); $this->getView('MainView')->main();
} }
@@ -538,7 +539,7 @@ class MainController extends Controller
if ($_POST['email'] != $user_info['email'] || $_POST['passwd'] != '') if ($_POST['email'] != $user_info['email'] || $_POST['passwd'] != '')
{ {
if (sha1($_POST['passwd_old']) != $user_info['password']) if ($this->getModel('UsersModel')->generatePasswordHash($user_info['nick'], $_POST['passwd_old']) != $user_info['password'])
$msg .= 'Old password is incorrect!<br>'; $msg .= 'Old password is incorrect!<br>';
} }
if ($_POST['passwd'] != '') if ($_POST['passwd'] != '')
@@ -590,7 +591,7 @@ class MainController extends Controller
$av = $user_info['avatar']; //if new avatar is not set $av = $user_info['avatar']; //if new avatar is not set
if ($_POST['passwd'] != '') if ($_POST['passwd'] != '')
$this->getModel('UsersModel')->changeUserPassword($this->getModel('SessionModel')->getID(), sha1($_POST['passwd'])); $this->getModel('UsersModel')->changeUserPassword($this->getModel('SessionModel')->getID(), $user_info['nick'], $_POST['passwd']);
$this->getModel('UsersModel')->updateUserProfile($this->getModel('SessionModel')->getID(), '', $_POST['email'], $_POST['location'], $_POST['signature'], $av); $this->getModel('UsersModel')->updateUserProfile($this->getModel('SessionModel')->getID(), '', $_POST['email'], $_POST['location'], $_POST['signature'], $av);
$this->getView('MainView')->forum_message('Your profile has changed.', buildURL('index.php?mode=viewprofile&amp;id='.$this->getModel('SessionModel')->getID())); $this->getView('MainView')->forum_message('Your profile has changed.', buildURL('index.php?mode=viewprofile&amp;id='.$this->getModel('SessionModel')->getID()));
@@ -627,6 +628,7 @@ class MainController extends Controller
{ {
$this->loadDependencies(); $this->loadDependencies();
$this->loadModel('BansModel'); $this->loadModel('BansModel');
$this->loadModel('UsersModel');
if ($this->getModel('SessionModel')->isLogged()) if ($this->getModel('SessionModel')->isLogged())
$this->forward(buildURL('index.php')); $this->forward(buildURL('index.php'));
@@ -636,7 +638,7 @@ class MainController extends Controller
{ {
//secure pools //secure pools
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick']))); $_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
$_POST['passwd'] = sha1(trim(strip_tags($this->db->real_escape_string($_POST['passwd'])))); $_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim(strip_tags($this->db->real_escape_string($_POST['passwd']))));
$userinfo = $this->getModel('SessionModel')->tryGetUser($_POST['nick'], $_POST['passwd']); $userinfo = $this->getModel('SessionModel')->tryGetUser($_POST['nick'], $_POST['passwd']);
@@ -700,7 +702,7 @@ class MainController extends Controller
if ($msg == '') if ($msg == '')
{ {
$this->getModel('UsersModel')->createNewUser($_POST['nick'], sha1($_POST['passwd']), $_POST['email']); $this->getModel('UsersModel')->createNewUser($_POST['nick'], $_POST['passwd'], $_POST['email']);
$this->getView('MainView')->forum_message('Your account has created. Log in to write new posts.', buildURL('index.php'), 3); $this->getView('MainView')->forum_message('Your account has created. Log in to write new posts.', buildURL('index.php'), 3);
$lockv = true; $lockv = true;
} }

15
inc/models/UsersModel.class.php
View File

@@ -22,6 +22,7 @@ class UsersModel extends Model
public function createNewUser($nick, $passwd, $email) public function createNewUser($nick, $passwd, $email)
{ {
$passwd = $this->generatePasswordHash($nick, $passwd);
$this->db->query('call add_user(\''.$nick.'\', \''.$passwd.'\', \''.$email.'\');'); $this->db->query('call add_user(\''.$nick.'\', \''.$passwd.'\', \''.$email.'\');');
} }
@@ -59,8 +60,9 @@ class UsersModel extends Model
return $this->user_info; return $this->user_info;
} }
public function changeUserPassword($user_id, $passwd) public function changeUserPassword($user_id, $nick, $passwd)
{ {
$passwd = $this->generatePasswordHash($nick, $passwd);
$query = $query =
'UPDATE .'.USERS_TABLE.' 'UPDATE .'.USERS_TABLE.'
SET `password`=\''.$passwd.'\' SET `password`=\''.$passwd.'\'
@@ -128,5 +130,16 @@ class UsersModel extends Model
WHERE `user_id` = \''.$user_id.'\''; WHERE `user_id` = \''.$user_id.'\'';
$this->db->query($query); $this->db->query($query);
} }
public function generatePasswordHash($nick, $password)
{
$modulo = strlen($nick) % 8;
$salt_begin = substr(RANDOM_STRING, $modulo*SALT_LENGTH, SALT_LENGTH-$modulo);
$salt_end = substr(RANDOM_STRING, $modulo*SALT_LENGTH + SALT_LENGTH-$modulo, $modulo);
return hash('haval256,5', $salt_begin.$password.$salt_end);
}
} }
?> ?>