improved password generating method (salt + SHA-256)
This commit is contained in:
@@ -144,7 +144,7 @@ class AdminController extends Controller
|
||||
$av = $user_info['avatar']; //if new avatar is not set
|
||||
|
||||
if ($_POST['passwd'] != '')
|
||||
$this->getModel('UsersModel')->changeUserPassword($_GET['id'], sha1($_POST['passwd']));
|
||||
$this->getModel('UsersModel')->changeUserPassword($_GET['id'], $user_info['nick'], $_POST['passwd']);
|
||||
|
||||
$this->getModel('UsersModel')->changeUserRank($_GET['id'], $_POST['user_rank']);
|
||||
$this->getModel('UsersModel')->updateUserProfile($_GET['id'], $_POST['nick'], $_POST['email'], $_POST['location'], $_POST['signature'], $av);
|
||||
|
||||
@@ -39,6 +39,7 @@ class MainController extends Controller
|
||||
public function main()
|
||||
{
|
||||
$this->loadDependencies();
|
||||
$this->loadModel('UsersModel');
|
||||
$this->getView('MainView')->main();
|
||||
}
|
||||
|
||||
@@ -538,7 +539,7 @@ class MainController extends Controller
|
||||
|
||||
if ($_POST['email'] != $user_info['email'] || $_POST['passwd'] != '')
|
||||
{
|
||||
if (sha1($_POST['passwd_old']) != $user_info['password'])
|
||||
if ($this->getModel('UsersModel')->generatePasswordHash($user_info['nick'], $_POST['passwd_old']) != $user_info['password'])
|
||||
$msg .= 'Old password is incorrect!<br>';
|
||||
}
|
||||
if ($_POST['passwd'] != '')
|
||||
@@ -590,7 +591,7 @@ class MainController extends Controller
|
||||
$av = $user_info['avatar']; //if new avatar is not set
|
||||
|
||||
if ($_POST['passwd'] != '')
|
||||
$this->getModel('UsersModel')->changeUserPassword($this->getModel('SessionModel')->getID(), sha1($_POST['passwd']));
|
||||
$this->getModel('UsersModel')->changeUserPassword($this->getModel('SessionModel')->getID(), $user_info['nick'], $_POST['passwd']);
|
||||
|
||||
$this->getModel('UsersModel')->updateUserProfile($this->getModel('SessionModel')->getID(), '', $_POST['email'], $_POST['location'], $_POST['signature'], $av);
|
||||
$this->getView('MainView')->forum_message('Your profile has changed.', buildURL('index.php?mode=viewprofile&id='.$this->getModel('SessionModel')->getID()));
|
||||
@@ -627,6 +628,7 @@ class MainController extends Controller
|
||||
{
|
||||
$this->loadDependencies();
|
||||
$this->loadModel('BansModel');
|
||||
$this->loadModel('UsersModel');
|
||||
|
||||
if ($this->getModel('SessionModel')->isLogged())
|
||||
$this->forward(buildURL('index.php'));
|
||||
@@ -636,7 +638,7 @@ class MainController extends Controller
|
||||
{
|
||||
//secure pools
|
||||
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
|
||||
$_POST['passwd'] = sha1(trim(strip_tags($this->db->real_escape_string($_POST['passwd']))));
|
||||
$_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim(strip_tags($this->db->real_escape_string($_POST['passwd']))));
|
||||
|
||||
$userinfo = $this->getModel('SessionModel')->tryGetUser($_POST['nick'], $_POST['passwd']);
|
||||
|
||||
@@ -700,7 +702,7 @@ class MainController extends Controller
|
||||
|
||||
if ($msg == '')
|
||||
{
|
||||
$this->getModel('UsersModel')->createNewUser($_POST['nick'], sha1($_POST['passwd']), $_POST['email']);
|
||||
$this->getModel('UsersModel')->createNewUser($_POST['nick'], $_POST['passwd'], $_POST['email']);
|
||||
$this->getView('MainView')->forum_message('Your account has created. Log in to write new posts.', buildURL('index.php'), 3);
|
||||
$lockv = true;
|
||||
}
|
||||
|
||||
@@ -22,6 +22,7 @@ class UsersModel extends Model
|
||||
|
||||
public function createNewUser($nick, $passwd, $email)
|
||||
{
|
||||
$passwd = $this->generatePasswordHash($nick, $passwd);
|
||||
$this->db->query('call add_user(\''.$nick.'\', \''.$passwd.'\', \''.$email.'\');');
|
||||
}
|
||||
|
||||
@@ -59,8 +60,9 @@ class UsersModel extends Model
|
||||
return $this->user_info;
|
||||
}
|
||||
|
||||
public function changeUserPassword($user_id, $passwd)
|
||||
public function changeUserPassword($user_id, $nick, $passwd)
|
||||
{
|
||||
$passwd = $this->generatePasswordHash($nick, $passwd);
|
||||
$query =
|
||||
'UPDATE .'.USERS_TABLE.'
|
||||
SET `password`=\''.$passwd.'\'
|
||||
@@ -128,5 +130,16 @@ class UsersModel extends Model
|
||||
WHERE `user_id` = \''.$user_id.'\'';
|
||||
$this->db->query($query);
|
||||
}
|
||||
|
||||
public function generatePasswordHash($nick, $password)
|
||||
{
|
||||
$modulo = strlen($nick) % 8;
|
||||
|
||||
$salt_begin = substr(RANDOM_STRING, $modulo*SALT_LENGTH, SALT_LENGTH-$modulo);
|
||||
|
||||
$salt_end = substr(RANDOM_STRING, $modulo*SALT_LENGTH + SALT_LENGTH-$modulo, $modulo);
|
||||
|
||||
return hash('haval256,5', $salt_begin.$password.$salt_end);
|
||||
}
|
||||
}
|
||||
?>
|
||||
Reference in New Issue
Block a user