Implement more secuire password hashing and salting, fixes #2

Brianetta · Jul 10, 2016 · bb36ffb · bb36ffb
1 parent 16a24dd
commit bb36ffb
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 54 deletions.
diff --git a/auth.php b/auth.php
@@ -33,8 +33,7 @@
    session_name('PPCIS');
    session_start();
    $loginhost=$_SERVER["SERVER_NAME"];
-   if(!isset($userid))
-      $userid = 0;
+   $userid = 0; // 0 = not logged in
 if(!(@ include("settings.inc")))
 {
    header("location:".$_SERVER["HTTP_REFERER"]);
@@ -63,42 +62,34 @@ function safe_escape($str)
    }
 }
 
-// Dead simple - connect to the database, run a select query.  If
-// the user exists with that password, the userid variable gets
-// set and the user is logged in.
+// Connect to the database, run a select query. Retrieve any row
+// with matching usernanme, and verify the password. Set the userid
+// and the user is logged in.
 
 if(isset($form_user))
 {
 // Connect to the database
    $intranet_db = @ mysqli_connect($db_hostname, $db_username, $db_password, $db_name);
    showerror();
-   $sql = "SELECT * FROM users WHERE username = '".safe_escape(trim($form_user))."' AND password = $hash_function( '".safe_escape($form_pass)."')";
+   $sql = "SELECT * FROM users WHERE username = '".safe_escape(trim($form_user))."'";
    $result = @ mysqli_query($intranet_db, $sql);
    showerror();
    if(@ mysqli_num_rows($result) != 0)
    {
       while($row = @ mysqli_fetch_array($result,MYSQLI_ASSOC))
       {
-         if($row["enabled"]=='y')
+         if($row["enabled"]=='y' and password_verify($form_pass, $row["password"]))
          {
             $userid = $row["userid"];
             $username = $form_user;
             $firstname = $row["firstname"];
             $lastname = $row["lastname"];
          }
-         else
-         {
-            $userid = 0;
-            $username = "failed";
-            $firstname = "";
-            $lastname = "";
-            session_destroy();
-         }
       }
    }
-   elseif(isset($old_hash_function))
+   if($userid == 0 and isset($hash_function))
    {
-      $sql = "SELECT * FROM users WHERE username = '".safe_escape(trim($form_user))."' AND password = $old_hash_function( '".safe_escape($form_pass)."')";
+      $sql = "SELECT * FROM users WHERE username = '".safe_escape(trim($form_user))."' AND password = $hash_function( '".safe_escape($form_pass)."')";
       $result = @ mysqli_query($intranet_db,$sql);
       showerror();
       if(@ mysqli_num_rows($result) != 0)
@@ -112,23 +103,14 @@ function safe_escape($str)
                $firstname = $row["firstname"];
                $lastname = $row["lastname"];
             }
-            else
-            {
-               $userid = 0;
-               $username = "failed";
-               $firstname = "";
-               $lastname = "";
-               session_destroy();
-            }
-            $sql = "UPDATE users SET password = $hash_function( '".safe_escape($form_pass)."') WHERE userid = ".$row["userid"];
+            $sql = "UPDATE users SET password = '".password_hash($form_pass,PASSWORD_DEFAULT)."' WHERE userid = ".$row["userid"];
             $result = @ mysqli_query($intranet_db,$sql);
-            $updates = "Updated password from $old_password_function to $password_function";
+            $updates = "Updated password from $hash_function to secure hash with salt.";
          }
       }
    }
-   else
+   if ($userid == 0)
    {
-      $userid = 0;
       $username = "failed";
       $firstname = "";
       $lastname = "";

diff --git a/password.php b/password.php
@@ -25,24 +25,36 @@
 // Guest users cannot change their own password.
 if(isset($mod_userid))
 {
-   if(($mod_password==$mod_confirm) AND ($mod_password<>"")) // Make sure new password was typed twice, and isn't null
+   $sql = "SELECT * FROM users WHERE userid = $userid";
+   $result = @ mysqli_query($intranet_db, $sql);
+   showerror();
+   if(@ mysqli_num_rows($result) != 0)
    {
-      if($mod_password <> "") $mod_password = safe_escape($mod_password);
-      $sql = "UPDATE users SET password=$hash_function('$mod_password') WHERE userid = $mod_userid AND password = $hash_function('$old_password') AND guest = 'n'";
-      $result = @ mysqli_query($intranet_db,$sql);
-      showerror();
-      if( @ mysqli_affected_rows($intranet_db) != 0)
+      while($row = @ mysqli_fetch_array($result,MYSQLI_ASSOC))
       {
-         print("<span class=\"message\">".$lang['your_password_changed']."</span>");
+         if($row["enabled"]=='y' and password_verify($old_password, $row["password"]))
+         {
+            if(($mod_password==$mod_confirm) AND ($mod_password<>"")) // Make sure new password was typed twice, and isn't null
+            {
+               if($mod_password <> "") $mod_password = password_hash($mod_password,PASSWORD_DEFAULT);
+               $sql = "UPDATE users SET password='$mod_password' WHERE userid = $mod_userid";
+               $updateresult = @ mysqli_query($intranet_db,$sql);
+               showerror();
+               if( @ mysqli_affected_rows($intranet_db) != 0)
+               {
+                  print("<span class=\"message\">".$lang['your_password_changed']."</span>");
+               }
+            }
+            else
+            {
+               print("<span class=\"message\">".$lang['password_change_mismatch']."</span>");
+            }
+         }
+         else
+         {
+            print("<span class=\"message\">".$lang['password_change_wrong']."</span>");
+         }
       }
-      else
-      {
-         print("<span class=\"message\">".$lang['password_change_wrong']."</span>");
-      }
-   }
-   else
-   {
-      print("<span class=\"message\">".$lang['password_change_mismatch']."</span>");
    }
 }
 $sql = "SELECT * FROM users WHERE userid = $userid and guest = 'n'";

diff --git a/settings.inc b/settings.inc
@@ -1,6 +1,6 @@
 <?
 // Path of PPCIS files from web server root
-$siteprefix="/";
+$siteprefix="/ppcis/";
 
 // Name of web site at top of page
 $sitename="Portable PHP/MySQL Corporate Intranet System";
@@ -76,7 +76,7 @@ $old_hash_function = 'password';
 // hostname
 $db_hostname="localhost";
 // database name
-$db_name="intranet";
+$db_name="ppcis";
 // database user (must have SELECT, INSERT, UPDATE and DELETE)
 $db_username="intranet";
 // password for same

diff --git a/usermanagerpass.inc b/usermanagerpass.inc
@@ -33,14 +33,17 @@ if(isset($mod_userid))
       }
       else
       {
-         if($mod_password <> "") $mod_password = safe_escape($mod_password);
-         $sql = "UPDATE users SET username='$mod_username', password=$hash_function('$mod_password') WHERE userid = $mod_userid";
-         $result = @ mysqli_query($intranet_db,$sql);
-         if (mysqli_error($intranet_db))
-            print("<span class=\"message\">".$lang['username_already_in_use']."</span>");
-            // Couldn't possibly be anything else, right?
-         else
-            print("<span class=\"message\">".$lang['password_changed']."</span>");
+         if($mod_password <> "")
+         {
+            $mod_password = password_hash($mod_password,PASSWORD_DEFAULT);
+            $sql = "UPDATE users SET username='$mod_username', password='$mod_password' WHERE userid = $mod_userid";
+            $result = @ mysqli_query($intranet_db,$sql);
+            if (mysqli_error($intranet_db))
+               print("<span class=\"message\">".$lang['username_already_in_use']."</span>");
+               // Couldn't possibly be anything else, right?
+            else
+               print("<span class=\"message\">".$lang['password_changed']."</span>");
+         }
       }
    }
    else