Salted password by default if 'db_password_algorithm' is not set in f…

…ilez.ini

app/models/User.php

@@ -42,6 +42,9 @@ class App_Model_User extends Fz_Db_Table_Row_Abstract {
      */
     public function __construct ($exists = false) {
         parent::__construct ($exists);
+
+        if ($exists == false)
+            $this->salt = sha1 (uniqid (mt_rand (), true));
     }
 
     /**
@@ -73,7 +76,11 @@ public function setPassword ($password) {
         $this->password = $password;
 
         $sql = null;
-        if ($algorithm == 'MD5') {
+        if ($algorithm === null) {
+            $sql = 'SHA1(CONCAT(:salt,:password))';
+            $this->_updatedColumns [] = 'salt'; // to force PDO::bindValue when updating
+        }
+        else if ($algorithm == 'MD5') {
             $sql = 'MD5(:password)';
         }
         else if ($algorithm == 'SHA1') {

lib/Fz/User/Factory/Database.php

@@ -71,8 +71,12 @@ protected function _findByUsernameAndPassword ($username, $password) {
               .'=';
 
         $algorithm = trim ($this->getOption ('db_password_algorithm'));
-        if (empty ($algorithm)) { // Shame on you !
-            $sql .= ':password';
+
+        if (empty ($algorithm)) {
+            if (fz_config_get ('user_factory_options', 'db_table') == 'fz_user')
+                $sql .= 'SHA1(CONCAT(salt, :password))'; // Default value for filez
+            else // Shame on you !
+                $sql .= ':password';
         } else if ($algorithm == 'MD5') {
             $sql .= 'MD5(:password)';
         } else if ($algorithm == 'SHA1') {
@@ -84,7 +88,7 @@ protected function _findByUsernameAndPassword ($username, $password) {
                     call_user_func ($algorithm, $password));
             unset ($bindValues[':password']);
         } else {
-            return $algorithm; // Plain SQL
+            $sql .= $algorithm; // Plain SQL
         }
 
         return $this->fetchOne ($sql, $bindValues);