Added stronger password encyption with salts

emreakay · Jun 5, 2014 · 4aa6494 · 4aa6494
1 parent cf1ef61
commit 4aa6494
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php
@@ -77,9 +77,10 @@ public function __construct() {
      * @param string $pass Password to hash
      * @return string Hashed password
      */
-    function hash_password($pass) {
+    function hash_password($pass, $userid) {
 
-        return md5($pass);
+        $salt = md5($userid);
+        return hash('sha256', $salt.$pass);
     }
 
     ########################
@@ -113,6 +114,8 @@ public function login($email, $pass, $remember = FALSE) {
         $query = $this->CI->db->where('email', $email);
         $query = $this->CI->db->get($this->config_vars['users']);
 
+        $user_id = $query->row()->id;
+
         if ($query->num_rows() > 0) {
             $row = $query->row();
 
@@ -137,7 +140,7 @@ public function login($email, $pass, $remember = FALSE) {
         $query = $this->CI->db->where('email', $email);
 
         // Database stores pasword hashed password
-        $query = $this->CI->db->where('pass', hash_password($pass));
+        $query = $this->CI->db->where('pass', $this->hash_password($pass, $user_id));
         $query = $this->CI->db->where('banned', 0);
         $query = $this->CI->db->get($this->config_vars['users']);
 
@@ -393,7 +396,7 @@ public function create_user($email, $pass, $name='') {
 
         $data = array(
             'email' => $email,
-            'pass' => hash_password($pass),
+            'pass' => $this->hash_password($pass, 0), // Password cannot be blank but user_id required for salt, setting bad password for now
             'name' => $name,
         );
 
@@ -413,6 +416,12 @@ public function create_user($email, $pass, $name='') {
                 $this->send_verification($user_id);
             }
 
+            // Update to correct salted password
+            $data = null;
+            $data['pass'] = $this->hash_password($pass, $user_id);
+            $this->CI->db->where('id', $user_id);
+            $this->CI->db->update($this->config_vars['users'], $data);
+
             return $user_id;
 
         } else {
@@ -438,7 +447,7 @@ public function update_user($user_id, $email = FALSE, $pass = FALSE, $name = FAL
         }
 
         if ($pass != FALSE) {
-            $data['pass'] = hash_password($pass);
+            $data['pass'] = $this->hash_password($pass, $user_id);
         }
 
         if ($name != FALSE) {
@@ -649,7 +658,7 @@ public function reset_password($user_id, $ver_code){
 
             $data =  array(
                 'verification_code' => '',
-                'pass' => hash_password($pass)
+                'pass' => $this->hash_password($pass, $user_id)
             );
 
             $row = $query->row();