
switch to using the hashed passwords

1 parent d2421a9 commit bda4c3d48dc00714f95cf281d517030ec97ca43f @iamcal committed Nov 5, 2010
Showing with 21 additions and 6 deletions.
  1. +9 −3 edit.php
  2. +2 −2 reset.php
  3. +10 −1 station_add.php
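--- a/edit.php
+++ b/edit.php
@@ -22,22 +22,28 @@
 $ok = 1;
 $email_enc = AddSlashes(trim(StrToLower($_POST['email'])));
- $password_enc = AddSlashes(trim($_POST['password']));
+ $password = trim($_POST['password']);
- if (!strlen($email_enc) || !strlen($password_enc)){
+ if (!strlen($email_enc) || !strlen($password)){
 $ok = 0;
 $smarty->assign('error_missingfields', 1);
 }
 if ($ok){
- $weblog = db_single(db_fetch("SELECT * FROM tube_weblogs WHERE email='$email_enc' AND password='$password_enc'"));
+ $weblog = db_single(db_fetch("SELECT * FROM tube_weblogs WHERE email='$email_enc'"));
 if (!$weblog['id']){
 $ok = 0;
 $smarty->assign('error_badlogin', 1);
 }
+
+ if (!blog_check_password($weblog['password_hash'], $password)){
+
+ $ok = 0;
+ $smarty->assign('error_badlogin', 1);
+ }
 }
 if ($ok){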
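Review bot: The `blog_check_password` call added at the bottom of this hunk runs even when the email lookup returned no row, so it is handed `$weblog['password_hash']` from an empty result; how safely that degrades depends on blog_check_password, which this hunk does not show. Nest it under the successful lookup by replacing the second `if` with `} elseif (!blog_check_password($weblog['password_hash'], $password)){`, or, if you want unknown-email and wrong-password failures to take the same time, compare against a fixed dummy hash when no row is found. Both failures already map to the same `error_badlogin` flag, which is the right choice for not leaking which emails exist. The email is still escaped with AddSlashes and interpolated into the query; that predates this commit, but a parameterised lookup would be the stronger fix. The enclosing `if ($ok)` block continues past the end of the hunk.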
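--- a/reset.php
+++ b/reset.php
@@ -31,12 +31,12 @@
 if ($_POST['done']){
- $password = AddSlashes(trim($_POST['password']));
+ $password = trim($_POST['password']);
 if (strlen($password)){
 db_update('tube_weblogs', array(
- 'password' => $password,
+ 'password_hash' => AddSlashes(blog_hash_password($password)),
 ), "id=$weblog[id]");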
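Review bot: The update on the `'password_hash'` line writes the new hash but never clears the old plaintext `password` column, so unless a migration outside this commit drops that column, a user who resets still has their previous password stored in the clear. Add `'password' => '',` to the same `db_update` array so the reset also wipes the legacy value, and do the same wherever else the hash is written. Only `strlen($password)` gates the reset, so a one-character password is accepted; a minimum length check such as `if (strlen($password) < 8)` belongs here before hashing. `"id=$weblog[id]"` is interpolated straight into the WHERE clause; that predates this commit but should be cast with `(int)`. The surrounding `if ($_POST['done'])` block continues beyond the hunk.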
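--- a/station_add.php
+++ b/station_add.php
@@ -35,7 +35,7 @@
 'name' => AddSlashes(trim($_POST['name'])),
 'email' => AddSlashes(trim(StrToLower($_POST['email']))),
 'about' => AddSlashes(trim($_POST['about'])),
- 'password' => AddSlashes(trim($_POST['password'])),
+ 'password' => trim($_POST['password']),
 );
 $ok = 1;
@@ -47,6 +47,15 @@
 }
+ #
+ # we hash the password after checking for missing fields, since
+ # the hash always has length, even if the password is empty
+ #
+
+ $hash['password_hash'] = AddSlashes(blog_hash_password($hash['password']));
+ unset($hash['password']);
+
+
 #
 # url validation
 #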
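Review bot: `blog_hash_password` on the `$hash['password_hash']` line carries the whole security gain of this commit, and neither hunk shows how it hashes; if it is an unsalted fast digest such as md5 or sha1, the new column is only marginally better than the plaintext it replaces. Make sure it uses a per-user salt and a slow function (crypt with CRYPT_BLOWFISH is built into PHP 5.3+), and give the function a header comment naming the scheme so readers of these call sites can tell what is stored. Nothing here enforces a minimum password length, since only the missing-fields check runs before the hash, so a one-character password is accepted; a `strlen($hash['password']) < 8` check belongs just before the hashing line. Between the first hunk and the second the raw password sits in `$hash['password']`; if any code in that gap assigns `$hash` to the template to re-fill the form, it would echo the password back, so confirm nothing does. The `$hash` array is built before the first hunk and consumed after the second.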
