mirrors/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2025-04-26 11:19:55 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

feature 2727: improve password security with the use of PasswordHash class.

Browse source 
This class performs salt and multiple iterations. Already used in Wordpress,
Drupal, phpBB and many other web applications.

$conf['pass_convert'] is replaced by $conf['password_hash'] + $conf['password_verify']


git-svn-id: http://piwigo.org/svn/trunk@18889 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
plegall 2012-11-02 13:59:07 +00:00
parent 805ce4bb02
commit a73846717f
8 changed files with 378 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

6
profile.php
View file

@ -177,7 +177,7 @@ function save_profile_from_post($userdata, &$errors)
;';
list($current_password) = pwg_db_fetch_row(pwg_query($query));
if ($conf['pass_convert']($_POST['password']) != $current_password)
if (!$conf['password_verify']($_POST['password'], $current_password))
{
$errors[] = l10n('Current password is wrong');
}
@ -202,8 +202,8 @@ function save_profile_from_post($userdata, &$errors)
if (!empty($_POST['use_new_pwd']))
{
array_push($fields, $conf['user_fields']['password']);
// password is encrpyted with function $conf['pass_convert']
$data{$conf['user_fields']['password']} = $conf['pass_convert']($_POST['use_new_pwd']);
// password is hashed with function $conf['password_hash']
$data{$conf['user_fields']['password']} = $conf['password_hash']($_POST['use_new_pwd']);
}
// username is updated only if allowed