Skip to content

Q
question2answer
Commit 0605eb99 by Scott
Options

Coding style (new password hash code)

parent b29c7635
Showing with 49 additions and 41 deletions
qa-include/db/install.php
......@@ -1460,13 +1460,13 @@
break;
// Up to here: Version 1.8 alpha
case 62:
qa_db_upgrade_query('ALTER TABLE ^users ADD COLUMN passhash '.$definitions['users']['passhash'].' AFTER passcheck');
qa_db_upgrade_query($locktablesquery);
break;
// add column to qa_users to handle new bcrypt passwords
qa_db_upgrade_query('ALTER TABLE ^users ADD COLUMN passhash '.$definitions['users']['passhash'].' AFTER passcheck');
qa_db_upgrade_query($locktablesquery);
break;
// Up to here: Version 1.8 alpha
}
qa_db_set_db_version($newversion);
......
qa-include/db/users.php
......@@ -44,22 +44,22 @@
{
require_once QA_INCLUDE_DIR.'util/string.php';
if(!qa_php_version_below('5.3.7')){
if (!qa_php_version_below('5.3.7')) {
qa_db_query_sub(
'INSERT INTO ^users (created, createip, email, passhash, level, handle, loggedin, loginip) '.
'VALUES (NOW(), COALESCE(INET_ATON($), 0), $, $, #, $, NOW(), COALESCE(INET_ATON($), 0))',
$ip, $email, isset($password) ? password_hash($password, PASSWORD_BCRYPT) : null, (int)$level, $handle, $ip
);
} else {
$salt=isset($password) ? qa_random_alphanum(16) : null;
$salt = isset($password) ? qa_random_alphanum(16) : null;
qa_db_query_sub(
'INSERT INTO ^users (created, createip, email, passsalt, passcheck, level, handle, loggedin, loginip) '.
'VALUES (NOW(), COALESCE(INET_ATON($), 0), $, $, UNHEX($), #, $, NOW(), COALESCE(INET_ATON($), 0))',
$ip, $email, $salt, isset($password) ? qa_db_calc_passcheck($password, $salt) : null, (int)$level, $handle, $ip
);
}
return qa_db_last_insert_id();
}
......@@ -163,13 +163,13 @@
require_once QA_INCLUDE_DIR.'util/string.php';
if(!qa_php_version_below('5.3.7')){
if (!qa_php_version_below('5.3.7')) {
qa_db_query_sub(
'UPDATE ^users SET passhash=$, passsalt=NULL, passcheck=NULL WHERE userid=$',
password_hash($password, PASSWORD_BCRYPT), $userid
);
} else {
$salt=qa_random_alphanum(16);
$salt = qa_random_alphanum(16);
qa_db_query_sub(
'UPDATE ^users SET passsalt=$, passcheck=UNHEX($) WHERE userid=$',
......
qa-include/pages/account.php
......@@ -37,7 +37,7 @@
if (QA_FINAL_EXTERNAL_USERS)
qa_fatal_error('User accounts are handled by external code');
$userid=qa_get_logged_in_userid();
$userid = qa_get_logged_in_userid();
if (!isset($userid))
qa_redirect('login');
......@@ -52,14 +52,15 @@
qa_db_userfields_selectspec()
);
$changehandle=qa_opt('allow_change_usernames') || ((!$userpoints['qposts']) && (!$userpoints['aposts']) && (!$userpoints['cposts']));
$doconfirms=qa_opt('confirm_user_emails') && ($useraccount['level']<QA_USER_LEVEL_EXPERT);
$isconfirmed=($useraccount['flags'] & QA_USER_FLAGS_EMAIL_CONFIRMED) ? true : false;
if(!qa_php_version_below('5.3.7')){
$haspasswordold=isset($useraccount['passsalt']) && isset($useraccount['passcheck']);
$haspassword=isset($useraccount['passhash']);
$changehandle = qa_opt('allow_change_usernames') || (!$userpoints['qposts'] && !$userpoints['aposts'] && !$userpoints['cposts']);
$doconfirms = qa_opt('confirm_user_emails') && $useraccount['level'] < QA_USER_LEVEL_EXPERT;
$isconfirmed = ($useraccount['flags'] & QA_USER_FLAGS_EMAIL_CONFIRMED) ? true : false;
if (!qa_php_version_below('5.3.7')) {
$haspasswordold = isset($useraccount['passsalt']) && isset($useraccount['passcheck']);
$haspassword = isset($useraccount['passhash']);
} else {
$haspassword=isset($useraccount['passsalt']) && isset($useraccount['passcheck']);
$haspassword = isset($useraccount['passsalt']) && isset($useraccount['passcheck']);
}
$permit_error = qa_user_permit_error();
$isblocked = $permit_error !== false;
......@@ -209,16 +210,18 @@
else {
$errors = array();
if(!qa_php_version_below('5.3.7')){
if (!qa_php_version_below('5.3.7')) {
if (
($haspasswordold && (strtolower(qa_db_calc_passcheck($inoldpassword, $useraccount['passsalt'])) != strtolower($useraccount['passcheck']))) ||
(!$haspasswordold && $haspassword && !password_verify($inoldpassword,$useraccount['passhash']))
)
($haspasswordold && (strtolower(qa_db_calc_passcheck($inoldpassword, $useraccount['passsalt'])) != strtolower($useraccount['passcheck']))) ||
(!$haspasswordold && $haspassword && !password_verify($inoldpassword,$useraccount['passhash']))
) {
$errors['oldpassword'] = qa_lang('users/password_wrong');
}
} else {
if ($haspassword && (strtolower(qa_db_calc_passcheck($inoldpassword, $useraccount['passsalt'])) != strtolower($useraccount['passcheck'])))
if ($haspassword && (strtolower(qa_db_calc_passcheck($inoldpassword, $useraccount['passsalt'])) != strtolower($useraccount['passcheck']))) {
$errors['oldpassword'] = qa_lang('users/password_wrong');
}
}
$useraccount['password'] = $inoldpassword;
......
qa-include/pages/login.php
......@@ -67,47 +67,50 @@
if (count($matchusers)==1) { // if matches more than one (should be impossible), don't log in
$inuserid=$matchusers[0];
$userinfo=qa_db_select_with_pending(qa_db_user_account_selectspec($inuserid, true));
if(!qa_php_version_below('5.3.7')){
if (!qa_php_version_below('5.3.7')) {
$haspassword=isset($userinfo['passhash']);
$haspasswordold=isset($userinfo['passsalt']) && isset($userinfo['passcheck']);
if (
($haspasswordold && strtolower(qa_db_calc_passcheck($inpassword, $userinfo['passsalt'])) == strtolower($userinfo['passcheck'])) ||
($haspassword && password_verify($inpassword,$userinfo['passhash']))
){ // login and redirect
($haspasswordold && strtolower(qa_db_calc_passcheck($inpassword, $userinfo['passsalt'])) == strtolower($userinfo['passcheck'])) ||
($haspassword && password_verify($inpassword,$userinfo['passhash']))
) {
// login and redirect
require_once QA_INCLUDE_DIR.'app/users.php';
// upgrade password or rehash, when options like the cost parameter changed
if($haspasswordold || password_needs_rehash($userinfo['passhash'], PASSWORD_BCRYPT)) qa_db_user_set_password($inuserid, $inpassword);
if ($haspasswordold || password_needs_rehash($userinfo['passhash'], PASSWORD_BCRYPT)) {
qa_db_user_set_password($inuserid, $inpassword);
}
qa_set_logged_in_user($inuserid, $userinfo['handle'], !empty($inremember));
$topath=qa_get('to');
if (isset($topath))
qa_redirect_raw(qa_path_to_root().$topath); // path already provided as URL fragment
elseif ($passwordsent)
qa_redirect('account');
else
qa_redirect('');
} else
$errors['password']=qa_lang('users/password_wrong');
} else {
if (strtolower(qa_db_calc_passcheck($inpassword, $userinfo['passsalt'])) == strtolower($userinfo['passcheck'])) { // login and redirect
require_once QA_INCLUDE_DIR.'app/users.php';
qa_set_logged_in_user($inuserid, $userinfo['handle'], !empty($inremember));
$topath=qa_get('to');
if (isset($topath))
qa_redirect_raw(qa_path_to_root().$topath); // path already provided as URL fragment
elseif ($passwordsent)
qa_redirect('account');
else
qa_redirect('');
} else
$errors['password']=qa_lang('users/password_wrong');
}
......
qa-include/qa-base.php
......@@ -77,7 +77,9 @@
qa_load_plugin_files();
qa_load_override_files();
if(!qa_php_version_below('5.3.7')) require_once QA_INCLUDE_DIR.'vendor/password_compat.php';
if (!qa_php_version_below('5.3.7')) {
require_once QA_INCLUDE_DIR.'vendor/password_compat.php';
}
require_once QA_INCLUDE_DIR.'qa-db.php';
qa_db_allow_connect();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment