use hash_equals to compare hashes

1db18069 · Daniel Ruf · 493f568c · 1db18069
Commit 1db18069 authored Feb 24, 2016 by Daniel Ruf
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 1 deletions

login.php qa-include/pages/login.php +1 -1

No files found.
--- a/qa-include/pages/login.php
+++ b/qa-include/pages/login.php
@@ -68,7 +68,7 @@
 					$inuserid=$matchusers[0];
 					$userinfo=qa_db_select_with_pending(qa_db_user_account_selectspec($inuserid, true));

-					$legacyPassOk = strtolower(qa_db_calc_passcheck($inpassword, $userinfo['passsalt'])) == strtolower($userinfo['passcheck']);
+					$legacyPassOk = hash_equals(strtolower($userinfo['passcheck']), strtolower(qa_db_calc_passcheck($inpassword, $userinfo['passsalt'])));

 					if (QA_PASSWORD_HASH) {
 						$haspassword = isset($userinfo['passhash']);