Subsequent fixes after major changes for PDO

2023-02-24 12:16:25 +01:00
parent 7c300e0a8f
commit e74bde2d14
46 changed files with 289 additions and 321 deletions


@@ -14,7 +14,7 @@ include("config.php");
include("dbconnect.php");
include("lib.php");
function user_login($user_name, $user_pass) {
function user_login ($user_name, $user_pass) {
global $dbh;
if (strlen($user_name) < 1) {
@@ -42,10 +42,17 @@ function user_login($user_name, $user_pass) {
return FALSE;
}
// TODO use secure algo with salt!
if (strcmp(md5($user_pass), $user->user_pass) != 0) {
// password does not match
return FALSE;
if (strcmp(md5($user_pass), rtrim($user->user_pass)) != 0) {
// password does not match with md5, check if new hash matches
// For future expansion: $pwd_peppered = hash_hmac('sha256', $user_pass, $config_pepper);
if (! password_verify($user_pass, $user->user_pass)) {
return FALSE;
}
} else {
// md5 match but outdated. rewrite with new algo
$sth = $dbh->prepare("UPDATE user SET user_pass=? WHERE user_id=?");
$newhash = password_hash($user_pass, PASSWORD_BCRYPT);
$sth->execute([$newhash, $user->user_id]);
}
// all ok: user is logged in, register session data