diff options
| author | Arun Persaud <arun@nubati.net> | 2012-09-22 12:38:58 -0700 |
|---|---|---|
| committer | Arun Persaud <arun@nubati.net> | 2012-09-22 12:46:27 -0700 |
| commit | 14f6017a5b84d70320bde9d6e074ea8ac948a85e (patch) | |
| tree | 6ad038518dff9737042501929a8919f622652c8d /include/register.php | |
| parent | 90e831805a19358ab5a76c569181f72bc3534cb8 (diff) | |
| download | e-DoKo-14f6017a5b84d70320bde9d6e074ea8ac948a85e.tar.gz e-DoKo-14f6017a5b84d70320bde9d6e074ea8ac948a85e.tar.bz2 e-DoKo-14f6017a5b84d70320bde9d6e074ea8ac948a85e.zip | |
updated to better password hash: use crypt instead of md5
the upgrade will be done automatically when a user logs in, password recovery is still based
on md5, but that should be OK, since it's a random generated password anyway
Diffstat (limited to 'include/register.php')
| -rw-r--r-- | include/register.php | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/include/register.php b/include/register.php index a1370ea..72e9ad2 100644 --- a/include/register.php +++ b/include/register.php @@ -94,7 +94,7 @@ if(myisset('Rfullname','Remail','Rtimezone') ) } if($robot==0) { - echo _('You answered the math question wrong.').' <br />\n'; + echo _('You answered the math question wrong.').' <br />'."\n"; $ok=0; } /* everything ok, go ahead and create user */ @@ -102,10 +102,21 @@ if(myisset('Rfullname','Remail','Rtimezone') ) { if(myisset('Rpassword')) { - $r=DB_query('INSERT INTO User VALUES(NULL,'.DB_quote_smart($_REQUEST['Rfullname']). - ','.DB_quote_smart($_REQUEST['Remail']). - ','.DB_quote_smart(md5($_REQUEST['Rpassword'])). - ','.DB_quote_smart($_REQUEST['Rtimezone']).',NULL,NULL)'); + // create a password hash using the crypt function, need php 5.3 for this + // create a random salt + $salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22); + // hash incoming password using 12 rounds of blowfish + $hash = crypt($_REQUEST['Rpassword'], '$2y$12$' . $salt); + + if(strlen($hash)>13) + { + $r=DB_query('INSERT INTO User VALUES(NULL,'.DB_quote_smart($_REQUEST['Rfullname']). + ','.DB_quote_smart($_REQUEST['Remail']). + ','.DB_quote_smart($hash). + ','.DB_quote_smart($_REQUEST['Rtimezone']).',NULL,NULL)'); + } + else /* hash function didn't work */ + $r=0; } else if(myisset('Ropenid')) { @@ -113,7 +124,7 @@ if(myisset('Rfullname','Remail','Rtimezone') ) $r=DB_query('INSERT INTO User VALUES(NULL,'.DB_quote_smart($_REQUEST['Rfullname']). ','.DB_quote_smart($_REQUEST['Remail']). ','.DB_quote_smart(md5($password)). - ','.DB_quote_smart($_REQUEST['Rtimezone').',NULL,NULL)'); + ','.DB_quote_smart($_REQUEST['Rtimezone']).',NULL,NULL)'); if($r) { include_once('openid.php'); @@ -139,7 +150,7 @@ if(myisset('Rfullname','Remail','Rtimezone') ) } else { - echo 'Could not register you. Please <a href="index.php">try again</a>! </br />\n'; + echo '<br />Could not register you. Please <a href="index.php">try again</a>! </br />'."\n"; } } else |