X-Git-Url: https://git.nubati.net/cgi-bin/gitweb.cgi?p=e-DoKo.git;a=blobdiff_plain;f=include%2Fregister.php;h=028e1bb278dd62af2ffb8dd4bc422aa8de074bfc;hp=a1370ea52803f9b6c90e686989e8f4f87d9b4979;hb=742ba18eaf36386d2d0e0936975b3f2545afc59e;hpb=90e831805a19358ab5a76c569181f72bc3534cb8

diff --git a/include/register.php b/include/register.php
index a1370ea..028e1bb 100644
--- a/include/register.php
+++ b/include/register.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012 Arun Persaud <arun@nubati.net>
+/* Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 Arun Persaud <arun@nubati.net>
  *
  *   This file is part of e-DoKo.
  *
@@ -94,7 +94,7 @@ if(myisset('Rfullname','Remail','Rtimezone') )
       }
     if($robot==0)
       {
-	echo _('You answered the math question wrong.').' <br />\n';
+	echo _('You answered the math question wrong.').' <br />'."\n";
 	$ok=0;
       }
     /* everything ok, go ahead and create user */
@@ -102,10 +102,21 @@ if(myisset('Rfullname','Remail','Rtimezone') )
       {
 	if(myisset('Rpassword'))
 	  {
-	    $r=DB_query('INSERT INTO User VALUES(NULL,'.DB_quote_smart($_REQUEST['Rfullname']).
-			','.DB_quote_smart($_REQUEST['Remail']).
-			','.DB_quote_smart(md5($_REQUEST['Rpassword'])).
-			','.DB_quote_smart($_REQUEST['Rtimezone']).',NULL,NULL)');
+	    // create a password hash using the crypt function, need php 5.3 for this
+	    // create a random salt
+	    $salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22);
+	    // hash incoming password using 12 rounds of blowfish
+	    $hash = crypt($_REQUEST['Rpassword'], '$2y$12$' . $salt);
+
+	    if(strlen($hash)>13)
+	      {
+		$r=DB_query('INSERT INTO User VALUES(NULL,'.DB_quote_smart($_REQUEST['Rfullname']).
+			    ','.DB_quote_smart($_REQUEST['Remail']).
+			    ','.DB_quote_smart($hash).
+			    ','.DB_quote_smart($_REQUEST['Rtimezone']).',NULL,NULL)');
+	      }
+	    else /* hash function didn't work */
+	      $r=0;
 	  }
 	else if(myisset('Ropenid'))
 	  {
@@ -113,7 +124,7 @@ if(myisset('Rfullname','Remail','Rtimezone') )
 	    $r=DB_query('INSERT INTO User VALUES(NULL,'.DB_quote_smart($_REQUEST['Rfullname']).
 			','.DB_quote_smart($_REQUEST['Remail']).
 			','.DB_quote_smart(md5($password)).
-			','.DB_quote_smart($_REQUEST['Rtimezone').',NULL,NULL)');
+			','.DB_quote_smart($_REQUEST['Rtimezone']).',NULL,NULL)');
 	    if($r)
 	      {
 		include_once('openid.php');
@@ -139,7 +150,7 @@ if(myisset('Rfullname','Remail','Rtimezone') )
       }
     else
       {
-	echo 'Could not register you. Please <a href="index.php">try again</a>! </br />\n';
+	echo '<br />Could not register you. Please <a href="index.php">try again</a>! </br />'."\n";
       }
   }
 else