It just takes a couple quick changes to keep user passwords safe in the database:
In file install.php:
Change line 359 to:
password varchar(32) NOT NULL default '',
Change line 435 to:
('".$config['username']."','".md5($config['password'])."','".$config['email']."','".$config['fullname
In file bblog/inc/bBlog.class.php:
Change line 506 to:
$query = "SELECT `id` FROM `".T_AUTHORS."` WHERE `nickname`='".my_addslashes($user)."' AND `password`='".md5($pass)."'";
These SQL queries will also have to be executed to update the database (I'm just not sure where they should go in the upgrade scripts):
ALTER TABLE `bB_authors` CHANGE `password` `password` varchar(32) NOT NULL DEFAULT '' ; /* Make the password field a bit wider */
update bB_authors set password=md5(password); /* Convert all current passwords to their MD5 hashes */
David
Logged In: YES
user_id=937661
Originator: YES
Err, I forgot to mention that I'm working with version 0.7.6 here.
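Added example, not part of the original post or the bBlog code base: a Python/SQLite stand-in for the two upgrade queries above, guarded so that running the upgrade script a second time does not hash the already-hashed values, which would lock every author out. The `upgrade_steps` marker table, the sample rows and the function names are assumptions, and `md5()` is registered by the example because SQLite has no built-in equivalent of the MySQL function.

```python
import hashlib
import sqlite3


def md5_hex(value):
    # Same output format as MySQL md5() and PHP md5(): 32 lowercase hex characters.
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def open_db():
    # Constructed sample data: in-memory stand-in for the bB_authors table.
    db = sqlite3.connect(":memory:")
    db.create_function("md5", 1, md5_hex)
    db.execute("CREATE TABLE bB_authors (nickname TEXT, password TEXT NOT NULL DEFAULT '')")
    db.executemany("INSERT INTO bB_authors VALUES (?, ?)",
                   [("admin", "s3cret"), ("guest", "letmein")])
    # Hypothetical marker table recording which upgrade steps have already run.
    db.execute("CREATE TABLE upgrade_steps (name TEXT PRIMARY KEY)")
    db.commit()
    return db


def migrate_passwords(db):
    """Hash the stored passwords exactly once; return the number of rows converted."""
    step = "md5_passwords"
    with db:  # one transaction: the UPDATE and the marker commit or roll back together
        done = db.execute("SELECT 1 FROM upgrade_steps WHERE name = ?", (step,)).fetchone()
        if done:
            return 0  # already applied; a second md5() pass would break every login
        cur = db.execute("UPDATE bB_authors SET password = md5(password)")
        db.execute("INSERT INTO upgrade_steps VALUES (?)", (step,))
        return cur.rowcount


def check_login(db, user, password):
    # Same comparison as the post's line-506 query, written with bound parameters.
    row = db.execute("SELECT 1 FROM bB_authors WHERE nickname = ? AND password = ?",
                     (user, md5_hex(password))).fetchone()
    return row is not None
```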