From: Scott P. <wht...@us...> - 2007-09-07 05:04:17
Update of /cvsroot/helpmeict/Helpdesk/system
In directory sc8-pr-cvs17:/tmp/cvs-serv17400

Modified Files:
	authentication.php
Log Message:
Fixed from logging passwords in the clear. I now have it generate an MD5 hash of the password that failed. This could be bad if someone types correct password but incorrect username. Fixes bug report# 1718493

Index: authentication.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/system/authentication.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** authentication.php 7 Feb 2007 01:20:17 -0000 1.4 --- authentication.php 7 Sep 2007 05:04:13 -0000 1.5 *************** *** 6,9 **** --- 6,10 ---- Changelog: + 2007-09-07 whtghst1: stop passwords from being logged in the clear in the database. 2006-01-14 dave: Cleaned up code for v1.0 release 2005-07-02 arne_sf: Failed login attempts are now logged on userid 0, not "-1" as before (which caused a constraint violation) *************** *** 46,49 **** --- 47,51 ---- // Try to find the submitted username and password combination in the // tbl_Users database table. + $passwordhash = md5($password); $sql = "SELECT id,username,name,email,root,restricted FROM tbl_Users WHERE active=1 AND username='" . strtolower($user) . "' AND pass='" . *************** *** 53,57 **** if (count($result) == 0) { //Attempt unsucessful ! makelog(0,0,"ATTEMPTED LOGIN - FAILURE","User: $user, with password: $password"); return 0; } elseif (count($result) != 1) { --- 55,59 ---- if (count($result) == 0) { //Attempt unsucessful ! makelog(0,0,"ATTEMPTED LOGIN - FAILURE","User: $user, with password: ($passwordhash"); return 0; } elseif (count($result) != 1) { *************** *** 70,72 **** } ! ?> \ No newline at end of file --- 72,74 ---- } ! ?>
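
Review bot: In the lookup hunk (new lines 47-51), $passwordhash = md5($password); runs on every login attempt although the value is only used in the failure branch; move it inside the count($result) == 0 block, or drop it if the password stops being logged at all. The context lines also show strtolower($user) concatenated straight into the SELECT, and nothing visible in this hunk escapes $user, so confirm it is sanitized earlier in the file or switch the query to bound parameters.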
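
Review bot: In the failed-login hunk (new lines 55-59), the makelog() message still stores a value derived from the submitted password, and an unsalted md5($password) can be recovered by dictionary or lookup-table search for most real passwords. The case the log message itself flags, a correct password typed with the wrong username, would put that account's password into the log as a plain MD5. Suggest logging only the username, for example makelog(0,0,"ATTEMPTED LOGIN - FAILURE","User: $user"); and removing $passwordhash. If the hash is kept, the "(" before $passwordhash has no closing parenthesis in the string.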
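
Review bot: The closing ?> at the end of the file (last hunk, new lines 72-74) is best dropped from a PHP-only include such as this one. PHP swallows the single newline this revision adds after ?>, but any further trailing whitespace would be sent as output before headers or session cookies can be set.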