Menu
▾
▴
[Tikiwiki-devel] Passwords not stored plain text in the DB
|
From: Richard H. <ha...@sc...> - 2002-12-16 15:59:38
|
hi all,
I thought about how not to store the passwords plain text in the database. I
think it would be easiest if the php function md5 would be used.
for this it would be necessary to make a change in the database:
ALTER TABLE users_users CHANGE password password VARCHAR(32) NOT NULL;
One field in users_users I am not sure of as I haven't looked at its
functionality is 'provpass'. There's a function (in tiki-register.php: line
65) that adds info here, but I havent't checked whether this info needs to
be available in plaintext at some point.
There's also the issue of the backup_database and restore_database functions
in tikilib, but I am not quite sure of all the changes I'd have to make
there, I think I'd rather leave the to the pro's :)
I decided to add quite a few calls to md5() throughout the code so that
validate_user and add_user can remain unchanged, ...
The issue remains of how to convert the old passwords to encrypted ones. As
my site has very few users it was easy to do this directly in the DB using a
quick and dirty php script with only a few lines (I included this at the
bottom).
non encrypted passwords should be recognizable easily enough as noone can
(as of yet) have more than 30 chars and md5 output is always 32 ...
Here are the changes I made:
tiki-login.php: line 16
- $isvalid = $userlib->validate_user($_REQUEST["user"],$_REQUEST["pass"]);
+ $isvalid =
$userlib->validate_user($_REQUEST["user"],md5($_REQUEST["pass"]));
line 13
- $userlib->add_user("admin",ADMIN_PASSWORD,'none');
+ $userlib->add_user("admin",md5(ADMIN_PASSWORD),'none');
tiki-login_validate.php: line 6
-$isvalid = $userlib->validate_user($_REQUEST["user"],$_REQUEST["pass"]);
+$isvalid =
$userlib->validate_user($_REQUEST["user"],md5($_REQUEST["pass"]));
tiki-user_preferences.php: line 64
- if($old != $_REQUEST["old"]) {
+ if($old != md5($_REQUEST["old"])) {
line 69
- $userlib->change_user_password($userwatch,$_REQUEST["pass1"]);
+ $userlib->change_user_password($userwatch,md5($_REQUEST["pass1"]));
tiki-adminusers.php: line 26
-
$userlib->add_user($_REQUEST["name"],$_REQUEST["pass"],$_REQUEST["email"]);
+
$userlib->add_user($_REQUEST["name"],md5($_REQUEST["pass"]),$_REQUEST["email
"]);
tiki-register.php: line 65
-
$userlib->add_user($_REQUEST["name"],$apass,$_REQUEST["email"],$_REQUEST["pa
ss"]);
+
$userlib->add_user($_REQUEST["name"],$apass,$_REQUEST["email"],$_REQUEST["pa
ss"]);
line 85
-
$userlib->add_user($_REQUEST["name"],$_REQUEST["pass"],$_REQUEST["email"],''
);
+
$userlib->add_user($_REQUEST["name"],md5($_REQUEST["pass"]),$_REQUEST["email
"],'');
tikilib.php: line 7164
- $pass = addslashes($pass);
-->deleted, no longer necessary
commxmlrpc.php: line 38
- if(!$userlib->validate_user($username,$password)) {
+ if(!$userlib->validate_user($username,md5($password))) {
line 85
- if(!$userlib->validate_user($username,$password)) {
+ if(!$userlib->validate_user($username,md5($password))) {
xmlrpc.php: line 53
- if($userlib->validate_user($username,$password)) {
+ if($userlib->validate_user($username,md5($password))) {
line 78
- if(!$userlib->validate_user($username,$password)) {
+ if(!$userlib->validate_user($username,md5($password))) {
line 119
- if(!$userlib->validate_user($username,$password)) {
+ if(!$userlib->validate_user($username,md5($password))) {
line 158
- if(!$userlib->validate_user($username,$password)) {
+ if(!$userlib->validate_user($username,md5($password))) {
line 195
- if(!$userlib->validate_user($username,$password)) {
+ if(!$userlib->validate_user($username,md5($password))) {
line 241
- if(!$userlib->validate_user($username,$password)) {
+ if(!$userlib->validate_user($username,md5($password))) {
---
I used to get an error when trying to change the password, so I changed a
line there as well to fix this:
tiki-user_preferences.php: line 21
- if($tiki_p_admin == 'y') {
+ if($tiki_p_admin == 'y' || $_REQUEST["view_user"] == $user) {
<?php
define ('CFG_SQLUSER', 'root');
define ('CFG_SQLPASS', 'secret');
$tiki_db = 'tiki_dev';
$dbcon = mysql_connect('localhost', CFG_SQLUSER, CFG_SQLPASS)
or die("could not connect to db");
$res = mysql_query("SELECT userId, password from " . $tiki_db .
".users_users", $dbcon);
while ($row = mysql_fetch_object ($res)) {
mysql_query("UPDATE " . $tiki_db . ".users_users SET password='" .
md5($row->password) . "' WHERE userId=" . $row->userId, $dbcon);
}
echo 'done.'
?>
|