From: Richard H. <ha...@sc...> - 2002-12-16 15:59:38
Hi all,

I thought about how not to store the passwords in plain text in the database. I think it would be easiest if the PHP function md5 were used. For this it would be necessary to make a change in the database:

    ALTER TABLE users_users CHANGE password password VARCHAR(32) NOT NULL;

One field in users_users I am not sure of, as I haven't looked at its functionality, is 'provpass'. There's a function (in tiki-register.php: line 65) that adds info here, but I haven't checked whether this info needs to be available in plaintext at some point. There's also the issue of the backup_database and restore_database functions in tikilib, but I am not quite sure of all the changes I'd have to make there; I think I'd rather leave those to the pros :)

I decided to add quite a few calls to md5() throughout the code so that validate_user and add_user can remain unchanged.

The issue remains of how to convert the old passwords to encrypted ones. As my site has very few users, it was easy to do this directly in the DB using a quick and dirty PHP script with only a few lines (I included this at the bottom). Non-encrypted passwords should be recognizable easily enough, as no one can (as of yet) have more than 30 chars and md5 output is always 32 ...
Here are the changes I made: tiki-login.php: line 16 - $isvalid = $userlib->validate_user($_REQUEST["user"],$_REQUEST["pass"]); + $isvalid = $userlib->validate_user($_REQUEST["user"],md5($_REQUEST["pass"])); line 13 - $userlib->add_user("admin",ADMIN_PASSWORD,'none'); + $userlib->add_user("admin",md5(ADMIN_PASSWORD),'none'); tiki-login_validate.php: line 6 -$isvalid = $userlib->validate_user($_REQUEST["user"],$_REQUEST["pass"]); +$isvalid = $userlib->validate_user($_REQUEST["user"],md5($_REQUEST["pass"])); tiki-user_preferences.php: line 64 - if($old != $_REQUEST["old"]) { + if($old != md5($_REQUEST["old"])) { line 69 - $userlib->change_user_password($userwatch,$_REQUEST["pass1"]); + $userlib->change_user_password($userwatch,md5($_REQUEST["pass1"])); tiki-adminusers.php: line 26 - $userlib->add_user($_REQUEST["name"],$_REQUEST["pass"],$_REQUEST["email"]); + $userlib->add_user($_REQUEST["name"],md5($_REQUEST["pass"]),$_REQUEST["email "]); tiki-register.php: line 65 - $userlib->add_user($_REQUEST["name"],$apass,$_REQUEST["email"],$_REQUEST["pa ss"]); + $userlib->add_user($_REQUEST["name"],$apass,$_REQUEST["email"],$_REQUEST["pa ss"]); line 85 - $userlib->add_user($_REQUEST["name"],$_REQUEST["pass"],$_REQUEST["email"],'' ); + $userlib->add_user($_REQUEST["name"],md5($_REQUEST["pass"]),$_REQUEST["email "],''); tikilib.php: line 7164 - $pass = addslashes($pass); -->deleted, no longer necessary commxmlrpc.php: line 38 - if(!$userlib->validate_user($username,$password)) { + if(!$userlib->validate_user($username,md5($password))) { line 85 - if(!$userlib->validate_user($username,$password)) { + if(!$userlib->validate_user($username,md5($password))) { xmlrpc.php: line 53 - if($userlib->validate_user($username,$password)) { + if($userlib->validate_user($username,md5($password))) { line 78 - if(!$userlib->validate_user($username,$password)) { + if(!$userlib->validate_user($username,md5($password))) { line 119 - if(!$userlib->validate_user($username,$password)) { + 
if(!$userlib->validate_user($username,md5($password))) { line 158 - if(!$userlib->validate_user($username,$password)) { + if(!$userlib->validate_user($username,md5($password))) { line 195 - if(!$userlib->validate_user($username,$password)) { + if(!$userlib->validate_user($username,md5($password))) { line 241 - if(!$userlib->validate_user($username,$password)) { + if(!$userlib->validate_user($username,md5($password))) {

---

I used to get an error when trying to change the password, so I changed a line there as well to fix this:

tiki-user_preferences.php: line 21 - if($tiki_p_admin == 'y') { + if($tiki_p_admin == 'y' || $_REQUEST["view_user"] == $user) {

The conversion script:

<?php
// One-off: replace every stored plaintext password with its md5() hash.
define('CFG_SQLUSER', 'root');
define('CFG_SQLPASS', 'secret');
$tiki_db = 'tiki_dev';

$dbcon = mysql_connect('localhost', CFG_SQLUSER, CFG_SQLPASS)
    or die("could not connect to db");

$res = mysql_query("SELECT userId, password FROM " . $tiki_db . ".users_users", $dbcon)
    or die("select failed: " . mysql_error($dbcon));

while ($row = mysql_fetch_object($res)) {
    // A 32-char value is already an md5 hash (plain passwords are at most 30 chars,
    // see above), so skip it; this keeps the script safe to run more than once.
    if (strlen($row->password) == 32) {
        continue;
    }
    mysql_query("UPDATE " . $tiki_db . ".users_users SET password='" . md5($row->password)
        . "' WHERE userId=" . intval($row->userId), $dbcon)
        or die("update failed: " . mysql_error($dbcon));
}
echo 'done.';
?>
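Review bot: the tiki-login.php line 16 hunk (and the commxmlrpc.php / xmlrpc.php ones below it) store md5() of the bare password with no per-user salt, so two accounts with the same password get the same stored value and one precomputed table of md5 values covers every row in users_users. Since the column is being changed to VARCHAR(32) anyway, consider storing a random per-user salt beside the hash, hashing salt . password, and doing that comparison once inside validate_user rather than repeating md5($_REQUEST["pass"]) at every call site.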
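Review bot: the tiki-register.php line 65 hunk is a no-op, its `-` and `+` lines are identical, so `$apass` is still handed to add_user unhashed while every other add_user call now passes md5() output; this is exactly the missed call site that putting the md5() call inside add_user/validate_user would prevent. The same hunk also reads `$_REQUEST["pa ss"]` (space inside the key), which looks like mail line-wrap damage; confirm `$_REQUEST["pass"]` before applying.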
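Review bot: in the tiki-adminusers.php line 26 and tiki-register.php line 85 hunks the `+` lines read `$_REQUEST["email "]` with a trailing space inside the key, so applied literally they look up a key that does not exist and add_user receives an empty email. Restore `$_REQUEST["email"]` when applying these hunks.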
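Review bot: deleting `$pass = addslashes($pass);` at tikilib.php line 7164 is only safe if every caller now passes md5() hex output, and the line 65 hunk shows at least one caller (`$apass`) that still passes raw input, which would now reach the SQL string unescaped. Keep the addslashes() call (it is harmless on a hex string) or move the hashing into the library function so the invariant is enforced in one place.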
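Review bot: the tiki-user_preferences.php line 21 change lets a non-admin through when `$_REQUEST["view_user"] == $user`, which is fine as long as `$user` is the authenticated session user and every later write on the page (the change_user_password call at line 69 uses `$userwatch`) targets that same value. Worth checking that no path on the now-shared page writes to an account named only by a request parameter.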