From: <dai...@us...> - 2014-08-20 06:04:49
Revision: 6843 http://sourceforge.net/p/web-erp/reponame/6843 Author: daintree Date: 2014-08-20 06:04:47 +0000 (Wed, 20 Aug 2014) Log Message: ----------- code review Modified Paths: -------------- trunk/includes/UserLogin.php trunk/includes/session.inc Modified: trunk/includes/UserLogin.php =================================================================== --- trunk/includes/UserLogin.php 2014-08-20 05:58:04 UTC (rev 6842) +++ trunk/includes/UserLogin.php 2014-08-20 06:04:47 UTC (rev 6843) 
@@ -43,52 +43,52 @@ $sql = "SELECT * FROM www_users WHERE www_users.userid='" . $Name . "'"; - + $ErrMsg = _('Could not retrieve user details on login because'); $debug =1; - $continue = false; + $PasswordVerified = false; $Auth_Result = DB_query($sql, $db,$ErrMsg); - - if (DB_num_rows($Auth_Result) > 0) { - $myrow = DB_fetch_array($Auth_Result); - if (VerifyPass($Password,$myrow['password'])) { - $continue = true; - } elseif (isset($GLOBALS['CryptFunction'])) { - /*if the password stored in the DB was compiled the old way, - * the previous comparison will fail, - * try again with the old hashing algorithm, - * then re-hash the password using the new algorithm. - * The next version should not have $CryptFunction any more for new installs. - */ - switch ($GLOBALS['CryptFunction']) { - case 'sha1': - if ($myrow['password'] == sha1($Password)) { - $continue = true; - } - break; - case 'md5': - if ($myrow['password'] == md5($Password)) { - $continue = true; - } - break; - default: - if ($myrow['password'] == $Password) { - $continue = true; - } - } - if ($continue) { - $sql = "UPDATE www_users SET password = '".CryptPass($Password)."'" - . " WHERE userid = '".$Name."';"; - DB_query($sql,$db); - } - } - } - - + if (DB_num_rows($Auth_Result) > 0) { + $myrow = DB_fetch_array($Auth_Result); + if (VerifyPass($Password,$myrow['password'])) { + $PasswordVerified = true; + } elseif (isset($GLOBALS['CryptFunction'])) { + /*if the password stored in the DB was compiled the old way, + * the previous comparison will fail, + * try again with the old hashing algorithm, + * then re-hash the password using the new algorithm. + * The next version should not have $CryptFunction any more for new installs. 
+ */ + switch ($GLOBALS['CryptFunction']) { + case 'sha1': + if ($myrow['password'] == sha1($Password)) { + $PasswordVerified = true; + } + break; + case 'md5': + if ($myrow['password'] == md5($Password)) { + $PasswordVerified = true; + } + break; + default: + if ($myrow['password'] == $Password) { + $PasswordVerified = true; + } + } + if ($PasswordVerified) { + $sql = "UPDATE www_users SET password = '" . CryptPass($Password) . "'" + . " WHERE userid = '" . $Name . "';"; + DB_query($sql,$db); + } + + } + } + + // Populate session variables with data base results - if ($continue) { - + if ($PasswordVerified) { + if ($myrow['blocked']==1){ //the account is blocked return UL_BLOCKED; Modified: trunk/includes/session.inc =================================================================== --- trunk/includes/session.inc 2014-08-20 05:58:04 UTC (rev 6842) +++ trunk/includes/session.inc 2014-08-20 06:04:47 UTC (rev 6843) @@ -295,15 +295,15 @@ } function CryptPass( $Password ) { if (PHP_VERSION_ID < 50500) { - $salt = base64_encode(mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)); - $salt = str_replace('+', '.', $salt); - $hash = crypt($Password, '$2y$10$'.$salt.'$'); + $Salt = base64_encode(mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)); + $Salt = str_replace('+', '.', $Salt); + $Hash = crypt($Password, '$2y$10$' . $Salt . '$'); } else { - $hash = password_hash($Password,PASSWORD_DEFAULT); + $Hash = password_hash($Password,PASSWORD_DEFAULT); } - return $hash; + return $Hash; } - + function VerifyPass($Password,$Hash) { if(PHP_VERSION_ID < 50500) { return (crypt($Password,$Hash)==$Hash); |
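Review bot: The legacy fallback comparisons `$myrow['password'] == sha1($Password)`, `== md5($Password)` and, in the default case, `== $Password` use loose `==`, so two strings that both look numeric (e.g. hex digests of the form `0e…`) compare equal even when they differ; change them to strict comparison, `if ($myrow['password'] === sha1($Password))` and likewise for the md5 and default cases (or `hash_equals()` where the runtime is PHP 5.6+). The rehash `UPDATE` added back on the new side also interpolates `$Name` straight into the SQL string; unless `$Name` is escaped before line 43 (outside this hunk, where the SELECT interpolates it the same way), escape it once with the project's DB helper before either statement is built. The enclosing login function starts before and ends after this hunk.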
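Review bot: On the `PHP_VERSION_ID < 50500` branch of `CryptPass`, the value of `crypt()` is returned unchecked; if mcrypt is unavailable (`mcrypt_create_iv` returns false, so `$Salt` is empty) or the `$2y$` scheme is unsupported, `crypt()` yields a short failure marker such as `*0`, and the caller in UserLogin.php would store that in `www_users.password` as the user's hash. Guard before returning, e.g. `if (strlen($Hash) !== 60) { /* report via the project's usual error path and do not return it */ }`, since a bcrypt hash is always 60 characters. The final context line `return (crypt($Password,$Hash)==$Hash);` in `VerifyPass` should likewise use `===` rather than `==` (`hash_equals()` only exists from 5.6, so it is not available on this branch); `VerifyPass` continues past the end of the hunk.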