mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-06-28 00:24:23 +00:00
feat: MD5 passwords exchanged for bcrypt ones
This commit is contained in:
Martin Ambrus
@@ -79,7 +79,7 @@ $database->populateOasis();
|
||||
$database->populateOasisUnits2();
|
||||
$uid=$database->getVillageID(5);
|
||||
|
||||
$passw=md5('123456');
|
||||
$passw=password_hash("12345", PASSWORD_BCRYPT,['cost' => 12]);
|
||||
mysqli_query($GLOBALS["link"], "TRUNCATE TABLE ".TB_PREFIX."users");
|
||||
mysqli_query($GLOBALS["link"], "INSERT INTO ".TB_PREFIX."users (id, username, password, email, tribe, access, gold, gender, birthday, location, desc1, desc2, plus, b1, b2, b3, b4, sit1, sit2, alliance, sessid, act, timestamp, ap, apall, dp, dpall, protect, quest, gpack, cp, lastupdate, RR, Rc, ok) VALUES
|
||||
(5, 'Multihunter', '".$passw."', 'multihunter@travianx.mail', 0, 9, 0, 0, '0000-00-00', '', '', '', 0, 0, 0, 0, 0, 0, 0, 0, '', '', 0, 0, 0, 0, 0, 0, 0, 'gpack/travian_default/', 1, 0, 0, 0, 0),
|
||||
|
||||
+63
-10
@@ -39,11 +39,41 @@ class adm_DB {
|
||||
global $database;
|
||||
list($username,$password) = $database->escape_input($username,$password);
|
||||
|
||||
$q = "SELECT password FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$q = "SELECT id, password, is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
|
||||
// if we didn't update the database for bcrypt hashes yet...
|
||||
if (mysqli_error($database->dblink) != '') {
|
||||
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
|
||||
$q = "SELECT id, password, 0 as is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
$bcrypt_update_done = false;
|
||||
} else {
|
||||
$bcrypt_update_done = true;
|
||||
}
|
||||
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if($dbarray['password'] == md5($password)) {
|
||||
|
||||
// even if we didn't do a DB conversion for bcrypt passwords,
|
||||
// we still need to check if this password wasn't encrypted via password_hash,
|
||||
// since all methods were updated to use that instead of md5 and therefore
|
||||
// new passwords in DB will be bcrypt already even without the is_bcrypt field present
|
||||
$bcrypted = true;
|
||||
$pwOk = password_verify($password, $dbarray['password']);
|
||||
|
||||
if (!$pwOk && !$dbarray['is_bcrypt']) {
|
||||
$pwOk = ($dbarray['password'] == md5($password));
|
||||
$bcrypted = false;
|
||||
}
|
||||
|
||||
if($pwOk) {
|
||||
// update password to bcrypt, if correct
|
||||
if (!$dbarray['is_bcrypt'] && !$bcrypted) {
|
||||
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')." where id = ".(int) $dbarray['id']);
|
||||
}
|
||||
|
||||
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: <b>".$_SERVER['REMOTE_ADDR']."</b>)',".time().")");
|
||||
|
||||
return true;
|
||||
}
|
||||
else {
|
||||
@@ -227,14 +257,37 @@ class adm_DB {
|
||||
}
|
||||
|
||||
function CheckPass($password,$uid){
|
||||
$q = "SELECT password FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if($dbarray['password'] == md5($password)) {
|
||||
return true;
|
||||
}else{
|
||||
return false;
|
||||
}
|
||||
$q = "SELECT id,password, is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
|
||||
// if we didn't update the database for bcrypt hashes yet...
|
||||
if (mysqli_error($this->dblink) != '') {
|
||||
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
|
||||
$q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->dblink,$q);
|
||||
$bcrypt_update_done = false;
|
||||
} else {
|
||||
$bcrypt_update_done = true;
|
||||
}
|
||||
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
|
||||
// check if this is still md5 password hash
|
||||
if (!$dbarray['is_bcrypt']) {
|
||||
$pwOk = ($dbarray['password'] == md5($password));
|
||||
} else {
|
||||
$pwOk = password_verify($password, $dbarray['password']);
|
||||
}
|
||||
|
||||
if($pwOk) {
|
||||
// update password to bcrypt, if correct
|
||||
if ($bcrypt_update_done && !$dbarray['is_bcrypt']) {
|
||||
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."', is_bcrypt = 1 where id = ".(int) $dbarray['id']);
|
||||
}
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function DelVillage($wref, $mode=0){
|
||||
|
||||
@@ -114,7 +114,7 @@ class Account {
|
||||
if(AUTH_EMAIL){
|
||||
$act = $generator->generateRandStr(10);
|
||||
$act2 = $generator->generateRandStr(5);
|
||||
$uid = $database->activate($_POST['name'],md5($_POST['pw']),$_POST['email'],$_POST['vid'],$_POST['kid'],$act,$act2);
|
||||
$uid = $database->activate($_POST['name'],password_hash($_POST['pw'], PASSWORD_BCRYPT,['cost' => 12]),$_POST['email'],$_POST['vid'],$_POST['kid'],$act,$act2);
|
||||
if($uid) {
|
||||
|
||||
$mailer->sendActivate($_POST['email'],$_POST['name'],$_POST['pw'],$act);
|
||||
@@ -122,7 +122,7 @@ class Account {
|
||||
}
|
||||
}
|
||||
else {
|
||||
$uid = $database->register($_POST['name'],md5($_POST['pw']),$_POST['email'],$_POST['vid'],$act);
|
||||
$uid = $database->register($_POST['name'],password_hash($_POST['pw'], PASSWORD_BCRYPT,['cost' => 12]),$_POST['email'],$_POST['vid'],$act);
|
||||
if($uid) {
|
||||
setcookie("COOKUSR",$_POST['name'],time()+COOKIE_EXPIRE,COOKIE_PATH);
|
||||
setcookie("COOKEMAIL",$_POST['email'],time()+COOKIE_EXPIRE,COOKIE_PATH);
|
||||
@@ -167,7 +167,7 @@ class Account {
|
||||
$q = "SELECT * FROM ".TB_PREFIX."activate where id = '".$database->escape((int) $_POST['id'])."'";
|
||||
$result = mysqli_query($GLOBALS['link'],$q);
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if(md5($_POST['pw']) == $dbarray['password']) {
|
||||
if(password_verify($_POST['pw'], $dbarray['password'])) {
|
||||
$database->unreg($dbarray['username']);
|
||||
header("Location: anmelden.php");
|
||||
}
|
||||
|
||||
@@ -85,7 +85,7 @@ else
|
||||
else
|
||||
{
|
||||
// Register them and build the village
|
||||
$uid = $database->register($userName, md5($password), $email, $tribe ,$act);
|
||||
$uid = $database->register($userName, password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]), $email, $tribe ,$act);
|
||||
if($uid)
|
||||
{
|
||||
/*
|
||||
|
||||
@@ -17,7 +17,7 @@ mysqli_select_db($GLOBALS["link"], SQL_DB);
|
||||
|
||||
$session = (int) $_POST['admid'];
|
||||
$id = (int) $_POST['uid'];
|
||||
$pass = md5($_POST['newpw']);
|
||||
$pass = password_hash($_POST['newpw'], PASSWORD_BCRYPT, ['cost' => 12]);
|
||||
|
||||
$sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id = ".$session."");
|
||||
$access = mysqli_fetch_array($sql);
|
||||
|
||||
@@ -43,19 +43,49 @@ class adm_DB {
|
||||
}
|
||||
|
||||
function Login($username,$password){
|
||||
global $database;
|
||||
list($username,$password) = $database->escape_input($username,$password);
|
||||
$q = "SELECT password FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$result = mysqli_query($this->connection,$q);
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if($dbarray['password'] == md5($password)) {
|
||||
mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: <b>".$_SERVER['REMOTE_ADDR']."</b>)',".time().")");
|
||||
return true;
|
||||
}
|
||||
else {
|
||||
mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,'X','<font color=\'red\'><b>IP: ".$_SERVER['REMOTE_ADDR']." tried to log in with username <u> $username</u> but access was denied!</font></b>',".time().")");
|
||||
return false;
|
||||
}
|
||||
global $database;
|
||||
list($username,$password) = $database->escape_input($username,$password);
|
||||
|
||||
$q = "SELECT id, password, is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
|
||||
// if we didn't update the database for bcrypt hashes yet...
|
||||
if (mysqli_error($database->dblink) != '') {
|
||||
$q = "SELECT id, password, 0 as is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
$bcrypt_update_done = false;
|
||||
} else {
|
||||
$bcrypt_update_done = true;
|
||||
}
|
||||
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
|
||||
// even if we didn't do a DB conversion for bcrypt passwords,
|
||||
// we still need to check if this password wasn't encrypted via password_hash,
|
||||
// since all methods were updated to use that instead of md5 and therefore
|
||||
// new passwords in DB will be bcrypt already even without the is_bcrypt field present
|
||||
$bcrypted = true;
|
||||
$pwOk = password_verify($password, $dbarray['password']);
|
||||
|
||||
if (!$pwOk && !$dbarray['is_bcrypt']) {
|
||||
$pwOk = ($dbarray['password'] == md5($password));
|
||||
$bcrypted = false;
|
||||
}
|
||||
|
||||
if($pwOk) {
|
||||
// update password to bcrypt, if correct
|
||||
if (!$dbarray['is_bcrypt'] && !$bcrypted) {
|
||||
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')." where id = ".(int) $dbarray['id']);
|
||||
}
|
||||
|
||||
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: <b>".$_SERVER['REMOTE_ADDR']."</b>)',".time().")");
|
||||
|
||||
return true;
|
||||
}
|
||||
else {
|
||||
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','<font color=\'red\'><b>IP: ".$_SERVER['REMOTE_ADDR']." tried to log in with username <u> $username</u> but access was denied!</font></b>',".time().")");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function recountPopUser($uid){
|
||||
@@ -233,13 +263,36 @@ class adm_DB {
|
||||
}
|
||||
|
||||
function CheckPass($password,$uid){
|
||||
$q = "SELECT password FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if($dbarray['password'] == md5($password)) {
|
||||
return true;
|
||||
}else{
|
||||
return false;
|
||||
$q = "SELECT id,password, is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
|
||||
// if we didn't update the database for bcrypt hashes yet...
|
||||
if (mysqli_error($this->dblink) != '') {
|
||||
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
|
||||
$q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->dblink,$q);
|
||||
$bcrypt_update_done = false;
|
||||
} else {
|
||||
$bcrypt_update_done = true;
|
||||
}
|
||||
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
|
||||
// check if this is still md5 password hash
|
||||
if (!$dbarray['is_bcrypt']) {
|
||||
$pwOk = ($dbarray['password'] == md5($password));
|
||||
} else {
|
||||
$pwOk = password_verify($password, $dbarray['password']);
|
||||
}
|
||||
|
||||
if($pwOk) {
|
||||
// update password to bcrypt, if correct
|
||||
if ($bcrypt_update_done && !$dbarray['is_bcrypt']) {
|
||||
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."', is_bcrypt = 1 where id = ".(int) $dbarray['id']);
|
||||
}
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -392,7 +392,7 @@
|
||||
if($session->access != BANNED){
|
||||
if(!isset($post['pw']) || $post['pw'] == "") {
|
||||
$form->addError("pw1", PW_EMPTY);
|
||||
} elseif(md5($post['pw']) !== $session->userinfo['password']) {
|
||||
} elseif(!password_verify($post['pw'], $session->userinfo['password'])) {
|
||||
$form->addError("pw2", PW_ERR);
|
||||
} else {
|
||||
$database->updateUserField($session->uid, 'alliance', 0, 1);
|
||||
|
||||
+68
-35
@@ -23,7 +23,7 @@ class MYSQLi_DB {
|
||||
|
||||
var $dblink;
|
||||
function __construct() {
|
||||
$this->dblink = mysqli_connect(SQL_SERVER, SQL_USER, SQL_PASS) or die(mysqli_error($database->dblink));
|
||||
$this->dblink = mysqli_connect(SQL_SERVER, SQL_USER, SQL_PASS) or die(mysqli_error($this->dblink));
|
||||
mysqli_select_db($this->dblink, SQL_DB);
|
||||
mysqli_query($this->dblink,"SET NAMES 'UTF8'");
|
||||
}
|
||||
@@ -64,11 +64,17 @@ class MYSQLi_DB {
|
||||
}
|
||||
$timep = $time + PROTECTION;
|
||||
$time = time();
|
||||
$q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime) VALUES ('$username', '$password', " . USER . ", '$email', $time, " . (int) $tribe . ", '$act', $timep, $time, $time)";
|
||||
$q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime,is_bcrypt) VALUES ('$username', '$password', " . USER . ", '$email', $time, " . (int) $tribe . ", '$act', $timep, $time, $time,1)";
|
||||
if(mysqli_query($this->dblink,$q)) {
|
||||
return mysqli_insert_id($this->dblink);
|
||||
} else {
|
||||
return false;
|
||||
// if an error has occured, we probably don't have DB converted to handle bcrypt passwords yet
|
||||
$q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime) VALUES ('$username', '$password', " . USER . ", '$email', $time, " . (int) $tribe . ", '$act', $timep, $time, $time)";
|
||||
if(mysqli_query($this->dblink,$q)) {
|
||||
return mysqli_insert_id($this->dblink);
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -232,7 +238,7 @@ class MYSQLi_DB {
|
||||
function getVrefField($ref, $field) {
|
||||
list($ref, $field) = $this->escape_input((int) $ref, $field);
|
||||
$q = "SELECT $field FROM " . TB_PREFIX . "vdata where wref = $ref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray[$field];
|
||||
}
|
||||
@@ -240,7 +246,7 @@ class MYSQLi_DB {
|
||||
function getVrefCapital($ref) {
|
||||
list($ref) = $this->escape_input((int) $ref);
|
||||
$q = "SELECT * FROM " . TB_PREFIX . "vdata where owner = $ref and capital = 1";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray;
|
||||
}
|
||||
@@ -265,17 +271,44 @@ class MYSQLi_DB {
|
||||
} else {
|
||||
$q = "SELECT $field FROM " . TB_PREFIX . "activate where username = '$ref'";
|
||||
}
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray[$field];
|
||||
}
|
||||
|
||||
function login($username, $password) {
|
||||
list($username, $password) = $this->escape_input($username, $password);
|
||||
$q = "SELECT password,sessid FROM " . TB_PREFIX . "users where username = '$username'";
|
||||
$q = "SELECT id,password,sessid,is_bcrypt FROM " . TB_PREFIX . "users where username = '$username'";
|
||||
$result = mysqli_query($this->dblink,$q);
|
||||
|
||||
// if we didn't update the database for bcrypt hashes yet...
|
||||
if (mysqli_error($this->dblink) != '') {
|
||||
$q = "SELECT id, password,sessid,0 as is_bcrypt FROM " . TB_PREFIX . "users where username = '$username'";
|
||||
$result = mysqli_query($this->dblink,$q);
|
||||
$bcrypt_update_done = false;
|
||||
} else {
|
||||
$bcrypt_update_done = true;
|
||||
}
|
||||
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if($dbarray['password'] == md5($password)) {
|
||||
|
||||
// even if we didn't do a DB conversion for bcrypt passwords,
|
||||
// we still need to check if this password wasn't encrypted via password_hash,
|
||||
// since all methods were updated to use that instead of md5 and therefore
|
||||
// new passwords in DB will be bcrypt already even without the is_bcrypt field present
|
||||
$bcrypted = true;
|
||||
$pwOk = password_verify($password, $dbarray['password']);
|
||||
|
||||
if (!$pwOk && !$dbarray['is_bcrypt']) {
|
||||
$pwOk = ($dbarray['password'] == md5($password));
|
||||
$bcrypted = false;
|
||||
}
|
||||
|
||||
if($pwOk) {
|
||||
// update password to bcrypt, if correct
|
||||
if (!$dbarray['is_bcrypt'] && !$bcrypted) {
|
||||
mysqli_query($this->dblink, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')." where id = ".(int) $dbarray['id']);
|
||||
}
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
@@ -309,7 +342,7 @@ class MYSQLi_DB {
|
||||
$dbarray3 = mysqli_fetch_array($result3);
|
||||
}
|
||||
if($dbarray['sit1'] != 0 || $dbarray['sit2'] != 0) {
|
||||
if($dbarray2['password'] == md5($password) || $dbarray3['password'] == md5($password)) {
|
||||
if(password_verify($password, $dbarray2['password']) || password_verify($password, $dbarray3['password'])) {
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
@@ -526,7 +559,7 @@ class MYSQLi_DB {
|
||||
}
|
||||
$time = time();
|
||||
$q = "INSERT into " . TB_PREFIX . "vdata (wref, owner, name, capital, pop, cp, celebration, wood, clay, iron, maxstore, crop, maxcrop, lastupdate, created) values ($wid, $uid, '$vname', $capital, 2, 1, 0, 750, 750, 750, ".STORAGE_BASE.", 750, ".STORAGE_BASE.", $time, $time)";
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
|
||||
function addResourceFields($vid, $type) {
|
||||
@@ -1523,7 +1556,7 @@ class MYSQLi_DB {
|
||||
} else {
|
||||
$q = "SELECT $field FROM " . TB_PREFIX . "ali_permission where username = '$ref'";
|
||||
}
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray[$field];
|
||||
}
|
||||
@@ -2149,7 +2182,7 @@ class MYSQLi_DB {
|
||||
|
||||
$time = time();
|
||||
$q = "INSERT INTO " . TB_PREFIX . "ali_invite values (0,$uid,$alli,$sender,$time,0)";
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
|
||||
function removeInvitation($id) {
|
||||
@@ -2297,7 +2330,7 @@ class MYSQLi_DB {
|
||||
$time = time();
|
||||
}
|
||||
$q = "INSERT INTO " . TB_PREFIX . "ndata (id, uid, toWref, ally, topic, ntype, data, time, viewed) values (0,'$uid','$toWref','$ally','$topic',$type,'$data',$time,0)";
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
|
||||
function getNotice($uid) {
|
||||
@@ -2361,7 +2394,7 @@ class MYSQLi_DB {
|
||||
list($id) = $this->escape_input((int) $id);
|
||||
|
||||
$q = "SELECT * FROM " . TB_PREFIX . "route where id = $id";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray;
|
||||
}
|
||||
@@ -2370,7 +2403,7 @@ class MYSQLi_DB {
|
||||
list($id) = $this->escape_input((int) $id);
|
||||
|
||||
$q = "SELECT * FROM " . TB_PREFIX . "route where id = $id";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['uid'];
|
||||
}
|
||||
@@ -2397,7 +2430,7 @@ class MYSQLi_DB {
|
||||
list($wid, $field, $type, $loop, $time, $master, $level) = $this->escape_input((int) $wid, $field, (int) $type, (int) $loop, (int) $time, (int) $master, (int) $level);
|
||||
|
||||
$x = "UPDATE " . TB_PREFIX . "fdata SET f" . $field . "t=" . $type . " WHERE vref=" . $wid;
|
||||
mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
|
||||
mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
|
||||
$q = "INSERT into " . TB_PREFIX . "bdata values (0,$wid,$field,$type,$loop,$time,$master,$level)";
|
||||
return mysqli_query($this->dblink,$q);
|
||||
}
|
||||
@@ -2497,13 +2530,13 @@ class MYSQLi_DB {
|
||||
} else {
|
||||
if($jobs[$jobDeleted]['field'] >= 19) {
|
||||
$x = "SELECT f" . $jobs[$jobDeleted]['field'] . " FROM " . TB_PREFIX . "fdata WHERE vref=" . (int) $jobs[$jobDeleted]['wid'];
|
||||
$result = mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
|
||||
$fieldlevel = mysqli_fetch_row($result);
|
||||
if($fieldlevel[0] == 0) {
|
||||
if ($village->natar==1 && $jobs[$jobDeleted]['field']==99) { //fix by ronix
|
||||
}else{
|
||||
$x = "UPDATE " . TB_PREFIX . "fdata SET f" . $jobs[$jobDeleted]['field'] . "t=0 WHERE vref=" . (int) $jobs[$jobDeleted]['wid'];
|
||||
mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
|
||||
mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2511,7 +2544,7 @@ class MYSQLi_DB {
|
||||
if(($jobs[$jobLoopconID]['field'] <= 18 && $jobs[$jobDeleted]['field'] <= 18) || ($jobs[$jobLoopconID]['field'] >= 19 && $jobs[$jobDeleted]['field'] >= 19) || sizeof($jobs) < 3) {
|
||||
$uprequire = $building->resourceRequired($jobs[$jobLoopconID]['field'], $jobs[$jobLoopconID]['type']);
|
||||
$x = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,timestamp=" . (time() + (int) $uprequire['time']) . " WHERE wid=" . (int) $jobs[$jobDeleted]['wid'] . " AND loopcon=1 AND master=0";
|
||||
mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
|
||||
mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2742,7 +2775,7 @@ class MYSQLi_DB {
|
||||
list($vref, $field) = $this->escape_input($vref, $field);
|
||||
|
||||
$q = "SELECT $field FROM " . TB_PREFIX . "market where vref = '$vref'";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray[$field];
|
||||
}
|
||||
@@ -3136,7 +3169,7 @@ class MYSQLi_DB {
|
||||
list($vref, $unit) = $this->escape_input((int) $vref, $unit);
|
||||
|
||||
$q = "SELECT $unit FROM " . TB_PREFIX . "tdata WHERE vref = $vref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray[$unit];
|
||||
}
|
||||
@@ -3462,7 +3495,7 @@ class MYSQLi_DB {
|
||||
list($vref) = $this->escape_input((int) $vref);
|
||||
|
||||
$q = "SELECT f99 FROM " . TB_PREFIX . "fdata WHERE vref = $vref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['f99'];
|
||||
}
|
||||
@@ -3476,7 +3509,7 @@ class MYSQLi_DB {
|
||||
list($vref) = $this->escape_input((int) $vref);
|
||||
|
||||
$q = "SELECT owner FROM " . TB_PREFIX . "vdata WHERE wref = $vref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['owner'];
|
||||
}
|
||||
@@ -3490,7 +3523,7 @@ class MYSQLi_DB {
|
||||
list($id) = $this->escape_input((int) $id);
|
||||
|
||||
$q = "SELECT alliance FROM " . TB_PREFIX . "users where id = $id";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['alliance'];
|
||||
}
|
||||
@@ -3504,7 +3537,7 @@ class MYSQLi_DB {
|
||||
list($vref) = $this->escape_input((int) $vref);
|
||||
|
||||
$q = "SELECT wwname FROM " . TB_PREFIX . "fdata WHERE vref = $vref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['wwname'];
|
||||
}
|
||||
@@ -3657,7 +3690,7 @@ class MYSQLi_DB {
|
||||
list($wref) = $this->escape_input((int) $wref);
|
||||
|
||||
$q = "SELECT wood FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['wood'];
|
||||
}
|
||||
@@ -3666,7 +3699,7 @@ class MYSQLi_DB {
|
||||
list($wref) = $this->escape_input((int) $wref);
|
||||
|
||||
$q = "SELECT clay FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['clay'];
|
||||
}
|
||||
@@ -3675,7 +3708,7 @@ class MYSQLi_DB {
|
||||
list($wref) = $this->escape_input((int) $wref);
|
||||
|
||||
$q = "SELECT iron FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['iron'];
|
||||
}
|
||||
@@ -3684,7 +3717,7 @@ class MYSQLi_DB {
|
||||
list($wref) = $this->escape_input((int) $wref);
|
||||
|
||||
$q = "SELECT crop FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
return $dbarray['crop'];
|
||||
}
|
||||
@@ -4075,19 +4108,19 @@ class MYSQLi_DB {
|
||||
function addPassword($uid, $npw, $cpw) {
|
||||
list($uid, $npw, $cpw) = $this->escape_input((int) $uid, $npw, $cpw);
|
||||
$q = "REPLACE INTO `" . TB_PREFIX . "password`(uid, npw, cpw) VALUES ($uid, '$npw', '$cpw')";
|
||||
mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
|
||||
function resetPassword($uid, $cpw) {
|
||||
list($uid, $cpw) = $this->escape_input((int) $uid, $cpw);
|
||||
$q = "SELECT npw FROM `" . TB_PREFIX . "password` WHERE uid = $uid AND cpw = '$cpw' AND used = 0";
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
$result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
|
||||
if(!empty($dbarray)) {
|
||||
if(!$this->updateUserField($uid, 'password', md5($dbarray['npw']), 1)) return false;
|
||||
if(!$this->updateUserField($uid, 'password', password_hash($dbarray['npw'], PASSWORD_BCRYPT,['cost' => 12]), 1)) return false;
|
||||
$q = "UPDATE `" . TB_PREFIX . "password` SET used = 1 WHERE uid = $uid AND cpw = '$cpw' AND used = 0";
|
||||
mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -4174,7 +4207,7 @@ class MYSQLi_DB {
|
||||
|
||||
$time = time();
|
||||
$q = "INSERT INTO " . TB_PREFIX . "general values (0,'$casualties','$time',1)";
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
|
||||
function getAttackByDate($time) {
|
||||
@@ -4269,7 +4302,7 @@ class MYSQLi_DB {
|
||||
list($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) = $this->escape_input((int) $wid,(int) $from,(int) $t1,(int) $t2,(int) $t3,(int) $t4,(int) $t5,(int) $t6,(int) $t7,(int) $t8,(int) $t9,(int) $t10,(int) $t11);
|
||||
|
||||
$q = "UPDATE " . TB_PREFIX . "prisoners set t1 = t1 + $t1, t2 = t2 + $t2, t3 = t3 + $t3, t4 = t4 + $t4, t5 = t5 + $t5, t6 = t6 + $t6, t7 = t7 + $t7, t8 = t8 + $t8, t9 = t9 + $t9, t10 = t10 + $t10, t11 = t11 + $t11 where wref = $wid and ".TB_PREFIX."prisoners.from = $from";
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
|
||||
return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
|
||||
}
|
||||
|
||||
function getPrisoners($wid,$mode=0) {
|
||||
|
||||
@@ -140,7 +140,7 @@ class Profile {
|
||||
if ($_POST['uid'] != $session->uid){
|
||||
die("Hacking Attempr");
|
||||
} else {
|
||||
$database->updateUserField($post['uid'],"password",md5($post['pw2']),1);
|
||||
$database->updateUserField($post['uid'],"password",password_hash($post['pw2'], PASSWORD_BCRYPT,['cost' => 12]),1);
|
||||
}
|
||||
}
|
||||
else {
|
||||
@@ -156,7 +156,7 @@ class Profile {
|
||||
else {
|
||||
$form->addError("email",EMAIL_ERROR);
|
||||
}
|
||||
if($post['del'] && md5($post['del_pw']) == $session->userinfo['password']) {
|
||||
if($post['del'] && password_verify($session->userinfo['password'], $post['del_pw'])) {
|
||||
$database->setDeleting($post['uid'],0);
|
||||
}
|
||||
else {
|
||||
|
||||
@@ -9,7 +9,7 @@ if($_POST AND $_GET['action'] == 'change_capital') {
|
||||
$pass = mysqli_escape_string($GLOBALS['link'],$_POST['pass']);
|
||||
$query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'users` WHERE `id` = ' . (int) $session->uid);
|
||||
$data = mysqli_fetch_assoc($query);
|
||||
if($data['password'] == md5($pass)) {
|
||||
if(password_verify($pass, $data['password'])) {
|
||||
$query1 = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `owner` = ' .(int) $session->uid . ' AND `capital` = 1');
|
||||
$data1 = mysqli_fetch_assoc($query1);
|
||||
$query2 = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'fdata` WHERE `vref` = ' . (int) $data1['wref']);
|
||||
|
||||
+1
-1
@@ -102,7 +102,7 @@ if($_POST['password'] != ""){
|
||||
*/
|
||||
|
||||
$username = "Natars";
|
||||
$password = md5($_POST['password']);
|
||||
$password = password_hash($_POST['password'], PASSWORD_BCRYPT,['cost' => 12]);
|
||||
$email = "natars@noreply.com";
|
||||
$tribe = 5;
|
||||
$desc = "***************************
|
||||
|
||||
@@ -1542,6 +1542,7 @@ CREATE TABLE IF NOT EXISTS `%PREFIX%users` (
|
||||
`vac_time` varchar(255) NULL DEFAULT '0',
|
||||
`vac_mode` int(2) NULL DEFAULT '0',
|
||||
`vactwoweeks` varchar(255) NULL DEFAULT '0',
|
||||
`is_bcrypt` tinyint(1) NOT NULL DEFAULT '0',
|
||||
PRIMARY KEY (`id`),
|
||||
KEY `invited` (`invited`),
|
||||
KEY `lastupdate` (`lastupdate`),
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
|
||||
if(isset($_POST['mhpw'])) {
|
||||
$password = $_POST['mhpw'];
|
||||
mysqli_query($conn, "UPDATE " . TB_PREFIX . "users SET password = '" . md5($password) . "' WHERE username = 'Multihunter'");
|
||||
mysqli_query($conn, "UPDATE " . TB_PREFIX . "users SET password = '" . password_hash($password, PASSWORD_BCRYPT,['cost' => 12]) . "' WHERE username = 'Multihunter'");
|
||||
$wid = $admin->getWref(0, 0);
|
||||
$uid = 5;
|
||||
$status = $database->getVillageState($wid);
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
-- 20.10.2017 -> changing MD5 for bcrypt password hashing algo
|
||||
ALTER TABLE `s1_users` ADD `is_bcrypt` TINYINT(1) NOT NULL DEFAULT '0' AFTER `vactwoweeks`;
|
||||
@@ -1,4 +1,3 @@
|
||||
- just so it's really visible => exchange md5 for something more secure (probably password_hash() using bcrypt)
|
||||
- change title for each page, so it fits with H1 (or history will always show a lot of "TravianZ" entries without a way to know where that history entry leads)
|
||||
... same in Admin panel
|
||||
- fix deleting users (need to delete their villages (+alliances/construction plans/...?) after a while)
|
||||
|
||||
Reference in New Issue
Block a user