From f4021d1452468189fea7378323576e2b6abeec4e Mon Sep 17 00:00:00 2001
From: Martin Ambrus
Date: Fri, 20 Oct 2017 12:31:27 +0200
Subject: [PATCH] feat: MD5 passwords exchanged for bcrypt ones

---
 Admin/Templates/resetServer.php | 2 +-
 Admin/database.php | 73 +++++++++++++++---
 GameEngine/Account.php | 6 +-
 GameEngine/Admin/Mods/addUsers.php | 2 +-
 GameEngine/Admin/Mods/editPassword.php | 2 +-
 GameEngine/Admin/database.php | 93 +++++++++++++++++-----
 GameEngine/Alliance.php | 2 +-
 GameEngine/Database.php | 103 ++++++++++++++++---------
 GameEngine/Profile.php | 4 +-
 Templates/Build/26.tpl | 2 +-
 create_account.php | 2 +-
 install/data/sql.sql | 1 +
 install/include/multihunter.php | 2 +-
 sql_updates.txt | 2 +
 todo.txt | 1 -
 15 files changed, 219 insertions(+), 78 deletions(-)
 create mode 100644 sql_updates.txt

diff --git a/Admin/Templates/resetServer.php b/Admin/Templates/resetServer.php
index 4114ca38..75fa3475 100644
--- a/Admin/Templates/resetServer.php
+++ b/Admin/Templates/resetServer.php
@@ -79,7 +79,7 @@ $database->populateOasis();
 $database->populateOasisUnits2();
 $uid=$database->getVillageID(5);
-$passw=md5('123456');
+$passw=password_hash("12345", PASSWORD_BCRYPT,['cost' => 12]);
 mysqli_query($GLOBALS["link"], "TRUNCATE TABLE ".TB_PREFIX."users");
 mysqli_query($GLOBALS["link"], "INSERT INTO ".TB_PREFIX."users (id, username, password, email, tribe, access, gold, gender, birthday, location, desc1, desc2, plus, b1, b2, b3, b4, sit1, sit2, alliance, sessid, act, timestamp, ap, apall, dp, dpall, protect, quest, gpack, cp, lastupdate, RR, Rc, ok) VALUES (5, 'Multihunter', '".$passw."', 'multihunter@travianx.mail', 0, 9, 0, 0, '0000-00-00', '', '', '', 0, 0, 0, 0, 0, 0, 0, 0, '', '', 0, 0, 0, 0, 0, 0, 0, 'gpack/travian_default/', 1, 0, 0, 0, 0),
diff --git a/Admin/database.php b/Admin/database.php
index 57c25133..5f1b92b5 100644
--- a/Admin/database.php
+++ b/Admin/database.php
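Review bot: The INSERT that follows the changed line names the users columns explicitly and omits `is_bcrypt`, so the Multihunter row carries a bcrypt hash while the flag stays at its default 0; Login copes because it tries password_verify first, but adm_DB::CheckPass only tries md5 when the flag is 0, so any admin row written this way cannot pass CheckPass. The flag is likewise left unset wherever a bcrypt hash is written outside register(): editPassword.php (its UPDATE is outside that hunk), Profile.php, Database.php resetPassword and install/include/multihunter.php; either add `is_bcrypt = 1` to those writes, with the same no-column fallback register() uses, or drop the flag and rely on password_verify everywhere. The default password also changes from '123456' to "12345" on this line, which looks unintended. The remainder of the INSERT continues outside the hunk.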
@@ -39,11 +39,41 @@ class adm_DB {
 global $database;
 list($username,$password) = $database->escape_input($username,$password);
- $q = "SELECT password FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
+ $q = "SELECT id, password, is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
 $result = mysqli_query($this->connection, $q);
+
+ // if we didn't update the database for bcrypt hashes yet...
+ if (mysqli_error($database->dblink) != '') {
+ // no need to select ID here, since the DB is not updated, so there will be no password conversion later
+ $q = "SELECT id, password, 0 as is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
+ $result = mysqli_query($this->connection, $q);
+ $bcrypt_update_done = false;
+ } else {
+ $bcrypt_update_done = true;
+ }
+
 $dbarray = mysqli_fetch_array($result);
- if($dbarray['password'] == md5($password)) {
+
+ // even if we didn't do a DB conversion for bcrypt passwords,
+ // we still need to check if this password wasn't encrypted via password_hash,
+ // since all methods were updated to use that instead of md5 and therefore
+ // new passwords in DB will be bcrypt already even without the is_bcrypt field present
+ $bcrypted = true;
+ $pwOk = password_verify($password, $dbarray['password']);
+
+ if (!$pwOk && !$dbarray['is_bcrypt']) {
+ $pwOk = ($dbarray['password'] == md5($password));
+ $bcrypted = false;
+ }
+
+ if($pwOk) {
+ // update password to bcrypt, if correct
+ if (!$dbarray['is_bcrypt'] && !$bcrypted) {
+ mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')." where id = ".(int) $dbarray['id']);
+ }
+ mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: ".$_SERVER['REMOTE_ADDR'].")',".time().")");
+ return true;
 } else {
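Review bot: The admin_log INSERT in the success branch has lost its connection argument — `mysqli_query("Insert into ".TB_PREFIX."admin_log ...")` is now called with the SQL as its only parameter, so the login audit entry is silently never written; the same happens in both branches of Login in GameEngine/Admin/database.php, where the removed lines show the intended form `mysqli_query($this->connection, "Insert into ...")`. The fallback detection reads `mysqli_error($database->dblink)` although the SELECT ran on `$this->connection`, so a missing `is_bcrypt` column is never noticed here (and CheckPass in both files checks `$this->dblink`, which adm_DB does not appear to define); check the link the query used, `if (mysqli_error($this->connection) != '')`. `$password` has also been through `escape_input` before `password_verify`, while registration hashes the raw `$_POST['pw']`, so a password containing a quote or backslash can never verify — the same holds for the other login paths and for Templates/Build/26.tpl, which verifies the escaped `$pass`; verify the raw value and escape only what is interpolated into SQL. The else branch of Login continues outside the hunk.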
@@ -227,14 +257,37 @@ class adm_DB {
 }
 function CheckPass($password,$uid){
- $q = "SELECT password FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
- $result = mysqli_query($this->connection, $q);
- $dbarray = mysqli_fetch_array($result);
- if($dbarray['password'] == md5($password)) {
- return true;
- }else{
- return false;
- }
+ $q = "SELECT id,password, is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
+ $result = mysqli_query($this->connection, $q);
+
+ // if we didn't update the database for bcrypt hashes yet...
+ if (mysqli_error($this->dblink) != '') {
+ // no need to select ID here, since the DB is not updated, so there will be no password conversion later
+ $q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
+ $result = mysqli_query($this->dblink,$q);
+ $bcrypt_update_done = false;
+ } else {
+ $bcrypt_update_done = true;
+ }
+
+ $dbarray = mysqli_fetch_array($result);
+
+ // check if this is still md5 password hash
+ if (!$dbarray['is_bcrypt']) {
+ $pwOk = ($dbarray['password'] == md5($password));
+ } else {
+ $pwOk = password_verify($password, $dbarray['password']);
+ }
+
+ if($pwOk) {
+ // update password to bcrypt, if correct
+ if ($bcrypt_update_done && !$dbarray['is_bcrypt']) {
+ mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."', is_bcrypt = 1 where id = ".(int) $dbarray['id']);
+ }
+ return true;
+ } else {
+ return false;
+ }
 }
 function DelVillage($wref, $mode=0){
diff --git a/GameEngine/Account.php b/GameEngine/Account.php
index f265da9f..8b7cb0b8 100755
--- a/GameEngine/Account.php
+++ b/GameEngine/Account.php
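Review bot: The md5 fallback keeps the loose `==` comparison; PHP compares two numeric-looking strings numerically, so the hex digest should be compared with `hash_equals($dbarray['password'], md5($password))` — here and at the other fallback sites (Login in this file, Login and CheckPass in GameEngine/Admin/database.php, login in GameEngine/Database.php). When is_bcrypt is 0 this method only tries md5, but bcrypt hashes are also written without the flag by editPassword.php, resetPassword and the register() fallback, so an admin whose password was set that way can no longer pass CheckPass; try `password_verify` first and fall back to md5 only when it fails, as Login does. In the unconverted branch the fallback SELECT omits `id`, which is harmless only because the UPDATE is gated on `$bcrypt_update_done`; a short comment saying so would help the next reader. DelVillage's header is context only.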
@@ -114,7 +114,7 @@ class Account {
 if(AUTH_EMAIL){
 $act = $generator->generateRandStr(10);
 $act2 = $generator->generateRandStr(5);
- $uid = $database->activate($_POST['name'],md5($_POST['pw']),$_POST['email'],$_POST['vid'],$_POST['kid'],$act,$act2);
+ $uid = $database->activate($_POST['name'],password_hash($_POST['pw'], PASSWORD_BCRYPT,['cost' => 12]),$_POST['email'],$_POST['vid'],$_POST['kid'],$act,$act2);
 if($uid) {
 $mailer->sendActivate($_POST['email'],$_POST['name'],$_POST['pw'],$act);
@@ -122,7 +122,7 @@ class Account {
 }
 }
 else {
- $uid = $database->register($_POST['name'],md5($_POST['pw']),$_POST['email'],$_POST['vid'],$act);
+ $uid = $database->register($_POST['name'],password_hash($_POST['pw'], PASSWORD_BCRYPT,['cost' => 12]),$_POST['email'],$_POST['vid'],$act);
 if($uid) {
 setcookie("COOKUSR",$_POST['name'],time()+COOKIE_EXPIRE,COOKIE_PATH);
 setcookie("COOKEMAIL",$_POST['email'],time()+COOKIE_EXPIRE,COOKIE_PATH);
@@ -167,7 +167,7 @@ class Account {
 $q = "SELECT * FROM ".TB_PREFIX."activate where id = '".$database->escape((int) $_POST['id'])."'";
 $result = mysqli_query($GLOBALS['link'],$q);
 $dbarray = mysqli_fetch_array($result);
- if(md5($_POST['pw']) == $dbarray['password']) {
+ if(password_verify($_POST['pw'], $dbarray['password'])) {
 $database->unreg($dbarray['username']);
 header("Location: anmelden.php");
 }
diff --git a/GameEngine/Admin/Mods/addUsers.php b/GameEngine/Admin/Mods/addUsers.php
index faa54a3a..538aef08 100755
--- a/GameEngine/Admin/Mods/addUsers.php
+++ b/GameEngine/Admin/Mods/addUsers.php
@@ -85,7 +85,7 @@ else
 else {
 // Register them and build the village
- $uid = $database->register($userName, md5($password), $email, $tribe ,$act);
+ $uid = $database->register($userName, password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]), $email, $tribe ,$act);
 if($uid) {
 /*
diff --git a/GameEngine/Admin/Mods/editPassword.php b/GameEngine/Admin/Mods/editPassword.php
index d7075e59..529eb52f 100755
--- a/GameEngine/Admin/Mods/editPassword.php
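Review bot: `PASSWORD_BCRYPT` and `['cost' => 12]` are written out literally here and at every other hashing site in this patch (the -122 hunk below, addUsers.php, editPassword.php, Database.php resetPassword, Profile.php, create_account.php, multihunter.php, resetServer.php), so the cost can only be raised by editing ten files; a single helper with one defined constant (names illustrative), `function hashPassword($pw) { return password_hash($pw, PASSWORD_BCRYPT, ['cost' => PW_HASH_COST]); }`, keeps it tunable in one place. This call hashes the raw `$_POST['pw']`, which is what the verification side should compare against as well. The enclosing method continues outside the hunk.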
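Review bot: Rows in the activate table written before this change hold md5 hashes and nothing in the patch converts them (sql_updates.txt only touches users), so a pending activation from before the deploy can no longer be cancelled through this form; if that matters, keep an md5 fallback here as the login paths do, `if(password_verify($_POST['pw'], $dbarray['password']) || hash_equals($dbarray['password'], md5($_POST['pw'])))`. `$dbarray` is also used without checking that the SELECT matched a row, which was already the case before this change.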
+++ b/GameEngine/Admin/Mods/editPassword.php
@@ -17,7 +17,7 @@ mysqli_select_db($GLOBALS["link"], SQL_DB);
 $session = (int) $_POST['admid'];
 $id = (int) $_POST['uid'];
-$pass = md5($_POST['newpw']);
+$pass = password_hash($_POST['newpw'], PASSWORD_BCRYPT, ['cost' => 12]);
 $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id = ".$session."");
 $access = mysqli_fetch_array($sql);
diff --git a/GameEngine/Admin/database.php b/GameEngine/Admin/database.php
index 32b179d5..b0f0f7bd 100755
--- a/GameEngine/Admin/database.php
+++ b/GameEngine/Admin/database.php
@@ -43,19 +43,49 @@ class adm_DB {
 }
 function Login($username,$password){
- global $database;
- list($username,$password) = $database->escape_input($username,$password);
- $q = "SELECT password FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
- $result = mysqli_query($this->connection,$q);
- $dbarray = mysqli_fetch_array($result);
- if($dbarray['password'] == md5($password)) {
- mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: ".$_SERVER['REMOTE_ADDR'].")',".time().")");
- return true;
- }
- else {
- mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,'X','IP: ".$_SERVER['REMOTE_ADDR']." tried to log in with username $username but access was denied!',".time().")");
- return false;
- }
+ global $database;
+ list($username,$password) = $database->escape_input($username,$password);
+
+ $q = "SELECT id, password, is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
+ $result = mysqli_query($this->connection, $q);
+
+ // if we didn't update the database for bcrypt hashes yet...
+ if (mysqli_error($database->dblink) != '') {
+ $q = "SELECT id, password, 0 as is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
+ $result = mysqli_query($this->connection, $q);
+ $bcrypt_update_done = false;
+ } else {
+ $bcrypt_update_done = true;
+ }
+
+ $dbarray = mysqli_fetch_array($result);
+
+ // even if we didn't do a DB conversion for bcrypt passwords,
+ // we still need to check if this password wasn't encrypted via password_hash,
+ // since all methods were updated to use that instead of md5 and therefore
+ // new passwords in DB will be bcrypt already even without the is_bcrypt field present
+ $bcrypted = true;
+ $pwOk = password_verify($password, $dbarray['password']);
+
+ if (!$pwOk && !$dbarray['is_bcrypt']) {
+ $pwOk = ($dbarray['password'] == md5($password));
+ $bcrypted = false;
+ }
+
+ if($pwOk) {
+ // update password to bcrypt, if correct
+ if (!$dbarray['is_bcrypt'] && !$bcrypted) {
+ mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')." where id = ".(int) $dbarray['id']);
+ }
+
+ mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: ".$_SERVER['REMOTE_ADDR'].")',".time().")");
+
+ return true;
+ }
+ else {
+ mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','IP: ".$_SERVER['REMOTE_ADDR']." tried to log in with username $username but access was denied!',".time().")");
+ return false;
+ }
 }
 function recountPopUser($uid){
@@ -233,13 +263,36 @@ class adm_DB {
 }
 function CheckPass($password,$uid){
- $q = "SELECT password FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
- $result = mysqli_query($this->connection, $q);
- $dbarray = mysqli_fetch_array($result);
- if($dbarray['password'] == md5($password)) {
- return true;
- }else{
- return false;
+ $q = "SELECT id,password, is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
+ $result = mysqli_query($this->connection, $q);
+
+ // if we didn't update the database for bcrypt hashes yet...
+ if (mysqli_error($this->dblink) != '') {
+ // no need to select ID here, since the DB is not updated, so there will be no password conversion later
+ $q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
+ $result = mysqli_query($this->dblink,$q);
+ $bcrypt_update_done = false;
+ } else {
+ $bcrypt_update_done = true;
+ }
+
+ $dbarray = mysqli_fetch_array($result);
+
+ // check if this is still md5 password hash
+ if (!$dbarray['is_bcrypt']) {
+ $pwOk = ($dbarray['password'] == md5($password));
+ } else {
+ $pwOk = password_verify($password, $dbarray['password']);
+ }
+
+ if($pwOk) {
+ // update password to bcrypt, if correct
+ if ($bcrypt_update_done && !$dbarray['is_bcrypt']) {
+ mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."', is_bcrypt = 1 where id = ".(int) $dbarray['id']);
+ }
+ return true;
+ } else {
+ return false;
 }
 }
diff --git a/GameEngine/Alliance.php b/GameEngine/Alliance.php
index 56342417..83bec4e5 100755
--- a/GameEngine/Alliance.php
+++ b/GameE ngine/Alliance.php
@@ -392,7 +392,7 @@ if($session->access != BANNED){
 if(!isset($post['pw']) || $post['pw'] == "") {
 $form->addError("pw1", PW_EMPTY);
- } elseif(md5($post['pw']) !== $session->userinfo['password']) {
+ } elseif(!password_verify($post['pw'], $session->userinfo['password'])) {
 $form->addError("pw2", PW_ERR);
 } else {
 $database->updateUserField($session->uid, 'alliance', 0, 1);
diff --git a/GameEngine/Database.php b/GameEngine/Database.php
index d26170ac..d3efee74 100755
--- a/GameEngine/Database.php
+++ b/GameEngine/Database.php
@@ -23,7 +23,7 @@ class MYSQLi_DB {
 var $dblink;
 function __construct() {
- $this->dblink = mysqli_connect(SQL_SERVER, SQL_USER, SQL_PASS) or die(mysqli_error($database->dblink));
+ $this->dblink = mysqli_connect(SQL_SERVER, SQL_USER, SQL_PASS) or die(mysqli_error($this->dblink));
 mysqli_select_db($this->dblink, SQL_DB);
 mysqli_query($this->dblink,"SET NAMES 'UTF8'");
 }
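Review bot: When `mysqli_connect` fails it returns false, so `$this->dblink` is false at the moment `die(mysqli_error($this->dblink))` runs and mysqli_error cannot report anything useful (and raises its own error on a non-link in newer PHP); the connect failure is reported by `mysqli_connect_error()`, i.e. `... or die(mysqli_connect_error());`. Replacing the undefined `$database->dblink` is still an improvement, so this is a follow-up rather than a regression.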
@@ -64,11 +64,17 @@ class MYSQLi_DB {
 }
 $timep = $time + PROTECTION;
 $time = time();
- $q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime) VALUES ('$username', '$password', " . USER . ", '$email', $time, " . (int) $tribe . ", '$act', $timep, $time, $time)";
+ $q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime,is_bcrypt) VALUES ('$username', '$password', " . USER . ", '$email', $time, " . (int) $tribe . ", '$act', $timep, $time, $time,1)";
 if(mysqli_query($this->dblink,$q)) {
 return mysqli_insert_id($this->dblink);
 } else {
- return false;
+ // if an error has occured, we probably don't have DB converted to handle bcrypt passwords yet
+ $q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime) VALUES ('$username', '$password', " . USER . ", '$email', $time, " . (int) $tribe . ", '$act', $timep, $time, $time)";
+ if(mysqli_query($this->dblink,$q)) {
+ return mysqli_insert_id($this->dblink);
+ } else {
+ return false;
+ }
 }
 }
@@ -232,7 +238,7 @@ class MYSQLi_DB {
 function getVrefField($ref, $field) {
 list($ref, $field) = $this->escape_input((int) $ref, $field);
 $q = "SELECT $field FROM " . TB_PREFIX . "vdata where wref = $ref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray[$field];
 }
@@ -240,7 +246,7 @@ class MYSQLi_DB {
 function getVrefCapital($ref) {
 list($ref) = $this->escape_input((int) $ref);
 $q = "SELECT * FROM " . TB_PREFIX . "vdata where owner = $ref and capital = 1";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray;
 }
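Review bot: Any failure of the first INSERT now triggers a second INSERT without `is_bcrypt`, so errors unrelated to the missing column (a duplicate username, a full table space) are retried blindly and their message is discarded; gate the retry on the actual error, e.g. `if (mysqli_errno($this->dblink) == 1054)` (MySQL's unknown-column code) or on `mysqli_error($this->dblink)` mentioning the column, and return false otherwise. A one-line comment noting that the fallback row then carries a bcrypt hash with no flag, which login() handles by trying password_verify first, would also help the next reader. The method's start is outside the hunk.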
@@ -265,17 +271,44 @@ class MYSQLi_DB {
 } else {
 $q = "SELECT $field FROM " . TB_PREFIX . "activate where username = '$ref'";
 }
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray[$field];
 }
 function login($username, $password) {
 list($username, $password) = $this->escape_input($username, $password);
- $q = "SELECT password,sessid FROM " . TB_PREFIX . "users where username = '$username'";
+ $q = "SELECT id,password,sessid,is_bcrypt FROM " . TB_PREFIX . "users where username = '$username'";
 $result = mysqli_query($this->dblink,$q);
+
+ // if we didn't update the database for bcrypt hashes yet...
+ if (mysqli_error($this->dblink) != '') {
+ $q = "SELECT id, password,sessid,0 as is_bcrypt FROM " . TB_PREFIX . "users where username = '$username'";
+ $result = mysqli_query($this->dblink,$q);
+ $bcrypt_update_done = false;
+ } else {
+ $bcrypt_update_done = true;
+ }
+
 $dbarray = mysqli_fetch_array($result);
- if($dbarray['password'] == md5($password)) {
+
+ // even if we didn't do a DB conversion for bcrypt passwords,
+ // we still need to check if this password wasn't encrypted via password_hash,
+ // since all methods were updated to use that instead of md5 and therefore
+ // new passwords in DB will be bcrypt already even without the is_bcrypt field present
+ $bcrypted = true;
+ $pwOk = password_verify($password, $dbarray['password']);
+
+ if (!$pwOk && !$dbarray['is_bcrypt']) {
+ $pwOk = ($dbarray['password'] == md5($password));
+ $bcrypted = false;
+ }
+
+ if($pwOk) {
+ // update password to bcrypt, if correct
+ if (!$dbarray['is_bcrypt'] && !$bcrypted) {
+ mysqli_query($this->dblink, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')."
where id = ".(int) $dbarray['id']);
+ }
 return true;
 } else {
 return false;
@@ -309,7 +342,7 @@ class MYSQLi_DB {
 $dbarray3 = mysqli_fetch_array($result3);
 }
 if($dbarray['sit1'] != 0 || $dbarray['sit2'] != 0) {
- if($dbarray2['password'] == md5($password) || $dbarray3['password'] == md5($password)) {
+ if(password_verify($password, $dbarray2['password']) || password_verify($password, $dbarray3['password'])) {
 return true;
 } else {
 return false;
@@ -526,7 +559,7 @@ class MYSQLi_DB {
 }
 $time = time();
 $q = "INSERT into " . TB_PREFIX . "vdata (wref, owner, name, capital, pop, cp, celebration, wood, clay, iron, maxstore, crop, maxcrop, lastupdate, created) values ($wid, $uid, '$vname', $capital, 2, 1, 0, 750, 750, 750, ".STORAGE_BASE.", 750, ".STORAGE_BASE.", $time, $time)";
- return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 }
 function addResourceFields($vid, $type) {
@@ -1523,7 +1556,7 @@ class MYSQLi_DB {
 } else {
 $q = "SELECT $field FROM " . TB_PREFIX . "ali_permission where username = '$ref'";
 }
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray[$field];
 }
@@ -2149,7 +2182,7 @@ class MYSQLi_DB {
 $time = time();
 $q = "INSERT INTO " . TB_PREFIX . "ali_invite values (0,$uid,$alli,$sender,$time,0)";
- return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 }
 function removeInvitation($id) {
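Review bot: When the username does not exist `mysqli_fetch_array` yields no row, and the new code then calls `password_verify($password, $dbarray['password'])` with a null hash and reads `$dbarray['is_bcrypt']`, which emits notices (and a deprecation for the null argument on PHP 8.1+); add `if (!$dbarray) { return false; }` right after the fetch, before the verify. The md5 fallback here has the same loose `==` and escaped-password concerns as the admin Login; `hash_equals` and verifying the unescaped value apply equally. The hunk begins on the previous line.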
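Review bot: Sitter login now requires the sitter's stored hash to be bcrypt, but a sitter who has not logged in since this change still has an md5 hash in users.password (the conversion only happens inside login()), so sitting fails for them until they log in themselves; either reuse the same verify-then-md5 fallback here or record the limitation in sql_updates.txt. `$dbarray2` and `$dbarray3` are assigned in branches outside the hunk, so password_verify may also receive null when only one sitter is set, as the removed md5 comparison did.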
@@ -2297,7 +2330,7 @@ class MYSQLi_DB {
 $time = time();
 }
 $q = "INSERT INTO " . TB_PREFIX . "ndata (id, uid, toWref, ally, topic, ntype, data, time, viewed) values (0,'$uid','$toWref','$ally','$topic',$type,'$data',$time,0)";
- return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 }
 function getNotice($uid) {
@@ -2361,7 +2394,7 @@ class MYSQLi_DB {
 list($id) = $this->escape_input((int) $id);
 $q = "SELECT * FROM " . TB_PREFIX . "route where id = $id";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray;
 }
@@ -2370,7 +2403,7 @@ class MYSQLi_DB {
 list($id) = $this->escape_input((int) $id);
 $q = "SELECT * FROM " . TB_PREFIX . "route where id = $id";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['uid'];
 }
@@ -2397,7 +2430,7 @@ class MYSQLi_DB {
 list($wid, $field, $type, $loop, $time, $master, $level) = $this->escape_input((int) $wid, $field, (int) $type, (int) $loop, (int) $time, (int) $master, (int) $level);
 $x = "UPDATE " . TB_PREFIX . "fdata SET f" . $field . "t=" . $type . " WHERE vref=" . $wid;
- mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
+ mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
 $q = "INSERT into " . TB_PREFIX . "bdata values (0,$wid,$field,$type,$loop,$time,$master,$level)";
 return mysqli_query($this->dblink,$q);
 }
@@ -2497,13 +2530,13 @@ class MYSQLi_DB {
 } else {
 if($jobs[$jobDeleted]['field'] >= 19) {
 $x = "SELECT f" . $jobs[$jobDeleted]['field'] . " FROM " . TB_PREFIX . "fdata WHERE vref=" . (int) $jobs[$jobDeleted]['wid'];
- $result = mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
 $fieldlevel = mysqli_fetch_row($result);
 if($fieldlevel[0] == 0) {
 if ($village->natar==1 && $jobs[$jobDeleted]['field']==99) { //fix by ronix
 }else{
 $x = "UPDATE " . TB_PREFIX . "fdata SET f" . $jobs[$jobDeleted]['field'] . "t=0 WHERE vref=" . (int) $jobs[$jobDeleted]['wid'];
- mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
+ mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
 }
 }
 }
@@ -2511,7 +2544,7 @@ class MYSQLi_DB {
 if(($jobs[$jobLoopconID]['field'] <= 18 && $jobs[$jobDeleted]['field'] <= 18) || ($jobs[$jobLoopconID]['field'] >= 19 && $jobs[$jobDeleted]['field'] >= 19) || sizeof($jobs) < 3) {
 $uprequire = $building->resourceRequired($jobs[$jobLoopconID]['field'], $jobs[$jobLoopconID]['type']);
 $x = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,timestamp=" . (time() + (int) $uprequire['time']) . " WHERE wid=" . (int) $jobs[$jobDeleted]['wid'] . " AND loopcon=1 AND master=0";
- mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink));
+ mysqli_query($this->dblink,$x) or die(mysqli_error($this->dblink));
 }
 }
 }
@@ -2742,7 +2775,7 @@ class MYSQLi_DB {
 list($vref, $field) = $this->escape_input($vref, $field);
 $q = "SELECT $field FROM " . TB_PREFIX . "market where vref = '$vref'";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray[$field];
 }
@@ -3136,7 +3169,7 @@ class MYSQLi_DB {
 list($vref, $unit) = $this->escape_input((int) $vref, $unit);
 $q = "SELECT $unit FROM " . TB_PREFIX . "tdata WHERE vref = $vref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray[$unit];
 }
@@ -3462,7 +3495,7 @@ class MYSQLi_DB {
 list($vref) = $this->escape_input((int) $vref);
 $q = "SELECT f99 FROM " . TB_PREFIX . "fdata WHERE vref = $vref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['f99'];
 }
@@ -3476,7 +3509,7 @@ class MYSQLi_DB {
 list($vref) = $this->escape_input((int) $vref);
 $q = "SELECT owner FROM " . TB_PREFIX . "vdata WHERE wref = $vref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['owner'];
 }
@@ -3490,7 +3523,7 @@ class MYSQLi_DB {
 list($id) = $this->escape_input((int) $id);
 $q = "SELECT alliance FROM " . TB_PREFIX . "users where id = $id";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['alliance'];
 }
@@ -3504,7 +3537,7 @@ class MYSQLi_DB {
 list($vref) = $this->escape_input((int) $vref);
 $q = "SELECT wwname FROM " . TB_PREFIX . "fdata WHERE vref = $vref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['wwname'];
 }
@@ -3657,7 +3690,7 @@ class MYSQLi_DB {
 list($wref) = $this->escape_input((int) $wref);
 $q = "SELECT wood FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['wood'];
 }
@@ -3666,7 +3699,7 @@ class MYSQLi_DB {
 list($wref) = $this->escape_input((int) $wref);
 $q = "SELECT clay FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['clay'];
 }
@@ -3675,7 +3708,7 @@ class MYSQLi_DB {
 list($wref) = $this->escape_input((int) $wref);
 $q = "SELECT iron FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['iron'];
 }
@@ -3684,7 +3717,7 @@ class MYSQLi_DB {
 list($wref) = $this->escape_input((int) $wref);
 $q = "SELECT crop FROM " . TB_PREFIX . "vdata WHERE wref = $wref";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 return $dbarray['crop'];
 }
@@ -4075,19 +4108,19 @@ class MYSQLi_DB {
 function addPassword($uid, $npw, $cpw) {
 list($uid, $npw, $cpw) = $this->escape_input((int) $uid, $npw, $cpw);
 $q = "REPLACE INTO `" . TB_PREFIX . "password`(uid, npw, cpw) VALUES ($uid, '$npw', '$cpw')";
- mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 }
 function resetPassword($uid, $cpw) {
 list($uid, $cpw) = $this->escape_input((int) $uid, $cpw);
 $q = "SELECT npw FROM `" . TB_PREFIX . "password` WHERE uid = $uid AND cpw = '$cpw' AND used = 0";
- $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ $result = mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 $dbarray = mysqli_fetch_array($result);
 if(!empty($dbarray)) {
- if(!$this->updateUserField($uid, 'password', md5($dbarray['npw']), 1)) return false;
+ if(!$this->updateUserField($uid, 'password', password_hash($dbarray['npw'], PASSWORD_BCRYPT,['cost' => 12]), 1)) return false;
 $q = "UPDATE `" . TB_PREFIX . "password` SET used = 1 WHERE uid = $uid AND cpw = '$cpw' AND used = 0";
- mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 return true;
 }
@@ -4174,7 +4207,7 @@ class MYSQLi_DB {
 $time = time();
 $q = "INSERT INTO " . TB_PREFIX . "general values (0,'$casualties','$time',1)";
- return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 }
 function getAttackByDate($time) {
@@ -4269,7 +4302,7 @@ class MYSQLi_DB {
 list($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) = $this->escape_input((int) $wid,(int) $from,(int) $t1,(int) $t2,(int) $t3,(int) $t4,(int) $t5,(int) $t6,(int) $t7,(int) $t8,(int) $t9,(int) $t10,(int) $t11);
 $q = "UPDATE " . TB_PREFIX . "prisoners set t1 = t1 + $t1, t2 = t2 + $t2, t3 = t3 + $t3, t4 = t4 + $t4, t5 = t5 + $t5, t6 = t6 + $t6, t7 = t7 + $t7, t8 = t8 + $t8, t9 = t9 + $t9, t10 = t10 + $t10, t11 = t11 + $t11 where wref = $wid and ".TB_PREFIX."prisoners.from = $from";
- return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink));
+ return mysqli_query($this->dblink,$q) or die(mysqli_error($this->dblink));
 }
 function getPrisoners($wid,$mode=0) {
diff --git a/GameEngine/Profile.php b/GameEngine/Profile.php
index a5b8d494..6657e6d7 100755
--- a/GameEngine/Profile.php
+++ b/GameEngine/Profile.php
@@ -140,7 +140,7 @@ class Profile {
 if ($_POST['uid'] != $session->uid){
 die("Hacking Attempr");
 } else {
- $database->updateUserField($post['uid'],"password",md5($post['pw2']),1);
+ $database->updateUserField($post['uid'],"password",password_hash($post['pw2'], PASSWORD_BCRYPT,['cost' => 12]),1);
 }
 }
 else {
@@ -156,7 +156,7 @@ class Profile {
 else {
 $form->addError("email",EMAIL_ERROR);
 }
- if($post['del'] && md5($post['del_pw']) == $session->userinfo['password']) {
+ if($post['del'] && password_verify($session->userinfo['password'], $post['del_pw'])) {
 $database->setDeleting($post['uid'],0);
 }
 else {
diff --git a/Templates/Build/26.tpl b/Templates/Build/26.tpl
index f6def4bc..6d44051f 100644
--- a/Templates/Build/26.tpl
+++ b/Templates/Build/26.tpl
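Review bot: `password_verify` takes the plaintext first and the hash second, and `password_verify($session->userinfo['password'], $post['del_pw'])` in the -156 hunk passes them reversed, so the check always fails and the deletion branch becomes unreachable; change it to `password_verify($post['del_pw'], $session->userinfo['password'])`. As in the -140 hunk above, the bcrypt hash written through updateUserField leaves is_bcrypt at 0, which the admin CheckPass does not tolerate. The surrounding methods start and end outside these hunks.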
@@ -9,7 +9,7 @@ if($_POST AND $_GET['action'] == 'change_capital') {
 $pass = mysqli_escape_string($GLOBALS['link'],$_POST['pass']);
 $query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'users` WHERE `id` = ' . (int) $session->uid);
 $data = mysqli_fetch_assoc($query);
- if($data['password'] == md5($pass)) {
+ if(password_verify($pass, $data['password'])) {
 $query1 = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `owner` = ' .(int) $session->uid . ' AND `capital` = 1');
 $data1 = mysqli_fetch_assoc($query1);
 $query2 = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'fdata` WHERE `vref` = ' . (int) $data1['wref']);
diff --git a/create_account.php b/create_account.php
index 89af78e6..c1400880 100644
--- a/create_account.php
+++ b/create_account.php
@@ -102,7 +102,7 @@ if($_POST['password'] != ""){
 */
 $username = "Natars";
- $password = md5($_POST['password']);
+ $password = password_hash($_POST['password'], PASSWORD_BCRYPT,['cost' => 12]);
 $email = "natars@noreply.com";
 $tribe = 5;
 $desc = "***************************
diff --git a/install/data/sql.sql b/install/data/sql.sql
index 99a5dd3c..1100a9bd 100644
--- a/install/data/sql.sql
+++ b/install/data/sql.sql
@@ -1542,6 +1542,7 @@ CREATE TABLE IF NOT EXISTS `%PREFIX%users` (
 `vac_time` varchar(255) NULL DEFAULT '0',
 `vac_mode` int(2) NULL DEFAULT '0',
 `vactwoweeks` varchar(255) NULL DEFAULT '0',
+ `is_bcrypt` tinyint(1) NOT NULL DEFAULT '0',
 PRIMARY KEY (`id`),
 KEY `invited` (`invited`),
 KEY `lastupdate` (`lastupdate`),
diff --git a/install/include/multihunter.php b/install/include/multihunter.php
index 9aeb11ac..6a551611 100644
--- a/install/include/multihunter.php
+++ b/install/include/multihunter.php
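Review bot: The fresh-install schema gets `is_bcrypt` under the `%PREFIX%` placeholder, but the upgrade statement added in sql_updates.txt hard-codes `s1_users`, so an existing install with a different table prefix will run the ALTER against a table that does not exist; the note should use the placeholder or state that the prefix must be substituted. `NOT NULL DEFAULT '0'` means every pre-existing row is treated as md5 until its next successful login, which matches the login fallback and is worth a one-line comment next to the column.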
@@ -14,7 +14,7 @@ if(isset($_POST['mhpw'])) {
 $password = $_POST['mhpw'];
- mysqli_query($conn, "UPDATE " . TB_PREFIX . "users SET password = '" . md5($password) . "' WHERE username = 'Multihunter'");
+ mysqli_query($conn, "UPDATE " . TB_PREFIX . "users SET password = '" . password_hash($password, PASSWORD_BCRYPT,['cost' => 12]) . "' WHERE username = 'Multihunter'");
 $wid = $admin->getWref(0, 0);
 $uid = 5;
 $status = $database->getVillageState($wid);
diff --git a/sql_updates.txt b/sql_updates.txt
new file mode 100644
index 00000000..2e59f090
--- /dev/null
+++ b/sql_updates.txt
@@ -0,0 +1,2 @@
+-- 20.10.2017 -> changing MD5 for bcrypt password hashing algo
+ALTER TABLE `s1_users` ADD `is_bcrypt` TINYINT(1) NOT NULL DEFAULT '0' AFTER `vactwoweeks`;
\ No newline at end of file
diff --git a/todo.txt b/todo.txt
index f58e4392..ee69b00c 100644
--- a/todo.txt
+++ b/todo.txt
@@ -1,4 +1,3 @@
-- just so it's really visible => exchange md5 for something more secure (probably password_hash() using bcrypt)
 - change title for each page, so it fits with H1 (or history will always show a lot of "TravianZ" entries without a way to know where that history entry leads) ... same in Admin panel
 - fix deleting users (need to delete their villages (+alliances/construction plans/...?) after a while)