mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-12 15:46:06 +00:00
feat: MD5 passwords exchanged for bcrypt ones
This commit is contained in:
@@ -79,7 +79,7 @@ $database->populateOasis();
|
||||
$database->populateOasisUnits2();
|
||||
$uid=$database->getVillageID(5);
|
||||
|
||||
$passw=md5('123456');
|
||||
$passw=password_hash("12345", PASSWORD_BCRYPT,['cost' => 12]);
|
||||
mysqli_query($GLOBALS["link"], "TRUNCATE TABLE ".TB_PREFIX."users");
|
||||
mysqli_query($GLOBALS["link"], "INSERT INTO ".TB_PREFIX."users (id, username, password, email, tribe, access, gold, gender, birthday, location, desc1, desc2, plus, b1, b2, b3, b4, sit1, sit2, alliance, sessid, act, timestamp, ap, apall, dp, dpall, protect, quest, gpack, cp, lastupdate, RR, Rc, ok) VALUES
|
||||
(5, 'Multihunter', '".$passw."', 'multihunter@travianx.mail', 0, 9, 0, 0, '0000-00-00', '', '', '', 0, 0, 0, 0, 0, 0, 0, 0, '', '', 0, 0, 0, 0, 0, 0, 0, 'gpack/travian_default/', 1, 0, 0, 0, 0),
|
||||
|
||||
+63
-10
@@ -39,11 +39,41 @@ class adm_DB {
|
||||
global $database;
|
||||
list($username,$password) = $database->escape_input($username,$password);
|
||||
|
||||
$q = "SELECT password FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$q = "SELECT id, password, is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
|
||||
// if we didn't update the database for bcrypt hashes yet...
|
||||
if (mysqli_error($database->dblink) != '') {
|
||||
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
|
||||
$q = "SELECT id, password, 0 as is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
$bcrypt_update_done = false;
|
||||
} else {
|
||||
$bcrypt_update_done = true;
|
||||
}
|
||||
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if($dbarray['password'] == md5($password)) {
|
||||
|
||||
// even if we didn't do a DB conversion for bcrypt passwords,
|
||||
// we still need to check if this password wasn't encrypted via password_hash,
|
||||
// since all methods were updated to use that instead of md5 and therefore
|
||||
// new passwords in DB will be bcrypt already even without the is_bcrypt field present
|
||||
$bcrypted = true;
|
||||
$pwOk = password_verify($password, $dbarray['password']);
|
||||
|
||||
if (!$pwOk && !$dbarray['is_bcrypt']) {
|
||||
$pwOk = ($dbarray['password'] == md5($password));
|
||||
$bcrypted = false;
|
||||
}
|
||||
|
||||
if($pwOk) {
|
||||
// update password to bcrypt, if correct
|
||||
if (!$dbarray['is_bcrypt'] && !$bcrypted) {
|
||||
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')." where id = ".(int) $dbarray['id']);
|
||||
}
|
||||
|
||||
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: <b>".$_SERVER['REMOTE_ADDR']."</b>)',".time().")");
|
||||
|
||||
return true;
|
||||
}
|
||||
else {
|
||||
@@ -227,14 +257,37 @@ class adm_DB {
|
||||
}
|
||||
|
||||
function CheckPass($password,$uid){
|
||||
$q = "SELECT password FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
if($dbarray['password'] == md5($password)) {
|
||||
return true;
|
||||
}else{
|
||||
return false;
|
||||
}
|
||||
$q = "SELECT id,password, is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->connection, $q);
|
||||
|
||||
// if we didn't update the database for bcrypt hashes yet...
|
||||
if (mysqli_error($this->dblink) != '') {
|
||||
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
|
||||
$q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
|
||||
$result = mysqli_query($this->dblink,$q);
|
||||
$bcrypt_update_done = false;
|
||||
} else {
|
||||
$bcrypt_update_done = true;
|
||||
}
|
||||
|
||||
$dbarray = mysqli_fetch_array($result);
|
||||
|
||||
// check if this is still md5 password hash
|
||||
if (!$dbarray['is_bcrypt']) {
|
||||
$pwOk = ($dbarray['password'] == md5($password));
|
||||
} else {
|
||||
$pwOk = password_verify($password, $dbarray['password']);
|
||||
}
|
||||
|
||||
if($pwOk) {
|
||||
// update password to bcrypt, if correct
|
||||
if ($bcrypt_update_done && !$dbarray['is_bcrypt']) {
|
||||
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."', is_bcrypt = 1 where id = ".(int) $dbarray['id']);
|
||||
}
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function DelVillage($wref, $mode=0){
|
||||
|
||||
Reference in New Issue
Block a user