feat: MD5 passwords exchanged for bcrypt ones

Martin Ambrus
2017-10-20 12:31:27 +02:00
parent 606d0a6ad2
commit f4021d1452
15 changed files with 219 additions and 78 deletions
+73 -20
@@ -43,19 +43,49 @@ class adm_DB {
}
function Login($username,$password){
global $database;
list($username,$password) = $database->escape_input($username,$password);
$q = "SELECT password FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
$result = mysqli_query($this->connection,$q);
$dbarray = mysqli_fetch_array($result);
if($dbarray['password'] == md5($password)) {
mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: <b>".$_SERVER['REMOTE_ADDR']."</b>)',".time().")");
return true;
}
else {
mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,'X','<font color=\'red\'><b>IP: ".$_SERVER['REMOTE_ADDR']." tried to log in with username <u> $username</u> but access was denied!</font></b>',".time().")");
return false;
}
global $database;
list($username,$password) = $database->escape_input($username,$password);
$q = "SELECT id, password, is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
$result = mysqli_query($this->connection, $q);
// if we didn't update the database for bcrypt hashes yet...
if (mysqli_error($database->dblink) != '') {
$q = "SELECT id, password, 0 as is_bcrypt FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
$result = mysqli_query($this->connection, $q);
$bcrypt_update_done = false;
} else {
$bcrypt_update_done = true;
}
$dbarray = mysqli_fetch_array($result);
// even if we didn't do a DB conversion for bcrypt passwords,
// we still need to check if this password wasn't encrypted via password_hash,
// since all methods were updated to use that instead of md5 and therefore
// new passwords in DB will be bcrypt already even without the is_bcrypt field present
$bcrypted = true;
$pwOk = password_verify($password, $dbarray['password']);
if (!$pwOk && !$dbarray['is_bcrypt']) {
$pwOk = ($dbarray['password'] == md5($password));
$bcrypted = false;
}
if($pwOk) {
// update password to bcrypt, if correct
if (!$dbarray['is_bcrypt'] && !$bcrypted) {
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."'".($bcrypt_update_done ? ', is_bcrypt = 1' : '')." where id = ".(int) $dbarray['id']);
}
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','$username logged in (IP: <b>".$_SERVER['REMOTE_ADDR']."</b>)',".time().")");
return true;
}
else {
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,'X','<font color=\'red\'><b>IP: ".$_SERVER['REMOTE_ADDR']." tried to log in with username <u> $username</u> but access was denied!</font></b>',".time().")");
return false;
}
}
function recountPopUser($uid){
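Review bot: Both admin_log inserts on the new side of Login (the "logged in" insert after the password check and the "access was denied" insert in the else branch) call `mysqli_query("Insert into ...")` without the connection argument that the removed lines passed, so the audit record for admin logins and failed attempts is no longer written (on PHP 8 the missing argument raises ArgumentCountError before `return true`); restore `mysqli_query($this->connection, "Insert into ".TB_PREFIX."admin_log values (...)")` on both lines. The fallback detection checks `mysqli_error($database->dblink)` although the query ran on `$this->connection`; if those are different links the missing-column error is never observed and the `0 as is_bcrypt` fallback never runs, and the CheckPass hunk below uses `$this->dblink` for the same check, so one of the two is presumably wrong. The legacy path still compares with `==`; `$pwOk = hash_equals($dbarray['password'], md5($password));` keeps the comparison strict and constant-time while the migration is in progress. When no row matches, `$dbarray` is not an array and both `password_verify` and the `is_bcrypt` lookup run on a missing row; a guard such as `if (!$dbarray) { return false; }` before the verify would make the deny explicit.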
@@ -233,13 +263,36 @@ class adm_DB {
}
function CheckPass($password,$uid){
$q = "SELECT password FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
$result = mysqli_query($this->connection, $q);
$dbarray = mysqli_fetch_array($result);
if($dbarray['password'] == md5($password)) {
return true;
}else{
return false;
$q = "SELECT id,password, is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
$result = mysqli_query($this->connection, $q);
// if we didn't update the database for bcrypt hashes yet...
if (mysqli_error($this->dblink) != '') {
// no need to select ID here, since the DB is not updated, so there will be no password conversion later
$q = "SELECT password, 0 as is_bcrypt FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
$result = mysqli_query($this->dblink,$q);
$bcrypt_update_done = false;
} else {
$bcrypt_update_done = true;
}
$dbarray = mysqli_fetch_array($result);
// check if this is still md5 password hash
if (!$dbarray['is_bcrypt']) {
$pwOk = ($dbarray['password'] == md5($password));
} else {
$pwOk = password_verify($password, $dbarray['password']);
}
if($pwOk) {
// update password to bcrypt, if correct
if ($bcrypt_update_done && !$dbarray['is_bcrypt']) {
mysqli_query($this->connection, "UPDATE " . TB_PREFIX . "users SET password = '".password_hash($password, PASSWORD_BCRYPT,['cost' => 12])."', is_bcrypt = 1 where id = ".(int) $dbarray['id']);
}
return true;
} else {
return false;
}
}