Changeset 124 for trunk/lib/Auth_SQL.inc.php
- Timestamp:
- May 24, 2006 5:35:19 AM (18 years ago)
- File:
-
- 1 edited
trunk/lib/Auth_SQL.inc.php
r121 r124 4 4 * 5 5 * @author Quinn Comendant <quinn@strangecode.com> 6 * @version 2. 06 * @version 2.1 7 7 */ 8 8 9 9 // Available encryption types for class Auth_SQL. 10 define('AUTH_ENCRYPT_MD5', 'md5');11 define('AUTH_ENCRYPT_CRYPT', 'crypt');12 define('AUTH_ENCRYPT_SHA1', 'sha1');13 define('AUTH_ENCRYPT_PLAINTEXT', 'plaintext');10 define('AUTH_ENCRYPT_MD5', 1); 11 define('AUTH_ENCRYPT_CRYPT', 2); 12 define('AUTH_ENCRYPT_SHA1', 3); 13 define('AUTH_ENCRYPT_PLAINTEXT', 4); 14 14 15 15 require_once dirname(__FILE__) . '/Email.inc.php'; … … 41 41 42 42 // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above. 43 'encryption_type' => AUTH_ENCRYPT_ MD5,43 'encryption_type' => AUTH_ENCRYPT_SHA1, 44 44 45 45 // The URL to the login script. … … 47 47 48 48 // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire. 49 // This applies to admins and users.In seconds. 21600 seconds = 6 hours.49 // In seconds. 21600 seconds = 6 hours. 50 50 'login_timeout' => 21600, 51 51 52 52 // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire. 53 // This applies to admins and users.In seconds. 3600 seconds = 1 hour.53 // In seconds. 3600 seconds = 1 hour. 54 54 'idle_timeout' => 3600, 55 55 … … 300 300 $this->initDB(); 301 301 302 // Query DB for user matching credentials. 303 // FIXME: Cannot compare crypt style passwords this way. 304 $qid = DB::query(" 305 SELECT *, " . $this->_params['db_primary_key'] . " AS user_id 306 FROM " . $this->_params['db_table'] . " 307 WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "' 308 AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "' 309 "); 302 switch ($this->_params['encryption_type']) { 303 case AUTH_ENCRYPT_CRYPT : 304 // Query DB for user matching credentials. 
Compare cyphertext with salted-encrypted password. 305 $qid = DB::query(" 306 SELECT *, " . $this->_params['db_primary_key'] . " AS user_id 307 FROM " . $this->_params['db_table'] . " 308 WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "' 309 AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2))) 310 "); 311 break; 312 case AUTH_ENCRYPT_PLAINTEXT : 313 case AUTH_ENCRYPT_MD5 : 314 case AUTH_ENCRYPT_SHA1 : 315 default : 316 // Query DB for user matching credentials. Directly compare cyphertext with result from encryptPassword(). 317 $qid = DB::query(" 318 SELECT *, " . $this->_params['db_primary_key'] . " AS user_id 319 FROM " . $this->_params['db_table'] . " 320 WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "' 321 AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "' 322 "); 323 break; 324 } 310 325 311 326 // Return user data if found. … … 665 680 function generatePassword($pattern='CvccvCdd') 666 681 { 667 mt_srand((double) microtime() * 10000000);668 682 $str = ''; 669 683 for ($i=0; $i<strlen($pattern); $i++) { … … 682 696 * 683 697 */ 684 function encryptPassword($password )698 function encryptPassword($password, $salt=null) 685 699 { 686 700 switch ($this->_params['encryption_type']) { … … 690 704 691 705 case AUTH_ENCRYPT_CRYPT : 692 return crypt($password); 706 // If comparing plaintext password with a hash, provide first two chars of the hash as the salt. 707 return isset($salt) ? crypt($password, substr($salt, 0, 2)) : crypt($password); 693 708 break; 694 709 695 710 case AUTH_ENCRYPT_SHA1 : 696 return sha1( $password);711 return sha1(App::getParam('signing_key') . sha1($password)); 697 712 break; 698 713 699 714 case AUTH_ENCRYPT_MD5 : 700 715 default : 701 return md5( $password);716 return md5(App::getParam('signing_key') . md5($password)); 702 717 break; 703 718 }
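Review bot: The CRYPT branch's query has an unbalanced parenthesis on the `AND BINARY userpass = ENCRYPT(...)` line — `LEFT(userpass, 2)))` closes three parentheses where only two are open — so the new crypt path fails with a SQL syntax error before any credential is checked; it should read `AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2))`. Separately, this branch embeds the plaintext password in the SQL text sent to the database server, where it can end up in query logs; since `encryptPassword()` gains a `$salt` argument in this same changeset, the lookup could select the row by username alone and compare `$this->encryptPassword($password, <stored userpass>)` against the stored value in PHP, keeping the secret out of the query. The new MD5/SHA1 forms `md5(App::getParam('signing_key') . md5($password))` / `sha1(... sha1($password))` still use one site-wide key with no per-user component, so two accounts with the same password store the same hash. The enclosing function starts before this hunk and the `$qid` result is consumed after it, so the replacement comparison would have to be placed in that unseen code.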