Changeset 126 for tags/2.0.1/lib/Auth_SQL.inc.php
- Timestamp:
- May 24, 2006 6:07:38 AM (18 years ago)
- File:
-
- 1 edited
tags/2.0.1/lib/Auth_SQL.inc.php
r111 r126 251 251 WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "' 252 252 "); 253 $_SESSION[ '_auth_file'] = array('authenticated' => false);253 $_SESSION[$this->_sess] = array('authenticated' => false); 254 254 } 255 255 … … 300 300 $this->initDB(); 301 301 302 // Query DB for user matching credentials. 303 // FIXME: Cannot compare crypt style passwords this way. 304 $qid = DB::query(" 305 SELECT *, " . $this->_params['db_primary_key'] . " AS user_id 306 FROM " . $this->_params['db_table'] . " 307 WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "' 308 AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "' 309 "); 302 switch ($this->_params['encryption_type']) { 303 case AUTH_ENCRYPT_CRYPT : 304 // Query DB for user matching credentials. Compare cyphertext with salted-encrypted password. 305 $qid = DB::query(" 306 SELECT *, " . $this->_params['db_primary_key'] . " AS user_id 307 FROM " . $this->_params['db_table'] . " 308 WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "' 309 AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2))) 310 "); 311 break; 312 case AUTH_ENCRYPT_PLAINTEXT : 313 case AUTH_ENCRYPT_MD5 : 314 case AUTH_ENCRYPT_SHA1 : 315 default : 316 // Query DB for user matching credentials. Directly compare cyphertext with result from encryptPassword(). 317 $qid = DB::query(" 318 SELECT *, " . $this->_params['db_primary_key'] . " AS user_id 319 FROM " . $this->_params['db_table'] . " 320 WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "' 321 AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "' 322 "); 323 break; 324 } 310 325 311 326 // Return user data if found. 
… … 528 543 $expire_reasons[] = 'idle_timeout expired'; 529 544 } 530 if ($_SESSION[ '_auth_file']['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {545 if ($_SESSION[$this->_sess]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) { 531 546 $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr()); 532 547 } … … 682 697 * 683 698 */ 684 function encryptPassword($password )699 function encryptPassword($password, $salt=null) 685 700 { 686 701 switch ($this->_params['encryption_type']) { … … 690 705 691 706 case AUTH_ENCRYPT_CRYPT : 692 return crypt($password); 707 // If comparing clear-text password with encrypted text, provide encrypted text as the salt. 708 return isset($salt) ? crypt($password, substr($salt, 0, 2)) : crypt($password); 693 709 break; 694 710 … … 720 736 WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "' 721 737 "); 738 739 if (mysql_affected_rows(DB::getDBH()) != 1) { 740 App::logMsg(sprintf('setPassword failed to update password for user %s', $user_id), LOG_NOTICE, __FILE__, __LINE__); 741 } 722 742 } 723 743
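Review bot: The new AUTH_ENCRYPT_CRYPT branch in the login query has unbalanced parentheses: `AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2)))` closes three groups but only opens two, so the statement is a SQL syntax error and crypt-style logins will fail outright rather than being compared; the line should read `AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2))`. Since this branch hands the clear-text password to the server inside the SQL text, a comment noting that the value can surface in query logs and that it is only as strong as the two-character-salt crypt the column was written with would help the next maintainer, e.g. `// Clear-text password travels in the query; relies on DB::escapeString and the DB's own crypt().`. In the setPassword hunk, `mysql_affected_rows(DB::getDBH()) != 1` presumably also triggers when the new hash equals the stored one (MySQL reports zero affected rows for a no-op update), so the NOTICE may be misleading; confirm before treating it as a failure signal. The method enclosing the switch (around `$this->initDB()`) starts outside the hunk, and the line numbers above are the forge's gutter, not file offsets in this view.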