Changeset 126 for tags/2.0.1/lib/Auth_SQL.inc.php

Timestamp:

May 24, 2006 6:07:38 AM (18 years ago)

Author:

scdev

Message:

Q - Releasing tags/2.0.1, use branches/2.0 for maintaining.

File:

• tags/2.0.1/lib/Auth_SQL.inc.php (modified) (6 diffs)

tags/2.0.1/lib/Auth_SQL.inc.php

@@ -251 +251 @@
             WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "'
         ");
-        $_SESSION['_auth_file'] = array('authenticated' => false);
+        $_SESSION[$this->_sess] = array('authenticated' => false);
     }
 
@@ -300 +300 @@
         $this->initDB();
 
-        // Query DB for user matching credentials.
-        // FIXME: Cannot compare crypt style passwords this way.
-        $qid = DB::query("
-            SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
-            FROM " . $this->_params['db_table'] . "
-            WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
-            AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
-        ");
+        switch ($this->_params['encryption_type']) {
+        case AUTH_ENCRYPT_CRYPT :
+            // Query DB for user matching credentials. Compare cyphertext with salted-encrypted password.
+            $qid = DB::query("
+                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
+                FROM " . $this->_params['db_table'] . "
+                WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
+                AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2)))
+            ");
+            break;
+        case AUTH_ENCRYPT_PLAINTEXT :
+        case AUTH_ENCRYPT_MD5 :
+        case AUTH_ENCRYPT_SHA1 :
+        default :
+            // Query DB for user matching credentials. Directly compare cyphertext with result from encryptPassword().
+            $qid = DB::query("
+                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
+                FROM " . $this->_params['db_table'] . "
+                WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
+                AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
+            ");
+            break;
+        }
 
         // Return user data if found.
@@ -528 +543 @@
                 $expire_reasons[] = 'idle_timeout expired';
             }
-            if ($_SESSION['_auth_file']['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {
+            if ($_SESSION[$this->_sess]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {
                 $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr());
             }
@@ -682 +697 @@
      *
      */
-    function encryptPassword($password)
+    function encryptPassword($password, $salt=null)
     {
         switch ($this->_params['encryption_type']) {
@@ -690 +705 @@
 
         case AUTH_ENCRYPT_CRYPT :
-            return crypt($password);
+            // If comparing clear-text password with encrypted text, provide encrypted text as the salt.
+            return isset($salt) ? crypt($password, substr($salt, 0, 2)) : crypt($password);
             break;
 
@@ -720 +736 @@
             WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
         ");
+        
+        if (mysql_affected_rows(DB::getDBH()) != 1) {
+            App::logMsg(sprintf('setPassword failed to update password for user %s', $user_id), LOG_NOTICE, __FILE__, __LINE__);
+        }
     }