diff options
author | Denis <d.v.kobozev@gmail.com> | 2010-04-05 09:41:30 -0400 |
---|---|---|
committer | Loui Chang <louipc.ist@gmail.com> | 2010-04-17 16:50:24 -0400 |
commit | 290c436046327d9f04b7d12b5fda19f4dc14f574 (patch) | |
tree | 93c9ca0485e5ffb7d87460fbb78218c5f03e830f /web/html | |
parent | 5b8b0757f4f938f86bed86ae56fa3511704e006f (diff) | |
download | aurweb-290c436046327d9f04b7d12b5fda19f4dc14f574.tar.xz |
Support for storing salted passwords
To upgrade existing databases:
ALTER TABLE Users ADD Salt CHAR(32) NOT NULL DEFAULT '';
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Diffstat (limited to 'web/html')
-rw-r--r-- | web/html/passreset.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/web/html/passreset.php b/web/html/passreset.php index 6fbd1ca..0f98593 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -31,10 +31,13 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir if (empty($error)) { $dbh = db_connect(); + $salt = generate_salt(); + $hash = salted_hash($password, $salt); # The query below won't affect any records unless the ResetKey # and Email combination is correct and ResetKey is nonempty $q = "UPDATE Users - SET Passwd = '".md5($password)."', + SET Passwd = '$hash', + Salt = '$salt', ResetKey = '' WHERE ResetKey != '' AND ResetKey = '".mysql_real_escape_string($resetkey)."' |