return;
}
- $old_pw_hash1 = encrypt_password($old_pw);
- $old_pw_hash2 = encrypt_password($old_pw, $_SESSION["name"]);
- $new_pw_hash = encrypt_password($new_pw, $_SESSION["name"]);
+ $result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE
+ id = " . $_SESSION['uid']);
- $active_uid = $_SESSION["uid"];
+ $salt = db_fetch_result($result, 0, "salt");
- if ($old_pw && $new_pw) {
+ if (!$salt) {
+ $old_pw_hash1 = encrypt_password($old_pw);
+ $old_pw_hash2 = encrypt_password($old_pw, $_SESSION["name"]);
- $login = db_escape_string($_SERVER['PHP_AUTH_USER']);
+ $query = "SELECT id FROM ttrss_users WHERE
+ id = ".$_SESSION['uid']." AND (pwd_hash = '$old_pw_hash1' OR
+ pwd_hash = '$old_pw_hash2')";
- $result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
- id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR
- pwd_hash = '$old_pw_hash2')");
+ } else {
+ $old_pw_hash = encrypt_password($old_pw, $salt, true);
- if (db_num_rows($result) == 1) {
- db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'
- WHERE id = '$active_uid'");
+ $query = "SELECT id FROM ttrss_users WHERE
+ id = ".$_SESSION['uid']." AND pwd_hash = '$old_pw_hash'";
+ }
- $_SESSION["pwd_hash"] = $new_pw_hash;
+ $result = db_query($this->link, $query);
- print __("Password has been changed.");
- } else {
- print "ERROR: ".__('Old password is incorrect.');
- }
- }
+ if (db_num_rows($result) == 1) {
- return;
+ $new_salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+ $new_pw_hash = encrypt_password($new_pw, $new_salt, true);
+
+ db_query($this->link, "UPDATE ttrss_users SET
+ pwd_hash = '$new_pw_hash', salt = '$new_salt'
+ WHERE id = ".$_SESSION['uid']);
+
+ $_SESSION["pwd_hash"] = $new_pw_hash;
+ print __("Password has been changed.");
+ } else {
+ print "ERROR: ".__('Old password is incorrect.');
+ }
}
function saveconfig() {
$password = db_escape_string(trim($_REQUEST["password"]));
if ($password) {
- $pwd_hash = encrypt_password($password, $login);
- $pass_query_part = "pwd_hash = '$pwd_hash', ";
+ $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+ $pwd_hash = encrypt_password($password, $salt, true);
+ $pass_query_part = "pwd_hash = '$pwd_hash', salt = '$salt',";
} else {
$pass_query_part = "";
}
$login = db_escape_string(trim($_REQUEST["login"]));
$tmp_user_pwd = make_password(8);
- $pwd_hash = encrypt_password($tmp_user_pwd, $login);
+ $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+ $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
login = '$login'");
if (db_num_rows($result) == 0) {
db_query($this->link, "INSERT INTO ttrss_users
- (login,pwd_hash,access_level,last_login,created)
- VALUES ('$login', '$pwd_hash', 0, null, NOW())");
+ (login,pwd_hash,access_level,last_login,created, salt)
+ VALUES ('$login', '$pwd_hash', 0, null, NOW(), '$salt')");
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
$login = db_fetch_result($result, 0, "login");
$email = db_fetch_result($result, 0, "email");
+ $salt = db_fetch_result($result, 0, "salt");
+
+ $new_salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
$tmp_user_pwd = make_password(8);
- $pwd_hash = encrypt_password($tmp_user_pwd, $login);
- db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash'
+ $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
+
+ db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt'
WHERE id = '$uid'");
print T_sprintf("Changed password of user <b>%s</b>
// 1) templates/register_notice.txt - displayed above the registration form
// 2) register_expire_do.php - contains user expiration queries when necessary
- set_include_path(get_include_path() . PATH_SEPARATOR .
+ set_include_path(get_include_path() . PATH_SEPARATOR .
dirname(__FILE__) . "/include");
require_once 'lib/phpmailer/class.phpmailer.php';
$password = make_password();
- $pwd_hash = encrypt_password($password, $login);
+ $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+ $pwd_hash = encrypt_password($password, $salt, true);
db_query($link, "INSERT INTO ttrss_users
- (login,pwd_hash,access_level,last_login, email, created)
- VALUES ('$login', '$pwd_hash', 0, null, '$email', NOW())");
+ (login,pwd_hash,access_level,last_login, email, created, salt)
+ VALUES ('$login', '$pwd_hash', 0, null, '$email', NOW(), '$salt')");
$result = db_query($link, "SELECT id FROM ttrss_users WHERE
login = '$login' AND pwd_hash = '$pwd_hash'");