Changeset 18889 for trunk/profile.php

Timestamp:

Nov 2, 2012, 2:59:07 PM (12 years ago)

Author:

plg

Message:

feature 2727: improve password security with the use of PasswordHash class.
This class performs salt and multiple iterations. Already used in Wordpress,
Drupal, phpBB and many other web applications.

$confpass_convert is replaced by $confpassword_hash + $confpassword_verify

File:

• trunk/profile.php (modified) (2 diffs)

trunk/profile.php

@@ -178 +178 @@
       list($current_password) = pwg_db_fetch_row(pwg_query($query));
 
-      if ($conf['pass_convert']($_POST['password']) != $current_password)
+      if (!$conf['password_verify']($_POST['password'], $current_password))
       {
         $errors[] = l10n('Current password is wrong');
@@ -203 +203 @@
       {
         array_push($fields, $conf['user_fields']['password']);
-        // password is encrpyted with function $conf['pass_convert']
-        $data{$conf['user_fields']['password']} = $conf['pass_convert']($_POST['use_new_pwd']);
+        // password is hashed with function $conf['password_hash']
+        $data{$conf['user_fields']['password']} = $conf['password_hash']($_POST['use_new_pwd']);
       }