From a73846717f5c884e0eef0b5591ff7ad374375a0b Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Fri, 2 Nov 2012 13:59:07 +0000
Subject: feature 2727: improve password security with the use of PasswordHash
 class. This class performs salt and multiple iterations. Already used in
 Wordpress, Drupal, phpBB and many other web applications.

$conf['pass_convert'] is replaced by $conf['password_hash'] + $conf['password_verify']


git-svn-id: http://piwigo.org/svn/trunk@18889 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 install/db/132-database.php        | 36 ++++++++++++++++++++++++++++++++++++
 install/piwigo_structure-mysql.sql |  2 +-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 install/db/132-database.php

(limited to 'install')

diff --git a/install/db/132-database.php b/install/db/132-database.php
new file mode 100644
index 000000000..744e8e3ba
--- /dev/null
+++ b/install/db/132-database.php
@@ -0,0 +1,36 @@
+<?php
+// +-----------------------------------------------------------------------+
+// | Piwigo - a PHP based photo gallery                                    |
+// +-----------------------------------------------------------------------+
+// | Copyright(C) 2008-2012 Piwigo Team                  http://piwigo.org |
+// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
+// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify  |
+// | it under the terms of the GNU General Public License as published by  |
+// | the Free Software Foundation                                          |
+// |                                                                       |
+// | This program is distributed in the hope that it will be useful, but   |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
+// | General Public License for more details.                              |
+// |                                                                       |
+// | You should have received a copy of the GNU General Public License     |
+// | along with this program; if not, write to the Free Software           |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA.                                                                  |
+// +-----------------------------------------------------------------------+
+
+defined('PHPWG_ROOT_PATH') or die('Hacking attempt!');
+
+$upgrade_description = 'Enlarge #users.password to increase security.';
+
+global $prefixeTable;
+
+// we don't use USERS_TABLE because it might be an external table, here we
+// want to change to users table specific to Piwigo
+$query = 'ALTER TABLE '.$prefixeTable.'users CHANGE password password varchar(255) default NULL';
+pwg_query($query);
+
+echo "\n".$upgrade_description."\n";
+?>
\ No newline at end of file
diff --git a/install/piwigo_structure-mysql.sql b/install/piwigo_structure-mysql.sql
index c75dbaae3..cde461bcd 100644
--- a/install/piwigo_structure-mysql.sql
+++ b/install/piwigo_structure-mysql.sql
@@ -441,7 +441,7 @@ DROP TABLE IF EXISTS `piwigo_users`;
 CREATE TABLE `piwigo_users` (
   `id` smallint(5) NOT NULL auto_increment,
   `username` varchar(100) binary NOT NULL default '',
-  `password` varchar(32) default NULL,
+  `password` varchar(255) default NULL,
   `mail_address` varchar(255) default NULL,
   PRIMARY KEY  (`id`),
   UNIQUE KEY `users_ui1` (`username`)
-- 
cgit v1.2.3