feature 2727: improve password security with the use of PasswordHash class.

This class performs salt and multiple iterations. Already used in Wordpress, Drupal, phpBB and many other web applications. $conf['pass_convert'] is replaced by $conf['password_hash'] + $conf['password_verify'] git-svn-id: http://piwigo.org/svn/trunk@18889 68402e56-0260-453c-a942-63ccdbb3a9ee
2012-11-02 13:59:07 +00:00 · 2012-11-02 13:59:07 +00:00 · a73846717f
commit a73846717f
parent 805ce4bb02
8 changed files with 378 additions and 16 deletions
--- a/admin/include/functions_upgrade.php
+++ b/admin/include/functions_upgrade.php
@ -247,12 +247,7 @@ WHERE '.$conf['user_fields']['username'].'=\''.$username.'\'
  }
  $row = pwg_db_fetch_assoc(pwg_query($query));

-  if (!isset($conf['pass_convert']))
-  {
-    $conf['pass_convert'] = create_function('$s', 'return md5($s);');
-  }
-
-  if ($row['password'] != $conf['pass_convert']($password))
+  if (!$conf['password_verify']($password, $row['password']))
  {
    array_push($page['errors'], l10n('Invalid password!'));
  }