diff options
| author | plegall <plg@piwigo.org> | 2012-11-02 13:59:07 +0000 |
|---|---|---|
| committer | plegall <plg@piwigo.org> | 2012-11-02 13:59:07 +0000 |
| commit | a73846717f5c884e0eef0b5591ff7ad374375a0b (patch) | |
| tree | a8e52d992545558cbacacf50e704a332a80c9810 /profile.php | |
| parent | 805ce4bb02c9e3114c76841db75c23a59d17a3c4 (diff) | |
feature 2727: improve password security with the use of PasswordHash class.
This class performs salt and multiple iterations. Already used in Wordpress,
Drupal, phpBB and many other web applications.
$conf['pass_convert'] is replaced by $conf['password_hash'] + $conf['password_verify']
git-svn-id: http://piwigo.org/svn/trunk@18889 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'profile.php')
| -rw-r--r-- | profile.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/profile.php b/profile.php index 259b0e382..e60ef4f36 100644 --- a/profile.php +++ b/profile.php @@ -177,7 +177,7 @@ function save_profile_from_post($userdata, &$errors) ;'; list($current_password) = pwg_db_fetch_row(pwg_query($query)); - if ($conf['pass_convert']($_POST['password']) != $current_password) + if (!$conf['password_verify']($_POST['password'], $current_password)) { $errors[] = l10n('Current password is wrong'); } @@ -202,8 +202,8 @@ function save_profile_from_post($userdata, &$errors) if (!empty($_POST['use_new_pwd'])) { array_push($fields, $conf['user_fields']['password']); - // password is encrpyted with function $conf['pass_convert'] - $data{$conf['user_fields']['password']} = $conf['pass_convert']($_POST['use_new_pwd']); + // password is hashed with function $conf['password_hash'] + $data{$conf['user_fields']['password']} = $conf['password_hash']($_POST['use_new_pwd']); } // username is updated only if allowed |