From a73846717f5c884e0eef0b5591ff7ad374375a0b Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 2 Nov 2012 13:59:07 +0000
Subject: feature 2727: improve password security with the use of PasswordHash class. This class performs salt and multiple iterations. Already used in Wordpress, Drupal, phpBB and many other web applications. $conf['pass_convert'] is replaced by $conf['password_hash'] + $conf['password_verify']
git-svn-id: http://piwigo.org/svn/trunk@18889 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 profile.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'profile.php')
diff --git a/profile.php b/profile.php
index 259b0e382..e60ef4f36 100644
--- a/profile.php
+++ b/profile.php
@@ -177,7 +177,7 @@ function save_profile_from_post($userdata, &$errors)
 ;';
 list($current_password) = pwg_db_fetch_row(pwg_query($query));
- if ($conf['pass_convert']($_POST['password']) != $current_password)
+ if (!$conf['password_verify']($_POST['password'], $current_password))
 {
 $errors[] = l10n('Current password is wrong');
 }
@@ -202,8 +202,8 @@ function save_profile_from_post($userdata, &$errors)
 if (!empty($_POST['use_new_pwd']))
 {
 array_push($fields, $conf['user_fields']['password']);
- // password is encrpyted with function $conf['pass_convert']
- $data{$conf['user_fields']['password']} = $conf['pass_convert']($_POST['use_new_pwd']);
+ // password is hashed with function $conf['password_hash']
+ $data{$conf['user_fields']['password']} = $conf['password_hash']($_POST['use_new_pwd']);
 }
 // username is updated only if allowed
--
cgit v1.2.3
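Review bot: The new `if (!$conf['password_verify']($_POST['password'], $current_password))` check only succeeds for hashes the configured verifier understands, so rows still holding a value produced by the old `$conf['pass_convert']` will fail the current-password check unless `password_verify` also accepts that legacy format, which this hunk cannot show. That expectation is worth stating above the call: `// $current_password is the stored hash; $conf['password_verify'] must accept both the new format and legacy pass_convert values until every user has been rehashed`. `$current_password` also comes from `list()` over `pwg_db_fetch_row`, so if the query returned no row the verifier is handed a null hash; a guard such as `if (empty($current_password) || !$conf['password_verify']($_POST['password'], $current_password))` makes that case fail closed explicitly instead of relying on the callable to reject it. save_profile_from_post begins before this hunk and continues after it.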
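Review bot: The re-added assignment keeps the curly-brace offset form `$data{$conf['user_fields']['password']}`; the conventional `$data[$conf['user_fields']['password']]` reads as an array write and does not depend on the curly syntax that later PHP versions deprecate. Nothing in this hunk validates `$_POST['use_new_pwd']` before it is hashed, and the `!empty()` guard has the side effect that a password of `"0"` is silently ignored while any other one-character value is accepted; if length or strength rules are enforced elsewhere in save_profile_from_post (which starts before and ends after this hunk) a comment such as `// new password is stored as a salted hash; strength checks, if any, happen before this point` would make that explicit, and if they are not, a minimum-length check before the `array_push` is the natural place to add one.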