From 0acac8074ca7aee2d7f8b2320507a8b7db95fd20 Mon Sep 17 00:00:00 2001
From: Jose
Date: Thu, 18 Aug 2016 14:51:29 -0400
Subject: [PATCH] changing the creation of hashed passwords to a method call, so it's now centralized in one function to make it eaiser to update. Changed from using CI string helper to using php's built in uniqid function to generate a random salt.
---
 app/modules/users/models/user_model.php | 43 +++++++++++++++++--------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/app/modules/users/models/user_model.php b/app/modules/users/models/user_model.php
index 072473ba..86a33572 100644
--- a/app/modules/users/models/user_model.php
+++ b/app/modules/users/models/user_model.php
@@ -153,9 +153,9 @@ public function login ($username, $password, $remember = FALSE) {
 $user_db = $query->row_array();
 $user = $this->get_user($user_db['user_id']);
- $hashed_password = ($user['salt'] == '') ? md5($password) : md5($password . ':' . $user['salt']);
+ $hashPassSalt = ($user['salt'] == '') ? $this->generatePassSalt($password,'') : $this->generatePassSalt($password,$user['salt']));
- if ($hashed_password == $user_db['user_password']) {
+ if ($hashPassSalt->pass == $user_db['user_password']) {
 $authenticated = TRUE;
 }
 }
@@ -940,10 +940,7 @@ function new_user($email, $password, $username, $first_name, $last_name, $groups
 }
 // generate hashed password
- $CI =& get_instance();
- $CI->load->helper('string');
- $salt = random_string('unique');
- $hashed_password = md5($password . ':' . $salt);
+ $hashPassSalt = $this->generatePassSalt($password);
 $insert_fields = array(
 'user_is_admin' => ($is_admin == TRUE) ? '1' : '0',
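Review bot: `$hashPassSalt->pass` on the new `if` line reads a property from the array that generatePassSalt() returns (`return array('pass'=>…,'salt'=>…)`), which yields null with a notice, so no stored hash can ever compare equal; the same `->pass`/`->salt` access appears in the new_user, update_password and reset_password hunks. Either index the array, `if ($hashPassSalt['pass'] == $user_db['user_password']) {`, or have the helper return `(object) array(...)` and keep the property syntax everywhere. The assignment just above it also carries an unbalanced closing parenthesis after `$user['salt'])`, which is a parse error. Since both operands are hex digests, prefer `hash_equals($user_db['user_password'], $hashPassSalt['pass'])` over `==`, which compares numeric-looking strings such as `0e…` as numbers. login's body starts and ends outside the hunk.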
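Review bot: Dropping `$CI =& get_instance();` at the top of new_user leaves `$CI` undefined for any use between this point and the billing branch, where the commit re-declares it; only the billing block is visible in this diff, so the rest of new_user should be checked for other `$CI->` references before relying on the later declaration. new_user's body begins and ends outside the hunk.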
@@ -952,8 +949,8 @@ function new_user($email, $password, $username, $first_name, $last_name, $groups
 'user_last_name' => $last_name,
 'user_username' => $username,
 'user_email' => $email,
- 'user_password' => $hashed_password,
- 'user_salt' => $salt,
+ 'user_password' => $hashPassSalt->pass,
+ 'user_salt' => $hashPassSalt->salt,
 'user_referrer' => ($affiliate != FALSE) ? $affiliate : '0',
 'user_signup_date' => date('Y-m-d H:i:s'),
 'user_last_login' => '0000-00-00 00:00:00',
@@ -974,6 +971,7 @@ function new_user($email, $password, $username, $first_name, $last_name, $groups
 // create customer record
 if (module_installed('billing')) {
+ $CI =& get_instance();
 $CI->load->model('billing/customer_model');
 $customer = array();
@@ -1196,12 +1194,9 @@ function delete_user ($user_id) {
 * @return boolean
 */
 function update_password ($user_id, $new_password) {
- $CI =& get_instance();
- $CI->load->helper('string');
- $salt = random_string('unique');
- $hashed_password = md5($new_password . ':' . $salt);
+ $hashPassSalt = $this->generatePassSalt($new_password);
- $this->db->update('users',array('user_password' => $hashed_password, 'user_salt' => $salt),array('user_id' => $user_id));
+ $this->db->update('users',array('user_password' => $hashPassSalt->pass, 'user_salt' => $hashPassSalt->salt),array('user_id' => $user_id));
 // prep hook
 $CI =& get_instance();
@@ -1231,7 +1226,8 @@ function reset_password ($user_id) {
 $this->load->helper('string');
 $password = random_string('alnum',9);
- $this->db->update('users',array('user_password' => md5($password), 'user_salt' => ''),array('user_id' => $user['id']));
+ $hashPassSalt = $this->generatePassSalt($password,'');
+ $this->db->update('users',array('user_password' => $hashPassSalt->pass, 'user_salt' => ''),array('user_id' => $user['id']));
 // hook call
 $CI =& get_instance();
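Review bot: The new `generatePassSalt($password,'')` call in reset_password deliberately selects the unsalted branch and then writes `'user_salt' => ''`, so every reset password is stored as a bare md5 even though the helper can now mint a salt and the login path already handles a non-empty one. Use `$hashPassSalt = $this->generatePassSalt($password);` and `'user_salt' => $hashPassSalt['salt']` (or `->salt`, whichever shape the helper settles on) so reset accounts get the same protection as newly created ones. reset_password's body starts before the hunk and continues after it.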
@@ -1244,6 +1240,25 @@ function reset_password ($user_id) {
 return TRUE;
 }
+ /**
+ * Generate a hashed password and unique salt
+ *
+ * @param string $password the password enetered by the user
+ * @return array an array containing the password and salt for a user
+ */
+ function generatePassSalt($password,$salt=null){
+ // generate hashed password
+ if($salt == '' ) {
+ $hashed_password = md5($password);
+ } else {
+ if($salt == null){
+ $salt = uniqid();
+ }
+ $hashed_password = md5($password . ':' . $salt);
+ }
+ return array('pass'=>$hashed_password,'salt'=>$salt);
+ }
+
 /**
 * Suspend User
 *
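Review bot: `if($salt == '' )` is a loose comparison and `null == ''` is true in PHP, so the default `$salt=null` used by the new_user and update_password call sites takes the unsalted branch and the `uniqid()` line is unreachable; those callers end up storing `md5($password)` with a null salt. Both checks should use `===`, `if ($salt === '')` and `if ($salt === null)`. The salt source is also weak: `uniqid()` is derived from the clock rather than a CSPRNG, so `bin2hex(random_bytes(16))` (PHP 7+; `openssl_random_pseudo_bytes()` on older runtimes) is the appropriate replacement. Now that hashing lives in one place, this is also where `password_hash()`/`password_verify()` could supersede md5, keeping the `''`-salt branch only for rows that predate the change. The docblock should describe `$salt` (empty string = legacy unsalted hash, null = generate one) and make the `@return array` contract explicit, since the call sites in this commit read `->pass`.
```php
function generatePassSalt($password, $salt = null) {
    // '' keeps the legacy unsalted md5 for rows that have no stored salt
    if ($salt === '') {
        return array('pass' => md5($password), 'salt' => '');
    }
    if ($salt === null) {
        // CSPRNG salt; uniqid() is clock-derived and predictable
        $salt = bin2hex(random_bytes(16));
    }
    return array('pass' => md5($password . ':' . $salt), 'salt' => $salt);
}
```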