/_taios.php |
---|
359,6 → 359,7 |
$user->salt = $row['Salt']; |
$user->emailAddress = $row['EmailAddress']; |
$user->name = $row['Name']; |
$user->csrftoken = $row['CSRFToken']; |
$user->challengeID = $row['ChallengeID']; |
return $user; |
472,9 → 473,36 |
} |
function saltAndBurn($pass, $salt) { |
return sha1($salt + $pass); |
return sha1($salt . $pass); |
} |
function rndString($len = 8) { |
$chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZlolphp'; |
$clen = strlen($characters); |
$res = ''; |
for ($i = $len - 1; $i >= 0; $i--) { |
$res .= $chars[rand(0, clen - 1)]; |
} |
return $res; |
} |
function getCRSFToken($id) { |
$token = $this->rndString(); |
$this->query("UPDATE USERS Set CSRFToken = ? WHERE ID = ?", array($token, $id)); |
return $token; |
} |
function checkCRSFToken($id, $token) { |
$user = $this->getUserByID($id); |
if ($token !== $user->csrftoken) { |
die("a death"); |
} |
$this->getCRSFToken($id); // change to something else so we can't re-use it |
} |
function getGetID() { |
$id = $_GET['id']; |
if (empty($id)) { |
501,8 → 529,10 |
public $accessID; |
public $username; |
public $password; |
public $salt; |
public $emailAddress; |
public $name; |
public $csrftoken; |
public $challengeID; |
} |
/install.sql |
---|
12,6 → 12,7 |
EmailAddress TEXT, |
Name TEXT, |
Salt TEXT, |
CSRFToken TEXT, |
ChallengeID INT, |
PRIMARY KEY(ID) |
); |
/admin/account-do.php |
---|
19,7 → 19,8 |
} |
if (!empty($password)) { |
$page->query("UPDATE Users SET Password = ? WHERE ID = ?", array(sha1($password), $userID)); |
$salt = $user->username . "sheeps"; |
$page->query("UPDATE Users SET Password = ?, Salt = ? WHERE ID = ?", array($page->saltAndBurn($password, $salt), $salt, $userID)); |
} |
if (!empty($email)) { |
/admin/all-accounts.php |
---|
17,7 → 17,7 |
write('<td class="bold">ID</td>'); |
write('<td class="bold">AccessID</td>'); |
write('<td class="bold">Username</td>'); |
write('<td class="bold">SHA1 Password</td>'); |
write('<td class="bold">Salt and Burned Password</td>'); |
write('<td class="bold">Name</td>'); |
write('<td class="bold">Email Address</td>'); |
write('<td class="bold">Challenge ID</td>'); |
/register-do.php |
---|
42,7 → 42,7 |
$page->redirect('register.php?error=Incorrect reCAPTCHA response'); |
} |
$salt = $username + "horses"; |
$salt = $username . "horses"; |
$args = array(2, $username, $page->saltAndBurn($password, $salt), $salt, $email, $name, 0); |
$page->query("INSERT INTO Users (AccessID, Username, Password, Salt, EmailAddress, Name, ChallengeID) VALUES (?, ?, ?, ?, ?, ?, ?)", $args); |