From 9b81d48e7228bddcb41ffe6356a983927da2ebd8 Mon Sep 17 00:00:00 2001 From: Sebastian Grewe Date: Fri, 5 Jul 2013 22:56:22 +0200 Subject: [PATCH] Fix PHP Warning on user login While at it, I also extracted the hash function into it's own getHash method. This will allow easy changes to hashing for string in the future. Fixes #382 --- public/include/classes/user.class.php | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php index a1d508e8..69ebf8de 100644 --- a/public/include/classes/user.class.php +++ b/public/include/classes/user.class.php @@ -26,6 +26,9 @@ class User { public function getError() { return $this->sError; } + private function getHash($string) { + return hash('sha256', $string.$this->salt); + } public function getUserName($id) { return $this->getSingle($id, 'username', 'id'); } @@ -68,7 +71,7 @@ class User { return $this->updateSingle($id, $field); } public function setUserToken($id) { - $field = array('name' => 'token', 'type' => 's', 'value' => hash('sha256', $id.time().$this->salt)); + $field = array('name' => 'token', 'type' => 's', 'value' => setHash($id.time())); return $this->updateSingle($id, $field); } public function setUserFailed($id, $value) { @@ -135,7 +138,7 @@ class User { $this->debug->append("STA " . __METHOD__, 4); $this->debug->append("Confirming PIN for $userId and pin $pin", 2); $stmt = $this->mysqli->prepare("SELECT pin FROM $this->table WHERE id=? AND pin=? LIMIT 1"); - $pin_hash = hash('sha256', $pin.$this->salt); + $pin_hash = $this->getHash($pin); $stmt->bind_param('is', $userId, $pin_hash); $stmt->execute(); $stmt->bind_result($row_pin); @@ -254,8 +257,8 @@ class User { $this->setErrorMessage( 'New password is too short, please use more than 8 chars' ); return false; } - $current = hash('sha256', $current.$this->salt); - $new = hash('sha256', $new1.$this->salt); + $current = $this->getHash($current); + $new = $this->getHash($new1); $stmt = $this->mysqli->prepare("UPDATE $this->table SET pass = ? WHERE ( id = ? AND pass = ? )"); if ($this->checkStmt($stmt)) { $stmt->bind_param('sis', $new, $userID, $current); @@ -345,9 +348,10 @@ class User { private function checkUserPassword($username, $password) { $this->debug->append("STA " . __METHOD__, 4); $user = array(); + $password_hash = $this->getHash($password); $stmt = $this->mysqli->prepare("SELECT username, id, is_admin FROM $this->table WHERE username=? AND pass=? LIMIT 1"); if ($this->checkStmt($stmt)) { - $stmt->bind_param('ss', $username, hash('sha256', $password.$this->salt)); + $stmt->bind_param('ss', $username, $password_hash); $stmt->execute(); $stmt->bind_result($row_username, $row_id, $row_admin); $stmt->fetch(); @@ -468,9 +472,9 @@ class User { } // Create hashed strings using original string and salt - $password_hash = hash('sha256', $password1.$this->salt); - $pin_hash = hash('sha256', $pin.$this->salt); - $apikey_hash = hash('sha256', $username.$this->salt); + $password_hash = $this->getHash($password1); + $pin_hash = $this->getHash($pin); + $apikey_hash = $this->getHash($username); if ($this->checkStmt($stmt) && $stmt->bind_param('sssss', $username, $password_hash, $email1, $pin_hash, $apikey_hash)) { if (!$stmt->execute()) { @@ -502,9 +506,9 @@ class User { $this->setErrorMessage( 'New password is too short, please use more than 8 chars' ); return false; } - $new = hash('sha256', $new1.$this->salt); + $new_hash = $this->getHash($new1); $stmt = $this->mysqli->prepare("UPDATE $this->table SET pass = ?, token = NULL WHERE id = ? AND token = ?"); - if ($this->checkStmt($stmt) && $stmt->bind_param('sis', $new, $id, $token) && $stmt->execute() && $stmt->affected_rows === 1) { + if ($this->checkStmt($stmt) && $stmt->bind_param('sis', $new_hash, $id, $token) && $stmt->execute() && $stmt->affected_rows === 1) { return true; } } else {