author | andi <andi@splitbrain.org> | 2005-06-12 13:10:44 +0200 |
---|---|---|
committer | andi <andi@splitbrain.org> | 2005-06-12 13:10:44 +0200 |
commit | b7ed4d8eac13b41cf26b4ba1f9878de5e8f6dfd6 (patch) | |
tree | 808bce990d2309c8c0adc095aaac5745cbc2e71b | |
parent | 869379f57546991e7c0d23b35ddca73b7baca07d (diff) | |
mysql auth: added support for old passchecking method #359
This patch changes the mysql auth mechanism to support the old
method of password checking (leaving it to the DB) as well as
the new one. Which one is used is decided on which option is
defined:
$conf['auth']['mysql']['passcheck'] now behaves as in older
releases. You can use %u, %g and %p, where %p contains the
cleartext password entered by the user. Access is granted
if the SQL statement returns one result row.
if $conf['auth']['mysql']['getpass'] is defined it is used
to fetch the crypted password from the database which is then
checked with auth_verifyPassword() - This is the preferred
method.
Users of the devel need to change their config by renaming
passcheck to getpass
darcs-hash:20050612111044-9977f-545feafc098082a067fdbbbc7d7d3a61c5903590.gz
-rw-r--r-- | inc/auth/mysql.php | 33 |
1 files changed, 23 insertions, 10 deletions
diff --git a/inc/auth/mysql.php b/inc/auth/mysql.php
index 758fe3b77..c60e9b018 100644
--- a/inc/auth/mysql.php
+++ b/inc/auth/mysql.php
@@ -55,10 +55,12 @@ function auth_mysql_runsql($sql_string) {
 /**
 * Check user+password [required auth function]
 *
- * Checks if the given user exists and the given
- * plaintext password is correct. Furtheron it
- * might be checked wether the user is member of
- * the right group
+ * Checks if the given user exists and the given plaintext password
+ * is correct. Furtheron it might be checked wether the user is
+ * member of the right group
+ *
+ * Depending on which SQL string is defined in the config, password
+ * checking is done here (getpass) or by the database (passcheck)
 *
 * @author Andreas Gohr <andi@splitbrain.org>
 * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net>
@@ -68,15 +70,26 @@ function auth_checkPass($user,$pass){
 global $conf;
 $cnf = $conf['auth']['mysql'];
- $sql = str_replace('%u',addslashes($user),$cnf['passcheck']);
- $sql = str_replace('%g',addslashes($conf['defaultgroup']),$sql);
- $result = auth_mysql_runsql($sql);
+ if($cnf['getpass']){
+ // we check the pass ourself against the crypted one
+ $sql = str_replace('%u',addslashes($user),$cnf['getpass']);
+ $sql = str_replace('%g',addslashes($conf['defaultgroup']),$sql);
+ $result = auth_mysql_runsql($sql);
- if(count($result)){
- return(auth_verifyPassword($pass,$result[0]['pass']));
+ if(count($result)){
+ return(auth_verifyPassword($pass,$result[0]['pass']));
+ }
 }else{
- return(false);
+ // we leave pass checking to the database
+ $sql = str_replace('%u',addslashes($user),$cnf['passcheck']);
+ $sql = str_replace('%g',addslashes($conf['defaultgroup']),$sql);
+ $sql = str_replace('%p',addslashes($pass,$sql));
+
+ if(count($result) == 1){
+ return true;
+ }
 }
+ return false;
 }
 /** |
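Review bot: The new passcheck branch (the `else` arm in the second hunk) can never grant access as written: in `str_replace('%p',addslashes($pass,$sql))` the closing parenthesis is misplaced, so `$sql` is handed to addslashes() instead of being the subject of the replacement, and the branch never calls auth_mysql_runsql(), leaving `$result` undefined when it is counted. It fails closed, but the mode the commit message describes does not work; the lines should read `$sql = str_replace('%p',addslashes($pass),$sql);` followed by `$result = auth_mysql_runsql($sql);`. Separately, both branches rely on addslashes() for SQL escaping, which is not character-set aware, so the driver's connection-aware escaping routine would be the safer choice for `%u`, `%g` and `%p`. In passcheck mode the cleartext password becomes part of the query text and may end up in database query logs, which deserves a comment next to the `%p` substitution, e.g. `// %p puts the cleartext password into the statement; prefer getpass`. The signature of auth_checkPass lies outside the hunk and is visible only in the hunk header.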