-rw-r--r--inc/auth/mysql.php33
1 files changed, 23 insertions, 10 deletions
diff --git a/inc/auth/mysql.php b/inc/auth/mysql.php
index 758fe3b77..c60e9b018 100644
--- a/inc/auth/mysql.php
+++ b/inc/auth/mysql.php
@@ -55,10 +55,12 @@ function auth_mysql_runsql($sql_string) {
/**
* Check user+password [required auth function]
*
- * Checks if the given user exists and the given
- * plaintext password is correct. Furtheron it
- * might be checked wether the user is member of
- * the right group
+ * Checks if the given user exists and the given plaintext password
+ * is correct. Furtheron it might be checked wether the user is
+ * member of the right group
+ *
+ * Depending on which SQL string is defined in the config, password
+ * checking is done here (getpass) or by the database (passcheck)
*
* @author Andreas Gohr <andi@splitbrain.org>
* @author Matthias Grimm <matthiasgrimm@users.sourceforge.net>
@@ -68,15 +70,26 @@ function auth_checkPass($user,$pass){
global $conf;
$cnf = $conf['auth']['mysql'];
- $sql = str_replace('%u',addslashes($user),$cnf['passcheck']);
- $sql = str_replace('%g',addslashes($conf['defaultgroup']),$sql);
- $result = auth_mysql_runsql($sql);
+ if($cnf['getpass']){
+ // we check the pass ourself against the crypted one
+ $sql = str_replace('%u',addslashes($user),$cnf['getpass']);
+ $sql = str_replace('%g',addslashes($conf['defaultgroup']),$sql);
+ $result = auth_mysql_runsql($sql);
- if(count($result)){
- return(auth_verifyPassword($pass,$result[0]['pass']));
+ if(count($result)){
+ return(auth_verifyPassword($pass,$result[0]['pass']));
+ }
}else{
- return(false);
+ // we leave pass checking to the database
+ $sql = str_replace('%u',addslashes($user),$cnf['passcheck']);
+ $sql = str_replace('%g',addslashes($conf['defaultgroup']),$sql);
+ $sql = str_replace('%p',addslashes($pass,$sql));
+
+ if(count($result) == 1){
+ return true;
+ }
}
+ return false;
}
/**
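Review bot: The new `else` (passcheck) branch never runs its query: `$result` is not assigned there, so `count($result)` reads an undefined variable and every login through `passcheck` ends at `return false`. The `%p` substitution also has a misplaced parenthesis (`addslashes($pass,$sql)`), which leaves `str_replace` with only two arguments; the lines should read `$sql = str_replace('%p',addslashes($pass),$sql);` followed by `$result = auth_mysql_runsql($sql);`. This branch also places the plaintext password in the SQL text, so it may end up in database query logs, which deserves a comment next to the `passcheck` option. `addslashes` does not take the connection character set into account, so escaping `%u`, `%g` and `%p` with the database driver's own escaping routine would likely be safer. The body of `auth_checkPass` starts above this hunk, so nothing is assumed about code outside it.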