Closed neo22s closed 10 years ago
yep, just better to send an email with a link to change your password. I didn't develop the account part, I need to check how it works.
md5 is not secure, there are a lot of md5 databases. I always use something like sha1( md5( $user_nick ) . 'My own secret string' . md5( $password ) )
2012/11/28 Chema notifications@github.com
Do not store the password in plain text, at least use md5.
Also change the flow to restore the password.
Juan Manuel Doren Santiago, Chile
Normally I use sha1 + salt.
The problem is to generate that salt...maybe we can modify the installation and generate the salt in the config.php?
In Kohana we do it like here https://github.com/neo22s/openclassifieds2/blob/master/oc/classes/auth/oc.php
This is pro... like it should be, but soon we are in 2.0, a few months...
Probably you don't need the public function password($user); the more secure mode to check it is querying like this:
SELECT user_id FROM user WHERE mail='pepito@example.com' AND PASSWORD='encrypted password' AND status = 'ACTIVE'
If there are no rows then the user doesn't exist or is inactive or the password is invalid, but a hacker won't know which one.
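The install-time secret, the salted hash and the single-query login check discussed above, as an added example that is not OpenClassifieds code. It assumes the table and column names from the SQL in the thread (user, user_id, mail, password, status), uses PDO prepared statements instead of string-built SQL, and salts with the mail address rather than the nick, since a check keyed on mail cannot compute a nick-salted hash without a second query; the in-memory SQLite database exists only so the example runs stand-alone.

```php
<?php
// Added example (not OpenClassifieds code). Table/column names follow the
// SQL quoted in the thread; SQLite in-memory is used only to run stand-alone.

// Install-time step from the thread: generate the site-wide secret once and
// write it to config.php so it never lives in the code repository.
function generate_site_secret(string $config_path): string
{
    $secret = bin2hex(random_bytes(32));
    file_put_contents($config_path, "<?php\nreturn ['password_secret' => '$secret'];\n", LOCK_EX);
    return $secret;
}

// Hash scheme from the thread, sha1( md5(salt) . secret . md5(password) ),
// with the mail address as the per-user salt (assumption, see lead-in) and the
// config.php secret as the site-wide part.
function hash_password(string $mail, string $password, string $secret): string
{
    return sha1(md5($mail) . $secret . md5($password));
}

// Login check as one query: no row means unknown user, inactive account or
// wrong password, and the caller cannot tell which.
function check_login(PDO $db, string $mail, string $password, string $secret): ?int
{
    $stmt = $db->prepare(
        "SELECT user_id FROM user WHERE mail = :mail AND password = :hash AND status = 'ACTIVE'"
    );
    $stmt->execute([':mail' => $mail, ':hash' => hash_password($mail, $password, $secret)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Demo with constructed users: one active, one inactive.
$secret = generate_site_secret(sys_get_temp_dir() . '/config.php');
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE user (user_id INTEGER PRIMARY KEY, mail TEXT, password TEXT, status TEXT)");
$ins = $db->prepare("INSERT INTO user (mail, password, status) VALUES (?, ?, ?)");
$ins->execute(['pepito@example.com', hash_password('pepito@example.com', 'correct horse', $secret), 'ACTIVE']);
$ins->execute(['ana@example.com', hash_password('ana@example.com', 'hunter2', $secret), 'INACTIVE']);

// All three outcomes collapse to the same "no row" answer except the valid login.
if (check_login($db, 'pepito@example.com', 'correct horse', $secret) !== 1) throw new RuntimeException('valid login failed');
if (check_login($db, 'pepito@example.com', 'wrong', $secret) !== null) throw new RuntimeException('bad password accepted');
if (check_login($db, 'ana@example.com', 'hunter2', $secret) !== null) throw new RuntimeException('inactive user accepted');
if (check_login($db, 'nobody@example.com', 'x', $secret) !== null) throw new RuntimeException('unknown user accepted');
echo "all checks passed\n";
```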
the more secure mode to check it is querying like this:
SELECT user_id FROM user WHERE mail='pepito@goodsite.es' AND PASSWORD='encrypted password' AND status = 'ACTIVE'
Can't confirm it's "the more secure", but right, let's use the tools as they're designed for.
that's old Open Classifieds not the new version ;)
geee :-1: sooooorry :walking:
woke up a good old friend btw :beers: