Bug in fud_update_user() [message #34992]
Thu, 30 November 2006 22:03
rcwjenks
Unlike the fud_add_user() function, the fud_update_user() function does not properly MD5 the password field. Not only does that prevent login, but the password is then in the database as clear text.
Just add the following near the beginning of the function (mostly copied from the fud_add_user() function):
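    if (!empty($vals['passwd'])) {
        // No 'md5' prefix: treat the value as plain text and hash it.
        if (strncmp($vals['passwd'], 'md5', 3)) {
            $vals['passwd'] = md5($vals['passwd']);
        } else {
            // Prefixed with 'md5': already hashed, so strip the prefix.
            $vals['passwd'] = substr($vals['passwd'], 3);
        }
    }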
FYI, kudos on the excellent API. I had it integrated into my own site's login system in about an hour.
-Robert
Re: Bug in fud_update_user() [message #35012 is a reply to message #34992]
Fri, 01 December 2006 15:34
Ilia
It's not a bug, the update user function expects the password to already be md5ed or not be present if you are not changing it.
FUDforum Core Developer
Re: Bug in fud_update_user() [message #35477 is a reply to message #35012]
Mon, 15 January 2007 20:05
maarten
I tripped over this too.
Just a user vote: The "pass it either way" construct of fud_add_user() makes sense to me, but more than that, consistent APIs will save time.
I'd suggest documenting the difference in the comment above fud_update_user() to minimize surprises.
cheers!
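Added example (not part of the thread and not FUDforum code): a caller-side helper that meets the contract described in the second post, hashing the password before an update call or leaving the field out when it is not being changed. The function names are hypothetical, and the helper accepts the 'md5' prefix only when 32 hex characters follow it, which is stricter than the snippet in the first post.

```php
<?php
// Added example, not FUDforum code. Function names are hypothetical.

/**
 * Prepare $vals['passwd'] for an update call that expects an MD5 hex digest.
 * Accepts plain text or the 'md5'-prefixed form from the posted snippet, but
 * treats a value as pre-hashed only when 'md5' is followed by exactly 32 hex
 * characters, so a plain password such as "md5rocks" is still hashed.
 */
function normalize_passwd(array $vals): array
{
    if (!isset($vals['passwd']) || $vals['passwd'] === '') {
        unset($vals['passwd']);   // not changing the password: leave the field out
        return $vals;
    }
    if (preg_match('/^md5([0-9a-f]{32})$/i', $vals['passwd'], $m)) {
        $vals['passwd'] = strtolower($m[1]);      // already hashed: strip the prefix
    } else {
        $vals['passwd'] = md5($vals['passwd']);   // plain text: hash it
    }
    return $vals;
}

/** True when a stored value has the shape of an MD5 hex digest. */
function looks_like_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Constructed sample inputs.
$cases = [
    ['passwd' => 's3cret'],
    ['passwd' => 'md5' . md5('s3cret')],
    ['passwd' => 'md5rocks'],
    ['email'  => 'user@example.com'],   // no password change
];
foreach ($cases as $vals) {
    $out = normalize_passwd($vals);
    $ok  = !isset($out['passwd']) || looks_like_md5($out['passwd']);
    printf("%-40s => %s\n", json_encode($vals), $ok ? 'ok' : 'NOT A DIGEST');
}

// Under the first post's prefix rule, "md5rocks" would be stored as substr(..., 3).
printf("prefix rule stores a digest: %s\n",
    looks_like_md5(substr('md5rocks', 3)) ? 'yes' : 'no');
```

The same `looks_like_md5()` check can be run over existing password values to find rows that were written in clear text by an update call that skipped the hashing step.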