Security concern: change passwords to hashes


Post by wolf on 08-06-2008 14:27

I had some problems when I changed my password to one that was a bit more secure. It seems that "special characters" (that is, other than a-z, 0-9) may cause problems. It would be a good idea to fix that.

But worse, the passwords are stored in clear text in the database. I think this is a security concern that should be addressed.

An obvious solution would be to use MD5 hashes of the passwords. I'd imagine this will require minimal effort: as soon as the password is entered, compute the MD5 hash using PHP's md5 function, and you're all set. All current clear-text passwords can be passed through the MD5 hash function during the upgrade operation.

- wolf -
wolf
AmpJuke user
Posts: 35
Joined: 14-08-2007 22:06
Location: Aalborg, Denmark

Post by Michael on 11-06-2008 00:50

Hi wolf,

wolf wrote: But worse, the passwords are stored in clear text in the database. I think this is a security concern that should be addressed.

You're absolutely right. It will be changed in the next release (0.7.4).

Thanks for another great suggestion !

//Michael.
Michael
Site Admin
Posts: 449
Joined: 03-07-2007 13:46
Location: Denmark

Post by Michael on 14-06-2008 09:46

wolf wrote: I had some problems when I changed my password to one that was a bit more secure. It seems that "special characters" (that is, other than a-z, 0-9) may cause problems. It would be a good idea to fix that.

Sorry, forgot to address this last time.
The reason for the sanitizing stuff is it makes it (more) difficult for a b*stard to enter "; DROP TABLE..." ..or similar in the username/password.

If you would like to accept more characters in username/password, simply get rid of these lines in "loginvalidate.php" (around line 40 in version 0.7.3):
Code:
$user=ereg_replace('[^a-zA-Z0-9]', "", $_POST['login']);
$pw=ereg_replace('[^a-zA-Z0-9]', "", $_POST['password']);

...or - even better - if you or somebody else out there could point me in the right direction in terms of constructing the ereg_replace statements so they accept more letters/characters, I would be grateful.
Perhaps ereg_replace is the wrong tool after all..? I'm a bit stuck here...


In relation to the issue about storing passwords in clear text:
I made a working solution yesterday.
Changing passwords to hashes is handled gracefully (automatically) after upgrade.
The code is a bit too comprehensive to post here (numerous files had to be changed), but I'll include it in the next release (0.7.4).

Thanks again for your suggestions.

//Michael.
Michael
Site Admin
Posts: 449
Joined: 03-07-2007 13:46
Location: Denmark

Post by wolf on 18-06-2008 12:07

Michael wrote: ...or - even better - if you or somebody else out there could point me in the right direction in terms of constructing the ereg_replace statements so they accept more letters/characters, I would be grateful.
Perhaps ereg_replace is the wrong tool after all..? I'm a bit stuck here...

To avoid SQL injections, you just need to escape the query string. See the PHP mysql_real_escape_string function for details.
wolf
AmpJuke user
Posts: 35
Joined: 14-08-2007 22:06
Location: Aalborg, Denmark
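
The two changes discussed in this thread (hashing stored passwords during the upgrade, and accepting special characters without opening the login query to SQL injection), as an added example that is not AmpJuke's code or part of any post above. It swaps in password_hash()/password_verify() for the md5() idea and PDO prepared statements for mysql_real_escape_string(), because unsalted MD5 is fast to brute-force and the mysql_* and ereg_* functions were removed in PHP 7. The table and column names and the sample account are assumptions.

```php
<?php
// Added example: table/column names ("users", "name", "password") are assumptions.
$db = new PDO('sqlite::memory:');   // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample row: a legacy account whose password is still clear text.
$legacy = "p@ss'word; \"1\"";
$db->prepare('INSERT INTO users (name, password) VALUES (?, ?)')
   ->execute(['wolf', $legacy]);

// Upgrade step: hash every stored value that is not already a password_hash() string.
function upgrade_passwords(PDO $db): int
{
    $update = $db->prepare('UPDATE users SET password = ? WHERE name = ?');
    $count = 0;
    $rows = $db->query('SELECT name, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
        if (password_get_info($row['password'])['algoName'] !== 'unknown') {
            continue; // already hashed, so the upgrade can be re-run safely
        }
        $update->execute([password_hash($row['password'], PASSWORD_DEFAULT), $row['name']]);
        $count++;
    }
    return $count;
}

// Login check: input is bound as a parameter, never concatenated into the SQL text,
// so no characters need to be stripped from the username or password.
function check_login(PDO $db, string $user, string $pw): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    return is_string($hash) && password_verify($pw, $hash);
}

printf("rows upgraded: %d\n", upgrade_passwords($db));
var_dump(check_login($db, 'wolf', $legacy));    // correct password with special characters
var_dump(check_login($db, 'wolf', 'wrong'));    // wrong password
var_dump(check_login($db, "wolf'\"", $legacy)); // quotes in the user name are plain data
```

On a real MySQL schema the password column has to be wide enough for the hash; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.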
