diff --git a/src/admin/member_do.php b/src/admin/member_do.php
index 7b4f1f8d..f42b6b2f 100644
--- a/src/admin/member_do.php
+++ b/src/admin/member_do.php
@@ -146,6 +146,9 @@ else if ($dopost == 'edituser') {
     CheckPurview('member_Edit');
     if (!isset($_POST['id'])) exit('dedebiz');
     $pwdsql = empty($pwd) ? '' : ",pwd='".md5($pwd)."'";
+    if (function_exists('password_hash')) {
+        $pwdsql = empty($pwd) ? '' : ",pwd_new='".password_hash($pwd, PASSWORD_BCRYPT)."'";
+    }
     if (empty($sex)) $sex = '男';
     $uptime = GetMkTime($uptime);
     if ($matt == 10 && $oldmatt != 10) {
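Review bot: The edituser branch writes the bcrypt hash to `pwd_new` but leaves the legacy `pwd` column untouched, so an account that still carries an md5 value keeps both; with the member login change in this same commit a non-empty `pwd` is still compared against the submitted password after `pwd_new` verifies, and the user's new password would be rejected. Blank the old column in the same assignment: `$pwdsql = empty($pwd) ? '' : ",pwd='',pwd_new='".password_hash($pwd, PASSWORD_BCRYPT)."'";`. The `empty($pwd)` test is then evaluated twice; folding it into the guard (`if (!empty($pwd) && function_exists('password_hash'))`) reads better. The edituser branch continues outside the hunk.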
diff --git a/src/admin/sys_admin_user_add.php b/src/admin/sys_admin_user_add.php
index 0eae58f6..d1fa0885 100644
--- a/src/admin/sys_admin_user_add.php
+++ b/src/admin/sys_admin_user_add.php
@@ -28,12 +28,19 @@ if ($dopost == 'add') {
         ShowMsg('用户名已存在', '-1');
         exit();
     }
+    $pfd = "pwd";
     $mpwd = md5($pwd);
     $pwd = substr(md5($pwd), 5, 20);
+    if (function_exists('password_hash')) {
+        $pfd = "pwd_new";
+        $mpwd = password_hash($pwd, PASSWORD_BCRYPT);
+        $pwd = password_hash($pwd, PASSWORD_BCRYPT);
+    }
+
     $typeid = join(',', $typeids);
     if ($typeid == '0') $typeid = '';
     //关连前台会员帐号
-    $adminquery = "INSERT INTO `#@__member` (`mtype`,`userid`,`pwd`,`uname`,`sex`,`rank`,`money`,`email`, `scores` ,`matt` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
+    $adminquery = "INSERT INTO `#@__member` (`mtype`,`userid`,`$pfd`,`uname`,`sex`,`rank`,`money`,`email`, `scores` ,`matt` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
         VALUES ('个人','$userid','$mpwd','$uname','男','100','0','$email','1000','10','','0','','0','','0',''); ";
     $dsql->ExecuteNoneQuery($adminquery);
     $mid = $dsql->GetLastID();
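Review bot: At `$mpwd = password_hash($pwd, PASSWORD_BCRYPT);` and `$pwd = password_hash($pwd, PASSWORD_BCRYPT);` the value being hashed is no longer the submitted password: two lines earlier `$pwd = substr(md5($pwd), 5, 20);` has already replaced it with the 20-character md5 fragment, so both tables receive bcrypt(md5 fragment) while the login code in this commit calls `password_verify` with the plaintext, and the newly created admin cannot log in. Keep the plaintext before it is overwritten, `$plainpwd = $pwd;` immediately after `$pfd = "pwd";`, and hash that: `$mpwd = password_hash($plainpwd, PASSWORD_BCRYPT);` / `$pwd = password_hash($plainpwd, PASSWORD_BCRYPT);`. The second hunk of this file (the `#@__admin` insert) only consumes these values and needs no further change once they are fixed. The `if ($dopost == 'add')` block starts and ends outside the hunk.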
@@ -41,7 +48,7 @@ if ($dopost == 'add') {
         die($dsql->GetError().' 数据库出错');
     }
     //后台管理员
-    $inquery = "INSERT INTO `#@__admin`(id,usertype,userid,pwd,uname,typeid,tname,email)
+    $inquery = "INSERT INTO `#@__admin`(id,usertype,userid,$pfd,uname,typeid,tname,email)
         VALUES('$mid','$usertype','$userid','$pwd','$uname','$typeid','$tname','$email'); ";
     $rs = $dsql->ExecuteNoneQuery($inquery);
     $adminquery = "INSERT INTO `#@__member_person` (`mid`,`onlynet`,`sex`,`uname`,`qq`,`msn`,`tel`,`mobile`,`place`,`oldplace`,`birthday`,`star`, `income` , `education` , `height` , `bodytype` , `blood` , `vocation` , `smoke` , `marital` , `house` ,`drink` , `datingtype` , `language` , `nature` , `lovemsg` , `address`,`uptime`)
diff --git a/src/admin/sys_admin_user_edit.php b/src/admin/sys_admin_user_edit.php
index b0b500b8..8ef798aa 100644
--- a/src/admin/sys_admin_user_edit.php
+++ b/src/admin/sys_admin_user_edit.php
@@ -29,6 +29,10 @@ if ($dopost == 'saveedit') {
     if ($pwd != '') {
         $pwdm = ",pwd='".md5($pwd)."'";
         $pwd = ",pwd='".substr(md5($pwd), 5, 20)."'";
+        if (function_exists('password_hash')) {
+            $pwdm = ",pwd_new='".password_hash($pwd, PASSWORD_BCRYPT)."'";
+            $pwd = ",pwd_new='".password_hash($pwd, PASSWORD_BCRYPT)."'";
+        }
     }
     if (empty($typeids)) {
         $typeid = '';
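Review bot: `password_hash($pwd, PASSWORD_BCRYPT)` on the two added lines hashes the SQL fragment `,pwd='…'` that the preceding line has just stored in `$pwd`, not the password the admin typed, so neither stored hash can ever be verified by `password_verify` against the plaintext. Save the raw value first (`$plainpwd = $pwd;` as the first statement inside `if ($pwd != '')`) and hash that; the same assignment should also blank the legacy column, `",pwd='',pwd_new='".password_hash($plainpwd, PASSWORD_BCRYPT)."'"`, otherwise the stale md5 value in `pwd` is still checked by the admin login path added in this commit. The same overwrite-before-hash mistake is in sys_admin_user_add.php. The saveedit branch continues outside the hunk.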
diff --git a/src/admin/templets/sys_admin_user_add.htm b/src/admin/templets/sys_admin_user_add.htm
index 2163149f..48a2bff2 100644
--- a/src/admin/templets/sys_admin_user_add.htm
+++ b/src/admin/templets/sys_admin_user_add.htm
@@ -104,7 +104,7 @@
             
             
               | 
-                
+                
                | 
             
           
diff --git a/src/install/v57sp2_to_v6.txt b/src/install/v57sp2_to_v6.txt
index 66e5eb92..465f9ae0 100644
--- a/src/install/v57sp2_to_v6.txt
+++ b/src/install/v57sp2_to_v6.txt
@@ -1,6 +1,8 @@
 -- 6.1.9
 ALTER TABLE `#@__archives` MODIFY COLUMN `title` varchar(255) NOT NULL DEFAULT '' AFTER `money`;
 ALTER TABLE `#@__arctype` MODIFY COLUMN `typename` varchar(255) NOT NULL DEFAULT '' AFTER `sortrank`;
+ALTER TABLE `#@__admin` ADD COLUMN `pwd_new` varchar(120) NOT NULL DEFAULT '' AFTER `pwd`;
+ALTER TABLE `#@__member` ADD COLUMN `pwd_new` varchar(120) NOT NULL DEFAULT '' AFTER `pwd`;
 
 -- 6.1.8
 INSERT INTO `#@__sysconfig` VALUES ('710', 'cfg_tags_dir', 'TAGS生成目录', 7, 'string', '{cmspath}/a/tags');
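Review bot: The `pwd_new` column is added only to the upgrade script; unless the fresh-install schema (not part of this diff) also gains it, the unconditional `pwd_new` insert in reg_new.php fails on new installations. A short comment above the two statements would help whoever runs the migration, e.g. `-- pwd_new: bcrypt hash written by password_hash(); pwd is blanked once an account has been migrated`. varchar(120) comfortably holds the 60-character bcrypt output.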
diff --git a/src/system/memberlogin.class.php b/src/system/memberlogin.class.php
index 3afd2ee6..32c66329 100755
--- a/src/system/memberlogin.class.php
+++ b/src/system/memberlogin.class.php
@@ -389,11 +389,19 @@ class MemberLogin
             return '0';
         }
         //matt=10 是管理员关连的前台帐号,为了安全起见,这个帐号只能从后台登录,不能直接从前台登录
-        $row = $dsql->GetOne("SELECT mid,matt,pwd,logintime FROM `#@__member` WHERE userid LIKE '$loginuser' ");
+        $row = $dsql->GetOne("SELECT mid,matt,pwd,pwd_new,logintime FROM `#@__member` WHERE userid LIKE '$loginuser' ");
         if (is_array($row)) {
-            if ($this->GetShortPwd($row['pwd']) != $this->GetEncodePwd($loginpwd)) {
+            if (!empty($row['pwd_new']) && !password_verify($loginpwd, $row['pwd_new'])) {
+                return -1;
+            }else if (!empty($row['pwd']) && $this->GetShortPwd($row['pwd']) != $this->GetEncodePwd($loginpwd)) {
                 return -1;
             } else {
+                if (empty($row['pwd_new']) && function_exists('password_hash')) {
+                    // 升级密码
+                    $newpwd = password_hash($loginpwd, PASSWORD_BCRYPT);
+                    $inquery = "UPDATE `#@__member` SET pwd='',pwd_new='{$newpwd}' WHERE mid='".$row['mid']."'";
+                    $dsql->ExecuteNoneQuery($inquery);
+                }
                 //管理员帐号不允许从前台登录
                 if ($row['matt'] == 10) {
                     return -2;
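Review bot: The new if/else-if chain fails open when both `pwd_new` and `pwd` are empty: neither `!empty()` guard fires, control reaches the success branch and the account is logged in with whatever password was submitted, whereas the replaced line always compared against `pwd`. It also requires both columns to match when both are populated, which is what breaks the member edit hunk in this commit. Decide on `pwd_new` alone when it is present and otherwise fall back to the legacy comparison, refusing an empty `pwd`; the admin login in userlogin.class.php needs the same structure. Whether rows with both columns empty exist in real data cannot be seen here, but the check should not depend on it.

```php
if (!empty($row['pwd_new'])) {
    $pwdOk = password_verify($loginpwd, $row['pwd_new']);
} else {
    $pwdOk = !empty($row['pwd']) && $this->GetShortPwd($row['pwd']) == $this->GetEncodePwd($loginpwd);
}
if (!$pwdOk) {
    return -1;
} else {
    // … unchanged: upgrade to pwd_new, matt == 10 refusal …
```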
@@ -419,7 +427,7 @@ class MemberLogin
         global $cfg_login_adds, $dsql;
         //登录增加积分(上一次登录时间必须大于两小时)
         if (time() - $logintime > 7200 && $cfg_login_adds > 0) {
-            $dsql->ExecuteNoneQuery("Update `#@__member` set `scores`=`scores`+{$cfg_login_adds} where mid='$uid' ");
+            $dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `scores`=`scores`+{$cfg_login_adds} where mid='$uid' ");
         }
         $this->M_ID = $uid;
         $this->M_LoginTime = time();
diff --git a/src/system/userlogin.class.php b/src/system/userlogin.class.php
index 8a864a37..60304ca9 100755
--- a/src/system/userlogin.class.php
+++ b/src/system/userlogin.class.php
@@ -217,16 +217,24 @@ class userLogin
         $row = $dsql->GetObject();
         if (!isset($row->pwd)) {
             return -1;
-        } else if ($pwd != $row->pwd) {
+        } else if (!empty($row->pwd_new) && !password_verify($this->userPwd, $row->pwd_new)) {
             return -2;
-        } else {
+        } else if (!empty($row->pwd) && $pwd != $row->pwd) {
+            return -2;
+        }else {
+            $upsql = "";
+            if (empty($row->pwd_new) && function_exists('password_hash')) {
+                // 升级密码
+                $newpwd = password_hash($this->userPwd, PASSWORD_BCRYPT);
+                $upsql .= ",pwd='',pwd_new='{$newpwd}'";
+            }
             $loginip = GetIP();
             $this->userID = $row->id;
             $this->userType = $row->usertype;
             $this->userChannel = $row->typeid;
             $this->userName = $row->uname;
             $this->userPurview = $row->purviews;
-            $inquery = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."' WHERE id='".$row->id."'";
+            $inquery = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."'{$upsql} WHERE id='".$row->id."'";
             $dsql->ExecuteNoneQuery($inquery);
             $sql = "UPDATE `#@__member` SET logintime=".time().", loginip='$loginip' WHERE mid=".$row->id;
             $dsql->ExecuteNoneQuery($sql);
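Review bot: The SELECT that fills `$row` sits above this hunk; if it names columns explicitly rather than using `*`, `pwd_new` has to be added there as memberlogin.class.php does, otherwise `$row->pwd_new` is undefined, `!empty()` is silently false and every admin login takes the legacy branch while the upgrade block re-hashes on each login. The `}else {` opening the success branch also wants a space, `} else {`. The enclosing method starts and ends outside the hunk.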
diff --git a/src/user/reg_new.php b/src/user/reg_new.php
index 15286575..324e600b 100755
--- a/src/user/reg_new.php
+++ b/src/user/reg_new.php
@@ -67,11 +67,11 @@ if ($step == 1) {
         $logintime = time();
         $joinip = GetIP();
         $loginip = GetIP();
-        $pwd = md5($userpwd);
+        $pwd = password_hash($userpwd, PASSWORD_BCRYPT);
         $mtype = '个人';
         $spaceSta = ($cfg_mb_spacesta < 0 ? $cfg_mb_spacesta : 0);
-        $inQuery = "INSERT INTO `#@__member` (`mtype` ,`userid` ,`pwd` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,`matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
-        VALUES ('$mtype','$userid','$pwd','$uname','','10','$dfmoney','','$dfscores','0','$spaceSta','','','','$jointime','$joinip','$logintime','$loginip'); ";
+        $inQuery = "INSERT INTO `#@__member` (`mtype` ,`userid` ,`pwd`, `pwd_new` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,`matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
+        VALUES ('$mtype','$userid','','$pwd','$uname','','10','$dfmoney','','$dfscores','0','$spaceSta','','','','$jointime','$joinip','$logintime','$loginip'); ";
         if ($dsql->ExecuteNoneQuery($inQuery)) {
             $mid = $dsql->GetLastID();
             //写入默认会员详细资料
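Review bot: `password_hash($userpwd, PASSWORD_BCRYPT)` is called here without the `function_exists('password_hash')` guard that every other site in this commit uses, so on a runtime where the other code would fall back to md5 the registration step dies with an undefined-function error instead of storing a legacy hash. Either drop the guards everywhere (`password_hash` has existed since PHP 5.5) or mirror the same fallback here. Writing `''` into `pwd` for new registrations is consistent with the upgrade path in memberlogin.class.php. The `if ($step == 1)` block starts and ends outside the hunk.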