From 9213b0368743edc56890aa2b34be9c066d7fb59b Mon Sep 17 00:00:00 2001
From: tianya <8445295+llgoer@user.noreply.gitee.com>
Date: Wed, 27 Apr 2022 14:33:34 +0800
Subject: [PATCH] =?UTF-8?q?=E7=94=A8=E6=88=B7=E5=AF=86=E7=A0=81=E8=B0=83?=
=?UTF-8?q?=E6=95=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
src/admin/member_do.php | 3 +++
src/admin/sys_admin_user_add.php | 11 +++++++++--
src/admin/sys_admin_user_edit.php | 4 ++++
src/admin/templets/sys_admin_user_add.htm | 2 +-
src/install/v57sp2_to_v6.txt | 2 ++
src/system/memberlogin.class.php | 14 +++++++++++---
src/system/userlogin.class.php | 14 +++++++++++---
src/user/reg_new.php | 6 +++---
8 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/src/admin/member_do.php b/src/admin/member_do.php
index 7b4f1f8d..f42b6b2f 100644
--- a/src/admin/member_do.php
+++ b/src/admin/member_do.php
@@ -146,6 +146,9 @@ else if ($dopost == 'edituser') {
CheckPurview('member_Edit');
if (!isset($_POST['id'])) exit('dedebiz');
$pwdsql = empty($pwd) ? '' : ",pwd='".md5($pwd)."'";
+ if (function_exists('password_hash')) {
+ $pwdsql = empty($pwd) ? '' : ",pwd_new='".password_hash($pwd, PASSWORD_BCRYPT)."'";
+ }
if (empty($sex)) $sex = '男';
$uptime = GetMkTime($uptime);
if ($matt == 10 && $oldmatt != 10) {
diff --git a/src/admin/sys_admin_user_add.php b/src/admin/sys_admin_user_add.php
index 0eae58f6..d1fa0885 100644
--- a/src/admin/sys_admin_user_add.php
+++ b/src/admin/sys_admin_user_add.php
@@ -28,12 +28,19 @@ if ($dopost == 'add') {
ShowMsg('用户名已存在', '-1');
exit();
}
+ $pfd = "pwd";
$mpwd = md5($pwd);
$pwd = substr(md5($pwd), 5, 20);
+ if (function_exists('password_hash')) {
+ $pfd = "pwd_new";
+ $mpwd = password_hash($pwd, PASSWORD_BCRYPT);
+ $pwd = password_hash($pwd, PASSWORD_BCRYPT);
+ }
+
$typeid = join(',', $typeids);
if ($typeid == '0') $typeid = '';
//关连前台会员帐号
- $adminquery = "INSERT INTO `#@__member` (`mtype`,`userid`,`pwd`,`uname`,`sex`,`rank`,`money`,`email`, `scores` ,`matt` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
+ $adminquery = "INSERT INTO `#@__member` (`mtype`,`userid`,`$pfd`,`uname`,`sex`,`rank`,`money`,`email`, `scores` ,`matt` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
VALUES ('个人','$userid','$mpwd','$uname','男','100','0','$email','1000','10','','0','','0','','0',''); ";
$dsql->ExecuteNoneQuery($adminquery);
$mid = $dsql->GetLastID();
@@ -41,7 +48,7 @@ if ($dopost == 'add') {
die($dsql->GetError().' 数据库出错');
}
//后台管理员
- $inquery = "INSERT INTO `#@__admin`(id,usertype,userid,pwd,uname,typeid,tname,email)
+ $inquery = "INSERT INTO `#@__admin`(id,usertype,userid,$pfd,uname,typeid,tname,email)
VALUES('$mid','$usertype','$userid','$pwd','$uname','$typeid','$tname','$email'); ";
$rs = $dsql->ExecuteNoneQuery($inquery);
$adminquery = "INSERT INTO `#@__member_person` (`mid`,`onlynet`,`sex`,`uname`,`qq`,`msn`,`tel`,`mobile`,`place`,`oldplace`,`birthday`,`star`, `income` , `education` , `height` , `bodytype` , `blood` , `vocation` , `smoke` , `marital` , `house` ,`drink` , `datingtype` , `language` , `nature` , `lovemsg` , `address`,`uptime`)
diff --git a/src/admin/sys_admin_user_edit.php b/src/admin/sys_admin_user_edit.php
index b0b500b8..8ef798aa 100644
--- a/src/admin/sys_admin_user_edit.php
+++ b/src/admin/sys_admin_user_edit.php
@@ -29,6 +29,10 @@ if ($dopost == 'saveedit') {
if ($pwd != '') {
$pwdm = ",pwd='".md5($pwd)."'";
$pwd = ",pwd='".substr(md5($pwd), 5, 20)."'";
+ if (function_exists('password_hash')) {
+ $pwdm = ",pwd_new='".password_hash($pwd, PASSWORD_BCRYPT)."'";
+ $pwd = ",pwd_new='".password_hash($pwd, PASSWORD_BCRYPT)."'";
+ }
}
if (empty($typeids)) {
$typeid = '';
diff --git a/src/admin/templets/sys_admin_user_add.htm b/src/admin/templets/sys_admin_user_add.htm
index 2163149f..48a2bff2 100644
--- a/src/admin/templets/sys_admin_user_add.htm
+++ b/src/admin/templets/sys_admin_user_add.htm
@@ -104,7 +104,7 @@
-
+
|
diff --git a/src/install/v57sp2_to_v6.txt b/src/install/v57sp2_to_v6.txt
index 66e5eb92..465f9ae0 100644
--- a/src/install/v57sp2_to_v6.txt
+++ b/src/install/v57sp2_to_v6.txt
@@ -1,6 +1,8 @@
-- 6.1.9
ALTER TABLE `#@__archives` MODIFY COLUMN `title` varchar(255) NOT NULL DEFAULT '' AFTER `money`;
ALTER TABLE `#@__arctype` MODIFY COLUMN `typename` varchar(255) NOT NULL DEFAULT '' AFTER `sortrank`;
+ALTER TABLE `#@__admin` ADD COLUMN `pwd_new` varchar(120) NOT NULL DEFAULT '' AFTER `pwd`;
+ALTER TABLE `#@__member` ADD COLUMN `pwd_new` varchar(120) NOT NULL DEFAULT '' AFTER `pwd`;
-- 6.1.8
INSERT INTO `#@__sysconfig` VALUES ('710', 'cfg_tags_dir', 'TAGS生成目录', 7, 'string', '{cmspath}/a/tags');
diff --git a/src/system/memberlogin.class.php b/src/system/memberlogin.class.php
index 3afd2ee6..32c66329 100755
--- a/src/system/memberlogin.class.php
+++ b/src/system/memberlogin.class.php
@@ -389,11 +389,19 @@ class MemberLogin
return '0';
}
//matt=10 是管理员关连的前台帐号,为了安全起见,这个帐号只能从后台登录,不能直接从前台登录
- $row = $dsql->GetOne("SELECT mid,matt,pwd,logintime FROM `#@__member` WHERE userid LIKE '$loginuser' ");
+ $row = $dsql->GetOne("SELECT mid,matt,pwd,pwd_new,logintime FROM `#@__member` WHERE userid LIKE '$loginuser' ");
if (is_array($row)) {
- if ($this->GetShortPwd($row['pwd']) != $this->GetEncodePwd($loginpwd)) {
+ if (!empty($row['pwd_new']) && !password_verify($loginpwd, $row['pwd_new'])) {
+ return -1;
+ }else if (!empty($row['pwd']) && $this->GetShortPwd($row['pwd']) != $this->GetEncodePwd($loginpwd)) {
return -1;
} else {
+ if (empty($row['pwd_new']) && function_exists('password_hash')) {
+ // 升级密码
+ $newpwd = password_hash($loginpwd, PASSWORD_BCRYPT);
+ $inquery = "UPDATE `#@__member` SET pwd='',pwd_new='{$newpwd}' WHERE mid='".$row['mid']."'";
+ $dsql->ExecuteNoneQuery($inquery);
+ }
//管理员帐号不允许从前台登录
if ($row['matt'] == 10) {
return -2;
@@ -419,7 +427,7 @@ class MemberLogin
global $cfg_login_adds, $dsql;
//登录增加积分(上一次登录时间必须大于两小时)
if (time() - $logintime > 7200 && $cfg_login_adds > 0) {
- $dsql->ExecuteNoneQuery("Update `#@__member` set `scores`=`scores`+{$cfg_login_adds} where mid='$uid' ");
+ $dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `scores`=`scores`+{$cfg_login_adds} where mid='$uid' ");
}
$this->M_ID = $uid;
$this->M_LoginTime = time();
diff --git a/src/system/userlogin.class.php b/src/system/userlogin.class.php
index 8a864a37..60304ca9 100755
--- a/src/system/userlogin.class.php
+++ b/src/system/userlogin.class.php
@@ -217,16 +217,24 @@ class userLogin
$row = $dsql->GetObject();
if (!isset($row->pwd)) {
return -1;
- } else if ($pwd != $row->pwd) {
+ } else if (!empty($row->pwd_new) && !password_verify($this->userPwd, $row->pwd_new)) {
return -2;
- } else {
+ } else if (!empty($row->pwd) && $pwd != $row->pwd) {
+ return -2;
+ }else {
+ $upsql = "";
+ if (empty($row->pwd_new) && function_exists('password_hash')) {
+ // 升级密码
+ $newpwd = password_hash($this->userPwd, PASSWORD_BCRYPT);
+ $upsql .= ",pwd='',pwd_new='{$newpwd}'";
+ }
$loginip = GetIP();
$this->userID = $row->id;
$this->userType = $row->usertype;
$this->userChannel = $row->typeid;
$this->userName = $row->uname;
$this->userPurview = $row->purviews;
- $inquery = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."' WHERE id='".$row->id."'";
+ $inquery = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."'{$upsql} WHERE id='".$row->id."'";
$dsql->ExecuteNoneQuery($inquery);
$sql = "UPDATE `#@__member` SET logintime=".time().", loginip='$loginip' WHERE mid=".$row->id;
$dsql->ExecuteNoneQuery($sql);
diff --git a/src/user/reg_new.php b/src/user/reg_new.php
index 15286575..324e600b 100755
--- a/src/user/reg_new.php
+++ b/src/user/reg_new.php
@@ -67,11 +67,11 @@ if ($step == 1) {
$logintime = time();
$joinip = GetIP();
$loginip = GetIP();
- $pwd = md5($userpwd);
+ $pwd = password_hash($userpwd, PASSWORD_BCRYPT);
$mtype = '个人';
$spaceSta = ($cfg_mb_spacesta < 0 ? $cfg_mb_spacesta : 0);
- $inQuery = "INSERT INTO `#@__member` (`mtype` ,`userid` ,`pwd` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,`matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
- VALUES ('$mtype','$userid','$pwd','$uname','','10','$dfmoney','','$dfscores','0','$spaceSta','','','','$jointime','$joinip','$logintime','$loginip'); ";
+ $inQuery = "INSERT INTO `#@__member` (`mtype` ,`userid` ,`pwd`, `pwd_new` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,`matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
+ VALUES ('$mtype','$userid','','$pwd','$uname','','10','$dfmoney','','$dfscores','0','$spaceSta','','','','$jointime','$joinip','$logintime','$loginip'); ";
if ($dsql->ExecuteNoneQuery($inQuery)) {
$mid = $dsql->GetLastID();
//写入默认会员详细资料