Upgrade old MD5 password hashing (#822)

2026-04-08 17:08:04 -04:00 · 2016-09-01 19:12:08 +02:00
parent ce2c83b3f9
commit 35f9904dbe
3 changed files with 25 additions and 5 deletions
--- a/application/models/Employee.php
+++ b/application/models/Employee.php
@@ -298,14 +298,29 @@ class Employee extends Person
 	*/
 	public function login($username, $password)
 	{
-		$query = $this->db->get_where('employees', array('username' => $username, 'password' => md5($password), 'deleted' => 0), 1);
+
+		$query = $this->db->get_where('employees', array('username' => $username, 'deleted' => 0), 1);

 		if($query->num_rows() == 1)
 		{
 			$row = $query->row();
-			$this->session->set_userdata('person_id', $row->person_id);

-			return TRUE;
+			// compare passwords depending on the hash version
+			if ($row->hash_version == 1 && $row->password == md5($password))
+			{
+				$this->db->where('person_id', $row->person_id);
+				$this->session->set_userdata('person_id', $row->person_id);
+				$password_hash = password_hash($password, PASSWORD_DEFAULT);
+
+				return $this->db->update('employees', array('hash_version' => 2, 'password' => $password_hash));
+			}
+			else if ($row->hash_version == 2 && password_verify($password, $row->password))
+			{
+				$this->session->set_userdata('person_id', $row->person_id);
+
+				return TRUE;
+			}
+
 		}

 		return FALSE;
--- a/database/2.4_to_3.0.sql
+++ b/database/2.4_to_3.0.sql
@@ -63,7 +63,6 @@ INSERT INTO `ospos_app_config` (`key`, `value`) VALUES
 
 DELETE FROM `ospos_app_config` WHERE `key` = 'use_invoice_template';

-
 -- add messages (SMS) module and permissions

 UPDATE `ospos_modules` SET `sort` = 110 WHERE `name_lang_key` = 'module_config';
@@ -89,4 +88,9 @@ CREATE TABLE `ospos_sessions` (
  `data` blob NOT NULL,
  KEY `ci_sessions_timestamp` (`timestamp`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- 
+
+-- upgrade employees table
+ALTER TABLE `ospos_employees`
+ ADD COLUMN `hash_version` int(1) NOT NULL DEFAULT '2';
+
+UPDATE `ospos_employees` SET `hash_version` = 1;
--- a/database/tables.sql
+++ b/database/tables.sql
@@ -115,6 +115,7 @@ CREATE TABLE `ospos_employees` (
  `password` varchar(255) NOT NULL,
  `person_id` int(10) NOT NULL,
  `deleted` int(1) NOT NULL DEFAULT '0',
+  `hash_version` int(1) NOT NULL DEFAULT '2'
  UNIQUE KEY `username` (`username`),
  KEY `person_id` (`person_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;