Topic: Not sure if it counts a bug but...

I was looking through the source and noticed an oversight in pun_hash().
The choice of which hashing algorithm to use isn't fixed, it's done every time the function is called. What if someone starts off only with md5() support, has a load of users register, and then upgrades their PHP?
Presumably then all the stored passwords will remain md5'd, but the login attempt will be checking for, say, sha1, and the users won't be able to log in without all requesting new passwords?

Re: Not sure if it counts a bug but...

No, have a look at the login code in login.php. If SHA1 is available and the password in the database is an MD5 hash, it will be replaced by an SHA1 hash.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Not sure if it counts a bug but...

ahar.. ah yes.. oops =P

Re: Not sure if it counts a bug but...

What if the other way around?
All is stored in SHA1, but then moves to another host with only MD5.

I'm not familiar with sha1 tho.

Re: Not sure if it counts a bug but...

Then this happens. People will have to request a new password. I don't believe it's a very common scenario though.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
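The two cases discussed in this thread (MD5 hashes upgraded to SHA1 at login, and SHA1 hashes stranded on a host with only MD5), as an added PHP sketch that is not PunBB's own login.php. The function names, the return shape and the `$available` list are hypothetical, and it assumes the stored hash is an unsalted hex digest whose length identifies the algorithm.

```php
<?php
// Added illustration, not PunBB code. All names here are hypothetical.

// Identify the algorithm of a stored unsalted hex digest by its length.
function stored_algo(string $hash): ?string
{
    if (!ctype_xdigit($hash)) {
        return null;
    }
    switch (strlen($hash)) {
        case 32: return 'md5';   // 128-bit digest, 32 hex characters
        case 40: return 'sha1';  // 160-bit digest, 40 hex characters
        default: return null;
    }
}

// $available lists the algorithms this host supports, e.g. ['md5', 'sha1'].
// Returns [authenticated, replacement hash to store or null, reset required].
function check_login(string $password, string $stored, array $available): array
{
    $stored = strtolower($stored);
    $algo = stored_algo($stored);
    if ($algo === null || !in_array($algo, $available, true)) {
        // Reverse case: the hash was made with an algorithm this host lacks.
        // It cannot be verified, so the user has to request a new password.
        return [false, null, true];
    }
    // Verify with the algorithm the hash was created with, in constant time.
    if (!hash_equals($stored, hash($algo, $password))) {
        return [false, null, false];
    }
    // Forward case: a verified MD5 hash is replaced once SHA1 is available.
    // This is only possible at login, while the plaintext is in hand.
    $upgrade = ($algo === 'md5' && in_array('sha1', $available, true))
        ? hash('sha1', $password)
        : null;
    return [true, $upgrade, false];
}

// Constructed sample data.
$old = md5('correct horse');
var_dump(check_login('correct horse', $old, ['md5', 'sha1'])); // ok, with SHA1 upgrade
var_dump(check_login('wrong guess', $old, ['md5', 'sha1']));   // rejected
var_dump(check_login('correct horse', sha1('correct horse'), ['md5'])); // reset required
```

When the second element of the result is not null, the caller writes it to the user's row in place of the old hash.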

Re: Not sure if it counts a bug but...

I suspected that, but wasn't sure.
Maybe write a little note or something about it in the install file at the end?