X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Feventz%2Flogin.inc;h=154cdef2d451029112f8ffc110a50bb72ed79ec3;hb=1ca26066fd412911ba5a08461c0c076d93b12932;hp=c8b5ef8c658873272fec7cd8790d2eb65f655fba;hpb=117ec8d86ad28c3850599b2ab9329094039281f0;p=mirrors%2FKyberia-bloodline.git
diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc
index c8b5ef8..154cdef 100644
--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -4,7 +4,14 @@ function login() {
 global $db,$error,$node_id;
 $login = mysql_real_escape_string($_POST['login']);
 $password = $_POST['password']; // Not SQLi but be carefull
- $hash = md5($password);
+ $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
+
+ $hash_query='(';
+ foreach($password_hash_algos as $algo) {
+ $hash_query.="password='".hash($algo, $password)."' OR ";
+ }
+ $hash_query.='false )';
+
 $login_type = $_POST['login_type'];
 $referer = $_SERVER['HTTP_REFERER'];
@@ -15,7 +22,7 @@ function login() {
 switch ($login_type) {
 case "name":
- $q = "select * from users where login='$login' and password='$hash'";
+ $q = "select * from users where login='$login' and $hash_query";
 $set = $db->query($q);
 $set->next();
 $user_id = $set->getString('user_id');
@@ -27,7 +34,7 @@ function login() {
 // HA! if it is number, escape_string is not enough
 $login=intval($login);
- $q="select * from users where user_id='$login' and password='$hash'";
+ $q="select * from users where user_id='$login' and $hash_query";
 $set=$db->query($q);
 $set->next();
 $user_id=$set->getString('user_id');
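Review bot: The OR-chain built from `$password_hash_algos` treats a stored md5 or sha1 digest as a credential exactly as good as sha256, so the change widens what is accepted without strengthening anything: all three are unsalted fast hashes, and the weakest algorithm still present in the `users` table bounds the security of every account that uses it. Build the candidate digests in PHP instead and compare them against the row fetched by login alone, so the matching algorithm is known and the row can be re-written with the strongest scheme on success (password_hash()/password_verify() if this PHP version has them — the mysql_* calls suggest it may be older). A missing `$_POST['password']` currently yields the digests of the empty string, so `if (!isset($_POST['password']) || $_POST['password'] === '') { $error = 'missing password'; return; }` should reject before any query is built. The inlined digests are safe in SQL only because hash() returns lowercase hex when raw_output is left at its default; that dependency deserves a comment. login() starts before this hunk and continues past it.
```php
$password_hash_algos = array('sha256', 'sha1', 'md5'); // strongest first; first match wins
// hash() returns hex (raw_output=false), so these digests never need SQL escaping;
// they are kept per-algorithm so the caller can tell which one matched and rehash.
$candidate_hashes = array();
foreach ($password_hash_algos as $algo) {
    $candidate_hashes[$algo] = hash($algo, $password);
}
// … unchanged: $login_type / $referer …
```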
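Review bot: Once this query matches, nothing records which digest matched or upgrades the row, so an account stored as md5 stays md5 indefinitely; on a successful match the `name` branch should re-store the password with the strongest algorithm, e.g. `$db->query("update users set password='".hash('sha256', $password)."' where user_id='".intval($user_id)."'");` after `$user_id` has been confirmed non-empty. `$set->next()` is still called without checking its result, so `$user_id` is presumably an empty string when no row matched; that is pre-existing and appears to be handled further down, but it is worth re-checking now that the WHERE clause is more permissive. The `case "name"` branch continues past the end of the hunk.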
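Review bot: This branch now builds exactly the same statement as the `name` branch apart from the column it matches on, so the two copies will drift the next time the credential check changes; select the column in the switch and build the query once, e.g. `case "name": $id_column = 'login'; break;` alongside `$id_column = 'user_id';` here, followed by a single `$q = "select * from users where $id_column='$login' and $hash_query";` after the switch. Any rehash-on-success logic added to the `name` branch would then live in one place as well. This branch continues past the hunk and login() closes outside it.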