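/**
 * Checks whether an email and password combination is valid
 *
 * Looks the account up by email, then verifies the submitted password against
 * whichever credential is stored: a password_hash() value if present, otherwise
 * the legacy salted MD5. A successful login against a legacy MD5, or against a
 * hash that password_needs_rehash() reports as stale, re-saves the password with
 * the current algorithm.
 *
 * @param string $username email address the account was registered with
 * @param string $password the submitted password, or its legacy MD5 when $password_already_hashed is true
 * @param bool $password_already_hashed true when $password is already md5(password . salt); only meaningful for legacy accounts
 * @return int|false user id when the credentials match, otherwise false
 */
public function ValidateUser($username, $password, $password_already_hashed = false)
{
    $valid = false;
    if (!is_string($username) || !is_string($password)) {
        return $valid;
    }

    $sql = "SELECT salt, password_md5, password_hash, user_id\r\n FROM nsa_user WHERE email = " . Sql::ProtectString($this->GetDataConnection(), $username);
    $result = $this->GetDataConnection()->query($sql);
    if ($result === false) {
        # query() reports failure as false when the connection is not in exception mode;
        # treat that as "not valid" rather than calling fetch() on a non-object
        return $valid;
    }

    $row = $result->fetch();
    if ($row) {
        if ($row->password_hash) {
            # Password hashed by PHP: password_verify() does a constant-time comparison
            $valid = password_verify($password, $row->password_hash);
            # If PHP has updated its hashing algorithm, update the saved hash
            if ($valid && password_needs_rehash($row->password_hash, PASSWORD_DEFAULT)) {
                $this->ReplaceStoredPassword($row->user_id, $password);
            }
        } elseif ($row->password_md5) {
            # Legacy storage: salted MD5. The caller may already have applied the salt and hash.
            $submitted_password_hashed = $password_already_hashed ? $password : md5($password . $row->salt);
            # hash_equals() rather than === so the comparison time does not depend on
            # how many leading characters of the stored hash matched
            $valid = hash_equals((string) $row->password_md5, $submitted_password_hashed);
            # Re-store using the up-to-date method; only possible when the plaintext was submitted
            if ($valid && !$password_already_hashed) {
                $this->ReplaceStoredPassword($row->user_id, $password);
            }
        }

        if ($valid) {
            $valid = $row->user_id;
        }
    }
    $result->closeCursor();

    return $valid;
}

/**
 * Re-saves a user's password so it is stored with the current hashing algorithm
 * @param int $user_id
 * @param string $password plaintext password, as just verified
 * @return void
 */
private function ReplaceStoredPassword($user_id, $password)
{
    $password_change_user = new User();
    $password_change_user->SetId($user_id);
    $password_change_user->SetRequestedPassword($password);
    $this->SavePassword($password_change_user);
}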