/**
* Checks whether an email and password combination is valid
* @param string $username
* @param string $password
* @param bool $password_already_hashed
* @return int user id or false
*/
public function ValidateUser($username, $password, $password_already_hashed = false)
{
$valid = false;
if (is_string($username) and is_string($password)) {
$sql = "SELECT salt, password_md5, password_hash, user_id\r\n FROM nsa_user WHERE email = " . Sql::ProtectString($this->GetDataConnection(), $username);
$result = $this->GetDataConnection()->query($sql);
$row = $result->fetch();
if ($row) {
# Check for password hashed by PHP
if ($row->password_hash) {
$valid = password_verify($password, $row->password_hash);
if ($valid) {
# If PHP has updated its hashing algorithm, update the saved hash
if (password_needs_rehash($row->password_hash, PASSWORD_DEFAULT)) {
$password_change_user = new User();
$password_change_user->SetId($row->user_id);
$password_change_user->SetRequestedPassword($password);
$this->SavePassword($password_change_user);
}
}
} else {
if ($row->password_md5) {
if (!$password_already_hashed) {
$submitted_password_hashed = md5($password . $row->salt);
} else {
$submitted_password_hashed = $password;
}
if ($submitted_password_hashed === $row->password_md5) {
$valid = true;
# If using old password storage, re-store it using up-to-date method
if ($row->password_md5 && !$password_already_hashed) {
$password_change_user = new User();
$password_change_user->SetId($row->user_id);
$password_change_user->SetRequestedPassword($password);
$this->SavePassword($password_change_user);
}
}
}
}
if ($valid) {
$valid = $row->user_id;
}
}
$result->closeCursor();
}
return $valid;
}
