Added SHA-512 hash generation function for middleware.

nthnn · nthnn · commit a32a8c6787ff · 2024-12-07T12:03:13.000+08:00
diff --git a/controller/account.php b/controller/account.php
@@ -30,6 +30,7 @@
  */
 
 include_once("db_config.php");
+include_once("hash_helper.php");
 include_once("session_ctrl.php");
 
 global $db_conn;
@@ -80,7 +81,7 @@ public static function create($name, $username, $email, $password) {
             $db_conn,
             "INSERT INTO accounts (name, username, email, password) ".
             "VALUES (\"".$name."\", \"".$username."\", \"".$email.
-            "\", \"".md5($password)."\")"
+            "\", \"".hashString($password)."\")"
         );
 
         $status = $result ?
@@ -97,8 +98,8 @@ public static function update($username, $name, $email, $password, $old) {
 
         global $db_conn;
         $res = mysqli_query($db_conn, "UPDATE accounts SET name=\"".$name.
-            "\", email=\"".$email."\", password=\"".md5($password)."\" WHERE username=\"".
-            $username."\" AND password=\"".md5($old)."\" AND id=".(SessionControl::getId()));
+            "\", email=\"".$email."\", password=\"".hashString($password)."\" WHERE username=\"".
+            $username."\" AND password=\"".hashString($old)."\" AND id=".(SessionControl::getId()));
 
         $result = !(!$res);
         freeDBQuery($res);
@@ -114,7 +115,7 @@ public static function login($username, $password, $createSession = true) {
         $result = mysqli_query(
             $db_conn,
             "SELECT id FROM accounts WHERE ".
-            "username=\"".$username."\" AND password=\"".md5($password)."\""
+            "username=\"".$username."\" AND password=\"".hashString($password)."\""
         );
 
         if(!$result || mysqli_num_rows($result) == 0)
diff --git a/controller/apps.php b/controller/apps.php
@@ -31,6 +31,7 @@
 
 include_once("account.php");
 include_once("db_config.php");
+include_once("hash_helper.php");
 include_once("session_ctrl.php");
 include_once("shell.php");
 include_once("util.php");
@@ -67,8 +68,8 @@ public static function create($name, $description) {
             freeDBQuery($check);
         }
 
-        $id_hash = sha1(md5($name));
-        $app_key = "qba_" . substr_replace($id_hash, '', 10) . "_" . substr(md5($id_hash), 24);
+        $id_hash = sha1(hashString($name));
+        $app_key = "qba_" . substr_replace($id_hash, '', 10) . "_" . substr(hashString($id_hash), 120);
         $res = mysqli_query(
             $db_conn,
             "INSERT INTO app (creator_id, app_id, app_key, name, description) VALUES(".
diff --git a/controller/hash_helper.php b/controller/hash_helper.php
@@ -0,0 +1,36 @@
+<?php
+
+/*
+ * This file is part of QLBase (https://github.com/nthnn/QLBase).
+ * Copyright 2024 - Nathanne Isip
+ * 
+ * Permission is hereby granted, free of charge,
+ * to any person obtaining a copy of this software
+ * and associated documentation files (the “Software”),
+ * to deal in the Software without restriction,
+ * including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to
+ * whom the Software is furnished to do so, subject to
+ * the following conditions:
+ * 
+ * The above copyright notice and this permission notice
+ * shall be included in all copies or substantial portions
+ * of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF
+ * ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
+ * TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+ * SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
+ * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+ * OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+function hashString($str) {
+    return hash('sha512', $str);
+}
+
+?>
diff --git a/controller/session_ctrl.php b/controller/session_ctrl.php
@@ -30,6 +30,7 @@
  */
 
 include_once("db_config.php");
+include_once("hash_helper.php");
 include_once("util.php");
 
 global $db_conn;
@@ -65,7 +66,7 @@ public static function validate($hash) {
     public static function create($user_id) {
         global $db_conn;
 
-        $hash = md5(Util::guidv4(null));
+        $hash = hashString(Util::guidv4(null));
         $result = mysqli_query(
             $db_conn,
             "INSERT INTO sessions(user_id, hash, user_agent, remote_addr) ".
diff --git a/controller/validator.php b/controller/validator.php
@@ -49,7 +49,7 @@ public static function name($name) {
     }
 
     public static function loginPassword($password) {
-        return strlen($password) === 32 &&
+        return strlen($password) === 128 &&
             preg_match("/^[a-f0-9]+$/", $password);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ public static function name($name) {`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`public static function loginPassword($password) {`
`52`		`- return strlen($password) === 32 &&`
	`52`	`+ return strlen($password) === 128 &&`
`53`	`53`	`preg_match("/^[a-f0-9]+$/", $password);`
`54`	`54`	`}`
`55`	`55`