From 92cdd4cc7f6955760236e134126d8a68efa13360 Mon Sep 17 00:00:00 2001
From: Andreas Baumann
Date: Wed, 12 Feb 2020 19:21:35 +0100
Subject: hand-picked changes for better password functions from tyzoids branch
---
 profile.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'profile.php')
diff --git a/profile.php b/profile.php
index 8b0eb86..a5e21e4 100644
--- a/profile.php
+++ b/profile.php
@@ -102,16 +102,16 @@ if ($action == 'change_pass')
 {
 $old_password_hash = pun_hash($old_password);
-if ($cur_user['password'] == $old_password_hash || $pun_user['is_admmod'])
+if (pun_password_verify($old_password, $cur_user['password']) || $pun_user['is_admmod'])
 $authorized = true;
 }
 if (!$authorized)
 message($lang_profile['Wrong pass']);
-$new_password_hash = pun_hash($new_password1);
+$new_password_hash = pun_password_hash($new_password1);
-$db->query('UPDATE '.$db->prefix.'users SET password=\''.$new_password_hash.'\''.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
+$db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($new_password_hash).'\''.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
 if ($pun_user['id'] == $id)
 pun_setcookie($pun_user['id'], $new_password_hash, time() + $pun_config['o_timeout_visit']);
@@ -193,7 +193,7 @@ else if ($action == 'change_email')
 }
 else if (isset($_POST['form_sent']))
 {
-if (pun_hash($_POST['req_password']) !== $pun_user['password'])
+if (!pun_password_verify($_POST['req_password'], $pun_user['password']))
 message($lang_profile['Wrong pass']);
 // Make sure they got here from the site
-- 
cgit v1.2.3-54-g00ecf
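Review bot: The context line `$old_password_hash = pun_hash($old_password);` just above the changed condition in the change_pass hunk is now dead: the new side hands `$old_password` directly to `pun_password_verify`, so the legacy hash is computed and never read, and it keeps the old pun_hash scheme alive in the one handler that is meant to move away from it. Drop that line and the `$old_password_hash` variable with it. Further down the same hunk, `pun_setcookie($pun_user['id'], $new_password_hash, ...)` still places the stored hash into the login cookie, which now carries the new hash format; this is presumably covered by the matching cookie-verification changes from the tyzoid branch, but that path should be confirmed to accept it. The unchanged `' WHERE id='.$id` concatenation on the new query line is only safe if `$id` was already cast to int earlier in the file; the enclosing change_pass block starts above and continues below this hunk.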
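Review bot: In the change_email hunk the new check passes `$_POST['req_password']` straight to `pun_password_verify` with no isset guard, so a form post missing that field raises an undefined-index notice and hands a null password to the verifier instead of failing cleanly with the "Wrong pass" message; the removed line had the same gap, but since the line is being rewritten this is the moment to close it. Read the value once with a guard, e.g. `$req_password = isset($_POST['req_password']) ? $_POST['req_password'] : '';` followed by `if (!pun_password_verify($req_password, $pun_user['password']))`. The `else if` chain this sits in starts and ends outside the hunk.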