From 9cb3f5682e5c91ac8b9b581e8edb1b8447e87ba6 Mon Sep 17 00:00:00 2001
From: Michael Rowley
Date: Thu, 29 Jul 2021 02:22:16 +0100
Subject: [PATCH] Added bin2hex to hash patches.

bin2hex should convert the random-generated bytes to a hex-formatted string.
---
 application/model/PasswordResetModel.php | 4 ++--
 application/model/RegistrationModel.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/application/model/PasswordResetModel.php b/application/model/PasswordResetModel.php
index 1507903e..25a0f2ac 100644
--- a/application/model/PasswordResetModel.php
+++ b/application/model/PasswordResetModel.php
@@ -35,9 +35,9 @@ public static function requestPasswordReset($user_name_or_email, $captcha)
 }
 // generate integer-timestamp (to see when exactly the user (or an attacker) requested the password reset mail)
- // generate random hash for email password reset verification (40 char string)
+ // generate random hash for email password reset verification (40 bytes)
 $temporary_timestamp = time();
- $user_password_reset_hash = random_bytes(40);
+ $user_password_reset_hash = bin2hex(random_bytes(40));
 // set token (= a random hash string and a timestamp) into database ...
 $token_set = self::setPasswordResetDatabaseToken($result->user_name, $user_password_reset_hash, $temporary_timestamp);
diff --git a/application/model/RegistrationModel.php b/application/model/RegistrationModel.php
index bcfe481b..044e00fe 100644
--- a/application/model/RegistrationModel.php
+++ b/application/model/RegistrationModel.php
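Review bot: The new comment on the `+` line says `(40 bytes)`, but `bin2hex(random_bytes(40))` assigns an 80-character hex string, so the comment misstates the one property downstream code cares about: `setPasswordResetDatabaseToken` now receives twice the length the old `40 char string` comment implied, and if the token column is sized for 40 characters (I cannot see the schema from here) it would silently truncate, so the value mailed to the user never matches what is stored and every reset fails. I would document the real length, `// generate random token for email password reset verification (40 random bytes, hex-encoded to an 80 char string)`, and either confirm the column width or use `bin2hex(random_bytes(20))` if 40 characters is the storage contract; 20 bytes of CSPRNG output is still ample for a one-time token. The same comment and length mismatch apply to the RegistrationModel hunk, where `$user_activation_hash` is passed to `writeNewUserToDatabase`. requestPasswordReset continues outside the hunk.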
@@ -50,8 +50,8 @@ public static function registerNewUser()
 // if Username or Email were false, return false
 if (!$return) return false;
- // generate random hash for email verification (40 char string)
- $user_activation_hash = random_bytes(40);
+ // generate random hash for email verification (40 bytes)
+ $user_activation_hash = bin2hex(random_bytes(40));
 // write user data to database
 if (!self::writeNewUserToDatabase($user_name, $user_password_hash, $user_email, time(), $user_activation_hash)) {