diff --git a/CHANGELOG b/CHANGELOG
index b17c176efef3985427f204325302977dc6017eb3..0356cad236123f5515a82e137064b354a8c6d359 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Was alles passiert
+## [0.0.2] - 02.12.2017
+### hinzugefügt
+- die Funktion pw_erstellen wurde hinzugefügt.
+
 ## [0.0.1] - 02.12.2017
 ### Upload Die BETA Version von VMS-SUEE 2 wurde veröffentlicht.
diff --git a/content/LKT_Rallysystem.php b/content/LKT_Rallysystem.php
index 8b24de70cb67b71bdc8ad5a6cbb061c1808122dd..1d491d18f8648140376cad8cad62dda22dafc130 100644
--- a/content/LKT_Rallysystem.php
+++ b/content/LKT_Rallysystem.php
@@ -1,6 +1,6 @@
 <?php
 // Variabeln
-$rallyname = mysqli_real_escape_string($_GET['rally']);
+$rallyname = mysqli_real_escape_string($sql_open,$_GET['rally']);
 $time = time();
 // Ralleydaten auslesen
 $rally = mysqli_fetch_array (db_query ('SELECT * FROM vms_rallydaten WHERE name = "' . $rallyname . '" LIMIT 1'));
diff --git a/index.php b/index.php
index 70dba26d97534cb35439490271c052738630ce90..06ba83bd841ad99399573591a2df9e69edb2f17d 100644
--- a/index.php
+++ b/index.php
@@ -150,7 +150,7 @@ $ts = strtotime($datetime);
 </li>
 <?php } ?>
 <?php
- if(isset($_SESSION['admin']){
+ if(isset($_SESSION['admin'])){
 if($_SESSION['admin'] == 1){
 echo '<li><a href="'.$domain.'/adminforce/index.php\">Adminforce</a></li>';
 }
diff --git a/install/index.php b/install/index.php
index a20d36fc7f336a975757d9015456a99837acbf0f..edbd40547c4fde86962d9445578a1fe5ba9e1c56 100644
--- a/install/index.php
+++ b/install/index.php
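Review bot: The new call still escapes `$_GET['rally']` without checking that the parameter exists, so a request without it passes null to mysqli_real_escape_string (a deprecation warning on PHP 8.1+) and the query on the last line then looks up an empty rally name; guard it first, `$rallyname = isset($_GET['rally']) ? mysqli_real_escape_string($sql_open, $_GET['rally']) : '';` and stop with an error when it is empty. Adding `$sql_open` is the correct repair for the missing link argument, but it assumes that variable is already in scope in this content file, which the hunk does not show. The escaping is sufficient only because the value is placed inside double quotes in the SQL string; a prepared statement with a bound parameter would remove that coupling.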
@@ -15,6 +15,9 @@ if(isset($_POST['datenbank_anlegen'])){
 //Datenbank Prefix
 $db_prefix = "'.$_POST['prefix'].'";
+ //Passwort zusatz
+ $pw_zusatz = '. create_code(5) .';
+
 //Datenbankverbindung herstellen
 $sql_open = @mysqli_connect($db_host, $db_user, $db_pass, $db_base) or die(\'Verbindung zum Mysql Server fehlgeschlagen! <br>Tipp: <a href="http://www.vms-tutorial.de/wiki//Lib/Functions">http://www.vms-tutorial.de/wiki//Lib/Functions</a>\');
 $sql_base = @mysqli_select_db($sql_open,$db_base) or die("Keine oder falsche Datenbank gewählt! Tipp: <br><a href=\'http://www.vms-tutorial.de/wiki//Lib/Functions\'>http://www.vms-tutorial.de/wiki//Lib/Functions</a>");
@@ -50,6 +53,12 @@ if(isset($_POST['datenbank_anlegen'])){
 }
 }
+ function pw_erstellen($pw){
+ global $pw_zusatz;
+ $pw_er = hash("sha256",$pw.$pw_zusatz);
+ return $pw_er;
+ }
+
 /**
 * db_close()
 *
diff --git a/install/mysql.txt b/install/mysql.txt
index 9ac2db2fee1f88fe6a1e3460732bc138054595d4..6bd1bd4b638c719e47c4eebeda7636614e21f0f2 100644
--- a/install/mysql.txt
+++ b/install/mysql.txt
@@ -194,7 +194,7 @@ CREATE TABLE IF NOT EXISTS `vms_interface` (
 CREATE TABLE IF NOT EXISTS `vms_kontodaten` (
 `uid` int(7) NOT NULL,
- `passwort` char(32) NOT NULL,
+ `passwort` char(100) NOT NULL,
 `status` tinyint(1) NOT NULL DEFAULT '0',
 `hinweis` longtext NOT NULL,
 `kontostand` double(100,2) NOT NULL DEFAULT '0.00',
diff --git a/lib/funktionen/konto/anmelden.php b/lib/funktionen/konto/anmelden.php
index 25bb0e4603a6cd2dc4ded121a1d59f35a2b6e819..87b4963630e3eca94d6d19835afe52ee22848259 100644
--- a/lib/funktionen/konto/anmelden.php
+++ b/lib/funktionen/konto/anmelden.php
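Review bot: The added `$pw_zusatz = '. create_code(5) .';` line sits inside what looks like the single-quoted template the installer writes to disk (the neighbouring lines use `\'` and the `$db_prefix` line wraps its value in double quotes), so the generated file would contain the code as a bare word, `$pw_zusatz = abc12;`, which PHP reads as an undefined constant (a warning plus the literal name on PHP 7, a fatal Error on PHP 8, and a parse error when the code starts with a digit). Quote it like the prefix line, `$pw_zusatz = "'. create_code(5) .'";`, or safer `$pw_zusatz = '. var_export(create_code(5), true) .';` so any character the generator emits is written correctly. A five-character value is also far too short for a secret that protects every stored password hash, and create_code's definition is not in the hunk, so whether it draws from a CSPRNG is unknown; `bin2hex(random_bytes(16))` would settle both. The enclosing `if(isset($_POST['datenbank_anlegen']))` block starts and ends outside the hunk.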
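Review bot: `pw_erstellen` is one unsalted SHA-256 over the password concatenated with a single site-wide pepper, so two users with the same password store identical hashes and a leaked table plus config can be brute-forced at hardware speed; `return password_hash($pw, PASSWORD_DEFAULT);` with `password_verify()` at login gives a per-user salt and a slow, tunable hash with no custom code. The function also depends on `global $pw_zusatz` and silently hashes with an empty pepper when that variable is unset (for example if the generated config is not loaded before this library), producing hashes that look valid but are unpeppered; it should refuse, `if (empty($pw_zusatz)) { trigger_error("pw_zusatz fehlt", E_USER_ERROR); }`. Moving to password_hash changes the verification side: the login query in lib/session.lib.php now matches `k.passwort` against the recomputed hash inside SQL, and would instead have to fetch the row by nickname and call password_verify on the stored value. The `\'` escaping on nearby lines suggests this definition is emitted into the generated library rather than defined in install/index.php itself; the enclosing if block is outside the hunk.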
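Review bot: `char(100)` holds the 64 hex characters that `pw_erstellen`'s SHA-256 produces, but it is too small for the argon2id strings password_hash() can emit and fixed-width CHAR is the wrong type for a variable-length hash; `passwort` varchar(255) NOT NULL` leaves room for any algorithm PHP later selects as PASSWORD_DEFAULT. This file is only the fresh-install schema, so existing installations keep `char(32)` and their md5 values, and nothing in the commit rehashes them, while the login query in lib/session.lib.php now compares against the new hash, so those rows will stop matching; an ALTER TABLE plus a verify-old-then-rehash step at login is needed for upgrades.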
@@ -46,7 +46,8 @@ if (!isset($ak)) $ak = "";
 if($meldung['error'] != 1){
 if ($_POST['newsletter'] == 0) $mailstatus = 0;
 if ($_POST['newsletter'] == 1) $mailstatus = 1;
- db_query("INSERT INTO ".$db_prefix."_kontodaten (passwort,status) VALUES ('".md5($_POST['passwort_1'])."','0')");
+ $pw = pw_erstellen($_POST['passwort_1']);
+ db_query("INSERT INTO ".$db_prefix."_kontodaten (passwort,status) VALUES ('". $pw ."','0')");
 $uid = mysqli_insert_id($sql_open);
 if ($_SESSION['werber'] == $uid) $_SESSION['werber'] = 0;
diff --git a/lib/session.lib.php b/lib/session.lib.php
index 1a0d13bf72478cf4609f53c589b9416a483509ac..455a9a125836877ee5fb9bc6fc02ca1670eed555 100644
--- a/lib/session.lib.php
+++ b/lib/session.lib.php
@@ -32,11 +32,12 @@ if ($pageconfig['wartung'] == 1 && $_SESSION['uid'] != $admin_id) {
 // Login
 if ($_POST['checkid'] == 'Login' && $_POST['nickname'] && $_POST['passwort']) {
 $_POST['nickname'] = addslashes($_POST['nickname']);
-
+
+ $pw = pw_erstellen($_POST['passwort']);
 $login_check = db_query("SELECT k.uid,k.passwort,k.status,k.hinweis FROM " . $db_prefix . "_userdaten u LEFT JOIN " . $db_prefix . "_kontodaten k ON k.uid=u.uid
-WHERE u.nickname='" . $_POST['nickname'] . "' AND k.passwort='" . md5($_POST['passwort']) . "' LIMIT 1");
+WHERE u.nickname='" . $_POST['nickname'] . "' AND k.passwort='" . $pw . "' LIMIT 1");
 if (mysqli_num_rows($login_check)) {
 $login_check = mysqli_fetch_array($login_check);
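Review bot: The rewritten INSERT still splices `$pw` into the SQL string; that is injection-safe today only because hash() returns hex digits, so the safety of this line depends on the output alphabet of whatever pw_erstellen happens to produce rather than on the query itself — bind it instead: `$stmt = mysqli_prepare($sql_open, "INSERT INTO ".$db_prefix."_kontodaten (passwort,status) VALUES (?,'0')"); mysqli_stmt_bind_param($stmt, 's', $pw); mysqli_stmt_execute($stmt);`. `$_POST['passwort_1']` is hashed with no visible presence or minimum-length check; that validation is presumably where `$meldung['error']` is set, outside the hunk, so confirm it rejects an empty password, since an empty string still hashes to a valid-looking value. The enclosing `if($meldung['error'] != 1)` block ends outside the hunk.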