From 8355f85e0a1e22f64248919a5759458ba897f0ee Mon Sep 17 00:00:00 2001 From: Thomas Lange Date: Sun, 20 Jun 2021 21:23:46 +0200 Subject: Call password_verify directly in login script --- admin/auth.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'admin/auth.php') diff --git a/admin/auth.php b/admin/auth.php index 8c6d5a6..9674563 100644 --- a/admin/auth.php +++ b/admin/auth.php @@ -30,8 +30,9 @@ if(Application::isAuthenticated()) { if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'username', 'password')) { try { $User = User\Factory::buildByUsername(HTTP::POST('username')); + $password = $User->getAttribute()->get('password'); - if($User->comparePassword(HTTP::POST('password'))) { + if(password_verify(HTTP::POST('password'), $password)) { $_SESSION['auth'] = $User->getID(); HTTP::redirect(Application::getAdminURL()); } -- cgit v1.2.3