Community Forum

Forum Replies Created

  • thibaut
    Participant
    # 2 years, 11 months ago

    I updated the code to use wordpress’ secure hash instead, this is working fully

    $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
                //if (empty($key))
                //{
                    // Generate something random for a key...
                    $key = wp_generate_password(20, false);
                    do_action('retrieve_password_key', $user_login, $key);
    
                    global $wp_hasher;
                    // Now insert the key, hashed, into the DB.
                    if ( empty( $wp_hasher ) ) {
                        require_once ABSPATH . WPINC . '/class-phpass.php';
                        $wp_hasher = new PasswordHash( 8, true );
                    }
    
                    $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
    
                    // Now insert the new md5 key into the db
                    $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user_login));
                //}
    thibaut
    Participant
    # 2 years, 11 months ago

    I found the issue in your code:

    in the file customer-area-login-form/src/php/wp-login-helper.class.php

    starting line 77 should be changed to this :

                $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
                //if (empty($key))
                //{
                    // Generate something random for a key...
                    $key = wp_generate_password(20, false);
                    do_action('retrieve_password_key', $user_login, $key);
    
                    // Now insert the new md5 key into the db
                    $wpdb->update($wpdb->users, array('user_activation_key' => time() . ':'. $key), array('user_login' => $user_login));
                //}

    First you should always regenerate the activation key on demand, second the time() needs to be added in front of the key in the DB separated by “:” in order to allow expiration and verification.

    pleaseĀ  correct this ASAP

Viewing 2 posts - 1 through 2 (of 2 total)