Improved handling of passwords (encrypt upon storage, clear when fetched)

[misc/kostenrechnung] / ajax / ajax.php

diff --git a/ajax/ajax.php b/ajax/ajax.php
index f095f92..014b213 100644 (file)
--- a/ajax/ajax.php
+++ b/ajax/ajax.php
@@ -21,6 +21,8 @@ function fetch($mask)
   foreach ($mask['edit'] as $field => $info)
     if ($info['type'] == 'boolean')
       $row[$field] = $row[$field]?true:false;
+    elseif ($info['type'] == 'passwd')
+      $row[$field] = '';
     elseif (array_key_exists('format', $info))
       $row[$field] = sprintf($info['format'], $row[$field]);
 
@@ -64,6 +66,9 @@ function save($mask)
       $update[] = sprintf("%s=%d", $field, $_POST[$field] == 'on'?1:0);
     } elseif ($info['type'] == 'number') {
       $update[] = sprintf("%s=%d", $field, $_POST[$field]);
+    } elseif ($info['type'] == 'passwd') {
+      if (!empty($_POST[$field]))
+       $update[] = sprintf("%s='%s'", $field, pg_escape_string(passwd($_SESSION['sys']['login'],$_POST[$field])));
     } else {
       $update[] = sprintf("%s='%s'", $field, pg_escape_string($_POST[$field]));
     }
@@ -95,6 +100,11 @@ function insert($mask)
     } elseif ($info['type'] == 'number') {
       $fields[] = $field;
       $values[] = intval($_POST[$field]);
+    } elseif ($info['type'] == 'passwd') {
+      if (!empty($_POST[$field])) {
+       $fields[] = $field;
+       $values[] = sprintf("'%s'", pg_escape_string(passwd($_SESSION['sys']['login'],$_POST[$field])));
+      }
     } else {
       $fields[] = $field;
       $values[] = sprintf("'%s'", pg_escape_string($_POST[$field]));