drupal 7 採用的是加鹽(salt)MD5碼來對用戶密碼進行加密,而不是以前drupal5和drupal6時代的簡單MD5加密方式。
這種新的加鹽(salt)MD5碼加密算法的大概情況可以參考這篇《浅谈MD5加密算法中的加盐值(SALT)》。
據說這種加密方式更安全喇~但是……
嗯,但是,在跟別的只使用MD5加密的程序共享用戶的時候問題就複雜了呢。
於是,小雪此次的任務是把drupal 7 用戶密碼的加密方式改回原來的簡單MD5加密。在這裡簡單記錄一下,參考官方論壇上某位大大提供的解決辦法。
- 備份SQL數據庫
- 清除所有緩存 (caches)
- 執行以下SQL命令:
DELETE FROM cache WHERE cid = 'variables'; DELETE FROM cache_bootstrap WHERE cid = 'variables';
- 在drupal程序的根目錄添加 tools.php 文件,文件內容如下:
"; define('DRUPAL_ROOT', getcwd()); try { include_once DRUPAL_ROOT . '/includes/database/database.inc'; include_once DRUPAL_ROOT . '/includes/cache.inc'; require_once DRUPAL_ROOT . '/includes/bootstrap.inc'; require_once DRUPAL_ROOT . '/includes/update.inc'; require_once DRUPAL_ROOT . '/includes/common.inc'; require_once DRUPAL_ROOT . '/includes/file.inc'; require_once DRUPAL_ROOT . '/includes/entity.inc'; require_once DRUPAL_ROOT . '/includes/unicode.inc'; require_once DRUPAL_ROOT . '/sites/default/settings.php'; echo "mode=" . $_REQUEST["mode"] . " "; if($_REQUEST["mode"] == "set-var") { variable_set($_REQUEST["name"], $_REQUEST["value"]); echo "variable '" . $_REQUEST["name"] . "' was set to '" . $_REQUEST["value"] . "'"; } else if($_REQUEST["mode"] == "get-var") { $var = variable_get($_REQUEST["name"]); echo "get variable '" . $_REQUEST["name"] . "' value= '" . $var . "'"; //NOT WORKING FOR SOME REASON BIU NOT REQUIRE FOR THIS CHANGE } }catch(Exception $e) { echo " error: "; echo $e->getMessage(); } ?> - 在瀏覽器中打開以下網址:
http://[drupal所在根目錄地址]/tools.php?mode=set-var&name=password_inc&value=includes/mypassword.inc
如果網頁顯示有 variable ‘password_inc’ was set to ‘includes/mypassword.inc’ 則成功 - 在drupal程序的includes文件夾下添加 mypassword.inc 文件,文件內容如下:
DEBUG mypassword.inc _password_crypt::password = '" . $password . "'"; return md5($password); } /** * Parse the log2 iteration count from a stored hash or setting string. */ function _password_get_count_log2($setting) { $itoa64 = _password_itoa64(); return strpos($itoa64, $setting[3]); } /** * Hash a password using a secure hash. * * @param $password * A plain-text password. * @param $count_log2 * Optional integer to specify the iteration count. Generally used only during * mass operations where a value less than the default is needed for speed. * * @return * A string containing the hashed password (and a salt), or FALSE on failure. */ function user_hash_password($password, $count_log2 = 0) { return _password_crypt($password); } /** * Check whether a plain text password matches a stored hashed password. * * Alternative implementations of this function may use other data in the * $account object, for example the uid to look up the hash in a custom table * or remote database. * * @param $password * A plain-text password * @param $account * A user object with at least the fields from the {users} table. * * @return * TRUE or FALSE. */ function user_check_password($password, $account) { $stored_hash = $account->pass; $hash = _password_crypt($password); //echo " DEBUG mypassword.inc user_check_password::stored_hash = '" . $stored_hash . "'"; //echo " DEBUG mypassword.inc user_check_password::hash = '" . $hash . "'"; return ($hash && $stored_hash == $hash); } /** * Check whether a user's hashed password needs to be replaced with a new hash. * * This is typically called during the login process when the plain text * password is available. A new hash is needed when the desired iteration count * has changed through a change in the variable password_count_log2 or * DRUPAL_HASH_COUNT or if the user's password hash was generated in an update * like user_update_7000(). * * Alternative implementations of this function might use other criteria based * on the fields in $account. * * @param $account * A user object with at least the fields from the {users} table. * * @return * TRUE or FALSE. */ function user_needs_new_hash($account) { // Check whether this was an updated password. if ((strlen($account->pass) != DRUPAL_HASH_LENGTH)) { return TRUE; } return FALSE; // Ensure that $count_log2 is within set bounds. //$count_log2 = _password_enforce_log2_boundaries(variable_get('password_count_log2', DRUPAL_HASH_COUNT)); // Check whether the iteration count used differs from the standard number. //return (_password_get_count_log2($account->pass) !== $count_log2); } ?> - 至此,已經將drupal7用戶密碼加密方式改為簡單的MD5了,現在可以移除剛才的tools.php文件了。
如果不成功,歡迎前往原帖查看debug方式XD 。小雪在生產和測試環境都是做一次就成功了,對不同的站點做也成功實現了,因此覺得這個變更應該不會太常出包吧XD。
需要注意的是,更改完了加密方式以後,原來的密碼就失效了~如果你跟小雪一樣在操作前就已經用user ID 1的賬號登錄了,並且保持活動狀態的話,在更改完密碼以後就可以直接在drupal後台對除此賬號外的用戶更改新密碼。也可以在SQL數據庫中直接更新相應的密碼,用update命令可以批量更新喔~