From dfa356e0c62797dd0ec8e5142e3a09dca989899a Mon Sep 17 00:00:00 2001
From: Miles Lott <milosch@alumni.egroupware.org>
Date: Thu, 5 Feb 2004 02:01:39 +0000
Subject: [PATCH] Fix smd5 password comparison for sql

---
 phpgwapi/inc/class.auth.inc.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/phpgwapi/inc/class.auth.inc.php b/phpgwapi/inc/class.auth.inc.php
index 8e7ce423f7..eafa80621d 100644
--- a/phpgwapi/inc/class.auth.inc.php
+++ b/phpgwapi/inc/class.auth.inc.php
@@ -216,10 +216,13 @@
 		{
 			/* Start with the first char after {SMD5} */
 			$hash = base64_decode(substr($db_val,6));
-			$new_hash = mhash(MHASH_MD5,$form_val);
+			$orig_hash = substr($hash, 0, 16);
+			$salt = substr($hash, 16);
+
+			$new_hash = mhash(MHASH_MD5,$form_val . $salt);
 			//echo '<br>  DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash);
 
-			if(strcmp($hash,$new_hash) == 0)
+			if(strcmp($orig_hash,$new_hash) == 0)
 			{
 				return True;
 			}