function user_update_7000 in Drupal 7
Increase the length of the password field to accommodate better hashes.
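Also re-hashes all currently stored passwords to improve security. Because only the existing MD5 digests are stored, not the plaintext passwords, it is those digests that are hashed again. This may be a lengthy process, so it is performed in batches.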
Related topics
File
- modules/user/user.install, line 420 - Install, update and uninstall functions for the user module.
Code
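/**
 * Widens {users}.pass and re-hashes stored MD5 password digests in batches.
 *
 * The first call only alters the schema and initialises the batch state. Each
 * later call processes up to 1000 accounts, and the call that finds no more
 * rows marks the update as finished.
 *
 * Security notes for reviewers:
 * - The value fed to user_hash_password() is the stored 32-character MD5 hex
 *   digest, not the plaintext password. The result is stored with a leading
 *   'U' so that such rows can be told apart from other hashes.
 * - The iteration exponent used here (11) is deliberately lower than
 *   DRUPAL_HASH_COUNT, so rows written by this update are stretched less than
 *   the site default. NOTE(review): presumably the login path recognises the
 *   'U' marker and re-hashes at the full cost on the next successful login;
 *   confirm in password.inc.
 * - Rows whose value is not exactly 32 lowercase hex characters are left
 *   untouched. This includes rows already converted by an earlier pass, since
 *   they start with 'U', so re-running a pass does not double-hash them.
 *
 * @param array $sandbox
 *   Batch state kept between calls. Uses 'user_from' (row offset of the next
 *   page), 'user_count' (row count of {users}) and '#finished' (progress, with
 *   1 meaning done).
 *
 * @return string|null
 *   A translated status message on the final pass, otherwise nothing.
 */
function user_update_7000(&$sandbox) {
  $sandbox['#finished'] = 0;
  // Lower than DRUPAL_HASH_COUNT to make the update run at a reasonable speed.
  $hash_count_log2 = 11;
  // Multi-part update.
  if (!isset($sandbox['user_from'])) {
    // First pass: make room for the longer hash strings before writing any.
    db_change_field('users', 'pass', 'pass', array(
      'type' => 'varchar',
      'length' => 128,
      'not null' => TRUE,
      'default' => '',
    ));
    $sandbox['user_from'] = 0;
    $sandbox['user_count'] = db_query("SELECT COUNT(uid) FROM {users}")
      ->fetchField();
  }
  else {
    // The hashing implementation is pluggable: the included file is named by
    // the 'password_inc' site variable, so whoever can set that variable
    // chooses the code that runs here.
    require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
    // Hash again all current hashed passwords.
    $has_rows = FALSE;
    // Update this many per page load.
    $count = 1000;
    $result = db_query_range("SELECT uid, pass FROM {users} WHERE uid > 0 ORDER BY uid", $sandbox['user_from'], $count);
    foreach ($result as $account) {
      $has_rows = TRUE;
      // If the $account->pass value is not a MD5 hash (a 32 character
      // hexadecimal string) then skip it.
      if (!preg_match('/^[0-9a-f]{32}$/', $account->pass)) {
        continue;
      }
      $new_hash = user_hash_password($account->pass, $hash_count_log2);
      // A falsy result leaves the original value in place for this account.
      if ($new_hash) {
        // Indicate an updated password.
        $new_hash = 'U' . $new_hash;
        db_update('users')
          ->fields(array(
            'pass' => $new_hash,
          ))
          ->condition('uid', $account->uid)
          ->execute();
      }
    }
    // Guard the progress ratio: a zero row count would otherwise divide by
    // zero, which is a fatal DivisionByZeroError on PHP 8.
    $sandbox['#finished'] = $sandbox['user_count'] > 0 ? $sandbox['user_from'] / $sandbox['user_count'] : 1;
    $sandbox['user_from'] += $count;
    if (!$has_rows) {
      $sandbox['#finished'] = 1;
      return t('User passwords rehashed to improve security');
    }
  }
}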