It is always interesting to look at various CMSes and how they implement security. For this post I’ll cover the methods eZ Publish uses up to (at least) release 4.6. This post is based on the following PHP class file: kernel\classes\datatypes\ezuser\ezuser.php. More information can be found there.

Various password constants and their use

The basis for this list is this static function:

static function createHash( $user, $password, $site, $type, $hash = false )

MD5 of password

        $str = md5( $password );

MD5 of user and password, which happens to be the default

        $str = md5( "$user\n$password" ); // notice the newline character!!!

MD5 of site, user and password

        $str = md5( "$user\n$password\n$site" ); // again, notice the newline characters!!!

Legacy support for MySQL hashed passwords

            $db = eZDB::instance();
            $hash = $db->escapeString( $password ); // pay close attention to any escapes

            $str = $db->arrayQuery( "SELECT PASSWORD( '$hash' )" );
            $hashes = array_values( $str[0] );
            $str = $hashes[0];

Passwords in plaintext; this should not be used for real sites

        $str = $password;

Crypted passwords

            if ( $hash ) // $hash is an input parameter initially set to false. Pay close attention to this.
                $str = crypt( $password, $hash );
            else
                $str = crypt( $password );
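The whole dispatch above, re-implemented as an added example (my own code, not eZ Publish's) so it can be run on its own, together with the login-side check that shows what the `$hash` parameter is for. Assumptions: the string type names are my own labels rather than eZUser's constants, the MySQL branch emulates the 4.1+ PASSWORD() function instead of querying a database, and, because PHP 8 no longer accepts crypt() without a salt, a SHA-512 crypt salt is generated when no stored hash is supplied.

```php
<?php
// Added example, not eZ Publish's code: the createHash() dispatch from ezuser.php as one
// self-contained function. Type names are my own labels, not eZUser's constants.
function ezStyleHash(string $user, string $password, string $site, string $type, $hash = false): string
{
    switch ($type) {
        case 'md5_password':
            return md5($password);
        case 'md5_user':                                   // the default in the original
            return md5("$user\n$password");                // newline between the parts
        case 'md5_site':
            return md5("$user\n$password\n$site");
        case 'mysql':
            // Stand-in for SELECT PASSWORD('...'): MySQL 4.1+ returns '*' . SHA1(SHA1(pw)) as upper-case hex.
            return '*' . strtoupper(sha1(sha1($password, true)));
        case 'plaintext':
            return $password;
        case 'crypt':
            // On login the stored hash is passed back in as $hash; crypt() takes the salt
            // from it and reproduces the stored string only if the password matches.
            if ($hash) {
                return crypt($password, $hash);
            }
            // The original calls crypt() with no salt; PHP 8 requires one, so a fresh
            // SHA-512 crypt salt is generated here instead (assumption, not the original's behaviour).
            return crypt($password, '$6$' . bin2hex(random_bytes(8)));
    }
    throw new InvalidArgumentException("unknown hash type: $type");
}

// Login check: recompute with the stored hash supplied as $hash and compare in constant time.
function verifyPassword(string $user, string $password, string $site, string $type, string $stored): bool
{
    return hash_equals($stored, ezStyleHash($user, $password, $site, $type, $stored));
}

// Constructed sample values.
$user = 'editor'; $pw = 'correct horse'; $site = 'example.com';

foreach (['md5_user', 'crypt'] as $type) {
    $stored = ezStyleHash($user, $pw, $site, $type);
    printf("%-8s %s\n", $type, $stored);
    printf("%-8s right password: %s\n", $type, verifyPassword($user, $pw, $site, $type, $stored) ? 'match' : 'no match');
    printf("%-8s wrong password: %s\n", $type, verifyPassword($user, 'wrong', $site, $type, $stored) ? 'match' : 'no match');
    // Renaming the account changes the md5_user input (the user name is part of it), so the old
    // hash stops verifying; the crypt hash is unaffected because only the password goes in.
    printf("%-8s renamed user:   %s\n", $type, verifyPassword('editor2', $pw, $site, $type, $stored) ? 'match' : 'no match');
}
```

The last check is the one a defender should keep in mind when auditing an md5_user deployment: the user name acts as the only salt, so it is both predictable to an attacker holding the table and fragile under account renames.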