User password gets lost if editing user account without setting new password
Create 1st account and set new password: all is OK.
But if I edit the account again without a new password, I get this warning:
md5() expects parameter 1 to be string, array given in C:\www.example.com\modules\user.module on line 113.
and the field "pass" of table "users" is empty.
Comment | File | Size | Author |
---|---|---|---|
#7 | password_confirm_array_0.patch | 1.03 KB | chx |
#5 | password_confirm_array.patch | 1.25 KB | Jaza |
Comments
Comment #1
killes@www.drop.org commented: Can't confirm that on an existing installation. Do you use any contrib modules?
Comment #2
rstamm commented: No contrib module.
Used only Drupal core HEAD.
Comment #3
killes@www.drop.org commented: php5?
Comment #4
rstamm commented: I can confirm it again.
Drupal core HEAD
Set up a fresh database.
Created 1st account.
It happens only if I edit the user account without a new password.
If I edit the user account again later with a new password, all is OK.
I use XAMPP with PHP 5.1.1 and MySQL 5.0.18.
Comment #5
Jaza commented: I can confirm that this is a real bug, and that it causes problems in PHP4 as well. The bug works differently in PHP4, but the problem is just as serious as in PHP5.
The problem is that password confirm fields are only getting converted from a 2-element array (with elements 'pass1' and 'pass2') into a single string, if the user enters a value in 'pass1'. If not, then the 'pass' element remains as an array, all the way until it gets passed into the md5() function. In PHP4, md5() seems to accept an array (I assume that it somehow converts it into a string), which results in the user's password getting set to an essentially random md5 hash. The only difference with PHP5, is that md5() won't accept the array that it gets passed - the problem is there and stuffs up the user's password in both systems.
Attached patch makes password confirm fields get converted from a 2-element array into a single string, whether or not 'pass1' is empty. This fixes the problem for me.
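The failure mode described in comment #5, as an added example that is neither the attached patch nor Drupal core code. The function names, the save step that hashes only a non-empty 'pass', and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Drupal core's.

// Before the fix: the confirm pair is collapsed only when pass1 is filled in.
function collapse_before(array $edit): array {
    if (is_array($edit['pass']) && $edit['pass']['pass1'] !== '') {
        $edit['pass'] = $edit['pass']['pass1'];
    }
    return $edit;
}

// After the fix: the pair is always collapsed, so 'pass' is always a string.
function collapse_after(array $edit): array {
    if (is_array($edit['pass'])) {
        $edit['pass'] = (string) $edit['pass']['pass1'];
    }
    return $edit;
}

// Assumed save step: hash and store 'pass' only when it is non-empty.
// A non-empty array also passes !empty(), which is how it can reach md5().
function columns_to_update(array $edit): array {
    $columns = [];
    if (!empty($edit['pass'])) {
        if (!is_string($edit['pass'])) {
            // Guard added for this demo: report the type instead of hashing it.
            return ['error' => 'pass is ' . gettype($edit['pass']) . ', not string'];
        }
        $columns['pass'] = md5($edit['pass']); // md5 mirrors the code discussed on this page
    }
    return $columns;
}

// Constructed form submissions: account edited without and with a new password.
$submissions = [
    'password left blank' => ['name' => 'admin', 'pass' => ['pass1' => '', 'pass2' => '']],
    'new password given'  => ['name' => 'admin', 'pass' => ['pass1' => 's3cret', 'pass2' => 's3cret']],
];

foreach ($submissions as $label => $edit) {
    foreach (['collapse_before', 'collapse_after'] as $collapse) {
        $result = columns_to_update($collapse($edit));
        echo "$label / $collapse: " . json_encode($result) . PHP_EOL;
    }
}
```

With the password left blank, only the `collapse_before` path lets the two-element array reach the hashing step; `collapse_after` yields an empty string, so no 'pass' column is written and the stored password is untouched.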
Comment #6
moshe weitzman commented: Code looks sane to me. I did not test.
Comment #7
chx commented: I did.
Comment #8
chx commented: No change in the patch, just rerolled to remove the offset.
Comment #9
jwilde commented: Tested on HEAD - it works for me.
Thank you
Comment #10
killes@www.drop.org commented: applied
Comment #11
rstamm commented