Do not blow away non-MD5 password hashes in user_update_7000()

Patch for D7 attached, it may apply cleanly to D8, let's see.

Right, this will only apply to D7 as user_update_7000() has been removed in D8.

Yeah that was one of my ideas to restrict to match only MD5 hashes.

re #6 - Dave Reid's last patch cross-posted with mine and uses the same approach (plus he has tests).

Note that using just the string values instead of preg_match() was > 5.x faster in a simple test locally (testing 4 different strings 100000 times each).

#5: 1205138-user-update-7000-non-md5.patch queued for re-testing.

The code comment doesn't seem to match what the code is doing there... we're not checking for md5(), we're checking for some weird $ mumbo jumbo.

This mumbo jumbo is *also* not explained, neither in this issue nor in this patch. What are we doing this for? Why are we checking that stuff? Is just checking for $ enough?

simple string inspection is much faster than preg match.

This is a purely useless optimization. The preg_match() here is already *way slower* then the db_query(), and all those are orders of magnitude slower then the hashing/stretching we do after that. There is absolutely no point in optimizing here.

[updated the summary]

Hmm, well a minor conumdrum is that we cannot actually add a D7 hash, since the D6 {users} table field is not long enough. Here's patch plus added assertion with a truncated hash.

Verified that assertion failed w/out patch and passes with patch from #15.

oops - left a git config in place to strip the patch prefix. Kind of silly the test bot totally rejects -p0 patches now.

Took some time to understand this patch, but now it makes 100% sense. Ready to fly, IMO.

@skottler, not sure I agree - I think the existing comment is grammatically correct.

fixed typo.

Automatically closed -- issue fixed for 2 weeks with no activity.