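 /**
  * Check a plaintext password against a stored "algorithm:iterations:salt:hash" string.
  *
  * The stored string is split on ":" and the PBKDF2 value is recomputed with
  * the recorded algorithm, salt and iteration count, then compared in constant
  * time. Any malformed stored value yields false rather than a PHP error.
  *
  * @param string $password     candidate plaintext
  * @param string $correct_hash stored value as produced by create_hash()
  * @return bool true only when the recomputed digest matches the stored one
  */
 public function validate_password($password, $correct_hash)
 {
     $params = explode(":", $correct_hash);
     if (count($params) < HASH_SECTIONS) {
         return false;
     }
     // Strict decoding: characters outside the base64 alphabet make the call
     // return false instead of being silently dropped. Without this, a corrupt
     // stored hash would reach strlen(false) below (deprecated / TypeError in PHP 8+).
     $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX], true);
     if ($pbkdf2 === false || $pbkdf2 === '') {
         return false;
     }
     // A non-positive iteration count can only come from a corrupt record;
     // refuse rather than derive a key from it.
     $iterations = (int) $params[HASH_ITERATION_INDEX];
     if ($iterations < 1) {
         return false;
     }
     $candidate = PasswordHash::pbkdf2(
         $params[HASH_ALGORITHM_INDEX],
         $password,
         $params[HASH_SALT_INDEX],
         $iterations,
         strlen($pbkdf2),
         true
     );
     // Constant-time comparison so the response time does not depend on how
     // many leading bytes matched.
     return PasswordHash::slow_equals($pbkdf2, $candidate);
 }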
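<?php

require_once 'db.php';
require_once 'PasswordHashClass.php';

# Account activation endpoint. The link carries ?user=<id>&key=<hmac>; the key
# is recomputed from the stored row and compared in constant time before the
# account is flagged as activated.

# Make sure params are in place or die!
if (!isset($_GET['user']) || !isset($_GET['key'])) {
    die("Missing some parameters here");
}

# Query strings can carry arrays (?key[]=x); anything that is not a plain
# string is treated as empty so slow_equals() never receives an array.
$userId = is_string($_GET['user']) ? $_GET['user'] : '';
$key    = is_string($_GET['key']) ? $_GET['key'] : '';

# Throw on SQL errors instead of returning false silently, and let MySQL bind
# parameters natively so PDO::PARAM_INT is honoured server-side.
$db = new PDO(
    'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8',
    DB_USER,
    DB_PASS,
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

# Retrieve user data
$userCheck = $db->prepare("SELECT * FROM ovr_lists_login WHERE user_id = :id");
$userCheck->bindValue(':id', (int) $userId, PDO::PARAM_INT);
$userCheck->execute();
# fetch() rather than rowCount(): PDO does not guarantee rowCount() for SELECT statements.
$user = $userCheck->fetch(PDO::FETCH_ASSOC);

if ($user !== false) {
    $activation_hash_string = $user['user_id'] . $user['user_name'] . $user['user_email'] . $user['user_password_hash'];
    $generatedActivation = urlencode(hash_hmac('sha256', $activation_hash_string, $user['user_password_hash']));
    # Constant-time comparison; slow_equals() returns a bool, so no "== 1" is needed.
    if (PasswordHash::slow_equals($generatedActivation, $key)) {
        $activateUser = $db->prepare("UPDATE ovr_lists_login SET activated = '1' WHERE user_id = :id");
        $activateUser->bindValue(':id', (int) $userId, PDO::PARAM_INT);
        if ($activateUser->execute()) {
            echo "<h1>Activation successful</h1>";
        } else {
            echo "<h1 style='color:red'>Activation failed</h1>";
        }
    } else {
        # A wrong key used to produce a blank page; report it like any other failure.
        echo "<h1 style='color:red'>Activation failed</h1>";
    }
}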
require_once 'PasswordHashClass.php';
require_once 'db.php';
require_once 'Mandrill.php';
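# Database handle for the reset flow. ERRMODE_EXCEPTION makes a failing
# prepare()/execute() throw instead of returning false, so a broken query is
# not reported to the user as "please try again"; native prepares keep
# parameter binding on the server side.
$db = new PDO(
    'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8',
    DB_USER,
    DB_PASS,
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);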
if (isset($_POST['key']) && isset($_POST['user_id'])) {
    $hashCheck = $db->prepare("SELECT * FROM ovr_lists_login WHERE user_id = :id");
    $hashCheck->bindParam("id", $_POST['user_id'], PDO::PARAM_STR);
    $hashCheck->execute();
    if ($hashCheck->rowCount() !== 1) {
        echo "Something went wrong, please try again.";
    } else {
        $user = $hashCheck->fetch(PDO::FETCH_ASSOC);
        $hash_string = $user['user_id'] . $user['user_name'] . $user['user_email'] . $user['user_password_hash'];
        $reset_hash = urlencode(hash_hmac('sha256', $hash_string, $user['user_password_hash']));
        if (PasswordHash::slow_equals($_POST['key'], $reset_hash) == 1) {
            $hashed_password = PasswordHash::create_hash($_POST['user_password']);
            $passwordReset = $db->prepare("UPDATE ovr_lists_login SET user_password_hash = :password_hash, activated = '1' WHERE user_id = :id");
            if ($passwordReset->execute(array("password_hash" => $hashed_password, "id" => $_POST['user_id']))) {
                echo "Password has been reset go to <a href='https://{$_SERVER['SERVER_NAME']}/login/login.php'>https://{$_SERVER['SERVER_NAME']}/login/login.php</a> to login";
            } else {
                echo "Password failed to update.";
            }
        }
    }
} else {
    if (isset($_POST['Reset']) && $_POST['user_name'] && isset($_POST['user_email'])) {
        $userCheck = $db->prepare("SELECT * FROM ovr_lists_login WHERE user_name = :user AND user_email = :email");
        $userCheck->bindParam("user", $_POST['user_name'], PDO::PARAM_STR);
        $userCheck->bindParam("email", $_POST['user_email'], PDO::PARAM_STR);
        $userCheck->execute();