verify() public method

Verifies a password against a stored hash using a timing-attack-resistant comparison
public verify ( $pw, $hash ) : boolean
$pw string
$hash string
return boolean
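 /**
  * Authenticate a user by e-mail and password and populate the session.
  *
  * @param string $username e-mail address submitted on the login form
  * @param string $password plain-text password submitted on the login form
  * @return array 'location' to redirect to, a 'status' message and a CSS 'class'
  */
 public function logIn($username, $password)
 {
     // Rate-limit by client IP: refuse further attempts once more than five
     // failures were recorded for this address within the last hour.
     $numFailedRequests = $this->dbConn->queryCount("SELECT COUNT(*) FROM `failed_logins` WHERE `ip` = " . $this->dbConn->quoteSmart($_SERVER['REMOTE_ADDR']) . " AND `date` > NOW() - INTERVAL 1 HOUR");
     if ($numFailedRequests > 5) {
         return array("location" => "index.php", "status" => "You have had too many unsuccessful login attempts. Please wait awhile and try again.", 'class' => 'error');
     }
     $bcrypt = new Bcrypt();
     $findUsername = $this->dbConn->queryFirstRow("SELECT `id`, `name`, `facility_id`, `usermask`, `password_hash` FROM `users` WHERE `email` = " . $this->dbConn->quoteSmart($username) . " LIMIT 1");
     // Unknown e-mail and wrong password deliberately produce the same message
     // so the response text does not reveal which accounts exist.
     // NOTE(review): log_failed_login() is handed the submitted plaintext
     // password; if it is persisted, a mistyped real password lands in the
     // failure log. Logging only the username would avoid that.
     // NOTE(review): the unknown-e-mail path skips the bcrypt check, so it
     // responds measurably faster than a wrong password; confirm whether that
     // timing difference is acceptable.
     if (!$findUsername) {
         $this->dbConn->log_failed_login($username, $password);
         return array("location" => "index.php", "status" => "Could not log in with the supplied credentials.", 'class' => 'error');
     }
     if (!$bcrypt->verify($password, $findUsername['password_hash'])) {
         $this->dbConn->log_failed_login($username, $password);
         return array("location" => "index.php", "status" => "Could not log in with the supplied credentials.", 'class' => 'error');
     }
     // Record the address of this successful login; the result is not needed.
     $this->dbConn->stdQuery("UPDATE `users` SET `last_ip` = " . $this->dbConn->quoteSmart($_SERVER['REMOTE_ADDR']) . " WHERE `id` = " . intval($findUsername['id']) . " LIMIT 1");
     // NOTE(review): the session id is not regenerated on login; consider
     // session_regenerate_id(true) here if a session is active.
     $_SESSION['id'] = $findUsername['id'];
     $_SESSION['name'] = $findUsername['name'];
     $_SESSION['facility_id'] = $findUsername['facility_id'];
     $_SESSION['usermask'] = $findUsername['usermask'];
     $this->id = intval($findUsername['id']);
     $this->facility['id'] = intval($findUsername['facility_id']);
     $this->usermask = intval($findUsername['usermask']);
     return array("location" => "main.php", "status" => "Successfully logged in.", 'class' => 'success');
 }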
 /**
  * A hash produced at the default cost must verify and must not be reported
  * as needing a rehash when checked against that same cost.
  */
 function testDontNeedRehash()
 {
     $bcrypt = new Bcrypt();
     $freshHash = $bcrypt->hash('test');
     $verified = $bcrypt->verify('test', $freshHash);
     $this->assertEquals(true, $verified);
     $rehashNeeded = $bcrypt->needsRehash($freshHash, $bcrypt->getCost());
     $this->assertEquals(false, $rehashNeeded);
 }
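 /**
  * Validate the user password against a stored hash.
  *
  * The comparison scheme is selected by $this->method: 'md5' and 'sha1'
  * compare against a digest of $this->salt followed by the password,
  * 'bcrypt' delegates to Bcrypt. Legacy digests are compared with
  * hash_equals() so that PHP's loose == cannot treat two numeric-looking
  * digests (e.g. "0e...") as equal, and so the comparison does not stop at
  * the first differing byte.
  *
  * @author Arvind Singh
  * @access public
  *
  * @param string $password Password string
  * @param string $hash     Hash string
  *
  * @return boolean true when the password matches; false otherwise,
  *                 including when $this->method is not recognised
  */
 public function verify($password, $hash)
 {
     if ($this->method == 'md5') {
         // NOTE(review): salted md5/sha1 digests are weak; kept for existing
         // records, new passwords should go through the bcrypt path.
         return hash_equals(md5($this->salt . $password), (string) $hash);
     }
     if ($this->method == 'sha1') {
         return hash_equals(sha1($this->salt . $password), (string) $hash);
     }
     if ($this->method == 'bcrypt') {
         $bcrypt = new Bcrypt();
         $bcrypt->setCost(14);
         return $bcrypt->verify($password, $hash);
     }
     // An unknown scheme previously fell off the end and returned null;
     // never accept in that case.
     return false;
 }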
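 /**
  * Handle the login form: verify the submitted password against the stored
  * hash for the submitted username and open the session on success.
  */
 public function doPostAction()
 {
     // Form fields are untrusted: a missing field must not raise an
     // undefined-index notice, and only a string can be verified.
     $username = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
     $password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
     $bcrypt = new Bcrypt(15);
     if ($bcrypt->verify($password, $this->User->getUserPassword($username))) {
         // NOTE(review): the session id is not regenerated on login; consider
         // session_regenerate_id(true) here if a session is active.
         $_SESSION['username'] = $username;
         $this->sendMainPage();
     } else {
         $this->setMessage('Data login Anda salah!');
         $this->sendLoginPage();
     }
 }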
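 /**
  * Handle the super-admin change-password form.
  *
  * The current password must verify against the stored hash, the two new
  * entries must agree, and an empty new password is never stored. Failures
  * and exceptions are reported through setMessage().
  */
 public function doPostAction()
 {
     $bcrypt = new Bcrypt(15);
     $this->setView('admin/change_password');
     // Form fields are untrusted: substitute '' for absent or non-string
     // values instead of relying on undefined-index notices.
     $oldPassword = isset($_POST['old_password']) && is_string($_POST['old_password']) ? $_POST['old_password'] : '';
     $newPassword = isset($_POST['new_password']) && is_string($_POST['new_password']) ? $_POST['new_password'] : '';
     $verification = isset($_POST['new_password_verification']) && is_string($_POST['new_password_verification']) ? $_POST['new_password_verification'] : '';
     try {
         $username = $this->Setting->getSuperAdminUserName();
         $oldPasswordOk = $bcrypt->verify($oldPassword, $this->User->getUserPassword($username));
         if ($oldPasswordOk && $newPassword !== '' && $newPassword === $verification) {
             $superuser = array('username' => $username, 'password' => $bcrypt->hash($newPassword));
             $this->User->updateRecord($superuser);
             $this->setMessage('Password berhasil diganti.');
         } else {
             $this->setMessage('Password yang Anda masukkan tidak sama!');
         }
     } catch (Exception $e) {
         $this->setMessage('Password gagal diganti: ' . $e->getMessage());
     }
 }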
<?php
// Hash a plain text at cost 15, then verify the same plain text against it.
$cost = 15;
$plainText = 'password';
$bcrypt = new Bcrypt($cost);
$hash = $bcrypt->hash($plainText);
$isGood = $bcrypt->verify($plainText, $hash);
class Bcrypt
{
    private $_ci;
    /**
     * Refuse to construct unless crypt() supports Blowfish, then record the
     * requested rounds and attach the object returned by get_instance().
     *
     * NOTE(review): hash() later calls getSalt() on $this->_ci rather than on
     * $this, although this class declares its own private getSalt(); confirm
     * which is intended.
     *
     * @param int $_ci bcrypt cost (rounds), default 12
     * @throws Exception when Blowfish is not available
     */
    public function __construct($_ci = 12)
    {
        $blowfishAvailable = (CRYPT_BLOWFISH == 1);
        if (!$blowfishAvailable) {
            throw new Exception("bcrypt not supported in this installation. See http://php.net/crypt");
        }
        $this->rounds = $_ci;
        $this->_ci =& get_instance();
    }
    /**
     * Hash $input with a salt obtained from $this->_ci->getSalt().
     *
     * A failed crypt() call yields only a short marker string, so anything of
     * 13 bytes or fewer is treated as failure.
     *
     * @param string $input plain text to hash
     * @return string|false the hash, or false when crypt() failed
     */
    public function hash($input)
    {
        $result = crypt($input, $this->_ci->getSalt());
        return strlen($result) > 13 ? $result : false;
    }
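    /**
     * Check whether $input reproduces $existingHash.
     *
     * Re-running crypt() with the stored hash as salt yields the stored value
     * only for the right input. The result is compared with hash_equals()
     * rather than ===, so the comparison time does not depend on how many
     * leading bytes matched.
     *
     * @param string $input        plain text to check
     * @param string $existingHash stored hash (also acts as the salt)
     * @return bool true when the input matches the stored hash
     */
    public function verify($input, $existingHash)
    {
        // hash_equals() requires strings; normalise null/other values first.
        $existingHash = (string) $existingHash;
        $recomputed = crypt((string) $input, $existingHash);
        return hash_equals($existingHash, $recomputed);
    }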
    private function getSalt()
    {
 /**
  * Hash a plain-text password and round-trip it: only a hash that verifies
  * against its own input is handed back.
  *
  * @param string $plaintextpwd plain-text password
  * @return string|false the bcrypt hash, or false when it failed to verify
  */
 public function hash_password($plaintextpwd)
 {
     $bcrypt = new Bcrypt(15);
     $generatedHash = $bcrypt->hash($plaintextpwd);
     if (!$bcrypt->verify($plaintextpwd, $generatedHash)) {
         return false;
     }
     return $generatedHash;
 }
 /**
  * Determine whether a cleartext password matches a previously generated
  * hash.
  *
  * The application-wide value config('auth.salt') is appended to the
  * cleartext before verification, presumably mirroring hashPassword().
  *
  * @param string $cleartext  cleartext password
  * @param string $storedHash a previously-generated hash of that password
  * @return bool true if the password and the hash are paired
  * @see ApplicationHelper::hashPassword
  */
 public static function verifyPassword($cleartext, $storedHash)
 {
     $peppered = $cleartext . config('auth.salt');
     $verifier = new Bcrypt(12);
     return $verifier->verify($peppered, $storedHash);
 }
         if (!mysql_query($sql)) {
             echo json_encode(array('ok' => false, 'error' => mysql_error(), 'step' => '5.1'));
             exit;
         }
     }
     if ($key) {
         $saved_email = $email;
         $sql = sprintf('UPDATE ownership SET `key`="%s" WHERE `name`="%s"', mysql_real_escape_string($bcrypt->hash($key)), mysql_real_escape_string($name));
         if (!mysql_query($sql)) {
             echo json_encode(array('ok' => false, 'error' => mysql_error(), 'step' => '5.2'));
             exit;
         }
     }
     // (2.2) check bcrypt passsowrd matches
 } else {
     if ($bcrypt->verify($key, $hashed)) {
         // otherwise username & password were okay, update their details (including email addy)
         $ok = true;
         $sql = sprintf('UPDATE ownership SET `last_login`=NOW() WHERE `name`="%s"', mysql_real_escape_string($name));
         // (2.2.1) logged in, also update their email address
         if ($email && $home) {
             $sql = sprintf('UPDATE ownership SET `email`="%s", `last_login`=NOW() WHERE `name`="%s"', mysql_real_escape_string($email), mysql_real_escape_string($name));
             $saved_email = $email;
         }
         if (!mysql_query($sql)) {
             echo json_encode(array('ok' => false, 'error' => mysql_error(), 'step' => '2.2.1'));
             exit;
         }
     } else {
         // (2.3) found username, but the password didn't match
         if ($email && !$home) {
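    /**
     * Verify a password against a stored hash, accepting either a
     * password_hash()/bcrypt hash or a legacy unsalted sha1 digest.
     *
     * Legacy digests are compared with === : the previous loose == let PHP
     * treat two numeric-looking strings such as "0e..." as equal.
     *
     * @param string $password plain-text password
     * @param string $hash     stored hash or sha1 digest
     * @return bool true when the password matches
     */
    function osc_verify_password($password, $hash) {
        $hash = (string) $hash;
        if(version_compare(PHP_VERSION, '5.3.7')>=0) {
            return password_verify($password, $hash) || sha1($password) === $hash;
        }

        require_once LIB_PATH . 'Bcrypt.php';
        if(CRYPT_BLOWFISH==1) {
            $bcrypt = new Bcrypt(BCRYPT_COST);
            return $bcrypt->verify($password, $hash) || sha1($password) === $hash;
        }
        return sha1($password) === $hash;
    }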
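    case "login":
        test_csrf();
        // Form fields are untrusted: take only strings, default to ''.
        $user = isset($_POST['user']) && is_string($_POST['user']) ? $_POST['user'] : '';
        $pass = isset($_POST['pass']) && is_string($_POST['pass']) ? $_POST['pass'] : '';
        // $frase is prepended to the password before hashing; stored hashes are
        // assumed to have been produced the same way — confirm against the
        // registration path.
        $secret = $frase . $pass;
        $gen = new Bcrypt(12);
        $pdo2 = new crud();
        $pdo2->conn();
        $stmt = $pdo2->db->prepare("select * FROM userronin WHERE login = ?  ");
        $stmt->bindValue(1, $user, PDO::PARAM_STR);
        $stmt->execute();
        $res = $stmt->fetchAll();
        // The previous check verified a freshly generated hash against the
        // stored one and compared the boolean result to the string "false",
        // which never matched, so every attempt was accepted. Verify the
        // submitted secret instead, and reject an unknown login (no row) the
        // same way as a wrong password.
        if (empty($res) || !$gen->verify($secret, $res[0]['pass'])) {
            print "<img src=\"../view/images/alerta.png\">\n            <h1>ERROR at auth  05</h1> \n            <meta HTTP-EQUIV='refresh' CONTENT='2; URL=../view/login.php'>";
            exit;
        }
        // Only a successful authentication populates the session.
        // NOTE(review): the session id is not regenerated on login; consider
        // session_regenerate_id(true) here. $_SESSION['passronin'] is kept
        // for code that may read it, but it is not needed for authentication.
        $_SESSION['userronin'] = $user;
        $bcrypt_hash = $gen->hash($secret);
        $_SESSION['passronin'] = $bcrypt_hash;
        // Row of the authenticated user (the previous code read an undefined $r).
        $r = $res[0];
        $janela = '    		<div class="portlet portlet-closable x4">	
				<div class="portlet-header">
					<h4>Login manager</h4> 
				</div> <!-- .portlet-header -->		
				<div class="portlet-content">
                                ';
        $var = "<p><b>Login:</b>" . $r['login'] . " <br> <b>owner:</b>" . $r['owner'];
        $bemvindo = "Welcome to Ooze tool</p>";
        $values = array('last_ip' => "???");
        //fix it
        $crud->Update('userronin', $values, 'id', $r['id']);
        $page->conteudo = $janela . " <br>" . $bemvindo . "<meta HTTP-EQUIV='refresh' CONTENT='1; URL=auth.php?page=conta'></div></div>";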
<?php

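// register_globals lets request parameters overwrite local variables; refuse to run with it on.
if (ini_get('register_globals')) {
    exit("<center><h3>Error: Turn that damned register globals off!</h3></center>");
}
// This file is only meant to be pulled in by a front controller that defines CAN_INCLUDE.
if (!defined('CAN_INCLUDE')) {
    exit("<center><h3>Error: Direct access denied!</h3></center>");
}
// Only a string can be verified; an array-valued field is treated as no submission.
if (isset($_POST['password']) && is_string($_POST['password'])) {
    require ROOT . 'include/func_crypt_random.php';
    require ROOT . 'include/class_bcrypt.php';
    $bcrypt = new Bcrypt(12);
    // password.php is expected to define $hash, the stored hash.
    require 'password.php';
    if ($bcrypt->verify($_POST['password'], $hash)) {
        // NOTE(review): the session id is not regenerated on successful login;
        // consider session_regenerate_id(true) here.
        $_SESSION['auth'] = true;
    } else {
        echo '<span style="color: red">Entered password was wrong!</span><br><br>';
    }
}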
if (!isset($_SESSION['auth'])) {
    if (!file_exists('password.php')) {
        echo 'password.php not found<br>';
        echo 'first <a href=gen_pass_hash.php>create a password</a>';
        exit;
    } else {
        require 'password.php';
        if ($hash === '') {
            return;
        }
        require ROOT . 'include/login_form.php';
        exit;
 /**
  * Debug action: hash each entry of a fixed list of sample passwords, verify
  * it against its own hash and print the triple as preformatted output.
  */
 public function actionPass()
 {
     $bcrypt = new Bcrypt(12);
     $samples = array('xaby', 'marina', 'arturo', 'dani', 'pedro', 'manu', 'rober', 'marcos', 'alex', 'samu');
     $result = array();
     foreach ($samples as $sample) {
         $sampleHash = $bcrypt->hash($sample);
         $roundTripOk = $bcrypt->verify($sample, $sampleHash);
         $row = array('pass' => $sample, 'hash' => $sampleHash, 'check' => $roundTripOk);
         echo '<pre>';
         print_r($row);
         echo '</pre>';
     }
 }
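 // NOTE(review): $unvalue is interpolated directly into SQL here and below;
 // db_get() shows no parameter binding, so this is injectable unless the
 // caller has already escaped it. Prefer a bound parameter if db_get supports it.
 $emailmatches = db_get("SELECT 1 FROM login_user WHERE upper(email) = upper('{$unvalue}')", 'column');
 // Resolve which column the submitted value matched: username first, then e-mail.
 if (!empty($unmatches[1])) {
     $field = 'username';
 } elseif (!empty($emailmatches[1])) {
     $field = 'email';
 } else {
     // NOTE(review): this message confirms whether an account exists.
     // The submitted value is escaped before being echoed back into HTML.
     $form->errors[] = "No user found with username or email <strong>" . htmlspecialchars($unvalue, ENT_QUOTES, 'UTF-8') . "</strong>";
     $form->valid = false;
 }
 if (isset($field)) {
     $userrow = db_get("SELECT * FROM login_user WHERE upper({$field}) = upper('{$unvalue}')", 'row');
     // A missing row/column must not raise notices; an empty hash never verifies.
     $passhashvalue = isset($userrow[0]['PASS']) ? $userrow[0]['PASS'] : '';
     // NOTE(review): $_REQUEST also accepts the password from the query string
     // or cookies; only a string value is accepted here.
     $submittedPassword = isset($_REQUEST['password']) && is_string($_REQUEST['password']) ? $_REQUEST['password'] : '';
     $bcrypt = new Bcrypt(15);
     $isGood = $bcrypt->verify($submittedPassword, $passhashvalue);
     if ($isGood) {
         $form->successMessage = "Successfully logged on! If you are not redirected, please <a href='welcome.php'>click here</a>";
         $user = new LoginUser();
         $user->setFromArray($userrow[0]);
         $user->sessionSet();
         // Return to the page that sent the user here, unless it is this one.
         $redirect = "welcome.php";
         if (isset($_SESSION["referring_page"]) && $_SESSION["referring_page"] != $_SERVER['REQUEST_URI']) {
             $redirect = $_SESSION["referring_page"];
         }
         header("Location: {$redirect}");
     } else {
         $form->errors[] = "Wrong password";
         $form->valid = false;
     }
 }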
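 /**
  * Validate a password for this account.
  *
  * The account is identified either by the populated object ($this->id) or
  * by an explicit $username. Accounts without a bcrypt hash are checked
  * against their stored md5 digest and upgraded via setPassword() on
  * success; all others are checked with Bcrypt. The third consecutive
  * failure sets an InvalidAuthTimeout ten minutes ahead.
  *
  * @since Version 3.8.7
  * @param string       $password plain-text password to check
  * @param string|false $username account name when this object is not loaded
  * @return boolean true when the password matches
  * @throws Exception when no password or no identifiable user is supplied,
  *                   when $username disagrees with the loaded account, or
  *                   when the account is locked out
  */
 public function validatePassword($password = false, $username = false)
 {
     /**
      * Check for a valid password
      */
     if (!$password || empty($password)) {
         throw new Exception("Cannot validate password - no password was provided");
     }
     /**
      * Check for a supplied userame or if this object is populated
      */
     if ((!$username || empty($username)) && (!filter_var($this->id, FILTER_VALIDATE_INT) || $this->id < 1)) {
         throw new Exception("Cannot validate password for user because we don't know which user this is");
     }
     /**
      * Check if a supplied username matches the username in this populated object
      */
     if ($username && !empty($username) && !empty($this->username) && $this->username != $username) {
         throw new Exception("The supplied username does not match the username given for this account. Something dodgy's going on...");
     }
     /**
      * Create a temporary instance of the requested user for logging purposes
      */
     $TmpUser = filter_var($this->id, FILTER_VALIDATE_INT) ? new User($this->id) : new User($username);
     /**
      * Get the stored password for this username. Initialise first so the
      * comparison below never reads undefined variables.
      */
     $stored_user_id = null;
     $stored_password = null;
     $stored_password_bcrypt = null;
     if ($username && !empty($username) && empty($this->username)) {
         $query = "SELECT user_id, user_password, user_password_bcrypt FROM nuke_users WHERE username = ?";
         $row = $this->db->fetchRow($query, $username);
         $stored_user_id = $row['user_id'];
         $stored_password = $row['user_password'];
         $stored_password_bcrypt = $row['user_password_bcrypt'];
     } elseif (!empty($this->password)) {
         $stored_user_id = $this->id;
         $stored_password = $this->password;
         $stored_password_bcrypt = $this->password_bcrypt;
     }
     /**
      * Check if the invalid auth timeout is in effect
      */
     if (isset($TmpUser->meta['InvalidAuthTimeout'])) {
         if ($TmpUser->meta['InvalidAuthTimeout'] <= time()) {
             unset($TmpUser->meta['InvalidAuthTimeout']);
             unset($TmpUser->meta['InvalidAuthCounter']);
             $TmpUser->commit();
             $this->refresh();
         } else {
             $TmpUser->addNote("Login attempt while InvalidAuthTimeout is in effect");
             throw new Exception("You've attempted to log in with the wrong password too many times. We've temporarily disabled your account to protect it against hackers. Please try again soon. <a href='/account/resetpassword'>Can't remember your password?</a>");
         }
     }
     /**
      * Load the BCrypt class
      */
     require_once "includes/bcrypt.class.php";
     $BCrypt = new \Bcrypt(RP_BCRYPT_ROUNDS);
     /**
      * Strip excess whitespace from the password
      */
     $password = trim($password);
     /**
      * Try to validate the password.
      *
      * The legacy branch previously used an assignment
      * ($stored_password = md5($password)) instead of a comparison; an md5
      * digest is always truthy, so any password was accepted for accounts
      * without a bcrypt hash. It is now a strict comparison.
      */
     if ((empty($stored_password_bcrypt) && $stored_password === md5($password)) || $BCrypt->verify($password, $stored_password_bcrypt)) {
         /**
          * Password validated! If we haven't populated this user object, do it now
          */
         if (!filter_var($this->id, FILTER_VALIDATE_INT)) {
             $this->load($stored_user_id);
         }
         /**
          * No bcrypt password - set it
          */
         if (empty($stored_password_bcrypt)) {
             $this->setPassword($password);
         }
         /**
          * Reset the InvalidAuthCounter
          */
         unset($this->meta['InvalidAuthCounter']);
         unset($this->meta['InvalidAuthTimeout']);
         $this->commit();
         return true;
     }
     /**
      * Unsuccessful login attempt - bump up the invalid auth counter
      */
     if (!isset($TmpUser->meta['InvalidAuthCounter'])) {
         $TmpUser->meta['InvalidAuthCounter'] = 0;
     }
     $TmpUser->meta['InvalidAuthCounter']++;
     $TmpUser->addNote(sprintf("Invalid login attempt %d", $TmpUser->meta['InvalidAuthCounter']));
     $TmpUser->commit();
     $this->refresh();
     if ($TmpUser->meta['InvalidAuthCounter'] == 3) {
         $TmpUser->meta['InvalidAuthTimeout'] = strtotime("+10 minutes");
         $TmpUser->addNote("Too many invalid login attempts - account disabled for ten minutes");
         $TmpUser->commit();
         $this->refresh();
         throw new Exception("You've attempted to log in with the wrong password too many times. As a result, we're disabling this account for the next ten minutes. <a href='/account/resetpassword'>Can't remember your password?</a>");
     }
     $this->reset();
     return false;
 }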
    $bcrypt->hash($password);
}
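/**
 * Verify a plain-text password against a stored hash using the script-level
 * $bcrypt instance.
 *
 * NOTE(review): this declares a function named password_verify, which
 * collides with the built-in of the same name on PHP 5.5+ (a fatal
 * redeclaration there); rename it if the script must run on modern PHP.
 *
 * @param string $password plain-text password
 * @param string $hash     stored hash
 * @return bool true when the password matches
 */
function password_verify($password, $hash)
{
    // The previous body discarded the result and used $bcrypt without bringing
    // it into function scope, so callers always received null.
    global $bcrypt;
    return $bcrypt->verify($password, $hash);
}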
// Debug mode is switched on by a ?debug=<text> query parameter; the text is
// hashed here so it can be displayed and re-verified further down.
$debug = isset($_GET['debug']) ? 1 : 0;
if ($debug) {
    $hash = $bcrypt->hash($_GET['debug']);
}
if ($debug) {
    echo "<fieldset><legend>Should return 1</legend>";
    echo $hash . "<br>";
    $isGood = $bcrypt->verify($_GET['debug'], $hash);
    echo "&rarr; " . $isGood;
    echo "</fieldset>";
    echo "<fieldset><legend>Should return 0</legend>";
    echo $hash . "<br>";
    $hash = "sdfsdf";
    $isGood = $bcrypt->verify($_GET['debug'], $hash);
    echo "&rarr; " . $isGood;
    echo "</fieldset>";
    if (isset($_GET['compare'])) {
        $hash = $_POST['compare'];
        echo "<fieldset><legend>Manual comparison</legend>";
        echo '<form action="" method="post">';
        echo "<input type='text' name='compare' />";
        echo "<input type='submit'/>";
        echo '</form>';
 /**
  * Check whether the given password is valid against the password stored for
  * this object ($this->pass).
  *
  * @param string $clave password to check
  * @return bool true when the password matches the stored hash
  */
 public function comprobarClave($clave)
 {
     $verifier = new Bcrypt(self::BCRYPT_ROUNDS);
     return $verifier->verify($clave, $this->pass);
 }
/**
 * Convenience function for verifying a plain-text input against a stored
 * Bcrypt hash.
 *
 * @see Bcrypt::verify()
 *
 * @param string $plainText      The plain-text password to verify.
 * @param string $hashedPassword The stored hash.
 * @return bool True if the password matches; false otherwise.
 */
function verify($plainText, $hashedPassword)
{
    // Prefix and round count need not be given explicitly: the stored hash
    // carries them, so a default-constructed instance is sufficient.
    $verifier = new Bcrypt();
    $matches = $verifier->verify($plainText, $hashedPassword);
    return $matches;
}