/**
* Hash a password.
*
* To use multiple algorithms in series, provide them as an array.
* Salted algorithms such as bcrypt, pbkdf2, or portable must be used last.
* On error, false will be returned.
*
* @param string $password
* @param string|array $algos (optional)
* @param string $salt (optional)
* @return string|false
*/
public static function hashPassword($password, $algos = null, $salt = null)
{
// If the algorithm is null, use the default algorithm.
if ($algos === null) {
$algos = self::getDefaultAlgorithm();
}
// Initialize the chain of hashes.
$algos = array_map('strtolower', array_map('trim', is_array($algos) ? $algos : explode(',', $algos)));
$hashchain = preg_replace('/\\s+/', ' ', trim($password));
// Apply the given algorithms one by one.
foreach ($algos as $algo) {
switch ($algo) {
// bcrypt (must be used last)
case 'bcrypt':
$hashchain = self::bcrypt($hashchain, $salt, self::getWorkFactor());
if ($hashchain[0] === '*') {
return false;
}
return $hashchain;
// PBKDF2 (must be used last)
// PBKDF2 (must be used last)
case 'pbkdf2':
if ($salt === null) {
$salt = Security::getRandom(12, 'alnum');
$hash_algorithm = 'sha512';
$iterations = intval(pow(2, self::getWorkFactor() + 5)) ?: 16384;
$key_length = 24;
} else {
$parts = explode(':', $salt);
$salt = $parts[2];
$hash_algorithm = $parts[0];
$iterations = intval($parts[1], 10);
$key_length = strlen(base64_decode($parts[3]));
}
return self::pbkdf2($hashchain, $salt, $hash_algorithm, $iterations, $key_length);
// phpass portable algorithm (must be used last)
// phpass portable algorithm (must be used last)
case 'portable':
$phpass = new \Hautelook\Phpass\PasswordHash(self::getWorkFactor(), true);
if ($salt === null) {
$hashchain = $phpass->HashPassword($hashchain);
return $hashchain;
} else {
$match = $phpass->CheckPassword($hashchain, $salt);
return $match ? $salt : false;
}
// Drupal's SHA-512 based algorithm (must be used last)
// Drupal's SHA-512 based algorithm (must be used last)
case 'drupal':
$hashchain = \VendorPass::drupal($password, $salt);
return $hashchain;
// Joomla's MD5 based algorithm (must be used last)
// Joomla's MD5 based algorithm (must be used last)
case 'joomla':
$hashchain = \VendorPass::joomla($password, $salt);
return $hashchain;
// KimsQ Rb algorithms (must be used last)
// KimsQ Rb algorithms (must be used last)
case 'kimsqrb':
$hashchain = \VendorPass::kimsqrb($password, $salt);
return $hashchain;
// crypt() function (must be used last)
// crypt() function (must be used last)
case 'crypt':
if ($salt === null) {
$salt = Security::getRandom(2, 'alnum');
}
$hashchain = crypt($hashchain, $salt);
return $hashchain;
// MS SQL's PWDENCRYPT() function (must be used last)
// MS SQL's PWDENCRYPT() function (must be used last)
case 'mssql_pwdencrypt':
$hashchain = \VendorPass::mssql_pwdencrypt($hashchain, $salt);
return $hashchain;
// MySQL's old PASSWORD() function.
// MySQL's old PASSWORD() function.
case 'mysql_old_password':
$hashchain = \VendorPass::mysql_old_password($hashchain);
break;
// MySQL's new PASSWORD() function.
// MySQL's new PASSWORD() function.
case 'mysql_new_password':
$hashchain = \VendorPass::mysql_new_password($hashchain);
break;
// A dummy algorithm that does nothing.
// A dummy algorithm that does nothing.
case 'null':
break;
// All other algorithms will be passed to hash() or treated as a function name.
// All other algorithms will be passed to hash() or treated as a function name.
default:
if (isset(self::$_algorithm_callbacks[$algo])) {
$callback = self::$_algorithm_callbacks[$algo];
$hashchain = $callback($hashchain, $salt);
} elseif (in_array($algo, hash_algos())) {
$hashchain = hash($algo, $hashchain);
} elseif (function_exists($algo)) {
$hashchain = $algo($hashchain, $salt);
} else {
return false;
}
}
}
return $hashchain;
}
/**
* Attempt to login a user with the given password
*
* @param string $user
* @param string $password
* @return bool
*/
public function login($user, $password)
{
$userslug = makeSlug($user);
// for once we don't use getUser(), because we need the password.
$query = "SELECT * FROM " . $this->usertable . " WHERE username=?";
$query = $this->app['db']->getDatabasePlatform()->modifyLimitQuery($query, 1);
$user = $this->db->executeQuery($query, array($userslug), array(\PDO::PARAM_STR))->fetch();
if (empty($user)) {
$this->session->getFlashBag()->set('error', __('Username or password not correct. Please check your input.'));
return false;
}
$hasher = new \Hautelook\Phpass\PasswordHash($this->hash_strength, true);
if ($hasher->CheckPassword($password, $user['password'])) {
if (!$user['enabled']) {
$this->session->getFlashBag()->set('error', __('Your account is disabled. Sorry about that.'));
return false;
}
$update = array('lastseen' => date('Y-m-d H:i:s'), 'lastip' => $this->remoteIP, 'failedlogins' => 0, 'throttleduntil' => $this->throttleUntil(0));
// Attempt to update the last login, but don't break on failure.
try {
$this->db->update($this->usertable, $update, array('id' => $user['id']));
} catch (\Doctrine\DBAL\DBALException $e) {
// Oops. User will get a warning on the dashboard about tables that need to be repaired.
}
$user = $this->getUser($user['id']);
$user['sessionkey'] = $this->getAuthToken($user['username']);
// We wish to create a new session-id for extended security, but due to a bug in PHP < 5.4.11, this
// will throw warnings. Suppress them here. #shakemyhead
// @see: https://bugs.php.net/bug.php?id=63379
@$this->session->migrate(true);
$this->session->set('user', $user);
$this->session->getFlashBag()->set('success', __("You've been logged on successfully."));
$this->currentuser = $user;
$this->setAuthToken();
return true;
} else {
$this->session->getFlashBag()->set('error', __('Username or password not correct. Please check your input.'));
$this->app['log']->add("Failed login attempt for '" . $user['displayname'] . "'.", 3, '', 'issue');
// Update the failed login attempts, and perhaps throttle the logins.
$update = array('failedlogins' => $user['failedlogins'] + 1, 'throttleduntil' => $this->throttleUntil($user['failedlogins'] + 1));
// Attempt to update the last login, but don't break on failure.
try {
$this->db->update($this->usertable, $update, array('id' => $user['id']));
} catch (\Doctrine\DBAL\DBALException $e) {
// Oops. User will get a warning on the dashboard about tables that need to be repaired.
}
// Take a nap, to prevent brute-forcing. Zzzzz...
sleep(1);
return false;
}
}
<?php
include 'vendor/hautelook/phpass/src/Hautelook/Phpass/PasswordHash.php';
$pg = pg_connect("dbname=d36nc9cjq76ssj host=ec2-107-22-170-249.compute-1.amazonaws.com user=mayjytdutzptbd password=58uHggM_ukv0s-5YD-2oUKoa6z port=5432 sslmode=require");
$user = pg_escape_string($pg, $_POST["username"]);
$password = pg_escape_string($pg, $_POST["password"]);
$ret = pg_query($pg, "SELECT password FROM bolt_users WHERE username='******'");
$row = pg_fetch_row($ret);
$hasher = new Hautelook\Phpass\PasswordHash(10, true);
if ($hasher->CheckPassword($password, $row[0])) {
echo "true";
} else {
echo "false";
}
