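/**
 * Hash a password.
 *
 * To use multiple algorithms in series, provide them as an array (or a
 * comma-separated string). Salted algorithms such as bcrypt, pbkdf2, or
 * portable terminate the chain and must therefore be used last; the unsalted
 * ones (hash() algorithms, mysql_*_password, registered callbacks) may be
 * chained but should never be the final step.
 *
 * NOTE: leading/trailing whitespace is stripped from the password and runs of
 * internal whitespace are collapsed to a single space before hashing. This is
 * part of the stored-hash format (changing it would invalidate existing
 * hashes), but it means whitespace in a password carries no entropy.
 *
 * On error, false will be returned.
 *
 * @param string $password
 * @param string|array $algos (optional) defaults to self::getDefaultAlgorithm()
 * @param string $salt (optional) for salted algorithms: the stored hash/salt to verify against
 * @return string|false
 */
public static function hashPassword($password, $algos = null, $salt = null)
{
    // If the algorithm is null, use the default algorithm.
    if ($algos === null) {
        $algos = self::getDefaultAlgorithm();
    }

    // Normalize the algorithm list: accept an array or a comma-separated string.
    $algos = is_array($algos) ? $algos : explode(',', $algos);
    $algos = array_map('strtolower', array_map('trim', $algos));

    // Initialize the chain of hashes (see the whitespace note above).
    $hashchain = preg_replace('/\s+/', ' ', trim($password));

    // Apply the given algorithms one by one.
    foreach ($algos as $algo) {
        switch ($algo) {
            // bcrypt (must be used last)
            case 'bcrypt':
                $hashchain = self::bcrypt($hashchain, $salt, self::getWorkFactor());
                // crypt()-style failure is signalled by a short string starting
                // with '*'; treat an empty/false result the same way.
                if ($hashchain === false || $hashchain === '' || $hashchain[0] === '*') {
                    return false;
                }
                return $hashchain;

            // PBKDF2 (must be used last)
            case 'pbkdf2':
                if ($salt === null) {
                    $salt = Security::getRandom(12, 'alnum');
                    $hash_algorithm = 'sha512';
                    $iterations = intval(pow(2, self::getWorkFactor() + 5)) ?: 16384;
                    $key_length = 24;
                } else {
                    // Stored format: algorithm:iterations:salt:base64(key).
                    // Reject anything that lacks all four parts, or has a
                    // non-positive iteration count / key length, instead of
                    // hashing with undefined or zero values.
                    $parts = explode(':', $salt);
                    if (count($parts) < 4) {
                        return false;
                    }
                    $hash_algorithm = $parts[0];
                    $iterations = intval($parts[1], 10);
                    $salt = $parts[2];
                    $key_length = strlen(base64_decode($parts[3]));
                    if ($iterations < 1 || $key_length < 1) {
                        return false;
                    }
                }
                return self::pbkdf2($hashchain, $salt, $hash_algorithm, $iterations, $key_length);

            // phpass portable algorithm (must be used last)
            case 'portable':
                $phpass = new \Hautelook\Phpass\PasswordHash(self::getWorkFactor(), true);
                if ($salt === null) {
                    return $phpass->HashPassword($hashchain);
                }
                // Verification mode: hand back the stored hash on a match so the
                // caller can compare it with what it already holds.
                return $phpass->CheckPassword($hashchain, $salt) ? $salt : false;

            // Drupal's SHA-512 based algorithm (must be used last)
            // NOTE: the drupal/joomla/kimsqrb cases receive the raw $password,
            // not the whitespace-normalized $hashchain — presumably so hashes
            // imported from those systems verify unchanged; confirm before altering.
            case 'drupal':
                return \VendorPass::drupal($password, $salt);

            // Joomla's MD5 based algorithm (must be used last)
            case 'joomla':
                return \VendorPass::joomla($password, $salt);

            // KimsQ Rb algorithms (must be used last)
            case 'kimsqrb':
                return \VendorPass::kimsqrb($password, $salt);

            // crypt() function (must be used last)
            // A 2-character salt selects the legacy (DES-style) crypt() variant;
            // keep it only for verifying existing hashes, not for new ones.
            case 'crypt':
                if ($salt === null) {
                    $salt = Security::getRandom(2, 'alnum');
                }
                return crypt($hashchain, $salt);

            // MS SQL's PWDENCRYPT() function (must be used last)
            case 'mssql_pwdencrypt':
                return \VendorPass::mssql_pwdencrypt($hashchain, $salt);

            // MySQL's old PASSWORD() function (unsalted; may be chained).
            case 'mysql_old_password':
                $hashchain = \VendorPass::mysql_old_password($hashchain);
                break;

            // MySQL's new PASSWORD() function (unsalted; may be chained).
            case 'mysql_new_password':
                $hashchain = \VendorPass::mysql_new_password($hashchain);
                break;

            // A dummy algorithm that does nothing.
            case 'null':
                break;

            // All other algorithms: a registered callback, a hash() algorithm,
            // or a plain function name.
            default:
                if (isset(self::$_algorithm_callbacks[$algo])) {
                    $callback = self::$_algorithm_callbacks[$algo];
                    $hashchain = $callback($hashchain, $salt);
                } elseif (in_array($algo, hash_algos(), true)) {
                    $hashchain = hash($algo, $hashchain);
                } elseif (function_exists($algo)) {
                    // SECURITY: this invokes an arbitrary global function named
                    // by the algorithm string. The algorithm list must only ever
                    // come from trusted configuration, never from request data.
                    $hashchain = $algo($hashchain, $salt);
                } else {
                    return false;
                }
        }
    }

    return $hashchain;
}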
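/**
 * Attempt to log in a user with the given password.
 *
 * Looks the user up by slug, verifies the password with phpass and, on
 * success, resets the failed-login counter, migrates the session id and
 * stores the user (plus a fresh auth token) in the session. On a wrong
 * password the failed-login counter and throttle timestamp are bumped.
 *
 * Both "unknown user" and "wrong password" produce the same flash message
 * and the same one-second delay, so neither the response text nor the
 * response time reveals whether the account exists.
 *
 * @param string $user     Username as typed (slugified before lookup)
 * @param string $password Plaintext password as submitted
 * @return bool            true when the session is now authenticated
 */
public function login($user, $password)
{
    $userslug = makeSlug($user);

    // For once we don't use getUser(), because we need the password hash.
    $query = "SELECT * FROM " . $this->usertable . " WHERE username=?";
    $query = $this->app['db']->getDatabasePlatform()->modifyLimitQuery($query, 1);
    $user = $this->db->executeQuery($query, array($userslug), array(\PDO::PARAM_STR))->fetch();

    if (empty($user)) {
        $this->session->getFlashBag()->set('error', __('Username or password not correct. Please check your input.'));
        // Same delay as the wrong-password path below, so an attacker cannot
        // tell "no such user" from "wrong password" by response time.
        sleep(1);
        return false;
    }

    $hasher = new \Hautelook\Phpass\PasswordHash($this->hash_strength, true);

    if ($hasher->CheckPassword($password, $user['password'])) {
        if (!$user['enabled']) {
            $this->session->getFlashBag()->set('error', __('Your account is disabled. Sorry about that.'));
            return false;
        }

        $update = array(
            'lastseen' => date('Y-m-d H:i:s'),
            'lastip' => $this->remoteIP,
            'failedlogins' => 0,
            'throttleduntil' => $this->throttleUntil(0),
        );

        // Attempt to update the last login, but don't break on failure.
        try {
            $this->db->update($this->usertable, $update, array('id' => $user['id']));
        } catch (\Doctrine\DBAL\DBALException $e) {
            // Oops. User will get a warning on the dashboard about tables that need to be repaired.
        }

        $user = $this->getUser($user['id']);
        $user['sessionkey'] = $this->getAuthToken($user['username']);

        // Issue a new session id on privilege change (session-fixation defence).
        // PHP < 5.4.11 throws warnings here, hence the suppression.
        // @see: https://bugs.php.net/bug.php?id=63379
        @$this->session->migrate(true);

        $this->session->set('user', $user);
        $this->session->getFlashBag()->set('success', __("You've been logged on successfully."));
        $this->currentuser = $user;
        $this->setAuthToken();

        return true;
    }

    // Wrong password for an existing user.
    $this->session->getFlashBag()->set('error', __('Username or password not correct. Please check your input.'));
    $this->app['log']->add("Failed login attempt for '" . $user['displayname'] . "'.", 3, '', 'issue');

    // Update the failed login attempts, and perhaps throttle the logins.
    $failedlogins = $user['failedlogins'] + 1;
    $update = array(
        'failedlogins' => $failedlogins,
        'throttleduntil' => $this->throttleUntil($failedlogins),
    );

    // Attempt to record the failure, but don't break on failure.
    try {
        $this->db->update($this->usertable, $update, array('id' => $user['id']));
    } catch (\Doctrine\DBAL\DBALException $e) {
        // Oops. User will get a warning on the dashboard about tables that need to be repaired.
    }

    // Take a nap, to prevent brute-forcing. Zzzzz...
    // NOTE: this ties up a worker per failed attempt; 'throttleduntil' is only
    // written here and is presumably enforced elsewhere — that is the real brake.
    sleep(1);

    return false;
}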
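<?php

// Minimal password-check endpoint: POST username + password, prints "true"/"false".
//
// SECURITY NOTES (review):
//  - The original file embedded a live Postgres host/user/password in source.
//    Those credentials must be rotated; connection parameters now come from the
//    standard libpq environment (PGHOST, PGPORT, PGDATABASE, PGUSER, PGPASSWORD).
//  - The password is never placed in SQL, so it must NOT be escaped before
//    verification: pg_escape_string() mangled passwords containing quotes or
//    backslashes and made them fail to verify.
//  - This endpoint is an unthrottled password oracle and the early-exit on an
//    unknown user still leaks existence by timing; do not expose it to untrusted
//    networks as-is.

include 'vendor/hautelook/phpass/src/Hautelook/Phpass/PasswordHash.php';

// Only the TLS requirement is fixed here; everything else is taken from the
// environment by libpq.
$pg = pg_connect('sslmode=require');
if ($pg === false) {
    http_response_code(500);
    exit('database unavailable');
}

$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Parameterized lookup. The original query had a literal placeholder ('******')
// in the WHERE clause and never used the submitted username.
$ret = pg_query_params($pg, 'SELECT password FROM bolt_users WHERE username = $1', array($user));
$row = ($ret !== false) ? pg_fetch_row($ret) : false;

$hasher = new Hautelook\Phpass\PasswordHash(10, true);

if ($row !== false && isset($row[0]) && $hasher->CheckPassword($password, $row[0])) {
    echo "true";
} else {
    echo "false";
}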