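/**
 * Check a candidate password against a stored PBKDF2 hash string.
 *
 * The stored value is split on ":" into the sections addressed by the
 * HASH_*_INDEX constants (algorithm, iteration count, salt, base64 PBKDF2
 * output). A PBKDF2 value of the same length is derived from $password with
 * the stored parameters and compared in constant time with
 * PasswordHash::slow_equals.
 *
 * Fails closed (returns false) when the stored string is malformed: too few
 * sections, a PBKDF2 section that does not decode to a non-empty string, or
 * an iteration count below 1. The original passed such values straight into
 * PasswordHash::pbkdf2 (a zero key length or a zero iteration count) and
 * relied on that helper to refuse them; refusing here keeps the decision in
 * the verifier itself.
 *
 * @param string $password     candidate password (untrusted input)
 * @param string $correct_hash stored hash string as written by the hashing side
 * @return bool true only when $password reproduces the stored PBKDF2 value
 */
public function validate_password($password, $correct_hash)
{
    $params = explode(":", $correct_hash);
    if (count($params) < HASH_SECTIONS) {
        return false;
    }

    // A hash section that decodes to nothing must never be compared: an empty
    // expected value would have to be matched by an empty derived value.
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    if ($pbkdf2 === false || $pbkdf2 === '') {
        return false;
    }

    // A non-numeric or zero iteration count casts to 0 and is rejected rather
    // than turning PBKDF2 into a single (or no) hash round.
    $iterations = (int) $params[HASH_ITERATION_INDEX];
    if ($iterations < 1) {
        return false;
    }

    $candidate = PasswordHash::pbkdf2(
        $params[HASH_ALGORITHM_INDEX],
        $password,
        $params[HASH_SALT_INDEX],
        $iterations,
        strlen($pbkdf2),
        true
    );

    // Constant-time comparison; $password is attacker-controlled.
    return PasswordHash::slow_equals($pbkdf2, $candidate);
}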
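<?php
/**
 * Account activation endpoint.
 *
 * Expects GET parameters `user` (numeric user_id) and `key` (activation token).
 * The token is recomputed from the stored row as
 * HMAC-SHA256(user_id . user_name . user_email . user_password_hash) keyed
 * with the stored password hash; when it matches `key`, the row's `activated`
 * column is set to '1'.
 *
 * Security notes for maintainers:
 *  - The token is a deterministic function of the stored row and has no
 *    expiry: it stays valid until the password hash changes. The password
 *    reset flow derives its key the same way, so a leaked activation link
 *    (mail forwarding, logs, Referer) is also a working reset key.
 *  - Both inputs are required to be plain strings before use. PHP turns
 *    `key[]=...` into an array, which would otherwise reach the constant-time
 *    comparison helper.
 *  - `user` is validated as an integer before being bound with PDO::PARAM_INT,
 *    so a coerced string such as "1abc" cannot drive the lookup.
 *  - Nothing from the database is echoed, so no HTML escaping is needed here.
 */
require_once 'db.php';
require_once 'PasswordHashClass.php';

# Make sure params are in place (and are plain strings) or die!
if (!isset($_GET['user']) || !isset($_GET['key'])
    || !is_string($_GET['user']) || !is_string($_GET['key'])) {
    die("Missing some parameters here");
}

# Refuse anything that is not an integer user id; same message so the
# failing check is not distinguishable from a missing parameter.
$userId = filter_var($_GET['user'], FILTER_VALIDATE_INT);
if ($userId === false) {
    die("Missing some parameters here");
}
$suppliedKey = $_GET['key'];

$db = new PDO(
    'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8',
    DB_USER,
    DB_PASS
);

# Retrieve user data (prepared statement; the id is bound, never interpolated)
$userCheck = $db->prepare("SELECT * FROM ovr_lists_login WHERE user_id = :id");
$userCheck->bindValue(':id', $userId, PDO::PARAM_INT);
$userCheck->execute();

if ($userCheck->rowCount() == 1) {
    $user = $userCheck->fetch(PDO::FETCH_ASSOC);

    # Recompute the activation token from the stored row. urlencode() leaves
    # the lowercase hex digest unchanged; it is kept so the value is the same
    # one that was placed in the activation link.
    $activation_hash_string = $user['user_id'] . $user['user_name']
        . $user['user_email'] . $user['user_password_hash'];
    $generatedActivation = urlencode(
        hash_hmac('sha256', $activation_hash_string, $user['user_password_hash'])
    );

    # Constant-time comparison: the supplied key is attacker-controlled.
    if (PasswordHash::slow_equals($generatedActivation, $suppliedKey) == 1) {
        $activateUser = $db->prepare(
            "UPDATE ovr_lists_login SET activated = '1' WHERE user_id = :id"
        );
        $activateUser->bindValue(':id', $userId, PDO::PARAM_INT);
        if ($activateUser->execute()) {
            echo "<h1>Activation successful</h1>";
        } else {
            echo "<h1 style='color:red'>Activation failed</h1>";
        }
    }
}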
require_once 'PasswordHashClass.php'; require_once 'db.php'; require_once 'Mandrill.php'; $db = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8', DB_USER, DB_PASS); if (isset($_POST['key']) && isset($_POST['user_id'])) { $hashCheck = $db->prepare("SELECT * FROM ovr_lists_login WHERE user_id = :id"); $hashCheck->bindParam("id", $_POST['user_id'], PDO::PARAM_STR); $hashCheck->execute(); if ($hashCheck->rowCount() !== 1) { echo "Something went wrong, please try again."; } else { $user = $hashCheck->fetch(PDO::FETCH_ASSOC); $hash_string = $user['user_id'] . $user['user_name'] . $user['user_email'] . $user['user_password_hash']; $reset_hash = urlencode(hash_hmac('sha256', $hash_string, $user['user_password_hash'])); if (PasswordHash::slow_equals($_POST['key'], $reset_hash) == 1) { $hashed_password = PasswordHash::create_hash($_POST['user_password']); $passwordReset = $db->prepare("UPDATE ovr_lists_login SET user_password_hash = :password_hash, activated = '1' WHERE user_id = :id"); if ($passwordReset->execute(array("password_hash" => $hashed_password, "id" => $_POST['user_id']))) { echo "Password has been reset go to <a href='https://{$_SERVER['SERVER_NAME']}/login/login.php'>https://{$_SERVER['SERVER_NAME']}/login/login.php</a> to login"; } else { echo "Password failed to update."; } } } } else { if (isset($_POST['Reset']) && $_POST['user_name'] && isset($_POST['user_email'])) { $userCheck = $db->prepare("SELECT * FROM ovr_lists_login WHERE user_name = :user AND user_email = :email"); $userCheck->bindParam("user", $_POST['user_name'], PDO::PARAM_STR); $userCheck->bindParam("email", $_POST['user_email'], PDO::PARAM_STR); $userCheck->execute();