From b13675f10d80c149cd4e8a6bbff4a275586bdd94 Mon Sep 17 00:00:00 2001
From: Sibidharan <sibidharan@icloud.com>
Date: Tue, 29 Mar 2022 16:33:48 +0000
Subject: [PATCH] password_hash implementation

---
 libs/includes/Database.class.php |  2 +-
 libs/includes/User.class.php     | 13 ++++++++-----
 logintest.php                    |  6 +++---
 passwordhash.php                 | 13 +++++++++++++
 testhash.php                     |  8 ++++++++
 5 files changed, 33 insertions(+), 9 deletions(-)
 create mode 100644 passwordhash.php

diff --git a/libs/includes/Database.class.php b/libs/includes/Database.class.php
index 03e9d917..af71ea50 100644
--- a/libs/includes/Database.class.php
+++ b/libs/includes/Database.class.php
@@ -8,7 +8,7 @@ class Database
         if (Database::$conn == null) {
             $servername = "mysql.selfmade.ninja";
             $username = "sibidharan";
-            $password = "xyjxo8-xefjat-gYnsif";
+            $password = "gifSaw-nycdag-6kifwa";
             $dbname = "sibidharan_newdb";
         
             // Create connection
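Review bot: The replacement password on the `+` line is still a literal in tracked source, so this rotation leaves both secrets readable in the repository (the old one in history, the new one at HEAD). Read the credential from the environment or from a config file excluded from version control, e.g. `$password = getenv('DB_PASSWORD');` followed by a check that it is non-empty, and treat the previously committed value as exposed. The enclosing method starts and ends outside this hunk.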
diff --git a/libs/includes/User.class.php b/libs/includes/User.class.php
index 1a85d29f..16a9cd12 100644
--- a/libs/includes/User.class.php
+++ b/libs/includes/User.class.php
@@ -5,10 +5,13 @@ class User
     private $conn;
     public static function signup($user, $pass, $email, $phone)
     {
-        $pass = md5(strrev(md5($pass))); //Security through obscurity
+        $options = [
+            'cost' => 9,
+        ];
+        $pass = password_hash($pass, PASSWORD_BCRYPT, $options);
         $conn = Database::getConnection();
-        $sql = "INSERT INTO `auth` (`username`, `password`, `email`, `phone`, `active`)
-        VALUES ('$user', '$pass', '$email', '$phone', '1');";
+        $sql = "INSERT INTO `auth` (`username`, `password`, `email`, `phone`)
+        VALUES ('$user', '$pass', '$email', '$phone');";
         $error = false;
         if ($conn->query($sql) === true) {
             $error = false;
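Review bot: `$user`, `$email` and `$phone` are interpolated straight into the INSERT text on the two rewritten `+` lines, so signup remains SQL-injectable even though the password is now hashed; the login hunk below has the same pattern in `WHERE \`username\` = '$user'`. Bind the values through a prepared statement instead (assuming `Database::getConnection()` returns a mysqli, as `num_rows`/`fetch_assoc()` in the login hunk suggest). Separately, `'cost' => 9` is below PHP's default bcrypt cost of 10; `password_hash($pass, PASSWORD_DEFAULT)` without the options array would use the library default. `signup()` continues outside the hunk.
```php
        $pass = password_hash($pass, PASSWORD_BCRYPT, $options);
        $conn = Database::getConnection();
        // Bind user-supplied values rather than splicing them into the SQL text.
        $stmt = $conn->prepare(
            'INSERT INTO `auth` (`username`, `password`, `email`, `phone`) VALUES (?, ?, ?, ?)'
        );
        $stmt->bind_param('ssss', $user, $pass, $email, $phone);
        $error = false;
        if ($stmt->execute() === true) {
        // … unchanged: success/failure handling, continues outside the hunk …
```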
@@ -23,13 +26,13 @@ class User
 
     public static function login($user, $pass)
     {
-        $pass = md5(strrev(md5($pass)));
         $query = "SELECT * FROM `auth` WHERE `username` = '$user'";
         $conn = Database::getConnection();
         $result = $conn->query($query);
         if ($result->num_rows == 1) {
             $row = $result->fetch_assoc();
-            if ($row['password'] == $pass) {
+            //if ($row['password'] == $pass) {
+            if (password_verify($pass, $row['password'])) {
                 return $row;
             } else {
                 return false;
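Review bot: Accounts whose `password` column still holds the digest of the removed `md5(strrev(md5($pass)))` scheme will fail the new `password_verify` check and be locked out, and the commit ships no migration path (a forced reset, or a one-time legacy comparison followed by `password_hash` and an UPDATE on the next successful login). On a successful verify it is also worth calling `password_needs_rehash($row['password'], PASSWORD_BCRYPT, ['cost' => 9])` and re-storing the hash when it returns true, so later cost changes upgrade rows transparently. The commented-out `//if ($row['password'] == $pass) {` above the new check is dead code that git history already records; delete the line. `login()` continues outside the hunk.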
diff --git a/logintest.php b/logintest.php
index dd995288..0afdfe0b 100644
--- a/logintest.php
+++ b/logintest.php
@@ -1,8 +1,8 @@
 <?php
 include 'libs/load.php';
 
-$user = "fooboo";
-$pass = "decneg-napCaf-jakcy1";
+$user = "sibidharan";
+$pass = isset($_GET['pass']) ? $_GET['pass'] : '';
 $result = null;
 
 if (isset($_GET['logout'])) {
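Review bot: Taking the password from `$_GET['pass']` puts the credential in the URL, where it lands in web-server access logs, browser history and Referer headers. Even for a test page, accept it from the request body instead, `$pass = isset($_POST['pass']) ? $_POST['pass'] : '';`, and submit the form with POST.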
@@ -22,7 +22,7 @@ if (Session::get('is_loggedin')) {
         Session::set('is_loggedin', true);
         Session::set('session_user', $result);
     } else {
-        echo "Login failed <br>";
+        echo "Login failed, $user <br>";
     }
 }
 echo <<<EOL
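Review bot: The new `echo "Login failed, $user <br>";` writes `$user` into HTML without escaping. It is a literal in this file today, but the line will become an injection point as soon as the username is read from the request as the password now is; escape it at the output boundary, `echo "Login failed, " . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . " <br>";`.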
diff --git a/passwordhash.php b/passwordhash.php
new file mode 100644
index 00000000..a6c1c67b
--- /dev/null
+++ b/passwordhash.php
@@ -0,0 +1,13 @@
+<?php
+$time = microtime(true);
+$options = [
+    'cost' => 20,
+];
+echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
+echo "\nTook ".(microtime(true) - $time) . " sec";
+
+// if (password_verify("rasmuslerdorf", '$2y$12$vxk72IX.vOSgV4gleQs0ru5MNo5CMHBFuHMVBHyeT03LLqsbwREzC')) {
+//     print("Correct password");
+// } else {
+//     print("Wrong password");
+// }
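Review bot: `'cost' => 20` makes each `password_hash` call about 2^10 times slower than the default cost of 10, so this script runs for on the order of a minute or more per execution; if it is deployed under the web root next to the application, every request to it occupies a worker for that long. Keep timing experiments out of the served tree, and choose a production cost by measuring a range of values (e.g. 10–13) rather than one extreme. The commented-out `password_verify` block at the bottom should be deleted or turned into a real check.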
diff --git a/testhash.php b/testhash.php
index a94dafa5..e1008fca 100644
--- a/testhash.php
+++ b/testhash.php
@@ -17,3 +17,11 @@ $b64len = strlen($b64);
 
 echo("MD5: $md5 (Lenght: $md5len)\n");
 echo("Base64: $b64 \n(Length: $b64len)\n");
+
+
+$data = "sibidharan";
+
+foreach (hash_algos() as $v) {
+    $r = hash($v, $data, false);
+    printf("%-12s %3d %s\n", $v, strlen($r), $r);
+}
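Review bot: The added loop prints every name from `hash_algos()` on equal footing, including non-cryptographic checksums such as `crc32`, `adler32` and the `fnv1*` family, and none of the listed digests is suitable for storing passwords in any case; if this survey is meant to inform the choice in User.class.php, `password_hash()` (already used there) is the right API. A comment above the loop, `// Digest length/format survey only: none of these are password hashes`, would keep the output from being misread. The `%-12s` width is also narrower than several algorithm names (e.g. `sha512/224`), so those rows will not align.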
-- 
GitLab