password_hash implementation

b13675f1 · Sibidharan · cde1139e · b13675f1 · b13675f1 · b13675f1
Commit b13675f1 authored 2 years ago by Sibidharan
--- a/libs/includes/Database.class.php
+++ b/libs/includes/Database.class.php
@@ -8,7 +8,7 @@ class Database
        if (Database::$conn == null) {
            $servername = "mysql.selfmade.ninja";
            $username = "sibidharan";
-            $password = "xyjxo8-xefjat-gYnsif";
+            $password = "gifSaw-nycdag-6kifwa";
            $dbname = "sibidharan_newdb";
        
            // Create connection

--- a/libs/includes/User.class.php
+++ b/libs/includes/User.class.php
@@ -5,10 +5,13 @@ class User
    private $conn;
    public static function signup($user, $pass, $email, $phone)
    {
-        $pass = md5(strrev(md5($pass))); //Security through obscurity
+        $options = [
+            'cost' => 9,
+        ];
+        $pass = password_hash($pass, PASSWORD_BCRYPT, $options);
        $conn = Database::getConnection();
-        $sql = "INSERT INTO `auth` (`username`, `password`, `email`, `phone`, `active`)
-        VALUES ('$user', '$pass', '$email', '$phone', '1');";
+        $sql = "INSERT INTO `auth` (`username`, `password`, `email`, `phone`)
+        VALUES ('$user', '$pass', '$email', '$phone');";
        $error = false;
        if ($conn->query($sql) === true) {
            $error = false;
@@ -23,13 +26,13 @@ class User

    public static function login($user, $pass)
    {
-        $pass = md5(strrev(md5($pass)));
        $query = "SELECT * FROM `auth` WHERE `username` = '$user'";
        $conn = Database::getConnection();
        $result = $conn->query($query);
        if ($result->num_rows == 1) {
            $row = $result->fetch_assoc();
-            if ($row['password'] == $pass) {
+            //if ($row['password'] == $pass) {
+            if (password_verify($pass, $row['password'])) {
                return $row;
            } else {
                return false;

--- a/logintest.php
+++ b/logintest.php
 <?php
 include 'libs/load.php';

-$user = "fooboo";
-$pass = "decneg-napCaf-jakcy1";
+$user = "sibidharan";
+$pass = isset($_GET['pass']) ? $_GET['pass'] : '';
 $result = null;

 if (isset($_GET['logout'])) {
@@ -22,7 +22,7 @@ if (Session::get('is_loggedin')) {
        Session::set('is_loggedin', true);
        Session::set('session_user', $result);
    } else {
-        echo "Login failed <br>";
+        echo "Login failed, $user <br>";
    }
 }
 echo <<<EOL

--- a/passwordhash.php
+++ b/passwordhash.php
+<?php
+$time = microtime(true);
+$options = [
+    'cost' => 20,
+];
+echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
+echo "\nTook ".(microtime(true) - $time) . " sec";
+
+// if (password_verify("rasmuslerdorf", '$2y$12$vxk72IX.vOSgV4gleQs0ru5MNo5CMHBFuHMVBHyeT03LLqsbwREzC')) {
+//     print("Correct password");
+// } else {
+//     print("Wrong password");
+// }
--- a/testhash.php
+++ b/testhash.php
@@ -17,3 +17,11 @@ $b64len = strlen($b64);

 echo("MD5: $md5 (Lenght: $md5len)\n");
 echo("Base64: $b64 \n(Length: $b64len)\n");
+
+
+$data = "sibidharan";
+
+foreach (hash_algos() as $v) {
+    $r = hash($v, $data, false);
+    printf("%-12s %3d %s\n", $v, strlen($r), $r);
+}