PHP Bcrypt Hashing and Verifying Passwords.

B

Berk

berkibap#4233
Developer
Oct 17, 2015
863
190
Hello everyone.
This might be a habbo related but however. Sorry if posted in wrong section.
I'm using Micro Edit (
You must be registered for see links
) by @JynX and I use bcrypt on my revcms.

For HK login, it uses md5 and I want to use bcrypt.
My RevCMS bcrypt function
PHP: 
 public function hashed($string) { 
return password_hash($string, PASSWORD_BCRYPT, array('cost' => 12));
}
Login function for HK:
PHP: 
    public function authenticate($user_name,$password)
        {
            if($user_name == NULL || $password == NULL)
            {
                return false;
            }
                else
            {
                $user_name    = parent::filter($user_name);
                $password    = parent::password($password);
                // $staff_pin = parent::filter($_POST['pin']);
                $find_user    = mysql_query("SELECT * FROM `users` WHERE `username` = '".$user_name."' AND `password` = '".$password."' LIMIT 1");
                if(mysql_num_rows($find_user) == 0)
                {
                    $this->log_Login($user_name,FALSE);
                    return false;
                }
                    else
                {
                    $user_name        = parent::user_Data($user_name,'username');
                    $rank_id        = parent::user_Data($user_name,'rank');
                    $allow_access    = mysql_query("SELECT * FROM `housekeeping_permissions` WHERE `rank_id` = '".$rank_id."' LIMIT 1");
                    $allow_access    = mysql_fetch_array($allow_access);
                    if($allow_access['hk.login'] == 1)
                    {
                        $this->log_Login($user_name,TRUE);
                        if($this->create_Session($user_name))
                        {
                            return true;
                        }
                            else
                        {
                            return false;
                        }
                    }
                        else
                    {
                        $this->log_Login($user_name,FALSE);
                        return false;
                    }
                }
            }
        }
password function (parent::password($password))
PHP: 
public function password($data)
        {
            if($data == NULL)
            {
                return $this->error_Handler('Validate Data','The given data could not be validated.');
            }
                else
            {
               return md5($data);
            }
        }
I want to change this to BCRYPT. I tried to change everything but didn't worked. Could you help me? Thanks.
 
Sort by date Sort by votes
MayoMayn

MayoMayn

BestDev
Oct 18, 2016
1,423
683
Why not just remove that and authenticate by the rank of the already existing session of the user?
Can't figure out why you would have double authentication.

Second of all use prepared statements to prevent SQLi.
 
Upvote 0 Downvote
Damien

Damien

Don't need glasses if you can C#
Feb 26, 2012
426
642
Atomic said:
Why not just remove that and authenticate by the rank of the already existing session of the user?
Can't figure out why you would have double authentication.

Second of all use prepared statements to prevent SQLi.
Click to expand...

1) Double authentication stops users from accessing housekeeping after they've been fired/demoted. They'll retain their rank till the session ends, this way it provided an extra layer of protection before they can access the ASE. One way to solve this is to do a rank check when the user hits the ASE, then the login wouldn't be needed.

2) There is nothing wrong with his queries. Whilst my_sql is deprecated, it can still be used safely and securely.. like he's doing. He's filtering the information before it gets used in the query, so people wont be able exploit it.

Code: 
public function password($data)
{
    if($data == NULL)
    {
        return $this->error_Handler('Validate Data','The given data could not be validated.');
    }
    else
    {
      return password_hash($data, PASSWORD_BCRYPT, array('cost' => 12));
    }
}
 
Upvote 0 Downvote
B

Berk

berkibap#4233
Developer
Oct 17, 2015
863
190
Damien said:
1) Double authentication stops users from accessing housekeeping after they've been fired/demoted. They'll retain their rank till the session ends, this way it provided an extra layer of protection before they can access the ASE. One way to solve this is to do a rank check when the user hits the ASE, then the login wouldn't be needed.

2) There is nothing wrong with his queries. Whilst my_sql is deprecated, it can still be used safely and securely.. like he's doing. He's filtering the information before it gets used in the query, so people wont be able exploit it.

Code: 
public function password($data)
{
    if($data == NULL)
    {
        return $this->error_Handler('Validate Data','The given data could not be validated.');
    }
    else
    {
      return password_hash($data, PASSWORD_BCRYPT, array('cost' => 12));
    }
}
Click to expand...
Thanks for this, now how I am gonna verify password? Sorry I am new to Bcrypt so.
 
Upvote 0 Downvote

Users who are viewing this thread

Total: 2 (members: 0, guests: 2)
☀️  Switch to Light Theme

Latest posts

Top