RevCMS BCRYPT

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
Hello,
I'm resetting my hotel and I want to encrypt passwords differently. I want to use a more secure one, such as bcrypt.

By default, rev uses md5.
Code:
    final public function hashed($password)
    {
        return md5($password);
    }

I want to use a more secure method, but after changing it, I cannot login as it says "Details do not Match".

PHP:
    final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }

The password does encrypt to bcrypt in the database, the only problem is – I cannot login!
 
Last edited:

MayoMayn

BestDev
Oct 18, 2016
1,423
683
PHP:
password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

I'd just stick with the ordinary PASSWORD_DEFAULT and without the array, unless you're providing your own hashing.

And for validation, just use:
PHP:
password_verify(
      $pass, // unencrypted password that the user has entered in the form
      $dbpass // the hashed password in the db column
);

If you get incorrect false responses from password_verify when manually including the hash variable (e.g. for testing) and you know it should be correct, make sure you are enclosing the hash variable in single quotes (') and not double quotes (").

PHP parses anything that starts with a $ inside double quotes as a variable:

PHP:
// this will result in 'Invalid Password' as the hash is parsed into 3 variables of
// $2y, $07 and $BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq
// due to it being enclosed inside double quotes
$hash ="$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq";

// this will result in 'Password is valid' as variables are not parsed inside single quotes
$hash ='$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf',$hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
 
Last edited:

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
So wait, replace my current one with the first one? What does the cost variable have to do with it? Is this validation in a class or do I create my own function? I'm confused as fuck.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
So wait, replace my current one with the first one? What does the cost variable have to do with it? Is this validation in a class or do I create my own function? I'm confused as fuck.
Both of them are PHP functions. Just include the cost array in your password_hash(), and use the password_verify() to verify.

Sent from my SM-G928F using Tapatalk
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Hello,
I'm resetting my hotel and I want to encrypt passwords differently. I want to use a more secure one, such as bcrypt.

By default, rev uses md5.
Code:
    final public function hashed($password)
    {
        return md5($password);
    }

I want to use a more secure method, but after changing it, I cannot login as it says "Details do not Match".

PHP:
    final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }

The password does encrypt to bcrypt in the database, the only problem is – I cannot login!
You need to change the userValidation function in class.users.php, basically: check that the user exists, grab the hash of the user, compare it to the $password argument, also update the login() function as you need to remove $core->hashed on line 229 since you're no longer using md5 and password_verify expects a plaintext value.
 

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
You need to change the userValidation function in class.users.php, basically: check that the user exists, grab the hash of the user, compare it to the $password argument, also update the login() function as you need to remove $core->hashed on line 229 since you're no longer using md5 and password_verify expects a plaintext value.
Okay. I've never really done this before, so I'm a little off on this.

Class.core.php
PHP:
    final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }
Class.users.php
PHP:
                    if($this->userValidation($template->form->log_username, $core->hashed($template->form->log_password)))
                    {
                        $this->turnOn($template->form->log_username);
                        $this->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);
                        $template->form->unsetData();
                        header('Location: ' . $_CONFIG['hotel']['url'] . '/me');
                        exit;
                    }
 

MasterJiq

Member
Jul 8, 2016
385
23
mine.
Code:
    // Reversible encryption with a hard-coded key (mcrypt was removed from core PHP in 7.2)
    public static function Encrypt($q)
    {
        $cryptKey = 'qJB0rGtIn5UB1xG03efyCp';
        $qEncoded = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($cryptKey), $q, MCRYPT_MODE_CBC, md5(md5($cryptKey))));
        return ($qEncoded);
    }

    public static function Decrypt($q)
    {
        $cryptKey = 'qJB0rGtIn5UB1xG03efyCp';
        $qDecoded = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($cryptKey), base64_decode($q), MCRYPT_MODE_CBC, md5(md5($cryptKey))), "\0");
        return ($qDecoded);
    }

and it's also good if
Code:
    public static function hash($input)
    {
        return md5(sha1($input));
    }
 

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
Just change the PASSWORD_BCRYPT to PASSWORD_DEFAULT, your user validation stuff is incorrect too. I will fix it for you later.

Sent from my SM-G928F using Tapatalk
I'm guessing this?
PHP:
    final public function hashed($password)
    {
        return password_hash($password, PASSWORD_DEFAULT);
    }
Thanks, will look forward to it. In the meantime, trial and error <3_<3
 

JayC

Always Learning
Aug 8, 2013
5,493
1,398
Alright Boys,

Set this method in your Register page:
Code:
final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }

Then in your login page you are going to do this:


Code:
$password = mysql_real_escape_string($_POST['password']);
$findUser= mysql_query("SELECT password FROM users WHERE username = '".mysql_real_escape_string($_POST['password'])."' LIMIT 1");

if(mysql_num_rows($findUser) == 1){
    $usersPass = mysql_fetch_assoc($findUser);
    if($usersPass == md5($password)){
      mysql_query("UPDATE users SET password = '".password_hash($password, PASSWORD_BCRYPT)."' WHERE username = '".mysql_real_escape_string($_POST['password'])."' LIMIT 1");
     //Login Normal
    }else if($usersPass == password_hash($password, PASSWORD_BCRYPT)){
     //Login Normal
    }else{
      echo "Incorrect Password";
    }
}else{
   echo "Username Not Found";
}

This is just an example coded right here in DevBest; however, it should work fine :)
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
Alright Boys,

Set this method in your Register page:
Code:
final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }

Then in your login page you are going to do this:


Code:
$password = mysql_real_escape_string($_POST['password']);
$findUser= mysql_query("SELECT password FROM users WHERE username = '".mysql_real_escape_string($_POST['password'])."' LIMIT 1");

if(mysql_num_rows($findUser) == 1){
    $usersPass = mysql_fetch_assoc($findUser);
    if($usersPass == md5($password)){
      mysql_query("UPDATE users SET password = '".password_hash($password, PASSWORD_BCRYPT)."' WHERE username = '".mysql_real_escape_string($_POST['password'])."' LIMIT 1");
     //Login Normal
    }else if($usersPass == password_hash($password, PASSWORD_BCRYPT)){
     //Login Normal
    }else{
      echo "Incorrect Password";
    }
}else{
   echo "Username Not Found";
}

This is just an example coded right here in DevBest; however, it should work fine :)
What the hell kind of password validation is that lmfao. First query line, select password from users where username is post password? Wtf.
Either way, this wouldn't work, since you're not verifying the posted password, you're just hashing the input and checking it against the one in the database. By this reply, you clearly don't understand how hashing works. Every hash is different from one another, even if the string is the same, so this wouldn't even be close to working at all.

Sent from my SM-G928F using Tapatalk
 
PHP:
public function hashPass($string) {
    // I'd just use DEFAULT instead of BCRYPT and a cost.
    return password_hash($string, PASSWORD_BCRYPT, ['cost' => 12]);
}
public function login() {
    // Escape here or whatever stupid mysql functions that needs to be used
    $username = mysql_real_escape_string($_POST['username']);
    // The password never goes into a query, so do not escape it: escaping would
    // alter characters such as quotes and backslashes and the verify would fail
    $password = $_POST['password'];

    // Get the password column from the users table by the username entered
    $user = mysql_query("
        SELECT `password`
            FROM `users`
        WHERE `username` = '{$username}'
            LIMIT 1
    ");

    // Check if user exists
    if(mysql_num_rows($user) > 0) {
        // User does exist, then fetch the HASHED password from the table
        // (mysql_fetch_assoc returns the whole row; password_verify needs the string)
        $row = mysql_fetch_assoc($user);
        $dbpass = $row['password'];
        // Verify the typed in password against the hashed in database. Read my above reply to understand why use the verify function instead of hashing the inputted password to check against the one on database. Simply research folks.
        if(password_verify($password, $dbpass)) {
            // Password matched
            // Redirect user etc
        } else {
            // Password was incorrect
            // Echo something out
        }
    } else {
        // User doesnt exist
        // echo something u
    }
}
 
Last edited:
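Putting BIOS's three steps (check the user exists, fetch the stored hash, verify the plaintext with password_verify) together with the verify-on-login logic from the post above, here is an added example that is not RevCMS code or anyone's posted code. It assumes PHP 8+, a PDO connection (prepared statements instead of mysql_real_escape_string), and a users table with username and password columns; it also migrates legacy md5 rows to bcrypt on a successful login, which is what JayC's snippet was aiming at.

```php
<?php
// Added example, not RevCMS code. Assumes PHP 8+, a PDO connection and a
// `users` table whose `password` column holds either a legacy 32-char md5
// hex digest (old RevCMS hashed()) or a password_hash() string.
final class UserAuth
{
    public function __construct(private PDO $pdo) {}

    public function hashed(string $password): string
    {
        // PASSWORD_DEFAULT is bcrypt on current PHP; cost 12 is a tuning choice.
        return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    }

    // Replacement for RevCMS userValidation(): takes the PLAINTEXT password.
    // login() must therefore call it with $template->form->log_password,
    // not $core->hashed(...), since password_verify() hashes the input itself
    // using the salt and cost stored inside the database value.
    public function userValidation(string $username, string $password): bool
    {
        $stmt = $this->pdo->prepare('SELECT `password` FROM `users` WHERE `username` = ? LIMIT 1');
        $stmt->execute([$username]);
        $stored = $stmt->fetchColumn(); // false when the user does not exist
        if ($stored === false) {
            return false;
        }
        // Legacy row written by the old md5() hashed(): exactly 32 hex characters.
        if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
            if (!hash_equals(strtolower($stored), md5($password))) {
                return false;
            }
            $this->storeHash($username, $this->hashed($password)); // upgrade to bcrypt
            return true;
        }
        if (!password_verify($password, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12])) {
            $this->storeHash($username, $this->hashed($password)); // cost or algorithm changed
        }
        return true;
    }

    private function storeHash(string $username, string $hash): void
    {
        $stmt = $this->pdo->prepare('UPDATE `users` SET `password` = ? WHERE `username` = ?');
        $stmt->execute([$hash, $username]);
    }
}
```

The md5 branch is only there to carry existing accounts over; once every row has been rewritten it can be deleted, and an md5-shaped value in the column then simply fails verification.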

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
What the hell kind of password validation is that lmfao. First query line, select password from users where username is post password? Wtf.
Either way, this wouldn't work, since you're not verifying the posted password, you're just hashing the input and checking it against the one in the database. By this reply, you clearly don't understand how hashing works. Every hash is different from one another, even if the string is the same, so this wouldn't even be close to working at all.

Sent from my SM-G928F using Tapatalk
 
PHP:
public function hashPass($string) {
    return password_hash($string, PASSWORD_BCRYPT, ['cost' => 12]);
}
public function login() {
    // Escape here or whatever stupid mysql functions that needs to be used
    $username = mysql_real_escape_string($_POST['username']);
    // The password never goes into a query, so do not escape it: escaping would
    // alter characters such as quotes and backslashes and the verify would fail
    $password = $_POST['password'];

    // Get the password column from the users table by the username entered
    $user = mysql_query("
        SELECT `password`
            FROM `users`
        WHERE `username` = '{$username}'
            LIMIT 1
    ");

    // Check if user exists
    if(mysql_num_rows($user) > 0) {
        // User does exist, then fetch the HASHED password from the table
        // (mysql_fetch_assoc returns the whole row; password_verify needs the string)
        $row = mysql_fetch_assoc($user);
        $dbpass = $row['password'];
        // Verify the typed in password against the hashed in database. Read my above reply to understand why use the verify function instead of hashing the inputted password to check against the one on database. Simply research folks.
        if(password_verify($password, $dbpass)) {
            // Password matched
            // Redirect user etc
        } else {
            // Password was incorrect
            // Echo something out
        }
    } else {
        // User doesnt exist
        // echo something u
    }
}
If I replace my whole login function with that, it errors.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
If I replace my whole login function with that, it errors.
Dunno how the heck your login function works; this was an example of how passwords are verified. Don't expect me to write a whole script for you, because then you'll never truly understand it before you do it yourself. Never used RevCMS in production, and would never bother to do so.

EDIT:
JayCustom's example was just really badly coded and retarded, so I had to fix it so you'd understand better how it works. No offense, but that was one awful example.
 
Last edited:

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
Dunno how the heck your login function works; this was an example of how passwords are verified. Don't expect me to write a whole script for you, because then you'll never truly understand it before you do it yourself. Never used RevCMS in production, and would never bother to do so.

EDIT:
JayCustom's example was just really badly coded and retarded, so I had to fix it so you'd understand better how it works. No offense, but that was one awful example.
Thanks anyways!

For other people, this is the login function:
PHP:
    final public function login()
    {
        global $template, $_CONFIG, $core;
        
        if(isset($_POST['login']))
        {
            $template->form->setData();
            unset($template->form->error);
            
            if($this->nameTaken($template->form->log_username))
            {
                if($this->isBanned($template->form->log_username) == false || $this->isBanned($_SERVER['REMOTE_ADDR']) == false)
                {
                    if($this->userValidation($template->form->log_username, $core->hashed($template->form->log_password)))
                    {
                        $this->turnOn($template->form->log_username);
                        $this->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);
                        $template->form->unsetData();
                        header('Location: ' . $_CONFIG['hotel']['url'] . '/me');
                        exit;
                    }
                    else
                    {
                        $template->form->error = 'Details do not match';
                        return;
                    }
                }
                else
                {
                    $template->form->error = 'Sorry, it appears this user is banned<br />';
                    $template->form->error .= 'Reason: ' . $this->getReason($template->form->log_username);
                    return;
                }
            }
            else
            {
                $template->form->error = 'Username does not exist';
                return;
            }
        }
    }
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
Thanks anyways!

For other people, this is the login function:
PHP:
    final public function login()
    {
        global $template, $_CONFIG, $core;
    
        if(isset($_POST['login']))
        {
            $template->form->setData();
            unset($template->form->error);
        
            if($this->nameTaken($template->form->log_username))
            {
                if($this->isBanned($template->form->log_username) == false || $this->isBanned($_SERVER['REMOTE_ADDR']) == false)
                {
                    if($this->userValidation($template->form->log_username, $core->hashed($template->form->log_password)))
                    {
                        $this->turnOn($template->form->log_username);
                        $this->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);
                        $template->form->unsetData();
                        header('Location: ' . $_CONFIG['hotel']['url'] . '/me');
                        exit;
                    }
                    else
                    {
                        $template->form->error = 'Details do not match';
                        return;
                    }
                }
                else
                {
                    $template->form->error = 'Sorry, it appears this user is banned<br />';
                    $template->form->error .= 'Reason: ' . $this->getReason($template->form->log_username);
                    return;
                }
            }
            else
            {
                $template->form->error = 'Username does not exist';
                return;
            }
        }
    }
Drop me your userValidation function, because I can see the error.
Are you using password_verify() or are you just simply checking the two hashes against each other? Because you're pretty much hashing the entered password on this line:
PHP:
if($this->userValidation($template->form->log_username, $core->hashed($template->form->log_password)))
 
Last edited:

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
Drop your userValidation function, because I can see the error.
Are you using password_verify() or are you just simply checking the two hashes against each other? Because you're pretty much hashing the entered password on this line:
PHP:
if($this->userValidation($template->form->log_username, $core->hashed($template->form->log_password)))
I'm unsure, lol. Never was good with PHP.

If you go to my class.users.php ( ) you'd understand better than I would and you can lead me in the right direction. As stated before, I have no clue.
 
