RevCMS BCRYPT

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
Hi,
Previously I was looking for this and I finally found someone that released it on a rival forum so I decided to post here.

Please note, if you already have a user(s) in your database I wouldn't suggest doing this, as they won't be able to login.

Go to app/class.core.php and find this line:
PHP:
final public function hashed($password)
    {
        return md5($password);
    }

and change it to:
PHP:
final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }
Step 2, go to class.users.php and find something similar to:
PHP:
final public function userValidation($username, $password)
    {
        global $engine;
        if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)
        {
            return true;
        }
        return false;
    }
then change it to:
PHP:
final public function userValidation($username, $password)
    {
        global $engine;
        if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)
        return password_verify($password);
    }
 

CosmoPeak

PeakRP.com
May 15, 2016
271
268
Does this even work? :confused:

password_verify takes 2 arguments and you can't compare it by doing a database request as the password will have a different hash every time it's called (as bcrypt uses a salt).

You need to get the password hash from the database for the user and call password_verify on it with the plaintext password from the user input.
 

Blasteh

Lord Farquaad
Apr 3, 2013
1,151
513
Does this even work? :confused:

password_verify takes 2 arguments and you can't compare it by doing a database request as the password will have a different hash every time it's called (as bcrypt uses a salt).

You need to get the password hash from the database for the user and call password_verify on it with the plaintext password from the user input.
I tested it on localhost, works fine for me.
 

CosmoPeak

PeakRP.com
May 15, 2016
271
268
I tested it on localhost, works fine for me.
Maybe you're from a planet where password_verify only takes 1 argument and hashing with a different salt each time produces the same hash. If it's working in the state you've posted it, I doubt it's working at all. Have you tried incorrect passwords?

Example:
 

TheRealMoonman

I eat babies
Sep 30, 2014
360
74
It doesn't take "op PHP skills" to post code that... works. If you're going to post something, at least test it first? :S It's a completely pointless post that does absolutely nothing...
But you don't need to be arrogant about it, makes some people misinterpret and get defensive, show encouragement and constructive criticism. Obviously they are still learning.
 

CosmoPeak

PeakRP.com
May 15, 2016
271
268
But you don't need to be arrogant about it, makes some people misinterpret and get defensive, show encouragement and constructive criticism. Obviously they are still learning.
I told him the issues with the code and he said "it works" (it doesn't). Whatever. You can stare at this code and tell him it's great and pretend it works if you so desire.
 

Weasel

👄 I'd intercept me
Nov 25, 2011
4,132
2,456
The only reason this might "work" is because the response defaults to true somewhere, hence logging you in. Unless you have a cleartext password, it wouldn't even get to password_verify as the num_rows in the if statements would always be false.
 

JMS

Posting Freak
Aug 25, 2014
563
269
Not sure if this is relevant, but after using this - logging out of the hotel, I am unable to log back in
 

Wickd

The first member of the Knights of the Pink Table
Jan 15, 2013
1,936
612
Not sure if this is relevant, but after using this - logging out of the hotel, I am unable to log back in
It's because of your old password hash. I personally use BFish.
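
The approach described in the replies above (fetch the stored hash by username, then call password_verify with the plaintext input), as an added example that is not part of the thread and not RevCMS's own code. It also upgrades old md5 rows on the next successful login, which addresses the "unable to log back in" report. PDO with an in-memory SQLite table stands in for RevCMS's $engine, and the sample users and passwords are constructed; both are assumptions.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for RevCMS's $engine (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');

// Constructed sample rows: one legacy md5 account, one already on bcrypt.
$seed = $db->prepare('INSERT INTO users VALUES (?, ?)');
$seed->execute(['olduser', md5('hunter2')]);
$seed->execute(['newuser', password_hash('s3cret', PASSWORD_BCRYPT)]);

function userValidation(PDO $db, string $username, string $password): bool
{
    // Look the row up by username only; the hash is never part of the WHERE clause.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    if (preg_match('/^[a-f0-9]{32}$/', $stored) === 1) {
        // Legacy row: 32 hex characters is the old md5() format.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $rehash = true; // password was correct, so move the row to bcrypt
    } else {
        // bcrypt row: the salt lives inside $stored, so verify against it.
        if (!password_verify($password, $stored)) {
            return false;
        }
        $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT);
    }

    if ($rehash) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $username]);
    }
    return true;
}

var_dump(userValidation($db, 'newuser', 's3cret'));  // correct password, bcrypt row
var_dump(userValidation($db, 'newuser', 'wrong'));   // incorrect password, bcrypt row
var_dump(userValidation($db, 'olduser', 'hunter2')); // legacy md5 row, upgraded on success
var_dump(userValidation($db, 'olduser', 'hunter2')); // same user, now checked via bcrypt
```

The password column has to be wide enough for the new format: a bcrypt hash is 60 characters, against 32 for md5.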
 
