RevCMS BCRYPT

Blasteh

big tits
Apr 3, 2013
1,156
521
Hi,
Previously I was looking for this and I finally found someone that released it on a rival forum so I decided to post here.

Please note, if you already have a user(s) in your database I wouldn't suggest doing this, as they won't be able to login.

Go to app/class.core.php and find this line:
PHP:
final public function hashed($password)
    {
        return md5($password);
    }

and change it to:
PHP:
final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }
Step 2, go to class.users.php and find something similar to:
PHP:
final public function userValidation($username, $password)    {                 global $engine;         if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)        {            return true;        }                      return false;    }
then change it to:
PHP:
final public function userValidation($username, $password)    {                 global $engine;         if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)        return password_verify($password);    }
 

CosmoPeak

PeakRP.com
May 15, 2016
271
268
Does this even work? :confused:

password_verify takes 2 arguments and you can't compare it by doing a database request as the password will have a different hash every time it's called (as bcrypt uses a salt).

You need to get the password hash from the database for the user and call password_verify on it with the plaintext password from the user input.
 

Blasteh

big tits
Apr 3, 2013
1,156
521
Does this even work? :confused:

password_verify takes 2 arguments and you can't compare it by doing a database request as the password will have a different hash every time it's called (as bcrypt uses a salt).

You need to get the password hash from the database for the user and call password_verify on it with the plaintext password from the user input.
I tested it on localhost, works fine for me.
 

CosmoPeak

PeakRP.com
May 15, 2016
271
268
I tested it on localhost, works fine for me.
Maybe you're from a planet where password_verify only takes 1 argument and hashing with a different salt each time produces the same hash. If it's working in the state you've posted it, I doubt it's working at all. Have you tried incorrect passwords?

Example:
 

TheRealMoonman

I eat babies
Sep 30, 2014
360
74
It doesn't take "op PHP skills" to post code that... works. If you're going to post something, at least test it first? :S It's a completely pointless post that does absolutely nothing...
But you don't need to be arrogant about it, makes some people misinterpret and get defensive, show encouragement and constructive criticism. Obviously they are still learning.
 

CosmoPeak

PeakRP.com
May 15, 2016
271
268
But you don't need to be arrogant about it, makes some people misinterpret and get defensive, show encouragement and constructive criticism. Obviously they are still learning.
I told him the issues with the code and he said "it works" (it doesn't). Whatever. You can stare at this code and tell him it's great and pretend it works if you so desire.
 

Weasel

👄 I'd intercept me
Nov 25, 2011
4,135
2,461
The only reason this might "work" is because the response defaults to true somewhere, hence logging you in. Unless you have a cleartext password, it wouldn't even get to password_verify as the num_rows in the if statements would always be false.
 

JMS

Posting Freak
Aug 25, 2014
562
270
Not sure if this is relevant, but after using this - logging out of the hotel, I am unable to log back in
 

Wickd

The first member of the Knights of the Pink Table
Jan 15, 2013
1,936
612
Not sure if this is relevant, but after using this - logging out of the hotel, I am unable to log back in
It's because of your old password hash.I personally use BFish.
 

Users who are viewing this thread

Top