phpass not working - codeigniter

I'm hashing the passwords upon account creation, and that it working (with the password set to VARCHAR(60)) but when I try to do this:
$query = $this->CI->db->query("SELECT * FROM users WHERE email = ?", $email);
if ($query->num_rows() > 0) {
$user_pass = $query->row()->password;
$hasher = new PasswordHash(PHPASS_HASH_STRENGTH, PHPASS_HASH_PORTABLE);
if ($hasher->CheckPassword($user_pass, $pass)) {
return true;
} else {
return false;
}
} else {
return false;
}
it always returns false. Any ideas as to why this might be? (the password I'm providing is correct)

I think you have inverted the check password field. It has to be like this:
$hasher->CheckPassword(password which has to be checked, password from database).
This makes a difference because Check Password is going to hash the password which is to be checked.

Related

Can update a users password in localhost but not on shared hosting server

This is the function to update user password
function update_systemusers_password($input) {
$systemusers = users::find($input['userid']);
$systemusers->password = bcrypt($input['password']);
$systemusers->save();
}
however it doesn't update in shared hosting server
First of all you need to confirm that your function is execute or not. Try something like this to make sure.
function update_systemusers_password($input) {
dd($input); // it will show the all of input
$systemusers = users::find($input['userid']);
$systemusers->password = bcrypt($input['password']);
$systemusers->save();
}
if dd(); print all the value of request then remove the dd(); inside the function and write some condition for confirmation.
function update_systemusers_password($input) {
$systemusers = users::find($input['userid']);
$systemusers->password = bcrypt($input['password']);
if($systemusers->save()){
dd("save successfully");
}
else{
dd("found error");
}
}

Symfony2: check whether session exists or not

Is there a method to check whether a session exists or not?
I tried this method, but it always gives me a 'Bravo !' answer:
$session = $this->getRequest()->hasPreviousSession();
if($session)
{
return new Response('Bravo !');
}
else
{
return new Response('Oooops !');
}
$this->container->get('session')->isStarted()
is what you're looking for.

Importing customers into magento with existing passwords

I'm importing 15000 users from virtuemart into magento but have been unable to get the passwords to import correctly.
My problem is that the passwords are hashed differently.
Virtuemart HASH = md5($password.$salt);
Magento HASH = md5($salt.$password);
An example password looks like:
c957d358c8a79e66af10086b53b5a069:AuHg2mCXUhViqKYCLtFco22rmUCDwIFI
An answer has been provided below which partially solves my problem. Applying this allows my virtuemart customers to login but causes issues with the admin login and forces new users to use the virtuemart password hash format.
I now need to modify this in such a way that it checks the core hashing method, and if that fails it checks the virtuemart hashing method allowing both password formats to login.
I was thinking something along the lines of
public function getHash($password, $salt = false)
{
if (is_integer($salt)) {
$salt = $this->_helper->getRandomString($salt);
}
return $salt === false ? $this->hash($password) : $this->hash($password . $salt) . ':' . $salt : $this->hash($salt . $password) . ':' . $salt;
}
.
public function validateHash($password, $hash)
{
$hashArr = explode(':', $hash);
switch (count($hashArr)) {
case 1:
// no hash
return $this->hash($password) === $hash;
case 2:
// magento default hash
return $this->hash($hashArr[1] . $password) === $hashArr[0];
case 3:
// virtuemart hash
return $this->hash($password . $hashArr[1]) === $hashArr[0]; }
Mage::throwException('Invalid hash.');
}
but as you can probably tell this doesnt work as i have no way to check the hash type method.
How would i go about this please ?
UPDATE - Heres my latest attempt.
public function validateHash($password, $hash)
{
$hashArr = explode(':', $hash);
if(admin_login_handling_and_api_user_accounts){
switch (count($hashArr)) {
case 1:
return $this->hash($password) === $hash;
case 2:
return $this->hash($hashArr[1] . $password) === $hashArr[0];
}
} else if(Magento_customer_handling){
switch (count($hashArr)) {
case 1:
return $this->hash($password) === $hash;
case 2:
return $this->hash($password . $hashArr[1]) === $hashArr[0];
}
} else if(soap_Api_customer_handling){
switch (count($hashArr)) {
case 1:
return $this->hash($password) === $hash;
case 2:
return $this->hash($hashArr[1] . $password) === $hashArr[0];
}
}
}
I've changed the validatehash function to include if statements but this doesnt seem to be recognised. My php skills are on the very basic side so if someone could please explain where im going wrong with this or if theres a better way to go about it.
Thanks.
It all depends how the algorithm works in virtuemart. After a quick google it seems like it takes the password provided by the user and appends the salt (the part after the semi-colon) to the end, then md5's the value, which it compares to the password hash (the part before the semi-colon in the database).
In contrast to that Magento prepends the salt to the start of the password before md5 hashing it, rather than the end.
Long story short, the quick win should be attainable by editing Mage_Core_Model_Encryption::validateHash so that if $hashArr has a count of two it will append the hash, rather than prepend.
// replace
return $this->hash($hashArr[1] . $password) === $hashArr[0];
// with
return $this->hash($password . $hashArr[1]) === $hashArr[0];

magento saving admin details

I'm wondering if its possible to programmatically save admin user details? email, password, first name, last name and password.
This is what I have so far:
$details = Mage::getSingleton('admin/session')->getUser();
$details->setEmail($postData['email'])
->setFirstName($postData['first_name'])
->setLastName($postData['last_name']);
if($postData['password']) {
if($postData['password'] === $postData['password_confirm']) {
$details->setPassword($postData['password']);
}
}
$details->save();
However, it's not saving (it is saving other details). It is also not generating any errors.
Got it working:
$details = Mage::getSingleton('admin/session')->getUser();
$model = Mage::getModel('admin/user')->load($details2->getUserId());
$model->setEmail($postData['email'])
->setFirstname($postData['firstname'])
->setLastname($postData['lastname']);
if($postData['password']) {
if($postData['password'] === $postData['password_confirm']) {
$model->setPassword($postData['password']);
}
}
$model->save();

codeigniter admin login hacked although I have used all security matters

how come have the code before hacked with SQL Injection :(
$query = $this->db->query("SELECT * FROM users WHERE username = ? AND password = ?", array(mysql_real_escape_string($this->input->post('username')), mysql_real_escape_string(MD5($this->input->post('password')))));
appreciate helps!!
You don't need to use mysql_real_escape_string() as CodeIgniter Database driver does that for you. Double escaping your string could well cause some problems.
Use like this for more safer queries:
$query_username = $this->db->query("SELECT COUNT(username) AS count_username FROM users WHERE username=?", $this->input->post('username'));
$row_username = $query_username->row_array();
if ($row_username['count_username'] > 0) {
$query_password = $this->db->query("SELECT password FROM users WHERE username=?", $this->input->post('username'));
$row_password = $query_password->row_array();
if ($row_password['password'] == MD5($this->input->post('password')) {
// LOGIN SUCCESS
} else {
// LOGIN FAILED
}
} else {
// LOGIN FAILED
}

Resources