
Update PHP password functions

12/4/2016 5:25:11 AM
PHPRunner Tips and Tricks
kujox author

Hi, I've not been around or using PHP Runner for a while due to other projects but I've just updated to 9.6, looks great.
I wanted to know how to swap out the MD5 encryption for the newer PHP functions, password_hash and password_verify, so I could connect to a Laravel application.
Ideally I wanted to do it in the events so I don't have to mess with the installation.
I used the events template for this but you can just swap out the evusers for your own user table name.
Update the evusers table from the default 50 chars to 100.
I then entered this into the AfterSuccessfulRegistration event which encrypts the password.



// Hash the submitted password with bcrypt (PASSWORD_DEFAULT) and replace
// the value PHPRunner stored for the new user on registration.
$password = password_hash( $userdata['Password'], PASSWORD_DEFAULT );

// Note: the $userdata values are concatenated into the SQL without escaping.
$sql = "UPDATE evusers SET password = '".$password."' WHERE Email='".$userdata['Email']."' AND Username='".$userdata['Username']."'";
CustomQuery($sql);


I was thinking about intercepting the BeforeLogin event but then I need to stop the control returning to the other login functions and bypass them so that wouldn't work.
Then I was looking at the AfterUnsuccessfulLogin event, check the login, log them in and then use header:location to redirect the user to the landing page.



global $conn;
// Look up the user by name. Note: $username is concatenated into the SQL
// without escaping.
$strSQLExists = "SELECT * FROM evusers WHERE Username='".$username."'";
$rsExists = db_query($strSQLExists,$conn);
$data = db_fetch_array($rsExists);

if($data)
{
	// check the submitted password against the stored bcrypt hash
	if (password_verify( $password, $data['Password'] )) {
		// Password is valid against the hash so log them in
		$_SESSION['UserID'] = $data['Username'];
		$_SESSION['UserName'] = $data['Username'];
		$_SESSION['GroupID'] = $data['Username'];
		$_SESSION['AccessLevel'] = 'user';
		$_SESSION['fromFacebook'] = '';
		$_SESSION['OwnerID'] = $data['ID'];
		$_SESSION['_evcategories_OwnerID'] = $data['ID'];
		$_SESSION['_evtellfriend_OwnerID'] = $data['ID'];
		$_SESSION['_evusers_OwnerID'] = $data['ID'];
		$_SESSION['_evevents_OwnerID'] = $data['ID'];

		//********** Redirect to another page ************
		header("location:menu.php");
		exit;
	} else {
		$message = 'Invalid Password against the hash.';
	}
}
else
{
	// if the user doesn't exist then let the login fail
	$message = 'Invalid Record.';
}


Any use to anyone or any ideas to improve it?
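An added example (not code from the post or from PHPRunner) of the MD5 to password_hash switch described above, done as a transparent upgrade at login: a user whose row still holds a 32-hex-char MD5 hash is verified against it once and then re-hashed with PASSWORD_DEFAULT, and bcrypt hashes made with an outdated cost are refreshed the same way. It assumes a PDO handle $pdo and the post's evusers table with Username and Password columns; the dummy bcrypt string used for unknown users is constructed, not a real hash.

```php
<?php
// Added example (not from the post or PHPRunner): verify a login against either
// a legacy MD5 hash or a password_hash() value, and transparently re-hash legacy
// or weak hashes with PASSWORD_DEFAULT. Uses prepared statements rather than
// string-built SQL. Assumes a PDO handle $pdo and the post's table/columns.

/**
 * Returns the evusers row on success, or null when the login fails.
 * Legacy 32-hex-char MD5 hashes are accepted once and upgraded to bcrypt.
 */
function loginAndUpgrade(PDO $pdo, $username, $plain)
{
    $stmt = $pdo->prepare('SELECT * FROM evusers WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a constructed dummy bcrypt hash so the
        // response takes about as long as a real check (no username oracle).
        password_verify($plain, '$2y$10$' . str_repeat('a', 53));
        return null;
    }

    $stored = $row['Password'];
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
    if ($isLegacyMd5) {
        // Constant-time compare of the old MD5 value (md5() yields lowercase hex).
        $ok = hash_equals(strtolower($stored), md5($plain));
    } else {
        $ok = password_verify($plain, $stored);
    }
    if (!$ok) {
        return null;
    }

    // Re-hash if the stored value is MD5, or a bcrypt hash whose cost/algorithm
    // no longer matches PASSWORD_DEFAULT. Needs a column wider than 60 chars.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $new = password_hash($plain, PASSWORD_DEFAULT);
        $upd = $pdo->prepare('UPDATE evusers SET Password = :h WHERE Username = :u');
        $upd->execute([':h' => $new, ':u' => $username]);
        $row['Password'] = $new;
    }
    return $row;
}
```

Because $2y$ hashes from password_hash() are what Laravel's bcrypt driver produces, rows upgraded this way verify on the Laravel side too.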

501415 1/7/2017

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice). PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.