Validating a hashed password in WordPress - php

I'm working on a custom system that works in parallel with my WordPress site, and the idea is that one can log in to this system with the same credentials (username and password) as the ones they've made on my WordPress site.
So I already have a custom login page for this system which, on submission, checks if the entered username and password exist in the WordPress database.
I've managed to do this, but it seems to generate a new string every time it's run:
include_once( "../wp-config.php" );
include_once( "../wp-includes/class-phpass.php" );
$password = mysql_escape_string("password123");
$wp_hash = new PasswordHash( 8, TRUE );
echo $wp_hash->HashPassword( $password );
How can I do this?

$user = get_user_by( 'login', $username );
if ( $user && wp_check_password( $pass, $user->data->user_pass, $user->ID ) )
    echo "That's it";
else
    echo "Nope";
You can see here.
And if you define the password's hash in your code:
require_once($_SERVER['DOCUMENT_ROOT']."/wp-load.php");
$password = '123456';
$hash = '$P$BpR40ssU1UobqMELuNlwzxVa4XgKNk1';
var_dump(wp_check_password($password, $hash));
Note: be careful, because you should define your own password hash.
You can generate a WordPress password hash from here.

Related

PHP Log in page doesn't work with password_verify

So, I have hashed the password for new accounts which are created on adduser.php with this:
if (isset($_POST['submit'])) {
    require "../functions/db-insert.php";
    $productcategory = [
        'username' => $_POST['username'],
        'password' => sha1($_POST['password']),
        'isadmin' => $_POST['isadmin']
    ];
    //$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
    $category = insert($pdo, 'users', $productcategory);
    echo "<p>User added</p>";
}
and now I'm trying to modify my login.php to be able to sign in properly using password_verify, but I seem to be doing something wrong, as I can no longer sign in.
if (isset($_POST['submit'])) {
    if (isset($_POST["username"]) && isset($_POST["password"])) {
        $results = $pdo->prepare("SELECT * FROM users
            WHERE username = :username AND password = :password");
        $values = [
            ':username' => $_POST["username"],
            ':password' => $_POST['password']
        ];
        $password = $_POST['password'];
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $results->execute($values);
        $row = $results->fetchAll();
        if (count($row) < 1) {
            echo '<h3><strong>Wrong username or password!</strong></h3>';
        }
        else if (!password_verify($password, $hash)) {
            $_SESSION['loggedin'] = true;
            $_SESSION['name'] = $_POST['username'];
            echo "<h3>Welcome back " . $_SESSION['name'] . " !</h3>";
        }
    }
}
At this point, I'm not entirely sure what I'm doing wrong and would really appreciate it if someone could help me troubleshoot the stuff I'm doing wrong. I've looked all over Stack Overflow but none of the previously asked questions were working for me, unfortunately.
You're re-hashing the password. When you use password_hash you don't get the same value for the same string, so you are never going to find a match. You need to select the password (hashed) and then pass the raw string (input) into password_verify. So just have the username in the WHERE, then use the resulting password and the raw string in password_verify.
Try echoing out a password_hash of the same value (e.g. password_hash('test', ...)) and you will see. You also need to account for using md5, if this is what you have done before. If this is a live system it will be difficult, as you will basically need to make everyone change their password or write some routine to update it the next time they log in (e.g. use the old verification method, then password_hash() the password and update it). If this isn't production code yet, just clear your passwords and start again.
Also, I just noticed you have said you want to log people in if the password verification returns false (!password_verify...). So your logic is back to front.

Disable WordPress Email/Username at The Registration Page

I created a website using WordPress. My website provides a registration page where users can enter several information in a form.
Is it possible to disable/delete the email and username at the registration page? Is there some php file or settings page where I can modify this behavior? I don't want such information to be required at all.
Any help is appreciated.
You must have at least one of those fields, i.e. either username or email, because you cannot log in with just a password.
In the following example, I have used just the username to register and ignored the email field, and registered a user via an ajax call; this code is from the functions.php file.
function register() {
    global $wpdb;
    $username = $_POST['username'];
    $password = $_POST['password'];
    $userdata = array('user_login' => $username, 'user_pass' => $password);
    if (isset($username) && $username != '') {
        $user_id = wp_insert_user($userdata);
        // Check for an error before treating the return value as a user ID
        if (is_wp_error($user_id)) {
            $error_string = $user_id->get_error_message();
            echo $error_string;
            return;
        }
        wp_set_current_user($user_id, $username);
        wp_set_auth_cookie($user_id, true, false);
        $_SESSION['registered'] = 1;
        update_user_meta($user_id, 'last_login', time());
        echo $user_id;
    }
}

Password verify always returning true

I've been trying to write a simple login for a couple of days now. After I'd thought I had it working, I realized that it would accept any input in the password field as being true, so I scrapped it and started again. I'm trying to use the php function password_verify for the verification, but no matter what I do, it always returns true. Is there something I'm doing wrong? Here is my code (I know it's not secure, I just want it to recognize a wrong password for now):
if (isset($_POST['submit']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (password_verify($_POST['password'], $hash))
    {
        echo 0;
    }
    else
    {
        echo 1;
    }
}
The reason it always returns true is because you are verifying a hash that you just created... it will always be verified correctly.
When you use the password_verify() function the $hash parameter has to come from somewhere else (usually a database of some kind).
// If this is a POST request then handle the form
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Get password from form
    $pass = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
    // Connect to a database of some kind
    // Get a previously hashed password
    $hash = 'A HASH FROM SOMEWHERE ELSE...';
    // Verify the previously hashed password
    // against the password provided by the user
    if (password_verify($pass, $hash)) {
        echo 'Password is valid!';
    }
}
You are getting $password from $_POST['password'];
You are hashing $password, which is $_POST['password'];
password_verify($_POST['password'], $hash)
You are comparing $_POST['password'] with a hash, and the hash is also of $_POST['password'].
That's why it always returns true: because $password and the hash both come from $_POST['password'], they are the same.
You check the post password with the post password. You should check the post password instead with a wanted password.
You're assigning $hash to the password you received through POST.
This is how password_verify works:
boolean password_verify ( string $password , string $hash )
Verifies that the given $hash matches the password received.
So now you're checking the password stored in $hash against the password obtained in POST, which are the same.
Hence, always true.
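The fix both threads point at (select by username only, verify against the stored hash, never compare or recompute hashes yourself), as an added example that is not code from any of the posts above; it also upgrades the legacy sha1() rows the earlier question was creating. The table users(id, username, password) and the SQLite demo data are assumed.

```php
<?php
// Added example, not code from the questions or answers above: fetch the stored
// hash by username only, verify it with password_verify(), and upgrade rows that
// still hold a legacy sha1() hash. Table users(id, username, password) is assumed.

// A bare 40-hex-digit value is an old sha1() digest; password_hash() output starts with "$".
function isLegacySha1(string $stored): bool { return strlen($stored) === 40 && ctype_xdigit($stored); }

function upgradeHash(PDO $pdo, int $id, string $password): void
{
    $stmt = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $stmt->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $id]);
}

// Returns the user id on success, null on failure. The hash is never rebuilt here: password_hash()
// embeds a random salt, so a fresh hash of the same input never equals the stored string.
function login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $id = (int) $row['id'];
    $stored = (string) $row['password'];
    if (isLegacySha1($stored)) {
        if (!hash_equals($stored, sha1($password))) {
            return null;
        }
        upgradeHash($pdo, $id, $password);   // migrate on the first successful login
        return $id;
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        upgradeHash($pdo, $id, $password);   // default cost or algorithm has changed
    }
    return $id;
}

// Constructed demo on an in-memory SQLite database: alice still has a sha1 hash, bob a bcrypt one.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['alice', sha1('old-pass')]);
$insert->execute(['bob', password_hash('new-pass', PASSWORD_DEFAULT)]);
var_dump(login($pdo, 'alice', 'old-pass'), login($pdo, 'alice', 'wrong'), login($pdo, 'bob', 'new-pass'));
```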

Check WordPress hashed password with plain password

I am building an external application for which user login credentials will be taken from the WordPress site database table 'users'.
WordPress uses PHPass hashing; I am unable to validate the username and password for my external application, as the password in database table 'users' is hashed.
I am trying to check a plain password against the hashed password using the wp_check_password function, but I am failing; nothing is written back with this code:
<?php
$password = '965521425';
$hash = '$P$9jWFhEPMfI.KPByiNO9IyUzSTG7EZK0';
require_once('/home/nhtsoft/public_html/project/wp-includes/class-phpass.php');
function wp_check_password($password, $hash) {
    global $wp_hasher;
    if ( empty($wp_hasher) ) {
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash);
}
?>
This code is giving me an empty page.
How do I check this password so that I can use these WordPress credentials for the external app login?
You have passed the wrong hash value; the hash value for 965521425 is $P$BmI5G.LOoEx1iH.naNqVhWnSh5sMp31, and you just need to write the code below into your file:
require_once($_SERVER['DOCUMENT_ROOT']."/wp-load.php");
$password = '965521425';
$hash = '$P$BmI5G.LOoEx1iH.naNqVhWnSh5sMp31';
var_dump(wp_check_password($password, $hash));
exit;
In your code, you include the wp library and it looks like you redefine a function named wp_check_password but you do not call any function at all. Add the following line before the closing php tag ("?>") and try again.
echo (wp_check_password($password, $hash) ? 'TRUE' : 'FALSE');
Keep an eye on the error logs in case you miss some dependencies.
I would simply do this: <?php wp_check_password( $password, $hash, $user_id ) ?> Refer
$password_hashed = '$P$Bgf2Hpr5pOVOYAvQZUhUZeLIi/QuPr1';
$plain_password = '123456';
if ((wp_check_password($plain_password, $password_hashed)) == 1) {
    echo "YES, Matched";
} else {
    echo "No, Wrong Password";
}
Try this... It works fine for me:
require_once( ABSPATH . WPINC . '/class-phpass.php');
$wp_hasher = new PasswordHash(8, TRUE);
$plain_password = trim($_POST['pass_current']); // password typed by the user
$user = get_user_by('id', get_current_user_id());
$password_hashed = $user->user_pass;
if ($wp_hasher->CheckPassword($plain_password, $password_hashed)) {
    echo "YES, Matched";
} else {
    echo "No, Wrong Password";
}
What Bhumi Shah wrote is correct; you should add
require_once($_SERVER['DOCUMENT_ROOT']."/wp-load.php");
to your code.
But the hashed value for any password (number or text) is not one fixed thing; it could be many things. That's why they can only be compared with wp_check_password.
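An external login page that validates WordPress credentials the way the answers in this thread and in the first thread above recommend, as an added example that is not code from any of the posts; it also shows why HashPassword() yields a different string on every run. It assumes the file lives one directory below the WordPress root (adjust the ../wp-load.php path) and that the session key name is the external app's own choice.

```php
<?php
// Added example, not code from the posts above: an external login page that checks
// a username/password against the WordPress users table. It assumes this file sits
// one directory below the WordPress root, so ../wp-load.php resolves; adjust the path.
require_once __DIR__ . '/../wp-load.php';             // defines get_user_by(), wp_check_password(), wp_unslash()
require_once ABSPATH . WPINC . '/class-phpass.php';   // PasswordHash, used only by the demonstration below

// Returns the WP_User on success, null otherwise. Always go through wp_check_password():
// it accepts both the legacy md5 and the phpass formats and re-hashes old ones when the user id is given.
function external_login(string $username, string $password): ?WP_User
{
    $user = get_user_by('login', $username);
    if (!$user instanceof WP_User) {
        return null;
    }
    return wp_check_password($password, $user->user_pass, $user->ID) ? $user : null;
}

// Why HashPassword() "generates a new string every time": each call draws a fresh
// random salt and stores it inside the "$P$..." string, so two hashes of the same
// password never match as strings, yet both verify with CheckPassword().
function salted_hash_demo(string $password): array
{
    $hasher = new PasswordHash(8, true);
    $a = $hasher->HashPassword($password);
    $b = $hasher->HashPassword($password);
    return [
        'strings_equal' => $a === $b,
        'a_verifies'    => $hasher->CheckPassword($password, $a),
        'b_verifies'    => $hasher->CheckPassword($password, $b),
    ];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // wp-load.php adds slashes to $_POST; remove them, and never escape or trim the password itself.
    $username = sanitize_user(wp_unslash($_POST['username'] ?? ''));
    $password = (string) wp_unslash($_POST['password'] ?? '');
    $user = external_login($username, $password);
    if ($user === null) {
        http_response_code(401);
        echo 'Invalid username or password.';
    } else {
        session_start();
        $_SESSION['wp_user_id'] = $user->ID;   // the external app's own session, separate from the WP cookie
        echo 'Welcome, ' . esc_html($user->display_name);
    }
} else {
    var_dump(salted_hash_demo('password123'));
}
```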

Password hash using various methods

I was looking for the best way to store users' passwords, but I'm not really into security, so I've found a lot of information about encryption and things like that using Google.
I don't like using snippets that I can get from blogs or sites on the Internet; I'd rather create my own solution, so I ended up developing two functions: one to create a hash and another one to check the "hashed" password.
I don't know if I'm doing it right, or if I'm just increasing my problems, so take a look at the functions below.
// Creates a simple password hash
function hashPassword( $password = false )
{
    // Require at least 6 characters
    if( strlen( $password ) < 6 )
    {
        // Kills the script
        exit('Password is too short.');
    }
    // Take the first 4 characters of the password
    $salt = substr( $password, 0, 4 );
    // Calculate the md5 hash of the salt
    $salt = md5( $salt );
    // Take the password from its 4th character onward (overlaps the salt by one character)
    $password = substr( $password, 3, strlen( $password ) );
    // Calculate the sha1 hash of salt + password
    $password = sha1( $salt . $password );
    // Crypt the result
    $password = crypt( $password );
    return $password;
}
That's the password that I'm going to store. Now, check out the way I'm going to check if the password's correct.
// Checks if a hashed password matches a user-input password
function checkHashedPassword( $password = false, $hashedPassword = false )
{
    // Require at least 6 characters
    if( strlen( $password ) < 6 )
    {
        // Kills the script
        exit('Password is too short.');
    }
    // Take the first 4 characters of the password
    $salt = substr( $password, 0, 4 );
    // Calculate the md5 hash of the salt
    $salt = md5( $salt );
    // Take the password from its 4th character onward (overlaps the salt by one character)
    $password = substr( $password, 3, strlen( $password ) );
    // Calculate the sha1 hash of salt + password
    $password = sha1( $salt . $password );
    // Checks the password against the stored hash
    if( crypt( $password, $hashedPassword ) == $hashedPassword )
    {
        // Returns true
        return true;
    }
    // Returns false by default
    return false;
}
As you can see, I'm going to create a variable storing the password, and then I can check if it's ok, like the code below:
$pass = hashPassword( $_POST['password'] );
if( !checkHashedPassword( $_POST['password'], $pass ) )
{
    exit('Password incorrect!');
}
So, will it work securely?
If you are looking for a general and simple way, the "Adding simple password hashing API" proposal is still an RFC for PHP, but it has a very good implementation by ircmaxwell that you can use.
Example
$hash = password_hash($password, PASSWORD_BCRYPT);
Verification
if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}
Download Here
The Password Storage Cheat Sheet from OWASP provides good guidelines for password storage and hashing.
The key points are to use a strong salt, and iterate the hash (64,000 times or more currently).
A good and widely used PHP library for password hashing is the Portable PHP Password Hashing Framework by OpenWall; I recommend checking that out.
You can use:
$pass = <query password code>;
if( $pass != hashPassword( $_POST['password'] ) )
{
    exit('Password incorrect!');
}
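The two properties the OWASP guidance above asks for, a random per-password salt and a tunable work factor, implemented with password_hash(), as an added example that is not code from the question or its answers; it also shows why a salt derived from the password itself, as in the question's hashPassword(), separates nothing. calibrate_cost() and its 250 ms target are assumptions of this example.

```php
<?php
// Added example, not code from the question or its answers: a random per-password salt
// and a tunable work factor via password_hash(). calibrate_cost() and the 250 ms target
// are this example's own choices.
declare(strict_types=1);

// Find the smallest bcrypt cost whose hashing time reaches $target_ms on this machine.
function calibrate_cost(float $target_ms = 250.0, int $min = 10, int $max = 14): int
{
    for ($cost = $min; $cost <= $max; $cost++) {
        $start = microtime(true);
        password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((microtime(true) - $start) * 1000 >= $target_ms) {
            return $cost;
        }
    }
    return $max;
}

function make_hash(string $password, int $cost): string
{
    // password_hash() draws a 16-byte salt from the CSPRNG and stores it inside the result,
    // unlike the question's crypt() call with no salt argument (which PHP 8 rejects outright).
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify, and report whether the stored hash should be replaced because the cost was raised.
function check_hash(string $password, string $stored, int $cost): array
{
    $ok = password_verify($password, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['valid' => $ok, 'rehash' => $rehash];
}

// The question's scheme derives the salt from the password itself, so every user whose
// password starts with the same four characters gets the same salt.
function derived_salt(string $password): string
{
    return md5(substr($password, 0, 4));
}

$cost = calibrate_cost();
$h1 = make_hash('correct horse', $cost);
$h2 = make_hash('correct horse', $cost);
var_dump($h1 === $h2);                                 // two hashes of one password differ as strings
var_dump(check_hash('correct horse', $h1, $cost));
var_dump(check_hash('correct horse', $h1, $cost + 1)); // still valid, but flagged for rehash
var_dump(derived_salt('pass1234') === derived_salt('passw0rd'));
```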
