I am building a external application for which user login credentials will be taken from WordPress site database table 'users'
WordPress uses PHPass hashing , I am unable to validate username and password for my external application as the password in database table 'users' is hashed
I am trying to check plain password with hashed password using wp_check_password function but I am failing, nothing is written back with this code
<?php
$password = '965521425';
$hash = '$P$9jWFhEPMfI.KPByiNO9IyUzSTG7EZK0';
require_once('/home/nhtsoft/public_html/project/wp-includes/class-phpass.php');
function wp_check_password($password, $hash) {
global $wp_hasher;
if ( empty($wp_hasher) ) {
$wp_hasher = new PasswordHash(8, true);
}
$check = $wp_hasher->CheckPassword($password, $hash);
return apply_filters('check_password', $check, $password, $hash);
}
?>
this code is giving me an empty page.
How to check this password so that I can use these WordPress credentials for external app login?
you have passed wrong hash value , hash value for 965521425 is $P$BmI5G.LOoEx1iH.naNqVhWnSh5sMp31 and you just need to write below code into your file:
require_once($_SERVER['DOCUMENT_ROOT']."/wp-load.php");
$password = '965521425';
$hash = '$P$BmI5G.LOoEx1iH.naNqVhWnSh5sMp31';
var_dump(wp_check_password($password, $hash));
exit;
In your code, you include the wp library and it looks like you redefine a function named wp_check_password but you do not call any function at all. Add the following line before the closing php tag ("?>") and try again.
echo (wp_check_password($password, $hash) ? 'TRUE' : 'FALSE');
Keep an eye on the error logs in case you miss some dependencies.
i would simply do this <?php wp_check_password( $password, $hash, $user_id ) ?> Refer
$password_hashed = '$P$Bgf2Hpr5pOVOYAvQZUhUZeLIi/QuPr1';
$plain_password = '123456';
if ((wp_check_password($plain_password, $password_hashed)) == 1) {
echo "YES, Matched";
} else {
echo "No, Wrong Password";
}
Try this...
I work's fine for me
require_once( ABSPATH . WPINC . '/class-phpass.php');
$wp_hasher = new PasswordHash(8, TRUE);
$plain_password = trim($_POST['pass_current']); //user type password
$user = get_user_by('id', get_current_user_id());
$password_hashed = $user->user_pass;
if($wp_hasher->CheckPassword($plain_password, $password_hashed)) {
echo "YES, Matched";
}else{
echo "No, Wrong Password";
}
what Bhumi Shah wrote is correct you should add
require_once($_SERVER['DOCUMENT_ROOT']."/wp-load.php");
to your code .
but hashed value for any password(number or text) is not one solid thing , it could be many things that's why they can be compared only with wp_check_password
Related
I'm working on a custom system that works in parallell with my wordpress site, and the idea is that one can login to this system with the same credentials (username and password) as the ones they've made on my wordpress site.
So I already have a custom login-page for this system which, on submission, checks if the entered username and password exists in the wordpress database.
I've managed to do this, but it seems to generate a new string everytime it's run:
include_once( "../wp-config.php" );
include_once( "../wp-includes/class-phpass.php" );
$password = mysql_escape_string("password123");
$wp_hash = new PasswordHash( 8, TRUE );
echo $wp_hash->HashPassword( $password );
How can I do this?
$user = get_user_by( 'login', $username );
if ( $user && wp_check_password( $pass, $user->data->user_pass, $user->ID) )
echo "That's it";
else
echo "Nope";
you can see here
and if you define password's hash in your code;
require_once($_SERVER['DOCUMENT_ROOT']."/wp-load.php");
$password = '123456';
$hash = '$P$BpR40ssU1UobqMELuNlwzxVa4XgKNk1';
var_dump(wp_check_password($password, $hash));
note that be careful because you should define your password hash.
You can generate wordress pass hasher from here
This is my function to hash password on registration page.
function hashPassword($orgPassword){
srand(date("s"));
$chars = "abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$salt = "";
$num = strlen($chars);
for($i=0;$i<15;$i++){
$salt.= $chars[rand()%$num];
}
$hashedPassword = "\$SHA\$".$salt."\$".hash('sha256',hash('sha256',$orgPassword).$salt);
return $hashedPassword;
}
This is my php for login.
<?php
$username = $_POST['user_name'];
$password = $_POST['user_password'];
$salt = "";
$hashed = "\$SHA\$".$salt."\$".hash('sha256',hash('sha256',$password).$salt);
$con=mysqli_connect("127.0.0.1", "root", "mypassword", "testdb");
if (mysqli_connect_errno($con)){
echo "MySql Error: " . mysqli_connect_error();
}
$query=mysqli_query($con,"SELECT * FROM user WHERE user_name='$username' && user_password='$hashed'");
$count=mysqli_num_rows($query);
$row=mysqli_fetch_array($query);
if ($count==1){
echo "success";
}else {
echo "Invaild Username Password";
}
mysqli_close($con);
?>
But login.php always give me "Invaild Username Password".
Thank you reading If you want to know more detail please ask because I'm not very well to explain in English.
I'm Thai but I will try to explain as best as I can.
You have an empty $salt in your login. The strings arent equal.
Additionally, you'd be better off using crypt(). Get the stored password based on the users name and compare the stored hash that way.
Why don't you write $hashed=hashPassword($password) to hash the user input?
EDIT: Your function uses random numbers and will generate a different hashed code everytime. To fix this, you should probably use inbuilt hash functions like sha512(). You can find a list of such functions here.
I've made encrypting of the password in my register script and they are stored in the database, and I have to use them to login, so I would want to use the unencrypted ones to login. I've read some of the threads in here but nothing is helping me. How can I add it in my login.php? The salt is also stored in the database.
This is my register.php script for encrypting
$hash = hash('sha256', $password1);
function createSalt()
{
$text = md5(uniqid(rand(), TRUE));
return substr($text, 0, 3);
}
$salt = createSalt();
$password = hash('sha256', $salt . $hash);
and this is my login.php with season
//Create query
$qry="SELECT * FROM member WHERE username='$username' AND password='$password'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) > 0) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['id'];
$_SESSION['SESS_FIRST_NAME'] = $member['username'];
$_SESSION['SESS_LAST_NAME'] = $member['password'];
session_write_close();
header("location: profile.php");
exit();
}
else {
//Login failed
//error message
}
else {
die("Query failed");
}
These examples are from php.net. Thanks to you, I also just learned about the new php hashing functions.
Read the php documentation to find out about the possibilities and best practices:
http://www.php.net/manual/en/function.password-hash.php
Save a password hash:
$options = [
'cost' => 11,
];
// Get the password from post
$passwordFromPost = $_POST['password'];
$hash = password_hash($passwordFromPost, PASSWORD_BCRYPT, $options);
// Now insert it (with login or whatever) into your database, use mysqli or pdo!
Get the password hash:
// Get the password from the database and compare it to a variable (for example post)
$passwordFromPost = $_POST['password'];
$hashedPasswordFromDB = ...;
if (password_verify($passwordFromPost, $hashedPasswordFromDB)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
According to php.net the Salt option has been deprecated as of PHP 7.0.0, so you should use the salt that is generated by default and is far more simpler
Example for store the password:
$hashPassword = password_hash("password", PASSWORD_BCRYPT);
Example to verify the password:
$passwordCorrect = password_verify("password", $hashPassword);
array hash_algos(void)
echo hash('sha384', 'Message to be hashed'.'salt');
Here is a link to reference http://php.net/manual/en/function.hash.php
You couldn't login because you did't get proper solt text at login time.
There are two options, first is define static salt, second is if you want create dynamic salt than you have to store the salt somewhere (means in database) with associate with user.
Than you concatenate user solt+password_hash string now with this you fire query with username in your database table.
I think #Flo254 chained $salt to $password1and stored them to $hashed variable. $hashed variable goes inside INSERT query with $salt.
You can't do that because you can not know the salt at a precise time. Below, a code who works in theory (not tested for the syntaxe)
<?php
$password1 = $_POST['password'];
$salt = 'hello_1m_#_SaLT';
$hashed = hash('sha256', $password1 . $salt);
?>
When you insert :
$qry="INSERT INTO member VALUES('$username', '$hashed')";
And for retrieving user :
$qry="SELECT * FROM member WHERE username='$username' AND password='$hashed'";
I'm using a script that ircmaxell wrote called password_compat. I thought I followed his instructions correctly, but I cannot seem to get my password verified using password_verify($password, $hash).
The hashed password saved in my database is;
$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q
I'm using PDO to grab my hashed password and using password_verify($password, $hash) to compare what the login form is posting. It's my understanding that BRCYPT is not a hashing function so password_verify($password, $hash) will do it's magic. I have no idea how the salt is created, but I would think it creates a custom salt for every new password, but how it can compare it to my saved password baffles me. How does it match the correct salt with the password? This whole not saving the salt in my database kind of confuses me, lol. Here is the code I'm using;
bcrypt
if($login->verifyip($_SERVER['REMOTE_ADDR']))
{
require_once 'password.php'; //password_compat supplied file
$username = $_POST['username'];
$password = $_POST['password'];
$dbpassword = $login->GetPassword($username); // pull saved password from db
// verify posted password with saved password
if(password_verify($dbpassword, $password))
{
echo 'verified';
}
else
{
echo 'not verified';
}
}
PDO
public function GetPassword($username)
{
$passwordSQL = 'CALL get_password(:_user)'; // using stored procedure
try
{
$pdo = new PDO('my login stuff');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$password = $pdo->prepare($passwordSQL);
$password->bindParam(':_user',$username);
$password->execute();
$fetch = $password->fetchColumn(0);
$password->closeCursor();
return $fetch;
}
catch(PDOException $e)
{
return 'error' . $e->getMessage();
exit();
}
}
I removed $hash like blender suggested.
Thanks for having a look :)
password_verify's arguments are the other way around:
password_verify($password, $dbpassword)
As for how it works, the hash is of this form:
$<algorithm>$<cost>$<salt>/<hash>
So from the hash:
$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q
You can see that the cost is 10, the salt is zYpSzIj7kTPv3H7wDI and that bcrypt(salt + password) is uXSYqi1se46b38uumP6SM4XGMmsjU3q.
password_verify extracts that information from your supplied hash and just checks if bcrypt(salt + password) == hash.
I am trying to encrypt the given password to match one that is in a database. However using crypt() gives me a different result each time so it never matches. How can i make this work.
here is the statement that hashes the password given by the user.
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = crypt($_POST['password']);
prior to this i manually made a user that had the crypt('password') but if I enter 'password' into the field it doesn not match.
Try below:
if (isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
// get the hashed password from database
$hashed_password = get_from_db($username);
if (crypt($password, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
}
Try like this,
//$pass_entered_from_login is the user entered password
//$crypted_pass is the encrypted password from the
//database or file
if(crypt($pass_entered_from_login,$crypted_pass)) == $crypted_pass)
{
echo("Welcome to my web site.")
}
Read more
crypt auto generates the salt each time you use it ............
so use the same salt for the user
do this while registering the user to your database and while checking tooo.
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = crypt($_POST['password'],$_POST['username']);
}
NOTE: the 2nd parameter is the salt in crypt function .
hope it helps :)