<?php
require 'PasswordHash.php';

// Base-2 logarithm of the password-stretching iteration count handed to
// PasswordHash (8 means 2^8 = 256 iterations). This is the phpass example
// value and sits at the low end for current hardware.
$hash_cost_log2 = 8;

// Ask PasswordHash for hashes that are portable to older systems. Portable
// hashes are weaker, so this stays off unless an old interpreter demands it.
$hash_portable = false;

// Debug mode: fail() appends server-side error detail (e.g. pg_last_error()
// text) to the response. That detail describes the server setup, so this must
// be false on a production install.
$debug = true;
/**
 * Abort the request with a text/plain error line and stop the script.
 *
 * @param string $pub Message that is always shown to the client.
 * @param string $pvt Extra detail appended only while $debug is enabled; it
 *                    may contain server setup information, which is why it is
 *                    withheld otherwise. No HTML quoting is applied because
 *                    the response is text/plain, not HTML.
 */
function fail($pub, $pvt = '')
{
    global $debug;

    // The private part is only attached in debug mode and only when non-empty.
    $detail = ($debug && $pvt !== '') ? ": $pvt" : '';

    exit("An error occurred ({$pub}{$detail}).\n");
}
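/**
 * Read one string field from the POST body.
 *
 * @param string $var Field name in $_POST.
 * @return string|null The field value, or null when the field is missing or is
 *                     not a plain string (e.g. submitted as "user[]=x"), so the
 *                     caller's validation rejects it instead of operating on
 *                     an array.
 */
function get_post_var($var)
{
    // Reading an absent index directly would emit a notice; isset() covers
    // both "missing" and the array case below without noise.
    if (!isset($_POST[$var]) || !is_string($_POST[$var]))
        return null;

    $val = $_POST[$var];

    // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself
    // was removed in 8.0. The version guard short-circuits before the call, so
    // the (now undefined) function is never resolved on modern interpreters.
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc())
        $val = stripslashes($val);

    return $val;
}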
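/* Request handler. Expects a POST with:
 *   op      = 'new' | 'login' | 'change'
 *   user    = account name
 *   pass    = current password
 *   newpass = replacement password (op=change only)
 * Responds as text/plain with a one-line outcome, or aborts via fail(). */
header('Content-Type: text/plain');

$op = isset($_POST['op']) ? $_POST['op'] : '';
if ($op !== 'new' && $op !== 'login' && $op !== 'change')
    fail('Unknown request');

$user = get_post_var('user');
/* Sanity-check the username, don't rely on our use of prepared statements
 * alone to prevent attacks on the SQL server via malicious usernames. The
 * is_string() guard also covers a missing or array-valued field. */
if (!is_string($user) || !preg_match('/^[a-zA-Z0-9_]{1,60}$/', $user))
    fail('Invalid username');

$pass = get_post_var('pass');
if (!is_string($pass))
    fail('Missing password');
/* Don't let them spend more of our CPU time than we were willing to.
 * Besides, bcrypt happens to use the first 72 characters only anyway. */
if (strlen($pass) > 72)
    fail('The supplied password is too long');

// In a real application these credentials belong in a config file outside the
// web root, not in the script.
$conn_string = "host=localhost port=5432 dbname=mytestingdb user=mytestaccount password=mysecretpass";
$dbconn = pg_connect($conn_string);
// A connection that exists but is not OK must not proceed to the queries.
if ($dbconn === false || pg_connection_status($dbconn) !== PGSQL_CONNECTION_OK)
    fail('Could not connect to the database');

$hasher = new PasswordHash($hash_cost_log2, $hash_portable);

if ($op === 'new') {
    $hash = $hasher->HashPassword($pass);
    // PasswordHash signals failure with a short placeholder rather than a hash.
    if (strlen($hash) < 20)
        fail('Failed to hash new password');
    unset($hasher);

    pg_prepare($dbconn, 'my_query', 'INSERT INTO users VALUES($1, $2)')
        or fail('pg_prepare failed ', pg_last_error($dbconn));

    /* Run the INSERT through the send/get pair so that a failed statement still
     * yields a result resource. pg_execute() returns false on failure, which
     * leaves no way to read the SQLSTATE, and pg_last_error() is free text that
     * can never compare equal to a numeric error code. */
    pg_send_execute($dbconn, 'my_query', array($user, $hash))
        or fail('pg_execute failed ', pg_last_error($dbconn));
    $result = pg_get_result($dbconn);
    if ($result === false)
        fail('pg_execute failed ', pg_last_error($dbconn));
    if (pg_result_status($result) !== PGSQL_COMMAND_OK) {
        // SQLSTATE 23505 is PostgreSQL's unique_violation: the username's key
        // already exists.
        if (pg_result_error_field($result, PGSQL_DIAG_SQLSTATE) === '23505')
            fail('This username is already taken');
        fail('pg_execute failed ', pg_result_error($result));
    }
    $what = 'User created';
} else {
    $hash = '*'; // In case the user is not found: no valid hash starts with '*'

    pg_prepare($dbconn, 'quser', 'SELECT pass FROM users WHERE pk_users=$1')
        or fail('pg_prepare failed ', pg_last_error($dbconn));
    $hashx = pg_execute($dbconn, 'quser', array($user))
        or fail('pg_execute failed ', pg_last_error($dbconn));

    /* Only read the row when there is one: pg_fetch_result() on an empty result
     * emits a warning and returns false, which would have replaced the '*'
     * sentinel. A NULL stored value is likewise treated as "no valid hash". */
    if (pg_num_rows($hashx) > 0)
        $hash = pg_fetch_result($hashx, 0, 'pass');
    if (!is_string($hash))
        $hash = '*';

    if ($hasher->CheckPassword($pass, $hash)) {
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
        $op = 'fail'; // Definitely not 'change'
    }

    if ($op === 'change') {
        $newpass = get_post_var('newpass');
        if (!is_string($newpass))
            fail('Missing new password');
        if (strlen($newpass) > 72)
            fail('The new password is too long');
        $hash = $hasher->HashPassword($newpass);
        if (strlen($hash) < 20)
            fail('Failed to hash new password');
        unset($hasher);

        pg_prepare($dbconn, 'qupuser', 'UPDATE users SET pass=$1 WHERE pk_users=$2')
            or fail('pg_prepare failed.3 ', pg_last_error($dbconn));
        pg_execute($dbconn, 'qupuser', array($hash, $user))
            or fail('pg_execute failed.3 ', pg_last_error($dbconn));
        $what = 'Password changed';
    }
    unset($hasher);
}

pg_close($dbconn);

echo "$what\n";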