  1. <?php
  2.  
  3. require 'PasswordHash.php';
  4.  
  5. // Base-2 logarithm of the iteration count used for password stretching
  6. $hash_cost_log2 = 8;
  7. // Do we require the hashes to be portable to older systems (less secure)?
  8. $hash_portable = FALSE;
  9.  
  10. // Are we debugging this code?  If enabled, OK to leak server setup details.
  11. $debug = TRUE;
  12.  
  13. function fail($pub, $pvt = '')
  14. {
  15.     global $debug;
  16.     $msg = $pub;
  17.     if ($debug && $pvt !== '')
  18.         $msg .= ": $pvt";
  19. /* The $pvt debugging messages may contain characters that would need to be
  20.  * quoted if we were producing HTML output, like we would be in a real app,
  21.  * but we're using text/plain here.  Also, $debug is meant to be disabled on
  22.  * a "production install" to avoid leaking server setup details. */
  23.     exit("An error occurred ($msg).\n");
  24. }
  25.  
  26. function get_post_var($var)
  27. {
  28.     $val = $_POST[$var];
  29.     if (get_magic_quotes_gpc())
  30.         $val = stripslashes($val);
  31.     return $val;
  32. }
  33.  
  34. header('Content-Type: text/plain');
  35.  
  36. $op = $_POST['op'];
  37. if ($op !== 'new' && $op !== 'login' && $op !== 'change')
  38.     fail('Unknown request');
  39.  
  40. $user = get_post_var('user');
  41. /* Sanity-check the username, don't rely on our use of prepared statements
  42.  * alone to prevent attacks on the SQL server via malicious usernames. */
  43. if (!preg_match('/^[a-zA-Z0-9_]{1,60}$/', $user))
  44.     fail('Invalid username');
  45.  
  46. $pass = get_post_var('pass');
  47. /* Don't let them spend more of our CPU time than we were willing to.
  48.  * Besides, bcrypt happens to use the first 72 characters only anyway. */
  49. if (strlen($pass) > 72)
  50.     fail('The supplied password is too long');
  51.  
  52. $conn_string = "host=localhost port=5432 dbname=mytestingdb user=mytestaccount password=mysecretpass";// In a real application, should be in a config file instead
  53. $dbconn = pg_connect($conn_string) or die("Could not connect");
  54. $stat = pg_connection_status($dbconn);
  55. if ($stat === PGSQL_CONNECTION_OK) {
  56.     echo 'Connection status ok ';
  57. } else {
  58.     echo 'Connection status bad ';
  59. }
  60.  
  61. $hasher = new PasswordHash($hash_cost_log2, $hash_portable);
  62.  
  63. if ($op === 'new') {
  64.     $hash = $hasher->HashPassword($pass);
  65.     if (strlen($hash) < 20)
  66.         fail('Failed to hash new password');
  67.     unset($hasher);
  68.  
  69. // Prepare a query for execution
  70. $result = pg_prepare($dbconn, "my_query", 'INSERT INTO users VALUES($1, $2)') or fail('pg_prepare failed ',pg_last_error($dbconn));
  71.  
  72.     if (!pg_execute($dbconn, "my_query", array($user, $hash))) {
  73. /* Figure out why this failed - maybe the username is already taken?
  74.  * It could be more reliable/portable to issue a SELECT query here.  We would
  75.  * definitely need to do that (or at least include code to do it) if we were
  76.  * supporting multiple kinds of database backends, not just MySQL.  However,
  77.  * the prepared statements interface we're using is MySQL-specific anyway. */
  78.         if (pg_last_error($dbconn) === 1062 /* ER_DUP_ENTRY */)
  79.             fail('This username is already taken');
  80.         else
  81.             fail('pg_execute failed ',pg_last_error($dbconn));
  82.     }
  83.  
  84.     $what = 'User created';
  85. } else {
  86.     $hash = '*'; // In case the user is not found
  87.     pg_prepare($dbconn, "quser", 'SELECT pass FROM users WHERE pk_users=$1') or fail('pg_prepare failed ',pg_last_error($dbconn));
  88.     $hashx = pg_execute($dbconn, "quser", array($user)) or fail('pg_execute failed ',pg_last_error($dbconn));
  89.     $hash = pg_fetch_result($hashx, 0, 'pass');
  90.    
  91.     if (!$hash && pg_last_error($dbconn))
  92.         fail('pg_execute failed.2 ',pg_last_error($dbconn));
  93.  
  94.     if ($hasher->CheckPassword($pass, $hash)) {
  95.         $what = 'Authentication succeeded';
  96.     } else {
  97.         $what = 'Authentication failed';
  98.         $op = 'fail'; // Definitely not 'change'
  99.     }
  100.  
  101.     if ($op === 'change') {
  102.  
  103.         $newpass = get_post_var('newpass');
  104.         if (strlen($newpass) > 72)
  105.             fail('The new password is too long');
  106.         $hash = $hasher->HashPassword($newpass);
  107.         if (strlen($hash) < 20)
  108.             fail('Failed to hash new password');
  109.         unset($hasher);
  110.  
  111.         pg_prepare($dbconn, "qupuser", 'UPDATE users SET pass=$1 WHERE pk_users=$2') or fail('pg_prepare failed.3 ',pg_last_error($dbconn));
  112.         pg_execute($dbconn, "qupuser", array($hash,$user)) or fail('pg_execute failed.3 ',pg_last_error($dbconn));
  113.  
  114.         $what = 'Password changed';
  115.     }
  116.  
  117.     unset($hasher);
  118. }
  119.  
  120. pg_close($dbconn);
  121.  
  122. echo "$what\n";
  123.  
  124. ?>