Guest User

Untitled

a guest
Feb 15th, 2013
35
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2.  
  3. require 'PasswordHash.php';
  4.  
  5. // Base-2 logarithm of the iteration count used for password stretching
  6. $hash_cost_log2 = 8;
  7. // Do we require the hashes to be portable to older systems (less secure)?
  8. $hash_portable = FALSE;
  9.  
  10. // Are we debugging this code?  If enabled, OK to leak server setup details.
  11. $debug = TRUE;
  12.  
  13. function fail($pub, $pvt = '')
  14. {
  15.     global $debug;
  16.     $msg = $pub;
  17.     if ($debug && $pvt !== '')
  18.         $msg .= ": $pvt";
  19. /* The $pvt debugging messages may contain characters that would need to be
  20.  * quoted if we were producing HTML output, like we would be in a real app,
  21.  * but we're using text/plain here.  Also, $debug is meant to be disabled on
  22.  * a "production install" to avoid leaking server setup details. */
  23.     exit("An error occurred ($msg).\n");
  24. }
  25.  
  26. function get_post_var($var)
  27. {
  28.     $val = $_POST[$var];
  29.     if (get_magic_quotes_gpc())
  30.         $val = stripslashes($val);
  31.     return $val;
  32. }
  33.  
  34. header('Content-Type: text/plain');
  35.  
  36. $op = $_POST['op'];
  37. if ($op !== 'new' && $op !== 'login' && $op !== 'change')
  38.     fail('Unknown request');
  39.  
  40. $user = get_post_var('user');
  41. /* Sanity-check the username, don't rely on our use of prepared statements
  42.  * alone to prevent attacks on the SQL server via malicious usernames. */
  43. if (!preg_match('/^[a-zA-Z0-9_]{1,60}$/', $user))
  44.     fail('Invalid username');
  45.  
  46. $pass = get_post_var('pass');
  47. /* Don't let them spend more of our CPU time than we were willing to.
  48.  * Besides, bcrypt happens to use the first 72 characters only anyway. */
  49. if (strlen($pass) > 72)
  50.     fail('The supplied password is too long');
  51.  
  52. $conn_string = "host=localhost port=5432 dbname=mytestingdb user=mytestaccount password=mysecretpass";// In a real application, should be in a config file instead
  53. $dbconn = pg_connect($conn_string) or die("Could not connect");
  54. $stat = pg_connection_status($dbconn);
  55. if ($stat === PGSQL_CONNECTION_OK) {
  56.     echo 'Connection status ok ';
  57. } else {
  58.     echo 'Connection status bad ';
  59. }
  60.  
  61. $hasher = new PasswordHash($hash_cost_log2, $hash_portable);
  62.  
  63. if ($op === 'new') {
  64.     $hash = $hasher->HashPassword($pass);
  65.     if (strlen($hash) < 20)
  66.         fail('Failed to hash new password');
  67.     unset($hasher);
  68.  
  69. // Prepare a query for execution
  70. $result = pg_prepare($dbconn, "my_query", 'INSERT INTO users VALUES($1, $2)') or fail('pg_prepare failed ',pg_last_error($dbconn));
  71.  
  72.     if (!pg_execute($dbconn, "my_query", array($user, $hash))) {
  73. /* Figure out why this failed - maybe the username is already taken?
  74.  * It could be more reliable/portable to issue a SELECT query here.  We would
  75.  * definitely need to do that (or at least include code to do it) if we were
  76.  * supporting multiple kinds of database backends, not just MySQL.  However,
  77.  * the prepared statements interface we're using is MySQL-specific anyway. */
  78.         if (pg_last_error($dbconn) === 1062 /* ER_DUP_ENTRY */)
  79.             fail('This username is already taken');
  80.         else
  81.             fail('pg_execute failed ',pg_last_error($dbconn));
  82.     }
  83.  
  84.     $what = 'User created';
  85. } else {
  86.     $hash = '*'; // In case the user is not found
  87.     pg_prepare($dbconn, "quser", 'SELECT pass FROM users WHERE pk_users=$1') or fail('pg_prepare failed ',pg_last_error($dbconn));
  88.     $hashx = pg_execute($dbconn, "quser", array($user)) or fail('pg_execute failed ',pg_last_error($dbconn));
  89.     $hash = pg_fetch_result($hashx, 0, 'pass');
  90.    
  91.     if (!$hash && pg_last_error($dbconn))
  92.         fail('pg_execute failed.2 ',pg_last_error($dbconn));
  93.  
  94.     if ($hasher->CheckPassword($pass, $hash)) {
  95.         $what = 'Authentication succeeded';
  96.     } else {
  97.         $what = 'Authentication failed';
  98.         $op = 'fail'; // Definitely not 'change'
  99.     }
  100.  
  101.     if ($op === 'change') {
  102.  
  103.         $newpass = get_post_var('newpass');
  104.         if (strlen($newpass) > 72)
  105.             fail('The new password is too long');
  106.         $hash = $hasher->HashPassword($newpass);
  107.         if (strlen($hash) < 20)
  108.             fail('Failed to hash new password');
  109.         unset($hasher);
  110.  
  111.         pg_prepare($dbconn, "qupuser", 'UPDATE users SET pass=$1 WHERE pk_users=$2') or fail('pg_prepare failed.3 ',pg_last_error($dbconn));
  112.         pg_execute($dbconn, "qupuser", array($hash,$user)) or fail('pg_execute failed.3 ',pg_last_error($dbconn));
  113.  
  114.         $what = 'Password changed';
  115.     }
  116.  
  117.     unset($hasher);
  118. }
  119.  
  120. pg_close($dbconn);
  121.  
  122. echo "$what\n";
  123.  
  124. ?>
RAW Paste Data