Autor Zpráva
Baterie
Profil
#1 · Zasláno: 24. 3. 2013, 19:22:12 · Upravil/a: Moderátor (editace znemožněna) 24. 3. 2013, 22:34:38
Odpovědět Citovat
Ahoj lidi, Mám na Vás mega prosbu. Mám skript z www.hotscripts.com/listing/php-login-script-v3, který využívám na webu www.voxelcraft.cz/public/index.php. Hledal jsem už všude, ale moje znalosti v PHP nestačí na to, abych dokázal změnit zbůsob hashování hesel tohoto skriptu. Potřeboval bych změnit ten hash, který používá tento skript (SHA1+usersalt) na obyčejný MD5, nebo SHA1.
Prosím poraďte mi jak na to.. Zde máte stránku, na které se hashe generují(Alespon mysím) 
<?php
/**
 * Database.php
 * 
 * The Database class is meant to simplify the task of accessing
 * information from the website's database.
 *
 * Updated by: The Angry Frog
 * Last Updated: April 04, 2012
 */
include("constants.php");
      
class MySQLDB
{
   public $connection;         //The MySQL database connection
   public $num_active_users;   //Number of active users viewing site
   public $num_active_guests;  //Number of active guests viewing site
   public $num_members;        //Number of signed-up users
   /* Note: call getNumMembers() to access $num_members! */
   
 /* Class constructor */
   function MySQLDB(){
      /* Make connection to database */
       try {
           # MySQL with PDO_MYSQL
        $this->connection = new PDO('mysql:host='.DB_SERVER.';dbname='.DB_NAME, DB_USER, DB_PASS);
           $this->connection->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION ); 
       }
       catch(PDOException $e) {  
    echo "Error connecting to database.";   
    }  
            
    /**
       * Only query database to find out number of members
       * when getNumMembers() is called for the first time,
       * until then, default value set.
       */
      $this->num_members = -1;
      $config = $this->getConfigs();
      if($config['TRACK_VISITORS']){
         /* Calculate number of users at site */
         $this->calcNumActiveUsers();      
         /* Calculate number of guests at site */
         $this->calcNumActiveGuests();
      }
    } // MySQLDB function
   
  /**
    * Gather together the configs from the database configuration table.
    */ 
   function getConfigs(){
   $config = array();  
   $sql = $this->connection->query("SELECT * FROM ".TBL_CONFIGURATION);
   while($row = $sql->fetch()) {
             $config[$row['config_name']] = $row['config_value'];
         }
         return $config;
   }
   
  /**
    * Update Configs - updates the configuration table in the database
    * 
    */ 
   function updateConfigs($value,$configname){
   $query = "UPDATE ".TBL_CONFIGURATION." SET config_value = :value WHERE config_name = :configname";
   $stmt = $this->connection->prepare($query);
   return $stmt->execute(array(':value' => $value, ':configname' => $configname));
   }
   
  /**
    * confirmUserPass - Checks whether or not the given username is in the database, 
    * if so it checks if the given password is the same password in the database
    * for that user. If the user doesn't exist or if the passwords don't match up, 
    * it returns an error code (1 or 2). On success it returns 0.
    */
   function confirmUserPass($username, $password){
      /* Add slashes if necessary (for query) */
      if(!get_magic_quotes_gpc()) {
          $username = addslashes($username);
      }

    /* Verify that user is in database */
      $query = "SELECT password, userlevel, usersalt FROM ".TBL_USERS." WHERE username = :username";
      $stmt = $this->connection->prepare($query);
      $stmt->execute(array(':username' => $username));
      $count = $stmt->rowCount();
    
    if(!$stmt || $count < 1){
        return 1; //Indicates username failure
      }

    /* Retrieve password and userlevel from result, strip slashes */
      $dbarray = $stmt->fetch();
       
    $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
      $dbarray['usersalt'] = stripslashes($dbarray['usersalt']);
      $password = stripslashes($password);
      
    $sqlpass = sha1($dbarray['usersalt'].$password);

    /* Validate that password matches and check if userlevel is equal to 1 */
      if(($dbarray['password'] == $sqlpass)&&($dbarray['userlevel'] == 1)){
        return 3; //Indicates account has not been activated
      }
      
    /* Validate that password matches and check if userlevel is equal to 2 */
      if(($dbarray['password'] == $sqlpass)&&($dbarray['userlevel'] == 2)){
        return 4; //Indicates admin has not activated account
      }

    /* Validate that password is correct */
      if($dbarray['password'] == $sqlpass){
      return 0; //Success! Username and password confirmed
      }
      else{
         return 2; //Indicates password failure
      }
   }
   
 /**
    * confirmUserID - Checks whether or not the given username is in the database, 
    * if so it checks if the given userid is the same userid in the database
    * for that user. If the user doesn't exist or if the userids don't match up, 
    * it returns an error code (1 or 2). On success it returns 0.
    */
   function confirmUserID($username, $userid){
      /* Add slashes if necessary (for query) */
      if(!get_magic_quotes_gpc()) {
          $username = addslashes($username);
      }

    /* Verify that user is in database */
    $query = "SELECT userid FROM ".TBL_USERS." WHERE username = :username";
    $stmt = $this->connection->prepare($query);
    $stmt->execute(array(':username' => $username));
    $count = $stmt->rowCount();
      
    if(!$stmt || $count < 1){
         return 1; //Indicates username failure
      }
      
    $dbarray = $stmt->fetch(); 

    /* Retrieve userid from result, strip slashes */
      $dbarray['userid'] = stripslashes($dbarray['userid']);
      $userid = stripslashes($userid);

    /* Validate that userid is correct */
      if($userid == $dbarray['userid']){
         return 0; //Success! Username and userid confirmed
      }
      else{
         return 2; //Indicates userid invalid
      }
   }
   
 /**
    * usernameTaken - Returns true if the username has been taken by another user, false otherwise.
    */
   function usernameTaken($username){
         if(!get_magic_quotes_gpc()){ $username = addslashes($username); }
      $query = "SELECT username FROM ".TBL_USERS." WHERE username = :username";
      $stmt = $this->connection->prepare($query);
      $stmt->execute(array(':username' => $username));
      $count = $stmt->rowCount();    
      return ($count > 0);
   }
   
 /**
    * usernameBanned - Returns true if the username has been banned by the administrator.
    */
   function usernameBanned($username){
      if(!get_magic_quotes_gpc()){ $username = addslashes($username); }
      $query = "SELECT username FROM ".TBL_BANNED_USERS." WHERE username = :username";
      $stmt = $this->connection->prepare($query);
      $stmt->execute(array(':username' => $username));
      $count = $stmt->rowCount();    
      return ($count > 0);
   }
   
 /**
    * addNewUser - Inserts the given (username, password, email) info into the database. 
    * Appropriate user level is set. Returns true on success, false otherwise.
    */
   function addNewUser($username, $password, $email, $token, $usersalt){
      $time = time();
      $config = $this->getConfigs();
      /* If admin sign up, give admin user level */
      if(strcasecmp($username, ADMIN_NAME) == 0){
         $ulevel = ADMIN_LEVEL;
      /* Which validation is on? */
      }else if ($config['ACCOUNT_ACTIVATION'] == 1) {
           $ulevel = REGUSER_LEVEL; /* No activation required */
      }else if ($config['ACCOUNT_ACTIVATION'] == 2) {
         $ulevel = ACT_EMAIL; /* Activation e-mail will be sent */
      }else if ($config['ACCOUNT_ACTIVATION'] == 3) {
         $ulevel = ADMIN_ACT; /* Admin will activate account */   
         }

   $password = sha1($usersalt.$password);
     $userip = $_SERVER['REMOTE_ADDR'];
      
   $query = "INSERT INTO ".TBL_USERS." SET username = :username, password = :password, usersalt = :usersalt, userid = 0, userlevel = $ulevel, email = :email, timestamp = $time, actkey = :token, ip = '$userip', regdate = $time";
     $stmt = $this->connection->prepare($query);
     return $stmt->execute(array(':username' => $username, ':password' => $password, ':usersalt' => $usersalt, ':email' => $email, ':token' => $token));
   }
   
 /**
    * updateUserField - Updates a field, specified by the field
    * parameter, in the user's row of the database.
    */
   function updateUserField($username, $field, $value){
   $query = "UPDATE ".TBL_USERS." SET ".$field." = :value WHERE username = :username";
   $stmt = $this->connection->prepare($query);
   return $stmt->execute(array(':username' => $username, ':value' => $value));
   }
Alphard
Profil
#2 · Zasláno: 24. 3. 2013, 19:59:52 · Upravil/a: Alphard 24. 3. 2013, 22:35:28
Odpovědět Citovat
Zbytek kódu z Baterie [#1]: 

 /**
    * getUserInfo - Returns the result array from a mysql
    * query asking for all information stored regarding
    * the given username. If query fails, NULL is returned.
    */
    function getUserInfo($username){
    $query = "SELECT * FROM ".TBL_USERS." WHERE username = :username";
    $stmt = $this->connection->prepare($query);
    $stmt->execute(array(':username' => $username));
    $dbarray = $stmt->fetch();  
      /* Error occurred, return given name by default */
    $result = count($dbarray);
      if(!$dbarray || $result < 1){
         return NULL;
      }
      /* Return result array */
      return $dbarray;
   }
   
 /**
    * checkUserEmailMatch - Checks whether username
    * and email match in forget password form.
    */
   function checkUserEmailMatch($username, $email){
       
  $query = "SELECT username FROM ".TBL_USERS." WHERE username = :username AND email = :email";
    $stmt = $this->connection->prepare($query);
    $stmt->execute(array(':username' => $username, ':email' => $email));
    $number_of_rows = $stmt->rowCount();
        
    if(!$stmt || $number_of_rows < 1){
         return 0;
      } else  { 
 return 1; 
 } 
 }
Z té části, která se sem vešla, nestačí upravit 
$password = sha1($usersalt.$password);
a 
$sqlpass = sha1($dbarray['usersalt'].$password);
(píši na první rychlý pohled)?
Baterie
Profil
#3 · Zasláno: 24. 3. 2013, 20:39:28 · Upravil/a: Baterie
Odpovědět Citovat
No to vím, proto potřebuju pomoct


aha jo takhle


:D no zkusim to


nefunguje to...
Změnil jsem to na: 
 $password = sha1($password);
 $sqlpass = md5($password);

Při registraci není žádná změna a při loginu mi skript odepíše, že jsem zadal špatné údaje.
Virtus
Profil
#4 · Zasláno: 24. 3. 2013, 21:50:17 · Upravil/a: Virtus o 15 minut později
Odpovědět Citovat
ještě upravte tohle: 
$query = "INSERT INTO ".TBL_USERS." SET username = :username, password = :password, usersalt = :usersalt, userid = 0, userlevel = $ulevel, email = :email, timestamp = $time, actkey = :token, ip = '$userip', regdate = $time";
$stmt = $this->connection->prepare($query);
return $stmt->execute(array(':username' => $username, ':password' => $password, ':usersalt' => $usersalt, ':email' => $email, ':token' => $token));
na tohle: 
$query = "INSERT INTO ".TBL_USERS." SET username = :username, password = :password, usersalt = :usersalt, userid = 0, userlevel = $ulevel, email = :email, timestamp = $time, actkey = :token, ip = '$userip', regdate = $time";
$stmt = $this->connection->prepare($query);
return $stmt->execute(array(':username' => $username, ':password' => $password, ':usersalt' => '', ':email' => $email, ':token' => $token));

Pro nově vytvořené uživatele by to mělo fungovat už bez saltu a to i v případě, že zbytek kódu zůstatne nezměněn
Edit: tak ponechte úpravy z [#3], minimálně tu proměnnou $password, bez té by to nefungovalo
Časová prodleva: 13 let

Vaše odpověď

Mohlo by se hodit


Prosím používejte diakritiku a interpunkci.

Ochrana proti spamu. Napište prosím číslo dvě-sta čtyřicet-sedm:

0