Important: these examples send passwords in clear text. Do not send any passwords that you use for anything else!
You need to copy the file /var/www/html/wordpress/wp-includes/class-phpass.php into your current directory. To do this:
cd public_html/
(and so on, as you would do when checking for php errors), then
cp /var/www/html/wordpress/wp-includes/class-phpass.php .
(note the dot at the end!)
ls
to see the file list; you should see class-phpass.php in that list.
Note that require_once does not work for absolute paths. You can instead use a relative path from your working directory (one that involves lots of ..), and then you don't need to copy the file.
The user fills in a form on a web page; the program checks the password against the one stored in the database and, if it is incorrect, re-displays the form.
Note that, although the code could distinguish between a wrong user name and a wrong password, the form displays the same message in both cases. This is often done for security reasons, so that the form does not reveal which user names exist.
<?php
// -------------- define functions -----------------
function isvalid($user, $password, $connection) {
    // checking if the user's login name is in DB
    // and if it is, checking if the hashed password in DB
    // matches the hash of the given password

    // get rid of extra spaces in user name
    $user = trim($user);
    // escape the name before putting it into the query, so that quotes or
    // other special characters typed into the form cannot change the query
    $user = mysql_real_escape_string($user, $connection);
    // get the user's hashed password from the database
    $password_q = "SELECT user_pass FROM wp_users WHERE user_login = '$user'";
    if (! ($result = @mysql_query($password_q, $connection))) {
        showerror();
    }
    // if the result is empty then the user's name is not in the
    // database, i.e. is invalid
    if (!($row = @mysql_fetch_assoc($result))) {
        //print "<p>Invalid password</p>";
        return false;
    }
    // if we got here, the user name is valid, and we get
    // the hashed password
    $pass_hash = $row['user_pass'];
    // PASSWORD-CHECKING MAGIC BELOW:
    // include the file that checks the password
    require_once("class-phpass.php");
    // create an object for checking the password; the two arguments only
    // matter when creating new hashes, since a stored hash carries its own
    // salt and iteration count
    $wp_hasher = new PasswordHash(8, TRUE);
    // call the function to check the password
    // note the ->: this is an object-oriented approach
    $check = $wp_hasher->CheckPassword($password, $pass_hash);
    // true if the password checks out, false otherwise
    return $check;
}

function print_login_form() {
    $form_string = "
<form id=\"theform\" method=\"post\" action=\"passwords_salt.php\">
<table border=\"0\">
<tr>
<td>Enter your user name:</td>
<td>
<input type=\"text\" name=\"user\" />
</td>
</tr>
<tr>
<td>Enter your password:</td>
<td>
<input type=\"password\" name=\"password\" />
</td>
</tr>
<tr>
<td>
<input type=\"submit\" name=\"submit\" value=\"submit\" />
</td>
</tr>
</table>
</form>
";
    print $form_string;
}

function showerror() {
    die("Error " . mysql_errno() . " : " . mysql_error());
}
// ---------------- end of functions -----------------

// getting the form data (null if the form has not been submitted yet)
$user = isset($_POST['user']) ? $_POST['user'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;
?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
PHP functions
Author: Elena Machkasova
Last modified: 4/29/09
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>
Checking user's login name and password
</title>
</head>
<body>
<?php
// open DB connection
// connect to the server
if (! ($connection = @mysql_connect("localhost", "1101readonly", "spring1101read"))) {
    die("connection to the database failed");
}
// select a database
if (!@mysql_select_db("wordpress", $connection)) showerror();
if (isset($user)) {
    if (isvalid($user, $password, $connection)) {
        // escape the name before echoing it back into the page
        print "Welcome, " . htmlspecialchars($user) . "!<br/>\n";
    } else {
        // if the password is incorrect or no such user,
        // print an error message and display the form
        print "<p>No such user or password invalid, please try again</p>";
        print_login_form();
    }
} else {
    // print the login form the first time
    print_login_form();
}
// close DB connection
@mysql_close($connection);
?>
</body>
</html>
http://csci1101sp10.morris.umn.edu/~elenam/1101_spring10/passwords/passwords_salt.php
Here the server sends a 401 response that makes the browser show a password pop-up before the page is loaded. The password the browser sends back is then checked exactly the same way as in the previous example.
<?php
// -------------- define functions -----------------
function isvalid($user, $password, $connection) {
    // checking if the user's login name is in DB
    // and if it is, checking if the hashed password in DB
    // matches the hash of the given password

    // get rid of extra spaces in user name
    $user = trim($user);
    // escape the name before putting it into the query, so that quotes or
    // other special characters in the input cannot change the query
    $user = mysql_real_escape_string($user, $connection);
    // get the user's hashed password from the database
    $password_q = "SELECT user_pass FROM wp_users WHERE user_login = '$user'";
    if (! ($result = @mysql_query($password_q, $connection))) {
        showerror();
    }
    // if the result is empty then the user's name is not in the
    // database, i.e. is invalid
    if (!($row = @mysql_fetch_assoc($result))) {
        //print "<p>Invalid password</p>";
        return false;
    }
    // if we got here, the user name is valid, and we get
    // the hashed password
    $pass_hash = $row['user_pass'];
    // PASSWORD-CHECKING MAGIC BELOW:
    // include the file that checks the password
    require_once("class-phpass.php");
    // create an object for checking the password; the two arguments only
    // matter when creating new hashes, since a stored hash carries its own
    // salt and iteration count
    $wp_hasher = new PasswordHash(8, TRUE);
    // call the function to check the password
    // note the ->: this is an object-oriented approach
    $check = $wp_hasher->CheckPassword($password, $pass_hash);
    // true if the password checks out, false otherwise
    return $check;
}

function showerror() {
    die("Error " . mysql_errno() . " : " . mysql_error());
}

function send_headers() {
    // ask the browser for Basic authentication credentials: the browser
    // shows the password pop-up and then resends the request with them
    header("WWW-Authenticate: Basic realm=\"1101 Blog\"");
    header("HTTP/1.1 401 Unauthorized");
}
// ---------------- end of functions -----------------

// get the user's name, password (if any); PHP fills these in from the
// Authorization header once the browser has sent credentials
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
$message = "You are not authorized to access this page";
if (!isset($user)) {
    // need to authenticate
    send_headers();
} else {
    // open connection to check the password
    if (! ($connection = @mysql_connect("localhost", "1101readonly", "spring1101read"))) {
        die("connection to the database failed");
    }
    // select a database
    if (!@mysql_select_db("wordpress", $connection)) showerror();
    if (isvalid($user, $password, $connection)) {
        // if the user, password are in the database
        // (escape the name before echoing it back into the page)
        $message = "Welcome, " . htmlspecialchars($user) . "!<br/>\n";
    } else {
        // invalid password or no such user: ask again
        send_headers();
    }
    // close DB connection
    @mysql_close($connection);
}
?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
Checking if the user's login name and password are in the database
Author: Elena Machkasova elenam@morris.umn.edu
Last modified: 4/30/09
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>
Checking user's login name and password
</title>
</head>
<body>
<?php
// will display the message if the user is successfully logged in or if
// clicked "Cancel"
print $message;
?>
</body>
</html>
http://csci1101sp10.morris.umn.edu/~elenam/1101_spring10/passwords/server_password.php
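As an added example (not part of the course page, of WordPress or of phpass itself), the Python below shows what the "password-checking magic" of CheckPassword actually does for WordPress's portable $P$ hashes, and reproduces the decision logic of server_password.php for the HTTP Basic challenge, including the malformed-header cases the PHP leaves to the web server. The lookup_hash callback is an assumed stand-in for the wp_users query; the hash used in the test is the vector from phpass's own test.php (password test12345).

```python
import base64
import hashlib
import hmac

# phpass "portable" hash alphabet; the 4th character of a hash encodes log2(rounds)
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(raw):
    """phpass's own base64 variant: little-endian, 6 bits at a time, no padding."""
    out = ''
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        value = int.from_bytes(chunk, 'little')
        for k in range(len(chunk) + 1):          # 16 digest bytes -> 22 characters
            out += ITOA64[(value >> (6 * k)) & 0x3f]
    return out


def phpass_check(password, stored):
    """True iff password matches a WordPress $P$/$H$ hash (what CheckPassword does)."""
    if len(stored) != 34 or stored[:3] not in ('$P$', '$H$'):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:                # phpass refuses other round counts
        return False
    pw = password.encode()
    digest = hashlib.md5(stored[4:12].encode() + pw).digest()   # md5(salt . password)
    for _ in range(1 << count_log2):             # '9' -> 2^11 = 2048 further rounds
        digest = hashlib.md5(digest + pw).digest()
    computed = stored[:12] + _encode64(digest)
    return hmac.compare_digest(computed.encode(), stored.encode())


def basic_auth_response(auth_header, lookup_hash):
    """Mirror server_password.php: 401 challenge unless the Basic credentials verify."""
    challenge = (401, 'Basic realm="1101 Blog"', 'You are not authorized to access this page')
    if not auth_header or not auth_header.startswith('Basic '):
        return challenge                         # no credentials yet: browser shows the pop-up
    try:                                         # Basic auth is only base64, not encryption
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(':')
    except (ValueError, UnicodeDecodeError):
        return challenge
    stored = lookup_hash(user.strip())           # assumed stand-in for the wp_users query
    if stored is None or not phpass_check(password, stored):
        return challenge                         # same reply for bad user and bad password
    return (200, None, 'Welcome, %s!' % user)
```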