Remove salt restriction


      This is very simple, though only possible with PHP 7.0, I believe.

      If you want to do cross-login or same-user auth between forum and game, you have 2 options: remove the salt restriction, or do a cronjob to insert new users with a password identical to 2moons.

      A cronjob would be like this, for example, for Flarum (note: I made this just now, it's very simple; you may want to optimize query speed with inner joins or not in SQL).

      PHP Source Code

      // Runs from a cronjob: copy every 2moons user that does not yet exist in the
      // Flarum users table. The password column is copied as-is, so both sides must
      // store the same hash format (password_hash() output) for the login to work.
      function CreateAccount()
      {
          $DB = Database::get()->select('SELECT id, username, email, password FROM %%USERS%%', array());
          foreach ($DB as $Vars)
          {
              // Does the forum already know this username?
              $AccountExistance = Database::get()->selectSingle("SELECT COUNT(*) as count FROM forum_users WHERE username = :username", array(
                  ':username' => $Vars['username']
              ), 'count');
              if ($AccountExistance == 0)
              {
                  #### Validate account in database
                  $params = array(
                      ':username' => $Vars['username'],
                      ':email'    => $Vars['email'],
                      ':password' => $Vars['password'],
                      ':active'   => 1,
                  );
                  $sql = 'INSERT INTO forum_users SET username = :username, email = :email, password = :password, is_activated = :active;';
                  Database::get()->insert($sql, $params);
              } else {
                  // No account is created because it already exists
              }
          }
      }

      That would be a workaround for Flarum since it does not use the salt restriction, but for other scripts that use Blowfish you have to do the following:

      PHP Source Code: includes/classes/PlayerUtil.class.php

      // Original
      /*
      static public function cryptPassword($password)
      {
          $salt = NULL;
          // @see: http://www.phpgangsta.de/schoener-hashen-mit-bcrypt
          require 'includes/config.php';   // defines the one fixed $salt shared by every account
          if(!CRYPT_BLOWFISH || is_null($salt)) {
              return md5($password);
          } else {
              return crypt($password, '$2a$09$'.$salt.'$');
          }
      }
      */
      // Replace with: password_hash() generates a random per-password salt and
      // stores it inside the returned hash string, so no salt from config.php is needed
      static public function cryptPassword($password)
      {
          return password_hash($password, PASSWORD_DEFAULT);
      }

      It's not finished yet. Some pages are still using the old salt system, which means that even if you enter the correct password, it won't have any effect. For this, go to the following files.

      PHP Source Code: includes/pages/login/ShowLoginPage.class.php

      // Original
      // $hashedPassword = PlayerUtil::cryptPassword($password);
      // Replace with (password_verify() returns true/false instead of a hash string,
      // so the comparison that follows in this file now tests that bool)
      $hashedPassword = password_verify($password, $loginData['password']);

      PHP Source Code: includes/pages/adm/ShowLoginPage.php

      // Original
      // $password = PlayerUtil::cryptPassword($_REQUEST['admin_pw']);
      // Replace with (again a bool, not a hash string)
      $password = password_verify($_REQUEST['admin_pw'], $USER['password']);

      PHP Source Code: includes/pages/game/ShowSettingsPage.class.php

      // Original
      /*
      if (!empty($newpassword) && PlayerUtil::cryptPassword($password) == $USER["password"] && $newpassword == $newpassword2)
      {
          $newpass = PlayerUtil::cryptPassword($newpassword);
          $sql = "UPDATE %%USERS%% SET password = :newpass WHERE id = :userID;";
          $db->update($sql, array(
              ':newpass' => $newpass,
              ':userID' => $USER['id']
          ));
          Session::load()->delete();
      }
      if (!empty($email) && $email != $USER['email'])
      {
          if(PlayerUtil::cryptPassword($password) != $USER['password'])
          {
              $this->printMessage($LNG['op_need_pass_mail'], array(array(
                  'label' => $LNG['sys_back'],
                  'url' => 'game.php?page=settings'
              )));
          }
      */
      [.....]
      // Replace with
      $password = password_verify($password, $USER["password"]); // Define password: now a bool, true only if the current password matches
      // Note: $password holds true/false here, not a hash, so it is tested directly
      // rather than compared against the stored hash string.
      if (!empty($newpassword) && $password && $newpassword == $newpassword2)
      {
          $newpass = PlayerUtil::cryptPassword($newpassword); // the new password_hash() version
          $sql = "UPDATE %%USERS%% SET password = :newpass WHERE id = :userID;";
          $db->update($sql, array(
              ':newpass' => $newpass,
              ':userID' => $USER['id']
          ));
          Session::load()->delete();
      }
      if (!empty($email) && $email != $USER['email'])
      {
          if(!$password)
          {
              $this->printMessage($LNG['op_need_pass_mail'], array(array(
                  'label' => $LNG['sys_back'],
                  'url' => 'game.php?page=settings'
              )));
          }
      [...]
      And voilà, it's done.

      You can read more here: php.net/manual/en/function.password-hash.php and php.net/manual/en/password.constants.php
      "If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation."

      "Warning: The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default."
      The good thing about this is, every time you update the PHP version and better encryption systems are used, your game will use them too. When PHP in the future changes the PASSWORD_DEFAULT constant from PASSWORD_BCRYPT (what we use) to another, I'll do a tutorial on how to patch. (You can imagine it already, looking at includes/pages/login/ShowLoginPage.class.php when a user fails the password, or using the database from ver 1.7 where you have "if($loginData['password'] == md5($password))".)

      Again, the reason for using this is if you want to sync your game with other projects like forums, etc.

      The post was edited 9 times, last by Qwa: removed many source code tags from post.
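As an added example (not code from the post or from 2moons), this is the pattern the login check above is heading towards: verify against whichever hash format the row currently holds, and rehash legacy md5 or fixed-salt crypt() values with password_hash() on a successful login. The $legacySalt parameter is a hypothetical stand-in for the $salt from includes/config.php, and the rows are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the post or the 2moons code base. Hash formats follow the
// post: password_hash() output, plain md5 (2moons 1.7) and crypt() with the fixed
// '$2a$09$' salt. $legacySalt is a hypothetical stand-in for $salt in includes/config.php.
function verifyAndUpgrade(string $password, string $stored, ?string $legacySalt = null): array
{
    $ok = false;
    if (!empty(password_get_info($stored)['algo'])) {
        // Hash written by password_hash(): salt and cost are embedded in the string.
        $ok = password_verify($password, $stored);
    } elseif (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy unsalted md5; constant-time comparison instead of ==.
        $ok = hash_equals($stored, md5($password));
    } elseif ($legacySalt !== null && strncmp($stored, '$2a$09$', 7) === 0) {
        // Legacy fixed-salt blowfish produced by the old cryptPassword().
        $ok = hash_equals($stored, crypt($password, '$2a$09$' . $legacySalt . '$'));
    }
    if (!$ok) {
        return ['ok' => false, 'newHash' => null];
    }
    // Legacy rows, and bcrypt rows with an outdated cost, get a fresh PASSWORD_DEFAULT
    // hash that the caller writes back to the users table.
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// How ShowLoginPage / ShowSettingsPage would use it (constructed row, not real data):
$row = ['id' => 1, 'password' => md5('correct horse battery')]; // a 2moons 1.7 style row
$result = verifyAndUpgrade('correct horse battery', $row['password']);
if ($result['ok'] && $result['newHash'] !== null) {
    // $db->update("UPDATE %%USERS%% SET password = :newpass WHERE id = :userID;", ...);
    $row['password'] = $result['newHash'];
}
// The next login hits the password_verify() branch and needs no rehash.
$again = verifyAndUpgrade('correct horse battery', $row['password']);
// A wrong password fails regardless of which format the row holds.
$wrong = verifyAndUpgrade('wrong password', $row['password']);
```

The point to take from it for the settings page above is that the result of password_verify() is used as a condition, never compared against the stored hash string.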