This is very simple, though only possible with PHP 7.0, I believe.
If you want to do cross-login or same-user auth between forum and game, you have 2 options: remove the salt restriction, or run a cronjob that inserts each new user with a password identical to the one in 2moons.
A cronjob would look like this, for example, for Flarum (note: I made this just now, it's very simple; you may want to optimize query speed with inner joins or not in SQL):
PHP Source Code
```php
function CreateAccount()
{
    // Fetch every game account; the password column holds the stored hash, not the plaintext
    $DB = Database::get()->select('SELECT id, username, email, password FROM %%USERS%%', array());

    foreach ($DB as $Vars)
    {
        // Check whether a forum account with this username already exists
        $AccountExistance = Database::get()->selectSingle("SELECT COUNT(*) as count FROM forum_users WHERE username = :username", array(
            ':username' => $Vars['username']
        ), 'count');

        if ($AccountExistance == 0)
        {
            // Create the forum account, copying the game's password hash as-is
            $params = array(
                ':username' => $Vars['username'],
                ':email'    => $Vars['email'],
                ':password' => $Vars['password'],
                ':active'   => 1,
            );
            $sql = 'INSERT INTO forum_users SET username = :username, email = :email, password = :password, is_activated = :active;';
            Database::get()->insert($sql, $params);
        } else {
            // No account is created because it already exists
        }
    }
}
```
That would be a workaround for Flarum, since it does not use the salt restriction, but for other scripts that use Blowfish you have to do the following:
PHP Source Code: includes/classes/PlayerUtil.class.php
```php
// Original
/*
static public function cryptPassword($password)
{
    $salt = NULL;
    // @see: http://www.phpgangsta.de/schoener-hashen-mit-bcrypt
    require 'includes/config.php';
    if(!CRYPT_BLOWFISH || is_null($salt)) {
        return md5($password);
    } else {
        return crypt($password, '$2a$09$'.$salt.'$');
    }
}
*/
// Replace with
static public function cryptPassword($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}
```
It's not finished yet. Some pages are still using the old salt system, which means that even if you enter the correct password, it won't have any effect. To fix this, go to the following files.
PHP Source Code: includes/pages/game/ShowSettingsPage.class.php
```php
// Original
/*
if (!empty($newpassword) && PlayerUtil::cryptPassword($password) == $USER["password"] && $newpassword == $newpassword2)
{
    $newpass = PlayerUtil::cryptPassword($newpassword);
    $sql = "UPDATE %%USERS%% SET password = :newpass WHERE id = :userID;";
    $db->update($sql, array(
        ':newpass' => $newpass,
        ':userID'  => $USER['id']
    ));
    Session::load()->delete();
}
if (!empty($email) && $email != $USER['email'])
{
    if(PlayerUtil::cryptPassword($password) != $USER['password'])
    {
        $this->printMessage($LNG['op_need_pass_mail'], array(array(
            'label' => $LNG['sys_back'],
            'url'   => 'game.php?page=settings'
        )));
    }
*/
// [.....]
// Replace with
// password_verify() returns true or false. Keep that boolean and test it directly:
// comparing it with the stored hash using == only works by type juggling, and
// false == "" is true, so an empty stored hash would accept any password.
$passwordOk = password_verify($password, $USER["password"]);
if (!empty($newpassword) && $passwordOk && $newpassword == $newpassword2)
{
    $newpass = PlayerUtil::cryptPassword($newpassword);
    $sql = "UPDATE %%USERS%% SET password = :newpass WHERE id = :userID;";
    $db->update($sql, array(
        ':newpass' => $newpass,
        ':userID'  => $USER['id']
    ));
    Session::load()->delete();
}
if (!empty($email) && $email != $USER['email'])
{
    if (!$passwordOk)
    {
        $this->printMessage($LNG['op_need_pass_mail'], array(array(
            'label' => $LNG['sys_back'],
            'url'   => 'game.php?page=settings'
        )));
    }
// [...]
```
You can read more here: php.net/manual/en/function.password-hash.php and php.net/manual/en/password.constants.php
The good thing about this is that every time you update your PHP version and better encryption systems are used, your game will use them too. When PHP in the future changes the PASSWORD_DEFAULT constant from PASSWORD_BCRYPT (what we use) to another, I'll do a tutorial on how to patch (you can already imagine it by looking at includes/pages/login/ShowLoginPage.class.php when the user fails the password, or when using a database from ver 1.7, where you have "if($loginData['password'] == md5($password))").
If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
Warning: The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.
Again, the reason for using this is if you want to sync your game with other projects like forums, etc.
The post was edited 9 times, last by Qwa: removed many source code tags from post.
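The login-side migration the post alludes to (md5 rows from a ver 1.7 database, old `$2a$09$` crypt() hashes, and PASSWORD_DEFAULT changing later), as an added example that is not part of the original post or of 2Moons. `verifyAndUpgrade()` and the sample rows are hypothetical, and the caller is assumed to write `newHash` back to the users table when it is not null.

```php
<?php
// Added example, not 2Moons code. Function and variable names are hypothetical.

/**
 * Check a login attempt against a stored hash of any generation and report
 * whether the stored value should be replaced with a fresh password_hash().
 *
 * @return array{ok: bool, newHash: ?string}
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    $isLegacyMd5 = (bool) preg_match('/^[a-f0-9]{32}$/i', $storedHash);

    if ($storedHash === '') {
        // An empty password column must never authenticate anyone.
        $ok = false;
    } elseif ($isLegacyMd5) {
        // Unsalted md5 rows from old databases; compare in constant time.
        $ok = hash_equals(strtolower($storedHash), md5($password));
    } else {
        // Covers password_hash() output and old crypt() '$2a$09$...' hashes,
        // because salt and cost are stored inside the hash string itself.
        $ok = password_verify($password, $storedHash);
    }

    $newHash = null;
    if ($ok && ($isLegacyMd5 || password_needs_rehash($storedHash, PASSWORD_DEFAULT))) {
        // Upgrade while the plaintext is available: legacy md5, a lower cost,
        // or an algorithm that is no longer PASSWORD_DEFAULT.
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    }

    return ['ok' => $ok, 'newHash' => $newHash];
}

// Constructed sample rows: one md5 row and one low-cost bcrypt row.
$rows = [
    'old_md5'  => md5('hunter2'),
    'low_cost' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 9]),
];

foreach ($rows as $label => $stored) {
    $good = verifyAndUpgrade('hunter2', $stored);
    $bad  = verifyAndUpgrade('wrong', $stored);
    printf("%-9s correct=%s upgrade=%s wrong=%s\n", $label,
        var_export($good['ok'], true),
        var_export($good['newHash'] !== null, true),
        var_export($bad['ok'], true));
}
```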