#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    America (But which one?)
    Posts
    43
    Rep Power
    1

    How do I run PASSWORD_BCRYPT?


    Per the suggestion of Jacques1, I am looking to hash my passwords using the password_compat here. I've spent the past two hours reading documentation on their site, a few posts here on the forums, as well as a few other various websites, and I can't find anything that tells me where to run this script!

    I understand it is PHP, but I'm assuming I need some sort of console to run it in? Python? Ruby? I even checked the plethora of features available from my host (bluehost); PHP is supported (I've already known this), but I don't see any way I can run this script with a password I've inputted in order to hash it!

    This is all for my PHP log in page. Log in credentials are being created solely by me; there is no sign up page, and credentials are being saved in a json file.

    So how in the world do I hash my passwords?
  2. #2
  3. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,846
    Rep Power
    6351
    It's to be used inside of your existing PHP scripts. It's a series of PHP functions which you build manually into your existing app. It's not a thing you just point at a database and pull the trigger. It's a library for use within your code.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    this library provides a bunch of PHP functions. You include the library script in one of your own PHP scripts, and then you can use those functions. Just like I did in my login example.

    Since you don't have a registration page, all you need to do is set up a simple script which calls password_hash() for a given password and prints the hash on the screen. Then you can take this hash and paste it into the JSON file.

    bcrypt.php
    PHP Code:
    <?php

    // that's the library script
    require_once __DIR__ . '/password.php';

    // hash the submitted password with bcrypt (cost factor 10)
    if (!empty($_POST['password']))
    {
        $hash = password_hash($_POST['password'], PASSWORD_BCRYPT, array('cost' => 10));
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Bcrypt hash generator</title>
        <meta http-equiv="content-type" content="text/html;charset=utf-8" />
    </head>
    <body>
        <div><?php if (!empty($hash)) echo $hash ?></div>
        <form action="bcrypt.php" method="post">
            <fieldset>
                <label for="password">Password: </label><input id="password" name="password" type="text" />
            </fieldset>
            <div>
                <input type="submit" />
            </div>
        </form>
    </body>
    </html>
    Of course you use this script offline on your local PC.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
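
A command-line variant of the helper described in the post above, which needs no web server and also shows the check a login page would run against the JSON file. This is an added example, not part of the original post: the script name `hashtool.php`, the file `users.json`, its user-to-hash layout and the function names are assumptions, and it expects PHP 5.4 or later with `password.php` from password_compat beside it when the native functions are missing.

```php
<?php
// Added example, not from the thread. On PHP < 5.5, load password_compat first.
if (!function_exists('password_hash')) {
    require_once dirname(__FILE__) . '/password.php';
}

// Read the credential store; a missing or malformed file yields no users.
function load_users($file)
{
    $users = is_file($file) ? json_decode(file_get_contents($file), true) : null;
    return is_array($users) ? $users : array();
}

// Hash the password with bcrypt and store it under the user name.
function set_password($file, $user, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    $users = load_users($file);
    $users[$user] = $hash;
    file_put_contents($file, json_encode($users, JSON_PRETTY_PRINT), LOCK_EX);
    return $hash;
}

// What the login page does: look up the stored hash and let password_verify()
// re-derive it from the submitted password (the salt and cost are in the hash).
function check_login($file, $user, $password)
{
    $users = load_users($file);
    if (!isset($users[$user]) || !is_string($users[$user])) {
        return false;
    }
    return password_verify($password, $users[$user]);
}

// Command-line use (hypothetical script name): php hashtool.php <username>
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $file = dirname(__FILE__) . '/users.json';   // assumed location; keep it outside the web root
    fwrite(STDOUT, 'Password: ');
    $password = rtrim(fgets(STDIN), "\r\n");
    echo set_password($file, $argv[1], $password), "\n";
    echo check_login($file, $argv[1], $password) ? "verify: ok\n" : "verify: FAILED\n";
}
```

Only the hash is ever written to disk; the login page compares with `password_verify()` rather than hashing the submitted password again and comparing strings, because each call to `password_hash()` uses a fresh salt.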
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    America (But which one?)
    Posts
    43
    Rep Power
    1
    Thank you very much for your reply Jacques.

    I'm so close to getting that working, I can taste it. However, it isn't working and I can't figure out why! I have three files uploaded to a bcrypt folder on my server;

    bcrypt.php
    PHP Code:
    <?php

    // that's the library script
    require_once __DIR__ . '/password.php';

    // hash the submitted password with bcrypt (cost factor 10)
    if (!empty($_POST['password']))
    {
        $hash = password_hash($_POST['password'], PASSWORD_BCRYPT, array('cost' => 10));
    }
    ?>
    bcrypt.html
    Code:
    <?php session_start() ?>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Bcrypt hash generator</title>
        <meta http-equiv="content-type" content="text/html;charset=utf-8" />
    </head>
    <body>
        <div><?php if (!empty($hash)) echo $hash ?></div>
        <form action="bcrypt.php" method="post">
            <fieldset>
                <label for="password">Password: </label><input id="password" name="password" type="text" />
            </fieldset>
            <div>
                <input type="submit" />
            </div>
        </form>
    </body>
    </html>
    And then the password.php file from the password_compat site you provided me (from the lib folder).

    I input the password, and then, depending on the browser, I get various errors or a blank page.

    What in the world did I screw up?!?
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    First of all, you shouldn't have test scripts on your server. Unfinished scripts often have all kinds of bugs and security holes, and the last thing you want is that somebody finds them and uses them to break into your server. An attacker doesn't care about whether this is a test server or a production site.

    For testing, use a local server environment like XAMPP.

    I'm not sure why you ripped apart the original script. Do you understand what it does? This is a simple helper script to be run on your own PC. All it's supposed to do is generate a hash so that you can copy it and paste it into your JSON file. It's not for your website. It's just a tool for you.

    If -- for whatever reason -- you actually want two separate files, you need to adjust the script accordingly. You can't have PHP code in an HTML file. And the target page has to actually output something. Otherwise it's only natural that you get a blank page.
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    America (But which one?)
    Posts
    43
    Rep Power
    1

    Unhappy


    Sadly I have no administrative rights on my work computer, I can't gain them, and I can't get XAMPP past the firewall. You'd love our network security Jacques; plug in an external storage device, and the phone rings with an IT guy on the other end screaming at you.

    This isn't my primary job; just a favor for another department, so I have to work with what I have, hence me uploading potential security risks to my own host. Which I plan to delete as soon as I have it figured out.

    I split the original script into two files because on first (and second, and third) attempt, the only thing it displayed was a blank page.

    Sadly, I wouldn't even consider myself a PHP amateur and make no claims to know what I am doing in this regard, so I don't even know how to make my target page output the hash. I've performed a few searches and can't find what I need.

    I really hope I am not being a pain, but can you possibly tell me how to make it output the hash?
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    America (But which one?)
    Posts
    43
    Rep Power
    1
    I'm stuck. I've tried multiple 'echo' commands directly after the php provided (but still within the PHP markers), and I can't get it to display a single line of HTML, let alone the actual hash.

    Can anyone look at the PHP given above and tell me how to make that page display the hash that it generates?

    It would be greatly appreciated!!!

    -DZ
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Oct 2009
    Location
    Nebraska, USA
    Posts
    862
    Rep Power
    275
    Jacques1's bcrypt.php script works fine AS IS (as long as you have the password.php file from password_compat in the same directory).

    Just copy/paste his code into a text file and rename the file as bcrypt.php, place it in the same folder as password.php, upload that folder to the webserver and run the bcrypt.php file. Enter your password and press the submit button. You should see your encrypted password right above the form.

    And, honestly, just my 2 cents here, but, if you are having this much issue with running this simple script, I don't see how you think you'll be able to manage creating your own DB-less CMS.
  16. #9
  17. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    America (But which one?)
    Posts
    43
    Rep Power
    1
    I've done precisely what you have advised, and all I get is a blank page. I have the password.php file in the same directory, and it doesn't even allow me to enter a password (as I said, the page is blank).

    You can see for yourself at http://intelligenceordeath.com/bcrypt/bcrypt.php if you like. I just don't understand why it isn't working.

    I know I have no clue what I am doing, but there is no harm in me trying and attempting to learn a few pieces of PHP.
  18. #10
  19. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    It's not a blank page, it's a server error (status code 500).

    You need to look into the error log (as defined in the php.ini). If it's empty, you need to turn your error reporting on (also in the php.ini).

    If you're running an outdated PHP, then the error is probably caused by the __DIR__. Try replacing it with dirname(__FILE__).
  20. #11
  21. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    America (But which one?)
    Posts
    43
    Rep Power
    1
    Thank you very much for your reply Jacques1.

    For starters, I took a look at the error log, and it was relating to the __DIR__ and finding the file (password.php). So I tested implementing dirname(__FILE__) so that that particular line looked like this:

    PHP Code:
    require_once dirname(__FILE__) . '/password.php';
    I then deleted my error log, loaded up my new bcrypt.php and tested it out. This time I finally got the form to show up. I typed in my name to try to create a test password, and nothing. I checked to see if a new error log was created, and there wasn't. I tried a few more times (definition of insanity?), with no luck.

    I can send my host my old error log that I saved, but it is no longer relevant seeing as the only error was relating to __DIR__.

    This was the exact error by the way:
    [26-Jul-2013 11:26:25] PHP Warning: require_once(__DIR__/password.php) [<a href='function.require-once'>function.require-once</a>]: failed to open stream: No such file or directory in /home1/intelly1/public_html/bcrypt/bcrypt.php on line 4

    [26-Jul-2013 11:26:25] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '__DIR__/password.php' (include_path='.:/usr/lib64/php:/usr/lib/php:/usr/share/pear') in /home1/intelly1/public_html/bcrypt/bcrypt.php on line 4
    The file, password.php, is most definitely in the same exact directory!

    What else can you suggest Jacques? Or anyone else that knows what they are doing!
  22. #12
  23. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    1. Set your error_reporting to -1 to catch all errors.
    2. Put a var_dump($hash) right after the $hash = .... What does it say? What does the error log say?
    3. What's your PHP version?
  24. #13
  25. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    America (But which one?)
    Posts
    43
    Rep Power
    1
    Good morning Jacques and thank you again for your reply.

    EDIT 2: I changed my PHP version to 5.4 and this finally works!!!! Time for me to get the log-in form working correctly now! Thank you so much for all of your help Jacques, I would have never known to look at the PHP version (and therefore change it) if it were not for you asking what version I was running!

    1. I sadly couldn't find my php.ini file (even after conducting a search via the supplied file search engine). I'm fairly certain that is where I would change the error reporting settings, please correct me if I'm wrong!

    2. When I implemented the var_dump($hash), the page comes up blank in my browser, however, here is the error in the log:
    [30-Jul-2013 06:01:23] PHP Parse error: syntax error, unexpected '}' in /home1/intelly1/public_html/bcrypt/bcrypt.php on line 10
    Line 10 is directly after the new line of PHP I implemented, and all it contains is the above stated bracket.

    3. Bluehost's PHP version is 5.2.17, though they state that they have up to PHP 5.4 available. Should I look into how I can get 5.4 installed?

    EDIT 1: I can change my PHP into any of the following versions:

    5.2
    5.2 (Single php.ini)
    5.2 (FastCGI)
    5.3
    5.3 (Single php.ini)
    5.4
    5.4 (Single php.ini)
    5.4 (fastCGI)
