[Add-on] RevCMS Bcrypt

  1. #1
    Valued Member Oliveri
    Join Date: Sep 2013
    Posts: 146

    Support [Add-on] RevCMS Bcrypt

    Hi,

    Today I release my version of bcrypt in RevCMS. It's just an add-on, and yeah it has been released somewhere else. It's just not out in the open and the threads that do have it are a bit confusing I guess. I don't honestly recommend bcrypt for retros that know how to defend their DB, I think it only works with retros that have a reputation of weak websites. Like injection etc.

    Go to app/class.core.php and find this line:
    PHP Code:
    final public function hashed($password)
    {
        return md5($password);
    }
    and change it to:
    PHP Code:
    final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }
    Step 2, go to class.users.php and find something similar to:
    PHP Code:
    final public function userValidation($username, $password)
    {
        global $engine;
        if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)
        {
            return true;
        }
        return false;
    }
    then change it to:
    PHP Code:
    final public function userValidation($username, $password)
    {
        global $engine;
        if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)
            return password_verify($password);
    }
    Last edited by Oliveri; 25-06-17 at 10:57 AM. Reason: Missed something critical loL


  2. #2
    Member Aamiainen
    Join Date: Aug 2016
    Location: Finland
    Posts: 83

    Re: [Add-on] RevCMS Bcrypt

    I think you should also include the code for logging in, I'm pretty sure that if u only use this you just make your site unable to be logged in :D

    atm it looks something like this:
    Code:
    function auth_login(){
        if($hashfromdb == hashed($_POST['passu'])){
            return true;
        }else{
            return false;
        }
    }
    Won't work because every time you do password_hash($x) it returns a different hash. You should be using password_verify() instead.

    Code:
    function auth_login(){
        if(password_verify($_POST['passu'], $hashfromdb)){
            return true;
        }else{
            return false;
        }
    }

  3. #3
    :joy: Jonteh
    Join Date: Apr 2007
    Location: New York, USA
    Posts: 3,375

    Re: [Add-on] RevCMS Bcrypt

    Good shit, although people should be moving away from this CMS and not extending its life.

  4. #4
    Valued Member Oliveri
    Join Date: Sep 2013
    Posts: 146

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by Aamiainen View Post
    I think you should also include the code for logging in, I'm pretty sure that if u only use this you just make your site unable to be logged in :D

    atm it looks something like this:
    Code:
    function auth_login(){
        if($hashfromdb == hashed($_POST['passu'])){
            return true;
        }else{
            return false;
        }
    }
    Won't work because every time you do password_hash($x) it returns a different hash. You should be using password_verify() instead.

    Code:
    function auth_login(){
        if(password_verify($_POST['passu'], $hashfromdb)){
            return true;
        }else{
            return false;
        }
    }
    Thanks for reminding me lol.

    Fixed post - includes password_verify($password) now. (RZ kinda fucked the styling, easy fix.)

  5. #5
    Member Aamiainen
    Join Date: Aug 2016
    Location: Finland
    Posts: 83

    Re: [Add-on] RevCMS Bcrypt

    still unusable

    boolean password_verify ( string $password , string $hash )

  6. #6
    Not so spooky... MrSpooks
    Join Date: May 2010
    Location: Under a rock
    Posts: 1,068

    Re: [Add-on] RevCMS Bcrypt

    @Jonteh has a good point, although this is a decent upgrade, users should be moving away from Rev. Yes, it was a good CMS but has now become outdated.

  7. #7
    The **** Keiz
    Join Date: Nov 2015
    Posts: 238

    Re: [Add-on] RevCMS Bcrypt

    Bcrypt never let me down, for sure less decryptable than md5. Thanks!
    Do note you can't simply change the hashing method if your hotel already has a user base. Old users will not be able to login again.
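
The login check this thread converges on (two-argument password_verify(), posts #2 and #5) combined with the existing-user problem raised in post #7, as an added example that is not part of any post or of RevCMS: it fetches the hash by username, accepts a legacy md5 row, and re-hashes it with bcrypt on that successful login. The PDO handle, the in-memory SQLite table and the name verifyLogin are assumptions; the users/username/password names follow the query in post #1.

```php
<?php
// Added example, not RevCMS code. verifyLogin() and the PDO handle are assumptions;
// the users/username/password names follow the query quoted in post #1.
function verifyLogin(PDO $db, string $username, string $password): bool
{
    // Look the hash up by username only; the password never enters the SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                                  // unknown user
    }

    if (preg_match('/^[a-f0-9]{32}$/i', $stored)) {
        // Legacy row written by the old md5-based hashed().
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $upgrade = true;
    } else {
        // Two arguments: the submitted password, then the stored hash.
        if (!password_verify($password, $stored)) {
            return false;
        }
        $upgrade = password_needs_rehash($stored, PASSWORD_BCRYPT);
    }

    if ($upgrade) {
        // Only now is the plaintext available, so re-hash on this login.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $username]);
    }
    return true;
}

// Constructed sample data: one legacy md5 account, one bcrypt account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['olduser', md5('hunter2')]);
$ins->execute(['newuser', password_hash('s3cret', PASSWORD_BCRYPT)]);

var_dump(verifyLogin($db, 'olduser', 'hunter2'));  // legacy md5 row
var_dump(verifyLogin($db, 'olduser', 'hunter2'));  // same account after the upgrade
var_dump(verifyLogin($db, 'newuser', 'wrong'));    // wrong password
```

The password column has to hold the 60-character bcrypt string; a column sized for a 32-character md5 hex digest would truncate it.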

  8. #8
    Valued Member Oliveri
    Join Date: Sep 2013
    Posts: 146

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by MrSpooks View Post
    @Jonteh has a good point, although this is a decent upgrade, users should be moving away from Rev. Yes, it was a good CMS but has now become outdated.
    Indeed. This is very outdated code, although from the releases it's still the easiest to use.
    From my point of view I see 4 usable CMS's: Chocolatey, RevCMS, BrainCMS. Chocolatey uses framework and it actually crashed my hotel several times. BrainCMS I have never used, so can't really say anything about it. I don't personally like RevCMS, I believe it's just easier to use for people.

  9. #9
    "(still lacks brains)" NoBrain is offline
    Join Date: Sep 2011
    Location: United Kingdom
    Posts: 2,658

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by Theft View Post
    Chocolatey uses framework and it actually crashed my hotel several times.
    I don't quite understand how a CMS could crash your Hotel? I understand he's butchered the Lumen Framework but even so, your hotel's configuration must be terrible.

  10. #10
    Alpha Member Emily
    Join Date: Oct 2012
    Location: The Netherlands
    Posts: 2,408

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by Theft View Post
    Indeed. This is very outdated code, although from the releases it's still the easiest to use.
    From my point of view I see 4 usable CMS's: Chocolatey, RevCMS, BrainCMS. Chocolatey uses framework and it actually crashed my hotel several times. BrainCMS I have never used, so can't really say anything about it. I don't personally like RevCMS, I believe it's just easier to use for people.
    Wait. A CMS crashed your hotel? I'm sure something's wrong in your hotel configuration...

  11. #11
    :joy: Jonteh
    Join Date: Apr 2007
    Location: New York, USA
    Posts: 3,375

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by NoBrain View Post
    I don't quite understand how a CMS could crash your Hotel? I understand he's butchered the Lumen Framework but even so, your hotel's configuration must be terrible.
    This guy sounds to me like he had an issue so instead of figuring out what actually caused the problem he's just blaming the first thing that comes to mind.

    A CMS crashing a hotel. Fantastic.

  12. #12
    Member Aamiainen
    Join Date: Aug 2016
    Location: Finland
    Posts: 83

    Re: [Add-on] RevCMS Bcrypt

    Knowing the userbase on Theft's hotels I'd say it's most likely possible that someone has exploited the cms to crash the emu. But idk if that's even possible, never used chocolatey myself.

  13. #13
    Retired maritnmine
    Join Date: May 2007
    Location: North Korea
    Posts: 1,103

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by NoBrain View Post
    I don't quite understand how a CMS could crash your Hotel?
    Never underestimate the true power of PhP.

  14. #14
    Proficient Member Yesser
    Join Date: Aug 2010
    Posts: 179

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by NoBrain View Post
    I don't quite understand how a CMS could crash your Hotel?
    Quote Originally Posted by maritnmine View Post
    Never underestimate the true power of PhP.
    That might be the main reason lord @maritnmine made a CMS in ASP.NET in the past.
    Last edited by Yesser; 03-07-17 at 01:13 AM. Reason: ASP.NET instead of ASP

  15. #15
    Retired maritnmine
    Join Date: May 2007
    Location: North Korea
    Posts: 1,103

    Re: [Add-on] RevCMS Bcrypt

    Quote Originally Posted by Yesser View Post
    That might be the main reason lord @maritnmine made a CMS in ASP in the past.
    It was in ASP.NET, not ASP.


