Custom password encryption (password_hash)

Postby leeb9334 » Tue Mar 18, 2014 5:18 pm

Hello everyone,

I successfully switched from MD5 encryption to Bcrypt-based password_hash encryption. Please be aware that this modification only works on servers that have ***PHP 5.5 or newer***.

The following instructions work in a scenario where you have a table (in this example: 'users') that has 'username' and 'password' fields. We will first disable PHPMaker's MD5 encryption and then modify the phpfn.php file in the template. Also, the password field should be made Optional in your database, as well as in PHPMaker 'password' field settings. This is because when you Edit a page, you want password to be blank.

First, make these changes on PHPMaker:

0) Make 'password' field optional in your SQL database, also make it VARCHAR(255). Make it optional in PHPMaker field settings.

1) Go to SECURITY > ADVANCED > USER LOGIN OPTIONS and disable "MD5 Password" under the PASSWORD fieldset.

2) Go to your table ('users' in this example) and click on "Code (Server Events, Client Scripts and Custom Templates)".

2a) Find "Row_Inserting" under SERVER EVENTS > TABLE-SPECIFIC > COMMON, and paste this code:
if (isset($rsnew['password']) && !empty($rsnew['password'])) {
    // Store a bcrypt hash instead of the submitted cleartext
    $rsnew['password'] = password_hash($rsnew['password'], PASSWORD_DEFAULT);
}

2b) Find "Row_Updating" under SERVER EVENTS > TABLE-SPECIFIC > COMMON, and paste this code:
if (isset($rsnew['password']) && !empty($rsnew['password'])) {
    // A new password was typed: replace the stored hash
    $rsnew['password'] = password_hash($rsnew['password'], PASSWORD_DEFAULT);
} else {
    // Field left blank on Edit: keep the existing hash untouched
    unset($rsnew['password']);
}

3) Find "Form_CustomValidate" under SERVER EVENTS > TABLE-SPECIFIC > ADD/COPY PAGE, and paste the following code. This is to make the password field REQUIRED only when adding a user.
$rs = $this->GetFieldValues("FormValue"); // Get the form values as array
if (!isset($rs["password"]) || empty($rs["password"])) {
    // Return error message in $CustomError
    $CustomError = "Password must be set";
    return FALSE;
} else {
    return TRUE;
}

4) Find "Page_DataRendering" under SERVER EVENTS > TABLE-SPECIFIC > EDIT PAGE, and paste the following code:
global $users; // the table object is named after the table ('users' in this example)
$users->password->EditValue = ""; // show an empty password box instead of the stored hash

5) Modify the phpfn.php file located in "C:\Program Files (x86)\PHPMaker 10\template\phpv100.zip" and replace the following 2 functions:
// Encrypt password
// $salt is ignored: password_hash() generates and embeds its own random salt,
// so the stored value is a self-contained bcrypt string (60 characters).
function ew_EncryptPassword($input, $salt = '') {
    return password_hash($input, PASSWORD_DEFAULT);
}

// Compare password
// $pwd is the stored hash, $input the submitted password. Every branch of the
// original (encrypted or not) ended in password_verify(), so the structure
// collapses to one call. Note that the case-insensitive setting can only
// match if the hash was also generated from the lowercased password.
function ew_ComparePassword($pwd, $input) {
    if (!EW_CASE_SENSITIVE_PASSWORD) {
        $input = strtolower($input);
    }
    return password_verify($input, $pwd);
}


That's it! Now, each time you create/update a user, the password will be saved in the database as a one-way encrypted string.

I really hope this will help someone in the future because it took me 2 days to figure this out.

Re: Custom password encryption (password_hash)

Postby EpicFart » Tue Apr 22, 2014 12:39 pm

Very good - thanks...
Two things are missing though (I cannot work out how to fix - perhaps you can post)...

1. If the user changes their OWN password, it's being stored in the DB as clear text... and the user can no longer log in, as obviously the hash and the clear text don't compare.
2. If the user does a PASSWORD RECOVERY, the prog is sending the exact value of what is in the DB password field... which does not allow the user to log in, as this would then hash the hash - which doesn't compare with itself... My suggestion is to RESET the password, save the hash, and email the cleartext... but HOW (as my programming skills are poor)

Please help
Thanks
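The "reset the password, save the hash, e-mail the cleartext" recovery flow asked for above, as an added example that is not code from the thread or from PHPMaker. It assumes PHP 7.0 or newer (random_int), PDO with the SQLite driver for the demo, a 'users' table with 'username' and 'password' (varchar(255)) columns plus a hypothetical 'must_change_password' flag column; the ew_ function names are made up.

```php
<?php
// Added example, not code from the thread or from PHPMaker: the "reset the
// password, save the hash, e-mail the cleartext" recovery flow suggested
// above, written so that only a hash ever reaches the database.
// Assumptions: PHP >= 7.0 (random_int), PDO with the SQLite driver for the
// demo, a 'users' table with 'username' and 'password' (varchar(255)), and a
// hypothetical 'must_change_password' flag column; the ew_ names are made up.

// Random temporary password from an alphabet without look-alike characters.
function ew_TemporaryPassword($length = 12) {
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Overwrite the stored hash with the hash of a fresh temporary password and
// flag the account so the user must choose a new one at next login.
// Returns the cleartext once (for the recovery e-mail) or null when no row
// matched; the cleartext itself is never written to the database.
function ew_ResetPassword(PDO $db, $username) {
    $temp = ew_TemporaryPassword();
    $stmt = $db->prepare('UPDATE users SET password = :hash, must_change_password = 1 WHERE username = :user');
    $stmt->execute(array(
        ':hash' => password_hash($temp, PASSWORD_DEFAULT),
        ':user' => $username,
    ));
    return $stmt->rowCount() === 1 ? $temp : null;
}

// Constructed demo on an in-memory SQLite copy of the table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password VARCHAR(255), must_change_password INTEGER NOT NULL DEFAULT 0)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (:user, :hash)');
$ins->execute(array(':user' => 'alice', ':hash' => password_hash('old-password', PASSWORD_DEFAULT)));

$temp = ew_ResetPassword($db, 'alice');
$row = $db->query("SELECT password, must_change_password FROM users WHERE username = 'alice'")->fetch(PDO::FETCH_ASSOC);
var_dump($temp !== null && password_verify($temp, $row['password']));  // does the e-mailed value verify against the stored hash?
var_dump((int) $row['must_change_password']);                           // the forced-change flag after the reset
var_dump(ew_ResetPassword($db, 'nobody'));                              // unknown user: nothing is updated
```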

Re: Custom password encryption (password_hash)

Postby EpicFart » Tue Apr 22, 2014 1:43 pm

OK - I have a solution...

FORGET ALL of steps 1 through 4.... ONLY perform step 5 (and make password varchar(255) AND REQUIRED) - everything works perfectly.

Re: Custom password encryption (password_hash)

Postby richardelima » Tue Sep 30, 2014 3:17 am

Does it work for use as data encryption for a field or table, other than login?
Thanks.

Re: Custom password encryption (password_hash)

Postby EpicFart » Sat Oct 01, 2016 2:30 pm

2016 update to using Bcrypt-based password_hash encryption (not sure why the authors of PHPMAKER don't use this - it's FAR easier to maintain (no code required... just native php functions) - and more secure than MD5):
In phpfn12.php, simply REPLACE the "Encrypt password" and "Compare password" functions with the following:

// Encrypt password
function ew_EncryptPassword($input, $salt = '') {
    return password_hash($input, PASSWORD_DEFAULT); // bcrypt; the salt is generated internally, $salt is unused
}

// Compare password
function ew_ComparePassword($pwd, $input, $encrypted = FALSE) {
    return password_verify($input, $pwd); // $encrypted is kept only to match the v12 signature
}

=================
Done!
Enjoy

Re: Custom password encryption (password_hash)

Postby EpicFart » Sat Oct 01, 2016 2:40 pm

Oops - forgot to mention that your user_password field in your DB needs to be varchar(225)

NOTE: Making this modification will break any existing password (as the hash is obviously different)
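The breakage noted above (and the step-5 rewrite of the two phpfn functions earlier in the thread) can be handled with a migration-aware compare, shown here as an added example that is not code from the thread or from PHPMaker. It goes beyond the posts by accepting the old 32-hex MD5 digest and upgrading each row to password_hash() on the user's next successful login; it assumes PHP 5.6 or newer (hash_equals), a case-sensitive comparison, and a caller that writes $newHash back to the user's row when it is set. The ew_IsLegacyMd5 name is made up.

```php
<?php
// Added example, not code from the thread or from PHPMaker: a migration-aware
// version of the two phpfn functions that keeps rows still holding the old
// MD5 digest usable and upgrades each one to password_hash() on the user's
// next successful login, instead of breaking every existing password.
// Assumes PHP >= 5.6 (hash_equals) and a caller that writes $newHash back to
// the user's row when it is set; the ew_IsLegacyMd5 name is made up.

// $salt is accepted only for signature compatibility: bcrypt generates and
// embeds its own random salt.
function ew_EncryptPassword($input, $salt = '') {
    return password_hash($input, PASSWORD_DEFAULT);
}

// A value PHPMaker's "MD5 Password" option stored: exactly 32 hex characters.
function ew_IsLegacyMd5($stored) {
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Verify $input against the stored value. On success, $newHash receives a
// replacement password_hash() value when the row holds an MD5 digest or a
// bcrypt hash with an outdated cost, and stays null otherwise.
function ew_ComparePassword($stored, $input, &$newHash = null) {
    $newHash = null;
    if (ew_IsLegacyMd5($stored)) {
        // Constant-time comparison of the legacy digest.
        if (!hash_equals(strtolower($stored), md5($input))) {
            return false;
        }
        $newHash = ew_EncryptPassword($input);  // upgrade while the cleartext is available
        return true;
    }
    if (!password_verify($input, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $newHash = ew_EncryptPassword($input);  // PASSWORD_DEFAULT or its cost changed
    }
    return true;
}

// Constructed demo: one row as the MD5 option stored it, one already on bcrypt.
$legacyRow = md5('correct horse');
$modernRow = ew_EncryptPassword('correct horse');

var_dump(ew_ComparePassword($legacyRow, 'correct horse', $upgrade));        // legacy row, right password
var_dump($upgrade !== null && password_verify('correct horse', $upgrade));  // was an upgraded hash produced?
var_dump(ew_ComparePassword($modernRow, 'correct horse', $upgrade));        // bcrypt row, right password
var_dump($upgrade);                                                         // rehash needed for a current hash?
var_dump(ew_ComparePassword($legacyRow, 'wrong password', $upgrade));       // legacy row, wrong password
```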