These are chat archives for ushahidi/Community

4th
Oct 2016
Danny Lin
@yuchenglin
Oct 04 2016 01:48
@Zkage my prior problem was I cannot connect to the endpoint /api/v3/....(overwrite permission). Yours seems different from mine I think
Ushbot
@ushbot
Oct 04 2016 12:18
[David, Ushahidi] Hello Ush. David here. I checked in yesterday to see if you could help us (RJ) with some challenges we are having with using your hasher in our password. As far as I know, RJ has tried your recommendations with no success. You have been a big help in the past... I would be so grateful if you could give us some insight as to what we are missing. :)
[Angela Oduor Lungati, Ushahidi] Hi David, flagging this for the dev team once more
[Angela Oduor Lungati, Ushahidi] @rjmackay @jason @will could we help David and his team out?
Ushbot
@ushbot
Oct 04 2016 12:28
[Jason Mule, Ushahidi] David what issues are you seeing at the moment?
[Jason Mule, Ushahidi] s/issues/errors
[Rj Quirit, Ushahidi] Good day everyone
[Rj Quirit, Ushahidi] I would like to ask your help on the encryption of the password
Ushbot
@ushbot
Oct 04 2016 12:33
[Rj Quirit, Ushahidi] password was encrypted like this
[Rj Quirit, Ushahidi] but when I tried to copy paste it to my code
[Rj Quirit, Ushahidi] unfortunately, it's not working...
[Rj Quirit, Ushahidi] I need your big help friends
Ushbot
@ushbot
Oct 04 2016 12:48
[David, Ushahidi] Hello programming staff--@rjmackay @jason @will. I again thank you for your past help. RJ has posted some challenges with password encryption. Any thoughts, wisdom or idea on how to proceed would be appreciated... :)
[David, Ushahidi] Many thanks Angela for flagging the dev team. You guys are awesome!
[Jason Mule, Ushahidi] @RJ Could you provide more information about how this is failing for you?
[Rj Quirit, Ushahidi] Thank you so much...
[Rj Quirit, Ushahidi] for your response..
[Rj Quirit, Ushahidi] I have this code to login the ushahidi app using the mobile app

[Rj Quirit, Ushahidi]
if(isset($_SERVER['HTTP_ORIGIN'])){
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');
}
if($_SERVER['REQUEST_METHOD']=='OPTIONS'){
    if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])){
        header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
    }
    if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])){
        header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
    }
    exit(0);
}
$data=file_get_contents("php://input");
if(isset($data)){
    $req=json_decode($data);
    $uname=$req->username;
    $pass=$req->pass;

    if($uname!="" && $pass!=""){
        $pass1=md5($pass);
        $cn=mysqli_connect("localhost","ushahidi_user","ushahidi-db-password","ushahidi_db");
        if(mysqli_connect_errno())echo mysqli_connect_error();
        //else echo "Succes Connection";
        $check=$cn->query("select email,password from users where email='$uname' and password='$pass1'");
        $rowcount=mysqli_num_rows($check);
        if($rowcount==1) echo "Welcome";
        else echo "Invalid Username or Password";
    }else{echo "Please complete all information.";}
}else{
    echo "Fatal Error: Improperly Called.";
}
function hash($pwd){
    return password_hash($pwd,PASSWORD_BCRYPT,['cost'=>12]);
}

[Rj Quirit, Ushahidi] $pass1=md5($pass); should be $pass1=hash($pass);
Ushbot
@ushbot
Oct 04 2016 12:54
[Rj Quirit, Ushahidi] but $pass1=hash($pass).... doesn't work
[Jason Mule, Ushahidi] what PHP version are you using?
[Jason Mule, Ushahidi] I think you need 5.5 or greater to use password_hash
Ushbot
@ushbot
Oct 04 2016 13:05
[Rj Quirit, Ushahidi] Thank you for the suggestion.
I just checked the version @ http://php.net/manual/en/function.phpinfo.php
PHP Version 5.5.9-1ubuntu4.14

[Rj Quirit, Ushahidi] but when I view the script in the server
[Jason Mule, Ushahidi] Also, what error do you get?
Ushbot
@ushbot
Oct 04 2016 13:10
[Rj Quirit, Ushahidi] this is the error I get
[Rj Quirit, Ushahidi]
Fatal error: Cannot redeclare hash() in D:\WEB\htdocs\test.php on line 52
[Jason Mule, Ushahidi] Could you use php -a on that server to test it interactively?
[Jason Mule, Ushahidi] also please post info on this chat with care because it's a public chat room.
[Rj Quirit, Ushahidi] interactive mode enabled
[Rj Quirit, Ushahidi] Thank you for the suggestion...
[Jason Mule, Ushahidi] run echo password_hash('test', PASSWORD_BCRYPT, ['cost' => 12]); and see what that gives you...
[Rj Quirit, Ushahidi] PHP Notice: Use of undefined constant PASSWORD_BRYPT - assumed 'PASSWORD_BRYPT' in php shell code on line 1
PHP Warning: password_hash() expects parameter 2 to be long, string given in php shell code on line 1
[Rj Quirit, Ushahidi] sorry for that error
[Rj Quirit, Ushahidi] here is the output
[Rj Quirit, Ushahidi] $2y$12$B7kTBC.7OnPbLrstBLFi9OmDtQjhV4UE05Hose//twjx8Ba39XmKC
php >
Ushbot
@ushbot
Oct 04 2016 13:21
[Jason Mule, Ushahidi] have you declared hash elsewhere?
Ushbot
@ushbot
Oct 04 2016 13:27
[Jason Mule, Ushahidi] Please check that you have declared your functions correctly. You could refer to the PHP manual/ online as well...
Ushbot
@ushbot
Oct 04 2016 13:33
[Rj Quirit, Ushahidi] Thank you very much sir
[Rj Quirit, Ushahidi] It worked well
[Rj Quirit, Ushahidi] unfortunately
[Rj Quirit, Ushahidi] it's not the same
[Rj Quirit, Ushahidi] using the ushahidi app in registering an account...
[Rj Quirit, Ushahidi] it shows this password
[Rj Quirit, Ushahidi] in the database
[Rj Quirit, Ushahidi] $2y$12$EkniLasAr8kYw5W7UbayQO4FUN9Q2a4mlDoY2uQRwGNu9FTiQ3Uou
[Rj Quirit, Ushahidi] but in using the password_hash... it will show this password
[Rj Quirit, Ushahidi] $2y$12$vngNnCuUtaeZI16DfE/TyuBPQfGvfNGx.9sxvw0okymlYxhE6K5B6
[Rj Quirit, Ushahidi] but same password is used
[Rj Quirit, Ushahidi] only different output
Ushbot
@ushbot
Oct 04 2016 13:43
[Jason Mule, Ushahidi] I suggest looking at the PHP manual to understand how that is generated. To verify a password generated using password_hash, please take a look at password_verify (http://php.net/manual/en/function.password-verify.php)
[Jason Mule, Ushahidi] Hope that answers your questions...
[Rj Quirit, Ushahidi] so simple sql query like column_password=hash(password)
[Rj Quirit, Ushahidi] I mean select * from tbl_user where clm_password=hash(password)..... will not work?
[Jason Mule, Ushahidi] You are using the PHP password API not the MySQL one...
Ushbot
@ushbot
Oct 04 2016 13:49
[Rj Quirit, Ushahidi] I am so sorry. I am so confused... can you explain it further?
[Jason Mule, Ushahidi] So we use password_hash function to hash the password before storing it right?
[Jason Mule, Ushahidi] To check whether a user has given you a correct password, you will need to verify it using password_verify. This function verifies passwords that were generated using password_hash
[Rj Quirit, Ushahidi] Thank you so much... but password_verify ( string $password , string $hash ).... requires 2 strings to compare... compare the "input_password" from "stored_password"
[Rj Quirit, Ushahidi] therefore... what I should do first is to
  1. retrieve the stored password
  2. hash the inputted password
  3. compare the two passwords
[Rj Quirit, Ushahidi] Am I getting it right?
Ushbot
@ushbot
Oct 04 2016 13:55
[Jason Mule, Ushahidi] No, retrieve the hash and check whether it is correct, by using password_verify($password, $hash)
[Rj Quirit, Ushahidi] oh like this.... (like the one you sample before)
password_verify('test','$2y$12$B7kTBC.7OnPbLrstBLFi9OmDtQjhV4UE05Hose//twjx8Ba39XmKC')
[Rj Quirit, Ushahidi] Thank you very much
[Rj Quirit, Ushahidi] if it returns false... what should I do?
Ushbot
@ushbot
Oct 04 2016 14:08
[Rj Quirit, Ushahidi] I got the concept of password_verify...
[Rj Quirit, Ushahidi] when I test it...
[Rj Quirit, Ushahidi] every time I refresh the page....
[Rj Quirit, Ushahidi] the hash changes.... every refresh
[Rj Quirit, Ushahidi] if every time a hash is created it changes... how can I compare it to the stored password in the database sir?
Ushbot
@ushbot
Oct 04 2016 14:16
[Jason Mule, Ushahidi] You use password_verify. Could you take a look at the documentation for these functions in the PHP manual? This implementation is not specific to the Ushahidi API.
[Rj Quirit, Ushahidi] I finally got the concept. I am so sorry I've been so slow.... Thank you very much sir Jason. Thank you
Ushbot
@ushbot
Oct 04 2016 14:21
[Jason Mule, Ushahidi] Np. Glad to help...
Ushbot
@ushbot
Oct 04 2016 14:26
[Rj Quirit, Ushahidi] Thank you so much... more power to all of you...