
Author Topic: password encryption algo  (Read 2854 times)

fresher

  • Newbie
  • *
  • Posts: 9
password encryption algo
« on: December 09, 2010, 08:49:58 am »
Hello all,

Pls can you tell me what algo you are using for encryption of the password that is saved in the database..

Thanks..

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: password encryption algo
« Reply #1 on: December 09, 2010, 01:15:38 pm »
Hi fresher,

The algorithm is sha1.

Anvar.in

  • Newbie
  • *
  • Posts: 11
Re: password encryption algo
« Reply #2 on: November 09, 2016, 04:10:38 pm »
Hello

This is my password and once I check with the hash it's not working.

I want to set up a mobile application, and once a user logs in I can get his ads' details.

<?php
$pass = '$2y$15$U4Xe4efFvAjQjhVoT0XPX.qexIb1c7USslh4u5Ms5TgrK8acmoWUK';

if ($pass == sha1('***')){
echo "True";}
else{
echo "False";
}

$pass1 = '438a30cac93a3b2a24d2a39f1aa51b1c746508c9';
if ($pass1 == sha1('***')){
echo "True";}
else{
echo "False";
}

Result
============
False
True

============

It's showing false with sha1() and if I change the password without hash it's working properly.

I want to log in with user details from an external PHP script file. Is there any solution for this?

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: password encryption algo
« Reply #3 on: November 09, 2016, 06:12:32 pm »
SHA1 is no longer used for passwords; Osclass uses bcrypt instead.

https://github.com/osclass/Osclass/blob/master/oc-includes/osclass/helpers/hSecurity.php#L241

Use osc_verify_password to verify that the plain-text password and hash match, and osc_hash_password to hash it.

PS: No need to post the same message three times

Anvar.in

  • Newbie
  • *
  • Posts: 11
Re: password encryption algo
« Reply #4 on: November 09, 2016, 06:22:51 pm »
Thanks _CONEJO

I want to access the user details for a mobile application externally, like with custom code not related to Osclass. Is it possible?

Can I verify the password externally with a PHP file?

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: password encryption algo
« Reply #5 on: November 09, 2016, 06:25:08 pm »
Yes, it's possible, just load the oc-load.php file from Osclass's folder and you'll have access to all the helpers and classes from Osclass.

Anvar.in

  • Newbie
  • *
  • Posts: 11
Re: password encryption algo
« Reply #6 on: November 09, 2016, 06:31:43 pm »
Thanks  _CONEJO

I am an Osclass and PHP beginner; if you don't mind, can you just give an example of that?

I am not an expert on Osclass and I have just started with Osclass.

Thanks in Advance


Anvar.in

  • Newbie
  • *
  • Posts: 11
Re: password encryption algo
« Reply #7 on: November 09, 2016, 07:03:46 pm »
Yes..  :-*

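You can load the oc-load.php from the home directory of the Osclass installation (public_html/oc-load.php)

<?php
// Bootstrap Osclass so its helper functions are available
require_once "oc-load.php";

// Hash a plain-text password (a new random salt is used on every call)
echo osc_hash_password('osclass') . PHP_EOL;
echo "<br>";
// Check a plain-text password against a stored bcrypt hash
echo (osc_verify_password('osclass', '$2y$15$BnXiEwc8A0nXB/YlXWsBFutvInchAI4nfpVE1LsUoWoOOkMTIdT6q') ? "TRUE" : "FALSE") . PHP_EOL; //bcrypt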

Result:
$2y$15$kj6GWlnJdR76/qpS375zjuReN5ldVc1L7oj9mftqAID1yKztTC.y6
TRUE

I think this is helpful to osclass beginners



Anvar.in

  • Newbie
  • *
  • Posts: 11
Re: password encryption algo
« Reply #8 on: November 09, 2016, 07:44:49 pm »
<?php

require_once "../oc-load.php";
require_once LIB_PATH . 'osclass/UserActions.php';
osc_run_hook('before_validating_login');

// Hard-coded test credentials; in real use these come from the request
$email = "info@osclass.org"; //$_POST['email'];
$pass = "osclass"; //$_POST['pass'];

// Look up the user record by e-mail
$user = User::newInstance()->findByEmail($email);

// Guard against an unknown e-mail before reading the stored hash
if (!empty($user) && osc_verify_password($pass, $user['s_password'])) {
    echo "Everything OK, Go Ahead <br>";
    echo " User Id : " . osc_logged_user_id();
} else {
    echo "There is some problems is user details";
}
« Last Edit: November 09, 2016, 07:47:02 pm by anvarsadiqp »

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: password encryption algo
« Reply #9 on: November 09, 2016, 07:48:29 pm »
Instead of $_POST or $_GET use the Params class
Params::getParam('whatever')

sky

  • Newbie
  • *
  • Posts: 24
Re: password encryption algo
« Reply #10 on: November 12, 2016, 10:28:41 pm »
In 2004, successful attacks were reported on hash functions having a structure similar to SHA-1, which raised the issue of the long-term security of SHA-1. Between 2005 and 2008 they published a series of attacks, both on a simplified version of SHA-1 and on the complete one. The best of these attacks requires only about 2^63 compression function operations (compared to 2^80 for brute force). NIST has announced the cessation of use of SHA-1 by 2010 in favor of the different variants of SHA-2 [1].

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: password encryption algo
« Reply #11 on: November 12, 2016, 10:34:41 pm »
In 2013 we stopped using SHA1 and switched to bcrypt
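
An added example, not part of the thread and not Osclass's own code: a standalone PHP check that tells apart the two stored formats seen above (a 40-character hex SHA-1 digest versus a `$2y$` bcrypt string), verifies each one correctly, and returns a fresh bcrypt hash to store when the old value should be upgraded. The function name `verify_stored_password`, the cost of 10, the assumption that legacy rows hold unsalted SHA-1, and the sample password are all assumptions made for the example.

```php
<?php
// Added example; not Osclass code. Function name, cost and sample data are assumptions.

const BCRYPT_COST = 10; // constructed for a fast demo; the hashes in the thread use cost 15

/**
 * Verify $plain against a stored hash in either format seen in the thread.
 * Returns [bool $ok, ?string $newHash]; $newHash is set when the stored
 * value should be replaced with a fresh bcrypt hash.
 */
function verify_stored_password(string $plain, string $stored): array
{
    $info = password_get_info($stored);

    if ($info['algoName'] === 'bcrypt') {
        // bcrypt embeds a random salt, so hashing again and comparing with ==
        // can never match; password_verify() re-derives using the stored salt.
        if (!password_verify($plain, $stored)) {
            return [false, null];
        }
        $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return [true, $stale ? password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]) : null];
    }

    if (preg_match('/^[0-9a-f]{40}$/i', $stored) === 1) {
        // Assumed legacy format: unsalted SHA-1 hex. Compare in constant time, then upgrade.
        if (!hash_equals(strtolower($stored), sha1($plain))) {
            return [false, null];
        }
        return [true, password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])];
    }

    return [false, null]; // unknown format: fail closed
}

// Constructed sample data.
$plain  = 'correct horse';
$legacy = sha1($plain);
$modern = password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

[$ok, $upgrade] = verify_stored_password($plain, $legacy);
printf("legacy sha1 : ok=%s upgrade=%s\n", var_export($ok, true), $upgrade !== null ? 'yes' : 'no');

[$ok, $upgrade] = verify_stored_password($plain, $modern);
printf("bcrypt      : ok=%s upgrade=%s\n", var_export($ok, true), $upgrade !== null ? 'yes' : 'no');

[$ok] = verify_stored_password('wrong', $modern);
printf("wrong pass  : ok=%s\n", var_export($ok, true));
```

When the second return value is not null, the caller writes it back to the user's row so that the legacy digest is replaced at the next successful login.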