How the checkPassword from PasswordUtil works?

artur9010 · Jun 9th 2019

I need to check that user password is correct.

I written some code, but it throws that error: Unable to determine password encryption

PHP

<?php
require_once('global.php');

if(check_is_right($_GET['user'], $_GET['password']) )
    echo "true";
else
    echo "false";
 
function check_is_right($username, $password){
    $sql = "SELECT username, password FROM wcf".WCF_N."_user WHERE username='".$username."'";
    $statement = \wcf\system\WCF::getDB()->prepareStatement($sql, 1);
    $statement->execute();
    $row = $statement->fetchSingleRow();
    if($row["password"] == null){
        return false;
    }
    
    if (wcf\util\PasswordUtil::checkPassword($row["username"], $password, $row["password"])){
        return true;
    }
    return false;
}
?>

Display More

Third argument for checkPassword is hashed password from database,

detectEncryption from PasswordUtil returns unknown, idk why.

Sorry, I don;t have permissions to post in support category :c

**Alexander Ebert** · Jun 9th 2019

Hello,

First things first, $row equals to false if your query does not match any user. Also, this code has a serious SQL injection vulnerability, because it injects the raw user input into the query. And a small hint, if there is no more code after the closing ?> php tag, then you should really leave it off. It's recommended not to include it whenever possible, it saves you from a lot of headaches.

PHP

<?php
require_once('global.php');

if(check_is_right($_GET['user'], $_GET['password']) )
    echo "true";
else
    echo "false";
 
function check_is_right($username, $password){
    $sql = "SELECT username, password FROM wcf".WCF_N."_user WHERE username = ?";
    $statement = \wcf\system\WCF::getDB()->prepareStatement($sql, 1);
    $statement->execute([$username]);
    $row = $statement->fetchSingleRow();
    if($row === false){
        return false;
    }
    
    if (\wcf\util\PasswordUtil::checkPassword($row["username"], $password, $row["password"])){
        return true;
    }
    return false;
}

Display More

The error message "Unable to determine password encryption" means that the system is unable to recognize the hash that is stored in the database. This may have been a result of the previous incorrect usage of $row, but if it persists, you should double-check the password hash for that particular user.

artur9010 · Jun 9th 2019

~~Ok, so I created a new account named "test" with "test1234" password. I copied hash from database and tried to check password~~

Code

\wcf\util\PasswordUtil::checkPassword("test", "test1234", "$2a$08$0lctPZhL82nDwdvK5/7ynOuZOchAmQyWJC/4Dj9t7OXNjoBpteMi6")

~~But it still throws that same error.~~

~~Error Type:~~
~~wcf\system\exception\SystemException~~
~~Error Message:~~
~~Unable to determine password encryption~~
~~File:~~
*/lib/util/PasswordUtil.class.php (125)
~~Stack Trace:~~
- ~~#0 */password-check.php (18):~~
- ~~wcf\util\PasswordUtil::checkPassword('test', 'test1234', '$2a$08$0lctPZhL82nDwdvK5/7ynOuZOchAmQyWJC/4Dj9t7OXNjoBpteMi6')~~

~~detectEncryption still returns `unknown`~~

~~WoltLab 3.1.9 pl 2~~

Ok, I'm stupid.

PHP

<?php
require_once('global.php');
use wcf\system\user\authentication\UserAuthenticationFactory;

$user = UserAuthenticationFactory::getInstance()->getUserAuthentication()->loginManually($_GET['user'], $_GET['password']);

That works.

How the checkPassword from PasswordUtil works?

Participate now!

Share