I’m trying out IHP for a new application, where we lock everything behind authentication and only allow existing users to sign up other new users… what is the best way to seed a user, or at least create a user outside of the application? Can a Script take user input? It looks like it doesn’t wait for input from the user (and requires a redirect from stdin, which isn’t the worst thing in the world), and doesn’t take arguments, so I’m wondering if there’s an alternative?
By design, IHP scripts do not allow for user input.
It was suggested to insert into the database directly to initially seed a user.
We can use hash-password from the command line to generate a hash and insert into the database.
I was able to use the IHP web IDE to execute the INSERT statement successfully.
Another options is something like echo "INSERT INTO users (..) VALUES (..)" | psql "$DATABASE_URL" directly
You can use this if you want to create a user account using IHP Script:
run :: Script
run = do
let username = "admin"
password = "admin"
hashed <- hashPassword password
existingUser <- query #User
|> findMaybeBy #email username
user <- case existingUser of
Just user -> do
putStrLn $ username ++ " already existing, skipping..."
return user
_ -> do
putStrLn $ "Inserting " ++ username ++ "..."
hashed <- hashPassword password
user <- newRecord #User
|> set #email username
|> set #passwordHash hashed
|> createRecord
putStrLn $ "Inserted " ++ username
return user
return ()
You can easily change the default values above to accept an input from the user but yes, as Micheal mentioned above, IHP Scripts aren't designed to handle user inputs and using the IHP IDE would be better to create user.
Related
I want to parameterise the login feature file so that is can be used for multiple user credentials. Can anyone please help me here? Below is the code that I am using:
Given url baseUrl
And form field username = 'admin'
And form field password = 'admin'
When method GET
Then status 200
I want to parameterise the value for username and password so that it can be passed from another feature file and can be reused again.
I have my Ldap working the only issue i'm facing was when I try to login with email that is when I land in the else part in the below code. If my username is different from email then it throws error. i.e if my email is 'skumar#gmail.com' and my username is 'saurakumar' then it will through invalid username password error.
As internally I'm using username to make email i.e if the user login with name 'karan' then i'm expecting the email to be karan #gmail.com which is not true in many scenario and the Authentication fails. I'm looking for some solution wherein I can login either via email or via username I'll be able to authenticate user. Below is the snippet of my code. Please suggest?
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
ldapEnv.put(Context.PROVIDER_URL, url);
ldapEnv.remove(Context.SECURITY_PROTOCOL);
if (email == null) {
lContext = new InitialLdapContext(ldapEnv, null);
entryResult = searchUserEntry(lContext, user, searchCtrls);
final String usrDN = ((Context) entryResult.getObject()).getNameInNamespace();
lContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
lContext.addToEnvironment(Context.SECURITY_PRINCIPAL, usrDN);
lContext.addToEnvironment(Context.SECURITY_CREDENTIALS, pass);
lContext.reconnect(null);
} else {
ldapEnv.put(Context.SECURITY_PRINCIPAL, email);
ldapEnv.put(Context.SECURITY_CREDENTIALS, credentials);
lContext = new InitialLdapContext(ldapEnv, null);
return lContext;
searchUserEntry(lContext, user, searchCtrls);
}
Normally this is a 3-step process:
Bind to LDAP as an administrative user. Note that this should not be the master user defined in the configuration file: that's for OpenLDAP's use itself. Instead it should be a user mentioned in the DIT that has the appropriate search access for the next step.
Search for the user via some unique attribute, e.g. in your case email.
Using the found DN of the user and the password he specified, attempt to bind as that user (with the reconnect() method, after changing the environment of the context appropriately).
If all that succeeds, you have a login success. If (2) or (3) fail, you have a failure, and note that you should not tell the user which it was: otherwise you are leaking information to attackers. You should not mention whether it was the username (email) or the password that was wrong.
Using either the phpass test program http://www.openwall.com/phpass/phpass-0.3.tar.gz , or python-phpass, and using C?*|Y[j"KQ'%gf for the plain text password, and $P$9kS6tD8tVxajypvJ5837.bt2emepD8/ as the hash, doing:
<?php
#
# This is a test program for the portable PHP password hashing framework.
#
# Written by Solar Designer and placed in the public domain.
# See PasswordHash.php for more information.
#
require 'PasswordHash.php';
header('Content-type: text/plain');
$t_hasher = new PasswordHash(8, FALSE);
$correct2 = 'C?*|Y[j"KQ\'%gf';
$hash2 = '$P$9kS6tD8tVxajypvJ5837.bt2emepD8/';
print 'Hash: [' . $hash2 . "]\n";
print 'correct: [' . $correct2 . "]\n";
$check = $t_hasher->CheckPassword($correct2, $hash2);
if ($check)
{
print "Check IF THIS WORKScorrect: '" . $check . "' (should be '1')\n";
}
else
{
print "IT FAILED!!!!!!!!\n\n\n";
}
?>
The hash was from phpBB3 (3.0.10), and when I supply that password to phpBB3, it does work correctly.
phpBB3 is supposed to be using phpass itself, doing $H$ instead of $P$.
The database entry in phpBB3 for this example is:
qlc4pi000000";0;"127.0.0.1";1351902499;"testpass";"testpass";"$H$9kS6tD8tVxajypvJ5837.bt2emepD8/";1351902499;0;"tp#inva.lid.com";266402289712;"''";1351902544;1351902499;0;"''";"''";0;0;0;0;0;0;0;"en";0.00;0;"D M d, Y g:i a";2;0;"''";0;0;0;0;-3;0;0;"t";"d";0;"t";"a";0;1;0;1;1;1;1;230271;"''";0;0;0;"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"bf4ae169a5a21313";1;0;0
The plain text password used in phpBB3 is [C?*|Y[j"KQ'%gf] and the hash (converted from phpBB3 format is [$P$9kS6tD8tVxajypvJ5837.bt2emepD8/] (both password & hash are between the [])
Can anyone shed some light on what is going on, and why this doesn't work with phpass ?
This is on the same machine that the forums are on, and again, it does work on the phpBB3 forums, so I can login fine. It just I can't authenticate with phpass externally when I access the phpBB3 database directly. It does work on other accounts though, it is only certain accounts it fails on.
Turns out the issue is, phpBB3 converts the password to use html escape codes.
Now, once the password is converted, it matches the hash stored in phpBB3.
The phpBB3 most likely applies PHP function htmlspecialchars (with no flags) to the password.
This fact noted by phpBoing was also noticed in discussion of question https://stackoverflow.com/a/12543884/1148030 .
The nonstandard identifier $H$ is useful. When $H$ is present implementation can know to apply escaping to support phpBB3.
I am new to asp.net development
I develop login form with username and password
I finished off with my work but any how my login table has injected with sort of script as
username
"> </title><script src="http://it
password
"> </title><script src="http://it
I have written simple query as
SELECT * FROM user WHERE userid = 'admin' AND password = 'ms2012'
I thought some body has injected in a username and password textbox
But I don't understand how they did. Can anybody explain how they have updated it and what should I do to avoid it?
There are 3 basic things to consider if you want to the application to be secured from SQL Injection:
Paramterized Queries
Stored Procedures
Sanitizing all input data
Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. I see that working if the password is held in clear, but what if we use a random string as a salt (also stored in the database) then store the hash of the concatenation?
mod_authn_dbd requires you to specify a query to select that password not to decide if the user is authenticated of not. So you cannot use that query to concatenate the user provided password with the salt then compare with the stored hash.
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work?
Looking at the Password Formats for Basic Auth it seemed that I could make this work if the hash is done using the apr_md5_encode function.
Found another question that relates to this and links to a Java implementation. I used that implementation with a small change to calculate the database hash inside my website normal user-creation flow. After this i could use mod_authn_dbd with this query:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"