Custom PHP function to verify correct password in

2019-04-12 01:10发布

站内问答 / PHP
1186 5 4

I created a script outside of Joomla that can successfully generate a Joomla password:

// I copied the JUserHelper class from Joomla here
$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword($password, $salt);
$psw = $crypt.':'.$salt;

My question is, how can I compare this new crypt:salt I generate above to a password of an existing user in the Joomla database, and know if the password supplied to the script above is the correct password for that user in the database?

5条回答
Juvenile、少年°
2楼-- · 2019-04-12 01:33

This is how Joomla 2.5 Validates a password

See the plugin file : \plugins\authentication\joomla\joomla.php

function onUserAuthenticate($credentials, $options, &$response)
    {
        $response->type = 'Joomla';
        // Joomla does not like blank passwords
        if (empty($credentials['password'])) {
            $response->status = JAuthentication::STATUS_FAILURE;
            $response->error_message = JText::_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
            return false;
        }

        // Initialise variables.
        $conditions = '';

        // Get a database object
        $db     = JFactory::getDbo();
        $query  = $db->getQuery(true);

        $query->select('id, password');
        $query->from('#__users');
        $query->where('username=' . $db->Quote($credentials['username']));

        $db->setQuery($query);
        $result = $db->loadObject();

        if ($result) {
            $parts  = explode(':', $result->password);
            $crypt  = $parts[0];
            $salt   = @$parts[1];
            $testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

            if ($crypt == $testcrypt) {
                $user = JUser::getInstance($result->id); // Bring this in line with the rest of the system
                $response->email = $user->email;
                $response->fullname = $user->name;
                if (JFactory::getApplication()->isAdmin()) {
                    $response->language = $user->getParam('admin_language');
                }
                else {
                    $response->language = $user->getParam('language');
                }
                $response->status = JAuthentication::STATUS_SUCCESS;
                $response->error_message = '';
            } else {
                $response->status = JAuthentication::STATUS_FAILURE;
                $response->error_message = JText::_('JGLOBAL_AUTH_INVALID_PASS');
            }
        } else {
            $response->status = JAuthentication::STATUS_FAILURE;
            $response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');
        }
    }
查看更多
0人赞 添加讨论(0) 举报
聊天终结者
3楼-- · 2019-04-12 01:34

EDIT: I posted this before the previous reply showed.

You could always break apart the stored password from the salt as they're just separated by a ':' ?

If the page is outside of the Joomla framework you will need to include the framework which should be able to be accomplished with this (reference - codeblock below). If you are inside of the Joomla framework, skip past this block. However, I didn't test the referenced codeblock:

define( '_JEXEC', 1 );

define( 'DS', DIRECTORY_SEPARATOR );
define('JPATH_BASE', dirname(__FILE__).DS."..".DS.".." );

require_once ( JPATH_BASE.DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE.DS.'includes'.DS.'framework.php' );

$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();

In the framework you will need to look up the user by ID or username:

$user  =& JFactory::getUser(username or id goes here);

Then if you have a match for $user you can simply do this access that user's password:

$user->password;

Then you can just compare with what your $psw

I believe that should help you on your way.

Are you looking to use this to log a user in with Joomla credentials to an external site or are you looking to log them in to a Joomla site?

查看更多
0人赞 添加讨论(0) 举报
男人必须洒脱
4楼-- · 2019-04-12 01:34

In joomla 3.4.5:

if (!class_exists("JFactory")) {
    define('_JEXEC', 1);
    define('JPATH_BASE', dirname(__FILE__)); // specify path to joomla base directory here
    define('DS', DIRECTORY_SEPARATOR);

    require_once ( JPATH_BASE . DS . 'includes' . DS . 'defines.php' );
    require_once ( JPATH_BASE . DS . 'includes' . DS . 'framework.php' );

    $mainframe = & JFactory::getApplication('site');
    $mainframe->initialise();
}

$user = JFactory::getUser(); // or: getUser($id) to get the user with ID $id
$passwordMatch = JUserHelper::verifyPassword($entered_password, $user->password, $user->id);
查看更多
0人赞 添加讨论(0) 举报
5楼-- · 2019-04-12 01:48

I am sorry to say that the above solution suggested is the worst

because JUserHelper::genRandomPassword(32) function is used to generate random passwords and it will be the different password each time when it is generated So different password will be saved in the db while registering with the user when compared to the one which will be generted at the time of checking which will obviously doesn't match in any ways

查看更多
0人赞 添加讨论(0) 举报
Melony?
6楼-- · 2019-04-12 01:50

One way would be to query the Joomla database directly to get a user's (salted and hashed) password, then compare. I think the below query should work for that, based on what I have seen from a few google searches. I have done this in Wordpress, so I'm assuming Joomla would be similar.

select 'password' from `jos_users` WHERE `username` = "Bob";
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)