Tuto, pasar de MD5 a BCrypt . Versión 9.15
72 views
Skip to first unread message
Williams Tuate
Jul 12, 2024, 9:08:35 AM7/12/24
to Comunidad ScriptCase Latino
En desarrollo...
Williams Tuate
Jul 12, 2024, 9:44:50 AM7/12/24
to Comunidad ScriptCase Latino
En primera instancia , si ya disponen de una versión de scriptcase como la 9.10 , seguramente no tienen esta tabla. Asi que fijarse .....
Vemos que tablas vamos a tratar a continuación: ( si no la tenemos crearlas, sinó editarlas. )
Creamos la tabla sc_logged
campos:: login varchar 255
date_login varchar 128
sc_session varchar 32
ip varchar 32
fecha_alta timestamp
todos los campos serán predeterminado en NULL
=====
Un trigger before insert de la misma tabla ... Aqui el codigo:
BEGIN
IF NEW.fecha_alta IS NULL THEN
SET NEW.fecha_alta = CURRENT_TIMESTAMP();
END IF;
END
IF NEW.fecha_alta IS NULL THEN
SET NEW.fecha_alta = CURRENT_TIMESTAMP();
END IF;
END
=====
Tabla sec_settings
campos : set_name VARCHAR 255
set_value VARCHAR 255
=====
Tabla sec_user
Agregar los campos:
picture LONGBLOB
role VARCHAR 128
phone VARCHAR 64
psw_last_updated TIMESTAMP
mfa_last_updated TIMESTAMP
mfa VARCHAR 255
pswd (editar, importante cambiar su longitud a 255)
login ( editar, si usarán para loguearse el correo, cambiar su longitud, sinó no hace falta)
=====
Crear el módulo de seguridad, pueden guiarse desde
Usar otra carpeta de seguridad para guardar todo el módulo, si hicieron bien el tema de las tablas , no deberian tener problemas con el modulo.
=====
Pasamos a los scripts , archivos a editar, en este ejemplo yo usé para la creación de archivos el prefijo "sec1" esa fué mi selección al crear el módulo de seguridad:
1) Para el archivo app1_Login:
en onValidate : $slogin = sc_sql_injection({login});
#$spswd = sc_sql_injection(hash("md5",{pswd}));En esta parte del código siguiente, lo uso a mi gusto, no significa que uds, deban hacer lo mismo:
//*********** global destinada a grupos de usuarios
$sql2 = "SELECT *
FROM sec_users_groups
WHERE
".$str_login_validate."";
sc_lookup(rs2, $sql2);
if ({rs2} === false)
{
echo "Access error. Message=". {rs2_erro} ;
}
elseif (empty({rs2}))
{
echo "La consulta viene vacía";
}
else
{
$login = {rs2[0][0]};
$group_id = {rs2[0][1]};
}
sc_set_global($group_id);
//*********** fin de global destinada a grupos de usuarios
$sql2 = "SELECT *
FROM sec_users_groups
WHERE
".$str_login_validate."";
sc_lookup(rs2, $sql2);
if ({rs2} === false)
{
echo "Access error. Message=". {rs2_erro} ;
}
elseif (empty({rs2}))
{
echo "La consulta viene vacía";
}
else
{
$login = {rs2[0][0]};
$group_id = {rs2[0][1]};
}
sc_set_global($group_id);
//*********** fin de global destinada a grupos de usuarios
Todo lo que sigue , es exactamente como les debe quedar, vean por favor si ya lo tienen así( cosa q no creeo), no haría falta editar.
$sql = "SELECT
priv_admin,
active,
name,
email,
mfa,
pswd_last_updated,
login,
phone,
picture,
mfa_last_updated,
pswd,
origen,
caja
FROM sec_users
WHERE
".$str_login_validate."";
sc_lookup(rs, $sql);
if ( ({rs} === false) || (!is_array({rs}) ) || (empty({rs})) )
{
sc_log_add('login Fail', {lang_login_fail} . {login});
sc_logged_in_fail({login});
sc_error_message({lang_error_login});
}else{
$storedPasswordHash = $rs[0][10];
if (password_verify({pswd}, $storedPasswordHash)) {
if({rs[0][1]} == 'Y')
{
[usr_login] = {rs[0][6]};
[usr_priv_admin] = ({rs[0][0]} == 'Y') ? TRUE : FALSE;
[usr_name] = {rs[0][2]};
[usr_email] = {rs[0][3]};
[usr_phone] = {rs[0][7]};
[remember_me] = {remember_me};
[usr_picture] = '';
[usr_origen] = {rs[0][11]};
[usr_caja] = {rs[0][12]};
// Write image
if(!empty({rs[0][8]})){
$path_img = $_SESSION['scriptcase']['app1_Login']['glo_nm_path_imag_temp'] .'/sc_img_'. [usr_login] . hash("md5",date('YmdHis')) . '.png';
file_put_contents($this->Ini->root . $path_img, {rs[0][8]});
[usr_picture] = $path_img;
}
if( [sett_pswd_last_updated] != 0 ){
$diff = sc_date_dif(date("Y-m-d", strtotime({rs[0][5]} . " +".[sett_pswd_last_updated]. "days") ), "aaaa-mm-dd", date("Y-m-d"), "aaaa-mm-dd");
if($diff <= 0){
$code = hash("md5",date("YmdHis"));
sc_exec_sql("UPDATE sec_users SET activation_code=".sc_sql_injection($code) . " WHERE login=". sc_sql_injection([usr_login]));
sc_commit_trans();
sc_redir("app1_change_pswd", act_code=$code; pswd_expired=1);
}
}
//mfa
if( isset([sett_enable_2fa]) && [sett_enable_2fa] == 'Y' ){
if(!empty({rs[0][4]})){
$mfa_key = ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '').($_SERVER['REMOTE_ADDR'] ?? '' ). ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['SERVER_NAME'] ?? '') . ($_SERVER['HTTP_USER_AGENT'] ?? '');
$mfa_key = '_'.hash("md5",$mfa_key);
$diff = 0;
if( [sett_mfa_last_updated] != 0 && !empty({rs[0][9]}) ){
$diff = sc_date_dif(
date("Y-m-d", strtotime({rs[0][9]} . " +".[sett_mfa_last_updated]. "days") ),
"aaaa-mm-dd",
date("Y-m-d"),
"aaaa-mm-dd");
}
$diff_cookie = 0;
if(isset($_COOKIE[ $mfa_key ]) && !empty($_COOKIE[ $mfa_key ])){
$diff_cookie = sc_date_dif(
date("Y-m-d", strtotime(sc_decode($_COOKIE[ $mfa_key ]) . " +".[sett_mfa_last_updated]. "days") ),
"aaaa-mm-dd",
date("Y-m-d"),
"aaaa-mm-dd");
}
if($diff <= 0 || $diff_cookie <= 0){
sc_redir('app1_control_2fa');
}
}
else if([sett_enable_2fa_mode] == 'all'){
sc_apl_status('app1_add_2fa', 'on');
sc_redir('app1_add_2fa',redir_menu=1);
}
}
// END mfa
remember_me_validate();
}
else
{
sc_error_message({lang_error_not_active});
sc_error_exit();
}
}else {
// Contraseña incorrecta
sc_error_message({lang_error_login});
}
}
priv_admin,
active,
name,
email,
mfa,
pswd_last_updated,
login,
phone,
picture,
mfa_last_updated,
pswd,
origen,
caja
FROM sec_users
WHERE
".$str_login_validate."";
sc_lookup(rs, $sql);
if ( ({rs} === false) || (!is_array({rs}) ) || (empty({rs})) )
{
sc_log_add('login Fail', {lang_login_fail} . {login});
sc_logged_in_fail({login});
sc_error_message({lang_error_login});
}else{
$storedPasswordHash = $rs[0][10];
if (password_verify({pswd}, $storedPasswordHash)) {
if({rs[0][1]} == 'Y')
{
[usr_login] = {rs[0][6]};
[usr_priv_admin] = ({rs[0][0]} == 'Y') ? TRUE : FALSE;
[usr_name] = {rs[0][2]};
[usr_email] = {rs[0][3]};
[usr_phone] = {rs[0][7]};
[remember_me] = {remember_me};
[usr_picture] = '';
[usr_origen] = {rs[0][11]};
[usr_caja] = {rs[0][12]};
// Write image
if(!empty({rs[0][8]})){
$path_img = $_SESSION['scriptcase']['app1_Login']['glo_nm_path_imag_temp'] .'/sc_img_'. [usr_login] . hash("md5",date('YmdHis')) . '.png';
file_put_contents($this->Ini->root . $path_img, {rs[0][8]});
[usr_picture] = $path_img;
}
if( [sett_pswd_last_updated] != 0 ){
$diff = sc_date_dif(date("Y-m-d", strtotime({rs[0][5]} . " +".[sett_pswd_last_updated]. "days") ), "aaaa-mm-dd", date("Y-m-d"), "aaaa-mm-dd");
if($diff <= 0){
$code = hash("md5",date("YmdHis"));
sc_exec_sql("UPDATE sec_users SET activation_code=".sc_sql_injection($code) . " WHERE login=". sc_sql_injection([usr_login]));
sc_commit_trans();
sc_redir("app1_change_pswd", act_code=$code; pswd_expired=1);
}
}
//mfa
if( isset([sett_enable_2fa]) && [sett_enable_2fa] == 'Y' ){
if(!empty({rs[0][4]})){
$mfa_key = ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '').($_SERVER['REMOTE_ADDR'] ?? '' ). ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['SERVER_NAME'] ?? '') . ($_SERVER['HTTP_USER_AGENT'] ?? '');
$mfa_key = '_'.hash("md5",$mfa_key);
$diff = 0;
if( [sett_mfa_last_updated] != 0 && !empty({rs[0][9]}) ){
$diff = sc_date_dif(
date("Y-m-d", strtotime({rs[0][9]} . " +".[sett_mfa_last_updated]. "days") ),
"aaaa-mm-dd",
date("Y-m-d"),
"aaaa-mm-dd");
}
$diff_cookie = 0;
if(isset($_COOKIE[ $mfa_key ]) && !empty($_COOKIE[ $mfa_key ])){
$diff_cookie = sc_date_dif(
date("Y-m-d", strtotime(sc_decode($_COOKIE[ $mfa_key ]) . " +".[sett_mfa_last_updated]. "days") ),
"aaaa-mm-dd",
date("Y-m-d"),
"aaaa-mm-dd");
}
if($diff <= 0 || $diff_cookie <= 0){
sc_redir('app1_control_2fa');
}
}
else if([sett_enable_2fa_mode] == 'all'){
sc_apl_status('app1_add_2fa', 'on');
sc_redir('app1_add_2fa',redir_menu=1);
}
}
// END mfa
remember_me_validate();
}
else
{
sc_error_message({lang_error_not_active});
sc_error_exit();
}
}else {
// Contraseña incorrecta
sc_error_message({lang_error_login});
}
}
En onValidateSuccess , pues solamente debe quedar esta linea:
sc_validate_success();
Siguiente sección --->
El Friday, July 12, 2024 a la(s) 10:08:35 AM UTC-3, Williams Tuate escribió:
En desarrollo...
Reply all
Reply to author
Forward
0 new messages