How the checkPassword from PasswordUtil works?

  • I need to check that user password is correct.


    I written some code, but it throws that error: Unable to determine password encryption



    Third argument for checkPassword is hashed password from database,

    detectEncryption from PasswordUtil returns unknown, idk why.


    Sorry, I don;t have permissions to post in support category :c

  • Hello,


    First things first, $row equals to false if your query does not match any user. Also, this code has a serious SQL injection vulnerability, because it injects the raw user input into the query. And a small hint, if there is no more code after the closing ?> php tag, then you should really leave it off. It's recommended not to include it whenever possible, it saves you from a lot of headaches.



    The error message "Unable to determine password encryption" means that the system is unable to recognize the hash that is stored in the database. This may have been a result of the previous incorrect usage of $row, but if it persists, you should double-check the password hash for that particular user.

  • Ok, so I created a new account named "test" with "test1234" password. I copied hash from database and tried to check password


    Code
    1. \wcf\util\PasswordUtil::checkPassword("test", "test1234", "$2a$08$0lctPZhL82nDwdvK5/7ynOuZOchAmQyWJC/4Dj9t7OXNjoBpteMi6")

    But it still throws that same error.


    • Error Type:

      wcf\system\exception\SystemException

    • Error Message:

      Unable to determine password encryption

    • File:

      */lib/util/PasswordUtil.class.php (125)


    • Stack Trace:
      • #0 */password-check.php (18):
      • wcf\util\PasswordUtil::checkPassword('test', 'test1234', '$2a$08$0lctPZhL82nDwdvK5/7ynOuZOchAmQyWJC/4Dj9t7OXNjoBpteMi6')


    detectEncryption still returns `unknown`


    WoltLab 3.1.9 pl 2


    Ok, I'm stupid.


    PHP
    1. <?php
    2. require_once('global.php');
    3. use wcf\system\user\authentication\UserAuthenticationFactory;
    4. $user = UserAuthenticationFactory::getInstance()->getUserAuthentication()->loginManually($_GET['user'], $_GET['password']);

    That works.