I have the InputStream of an incoming Http connection (arriving via an javax.servlet.http.HttpServletRequest object). While it is used/processed, a SHA_512 message digest is created from it. This is the current state of the implementation, which I cannot alter.
Due to the requirements of my task, I need to ALSO calculate a MD5 digest signature of the same content.
The only way I was able to do this was saving the original content in a byte array, and then simply creating two distinct ByteArrayInputStreams from it, and digesting them.
ByteArrayOutputStream baos = new ByteArrayOutputStream();IOUtils.copy(request.getInputStream(), baos);byte[] originalContent = baos.toByteArray();InputStream is1 = new ByteArrayInputStream(originalContent);// is1 being processed, SHA_512 calculated...DigestInputStream dis2 = new DigestInputStream(new ByteArrayInputStream(originalContent), MessageDigest.getInstance("MD5"));IOUtils.toByteArray(dis);String myMD5 = BinaryUtils.toHex(dis.getMessageDigest().digest());Is there any other more efficient way possible ?
Thanks.
So I have been using this login and register script for about 3 projects and it worked great. But for the current project its creating certain problems. The generated password doesnt match with the one in the DB and hence couldnt login.
The register page is given below
<?phpinclude_once 'includes/register.inc.php';include_once 'includes/functions.php';?><html> <head> <meta charset="UTF-8"> <title>Secure Login: Registration Form</title> <script type="text/JavaScript" src="js/sha512.js"></script> <script type="text/JavaScript" src="js/forms.js"></script> <link rel="stylesheet" href="styles/main.css" /> </head> <body> <?php if (!empty($error_msg)) { echo $error_msg; } ?> <form action="<?php echo esc_url($_SERVER['PHP_SELF']); ?>" method="post" name="registration_form"> Username: <input type='text' name='username' id='username' /><br> Email: <input type="text" name="email" id="email" /><br> Password: <input type="password" name="password" id="password"/><br> Confirm password: <input type="password" name="confirmpwd" id="confirmpwd" /><br> <input type="button" value="Register" onclick="return regformhash(this.form, this.form.username, this.form.email, this.form.password, this.form.confirmpwd);" /> </form> <p>Return to the <a href="index.php">login page</a>.</p> </body></html>register.inc.php Page given below
<?phpinclude_once 'db_connect.php';include_once 'psl-config.php';$error_msg = "";if (isset($_POST['username'], $_POST['email'], $_POST['p'])) { // Sanitize and validate the data passed in $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING); $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL); $email = filter_var($email, FILTER_VALIDATE_EMAIL); if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { // Not a valid email $error_msg .= '<p class="error">The email address you entered is not valid</p>'; } $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING); if (strlen($password) != 128) { // The hashed pwd should be 128 characters long. // If it's not, something really odd has happened $error_msg .= '<p class="error">Invalid password configuration.</p>'; } // Username validity and password validity have been checked client side. // This should should be adequate as nobody gains any advantage from // breaking these rules. // $prep_stmt = "SELECT license_num FROM doctor_details WHERE email = ? LIMIT 1"; $stmt = $mysqli->prepare($prep_stmt); // check existing email if ($stmt) { $stmt->bind_param('s', $email); $stmt->execute(); $stmt->store_result(); if ($stmt->num_rows == 1) { // A user with this email address already exists $error_msg .= '<p class="error">A user with this email address already exists.</p>'; $stmt->close(); } $stmt->close(); } else { $error_msg .= '<p class="error">Database error Line 39</p>'; $stmt->close(); } // check existing username $prep_stmt = "SELECT license_num FROM doctor_details WHERE username = ? LIMIT 1"; $stmt = $mysqli->prepare($prep_stmt); if ($stmt) { $stmt->bind_param('s', $username); $stmt->execute(); $stmt->store_result(); if ($stmt->num_rows == 1) { // A user with this username already exists $error_msg .= '<p class="error">A user with this username already exists</p>'; $stmt->close(); } $stmt->close(); } else { $error_msg .= '<p class="error">Database error line 55</p>'; $stmt->close(); } // TODO: // We'll also have to account for the situation where the user doesn't have // rights to do registration, by checking what type of user is attempting to // perform the operation. if (empty($error_msg)) { // Create a random salt //$random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE)); // Did not work $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); // Create salted password $password = hash('sha512', $password . $random_salt); // Insert the new user into the database if ($insert_stmt = $mysqli->prepare("INSERT INTO doctor_details (username, email, password, salt) VALUES (?, ?, ?, ?)")) { $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt); // Execute the prepared query. if (! $insert_stmt->execute()) { header('Location: ../error.php?err=Registration failure: INSERT'); } } header('Location: ./register_success.php'); }}?>The registering work fine.. and the data gets entered onto DB. for illustration i have created a test record with email = test@testing.compassword = Pass123
Password and Salt as entered in DBPassword : 1ca2a523757d457a4df261c647dc45349ca8c721f76fa2b54e
Salt :ae2788757a98b0750d0aaecb9735cc27d92d29413cab1c89fb741cf735fd551322f94993b7cb79cd4ade2dea221142dcac7aa380b776db7fa05bf6c6b5d32056
The hashed password when i try to login is
d01feaafb5359e1fa2c020a76ebb526fc75786b0b837e0c9a4dcabd58ad734efa469513cf66a272d5ef4b1b9646b4b39f50807afc8f8663e1c6bb23552b04cd6Login Page
if (isset($_POST['email'], $_POST['p'])) { $email = $_POST['email']; $password = $_POST['p']; // The hashed password. if (login($email, $password, $mysqli) == true) { // Login success header('Location: ../protected_page.php'); } else { // Login failed header('Location: ../login.php?error=1'); }}Login Function given below
function login($email, $password, $mysqli) { // Using prepared statements means that SQL injection is not possible. if ($stmt = $mysqli->prepare("SELECT license_num, username, password, salt FROM doctor_details WHERE email = ? LIMIT 1")) { $stmt->bind_param('s', $email); // Bind "$email" to parameter. $stmt->execute(); // Execute the prepared query. $stmt->store_result(); // get variables from result. $stmt->bind_result($user_id, $username, $db_password, $salt); $stmt->fetch(); // hash the password with the unique salt. $password = hash('sha512', $password . $salt); if ($stmt->num_rows == 1) { // If the user exists we check if the account is locked // from too many login attempts if (checkbrute($user_id, $mysqli) == true) { // Account is locked // Send an email to user saying their account is locked return false; } else { // Check if the password in the database matches // the password the user submitted. if ($db_password == $password) { // Password is correct! // Get the user-agent string of the user. $user_browser = $_SERVER['HTTP_USER_AGENT']; // XSS protection as we might print this value $user_id = preg_replace("/[^0-9]+/", "", $user_id); $_SESSION['user_id'] = $user_id; // XSS protection as we might print this value $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); $_SESSION['username'] = $username; $_SESSION['login_string'] = hash('sha512', $password . $user_browser); // Login successful. return true; } else { // Password is not correct // We record this attempt in the database $now = time(); $mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')"); return false; } } } else { // No user exists. return false; } }}The DB structure is
license_num ( Primary)emailpasswordusernamesalt
Is it because license_num is not Auto Increment?
Thanks if you could help out
I am using the react-native-sha512 package for hashing the text and trying to send the text to the backend after hashing it.Below is the piece of the code I am using to hash the text -
import { sha512 } from 'react-native-sha512';constructor(props){ this.state = {password: ""}}sha512("Test").then(hash => { this.setState({ password: hash })})this.props.login(username.toLowerCase(), this.state.password);where Test is the text I am trying to hash, but it is giving me the following error -
undefined is not an object(evaluating 'u.sha12')
Do I need to add anything else apart from the above piece of code for hashing?
Thank you in advance!
I need to hash string in angular 2+ with SHA512, but i couldn't find any library or function to do that. Do you know of any solution to that?
I have a file, and I need to calculate the SHA512 value for it. I've found plenty of sites offering to do it for me, but I'd like to do it programmatically in Java (well, Groovy, but it's the same thing).
For those curious, I'm running Oracle's TZUpdater tool and pointing it at a local file. This requires a file that contains the SHA512 value for that file.http://www.oracle.com/technetwork/java/javase/tzupdater-readme-136440.html
Please note that by viewing our site you agree to our use of cookies (see خلوت for details). You will only see this message once.