Kevin Bruce | Web and Print Designer/PHP Developer

Happy New Year!

Fri, 01 Jan 2010 00:21:22 -0500

Just a quick "Happy New Year" to everyone out there! May 2010 be a wonderful and prosperous year for us all!

PHP5 - Recreating .NET's membership password hash algorithm

Thu, 12 Nov 2009 16:53:32 -0500

Premise:

I'm writing a php app that runs alongside ASP .NET site. I want to utilize the existing users and roles tables in the MSSQL server and can, except for one thing- matching the hashed passwords in the database. I found a blog that shows how .NET does the hashing (with salt) so I can try to recreate it in PHP.

A developer on Twitter sent me this link which shows the .NET membership procedure for developing the hashes for passwords.

private static HashAlgorithm passwordHasher = HashAlgorithm.Create("SHA1");

private bool ValidateUser(string username, string password)
{

var user = GlobalApplication.Database.Users.FirstOrDefault(u => u.UserName == username);
if (user == null) return false;

byte[] saltBytes = Convert.FromBase64String(user.Membership.PasswordSalt);
byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
byte[] bytesToHash = new byte[saltBytes.Length + passwordBytes.Length];
saltBytes.CopyTo(bytesToHash, 0);
passwordBytes.CopyTo(bytesToHash, saltBytes.Length);
byte[] hash = passwordHasher.ComputeHash(bytesToHash);
string base64Hash = Convert.ToBase64String(hash);
return user.Membership.Password == base64Hash;

}

This was very useful is seeing what is done in C# and clues me into the procedures needed to replicate it in PHP
I've gleemed over search results that SHA1 is the hash algorithm used (and PHP has implementations of this).

However a couple of hurdles I've run into:

converting the UTF-8 password into bytes in PHP comes back as a string of 1's and 0's and the salt unpacks as true binary (returning +7ªætR<_9deji|Ï) not sure the "copyTo()" method is easily replaced by straight out concatenation

Thoughts?

my PHP code version of above:
----

$hash_password = "bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=";
$salt = "KzeqXOZ0UjwYOWRlaml8zw==";

$password = "church";

$salt = base64_decode($salt); //convert salt back to it's binary state

$passwordBytes = bstr2bin(utf8_encode($password)); //convert password to utf8 then binary

echo "$salt"; //prints "+7ªætR<9deji|Ï"
echo "$passwordBytes"; //prints 11000110110100001110101011100100110001101101000

$bytesToHash = $salt . $passwordBytes; //combine the 2 binary objs
$hash = sha1($bytesToHash, true); //sha1 hash it
$hashedpassword = base64_encode($hash); //base64 encode it into a string

echo "$hashedpassword
$hash_password";

function bstr2bin($input)

// Binary representation of a binary-string

{

if (!is_string($input)) return null; // Sanity check

// Unpack as a hexadecimal string

$value = unpack('H*', $input);

// Output binary representation

return base_convert($value[1], 16, 2);

}

function bin2bstr($input)

// Convert a binary expression (e.g., "100111") into a binary-string

{

if (!is_string($input)) return null; // Sanity check

// Pack into a string

return pack('H*', base_convert($input, 2, 16));

}

---
last "echo" prints:
2mOfuA7gRcDEYNJF9fjN83em+Jw=
bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=

Twitter Down, 2012 Arrives Early

Thu, 06 Aug 2009 10:03:04 -0400

Well, Twitter has been down for about an hour so far. I'm feeling a little weak, but I'm fine. The weakness is probably due to the lack of movement from my desk since I first started Tweeting. Life without Twitter is possible, because we have blogs! ;)

The Problem with Discipline

Mon, 22 Jun 2009 11:33:28 -0400

Apparently evil must be inherent in humans, because what else would cause my little boy (light of my life and fruit of my loins) to laugh out loud at my wife's pained yelling after he scratches her face. *sigh* I know it's the terrible two's and all, but that's just plain evil!

We're trying to raise him without the use of spanking, because we think it's a little hypocritical to hit him for... well, hitting people. I tell you, though- there are times I think a good, old-fashioned ass kick'n would get it into his head :P We've tried reasoning, though with a 2.5 year old, it's fruitless. I've even tried a little home exorcism- "In the name of Jesus Christ, begone from my son, ye demons of the underworld!" (Dora and boots, coming to mind while I'm saying this). Nothing- he just laughs his merry little laugh. A jolly little demon, is he.

Time-out seems to be the only thing that does any good. Though I see, it too, is waning in effect.

At 2 and a half. the arsenal is getting a bit thin. I spoke with my big brother and he said if we were going to implement spanking, it'd better be soon or it'll freak him out much more than you'd want. I love this little guy to death and would throw myself in front of a bullet for him, but I want him raised right and raised to respect others.

He's also been doing the "it's fun to disobey mommy and daddy because I get a reaction" thing, and this includes running away from Mommy in the parking lot! This has given us both of nightmares!

UGH! I love being a Dad (sarcasm, optional)!

Web Technology Group of Frederick

Sat, 30 May 2009 14:44:01 -0400

Click here to check out
The Web Technology of Frederick!

After several conversations on Twitter, it was decided that Frederick, and the surrounding area was very underserved for geeky exchange groups. So I signed up a meetup group at meetup.com. For those that follw my sporratic blog, you know that I have occasioned the Columbia PHP meetup and have gotten alot out of the meetings. I feel that the web geeks of Frederick at least have the same talent. Frederick hosts several PHP only houses and a few design firms with PHP devs in them! Nick at Orases has graciously offer to host a few of the events and my wife has offered to bake some goodies :)

Brush up on the Social!

Fri, 08 May 2009 16:48:26 -0400

When you're both the producer and the customer service (AKA "freelancer"), it's hard to switch hats. You work all day (and nights) on projects in solitude, answer and send emails, twitter and research. What is easy to forget is that customer service is king! You have to keep that line of communication open! In my years of dealing directly with customers, I've found that their main concern is being kept in the loop with their project. Daily emails, phone calls or even tweets do more to make the customer happy than making a deadline.

I have an invoicing system that I wrote for myself and tweaked it to have an automatic email sent to the client when I posted what was done during the day, and the hours spent on the project. He was happier than a dog in a butcher shop!

When the project is done, call the customer back occasionally to see how the site is going. Ask them what they would've done differently, having used the site for some time now. Give them freebies every once and a while- they LOVE that!

Have genuine interest in the project and their goals to success- after all, their success means your success.

Apple TV

Wed, 08 Apr 2009 13:17:05 -0400

Just got my new AppleTV this week. Pretty sweet! The downside is My old G4 (Dig Audio) has 802.11b and it has taken approximately 14 hours to get to 60% sync completion! I'm not upgrading anything on that Mac at this point. We'll just have to wait til a real upgrade.

Happy Birthday to Me

Wed, 18 Mar 2009 21:21:04 -0400

Well, I spent my 41st birthday at home with a cold. Not all that bad a thing. I got to potter around the house, tinker with facebook and twitter. I also fit a movie in (onDemand) - the 3rd Mummy movie. While the movie was entertaining, I really missed Rachel Weis. They replaced her with another actress, probably because Rachel had put her foot down.

I made myself a cheesesteak and tomato soup and vegged in front of the movie. Not a bad day :)

Volt

Sat, 14 Mar 2009 21:33:57 -0400

mmm.... Cathy and I went to volt restaurant here in Frederick tonight. It was the second time we've been there since it opened last summer. The first time we were there, the staff seemed professional, but a bit stilted. They had only been open for a month or so and I think they were still trying to find their center. This time we went, it was clear that they had. The staff was still professional, but warm and natural.

It's going to be my birthday Wednesday, so this was my birthday meal. It was a spectacular trip into complex tastes and beautifully arranged dishes. We had A great Zin called Paradox (not sure it was spelled that way). Cathy had the lamb and I was totally unimaginative and had the same beef dish I had before (I really feel bad about that).

To make a 2.5 hour meal short, it was fabulous. Fabulous food with a fabulous girl. I love our little boy, but I do miss going out with Cathy like we used to- at least we can do it twice a year:)

Refactoring

Thu, 05 Mar 2009 13:27:41 -0500

I've been looking into what paths to take to refactor my communityCMS from procedural to OOP. I'm setting up the code base to be below the web root as well as the uploads folder (having the file uploads below the web root plugs a common security hole). This comes from reading the PHP In Action book. I'm finding that, while there are some new and strange (to me) concepts, OOP is quite doable and very interesting. The more I read, the more I want to tinker and build!

I'm building a basic DB connection class that will enable you to use the same class with different Database engines (MySQL, Postgres, MSSQL). Of course, this is standard on alot of modern systems, but it's new in my system, which has mysql calls hard coded in.

Th uploads folder being moved to below the web root will mean some changes to the current upload function (thank God I thought to make it a centrally located function!), but I thought it was time to update the WYSIWYG editor. I'm moving from Innova Studio (http://www.innovastudio.com/editor.asp) to tinyMCE. The downside is that, while the editor is free, the uploaded media center isn't. Seeing as I'm a cheap bastard and I love to build apps, I'm building a media manager to plug into it.

I'm finding that code writing is alot like home remodeling- when you think it's going to take a couple of hours, count on 3 weeks!