3v4l.org

run code in 150+ php & hhvm versions
Bugs & Features
<?php /** * Zend Framework (http://framework.zend.com/) * * @link http://github.com/zendframework/zf2 for the canonical source repository * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License */ namespace Zend\Stdlib { use Traversable; /** * Utility class for testing and manipulation of PHP arrays. * * Declared abstract, as we have no need for instantiation. */ abstract class ArrayUtils { /** * Test whether an array contains one or more string keys * * @param mixed $value * @param bool $allowEmpty Should an empty array() return true * @return bool */ public static function hasStringKeys($value, $allowEmpty = false) { if (!is_array($value)) { return false; } if (!$value) { return $allowEmpty; } return count(array_filter(array_keys($value), 'is_string')) > 0; } /** * Test whether an array contains one or more integer keys * * @param mixed $value * @param bool $allowEmpty Should an empty array() return true * @return bool */ public static function hasIntegerKeys($value, $allowEmpty = false) { if (!is_array($value)) { return false; } if (!$value) { return $allowEmpty; } return count(array_filter(array_keys($value), 'is_int')) > 0; } /** * Test whether an array contains one or more numeric keys. * * A numeric key can be one of the following: * - an integer 1, * - a string with a number '20' * - a string with negative number: '-1000' * - a float: 2.2120, -78.150999 * - a string with float: '4000.99999', '-10.10' * * @param mixed $value * @param bool $allowEmpty Should an empty array() return true * @return bool */ public static function hasNumericKeys($value, $allowEmpty = false) { if (!is_array($value)) { return false; } if (!$value) { return $allowEmpty; } return count(array_filter(array_keys($value), 'is_numeric')) > 0; } /** * Test whether an array is a list * * A list is a collection of values assigned to continuous integer keys * starting at 0 and ending at count() - 1. * * For example: * <code> * $list = array('a', 'b', 'c', 'd'); * $list = array( * 0 => 'foo', * 1 => 'bar', * 2 => array('foo' => 'baz'), * ); * </code> * * @param mixed $value * @param bool $allowEmpty Is an empty list a valid list? * @return bool */ public static function isList($value, $allowEmpty = false) { if (!is_array($value)) { return false; } if (!$value) { return $allowEmpty; } return (array_values($value) === $value); } /** * Test whether an array is a hash table. * * An array is a hash table if: * * 1. Contains one or more non-integer keys, or * 2. Integer keys are non-continuous or misaligned (not starting with 0) * * For example: * <code> * $hash = array( * 'foo' => 15, * 'bar' => false, * ); * $hash = array( * 1995 => 'Birth of PHP', * 2009 => 'PHP 5.3.0', * 2012 => 'PHP 5.4.0', * ); * $hash = array( * 'formElement, * 'options' => array( 'debug' => true ), * ); * </code> * * @param mixed $value * @param bool $allowEmpty Is an empty array() a valid hash table? * @return bool */ public static function isHashTable($value, $allowEmpty = false) { if (!is_array($value)) { return false; } if (!$value) { return $allowEmpty; } return (array_values($value) !== $value); } /** * Checks if a value exists in an array. * * Due to "foo" == 0 === TRUE with in_array when strict = false, an option * has been added to prevent this. When $strict = 0/false, the most secure * non-strict check is implemented. if $strict = -1, the default in_array * non-strict behaviour is used. * * @param mixed $needle * @param array $haystack * @param int|bool $strict * @return bool */ public static function inArray($needle, array $haystack, $strict = false) { if (!$strict) { if (is_int($needle) || is_float($needle)) { $needle = (string) $needle; } if (is_string($needle)) { foreach ($haystack as &$h) { if (is_int($h) || is_float($h)) { $h = (string) $h; } } } } return in_array($needle, $haystack, $strict); } /** * Convert an iterator to an array. * * Converts an iterator to an array. The $recursive flag, on by default, * hints whether or not you want to do so recursively. * * @param array|Traversable $iterator The array or Traversable object to convert * @param bool $recursive Recursively check all nested structures * @throws Exception\InvalidArgumentException if $iterator is not an array or a Traversable object * @return array */ public static function iteratorToArray($iterator, $recursive = true) { if (!is_array($iterator) && !$iterator instanceof Traversable) { throw new Exception\InvalidArgumentException(__METHOD__ . ' expects an array or Traversable object'); } if (!$recursive) { if (is_array($iterator)) { return $iterator; } return iterator_to_array($iterator); } if (method_exists($iterator, 'toArray')) { return $iterator->toArray(); } $array = array(); foreach ($iterator as $key => $value) { if (is_scalar($value)) { $array[$key] = $value; continue; } if ($value instanceof Traversable) { $array[$key] = static::iteratorToArray($value, $recursive); continue; } if (is_array($value)) { $array[$key] = static::iteratorToArray($value, $recursive); continue; } $array[$key] = $value; } return $array; } /** * Merge two arrays together. * * If an integer key exists in both arrays, the value from the second array * will be appended the the first array. If both values are arrays, they * are merged together, else the value of the second array overwrites the * one of the first array. * * @param array $a * @param array $b * @return array */ public static function merge(array $a, array $b) { foreach ($b as $key => $value) { if (array_key_exists($key, $a)) { if (is_int($key)) { $a[] = $value; } elseif (is_array($value) && is_array($a[$key])) { $a[$key] = static::merge($a[$key], $value); } else { $a[$key] = $value; } } else { $a[$key] = $value; } } return $a; } } } namespace Zend\Crypt\Password { interface PasswordInterface { /** * Create a password hash for a given plain text password * * @param string $password The password to hash * @return string The formatted password hash */ public function create($password); /** * Verify a password hash against a given plain text password * * @param string $password The password to hash * @param string $hash The supplied hash to validate * @return bool Does the password validate against the hash */ public function verify($password, $hash); } } /** * Zend Framework (http://framework.zend.com/) * * @link http://github.com/zendframework/zf2 for the canonical source repository * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License */ namespace Zend\Math\Exception { class RuntimeException extends \Exception {} } namespace Zend\Math { use RandomLib; /** * Pseudorandom number generator (PRNG) */ abstract class Rand { /** * Alternative random byte generator using RandomLib * * @var RandomLib\Generator */ protected static $generator = null; /** * Generate random bytes using OpenSSL or Mcrypt and mt_rand() as fallback * * @param int $length * @param bool $strong true if you need a strong random generator (cryptography) * @return string * @throws Exception\RuntimeException */ public static function getBytes($length, $strong = false) { if ($length <= 0) { return false; } $bytes = ''; if (function_exists('openssl_random_pseudo_bytes') && (version_compare(PHP_VERSION, '5.3.4') >= 0 || strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') ) { $bytes = openssl_random_pseudo_bytes($length, $usable); if (true === $usable) { return $bytes; } } if (function_exists('mcrypt_create_iv') && (version_compare(PHP_VERSION, '5.3.7') >= 0 || strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') ) { $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); if ($bytes !== false && strlen($bytes) === $length) { return $bytes; } } $checkAlternatives = (file_exists('/dev/urandom') && is_readable('/dev/urandom')) || class_exists('\\COM', false); if (true === $strong && false === $checkAlternatives) { throw new Exception\RuntimeException ( 'This PHP environment doesn\'t support secure random number generation. ' . 'Please consider installing the OpenSSL and/or Mcrypt extensions' ); } $generator = self::getAlternativeGenerator(); return $generator->generate($length); } /** * Retrieve a fallback/alternative RNG generator * * @return RandomLib\Generator */ public static function getAlternativeGenerator() { if (!is_null(static::$generator)) { return static::$generator; } if (!class_exists('RandomLib\\Factory')) { throw new Exception\RuntimeException( 'The RandomLib fallback pseudorandom number generator (PRNG) ' . ' must be installed in the absence of the OpenSSL and ' . 'Mcrypt extensions' ); } $factory = new RandomLib\Factory; $factory->registerSource( 'HashTiming', 'Zend\Math\Source\HashTiming' ); static::$generator = $factory->getMediumStrengthGenerator(); return static::$generator; } /** * Generate random boolean * * @param bool $strong true if you need a strong random generator (cryptography) * @return bool */ public static function getBoolean($strong = false) { $byte = static::getBytes(1, $strong); return (bool) (ord($byte) % 2); } /** * Generate a random integer between $min and $max * * @param int $min * @param int $max * @param bool $strong true if you need a strong random generator (cryptography) * @return int * @throws Exception\DomainException */ public static function getInteger($min, $max, $strong = false) { if ($min > $max) { throw new Exception\DomainException( 'The min parameter must be lower than max parameter' ); } $range = $max - $min; if ($range == 0) { return $max; } elseif ($range > PHP_INT_MAX || is_float($range)) { throw new Exception\DomainException( 'The supplied range is too great to generate' ); } $log = log($range, 2); $bytes = (int) ($log / 8) + 1; $bits = (int) $log + 1; $filter = (int) (1 << $bits) - 1; do { $rnd = hexdec(bin2hex(self::getBytes($bytes, $strong))); $rnd = $rnd & $filter; } while ($rnd > $range); return ($min + $rnd); } /** * Generate random float (0..1) * This function generates floats with platform-dependent precision * * PHP uses double precision floating-point format (64-bit) which has * 52-bits of significand precision. We gather 7 bytes of random data, * and we fix the exponent to the bias (1023). In this way we generate * a float of 1.mantissa. * * @param bool $strong true if you need a strong random generator (cryptography) * @return float */ public static function getFloat($strong = false) { $bytes = static::getBytes(7, $strong); $bytes[6] = $bytes[6] | chr(0xF0); $bytes .= chr(63); // exponent bias (1023) list(, $float) = unpack('d', $bytes); return ($float - 1); } /** * Generate a random string of specified length. * * Uses supplied character list for generating the new string. * If no character list provided - uses Base 64 character set. * * @param int $length * @param string|null $charlist * @param bool $strong true if you need a strong random generator (cryptography) * @return string * @throws Exception\DomainException */ public static function getString($length, $charlist = null, $strong = false) { if ($length < 1) { throw new Exception\DomainException('Length should be >= 1'); } // charlist is empty or not provided if (empty($charlist)) { $numBytes = ceil($length * 0.75); $bytes = static::getBytes($numBytes, $strong); return substr(rtrim(base64_encode($bytes), '='), 0, $length); } $listLen = strlen($charlist); if ($listLen == 1) { return str_repeat($charlist, $length); } $bytes = static::getBytes($length, $strong); $pos = 0; $result = ''; for ($i = 0; $i < $length; $i++) { $pos = ($pos + ord($bytes[$i])) % $listLen; $result .= $charlist[$pos]; } return $result; } } } /** * Zend Framework (http://framework.zend.com/) * * @link http://github.com/zendframework/zf2 for the canonical source repository * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License */ namespace Zend\Crypt\Password { use Traversable; use Zend\Math\Rand; use Zend\Stdlib\ArrayUtils; /** * Bcrypt algorithm using crypt() function of PHP */ class Bcrypt implements PasswordInterface { const MIN_SALT_SIZE = 16; /** * @var string */ protected $cost = '14'; /** * @var string */ protected $salt; /** * @var bool */ protected $backwardCompatibility = false; /** * Constructor * * @param array|Traversable $options * @throws Exception\InvalidArgumentException */ public function __construct($options = array()) { if (!empty($options)) { if ($options instanceof Traversable) { $options = ArrayUtils::iteratorToArray($options); } elseif (!is_array($options)) { throw new Exception\InvalidArgumentException( 'The options parameter must be an array or a Traversable' ); } foreach ($options as $key => $value) { switch (strtolower($key)) { case 'salt': $this->setSalt($value); break; case 'cost': $this->setCost($value); break; } } } } /** * Bcrypt * * @param string $password * @throws Exception\RuntimeException * @return string */ public function create($password) { if (empty($this->salt)) { $salt = Rand::getBytes(self::MIN_SALT_SIZE); } else { $salt = $this->salt; } $salt64 = substr(str_replace('+', '.', base64_encode($salt)), 0, 22); /** * Check for security flaw in the bcrypt implementation used by crypt() * @see http://php.net/security/crypt_blowfish.php */ if ((version_compare(PHP_VERSION, '5.3.7') >= 0) && !$this->backwardCompatibility) { $prefix = '$2y$'; } else { $prefix = '$2a$'; // check if the password contains 8-bit character if (preg_match('/[\x80-\xFF]/', $password)) { throw new Exception\RuntimeException( 'The bcrypt implementation used by PHP can contain a security flaw ' . 'using password with 8-bit character. ' . 'We suggest to upgrade to PHP 5.3.7+ or use passwords with only 7-bit characters' ); } } $hash = crypt($password, $prefix . $this->cost . '$' . $salt64); if (strlen($hash) < 13) { throw new Exception\RuntimeException('Error during the bcrypt generation'); } return $hash; } /** * Verify if a password is correct against an hash value * * @param string $password * @param string $hash * @throws Exception\RuntimeException when the hash is unable to be processed * @return bool */ public function verify($password, $hash) { $result = crypt($password, $hash); if ($result === $hash) { return true; } if (strlen($result) <= 13) { /* This should only happen if the algorithm that generated hash is * either unsupported by this version of crypt(), or is invalid. * * An example of when this can happen, is if you generate * non-backwards-compatible hashes on 5.3.7+, and then try to verify * them on < 5.3.7. * * This is needed, because version comparisons are not possible due * to back-ported functionality by some distributions. */ throw new Exception\RuntimeException( 'The supplied password hash could not be verified. Please check ' . 'backwards compatibility settings.' ); } return false; } /** * Set the cost parameter * * @param int|string $cost * @throws Exception\InvalidArgumentException * @return Bcrypt */ public function setCost($cost) { if (!empty($cost)) { $cost = (int) $cost; if ($cost < 4 || $cost > 31) { throw new Exception\InvalidArgumentException( 'The cost parameter of bcrypt must be in range 04-31' ); } $this->cost = sprintf('%1$02d', $cost); } return $this; } /** * Get the cost parameter * * @return string */ public function getCost() { return $this->cost; } /** * Set the salt value * * @param string $salt * @throws Exception\InvalidArgumentException * @return Bcrypt */ public function setSalt($salt) { if (strlen($salt) < self::MIN_SALT_SIZE) { throw new Exception\InvalidArgumentException( 'The length of the salt must be at least ' . self::MIN_SALT_SIZE . ' bytes' ); } $this->salt = $salt; return $this; } /** * Get the salt value * * @return string */ public function getSalt() { return $this->salt; } /** * Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+ * * @param bool $value * @return Bcrypt */ public function setBackwardCompatibility($value) { $this->backwardCompatibility = (bool) $value; return $this; } /** * Get the backward compatibility * * @return bool */ public function getBackwardCompatibility() { return $this->backwardCompatibility; } } } namespace MyStuff { try { $key = '123456'; echo "{$key}<br />"; $crypt = new \Zend\Crypt\Password\Bcrypt(); $crypt->setCost(14); $hash = $crypt->create($key); echo "{$hash}<br />"; var_dump($crypt->verify($key, $hash)); } catch (\Exception $e) { echo $e->getMessage(); } }

Abusive script

This script was stopped while abusing our resources