phpBB • Free and Open Source Forum Software

• About

  • Features

    Learn about the features that phpBB has to offer.

  • Demo

    Give phpBB a try with a fully-featured demo board.

  • Showcase

    A showcase of popular and unique sites using phpBB.

  • Get Involved

    Learn how you can get involved with the project.

  • The Team

    Find out who is responsible for all the mayhem.

  • Contact Us

    Have a question the forums don't answer? Come here.

  • Advertising

    Information if you want to advertise on phpBB.com.

  Find out more about the project »
• Downloads

  • Latest Version

    Download the latest stable release of phpBB

  • Update Packages

    Automatic Update packages for your phpBB release

  • Language Packs

    Translate phpBB into (almost) any language you like.

  • Modifications

    Download validated MODs to extend phpBB’s functionality.

  • Styles

    Your forums need a new look? Browse our Styles DB.

  • Demo

    Give phpBB a try with a fully-featured demo board.
• Customise

  • Modifications

    Guides on how to use them and how to create your own.

  • Modification database

    Download and submit your work to the MOD database.

  • Development Wiki

    Share experience and learn more about the codebase.

  • Styles

    Guides on how to use them and to create your own Styles.

  • Styles database

    Download and submit your Styles to our Styles database.

  • Styles Demo

    Test drive all the Styles from our database.
• Support

  • Documentation

    Installation guide and the complete documentation.

  • Knowledge Base

    Team and user submitted ar­ticles covering support areas.

  • Flash Tutorials

    View Flash Tutorials that help you with the use of phpBB.

  • Support Forums

    Please use the search facility before posting a question.

  • IRC Support

    Old school? Visit the IRC support channel on freenode.

  • International Support

    Find a 3rd party support site in your first language.

  More information on support »
• Development

  • Area51 phpBB Development

    

    All Development Discussion takes place at Area51. Bug tracker, development wiki, continuous integration and other development tools are located here. Find out how to get involved in phpBB development.

  • phpBB Bug Tracker

    Report problems with phpBB here.

  • phpBB Projects Tracker

    Report issues with the Website, Customisation Database, and Team Tools here

  • Security Tracker

    The tracker for security issues in phpBB or validated MODs.

  • Development Wiki

    Share experience and learn more about the codebase.

  Participate in phpBB development now »
• Blog
• Community

  • Support Forums

    Help with installation & running phpBB – search first!

  • Modification Forums

    Discuss and view MODs that are available for download.

  • Styles Forums

    Discuss and view Styles that are available for download.

  • phpBB Discussion

    Discussions on all things phpBB: features, future, etc.

  • General Discussion

    General discussion and intelligent conversations.

  • Area51

    Bleeding edge testing and development discussion.

  … and many more forums »
• Hosting

• Search Tickets •
• Login

• Home ‹ Development ‹ Bug tracker ‹ phpBB 3.0.x ‹ Ticket #3696

Bug tracker

This ticket has been moved to our new tracker. Open Ticket PHPBB3-1449 now.

Passwords are escaped before hashing (fix completed in vcs)

At the moment passwords are escaped form before hashing is done. E.g.a & character is escaped to & before the md5 hash is calculated.

Because it is done when the password is set AND when the password is verified, everything seems to work as it should. But unless there is a strong reason to do the transformation I would suggest to hash the unescaped form because many forum systems probably use this form. (perhaps you know the phpBB 2.x forum software, which just uses the md5 over the original password )

Changing it now would prevent some broken passwords when the first official converters appear

Comments / History

Posted by Graham (Former Team Member) on Aug 10th 2006, 19:40

Every forum has some quirks in how it hashes the password, including phpBB 2 itself which does not hash the password directly as entered but an escaped form of it (although escaped differently).

So far I'm concerned it is unavoidable that there will be a number of passwords which will need resetting after a conversion ranging from a small number if coming from phpBB 2 (ie those with special characters in them) to all of them if coming from software which manipulates the hash in other ways before storing it.

So from the conversion perspective there is nothing to fix here - we cannot guarantee that 100% of passwords will work on a conversion unless we have the original password in plain text which clearly we won't have

There is however a possible concern with this code related to the authentication plugins which needs investigating and may be a valid bug

Posted by Umbra Obscura on Aug 10th 2006, 20:12

The forum passes the password in the escaped form to the auth plugin so any plugin which relies on external passwords would have to unescape it first before it checks the password - like the LDAP auth plugin or some 3rd party plugins

You could easily call this a feature but that would make the plugin interface somewhat unintuitive.

If you want to keep Olympus password compatibility, you could decode it for the plugin and reencode it in the plugin though

Posted by Graham (Former Team Member) on Aug 11th 2006, 18:00

naderman, to you as discussed re the plugins

Linked ticket with changeset: r6266

Action performed by naderman (Development Team Leader) on Aug 12th 2006, 01:58

Advertisements

	What:	Where:	Country: France Germany Italy The Netherlands SpainUnited Kingdom
vacatures php arbeit php jobs php lavoro php emploi php trabajo php jobs php arbeit php

 BlueHost.com • Web Hosting UK • HostMonster • Reseller Web Hosting UK • FastDomain Hosting • Advertise on phpBB.com