Still confused about password salting function

END OF SUPPORT: 1 January 2017 (announcement)
rtadams89
Registered User
Posts: 67
Joined: Sat Jun 14, 2008 7:24 am

Post by rtadams89 »

I'm trying to use the phpBB3 database to authenticate users for a custom application I am making. I've read several posts here and elsewhere that talk about the salting function used in phpBB3 but still need help.

Ideally, I would like to create a function which, when a plain text password is input, returns the salted/hashed password. Does such a function already exist? If not, could someone explain how the salting in phpBB3 works (where the salt is derived from)? Any help?
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: Still confused about password salting function

Post by Phil »

You'll want to look at phpbb_hash() to generate a hash and phpbb_check_hash() to check them. Both can be found in functions.php.
Moving on, with the wind. | My Corner of the Web
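To make the two functions Phil names less of a black box, here is an added example (not code from phpBB or from anyone in this thread): a Python port of the scheme that phpbb_hash() and phpbb_check_hash() in phpBB 3.0's includes/functions.php implement, which is Openwall's phpass "portable" hash with a $H$ prefix. It shows where the salt comes from (six random bytes, generated fresh on every call, which is why a hash of the same password looks different each run), where it is stored (inside the 34-character string itself, so the checker never needs a separate salt column), and how verification works (re-run the hash with the cost and salt read back out of the stored value). phpBB gathers its random bytes from /dev/urandom or its own unique_id(); os.urandom is substituted here, and hmac.compare_digest replaces phpBB's plain === comparison. The md5 fallback branch mirrors phpBB's handling of 32-character hashes carried over from phpBB 2 conversions.

```python
"""Python port of the phpBB 3.0 password scheme (phpass portable hashes, $H$ prefix).
Added example, not phpBB's own code; written to show what is inside a stored hash."""
import hashlib
import hmac
import os

# Same 64-character alphabet phpBB uses for its base-64 variant
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def encode64(data: bytes, count: int) -> str:
    """phpass _hash_encode64(): pack `count` bytes into ITOA64 characters, 6 bits at a time."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
        if i >= count:
            break
    return ''.join(out)


def gensalt(random6: bytes, iteration_count_log2: int = 6) -> str:
    """phpass _hash_gensalt_private(): '$H$' + cost character + 8-char encoded salt.

    phpBB adds 5 to the cost on PHP 5, so the default 6 becomes 11 (2**11 = 2048
    md5 rounds) and the cost character is ITOA64[11] == '9'; that is why board
    hashes start with '$H$9'."""
    if iteration_count_log2 < 4 or iteration_count_log2 > 31:
        iteration_count_log2 = 8
    return '$H$' + ITOA64[min(iteration_count_log2 + 5, 30)] + encode64(random6, 6)


def crypt_private(password: str, setting: str) -> str:
    """phpass _hash_crypt_private(): md5(salt + pw), then 2**cost rounds of md5(prev + pw).
    `setting` is either a fresh salt string or a complete stored hash; only its first
    12 characters (prefix, cost, salt) are used.  Returns '*' on a malformed setting."""
    if setting[:3] != '$H$':
        return '*'
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return '*'
    salt = setting[4:12]
    if len(salt) != 8:
        return '*'
    pw = password.encode('utf-8')
    digest = hashlib.md5(salt.encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    # prefix, cost and salt are copied verbatim, followed by 22 characters of hash
    return setting[:12] + encode64(digest, 16)


def phpbb_hash(password: str) -> str:
    """Like phpbb_hash(): a fresh 6-byte random salt per call, so the same password
    never yields the same string twice.  os.urandom stands in for phpBB's
    /dev/urandom-or-unique_id() entropy source (an assumption of this port)."""
    h = crypt_private(password, gensalt(os.urandom(6)))
    if len(h) == 34:
        return h
    return hashlib.md5(password.encode('utf-8')).hexdigest()   # phpBB's own fallback


def phpbb_check_hash(password: str, stored: str) -> bool:
    """Like phpbb_check_hash(): 34-character values are $H$ hashes and are re-computed
    with the cost and salt read out of `stored`; 32-character values are legacy plain
    md5 from phpBB 2.  Constant-time compare used here where phpBB uses ===."""
    if len(stored) == 34:
        return hmac.compare_digest(crypt_private(password, stored), stored)
    return hmac.compare_digest(hashlib.md5(password.encode('utf-8')).hexdigest(), stored)


if __name__ == '__main__':
    stored = phpbb_hash('correct horse')
    print(stored)                                       # $H$9 + 8 salt chars + 22 hash chars
    print(phpbb_check_hash('correct horse', stored))    # True
    print(phpbb_check_hash('wrong', stored))            # False
```

The practical consequence for the original question: there is no function that turns a plain-text password into "the" stored hash, because the stored hash includes a random salt. The custom application has to fetch user_password from phpbb_users and hand both it and the plain-text password to phpbb_check_hash(); comparing a freshly generated phpbb_hash() against the column will always fail.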
rtadams89
Registered User
Posts: 67
Joined: Sat Jun 14, 2008 7:24 am

Re: Still confused about password salting function

Post by rtadams89 »

I had looked at those before, but was unable to get them to work. Perhaps I just did something wrong.

When I feed a password into phpbb_hash(), the returned result is clearly a hash, but it does not match what is in the database. Furthermore, it seems to change each time I run the script.

Any further guidance would be appreciated.
rtadams89
Registered User
Posts: 67
Joined: Sat Jun 14, 2008 7:24 am

Re: Still confused about password salting function

Post by rtadams89 »

I've been working on this for a while now, but still can't get it. Here's a bit more info:

My script was previously designed to work with a database where the passwords were stored as md5 hashes. My script creates a $password variable from a user's input. I then check if md5($password) matches what is in the database. How would I update this so it checks against the phpbb3 hashes?
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: Still confused about password salting function

Post by Phil »

You'll need to grab the hash from the database and run them both through phpbb_check_hash().
rtadams89
Registered User
Posts: 67
Joined: Sat Jun 14, 2008 7:24 am

Re: Still confused about password salting function

Post by rtadams89 »

I've been working on this so long that the code is getting jumbled in my head. Here is the relevant part of my script:

Code:

# if login, and auth returns true, then refresh month view, and close window
if ($action == "login" 
	&& auth($_POST['username'], md5($_POST['password'])) ) {
	echo "<script language=\"JavaScript\">";
	echo "opener.location = \"index.php?month=$m&year=$y\";";
	echo "window.setTimeout('window.close()', 500);";
	echo "</script>";
} elseif ($action == "logout") {
	session_start();
	session_destroy();
	header ("Location: index.php?month=$m&year=$y");
}
You can see that it currently passes the md5 hash of the password entered into an HTML form to the "auth()" function. What is the easiest way to change this so that it passes the appropriate phpbb3 hash of the password to the "auth()" function?
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: Still confused about password salting function

Post by Phil »

Try passing the phpbb_hash'd version, then alter your auth function to use phpbb_check_hash instead of a direct comparison.
rtadams89
Registered User
Posts: 67
Joined: Sat Jun 14, 2008 7:24 am

Re: Still confused about password salting function

Post by rtadams89 »

So you are suggesting I change my code to look like:

Code:

# if login, and auth returns true, then refresh month view, and close window
define("IN_PHPBB", true);
require_once("./forum/includes/functions.php");
if ($action == "login"
	&& auth($_POST['username'], phpbb_hash($_POST['password'])) ) {
	echo "<script language=\"JavaScript\">";
	echo "opener.location = \"index.php?month=$m&year=$y\";";
	echo "window.setTimeout('window.close()', 500);";
	echo "</script>";
} elseif ($action == "logout") {
	session_start();
	session_destroy();
	header ("Location: index.php?month=$m&year=$y");
}
That would then pass the phpbb3 hashed value of the entered password to my auth() function, correct? If so, why would I need to use phpbb_check_hash in the auth() function?
rtadams89
Registered User
Posts: 67
Joined: Sat Jun 14, 2008 7:24 am

Re: Still confused about password salting function

Post by rtadams89 »

I think I got it. I ended up leaving the login script alone and just altering my auth() function to the following:

Code:

function auth($login = '', $passwd = '')
{
	# phpBB's functions.php refuses to load unless IN_PHPBB is defined; guard the
	# define() so a second call to auth() in the same request does not raise a notice
	if (!defined('IN_PHPBB')) {
		define('IN_PHPBB', true);
	}
	require_once("../forum/includes/functions.php");

	session_start();
	$auth     = 0;
	$register = false;
	$authdata = null;

	if (isset($_SESSION['authdata'])) {
		$authdata = $_SESSION['authdata'];
	}

	# return false if login neither passed to func, nor in session
	if (empty($login) && empty($authdata['login'])) {
		return 0;
	}

	# get login passed to function; $passwd must be the plain-text password, not an
	# md5 of it, because phpbb_check_hash() salts and hashes it itself
	if (!empty($login)) {
		$username = $login;
		$pw       = $passwd;
		$register = true;
	} else {
		$username = $authdata['login'];
		$pw       = $authdata['password'];
	}

	# DB_HOST, DB_USER, DB_PASS and DB_NAME come from the calling application's own config
	mysql_connect(DB_HOST, DB_USER, DB_PASS) or die(mysql_error());
	mysql_select_db(DB_NAME) or die(mysql_error());

	# escape the username before interpolating it; otherwise the login form is an
	# SQL injection point into the board's user table
	$sql = "
		SELECT * FROM phpbb_users
		WHERE username = '" . mysql_real_escape_string($username) . "'";
	$result = mysql_query($sql) or die(mysql_error());
	$row = mysql_fetch_assoc($result);

	# validate login, and register session data if appropriate;
	# $row is false when no such user exists, so test it before indexing into it
	if ($row && phpbb_check_hash($pw, $row['user_password']) && $row['group_id'] <= 8) {
		$auth = 1;

		if ($register) {
			# the plain-text password is kept in the session so that later calls
			# without arguments can re-run phpbb_check_hash() against the database
			$_SESSION['authdata'] = array(
				'login'     => $row['username'],
				'password'  => $pw,
				'userlevel' => "1",
				'uid'       => $row['user_id'],
			);
		}
	} else {
		# if passwords didn't match (or the user does not exist), delete authdata session data
		unset($_SESSION['authdata']);
	}
	return $auth;
}