MD5 password hash... HELP!!!!!

Discussion forum for MOD Writers regarding MOD Development.
Locked
CancunManny
Registered User
Posts: 54
Joined: Mon Jan 25, 2010 7:32 pm

MD5 password hash... HELP!!!!!

Post by CancunManny »

So I am using my little programming knowledge to try and recreate an integration. I was able to modify the script to use phpbb3 instead of phpbb2. Today I decided that i might as well upgrade my dolphin software before I continue doing all types of mods.

I seem to have ran into a problem. This is the old code

Code: Select all


//*  This is the old code for dolphin, where it would change the PW and send email out with new PW //


				$mail_ret = sendMail( $recipient, $subject, $message, $memb_arr['ID'] );

				

				$sQuery = "UPDATE `Profiles` SET `Password` = md5(`Password`) WHERE `ID`='{$memb_arr['ID']}'";

				db_res( $sQuery );
				
				
				
							//*  Here is the mod that had been working good before with phpBB3 update users password | SAS modification ///////////
			$sQuery = "SELECT `NickName`, `Password` FROM `Profiles` WHERE `ID` = {$memb_arr['ID']}";
			$rResult = db_res($sQuery);
			while ( $aRow = mysql_fetch_array($rResult) ) {
				$sMemberName = $aRow['NickName'];
				$sMemberPass = $aRow['Password'];
			}
			if ($sMemberName and $sMemberPass) {
				$sQuery = "
					UPDATE 
						`Cancun_Forumusers`
					SET
						 `user_password` = '{$sMemberPass}'
					WHERE 
						`username` = '{$sMemberName}'
				";	
				db_res($sQuery);
			}
			//////////////////////////////////////////////////////////////*
If I am reading the code directly, before the phpbb3 MOD kicks in, the other code was grabbing the "password", doing a md5 on it, and saving it "Profiles" on the other table. Then the PHBbb3 MOD, would select user name and pw in md5 form, and copy it over to the PHPBB3 tables. Seems phpbb3 and my old dolphin were using the same hash to create the md5 pw file

The new dolphin software is using a more advance encryption, using salt. I am able to get the new pw (before encryption), and I am trying to do a md5 on that PW, then save it on my DB. Here is what I got

Code: Select all

//* phpBB2 update users password | SAS modification ///////////
			$sQuery = "SELECT `NickName`, `Password` FROM `Profiles` WHERE `ID` = '$ID' ";
			$rResult = db_res($sQuery);
			while ( $aRow = mysql_fetch_array($rResult) ) {
				$sMemberName = $aRow['NickName'];
				$sMemberPass = $aRow['Password'];
				$newPW = md5($sPwd);
			}
			if ($sMemberName and $sMemberPass) {
				$sQuery = "
					UPDATE 
						`Cancun_Forumusers`
					SET
						 `user_password` = '$newPW'
					WHERE 
						`username` = '{$sMemberName}'
				";	
				db_res($sQuery);
On my PHPBB3 table, I do get what seems to be the PW in md5 form. However when I try to log in, it doesn't accept the pw. Seems now I have two hash files maybe?

Before, I had dolphin on cancunwithme.com and phpbb3 on cancunwithme.com/Cancun_Forum

Now I have, dolphin on cancunwithme.com/cancun_tours and phpbb3 ../Cancun_Forum ... might this be the problem? Any ideas?
CancunManny
Registered User
Posts: 54
Joined: Mon Jan 25, 2010 7:32 pm

Re: MD5 password hash... HELP!!!!!

Post by CancunManny »

Update, everything seems to be working fine. Seems because of the failed log in attempts, it was taking my PW at log in, then asking me for user name and pw again with a captcha. I tried it again, and it worked.

Silly me
CancunManny
Registered User
Posts: 54
Joined: Mon Jan 25, 2010 7:32 pm

Re: MD5 password hash... HELP!!!!!

Post by CancunManny »

Ok, so since I am still not sure what I am talking about, the title should still apply.

I seem to have come to a dead end, making changes on dolphin to get the integration to work. In order to get the passwords working properly, I would have to make dolphin less secure, doing away with their stronger md5 with salt implementation.

In theory, it would make more sense for me to make phpbb more secure. How hard would it be to change the password authentication functions, specially if I can cut and paste them from the other program? If I get both of them to use the same encryption and decryption code, it becomes as easy as copying and pasting the pw keys between tables to do the updates.

Any ideas of how I could do this?
CancunManny
Registered User
Posts: 54
Joined: Mon Jan 25, 2010 7:32 pm

Re: MD5 password hash... HELP!!!!!

Post by CancunManny »

Ok, so now I am very confused. Seems PHPBB3 is also using some type of advanced encryption, not just md5.

Why does this work.

$temp = "PWTemp";
$md5pw = md5($temp);

then i store $md5pw in the users password field

I am then able to log in using the correct user name and "PWTemp" as the password.

Why does this work, if the pw encryption seems to be much more complex than a md5()

Is there an easy way to turn off ALL encryption on phpbb3 passwords? What would work great for my mod is to copy the encrypted pw from the other table onto phpbb3 as the user pw. Then be able to log in to PHPBB3 using the correct user name and the encrypted pw from the other table, as the actual pw.

This would help me prevent my users from logging in straight to PHPBB3 without loging in to my site first. The users would never know their actual PW for PHPBB3, since this would be the long encrypted pw that goes with their pw and salt. The only way for them to log in to the forum, would be by loggin in to my site. I do plan to disable the join form, login/out icons/links on PHPBB3. The goal is to have all login/outs done via dolphin
User avatar
ric323
Former Team Member
Posts: 22910
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric
Contact:

Re: MD5 password hash... HELP!!!!!

Post by ric323 »

--moved from General Support to "MOD Writers Discussion". This is a more appropriate area for people trying to write their own code.

Please do NOT reply to your own posts when no-one else has answered. That violates our 6-hour bump rule.
Just edit your previous post if you wish to add more information before anyone else replies.

Yes, phpBB3 uses a much more complex algorithm than just "MD5 plus salt".
e.g. see here: http://www.phpbb.com/community/viewtopi ... &t=1961175
The Knowledge Base contains solutions to many common problems!
How to fix "Doesn't have a default value" and "Incorrect string value: xxx for column 'post_text' " errors.
How to do a clean re-install of the latest phpBB3 version.
Problems with permissions? Read phpBB3 Permissions
comkidwizzer3
Registered User
Posts: 375
Joined: Fri Jul 13, 2007 8:24 am
Location: $user->data['user_location'];
Contact:

Re: MD5 password hash... HELP!!!!!

Post by comkidwizzer3 »

phpBB3 uses a hashing system called Portable Hashes/phpass, which generates a different hash every time you hash anything even if it is the same thing. It has a function which is used to check if the hash matches the password, so you would just use that function.

[ Linkie ]
~My MODs~
Login After Register - v1.0.0 | Custom Ranks MOD - RC

~!Hasher!~
User avatar
igorw
Former Team Member
Posts: 8024
Joined: Fri Dec 16, 2005 12:23 pm
Location: {postrow.POSTER_FROM}
Name: Igor Wiedler

Re: MD5 password hash... HELP!!!!!

Post by igorw »

CancunManny wrote:Why does this work.
It works because phpBB retains backwards-compatibility with phpBB2, this is needed for upgrades.
CancunManny wrote:I do plan to disable the join form, login/out icons/links on PHPBB3. The goal is to have all login/outs done via dolphin
You could create a custom authentication plugin.
Igor Wiedler | area51 | GitHub | trashbin | Formerly known as evil less than three
CancunManny
Registered User
Posts: 54
Joined: Mon Jan 25, 2010 7:32 pm

Re: MD5 password hash... HELP!!!!!

Post by CancunManny »

Thank you so much guys. I was able to create and load my own authentication. I did manage to lock myself out for a bit there. Had to rename the original auth same as my new auth, so I could log in with regular credentials.

To the moderator of site, thank you for your advice. Other sites don't like edits. I will use edits next time to do updates instead of self bumping
Diddy
Registered User
Posts: 3
Joined: Thu Feb 12, 2009 10:38 pm

Re: MD5 password hash... HELP!!!!!

Post by Diddy »

to CancunManny.
Hi,
can I ask you if you got it working with the integration?
Locked

Return to “[3.0.x] MOD Writers Discussion”