How to Encrypt password with the new system?

aleee
Registered User
Posts: 9
Joined: Mon Oct 15, 2007 9:47 pm

How to Encrypt password with the new system?

Post by aleee » Tue Oct 16, 2007 1:43 am

Alright, I kinda coded my website using phpBB as forum and as user management system, and since I do NOT use phpBB control panel and I have my own page to change the passwords, I wanted to know how do I encrypt the passwords with the new hash system.

Does anybody have an example on how to encrypt a password on the new phpBB RC7?

Thanks!
Last edited by aleee on Tue Oct 16, 2007 4:27 am, edited 1 time in total.

calebrw
Registered User
Posts: 679
Joined: Mon May 10, 2004 1:44 am
Location: Minneapolis, Minnesota

Re: How to Encrypt password with the new system?

Post by calebrw » Tue Oct 16, 2007 2:55 am

If you need to compare two strings, you need to extract the value from the DB. I can't do this in phpBB, but after that you need to compare it to the value in your database.

Code:

IF ($phpBB_DB_value === $your_db_value) {
    //Execute me if the values match
} ELSE {
    //Execute me if they don't
}

Caleb Williams
My Photography:
http://blog.calebwilliamsphotography.com

aleee
Registered User
Posts: 9
Joined: Mon Oct 15, 2007 9:47 pm

Re: How to Encrypt password with the new system?

Post by aleee » Tue Oct 16, 2007 4:08 am

Of course I know about that, I'm asking HOW to do the encryption with the new system.

calebrw
Registered User
Posts: 679
Joined: Mon May 10, 2004 1:44 am
Location: Minneapolis, Minnesota

Re: How to Encrypt password with the new system?

Post by calebrw » Tue Oct 16, 2007 4:14 am

The password is encrypted with the following:
includes/ucp/ucp_register.php

Code:

'user_password'			=> phpbb_hash($data['new_password']),

The function is:
includes/functions.php

Code:

function phpbb_hash($password)
{
	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

	$random_state = unique_id();
	$random = '';
	$count = 6;

	if (($fh = @fopen('/dev/urandom', 'rb')))
	{
		$random = fread($fh, $count);
		fclose($fh);
	}

	if (strlen($random) < $count)
	{
		$random = '';

		for ($i = 0; $i < $count; $i += 16)
		{
			$random_state = md5(unique_id() . $random_state);
			$random .= pack('H*', md5($random_state));
		}
		$random = substr($random, 0, $count);
	}

	$hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

	if (strlen($hash) == 34)
	{
		return $hash;
	}

	return md5($password);
}

Caleb Williams
My Photography:
http://blog.calebwilliamsphotography.com

aleee
Registered User
Posts: 9
Joined: Mon Oct 15, 2007 9:47 pm

Re: How to Encrypt password with the new system?

Post by aleee » Tue Oct 16, 2007 4:24 am

I already tried this :P phpbb_hash(string); will return

Code:

Fatal error: Call to a member function sql_escape() on a non-object in forum/includes/functions.php on line 145

Marshalrusty
Project Manager
Posts: 29253
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: How to Encrypt password with the new system?

Post by Marshalrusty » Tue Oct 16, 2007 4:46 am

That's because it should either be:

Code:

phpbb_hash('string');

or:

Code:

phpbb_hash($string);

Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

aleee
Registered User
Posts: 9
Joined: Mon Oct 15, 2007 9:47 pm

Re: How to Encrypt password with the new system?

Post by aleee » Tue Oct 16, 2007 12:14 pm

Still returns me the same error.

ameeck
Former Team Member
Posts: 6559
Joined: Mon Mar 21, 2005 6:57 pm

Re: How to Encrypt password with the new system?

Post by ameeck » Tue Oct 16, 2007 3:37 pm

Yeah..I got this hash:
$H$7rssbSMgLmkpWoRKZMdk6ERZ4Fhrkq1

natatkinson
Registered User
Posts: 30
Joined: Thu Nov 10, 2005 2:00 am
Location: Illinois, USA

Re: How to Encrypt password with the new system?

Post by natatkinson » Wed Oct 17, 2007 4:05 am

Thanks a lot for this, I am still trying to implement it on my system. Here is what I used to have:

Code:

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from signup form 
$myusername=$_POST['myusername']; 
$mypassword=md5($_POST['mypassword']); 

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and user_password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if ($count != 0) 
	{
		while ($sql = mysql_fetch_object($result)) 
		{
			$_SESSION[myusername] 	= $sql -> username;       
			$_SESSION[mypassword] 	= $sql -> user_password;
			$_SESSION[rank]	 	    = $sql -> user_rank;
			$_SESSION[email] 		= $sql -> user_email;
			$_SESSION[active]		= $sql -> user_inactive_reason;
		}
	}


I am having some trouble implementing the new hash, but it is late and I am tired. I will keep trying. Thanks again for your help!!!!

natatkinson
Registered User
Posts: 30
Joined: Thu Nov 10, 2005 2:00 am
Location: Illinois, USA

Re: How to Encrypt password with the new system?

Post by natatkinson » Wed Oct 17, 2007 2:47 pm

mecu wrote:Alternatively, perhaps we could force logout all users then making them have to log back in to the forums and it would take care of most of the users? The problem then would still be someone that doesn't login to the forums but still tries to use your custom script, so you could check with the new hash password, and if that fails, check with the old md5 method. I'm choosing to just require them to logout and login so they are all updated and more secure.
I noticed that too, so now a handful of my users have the new hash, while the rest have md5 hash. I am still trying to figure out how to have my users input their password, and hash their input to the new hash to compare it to their password in the database.

natatkinson
Registered User
Posts: 30
Joined: Thu Nov 10, 2005 2:00 am
Location: Illinois, USA

Re: How to Encrypt password with the new system?

Post by natatkinson » Wed Oct 17, 2007 3:55 pm

Yes, you did, it just took me a while to adapt it to my system. Thank you very much for your help. My login system works better than ever (I made a few other changes while I was at it :D ).

Aline
Registered User
Posts: 1
Joined: Thu Oct 18, 2007 11:54 am

Re: How to Encrypt password with the new system?

Post by Aline » Thu Oct 18, 2007 12:29 pm

Hello.

Then, with the RC7 I installed, none of my members (5200), myself included, is able to access the Forum (nor the Administration Panel)?
With the automatic upload, you would have to create an automatic download.
Regards.

Alain

axn
Registered User
Posts: 3
Joined: Mon Oct 15, 2007 6:11 pm

Re: How to Encrypt password with the new system?

Post by axn » Thu Oct 18, 2007 3:17 pm

I've tried to hash a password with that function,

Code:

$pass = testing;
HashPassword($pass);

And I get this: Parse error: syntax error, unexpected T_VARIABLE, expecting T_FUNCTION in C:\wamp\www\axnirc\hash.php on line 246

ciprianmp
Registered User
Posts: 15
Joined: Fri May 07, 2004 9:36 pm
Location: Bucharest, Romania

Re: How to Encrypt password with the new system?

Post by ciprianmp » Sat Oct 20, 2007 8:55 pm

I'm just wondering....
Have you ever thought about collaboration between phpbb (2 or 3) and other apps? Like CMSs, Chats, Galleries, and so on?
Or this is your purpose: to make it impossible to integrate users from one to another?

Who will ever try to hack in a strong enough password, encrypted only with md5, just to get to your forum under someone else's name?

What kind of obsession is this? You've encrypted a forum password like it would be used for a bank account. Come on, for God's sake... it's just a forum! And you just made it so phpbb will never get integrated into other software or vice versa... while I have hundreds of users asking for integration of my app into phpbb. I will just have to offer them the PHP-Nuke integration, which is doable because passwords are compatible.
I was thinking of phpbb too, but it's impossible for me to even understand what you do in that functions.php file... lmao - that's insanity, no offence.
You've even put conditions for php5 and php4 for using different algorithms, while the simplest md5 hash will never change! And no one can break it, unless you give away your password... which is a different situation - even your encryption won't help. So... why so complicated?

If any of your "hashing experts" from phpbb would like to get in touch with me and clarify a bit - for future collaboration's sake - please feel free to contact me, either by a pm or at my email address.
Thanks, and again, no offence...
Ciprian M.

Swirlsky
Registered User
Posts: 23
Joined: Sat Oct 14, 2006 1:42 pm
Location: Szombathely, Hungary

Post by Swirlsky » Sun Oct 21, 2007 4:38 pm

I have a lot of php applications that use the forum's database to compare the password that the user entered with the password that is in the database. Up to now I could use just the md5() function for the comparison but now it doesn't work.

So please, somebody expound to me lucidly how I can do that now! It is very important to me, because my php applications don't work now.. :(
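
The check natatkinson and Swirlsky ask about above, as an added example that is not part of the original thread and not phpBB's own code: a stand-alone PHP verifier for the 34-character `$H$` hashes that `phpbb_hash()` returns, falling back to the old `md5()` comparison for rows that have not been upgraded yet. The function names, the constructed salt and the sample password are assumptions; the iteration scheme follows the phpass portable hash format, and fetching the stored hash from the users table is left to the caller.

```php
<?php
// Added example: verify a phpBB3 "$H$" hash outside phpBB (names are hypothetical).
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass-style base64 of the raw MD5 digest (6 bits per character, low bits first).
function encode64(string $in, int $count): string {
    $out = '';
    $i = 0;
    do {
        $v = ord($in[$i++]);
        $out .= ITOA64[$v & 0x3f];
        if ($i < $count) { $v |= ord($in[$i]) << 8; }
        $out .= ITOA64[($v >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $v |= ord($in[$i]) << 16; }
        $out .= ITOA64[($v >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= ITOA64[($v >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Recompute the hash from the cost character and 8-character salt held in $setting.
function crypt_private(string $password, string $setting): string {
    if (strlen($setting) < 12 || substr($setting, 0, 3) !== '$H$') { return '*'; }
    $log2 = strpos(ITOA64, $setting[3]);          // cost: 2^log2 MD5 rounds
    if ($log2 === false || $log2 < 7 || $log2 > 30) { return '*'; }
    $hash = md5(substr($setting, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($setting, 0, 12) . encode64($hash, 16);
}

// Returns [bool $ok, bool $needsRehash]; legacy rows hold a bare 32-hex md5().
function check_password(string $password, string $stored): array {
    if (strlen($stored) === 34) {
        return [hash_equals($stored, crypt_private($password, $stored)), false];
    }
    $ok = strlen($stored) === 32 && hash_equals($stored, md5($password));
    return [$ok, $ok];   // valid legacy login: replace the row with a new $H$ hash
}

// Constructed sample values (not from the thread): cost char '7', made-up salt.
$new = crypt_private('testing', '$H$7abcdefgh');
var_dump(strlen($new) === 34);                                          // true
var_dump(check_password('testing', $new), check_password('wrong', $new));
var_dump(check_password('testing', md5('testing')));                    // legacy row
```

When `$needsRehash` comes back true, the login was valid against an old `md5()` row, so that is the moment to write a fresh salted hash back for that user. A script that has loaded phpBB's own environment can call phpBB 3.0's `phpbb_check_hash($password, $hash)` instead of reimplementing the comparison.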
