How to Encrypt password with the new system?

eight9offsuit · Post by **eight9offsuit** » Fri Dec 14, 2007 7:53 pm

Acyd Burn wrote:phpbb_check_hash($password, $hash) is the key function (my script is to show the basic working, it is not meant as a copy & paste script you can use - i expect those programming able to think a bit for themselves. ).

Thank you very much Acyd for the script, it set me on the right path. A little bit of alteration and it worked like a charm. Thanks for making it so simple.

RoXur777 · Post by **RoXur777** » Fri Dec 14, 2007 11:21 pm

Open:

Code: Select all

includes/functions.php

Change:

Code: Select all

function phpbb_hash($password)
{
   $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

   $random_state = unique_id();
   $random = '';
   $count = 6;

   if (($fh = @fopen('/dev/urandom', 'rb')))
   {
      $random = fread($fh, $count);
      fclose($fh);
   }

   if (strlen($random) < $count)
   {
      $random = '';

      for ($i = 0; $i < $count; $i += 16)
      {
         $random_state = md5(unique_id() . $random_state);
         $random .= pack('H*', md5($random_state));
      }
      $random = substr($random, 0, $count);
   }

   $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

   if (strlen($hash) == 34)
   {
      return $hash;
   }

   return md5($password);
}

To:

Code: Select all

function phpbb_hash($password)
{
   return md5($password);
}

This will use the old phpBB2 hashing system.

ameeck · Post by **ameeck** » Sat Dec 15, 2007 7:53 am

Yes just be careful about having half of the passwords in md5 and the other half in the phpbb_hash

Swirlsky · Post by **Swirlsky** » Fri Dec 21, 2007 3:14 pm

So can this code:

Code: Select all

$password = $_POST["Password"];

define('IN_PHPBB', true);
$phpbb_root_path = 'forums/';

$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.php');
include($phpbb_root_path . 'includes/functions_user.php');
include($phpbb_root_path . 'includes/ucp/ucp_register.php');

if (phpbb_check_hash($password, $hash)) { echo "match"; }

be used instead of PasswordHash.php to compare the password that the user posted with the password in the database?

Acyd Burn · Post by **Acyd Burn** » Fri Dec 21, 2007 3:40 pm

Yes, but a bit differently (never set variables before the header initiation and use request_var())

Code: Select all

define('IN_PHPBB', true);
$phpbb_root_path = 'forums/';

$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.php');
include($phpbb_root_path . 'includes/functions_user.php');
include($phpbb_root_path . 'includes/ucp/ucp_register.php');

$password = request_var('Password', '');

if (phpbb_check_hash($password, $hash)) { echo "match"; }

Swirlsky · Post by **Swirlsky** » Fri Dec 21, 2007 4:19 pm

Thank you for your reply, but unfortunately it doesn't work for me.
I try to use it in a function like this:

Code: Select all

function CheckPass($Pass) {

	define('IN_PHPBB', true);
	$phpbb_root_path = 'forums/';

	$phpEx = substr(strrchr(__FILE__, '.'), 1);
	include($phpbb_root_path . 'common.php');
	include($phpbb_root_path . 'includes/functions_user.php');
	include($phpbb_root_path . 'includes/ucp/ucp_register.php');

	if(phpbb_check_hash(request_var($Pass, ""), $hash)) { echo "match"; }
}

CheckPass($_POST["Password"]);

and I receive the following error message:

The config.php file could not be found.
Click here to install phpBB

What am I doing wrong? Is it possible to use it inside a function?

Acyd Burn · Post by **Acyd Burn** » Fri Dec 21, 2007 4:29 pm

Of course it is possible, but the header instructions should not be put in a function.

They are meant to be put within the files, at the header.

I suggest to read the coding guidelines and the MOD documents on how to do phpBB pages. You only need this bit:

Code: Select all

if (phpbb_check_hash($password, $hash)) { echo "match"; }

The rest is just the code for constructing a full page.

Swirlsky · Post by **Swirlsky** » Fri Dec 21, 2007 4:51 pm

Thank you for your help, I will read the documentation.

dabuzz · Post by **dabuzz** » Mon Dec 31, 2007 5:56 pm

Has anybody converted or able to convert this hashing function to vb.net or c#?
I have a system that i want to use along with phbb database for authentication.

Puntadelanza · Post by **Puntadelanza** » Thu Jan 03, 2008 11:00 am

I only want to say, thanks to mecu.
His information was very helpfully to me. Thanks!

Grashopper · Post by **Grashopper** » Sat Jan 12, 2008 12:38 am

Can anyone help me? I have been trying to get a web app that worked with RC1 and prior just fine, but has since "broken" b/c of the new hash.

here's what's I've been trying thus far: http://www.phpbb.com/community/viewtopi ... &sk=t&sd=a

When I try to use the line:

Code: Select all

include("../phpBB3/includes/functions.php");

It gives me a blank screen. Do I need to load something else? Please help!

nogoer · Post by **nogoer** » Tue Mar 04, 2008 6:45 pm

I also get a blank page when trying to include the functions so i can compare passwords with the new hash.

This new hash method basically hosed everyone who was integrating phpbb with another site. Unless your doing your hash compares from within phpbb this just doesnt look like its going to work. Before it was fine, md5 was a native function to php now the new "secure" built in functions are only within phpbb and if you need to integrate an app that uses phpbb you're stuck.

This one little change basically made phpbb no longer an app that can be integrated into an existing site or as a sub part to a larger website. For me phpbb was a great add on so i could provide a community area for my users. Now i need to stick with an outdated RC version in order to keep the functionality i need.

cardude · Post by **cardude** » Sat Mar 08, 2008 1:30 am

Acyd Burn wrote:Yes, this is correct. The hash is always different.

Try the following:

Code: Select all

<?php

$password = "test";

define('IN_PHPBB', true);
$phpbb_root_path = 'forums/';

$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.php');
include($phpbb_root_path . 'includes/functions_user.php');
include($phpbb_root_path . 'includes/ucp/ucp_register.php');

$hash = '$H$9eKXZWW653tFUTIDrJs00Y2rcnpk1R.';

if (phpbb_check_hash($password, $hash))
{
	echo "(match) ";
}

$result = phpbb_hash($password);

if (phpbb_check_hash($password, $result))
{
	echo "(match) ";
}

if (!phpbb_check_hash('test2', $result))
{
	echo "(no match) ";
}

?>

The $hash variable is a random hash for 'test'... you should get (match) (match) (no match)

I can get this to run, but how do I check if the username and password that the user entered? Right now there isn't anywhere to put the username in the script.

ameeck · Post by **ameeck** » Sun Mar 09, 2008 3:55 pm

Use the login method of the user class for that. It will also automatically initialize sessions and set cookies if the login is succesful.

Megasmrt · Post by **Megasmrt** » Sun Mar 09, 2008 11:24 pm

Overkill!

Great work, i'm done. Tnx to everyone!

u rock!

advertisements