How to Encrypt password with the new system?

Discussion forum for MOD Writers regarding MOD Development.
Acyd Burn
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Re: How to Encrypt password with the new system?

Post by Acyd Burn »

Can you tell me what could be SQL injection in my code? Please.
You do not escape strings passed to the DB... this alone opens you up to SQL injection (I would read up on the various sites about SQL injection). Furthermore, you seem to register the username/password in the session, as well as redirecting with parameters coming directly from the session - someone could change these to their liking and open up your application to code injection, response splitting and maybe even more.

Of course all this also depends on other factors, code you additionally use, etc. With phpBB3 we increased security a lot by using common functions which are required by our coding guidelines. This alone makes it hard to write insecure code - for example, if you follow them strictly it is very hard to create SQL injection holes, because queries follow a strict standard. Therefore, our MOD Team will instantly deny MODs not adhering to the coding guidelines. I am also worried about the increase of insecure code being submitted to our MODs database. :/ At first we may not care - but at second look you will realise that once a vulnerability is found within a MOD this will most likely backlash on phpBB, with people saying that phpBB is insecure just because a MOD had a vulnerability. Therefore (and for our own SDLC) we created the internal framework we have in conjunction with the coding guidelines. Sure, it is a lot to learn for someone just beginning with PHP, but IMO it is worth it.
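The two problems Acyd Burn names in that reply (strings pasted into SQL, and redirect targets taken from request or session data) are shown below in an added example written for this page; it is not code from the thread or from phpBB. It uses a throwaway in-memory SQLite table so it runs with plain PHP 7.1+ and pdo_sqlite and no phpBB install; the table rows, the allowlist of page names and the attacker inputs are all constructed for the example. Inside phpBB the safe query would instead be written with $db->sql_escape() in the SQL string and run through $db->sql_query().

```php
<?php
// Added example for this page, not code from the thread or from phpBB. It shows the
// two problems Acyd Burn names above (unescaped strings in SQL, redirect targets taken
// from request/session data) on a throwaway in-memory SQLite table, so it runs with
// plain PHP 7.1+ and pdo_sqlite, no phpBB install. Inside phpBB the safe query would
// be written with $db->sql_escape() in the SQL string and run via $db->sql_query().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE phpbb_users (user_id INTEGER, username_clean TEXT, user_password TEXT)');
// Constructed sample rows; the password column holds placeholders, not real hashes.
$pdo->exec("INSERT INTO phpbb_users VALUES (2, 'admin', 'placeholder'), (3, 'huyhoa', 'placeholder')");

// 1. The vulnerable shape: the username is pasted into the SQL text, so quote
//    characters in it become part of the statement.
function lookup_user_unsafe(PDO $pdo, string $u): array
{
    $sql = "SELECT user_id, username_clean FROM phpbb_users WHERE username_clean='$u'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Same lookup with a bound parameter: the value is sent separately from the
//    statement and can never change its structure.
function lookup_user_safe(PDO $pdo, string $u): array
{
    $stmt = $pdo->prepare('SELECT user_id, username_clean FROM phpbb_users WHERE username_clean = :u');
    $stmt->execute([':u' => $u]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Redirect target from the request. "$_GET['redirect'] . '.php'" lets the caller
//    choose any path, and on PHP builds that do not strip CR/LF from header() a
//    newline in the value appends a second header (response splitting). Accept only
//    an exact name from a fixed list; the list here is assumed for the example.
function safe_redirect_target(?string $requested, array $allowed = ['index', 'profile', 'memberlist']): string
{
    $page = $requested ?? 'index';
    if (!in_array($page, $allowed, true)) {
        $page = 'index';
    }
    return $page . '.php';
}

$evil = "x' OR '1'='1";
printf("unsafe lookup: %d row(s)\n", count(lookup_user_unsafe($pdo, $evil)));
printf("safe lookup:   %d row(s)\n", count(lookup_user_safe($pdo, $evil)));

foreach (['profile', '../admin/config', "index\r\nSet-Cookie: a=b", null] as $r) {
    printf("redirect %-30s -> %s\n", json_encode($r), safe_redirect_target($r));
}
```

The unsafe lookup returns both rows for the `x' OR '1'='1` input because the WHERE clause becomes `username_clean='x' OR '1'='1'`; the bound version returns none, because the whole string is compared as a username. For the redirect, everything except `profile` is forced back to index.php. The same allowlisting applies to values read back out of $_SESSION: a session value that originally came from the request is still attacker-chosen, so it has to be validated where it is used, not trusted because it passed through the session. Keeping the plaintext password in the session, as described above, gains nothing and widens what a session leak exposes.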
huyhoa
Registered User
Posts: 66
Joined: Sat Oct 02, 2004 4:39 am
Name: Huy Hoa

Re: How to Encrypt password with the new system?

Post by huyhoa »

Thanks Burn. I will look at my code again and check.
About what you said, I know. But I don't change anything in the phpBB code (I hope that will help me update directly if phpBB3 has any update, unless you change the way passwords are hashed, like from RC5 to RC7 :mrgreen: - it made me crazy for at least two weekend days).
As you said, I think many people have been hacked and then they say that it is because phpBB is insecure. Some people are like that, I agree, but we still also trust phpBB; that is why we use phpBB3 and hope it will have more MODs for webmasters.
About MODs for phpBB3, I don't use any MOD outside the original phpBB. But I hope you see us; please help us with some problems for a better phpBB3.
So I can request of you and the dev group that phpBB open links in a new window (we don't want visitors to open a link and leave our site).
Some other MODs I think should be in the phpBB3 system as well:
- Thank MOD
- Hide MOD (I see one being developed but it is not in the original phpBB)
- Quick reply MOD
I hope these MODs can be used as additional MODs in phpBB RC8 or the Gold version.
Thank you very much
Imichimera
Registered User
Posts: 67
Joined: Sun Aug 12, 2007 7:48 am
Location: I'm here some place

Re: How to Encrypt password with the new system?

Post by Imichimera »

Okay... I've tried both of these out. First with the actual phpBB 3.0 hasher, and it gave me the error:

Code:

Fatal error: Call to a member function sql_escape() on a non-object in forum/includes/functions.php on line 145
and then I tried the other MOD from the other site, followed the instructions and I get no match.
So that's no good...

I've decided that the other site's MOD is probably not the best thing to use, seeing as the other hasher it uses still returns "$P$" instead of "$H$", and I would like to see the fix for the error created by phpBB's method.

I may just be doing something wrong, if anyone has gotten the other method to work right, that is.

Thanks for the help guys.
Gamezftw.com
We Are Games!

Re: How to Encrypt password with the new system?

Post by Acyd Burn »

Imichimera wrote:Okay... I've tried both of these out. First with the actual phpBB 3.0 hasher, and it gave me the error:

Code:

Fatal error: Call to a member function sql_escape() on a non-object in forum/includes/functions.php on line 145
Stop - do not try anything else... what did I say before? You need to have the phpBB3 DBAL initiated. If you get this error you either did not, overwrote the $db variable, or are using your own. I said the hashing function needs to fetch the config table for the seeding value - therefore a DB connection is needed.
Imichimera wrote:I've decided that the other site's MOD is probably not the best thing to use, seeing as the other hasher it uses still returns "$P$" instead of "$H$", and I would like to see the fix for the error created by phpBB's method.
There is no error - we used the hash project, but they are not interchangeable. You *need* to use the phpBB3 hashing method or this will never work.

Re: How to Encrypt password with the new system?

Post by Imichimera »

So to fix this, I simply need to include DBAL into my file?

Re: How to Encrypt password with the new system?

Post by huyhoa »

Imichimera wrote:So to fix this, I simply need to include DBAL into my file?
If needed, you will have to do it.
@Burn: So I hope that after RC7, from RC7 and later versions, you will not change the way passwords are hashed.
It affects me, and I know many people who use the same phpBB3 user data for other sites.
Please make it better and limit the changes to the password hash.
Thank you. And I hope we will see phpBB3 Gold soon (maybe this year - could it be?)

Re: How to Encrypt password with the new system?

Post by Imichimera »

Thanks all for the help.
schuel
Registered User
Posts: 10
Joined: Thu Sep 27, 2007 3:23 am

Re: How to Encrypt password with the new system?

Post by schuel »

I'm a bit confused. If I want to create a totally new hash (not compare), what code do I need? I have tried the following, which works, but every time I refresh the page I get a different result; is this right?
<?php

$password = "test";

define('IN_PHPBB', true);
$phpbb_root_path = 'forums/';

$phpEx = substr(strrchr(__FILE__, '.'), 1);
// common.php boots phpBB, connects the DBAL ($db) and loads includes/functions.php,
// which is where phpbb_hash() and phpbb_check_hash() are defined
include($phpbb_root_path . 'common.php');
include($phpbb_root_path . 'includes/functions_user.php');
include($phpbb_root_path . 'includes/ucp/ucp_register.php');

// a fresh random salt is generated on every call, so the output changes each time
$result = phpbb_hash($password);

echo $result;

?>

Re: How to Encrypt password with the new system?

Post by Acyd Burn »

Yes, this is correct. The hash is always different.

Try the following:

Code:

<?php

$password = "test";

define('IN_PHPBB', true);
$phpbb_root_path = 'forums/';

$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.php');
include($phpbb_root_path . 'includes/functions_user.php');
include($phpbb_root_path . 'includes/ucp/ucp_register.php');

$hash = '$H$9eKXZWW653tFUTIDrJs00Y2rcnpk1R.';

if (phpbb_check_hash($password, $hash))
{
	echo "(match) ";
}

$result = phpbb_hash($password);

if (phpbb_check_hash($password, $result))
{
	echo "(match) ";
}

if (!phpbb_check_hash('test2', $result))
{
	echo "(no match) ";
}

?>
The $hash variable is a random hash for 'test'... you should get (match) (match) (no match)
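What phpbb_hash() and phpbb_check_hash() actually compute is the phpass "portable" hash with the identifier changed from $P$ to $H$, which is the whole content of the "not interchangeable" remark in the reply to Imichimera above and of the script just posted. The block below is an added, stand-alone re-implementation written for this page, not phpBB's own code, so the identifier, the iteration count and the salt can be inspected without loading common.php. It assumes PHP 7+; phpBB's real phpbb_hash() draws its salt from unique_id() and the rand_seed config row (the reason it needs the DBAL), whereas this copy uses random_bytes(), and it uses hash_equals() for the final comparison where phpBB uses ===. The function names hash_encode64, crypt_private, check_hash and make_hash are this example's own.

```php
<?php
// Added example, not phpBB's own code: a stand-alone re-implementation of the
// phpass "portable" hash scheme that phpBB3's phpbb_hash()/phpbb_check_hash()
// use, so the $H$ / $P$ difference and the iteration count can be inspected
// without bootstrapping common.php. phpBB's real phpbb_hash() derives its salt
// from unique_id() and the rand_seed config row, which is why it needs the DBAL;
// here the salt comes from random_bytes() instead (an assumption of this
// example, not phpBB's behaviour). Requires PHP 7+.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass base64 variant: 6 bits per output character, bytes packed little-endian.
function hash_encode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Core of the scheme. A "setting" is identifier (3 chars) + iteration-count
// character (1) + salt (8). Returns '*' on anything malformed so that comparing
// the result against a stored hash always fails.
function crypt_private(string $password, string $setting, string $ident): string
{
    if (strlen($setting) < 12 || substr($setting, 0, 3) !== $ident) {
        return '*';
    }
    $count_log2 = strpos(ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return '*';
    }
    $salt = substr($setting, 4, 8);
    $count = 1 << $count_log2;
    // Iterated MD5: md5(salt . pw) followed by 2^count_log2 rounds of md5(hash . pw).
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . hash_encode64($hash, 16);
}

// Equivalent of phpbb_check_hash(): a 34-character hash is phpass-style, anything
// else is treated as a legacy plain md5() from a converted phpBB2 board.
function check_hash(string $password, string $hash, string $ident = '$H$'): bool
{
    if (strlen($hash) === 34) {
        return hash_equals($hash, crypt_private($password, $hash, $ident));
    }
    return hash_equals($hash, md5($password));
}

// Equivalent of phpbb_hash(): fresh 6-byte salt, 2^11 iterations ('9' in ITOA64),
// $H$ prefix. Like phpBB it falls back to md5() if the setting is rejected.
function make_hash(string $password, int $iteration_count_log2 = 11, string $ident = '$H$'): string
{
    $setting = $ident . ITOA64[min($iteration_count_log2, 30)] . hash_encode64(random_bytes(6), 6);
    $hash = crypt_private($password, $setting, $ident);
    return strlen($hash) === 34 ? $hash : md5($password);
}

// Hash from Acyd Burn's post above, produced by phpBB3 for the password 'test'.
$stored = '$H$9eKXZWW653tFUTIDrJs00Y2rcnpk1R.';
var_dump(check_hash('test', $stored));
var_dump(check_hash('test2', $stored));
// The same string relabelled $P$ fails under the $H$ verifier...
var_dump(check_hash('test', '$P$' . substr($stored, 3)));
// ...and passes once that identifier is the accepted one: the bytes are identical.
var_dump(check_hash('test', '$P$' . substr($stored, 3), '$P$'));
// Every call salts afresh, so two hashes of 'test' differ, yet both verify.
$a = make_hash('test');
$b = make_hash('test');
var_dump($a !== $b, check_hash('test', $a), check_hash('test', $b));
```

Run against the $H$9eKX… hash from the post above, the first check should report true and the 'test2' check false. The two $P$ lines are the "change the hash identifier" advice given further down in this thread reduced to its essence: an unmodified phpass library only recognises its own prefix, so it returns '*' for a phpBB hash and can never match. The last line is what schuel observed: make_hash() gives a different string each run because the salt is random, and every one of them verifies.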
FabryDesign
Registered User
Posts: 66
Joined: Sat May 12, 2007 9:14 pm
Location: Texas

Re: How to Encrypt password with the new system?

Post by FabryDesign »

My code isn't working, and I'm not sure why. Either I'm not understanding what value $check outputs, or the password isn't validating for some reason:

Code:

// Username from the login form; escape it before interpolating it into SQL
// (mysql_real_escape_string() uses the open mysql_connect() link).
$u = mysql_real_escape_string($u);
$userR = mysql_query("SELECT * FROM phpbb_users WHERE (username_clean='$u')");

if(mysql_num_rows($userR) == 0){

	$errors .= '<br />Username did not match any records.';

} else {

	$row = mysql_fetch_assoc($userR);

	// PasswordHash.php must be the phpass copy edited to use phpBB's "$H$"
	// identifier; an unmodified phpass ("$P$") never matches a phpBB3 hash.
	include "PasswordHash.php";
	$t_hasher = new PasswordHash(8, TRUE);
	$hash = $row['user_password']; //from database
	// Check the submitted plaintext password ($p, variable name assumed), not the
	// username $u that was passed here originally, which can never match.
	$check = $t_hasher->CheckPassword($p, $hash);
	//$check is true if the password matches the stored hash, false otherwise
	unset($t_hasher); //cleanup

	if($check == true){

		$userid = (int) $row['user_id'];

		$query = "SELECT * FROM phpbb_banlist WHERE ban_userid='$userid'";
		$banresult = mysql_query($query);

		if(mysql_num_rows($banresult) > 0){
			header("Location: banned.php");
			exit();
		} else {
			session_start();
			session_regenerate_id(true); // fresh session id on login (session fixation)
			$_SESSION['name'] = $row['username'];   // array keys must be quoted strings
			$_SESSION['user_id'] = $row['user_id'];
			$_SESSION['admin'] = FALSE;

			$id = (int) $row['user_id'];
			$adminR = mysql_query("SELECT * FROM phpbb_user_group WHERE (group_id='5') AND (user_id='$id')");
			if(mysql_num_rows($adminR) == 1){
				$_SESSION['admin'] = TRUE;   // was "==", a comparison that assigned nothing
			}

			// Only accept a plain page name as redirect target, so the value
			// cannot point outside the site or inject extra header lines.
			if(isset($_GET['redirect']) && preg_match('/^[A-Za-z0-9_]+$/', $_GET['redirect'])){
				$page = $_GET['redirect'] . '.php';
			} else {
				$page = 'index.php';
			}

			header("Location: $page");

			exit();
		}

	} else {
		$errors .= 'The username and password did not match any current account. Please try again.';
	}
}
I always get the error message for the if($check)...

Re: How to Encrypt password with the new system?

Post by Acyd Burn »

Are you using the library? If so, you need to change the hash identifier to match phpBB's. ;) Or just use the two in-built functions. ;)

Re: How to Encrypt password with the new system?

Post by FabryDesign »

Acyd Burn wrote:Are you using the library? If so, you need to change the hash identifier to match phpBB's. ;) Or just use the two in-built functions. ;)
Uh... I'm using the phpass script with the edited identifier as posted by mecu. What built-in functions are there, and would they be easier to use?

Re: How to Encrypt password with the new system?

Post by Acyd Burn »

I posted the instructions above. ;)

http://www.phpbb.com/community/viewtopi ... 5#p3240125

Re: How to Encrypt password with the new system?

Post by FabryDesign »

Acyd Burn wrote:I posted the instructions above. ;)

http://www.phpbb.com/community/viewtopi ... 5#p3240125
Okay, and in using that for checking a login, $password would be the entered password, $hash would be the password from the database, and if either one of the "matches" comes out I should continue with the script? Also, where does 'test2' come from?

Sorry for any inconvenience,
FD

Re: How to Encrypt password with the new system?

Post by Acyd Burn »

phpbb_check_hash($password, $hash) is the key function (my script is to show the basic workings; it is not meant as a copy & paste script you can use - I expect those programming to be able to think a bit for themselves. ;)).

If the function returns true, the password is correct, otherwise not. $password is the password the user entered, $hash the stored hash.