
View Full Version : Encrypted Password



Ndogg
07-24-2009, 03:18 AM
I'm using this login script, and for the part posted below, it's supposed to change their password they entered into the form to the encrypted password so that it can properly check the DB if it's the correct account. But I guess it's not doing that because every time I type in my pass it says wrong password.


<?php
ob_start();

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$encrypted_mypassword=md5($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$encrypted_mypassword = stripslashes($encrypted_mypassword);
$myusername = mysql_real_escape_string($myusername);
$encrypted_mypassword = mysql_real_escape_string($encrypted_mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and user_password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>

Fou-Lu
07-24-2009, 03:32 AM
Where is $tbl defined?
I assume as well that the insertion had md5 encrypted as well? If so, ensure that the char/varchar column width is at minimum 32 characters, otherwise it will truncate your string to fit the db column.

session_register shouldn't even work. You need a session_start but on top of that, session_register will only work with register_globals enabled, which has been disabled by default since PHP4.2.1. Instead, use $_SESSION['myusername'] = $myusername;. After any header call where you desire to perform a redirection, exit or die your script. Processing of the remaining code will still happen without it.


Actually, I don't see any of your configuration information defined; you shouldn't make it past the mysql_select_db call.

Ndogg
07-24-2009, 03:41 AM
Where is $tbl defined?
I assume as well that the insertion had md5 encrypted as well? If so, ensure that the char/varchar column width is at minimum 32 characters, otherwise it will truncate your string to fit the db column.

session_register shouldn't even work. You need a session_start but on top of that, session_register will only work with register_globals enabled, which has been disabled by default since PHP4.2.1. Instead, use $_SESSION['myusername'] = $myusername;. After any header call where you desire to perform a redirection, exit or die your script. Processing of the remaining code will still happen without it.


Actually, I don't see any of your configuration information defined; you shouldn't make it past the mysql_select_db call.


I cut out the connect code, it's easier than blanking out the info.

Also, the code works when I copy and paste the encrypted password.

Fou-Lu
07-24-2009, 04:09 AM
I cut out the connect code, it's easier than blanking out the info.

Also, the code works when I copy and paste the encrypted password.

Gotcha, that's fine then.

When you say the encrypted password, do you mean that you run an md5('yourpassword'); copy that result, and put it into the password field? If so, that would indicate that your data has been encrypted twice through md5 before being stored in the database.

Zangeel
07-24-2009, 04:24 AM
Just use


$encrypted_mypassword = md5(mysql_real_escape_string($mypassword));

Why are you using stripslashes? mysql_real_escape_string should work fine against sql injections, and it takes out slashes while mysql_real_escape_string escapes characters.

And make sure the same method the passwords were inputted with is used to check them.

Fou-Lu
07-24-2009, 04:56 AM
Stripslashes are used to remove quotes from magic_quotes_gpc. You should always check beforehand, otherwise it will compromise some passwords: eg: mypasswordis\\. Oops, the stripslashes will remove the second last \ if magic_quotes are not enabled. I can't wait for PHP6 (magic_quotes_gpc and runtime are both history).

You won't need either actually. You may want to do it anyways for consistency, but md5 hash will always result in a 128bit hex string. For that reason you don't need to worry about a string break.

A point does go on that though, if special characters exist in the password, you must be 100% certain that whatever you did for insertion is happening with the comparison.
If magic_quotes_gpc is enabled and were not stripslashed before insertion, a password like 'I'm the best' would not match. This is since the insertion would have included the \, and the comparison does not.

Ndogg
07-24-2009, 04:57 AM
Gotcha, that's fine then.

When you say the encrypted password, do you mean that you run an md5('yourpassword'); copy that result, and put it into the password field? If so, that would indicate that your data has been encrypted twice through md5 before being stored in the database.

No, I went into the db, copied the encrypted password out of there, then pasted it into the password box.

MattF
07-24-2009, 04:59 AM
No, I went into the db, copied the encrypted password out of there, then pasted it into the password box.

That would mean that you are double encrypting the submitted password.

Fou-Lu
07-24-2009, 05:01 AM
Are you 100% certain that this is the code that the form is being posted to? It should not work, the DB I assume is already encrypted, and encrypting it again would result in a non-comparison.


Matt got one in here.
It's actually the other way around from the looks of it. If it's retrieved from the db and validates against the db, that would indicate that the processing comparison is not encrypting the value. Perhaps this: user_password='$encrypted_mypassword' is actually: user_password='$mypassword'?

Ndogg
07-24-2009, 05:02 AM
That would mean that you are double encrypting the submitted password.

Well, I tried posting the real password, and it doesn't work, so that must mean it's not checking for the encrypted password, otherwise when I tried the encrypted password, that wouldn't have worked. So there's something wrong with changing the normal password to the encrypted password.

EDIT: The form is sending the info to the correct location
<form name="form1" method="post" action="checklogin.php">

MattF
07-24-2009, 05:12 AM
First, get rid of those stripslashes lines and do stripslashes removal properly, (only if needed). Put this at the top of that file, under the opening tag:



if (get_magic_quotes_gpc() && isset($_POST))
{
    $_POST = array_map('stripslashes', $_POST);
}

Fou-Lu
07-24-2009, 05:16 AM
First, get rid of those stripslashes lines and do stripslashes removal properly, (only if needed). Put this at the top of that file, under the opening tag:



if (get_magic_quotes_gpc() && isset($_POST))
{
    $_POST = array_map('stripslashes', $_POST);
}


I would second this. A localized global stripping is better than the stripslashes one by one simply because of the get_magic_quotes_gpc.
I'll have to see on my 6-dev if @ will still allow processing. I remember testing this a bit and get_magic_quotes_gpc wasn't deprecated, it's gone. What a pain.

Ndogg
07-24-2009, 05:18 AM
This is what I'm at now, is this correct:


<?php
if (get_magic_quotes_gpc() && isset($_POST))
{
    $_POST = array_map('stripslashes', $_POST);
}
ob_start();
$host="mysql7.***************"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$encrypted_mypassword=md5($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = mysql_real_escape_string($myusername);
$encrypted_mypassword = md5(mysql_real_escape_string($mypassword));

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and user_password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("encrypted_mypassword");
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>

MattF
07-24-2009, 05:26 AM
Edited: The virtues of viewing a cached page. A five minute time lag. :D

MattF
07-24-2009, 05:28 AM
<?php

if (get_magic_quotes_gpc() && isset($_POST))
{
    $_POST = array_map('stripslashes', $_POST);
}

ob_start();

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// To protect MySQL injection (more detail about MySQL injection)
$myusername = mysql_real_escape_string($_POST['myusername']);
$encrypted_mypassword = mysql_real_escape_string(md5($_POST['mypassword']));

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and user_password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("encrypted_mypassword");
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>

Btw, you are sure they're using md5 encryption?

Fou-Lu
07-24-2009, 05:37 AM
Btw, you are sure they're using md5 encryption?

I thought about this as well, but the only way you could extract the password from the db and use it in this form would be if there are two password fields - one that's real that's md5'd from the 'fake' one, and one that may or may not be md5.
This is odd. Very odd.

MattF
07-24-2009, 05:42 AM
I'll have to see on my 6-dev if @ will still allow processing. I remember testing this a bit and get_magic_quotes_gpc wasn't deprecated, it's gone. What a pain.

They do like to make life awkward. :D I'd appreciate it if you could let me know the results. :)

Ndogg
07-24-2009, 05:43 AM
Btw, you are sure they're using md5 encryption?

Not positive

MattF
07-24-2009, 05:45 AM
Not positive

The database password is definitely encrypted? If so, I would be thinking more along the lines of SHA with a fallback to md5 for pre PHP5? versions.

Ndogg
07-24-2009, 05:51 AM
The database password is definitely encrypted? If so, I would be thinking more along the lines of SHA with a fallback to md5 for pre PHP5? versions.

It is encrypted, lol, what's SHA?

MattF
07-24-2009, 06:02 AM
http://uk3.php.net/manual/en/function.sha1.php

Fou-Lu
07-24-2009, 06:02 AM
http://php.ca/manual/en/function.sha1.php

Out of curiosity, can you try this instead:


printf("md5(%s) is %s\n", $_POST['mypassword'], $encrypted_mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$record = mysql_fetch_assoc($result);
printf("Userinfo: %s\n", print_r($record, true));


Comment out the remaining code. Create a fake user if necessary to protect personal information.


Sorry, can you post results for using a 'real' password, as well as one using the hashed password?

Ndogg
07-24-2009, 06:12 AM
http://php.ca/manual/en/function.sha1.php

Out of curiosity, can you try this instead:


printf("md5(%s) is %s\n", $_POST['mypassword'], $encrypted_mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$record = mysql_fetch_assoc($result);
printf("Userinfo: %s\n", print_r($record, true));


Comment out the remaining code. Create a fake user if necessary to protect personal information.


Sorry, can you post results for using a 'real' password, as well as one using the hashed password?


md5(Nathan1) is Userinfo: Wrong Username or Password
md5($H$9cifnoi3I7GIrHSSke3vw1wXsP.FJQ1) is Userinfo: Wrong Username or Password

Fou-Lu
07-24-2009, 06:24 AM
Definitely a problem with the $encrypted_mypassword variable.
The userinfo doesn't make any sense.

That password isn't md5. It looks kinda like blowfish, anyone know what that is offhand?

MattF
07-24-2009, 06:33 AM
Definitely a problem with the $encrypted_mypassword variable.
The userinfo doesn't make any sense.

That password isn't md5. It looks kinda like blowfish, anyone know what that is offhand?

http://php.ca/manual/en/function.crypt.php

Judging by the above, I'd say crypt using md5.

MattF
07-24-2009, 06:38 AM
md5(Nathan1) is Userinfo: Wrong Username or Password
md5($H$9cifnoi3I7GIrHSSke3vw1wXsP.FJQ1) is Userinfo: Wrong Username or Password

Can you post your code, (without the db connection info), as it is at the moment with that code of Fou-Lu's incorporated.

Ndogg
07-24-2009, 06:41 AM
<?php
ob_start();
if (get_magic_quotes_gpc() && isset($_POST))
{
    $_POST = array_map('stripslashes', $_POST);
}

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

printf("md5(%s) is %s\n", $_POST['mypassword'], $encrypted_mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$record = mysql_fetch_assoc($result);
printf("Userinfo: %s\n", print_r($record, true));

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("encrypted_mypassword");
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>

MattF
07-24-2009, 06:46 AM
<?php
ob_start();
if (get_magic_quotes_gpc() && isset($_POST))
{
    $_POST = array_map('stripslashes', $_POST);
}

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$myusername = mysql_real_escape_string($_POST['myusername']);
$encrypted_mypassword = mysql_real_escape_string(md5($_POST['mypassword']));

printf("md5(%s) is %s\n", $_POST['mypassword'], $encrypted_mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$record = mysql_fetch_assoc($result);
printf("Userinfo: %s\n", print_r($record, true));

ob_end_flush();
?>

Ndogg
07-24-2009, 06:49 AM
Is that all I need to use? With the DB connection

MattF
07-24-2009, 06:53 AM
Is that all I need to use? With the DB connection

It's just a test script to get the info from that statement Fou-Lu posted. :)

Ndogg
07-24-2009, 07:02 AM
md5(Nathan1) is 2ba043e58fc7bc90d31dd3610ca8120e Userinfo: Array ( [user_id] => 2 [user_type] => 3 [group_id] => 7 [user_permissions] => 005m9rzik0zjzik0xs zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc zik0zjzhb2tc [user_perm_from] => 0 [user_ip] => 75.45.116.173 [user_regdate] => 1248335962 [username] => Ndogg [username_clean] => ndogg [user_password] => $H$9cifnoi3I7GIrHSSke3vw1wXsP.FJQ1 [user_passchg] => 0 [user_pass_convert] => 0 [user_email] => dwightshwrute@yahoo.com [user_email_hash] => 150654301423 [user_birthday] => [user_lastvisit] => 1248345268 [user_lastmark] => 0 [user_lastpost_time] => 1248345120 [user_lastpage] => index.php [user_last_confirm_key] => [user_last_search] => 0 [user_warnings] => 0 [user_last_warning] => 0 [user_login_attempts] => 0 [user_inactive_reason] => 0 [user_inactive_time] => 0 [user_posts] => 1 [user_lang] => en [user_timezone] => 0.00 [user_dst] => 0 [user_dateformat] => D M d, Y g:i a [user_style] => 2 [user_rank] => 1 [user_colour] => FFFF00 [user_new_privmsg] => 0 [user_unread_privmsg] => 0 [user_last_privmsg] => 0 [user_message_rules] => 0 [user_full_folder] => -3 [user_emailtime] => 0 [user_topic_show_days] => 0 [user_topic_sortby_type] => t [user_topic_sortby_dir] => d [user_post_show_days] => 0 [user_post_sortby_type] => t [user_post_sortby_dir] => a [user_notify] => 0 [user_notify_pm] => 1 [user_notify_type] => 0 [user_allow_pm] => 1 [user_allow_viewonline] => 1 [user_allow_viewemail] => 1 [user_allow_massemail] => 1 [user_options] => 895 [user_avatar] => [user_avatar_type] => 0 [user_avatar_width] => 0 [user_avatar_height] => 0 [user_sig] => [user_sig_bbcode_uid] => [user_sig_bbcode_bitfield] => [user_from] => [user_icq] => [user_aim] => [user_yim] => [user_msnm] => [user_jabber] => [user_website] => [user_occ] => [user_interests] => [user_actkey] => [user_newpasswd] => [user_form_salt] => 67379adc23b67f7e ) 
Wrong Username or Password

That's what I get lol.

MattF
07-24-2009, 07:40 AM
Have a look in the main login script and see what function it uses for encrypting the passwords.

p.s: Change your password if that was a real account login. :)

Ndogg
07-24-2009, 07:52 AM
The main account login is in PhpBB, but wouldn't the passwords be encrypted in the registration page?


If you're tired of trying to figure this out, it's fine because I found a more simple version of a forum that has a lot more simple login that I might be able to use.

MattF
07-24-2009, 07:59 AM
The main account login is in PhpBB, but wouldn't the passwords be encrypted in the registration page?

The password has to be encrypted wherever it is queried against the DB. That will happen in at least register.php, (when you create the account), and login.php for when you attempt to login.




If you're tired of trying to figure this out, it's fine because I found a more simple version of a forum that has a lot more simple login that I might be able to use.

Not at all. It's merely that a simple grep of the login file will yield the encryption method far more quickly than trying to guess it. Btw, any half decent software should be encrypting the password, so switching software just for this reason is a tad drastic. :D What's the other software you're looking at, btw?

_Aerospace_Eng_
07-24-2009, 08:42 AM
I believe phpbb3 is using their own hashing function. It's called phpbb_hash which should be located in includes/functions.php. It uses /dev/urandom and md5. Looks like they are using some salting as well. From what I gather these are the functions used when registering/logging in.

function phpbb_hash($password)
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    $random_state = unique_id();
    $random = '';
    $count = 6;

    if (($fh = @fopen('/dev/urandom', 'rb')))
    {
        $random = fread($fh, $count);
        fclose($fh);
    }

    if (strlen($random) < $count)
    {
        $random = '';

        for ($i = 0; $i < $count; $i += 16)
        {
            $random_state = md5(unique_id() . $random_state);
            $random .= pack('H*', md5($random_state));
        }
        $random = substr($random, 0, $count);
    }

    $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

    if (strlen($hash) == 34)
    {
        return $hash;
    }

    return md5($password);
}

/**
 * Check for correct password
 */
function phpbb_check_hash($password, $hash)
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    if (strlen($hash) == 34)
    {
        return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
    }

    return (md5($password) === $hash) ? true : false;
}

/**
 * Generate salt for hash generation
 */
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
{
    if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
    {
        $iteration_count_log2 = 8;
    }

    $output = '$H$';
    $output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];
    $output .= _hash_encode64($input, 6, $itoa64);

    return $output;
}

/**
 * Encode hash
 */
function _hash_encode64($input, $count, &$itoa64)
{
    $output = '';
    $i = 0;

    do
    {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];

        if ($i < $count)
        {
            $value |= ord($input[$i]) << 8;
        }

        $output .= $itoa64[($value >> 6) & 0x3f];

        if ($i++ >= $count)
        {
            break;
        }

        if ($i < $count)
        {
            $value |= ord($input[$i]) << 16;
        }

        $output .= $itoa64[($value >> 12) & 0x3f];

        if ($i++ >= $count)
        {
            break;
        }

        $output .= $itoa64[($value >> 18) & 0x3f];
    }
    while ($i < $count);

    return $output;
}

/**
 * The crypt function/replacement
 */
function _hash_crypt_private($password, $setting, &$itoa64)
{
    $output = '*';

    // Check for correct hash
    if (substr($setting, 0, 3) != '$H$')
    {
        return $output;
    }

    $count_log2 = strpos($itoa64, $setting[3]);

    if ($count_log2 < 7 || $count_log2 > 30)
    {
        return $output;
    }

    $count = 1 << $count_log2;
    $salt = substr($setting, 4, 8);

    if (strlen($salt) != 8)
    {
        return $output;
    }

    /**
     * We're kind of forced to use MD5 here since it's the only
     * cryptographic primitive available in all versions of PHP
     * currently in use. To implement our own low-level crypto
     * in PHP would result in much worse performance and
     * consequently in lower iteration counts and hashes that are
     * quicker to crack (by non-PHP code).
     */
    if (PHP_VERSION >= 5)
    {
        $hash = md5($salt . $password, true);
        do
        {
            $hash = md5($hash . $password, true);
        }
        while (--$count);
    }
    else
    {
        $hash = pack('H*', md5($salt . $password));
        do
        {
            $hash = pack('H*', md5($hash . $password));
        }
        while (--$count);
    }

    $output = substr($setting, 0, 12);
    $output .= _hash_encode64($hash, 16, $itoa64);

    return $output;
}
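
The $H$ value stored in user_password is what phpbb_hash() produces (salted, iterated MD5), so a WHERE clause that compares it with a plain md5() of the submitted password can never match. The PHP below is an added example, not phpBB's code and not from any poster in this thread: it re-implements the check compactly under hypothetical function names (encode64, parse_portable_hash, portable_hash, verify_portable_hash), using a constructed password and salt.

```php
<?php
// Added example (not phpBB code). All function names here are hypothetical.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Same 6-bit, little-endian encoding as _hash_encode64() in the post above.
function encode64(string $input, int $count): string
{
    $a = ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $a[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= $a[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= $a[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= $a[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Split a stored value into its fields; null means it is not a $H$ hash.
function parse_portable_hash(string $stored): ?array
{
    if (strlen($stored) !== 34 || strncmp($stored, '$H$', 3) !== 0) {
        return null;
    }
    $log2 = strpos(ITOA64, $stored[3]);
    if ($log2 === false || $log2 < 7 || $log2 > 30) {
        return null;
    }
    return ['log2' => $log2, 'iterations' => 1 << $log2, 'salt' => substr($stored, 4, 8)];
}

// Salted MD5 repeated 2^log2 times, laid out as "$H$" + cost char + salt + digest.
function portable_hash(string $password, int $log2, string $salt): string
{
    $a = ITOA64;
    $hash = md5($salt . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return '$H$' . $a[$log2] . $salt . encode64($hash, 16);
}

// Recompute with the salt and cost taken from the stored value, then compare
// in constant time. Anything that is not a well-formed $H$ hash is rejected.
function verify_portable_hash(string $password, string $stored): bool
{
    $parts = parse_portable_hash($stored);
    if ($parts === null) {
        return false;
    }
    return hash_equals($stored, portable_hash($password, $parts['log2'], $parts['salt']));
}

// Constructed sample data: a made-up password and salt, cost 11 (2^11 rounds).
$stored = portable_hash('correct horse', 11, 'abcdefgh');

// What the login script in the thread effectively compared.
var_dump(md5('correct horse') === $stored);

// The working order: fetch the row by username only, then verify in PHP.
var_dump(verify_portable_hash('correct horse', $stored));
var_dump(verify_portable_hash('wrong guess', $stored));

// Cost and salt fields of the user_password value printed earlier in the thread.
print_r(parse_portable_hash('$H$9cifnoi3I7GIrHSSke3vw1wXsP.FJQ1'));
```

With phpBB's includes/functions.php loaded, the equivalent call is phpbb_check_hash($password, $row['user_password']) on the row selected by username.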

Ndogg
07-25-2009, 01:09 AM
Not at all. It's merely that a simple grep of the login file will yield the encryption method far more quickly than trying to guess it. Btw, any half decent software should be encrypting the password, so switching software just for this reason is a tad drastic. :D What's the other software you're looking at, btw?

PunBB :) I believe you have an account there, sent you a message.


I believe phpbb3 is using their own hashing function. It's called phpbb_hash which should be located in includes/functions.php. It uses /dev/urandom and md5. Looks like they are using some salting as well. From what I gather these are the functions used when registering/logging in.

So, what should I do?

MattF
07-25-2009, 05:54 AM
PunBB :) I believe you have an account there

I do indeed. :) I'm sod all use where 1.3* is concerned though. :D I've only ever spent about five minutes in total looking at that code.

Ndogg
07-25-2009, 07:17 AM
Well, I got an integration code so now I got it to say You need to login and stuff like that, but I would like to have a login form which I will try and do, but if anyone has this simple form please post :)


