PcGeniusProductions Posted April 21, 2008 Share Posted April 21, 2008 Hi there... I am trying to integrate an application database with joomla, which uses MD5+Salt. The app already has MD5, but to let it understand joomla, it needs salt... here is my current md5 code md5($password) What would I need to do to this to make it think like Joomla? I dontthink adding a regular salt is going to work, I think joomla has it different... I dont reli have a clue, Basically, if anyone has any ideas, please let me know cuzz I just spent a full 2 days wasting my time trying to find an answer. Thanks in Advance. Quote Link to comment Share on other sites More sharing options...
DarkWater Posted April 21, 2008 Share Posted April 21, 2008 I didn't know md5 could use salts. Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 Well, Joomla found a way and now it both secure and annoying! Quote Link to comment Share on other sites More sharing options...
Fadion Posted April 21, 2008 Share Posted April 21, 2008 It depends on the salt joomla uses. Im sure u know how to use salts, but an example: <?php $pass = '123456'; $salt = 'joomla'; $enc = md5($pass.$salt); ?> Usually it is a good technique to salt the username or any dynamic data which can be easily retrieved. Do a research and see if u can find what type of salt joomla uses. Quote Link to comment Share on other sites More sharing options...
DarkWater Posted April 21, 2008 Share Posted April 21, 2008 MD5 does not use salts. At all. string md5 ( string $str [, bool $raw_output ] ) That's all you can do with MD5. Raw_output outputs a 16 char binary string. Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 then how on earth has joomla managed to do it? I know a few salting scripts, but none that match joomlas. Quote Link to comment Share on other sites More sharing options...
Fadion Posted April 21, 2008 Share Posted April 21, 2008 m8 salt is not a parameter of md5(), its just a technique to increase security. As in the example i gave, salts are just concatenated to the original password and the output is always 16 chars. Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 OK... then I really don't understand. If what you guys are saying is true, then why wont my script work when using MD5 alone? Or does joomla ONLY salt passwords? I don't hard code PHP too much so this is very frustrating Quote Link to comment Share on other sites More sharing options...
DarkWater Posted April 21, 2008 Share Posted April 21, 2008 mate salt is not a parameter of md5(), its just a technique to increase security. As in the example i gave, salts are just concatenated to the original password and the output is always 16 chars. 1) The output of MD5 is 32 characters if it's not in binary form. =) 2) Most functions use salts as a separate parameter, like the MySQL encrypt functions and PHP's crypt() function. Just to let you know. It actually uses the salt in the hashing process. Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 would it be of any help to post my PHP script for you to see? that way you see what I mean. Someone who uses joomla will know of their encryption and how to replicate it. Quote Link to comment Share on other sites More sharing options...
DarkWater Posted April 21, 2008 Share Posted April 21, 2008 Posting it would help a LOT. Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 <?php // users.php :: Handles user account functions. include('lib.php'); $link = opendb(); if (isset($_GET["do"])) { $do = $_GET["do"]; if ($do == "register") { register(); } elseif ($do == "verify") { verify(); } elseif ($do == "lostpassword") { lostpassword(); } elseif ($do == "changepassword") { changepassword(); } } function register() { // Register a new account. $controlquery = doquery("SELECT * FROM {{table}} WHERE id='1' LIMIT 1", "control"); $controlrow = mysql_fetch_array($controlquery); if (isset($_POST["submit"])) { extract($_POST); $errors = 0; $errorlist = ""; // Process username. if ($username == "") { $errors++; $errorlist .= "Username field is required.<br />"; } if (preg_match("/[^A-z0-9_\-]/", $username)==1) { $errors++; $errorlist .= "Username must be alphanumeric.<br />"; } // Thanks to "Carlos Pires" from php.net! $usernamequery = doquery("SELECT username FROM {{table}} WHERE username='$username' LIMIT 1","users"); if (mysql_num_rows($usernamequery) > 0) { $errors++; $errorlist .= "Username already taken - unique username required.<br />"; } // Process charname. if ($charname == "") { $errors++; $errorlist .= "Character Name field is required.<br />"; } if (preg_match("/[^A-z0-9_\-]/", $charname)==1) { $errors++; $errorlist .= "Character Name must be alphanumeric.<br />"; } // Thanks to "Carlos Pires" from php.net! $characternamequery = doquery("SELECT charname FROM {{table}} WHERE charname='$charname' LIMIT 1","users"); if (mysql_num_rows($characternamequery) > 0) { $errors++; $errorlist .= "Character Name already taken - unique Character Name required.<br />"; } // Process email address. if ($email1 == "" || $email2 == "") { $errors++; $errorlist .= "Email fields are required.<br />"; } if ($email1 != $email2) { $errors++; $errorlist .= "Emails don't match.<br />"; } if (! is_email($email1)) { $errors++; $errorlist .= "Email isn't valid.<br />"; } $emailquery = doquery("SELECT email FROM {{table}} WHERE email='$email1' LIMIT 1","users"); if (mysql_num_rows($emailquery) > 0) { $errors++; $errorlist .= "Email already taken - unique email address required.<br />"; } // Process password. if (trim($password1) == "") { $errors++; $errorlist .= "Password field is required.<br />"; } if (preg_match("/[^A-z0-9_\-]/", $password1)==1) { $errors++; $errorlist .= "Password must be alphanumeric.<br />"; } // Thanks to "Carlos Pires" from php.net! if ($password1 != $password2) { $errors++; $errorlist .= "Passwords don't match.<br />"; } $password = md5($password1); if ($errors == 0) { if ($controlrow["verifyemail"] == 1) { $verifycode = ""; for ($i=0; $i<8; $i++) { $verifycode .= chr(rand(65,90)); } } else { $verifycode='1'; } $query = doquery("INSERT INTO {{table}} SET id='',regdate=NOW(),verify='$verifycode',username='$username',password='$password',email='$email1',charname='$charname',charclass='$charclass',difficulty='$difficulty'", "users") or die(mysql_error()); if ($controlrow["verifyemail"] == 1) { if (sendregmail($email1, $verifycode) == true) { $page = "Your account was created successfully.<br /><br />You should receive an Account Verification email shortly. You will need the verification code contained in that email before you are allowed to log in. Once you have received the email, please visit the <a href=\"users.php?do=verify\">Verification Page</a> to enter your code and start playing."; } else { $page = "Your account was created successfully.<br /><br />However, there was a problem sending your verification email. Please check with the game administrator to help resolve this problem."; } } else { $page = "Your account was created succesfully.<br /><br />You may now continue to the <a href=\"login.php?do=login\">Login Page</a> and continue playing ".$controlrow["gamename"]."!"; } } else { $page = "The following error(s) occurred when your account was being made:<br /><span style=\"color:red;\">$errorlist</span><br />Please go back and try again."; } } else { $page = gettemplate("register"); if ($controlrow["verifyemail"] == 1) { $controlrow["verifytext"] = "<br /><span class=\"small\">A verification code will be sent to the address above, and you will not be able to log in without first entering the code. Please be sure to enter your correct email address.</span>"; } else { $controlrow["verifytext"] = ""; } $page = parsetemplate($page, $controlrow); } $topnav = "<a href=\"login.php?do=login\"><img src=\"images/button_login.gif\" alt=\"Log In\" border=\"0\" /></a><a href=\"users.php?do=register\"><img src=\"images/button_register.gif\" alt=\"Register\" border=\"0\" /></a><a href=\"help.php\"><img src=\"images/button_help.gif\" alt=\"Help\" border=\"0\" /></a>"; display($page, "Register", false, false, false); } function verify() { if (isset($_POST["submit"])) { extract($_POST); $userquery = doquery("SELECT username,email,verify FROM {{table}} WHERE username='$username' LIMIT 1","users"); if (mysql_num_rows($userquery) != 1) { die("No account with that username."); } $userrow = mysql_fetch_array($userquery); if ($userrow["verify"] == 1) { die("Your account is already verified."); } if ($userrow["email"] != $email) { die("Incorrect email address."); } if ($userrow["verify"] != $verify) { die("Incorrect verification code."); } // If we've made it this far, should be safe to update their account. $updatequery = doquery("UPDATE {{table}} SET verify='1' WHERE username='$username' LIMIT 1","users"); display("Your account was verified successfully.<br /><br />You may now continue to the <a href=\"login.php?do=login\">Login Page</a> and start playing the game.<br /><br />Thanks for playing!","Verify Email",false,false,false); } $page = gettemplate("verify"); $topnav = "<a href=\"login.php?do=login\"><img src=\"images/button_login.gif\" alt=\"Log In\" border=\"0\" /></a><a href=\"users.php?do=register\"><img src=\"images/button_register.gif\" alt=\"Register\" border=\"0\" /></a><a href=\"help.php\"><img src=\"images/button_help.gif\" alt=\"Help\" border=\"0\" /></a>"; display($page, "Verify Email", false, false, false); } function lostpassword() { if (isset($_POST["submit"])) { extract($_POST); $userquery = doquery("SELECT email FROM {{table}} WHERE email='$email' LIMIT 1","users"); if (mysql_num_rows($userquery) != 1) { die("No account with that email address."); } $newpass = ""; for ($i=0; $i<8; $i++) { $newpass .= chr(rand(65,90)); } $md5newpass = md5($newpass); $updatequery = doquery("UPDATE {{table}} SET password='$md5newpass' WHERE email='$email' LIMIT 1","users"); if (sendpassemail($email,$newpass) == true) { display("Your new password was emailed to the address you provided.<br /><br />Once you receive it, you may <a href=\"login.php?do=login\">Log In</a> and continue playing.<br /><br />Thank you.","Lost Password",false,false,false); } else { display("There was an error sending your new password.<br /><br />Please check with the game administrator for more information.<br /><br />We apologize for the inconvience.","Lost Password",false,false,false); } die(); } $page = gettemplate("lostpassword"); $topnav = "<a href=\"login.php?do=login\"><img src=\"images/button_login.gif\" alt=\"Log In\" border=\"0\" /></a><a href=\"users.php?do=register\"><img src=\"images/button_register.gif\" alt=\"Register\" border=\"0\" /></a><a href=\"help.php\"><img src=\"images/button_help.gif\" alt=\"Help\" border=\"0\" /></a>"; display($page, "Lost Password", false, false, false); } function changepassword() { if (isset($_POST["submit"])) { extract($_POST); $userquery = doquery("SELECT * FROM {{table}} WHERE username='$username' LIMIT 1","users"); if (mysql_num_rows($userquery) != 1) { die("No account with that username."); } $userrow = mysql_fetch_array($userquery); if ($userrow["password"] != md5($oldpass)) { die("The old password you provided was incorrect."); } if (preg_match("/[^A-z0-9_\-]/", $newpass1)==1) { die("New password must be alphanumeric."); } // Thanks to "Carlos Pires" from php.net! if ($newpass1 != $newpass2) { die("New passwords don't match."); } $realnewpass = md5($newpass1); $updatequery = doquery("UPDATE {{table}} SET password='$realnewpass' WHERE username='$username' LIMIT 1","users"); if (isset($_COOKIE["dkgame"])) { setcookie("dkgame", "", time()-100000, "/", "", 0); } display("Your password was changed successfully.<br /><br />You have been logged out of the game to avoid cookie errors.<br /><br />Please <a href=\"login.php?do=login\">log back in</a> to continue playing.","Change Password",false,false,false); die(); } $page = gettemplate("changepassword"); $topnav = "<a href=\"login.php?do=login\"><img src=\"images/button_login.gif\" alt=\"Log In\" border=\"0\" /></a><a href=\"users.php?do=register\"><img src=\"images/button_register.gif\" alt=\"Register\" border=\"0\" /></a><a href=\"help.php\"><img src=\"images/button_help.gif\" alt=\"Help\" border=\"0\" /></a>"; display($page, "Change Password", false, false, false); } function sendpassemail($emailaddress, $password) { $controlquery = doquery("SELECT * FROM {{table}} WHERE id='1' LIMIT 1", "control"); $controlrow = mysql_fetch_array($controlquery); extract($controlrow); $email = <<<END You or someone using your email address submitted a Lost Password application on the $gamename server, located at $gameurl. We have issued you a new password so you can log back into the game. Your new password is: $password Thanks for playing. END; $status = mymail($emailaddress, "$gamename Lost Password", $email); return $status; } function sendregmail($emailaddress, $vercode) { $controlquery = doquery("SELECT * FROM {{table}} WHERE id='1' LIMIT 1", "control"); $controlrow = mysql_fetch_array($controlquery); extract($controlrow); $verurl = $gameurl . "?do=verify"; $email = <<<END You or someone using your email address recently signed up for an account on the $gamename server, located at $gameurl. This email is sent to verify your registration email. In order to begin using your account, you must verify your email address. Please visit the Verification Page ($verurl) and enter the code below to activate your account. Verification code: $vercode If you were not the person who signed up for the game, please disregard this message. You will not be emailed again. END; $status = mymail($emailaddress, "$gamename Account Verification", $email); return $status; } function mymail($to, $title, $body, $from = '') { // thanks to arto dot PLEASE dot DO dot NOT dot SPAM at artoaaltonen dot fi. $controlquery = doquery("SELECT * FROM {{table}} WHERE id='1' LIMIT 1", "control"); $controlrow = mysql_fetch_array($controlquery); extract($controlrow); $from = trim($from); if (!$from) { $from = '<'.$controlrow["adminemail"].'>'; } $rp = $controlrow["adminemail"]; $org = '$gameurl'; $mailer = 'PHP'; $head = ''; $head .= "Content-Type: text/plain \r\n"; $head .= "Date: ". date('r'). " \r\n"; $head .= "Return-Path: $rp \r\n"; $head .= "From: $from \r\n"; $head .= "Sender: $from \r\n"; $head .= "Reply-To: $from \r\n"; $head .= "Organization: $org \r\n"; $head .= "X-Sender: $from \r\n"; $head .= "X-Priority: 3 \r\n"; $head .= "X-Mailer: $mailer \r\n"; $body = str_replace("\r\n", "\n", $body); $body = str_replace("\n", "\r\n", $body); return mail($to, $title, $body, $head); } ?> Only the username, password and email need setting to jos_users instead of {{table}} Quote Link to comment Share on other sites More sharing options...
Fadion Posted April 21, 2008 Share Posted April 21, 2008 lol its just that i use sha1() so i didnt think too much about the nr of chars. I know that salt can be used as a parameter: "string crypt ( string $str [, string $salt ] )". With md5 u hash the string with a concatenated salt, thats all about it. @PcGeniusProductions, i made a simple search for the joomla salt and there are several topics on their forums with your same problem. The only answered topic i found is with the following lines and taking those for granted, joomla generates a random salt with mosMakePassword(), hashes it with md5() and saves it in mysql: $salt = mosMakePassword(16); $crypt = md5($pwd.$salt); $row->password = $crypt.':'.$salt; mosMakePassword($length= Random password generator return: password So a scenario would be: <?php $salt = 'random123456'; $crypt = md5('mypass'.'random123456'); $row->password = $crypt.':'.$salt; //which would echo: ff80f7438b24e0a27b41d0c28c483f67:random123456 ?> The salt is stored in the db next to the username (seperated by:). Get it? Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 ... I understand what your saying,,, but how on earth do I implement that code? Is there no way to disable Joomlas Salting? just use pure MD5? Quote Link to comment Share on other sites More sharing options...
DarkWater Posted April 21, 2008 Share Posted April 21, 2008 lol its just that i use sha1() so i didnt think too much about the nr of chars. I know that salt can be used as a parameter: "string crypt ( string $str [, string $salt ] )". With md5 u hash the string with a concatenated salt, thats all about it. @PcGeniusProductions, i made a simple search for the joomla salt and there are several topics on their forums with your same problem. The only answered topic i found is with the following lines and taking those for granted, joomla generates a random salt with mosMakePassword(), hashes it with md5() and saves it in mysql: $salt = mosMakePassword(16); $crypt = md5($pwd.$salt); $row->password = $crypt.':'.$salt; mosMakePassword($length= Random password generator return: password So a scenario would be: <?php $salt = 'random123456'; $crypt = md5('mypass'.'random123456'); $row->password = $crypt.':'.$salt; //which would echo: ff80f7438b24e0a27b41d0c28c483f67:random123456 ?> The salt is stored in the db next to the username (seperated by:). Get it? Lol, okay. Quote Link to comment Share on other sites More sharing options...
Fadion Posted April 21, 2008 Share Posted April 21, 2008 If u search in google for "mosMakePassword" we will get info of where that function is being used, meaning in what files. What i can think is of editing all those pages (mainly admin and user profiles) and remove the "$salt=mosMakePassword()" line and all the salt related stuff. Or just stick to the way they programmed it and add to the md5($pass) the salt like the example i gave before using mosMakePassword(). Quote Link to comment Share on other sites More sharing options...
redarrow Posted April 21, 2008 Share Posted April 21, 2008 Use md5 and sha1 this way it works fine for me lol..... where sha1 is u can also use the salt function ok......... <?php $password=md5(sha1(md5("123454322"))); echo $password; ?> Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 Oh, this looks promising, let me test this... Quote Link to comment Share on other sites More sharing options...
Fadion Posted April 21, 2008 Share Posted April 21, 2008 lol redarrow, u are md5-ing the sha1 md5-d of '12345322' . Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 listen guys, its late, nearly 3:30AM, this integration aint a matter of life and death. I can live without it. Lets save a few headaches and drop the subject. I will contact the designer and pay him to mod the files. Cheers for your Help. Quote Link to comment Share on other sites More sharing options...
Fadion Posted April 21, 2008 Share Posted April 21, 2008 Im ok with "if i cant do it, pay someone else to do it", but u have to try your best before. Sure it is kinda frustrating opening all those files with infinite lines of code and change just a couple of lines, but it can be done. Anyway the bad part of this is that u wont learn anything in the process, just find/replace :S. Quote Link to comment Share on other sites More sharing options...
PcGeniusProductions Posted April 21, 2008 Author Share Posted April 21, 2008 yeah true, that is frustrating, but I am more a business man than a programmer. Anyway, im cloding this thread, just want to say thanks to everyone who helped me... I got it to register as salted, but not login, I wanted it other way round, lol. Cya'll. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.