
Password Salt help


ferret147


I have a vBulletin installation and I would like to use the users table from this forum to make a custom log-in script for the rest of my website.  I am using the User Authentication wizards in Dreamweaver to kick start the log in scripts then hand coding in the encryption then eventually the cookies.

 

vBulletin encrypts their passwords like this - md5(md5($password).$salt)

 

Here is the standard code that Dreamweaver puts into the page for you (If you do not want to use any encryption this all works fine)

<?php require_once('../Connections/VB.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$_POST['Password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "test2.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_VB, $VB);
  
  $LoginRS__query=sprintf("SELECT username, password FROM user WHERE username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
   
  $LoginRS = mysql_query($LoginRS__query, $VB) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>login test</title>
</head>

<body>
<form id="login" name="login" method="POST" action="<?php echo $loginFormAction; ?>">
  <label>Username -
  <input name="Username" type="text" id="Username" />
  </label>
  <p>
    <label>Password -
    <input name="Password" type="text" id="Password" />
    </label>
  </p>
  <p>
    <label>
    <input name="Login" type="submit" id="Login" value="Log-In" />
    </label>
  </p>
</form>
</body>
</html>

 

I need to figure out how to get the salt from the users table in the database so I can encrypt the entered password in the forum

 

Here is an example of a failed attempt

 

I put the encryption on the post data from the forum but the $salt value would not work here as I have not yet got it from the database.

 

$password=md5(md5($_POST['Password']).$salt);

 

$LoginRS__query=sprintf("SELECT username, salt, password FROM user WHERE username='%s' AND salt='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $salt : addslashes($salt), get_magic_quotes_gpc() ? $password : addslashes($password)); 

 

I also tried this;

$LoginRS__query=sprintf("SELECT username, salt, password FROM user WHERE username='%s' AND salt='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $salt : addslashes($salt),$password=md5(md5($_POST['Password']).$salt), get_magic_quotes_gpc() ? $password : addslashes($password)); 

 

Thought that would have done the job but it didn't :(

 

So if anybody has any clue on this the help would be appreciated.

Link to comment
Share on other sites

Yeah exactly, but the password is stored in the database encrypted with the salt like this - md5(md5($password).salt)

 

So when we type a password into the form to log in it has to encrypt the same way to compare them, so we have to go into the database and grab that salt to be able to encrypt the password we enter into the forum.

Link to comment
Share on other sites

Right so all I need to do is grab the salt for the entered user then I will have the password because then I can encrypt it using md5 and the salt.

 

But how do I do this all in one operation, ie;

 

  • Enter Username & Password
  • Click Submit
  • Grab salt that corresponds to entered user
  • run encryption on password
  • Compare encrypted password from form with the one in the database if matches login if not fail.

 

The code I already have does everything apart from getting the salt from the table then encrypting.

Link to comment
Share on other sites


# PSEUDOCODE #

$posted_username = $_POST['username']
$posted_password = $_POST['password']

SELECT salt, password FROM user WHERE username='$posted_username'
if (no rows returned) {
//login failed - no user found with such username
} else {
  //store the query results in
  // $db_salt
  // $db_password

  if ($db_password == md5(md5($posted_password).$db_salt)) {
    //login successful
  } else {
    //login failed - password mismatch
  }

}

Link to comment
Share on other sites
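
The steps in the pseudocode above, written out as runnable PHP. This is an added example, not code from the thread or from vBulletin: it uses PDO prepared statements (the mysql_* functions used in this thread were removed in PHP 7) and hash_equals() for the comparison. The in-memory SQLite database, the sample row and the function names vb_hash and vb_check_login are constructed for illustration.

```php
<?php
// Added example: vBulletin-style check, md5(md5($password) . $salt), in one request.
// Table and column names follow the thread; the database and its row are constructed.

function vb_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

function vb_check_login(PDO $db, string $username, string $password): bool
{
    // Step 1: look the user up by username only. The placeholder keeps the
    // value out of the SQL text, so no addslashes()/magic-quotes handling is needed.
    $stmt = $db->prepare('SELECT salt, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // no user with that username
    }

    // Step 2: hash the submitted password with that user's salt and compare
    // it with the stored hash in constant time.
    return hash_equals($row['password'], vb_hash($password, $row['salt']));
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, salt TEXT, password TEXT)');
$salt = 'x9!'; // constructed salt
$db->prepare('INSERT INTO user VALUES (?, ?, ?)')
   ->execute(['ferret', $salt, vb_hash('correct horse', $salt)]);

$attempts = [
    ['ferret', 'correct horse'],  // right password
    ['ferret', 'wrong'],          // wrong password
    ['nobody', 'correct horse'],  // no such user
    ["o'brien", 'anything'],      // apostrophe is handled as data, no escaping needed
];
foreach ($attempts as [$u, $p]) {
    printf("%-10s %s\n", $u, vb_check_login($db, $u, $p) ? 'login ok' : 'login failed');
}
```
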

Right so that is exactly like the original code above

 

  $LoginRS = mysql_query($LoginRS__query, $VB) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;         

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];   
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

 

But all I have to do is add a new if statement to encrypt the password and check it.

 

OK cool, thanks.  I'll try that after a cuppa tea and get back to you ;)

Link to comment
Share on other sites

SELECT username, salt, password FROM user WHERE username='?'

 

 

You could actually do it in just MySQL, but there's not really an advantage to doing that.

 

 

WHERE username = 'blah' AND MD5(CONCAT(MD5(password), salt)) = 'the hash'

Link to comment
Share on other sites

Yeah and no lol

 

This is doing my head in now, been trying to do this for hours :)

 

Right I did try;

SELECT username, password, salt FROM user WHERE username='%s' AND password = 'MD5((MD5($password), salt))'"

 

I did it the way round you had suggested but it was back to front, it was looking for a table row of the name for the password!

 

My problem is I need to base this on the code from my original post because the current 120 page website uses the Dreamweaver User Authentication right through the site including in the admin section.

 

As far as I can see it cannot be done (with my limited knowledge) in one step, the only way I can see to achieve this would be doing it in two steps. I know it is going to be clumsy and very untidy but to get this done I think I will have to do it like this;

 

Page Login

 

Enter username - post username to page login2

 

Page login2

use the posted data to get the username, password, salt and save as server sessions

ask for user to enter password and login

 

on submit use the user name in a session to post to original Dreamweaver script and encrypt the password with the salt stored in a session.

Link to comment
Share on other sites

I'm procrastinating finishing a research paper, so I shall write a full example:

 

 

<?php

session_start();

$success = false;
$error = '';

if($_POST) {
    mysql_connect();
    mysql_select_db();
    $username = (isset($_POST['username'])) ? trim($_POST['username']) : '';
    $password = (isset($_POST['password'])) ? trim($_POST['password']) : '';
    if(empty($username) || empty($password)) {
        $error = 'Please make sure to enter a username and password';
    }
    else {
        // salt is the column of the matching row, so the hash comparison happens inside MySQL
        $q = mysql_query(sprintf("SELECT 1 FROM user WHERE username = '%s' AND password = MD5(CONCAT(MD5('%s'), salt));", mysql_real_escape_string($username), mysql_real_escape_string($password)));
        if(mysql_num_rows($q)) {
            $success = true;
            $_SESSION['username'] = $username;
            //you would probably want to do something more elegant than this....  You would probably also want to pull the username from the DB and maybe get some other info
        }
    }
}

if(!$success) {
    if(!empty($error)) echo $error;
    ?>
<form action="" method="POST">
    <input type="text" name="username" /><br />
    <input type="password" name="password" /><br />
    <input type="submit" value="Login">
</form>
<?php
}

Link to comment
Share on other sites
