Quale Posted December 29, 2009 Share Posted December 29, 2009 Hello, I have a vBulletin forum. vBulletin encrypts using salt (random ASCII) and md5 hash. The users salt combination can be found in the database table, named: salt Now, I have a C++ application that requires the user to log in with their forum username and password. For now, this barely works. The user is only able to log in, if they know what their encrypted password is. (since my php script that talks to the DB doesn't encrypt the password) Here is my PHP script that I use to talk to the database: <?PHP include("sql.php"); $user = $_GET['user']; $pass= $_GET['pass']; $id= $_GET['id']; $check_info = @mysql_query("SELECT * FROM `user` WHERE `username` = '$user'"); $user_info = mysql_fetch_assoc($check_info); $check_info = @mysql_query("SELECT * FROM `user` WHERE `membergroupids` = '$id'"); $user_info = mysql_fetch_assoc($check_info); if($user == $user_info['username'] && $pass == $user_info['password'] && $id == $user_info['membergroupids']) { echo 'true'; } else { echo 'false'; } ?> And the attached file is how vbulletin encrypts their password. (too long to post) - How do I encrypt the entered password the same way vBulletin does using the php script? Any help is highly appreciated. ~Quale [attachment deleted by admin] Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/ Share on other sites More sharing options...
premiso Posted December 29, 2009 Share Posted December 29, 2009 First up, the password is not encrypted as if it was you could decrypt it It is hashed. Second, I am not sure what your question is, but I am sure if your C++ application talks to the MySQL database you can find a C++ version of MD5 and use that with the salt from the DB to figure out if the password entered into the C++ application is valid or not. Another alternative is create a simple PHP script that uses vbulletin's hashing system and send the password entered into C++ into that php script, run it and get back a hashed version of the password and use that for validation. Hopefully that answers your question. C++ MD5 Resource: http://stackoverflow.com/questions/1892242/calculate-md5-in-c Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985203 Share on other sites More sharing options...
Quale Posted December 29, 2009 Author Share Posted December 29, 2009 Another alternative is create a simple PHP script that uses vbulletin's hashing system and send the password entered into C++ into that php script, run it and get back a hashed version of the password and use that for validation. This is exactly what I need ! But I have NO idea how to make that work in the script that I have. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985204 Share on other sites More sharing options...
premiso Posted December 29, 2009 Share Posted December 29, 2009 Not sure, but you will either have to make a remote webpage call or, if the application is local to the server make a call to php to run the script using PHP CLI. If you want to do the remote webpage call (cause you want this to work on a system other than your server), you will probably have to take this question to either our "Other Languages" forum here or to a C++ forum. But before you do that, try google first and see how to contact a remote site. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985206 Share on other sites More sharing options...
Quale Posted December 29, 2009 Author Share Posted December 29, 2009 Not sure, but you will either have to make a remote webpage call or, if the application is local to the server make a call to php to run the script using PHP CLI. If you want to do the remote webpage call (cause you want this to work on a system other than your server), you will probably have to take this question to either our "Other Languages" forum here or to a C++ forum. But before you do that, try google first and see how to contact a remote site. I have the application part ready (remote) totally finished I can log in with the hashed password and username.. hell, it even checks the forum rank but, the php file needs to hash it using md5 and vbulletins-3-character salt. in PHP Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985208 Share on other sites More sharing options...
oni-kun Posted December 29, 2009 Share Posted December 29, 2009 Why does it need to in PHP? As mentioned before you can pull the SALT from the database and hash the password with C++. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985209 Share on other sites More sharing options...
Quale Posted December 29, 2009 Author Share Posted December 29, 2009 Why does it need to in PHP? As mentioned before you can pull the SALT from the database and hash the password with C++. You mean I can directly talk to the database using C++? because the salt thingy is different for every user, so I need to get it from the DB. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985210 Share on other sites More sharing options...
oni-kun Posted December 29, 2009 Share Posted December 29, 2009 Why does it need to in PHP? As mentioned before you can pull the SALT from the database and hash the password with C++. You mean I can directly talk to the database using C++? because the salt thingy is different for every user, so I need to get it from the DB. Yeah, you can talk to your database. I'm not sure if externally but it should be simple if you have shell/SSH access. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985211 Share on other sites More sharing options...
Quale Posted December 29, 2009 Author Share Posted December 29, 2009 Thanks a lot for your help oni-kun, but I'd really like to do it in PHP, especially since i've spent quite some time perfecting the php file to my needs so far. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985212 Share on other sites More sharing options...
premiso Posted December 29, 2009 Share Posted December 29, 2009 Well you have a something to think about. In order to make a request for a hashed password or for the salt you want to encrypt that data and you also want a validation key sent with it. As anyone with a network monitor can see what is being sent across the network and to where which could potentially be used to grab all the users salts and using that to hack accounts. The method of encryption will need to be able to be used on both sides and have to have the valid key passed etc. How to do that I am not sure, but I am sure you can find a common encryption method between C++ and PHP where they both can validate a public key being sent. I have never attempted to do this, but you have to be cautious as if you do not take the methods to secure it can be used to hack accounts on your site. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985217 Share on other sites More sharing options...
Quale Posted December 29, 2009 Author Share Posted December 29, 2009 I want to thank everyone for their help on the matter, but someone @ vBulletin forums helped me out.. this is the final script: <?PHP include("sql.php"); $user = addslashes($_GET['user']); $pass= $_GET['pass']; $id= is_numeric($_GET['id'])?$_GET['id']:0; $check_info = @mysql_query("SELECT * FROM `user` WHERE `username` = '$user'"); $user_info = mysql_fetch_assoc($check_info); $encpassword = md5(md5($pass).$user_info['salt']); $usergroups = explode(',',$user_info['membergroupids']); $usergroups[] = $user_info['usergroupid']; //checking primary group as well now, isn't rly needed. if($encpassword == $user_info['password'] and in_array($id,$usergroups)) { echo 'true'; } else { echo 'false'; } ?> SOLVED! Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985642 Share on other sites More sharing options...
premiso Posted December 29, 2009 Share Posted December 29, 2009 Just an FYI, if the C++ software does anything with user information I would look into a better way, as it would be really easy to setup a spoofed site using a local server that just echos true / false using the HOSTS file to point it to your own. So if all you are doing is displaying stats, that is fine. But just know that anyone can be validated for any user with that script / logic if they know how. Quote Link to comment https://forums.phpfreaks.com/topic/186551-encrypt-password-with-md5-and-salt-from-db-table/#findComment-985650 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.