lost_again Posted January 23, 2016

I have changed my forum from an old version to a new version. The old version used MD5 and the new version uses MD5 and salt as their secure password. My members run an app that looks at their username and password from the forum database and lets them record online lap times from a game. I can't get the app to see the password anymore. The app looks at this piece of PHP code. Please can you help me?

THIS WORKED ON OLD FORUM WITH JUST MD5

    $mysqlcon = mysql_connect('localhost', 'user', 'password') or die('Could not connect: ' . mysql_error());
    mysql_select_db('database') or die('Could not select database');
    $passhash = md5($passwd );
    $authresult = mysql_query("SELECT username,password from forum_users WHERE username='$username' AND password='$passhash' ") or die('mysql error: ' . mysql_error() );

And this works on a temporary db with no MD5 or salt

    $authresult = mysql_query("SELECT username,password FROM forum_users WHERE username='$username' AND password='$passwd' ") or die('mysql error: ' . mysql_error() );

THIS DOES NOT WORK ON NEW FORUM WITH MD5 and SALT

    $mysqlcon = mysql_connect('localhost', 'user', 'password') or die('Could not connect: ' . mysql_error());
    mysql_select_db('database') or die('Could not select database');
    // I tried this
    $passhash == md5($salt['passwd'])
    // I tried this
    $passhash = md5($salt['passwd'])
    // I tried this
    $passhash == md5($passwd . salt );
    // I tried this
    $passhash = md5($passwd . salt );
    $authresult = mysql_query("SELECT username,password from forum_users WHERE username='$username' AND password='$passhash' ") or die('mysql error: ' . mysql_error() );

It's been years since my last coding, so I am a real newb again.

QuickOldCar Posted January 23, 2016

Your old saved md5 passwords in the database never had a salt, so adding a salt to new login will never be able to match. You need to email all users a temp link or password to log in with and have them set a new password that now includes the salt.

mysql_* functions are deprecated and you should look into using mysqli_* or PDO.

md5 is not safe to use because attackers can use rainbow tables and it is possible to discover it; use password_hash and password_verify instead.

Jacques1 Posted January 23, 2016

I'm afraid you haven't just missed a few years. Your code is ~15 years out of date.

MD5 may have been acceptable in the 90s when PCs were relatively slow. Now it's 2016. A single stock PC can easily calculate billions(!) of MD5 hashes per second, which means you might as well store the passwords as plaintext. An attacker doesn't even care about your salts. The only way to keep your passwords relatively secure today is a specialized password hash algorithm like bcrypt.

The rest of your code doesn't really look any better:

- The mysql_* functions have been obsolete for more than a decade and have been removed from PHP. Nowadays, we use PDO.
- You don't seem to escape your query input anywhere, which is a gigantic security risk. Nowadays, we use prepared statements.
- The whole error handling is broken beyond repair. For some reason you think it's a good idea to display all internal error messages to the user, making it easy for an attacker to gain information about your system.

Frankly, I doubt that your code can be fixed. Removing all the atrocities in this small snippet alone takes longer than starting from scratch. Maybe you should just write it off as a sin of your youth, learn how to program in the 21st century and start over.

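The three points raised in the replies above (a bcrypt-based hash, PDO prepared statements, and errors kept out of the response) combined into one login check. This is an added example, not code from the thread or from either forum package; the table `app_users`, its columns, the in-memory SQLite DSN and the sample user are assumptions made so that it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example: app_users, username and password_hash are assumed names.
function connect(): PDO
{
    // In-memory SQLite keeps the example self-contained; use your MySQL DSN in practice.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE app_users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $pdo;
}

function register(PDO $pdo, string $username, string $password): void
{
    // PASSWORD_BCRYPT generates a random per-user salt and embeds it in the hash string,
    // so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $pdo->prepare('INSERT INTO app_users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function authenticate(PDO $pdo, string $username, string $password): bool
{
    try {
        // Look the row up by username only; the hash comparison happens in PHP,
        // and the bound parameter is never interpreted as SQL.
        $stmt = $pdo->prepare('SELECT password_hash FROM app_users WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $hash = $stmt->fetchColumn(); // false when no such user exists
    } catch (PDOException $e) {
        error_log('auth query failed: ' . $e->getMessage()); // server log, not the response
        return false;
    }
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data.
$pdo = connect();
register($pdo, 'racer1', 'constructed-sample-password');
var_dump(authenticate($pdo, 'racer1', 'constructed-sample-password'));
var_dump(authenticate($pdo, 'racer1', 'wrong-password'));
var_dump(authenticate($pdo, "racer1' OR '1'='1", 'anything'));
```

Only the first call succeeds; the quoted username in the last call is matched literally against the column and finds no row.
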
lost_again Posted January 23, 2016

> Your old saved md5 passwords in the database never had a salt, so adding a salt to new login will never be able to match. You need to email all users a temp link or password to log in with and have them set a new password that now includes the salt.
>
> mysql_* functions are deprecated and you should look into using mysqli_* or PDO.
>
> md5 is not safe to use because attackers can use rainbow tables and it is possible to discover it; use password_hash and password_verify instead.

Old forum was e107 using MD5, new forum is MyBB and I think it is MD5 with salt, and all members have re register there. I do have a temp login for them at this time, but the password is in plaintext; that is why I'm trying to get the new forum login username and password to work with the app they use to record online game times. I will look into PDO, but first I would like to get the old code to work, then I'll change it to be more secure.

lost_again Posted January 23, 2016

Found this in the member.php forum code:

    $logindetails = update_password($user['uid'], md5($password), $user['salt']);

So I tried this but it still didn't work:

    $passhash = md5($password), $user['salt']);

QuickOldCar Posted January 23, 2016

Show the update_password() function so we can see how they are combining them to make the final hashed password.

Jacques1 Posted January 23, 2016

Yay. Here's your next batch of MD5 hashes, haveibeenpwned.com. What would the criminals do without PHP developers?

lost_again Posted January 23, 2016

> Yay. Here's your next batch of MD5 hashes, haveibeenpwned.com. What would the criminals do without PHP developers?

I'm sorry if you think I'm trying to get my members' passwords. I already can see them in my temp login. All I'm trying to do is make my code work for my members' security. You can delete this post if you are uncomfortable with it.

lost_again Posted January 23, 2016

> Show the update_password() function so we can see how they are combining them to make the final hashed password.

    function update_password($uid, $password, $salt="")

lost_again Posted January 23, 2016

I also tried this:

    $passhash = md5(md5($salt).md5($passwd));

It still didn't work. The app that members use just looks at my code and verifies user and password; if they don't match they can't use the app.

QuickOldCar Posted January 24, 2016

>     function update_password($uid, $password, $salt="")

What you typed back just shows the parameters for the function; take a look in the function and see exactly how the salt and password are combined.