
[SOLVED] MD5+salt question


bschultz


Hi,

I have a shopping cart database that I need to authenticate off of.  The DB password is stored in a md5+salt hash.  The function used by the cart is this:

<?php
/**
* password_funcs functions 
*
* @package functions
* @copyright Copyright 2003-2005 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
* @version $Id: password_funcs.php 2618 2005-12-20 00:35:47Z drbyte $
*/

////
// This function validates a plain text password against an encrypted (hashed) password.
// The stored value has the form "md5(salt . plain):salt", so the salt is recovered from
// the stored value itself before the hash is recomputed.
// zen_not_null() and zen_rand() are defined elsewhere in the cart's function files.
  function zen_validate_password($plain, $encrypted) {
    if (zen_not_null($plain) && zen_not_null($encrypted)) {
      // split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;

      // strict comparison: the cart's original uses loose ==, under which two
      // hex digests that both look like numbers (e.g. "0e...") compare equal
      if (md5($stack[1] . $plain) === $stack[0]) {
        return true;
      }
    }

    return false;
  }

////
// This function makes a new password hash from a plaintext password. 
  function zen_encrypt_password($plain) {
    $password = '';

    // ten random numbers are concatenated and hashed only to derive the salt
    for ($i=0; $i<10; $i++) {
      $password .= zen_rand();
    }

    // only the first two hex characters of that md5 are kept as the salt
    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }
?>

I'm not very familiar at all with functions.  How can I incorporate this function with my existing code to check the DB for authentication?

Thanks.


The first function compares a normal password with a hash and returns true if they are equal; you need to pass two parameters, the normal and the hash password. The second one needs only one parameter and returns its md5 hash. Actually you need to have them in e.g. functions.inc.php and include that file wherever you need to use those functions.

Usage:

zen_validate_password('shopping', 'ffd93f16876049265fbaef4da268dd0e')
zen_encrypt_password('shopping')

Anyway, you could easily write these functions yourself with your own features.


That makes sense, but I have no idea where it gets (or uses) the $plain and $encrypted variables.  And my understanding of salt is that it generates a random string.  If the password is entered into the DB with a random string at the end...how can I ever validate from it?


The idea of salt is to use a value which can be retrieved, e.g. md5(username + password) in a login system. In this case the salt is random but is appended to the password by using:

$password = md5($salt . $plain) . ':' . $salt;

Actually a stored password of yours will be: hash(password+salt):hash(salt)

In the validate_password function, explode() is used to split the hash from the password.

As I previously said, there's no rocket science in this, and even if you're new to PHP you can manage your own pass+salt system. Also keep in mind that md5 and sha1 are one-way encrypting algorithms which can't be decrypted. The only way to find one's password is to compare his/her hash to a dictionary of hashes, but I don't think this will be your case, so the need for a salt is optional. Anyway, those functions look good to me  :)

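An added example, not from the thread or from Zen Cart: a Python version of the "md5(salt . plain):salt" scheme explained above, with a constant-time comparison in place of PHP's loose ==, and, since a two-character md5 salt gives only 256 possible salts, an upgrade path that re-hashes a password with PBKDF2 once it has validated against the legacy form (the pbkdf2_sha256$ storage format and round count are assumptions, not the cart's).

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # work factor for the replacement format (assumed value)


def zen_encrypt_password(plain, salt=None):
    """Build a stored value in the cart's format: md5(salt + plain) + ':' + salt.
    The cart keeps only the first two hex chars of an md5 as the salt (256 possible
    salts); randomness here comes from os.urandom, not the cart's zen_rand()."""
    if salt is None:
        salt = hashlib.md5(os.urandom(16)).hexdigest()[:2]
    digest = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def zen_validate_password(plain, encrypted):
    """Mirror of the cart's check: split on ':', require exactly two parts,
    recompute md5(salt + plain) and compare with the stored digest.
    compare_digest avoids PHP-style loose '==' semantics and timing leaks."""
    if not plain or not encrypted:
        return False
    stack = encrypted.split(":")
    if len(stack) != 2:
        return False
    digest, salt = stack
    candidate = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode(), digest.encode())


def upgrade_hash(plain):
    """Re-hash a password that just validated against the legacy md5 form.
    Format (assumed, not the cart's): 'pbkdf2_sha256$rounds$salt_hex$dk_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_any(plain, stored):
    """Accept either format; returns (ok, replacement). On a legacy md5 hit the
    caller writes 'replacement' back so the row is upgraded at this login."""
    if stored.startswith("pbkdf2_sha256$"):
        _, rounds, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    ok = zen_validate_password(plain, stored)
    return ok, (upgrade_hash(plain) if ok else None)
```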

In words that you can understand: you will need to retrieve the encrypted password from the database via a mysql_query, then take that result and plug it into the $encrypted variable in the function, i.e.

<?php

$encrypted = 12345678910; // imaginary mysql_result for $encrypted.
$plain = $_REQUEST['password']; // user's submitted password from a form or possibly a session.

zen_validate_password($plain, $encrypted);

/* This will in turn produce a result of true or false: obviously true if
the encrypted mysql_result matches the submitted user's entry after encryption. 
So to use it in a conditional.... */

if (zen_validate_password($plain, $encrypted)) {

    // do something you want accomplished after returning true.

} else {
   
    // do something if it returns false.

}

?>

God speed little doddle.


Here's what I've come up with...and I get "Illegal Access" as the echo

<?php
ini_set('include_path', '/var/www/web6/web/shop/includes/functions');
include "password_funcs.php";
include "functions_general.php";

$conn1 = mysql_connect('xxx', 'xxx', 'xxx'); // host, user, password (redacted)

if (!$conn1) {
   echo "Unable to connect to DB: " . mysql_error();
   exit;
}

if (!mysql_select_db("cart")) {
   echo "Unable to select mydbname: " . mysql_error();
   exit;
}

$sql1 = "SELECT customers_password FROM customers";


$username = $_POST['myemail'];
$encrypted = $customers_password; // imaginary mysql_result for $encrypted.
$plain = $_POST['password']; // user's submitted password from a form or possibly a session.


/* This will in turn produce a result of true or false: obviously true if
the encrypted mysql_result matches the submitted user's entry after encryption. 
So to use it in a conditional.... */

if (zen_validate_password($plain, $encrypted)) {
echo "$plain, $encrypted";
} else {
echo "Could not successfully run query from DB:" . mysql_error();
}

?>

Does it have to do with the includes, or something else?


I figured that out...but get a new error:

Warning: require(DIR_WS_FUNCTIONSfunctions_prices.php) [function.require]: failed to open stream: No such file or directory in /var/www/web6/web/shop/includes/functions/functions_general.php on line 1459

Fatal error: require() [function.require]: Failed opening required 'DIR_WS_FUNCTIONSfunctions_prices.php' (include_path='/var/www/web6/web/shop/includes/functions') in /var/www/web6/web/shop/includes/functions/functions_general.php on line 1459

That must be in the functions code I've included from my cart...is there a way to ignore those?


In the same directory as the script you are trying to run there should be a script called DIR_WS_FUNCTIONSfunctions_prices.php (I'm not sure if that DIR_WS_FUNCTIONS thing is part of the filename; from what I'm familiar with it would be, but I could be wrong). It is telling you that it isn't there. Why it isn't there is what you need to find out. Where is it?


Sorry dbillings...I got this figured out the other day and never posted back.  The function file I was including had a BUNCH of other (not needed) functions.  I copied the part of the function I needed into my code, and dropped the include of the rest of the file.

Some of this code is Zen-Cart specific, but here it is:

<?php
define('IS_ADMIN_FLAG', false);           //tells the script that is included that you are authorized to use it
ini_set('include_path', '/var/www/web6/web/shop/includes/functions');
include "password_funcs.php";        //Zen-Cart function file that handles the authorization of the db with md5+salt password

  function zen_not_null($value) {
    if (is_array($value)) {
      if (sizeof($value) > 0) {
        return true;
      } else {
        return false;
      }
    } else {
      if (($value != '') && (strtolower($value) != 'null') && (strlen(trim($value)) > 0)) {
        return true;
      } else {
        return false;
      }
    }
  }

$conn1 = mysql_connect('xxx', 'xxx', 'xxx');

if (!$conn1) {
   echo "Unable to connect to DB: " . mysql_error();
   exit;
}

if (!mysql_select_db("cart", $conn1)) {
   echo "Unable to select mydbname: " . mysql_error();
   exit;
}

$username = mysql_real_escape_string($_POST['myemail'], $conn1); // escape before interpolating into SQL
$sql = "SELECT customers_password FROM customers WHERE customers_email_address = '" . $username . "'";
$res = mysql_query($sql) or die('Query failed: ' . mysql_error());
$result = mysql_fetch_array($res) or die("You have either entered the wrong email address or password, OR you don't have a ticket for today.  Try again!" . mysql_error());

$encrypted = $result['customers_password']; // encrypted data from database
$plain = $_POST['password']; // users submitted password from a form or possible a session.


/* This will in turn produce a result of true or false obviously true if
the encrypted mysql_result matches the submitted users entry after encryption. 
So to use it in a conditional.... */
//echo "comparing: $plain, $encrypted for $username:  ";

if (zen_validate_password($plain, $encrypted)) {
$sql1 = "SELECT customers_email_address, date_purchased, order_total FROM orders WHERE customers_email_address = '$username' AND order_total = '100.00'";

$result1 = mysql_query($sql1);

if (!$result1) {
   echo "Could not successfully run query ($sql1) from DB: " . mysql_error();
   exit;
}

if (mysql_num_rows($result1) == 0) {
   
echo "";   
}


while ($row1 = mysql_fetch_assoc($result1)) {

session_register("myemail");
echo "<meta http-equiv=Refresh content=1;url='page.php?page=seasonticket'>";   
}
$sql2 = "SELECT customers_email_address, date_purchased, order_total FROM orders WHERE customers_email_address = '$username' AND order_total = '5.00' AND date_format(date_purchased, '%Y-%m-%d') = CURRENT_DATE";

$result2 = mysql_query($sql2);

if (!$result2) {
   echo "Could not successfully run query ($sql2) from DB: " . mysql_error();
   exit;
}

if (mysql_num_rows($result2) == 0) {
   
echo "<meta http-equiv=Refresh content=5;url='page.php?page=noticket'>";
   
}


while ($row2 = mysql_fetch_assoc($result2)) {

session_register("myemail");
echo "<meta http-equiv=Refresh content=3;url='page.php?page=singleticket'>";   
}

} else {
echo "A mistake has been made, or you don't have a ticket for today's game...please try again!<meta http-equiv=Refresh content=3;url='page.php?page=listen'>";
}

?>

Thanks again everyone for everything!
