bschultz Posted August 18, 2007

Hi, I have a shopping cart database that I need to authenticate off of. The DB password is stored in a md5+salt hash. The function used by the cart is this:

```php
<?php
/**
 * password_funcs functions
 *
 * @package functions
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: password_funcs.php 2618 2005-12-20 00:35:47Z drbyte $
 */

////
// This function validates a plain text password with an encrypted password.
// zen_not_null() and zen_rand() are defined elsewhere in Zen Cart's function files.
function zen_validate_password($plain, $encrypted) {
  if (zen_not_null($plain) && zen_not_null($encrypted)) {
    // split apart the hash / salt: the stored value is "<md5 hex>:<salt>"
    $stack = explode(':', $encrypted);

    if (sizeof($stack) != 2) return false;

    // note: == between two hex strings is PHP's loose comparison
    if (md5($stack[1] . $plain) == $stack[0]) {
      return true;
    }
  }

  return false;
}

////
// This function makes a new password from a plaintext password.
function zen_encrypt_password($plain) {
  $password = '';

  for ($i=0; $i<10; $i++) {
    $password .= zen_rand();
  }

  // the salt is the first two hex characters of the md5 of ten random numbers
  $salt = substr(md5($password), 0, 2);

  // stored form: md5(salt . plain) followed by ':' and the salt in the clear
  $password = md5($salt . $plain) . ':' . $salt;

  return $password;
}
?>
```

I'm not very familiar at all with functions. How can I incorporate this function with my existing code to check the DB for authentication? Thanks.

Link: https://forums.phpfreaks.com/topic/65624-solved-md5salt-question/
Fadion Posted August 18, 2007

The first function compares a normal password with a hash and returns true if they are equal; you need to pass two parameters, the normal and the hashed password. The second one needs only one parameter and returns its md5 hash. Actually you need to have them in, i.e., a functions.inc.php and include that file wherever you need to use those functions. Usage:

```php
zen_validate_password('shopping', 'ffd93f16876049265fbaef4da268dd0e');
zen_encrypt_password('shopping');
```

Anyway, you could easily write these functions by yourself with your own features.
bschultz (Author) Posted August 19, 2007

That makes sense, but I have no idea where it gets (or uses) the $plain and $encrypted variables. And my understanding of salt is that it generates a random string. If the password is entered to the DB with a random string at the end...how can I ever validate from it?
Fadion Posted August 19, 2007

The idea of a salt is to use a value which can be retrieved, i.e. md5(username + password) in a login system. In this case the salt is random but is appended to the password by using:

```php
$password = md5($salt . $plain) . ':' . $salt;
```

Actually a stored password of yours will be: hash(password+salt):hash(salt). In the validate_password function, explode() is used to split the hash from the password. As I previously said, there's no rocket science in this and even if you're new to PHP you can manage your own pass+salt system. Also keep in mind that md5 or sha1 are one-way encrypting algorithms which can't be decrypted. The only way to find one's password is to compare his/her hash to a dictionary of hashes, but I don't think this will be your case, so the need for a salt is optional. Anyway, those functions look good to me.
dbillings Posted August 19, 2007

In words that you can understand: you will need to retrieve the encrypted password from the database via a mysql_query, then take that result and plug it in to the $encrypted variable in the function, i.e.

```php
<?php
$encrypted = '12345678910'; // imaginary mysql_result for $encrypted.
$plain = $_REQUEST['password']; // user's submitted password from a form or possibly a session.

zen_validate_password($plain, $encrypted);

/* This will in turn produce a result of true or false, obviously true if the encrypted
   mysql_result matches the submitted user's entry after encryption.
   So to use it in a conditional.... */
if (zen_validate_password($plain, $encrypted)) {
  // do something you want accomplished after returning true.
} else {
  // do something if it returns false.
}
?>
```

God speed little doddle.
bschultz (Author) Posted August 19, 2007

Here's what I've come up with...and I get "Illegal Access" as the echo:

```php
<?php
ini_set('include_path', '/var/www/web6/web/shop/includes/functions');
include "password_funcs.php";
include "functions_general.php";

$conn1 = mysql_connect('xxx', 'xxx', 'xxx');
if (!$conn1) {
  echo "Unable to connect to DB: " . mysql_error();
  exit;
}

if (!mysql_select_db("cart")) {
  echo "Unable to select mydbname: " . mysql_error();
  exit;
}

$sql1 = "SELECT customers_password FROM customers";

$username = $_POST['myemail'];
$encrypted = $customers_password; // imaginary mysql_result for $encrypted.
$plain = $_POST['password']; // user's submitted password from a form or possibly a session.

/* This will in turn produce a result of true or false, obviously true if the encrypted
   mysql_result matches the submitted user's entry after encryption.
   So to use it in a conditional.... */
if (zen_validate_password($plain, $encrypted)) {
  echo "$plain, $encrypted";
} else {
  echo "Could not successfully run query from DB:" . mysql_error();
}
?>
```

Does it have to do with the includes, or something else?
bschultz (Author) Posted August 19, 2007

I figured that out...but get a new error:

Warning: require(DIR_WS_FUNCTIONSfunctions_prices.php) [function.require]: failed to open stream: No such file or directory in /var/www/web6/web/shop/includes/functions/functions_general.php on line 1459

Fatal error: require() [function.require]: Failed opening required 'DIR_WS_FUNCTIONSfunctions_prices.php' (include_path='/var/www/web6/web/shop/includes/functions') in /var/www/web6/web/shop/includes/functions/functions_general.php on line 1459

That must be in the functions code I've included from my cart...is there a way to ignore those?
dbillings Posted August 21, 2007

In the same directory as the script you are trying to run there should be a script called DIR_WS_FUNCTIONSfunctions_prices.php (I'm not sure if that DIR_WS_FUNCTIONS thing is part of the filename? From what I'm familiar with it would be, but I could be wrong). It is telling you that it isn't there. Why it isn't there is what you need to find out. Where is it?
bschultz (Author) Posted August 22, 2007

Sorry dbillings...I got this figured out the other day and never posted back. The function file I was including had a BUNCH of other (not needed) functions. I copied the part of the function I needed into my code, and dropped the include of the rest of the file. Some of this code is Zen-Cart specific, but here it is:

```php
<?php
define('IS_ADMIN_FLAG', false); // tells the script that is included that you are authorized to use it

ini_set('include_path', '/var/www/web6/web/shop/includes/functions');
include "password_funcs.php"; // Zen-Cart function file that handles the authorization of the db with md5+salt password

// copied from Zen-Cart's functions_general.php so the rest of that file need not be included
function zen_not_null($value) {
  if (is_array($value)) {
    if (sizeof($value) > 0) {
      return true;
    } else {
      return false;
    }
  } else {
    if (($value != '') && (strtolower($value) != 'null') && (strlen(trim($value)) > 0)) {
      return true;
    } else {
      return false;
    }
  }
}

$conn1 = mysql_connect('xxx', 'xxx', 'xxx');
if (!$conn1) {
  echo "Unable to connect to DB: " . mysql_error();
  exit;
}

if (!mysql_select_db("cart", $conn1)) {
  echo "Unable to select mydbname: " . mysql_error();
  exit;
}

// escape the submitted address before it is placed inside any query text
$username = mysql_real_escape_string($_POST['myemail'], $conn1);

$sql = "SELECT customers_password FROM customers WHERE customers_email_address = '" . $username . "'";
$res = mysql_query($sql) or die('Query failed: ' . mysql_error());
$result = mysql_fetch_array($res) or die("You have either entered the wrong email address or password, OR you don't have a ticket for today. Try again!" . mysql_error());

$encrypted = $result['customers_password']; // encrypted data from database
$plain = $_POST['password']; // user's submitted password from a form or possibly a session.

/* This will in turn produce a result of true or false, obviously true if the encrypted
   mysql_result matches the submitted user's entry after encryption.
   So to use it in a conditional.... */
//echo "comparing: $plain, $encrypted for $username: ";

if (zen_validate_password($plain, $encrypted)) {
  // the escaped $username is reused here; the raw $_POST value never enters the SQL
  $sql1 = "SELECT customers_email_address, date_purchased, order_total FROM orders WHERE customers_email_address = '$username' AND order_total = '100.00'";
  $result1 = mysql_query($sql1);
  if (!$result1) {
    echo "Could not successfully run query ($sql1) from DB: " . mysql_error();
    exit;
  }
  if (mysql_num_rows($result1) == 0) {
    echo "";
  }
  while ($row1 = mysql_fetch_assoc($result1)) {
    session_register("myemail");
    echo "<meta http-equiv=Refresh content=1;url='page.php?page=seasonticket'>";
  }

  $sql2 = "SELECT customers_email_address, date_purchased, order_total FROM orders WHERE customers_email_address = '$username' AND order_total = '5.00' AND date_format(date_purchased, '%Y-%m-%d') = CURRENT_DATE";
  $result2 = mysql_query($sql2);
  if (!$result2) {
    echo "Could not successfully run query ($sql2) from DB: " . mysql_error();
    exit;
  }
  if (mysql_num_rows($result2) == 0) {
    echo "<meta http-equiv=Refresh content=5;url='page.php?page=noticket'>";
  }
  while ($row2 = mysql_fetch_assoc($result2)) {
    session_register("myemail");
    echo "<meta http-equiv=Refresh content=3;url='page.php?page=singleticket'>";
  }
} else {
  echo "A mistake has been made, or you don't have a ticket for today's game...please try again!<meta http-equiv=Refresh content=3;url='page.php?page=listen'>";
}
?>
```

Thanks again everyone for everything!
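Two points the thread touches but never shows, as one added example in Python (this is not Zen Cart's code and not the poster's script; it assumes only the standard library, an in-memory sqlite table standing in for the cart's `customers` table, one constructed customer row, and fixed salts so every value is deterministic): the exact shape of the stored `md5(salt . plain):salt` value that Fadion's August 19 reply describes and how little a two-hex-character salt adds against a dictionary of hashes, and what the final script's string-built customer lookup lets a visitor do with the e-mail field compared with the same lookup done through a bound parameter. `hmac.compare_digest` is used where the PHP compares with `==`; `authenticate_concatenated`, `authenticate`, `forged_email`, `precomputed_table` and `build_demo_db` are names chosen for this example.

```python
import hashlib
import hmac
import sqlite3

# Added example in Python, not Zen Cart's PHP and not the poster's script. It mirrors the
# md5(salt . plain):salt scheme from password_funcs.php, shows how small the salt space is,
# and redoes the customer lookup from the final script with a bound parameter.


def zen_encrypt_password(plain, salt):
    """Stored value exactly as zen_encrypt_password builds it: md5(salt + plain) ':' salt.
    The PHP version derives the salt from ten zen_rand() values; here it is a parameter
    so that every result in this example is deterministic."""
    digest = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def zen_validate_password(plain, encrypted):
    """Mirror of zen_validate_password: split on ':' and recompute md5(salt + plain).
    hmac.compare_digest stands in for the loose == the PHP uses on the two hex strings."""
    if not plain or not encrypted:
        return False
    parts = encrypted.split(":")
    if len(parts) != 2:
        return False
    digest, salt = parts
    candidate = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


# substr(md5(...), 0, 2) is two hex characters, so the cart can only ever use 256 salts.
ALL_SALTS = ["%02x" % i for i in range(256)]


def precomputed_table(wordlist):
    """md5(salt + word) for every word under every salt. A plain unsalted md5 table
    no longer matches, but one 256 times larger covers every hash the cart can store."""
    return {zen_encrypt_password(word, salt): word
            for salt in ALL_SALTS for word in wordlist}


def build_demo_db():
    """Constructed stand-in for the cart's `customers` table: sqlite in memory, one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (customers_email_address TEXT PRIMARY KEY,"
                 " customers_password TEXT)")
    conn.execute("INSERT INTO customers VALUES (?, ?)",
                 ("fan@example.com", zen_encrypt_password("shopping", "7f")))
    conn.commit()
    return conn


def authenticate_concatenated(conn, email, password):
    """The final script's pattern: the submitted address is spliced into the SQL text,
    so whoever controls `email` controls which hash is compared. Kept only to contrast."""
    sql = ("SELECT customers_password FROM customers"
           " WHERE customers_email_address = '" + email + "'")
    row = conn.execute(sql).fetchone()
    return row is not None and zen_validate_password(password, row[0])


def authenticate(conn, email, password):
    """Same lookup with a bound parameter: the address can only ever be data."""
    row = conn.execute(
        "SELECT customers_password FROM customers WHERE customers_email_address = ?",
        (email,),
    ).fetchone()
    if row is None:
        # spend one md5 anyway so an unknown address is not cheaper than a wrong password
        zen_validate_password(password, "0" * 32 + ":00")
        return False
    return zen_validate_password(password, row[0])


def forged_email(attacker_password):
    """A login 'address' that makes the concatenated query hand back a hash of the
    attacker's choosing: no row has the empty address, so the UNION literal is row one."""
    return "' UNION SELECT '" + zen_encrypt_password(attacker_password, "00") + "' -- "


if __name__ == "__main__":
    conn = build_demo_db()
    stored = conn.execute("SELECT customers_password FROM customers").fetchone()[0]
    print("stored value        :", stored)
    print("right password      :", authenticate(conn, "fan@example.com", "shopping"))
    print("wrong password      :", authenticate(conn, "fan@example.com", "Shopping"))
    table = precomputed_table(["123456", "password", "shopping", "letmein"])
    print("table lookup        :", table.get(stored))
    print("forged, concatenated:", authenticate_concatenated(conn, forged_email("x"), "x"))
    print("forged, bound       :", authenticate(conn, forged_email("x"), "x"))
```

Run stand-alone it prints the five checks. The forged address works against the concatenated query because no customer has the empty address, so the literal from the UNION is the first row returned and the hash being checked is one the visitor computed for their own password; the bound-parameter version returns no row for the same input. Because the salt is stored in the clear and drawn from only 256 values, a dictionary of hashes still applies to this scheme, just with a table 256 times the size. With the mysql_* extension the page's script uses, the minimum is mysql_real_escape_string on the address; a prepared statement (mysqli or PDO) removes the problem entirely.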