md5 password + salt


Norco
06-21-2007, 05:48 PM
Alright, I have a website with a user system, all the user passwords are stored in a mysql database and md5 encrypted. I am attempting to re-encrypt all those passwords with a salt so the same password will be used on my website, as the forum. I have come up with this..

http://www.teenagezone.org

I'm using functions straight from vBulletin to do it, and when I get it working right, changing it so it will loop through all the users in my database and update their password to work with a salt. Now.. it doesn't seem to be working right. The script works, but when I update that in the database for vbulletin, and try logging in, it will not work.

Here are the scripts..

index.php

<?php
include "pwfunction.php";

if (!isset($_POST['submit'])) {
    echo "<form method='POST' style='margin: 0px;'>
    <b>Hash: </b>
    <input type='password' name='pass'><br><br>
    <input type='submit' name='submit' value='submit'>
    </form>";
} else {
    $password = $_POST['pass'];

    $salt = fetch_user_salt();
    $hash = hash_password($password, $salt);

    echo ("$hash - $salt");
}
?>


pwfunction.php

<?php

function hash_password($password, $salt)
{
    if ($password == '')
    {
    }
    else if (verify_md5($password))
    {
        // runs md5() again on a value that already looks like an md5 digest
        $password = md5($password);
    }
    return md5($password . $salt);
}

// builds a salt of $length printable ASCII characters (codes 33 to 126)
function fetch_user_salt($length = 3)
{
    $salt = '';
    for ($i = 0; $i < $length; $i++)
    {
        $salt .= chr(rand(33, 126));
    }
    return $salt;
}

// true when $md5 is a 32-character lowercase hex string
function verify_md5(&$md5)
{
    return (preg_match('#^[a-f0-9]{32}$#', $md5) ? true : false);
}

?>


Does anyone know the problem or can give me some advice of why it is not working.

Dismounted
06-22-2007, 06:22 AM
pwfunction.php, function 'hash_password'.
else if (verify_md5($password))
Should be:
else if (!verify_md5($password))
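As an added example (not code from the thread or from vBulletin), here is a Python port of the two functions that runs the posted condition and Dismounted's corrected one side by side. It assumes the forum's login path recomputes md5(md5(password) + salt) from what the user types and compares it with the stored value. With the condition as first posted, a legacy md5 digest is hashed a second time before the salt is appended, so the login path can never reproduce the stored value; with the `!` in place both paths agree.

```python
import hashlib
import random
import re


def md5_hex(text):
    """Lowercase hex md5 of a string, like PHP's md5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def verify_md5(value):
    """True when value is a 32-character lowercase hex digest."""
    return re.fullmatch(r"[a-f0-9]{32}", value) is not None


def hash_password_as_posted(password, salt):
    """The condition from the first post: a value that already looks like an
    md5 digest is hashed AGAIN before the salt is appended."""
    if password == "":
        pass
    elif verify_md5(password):
        password = md5_hex(password)
    return md5_hex(password + salt)


def hash_password_fixed(password, salt):
    """Dismounted's correction: hash only plaintext, leave existing digests alone,
    so md5(md5(pw) + salt) comes out the same from either starting point."""
    if password != "" and not verify_md5(password):
        password = md5_hex(password)
    return md5_hex(password + salt)


def fetch_user_salt(length=3, rng=random):
    """Same character range as the original (printable ASCII 33..126)."""
    return "".join(chr(rng.randint(33, 126)) for _ in range(length))


def migration_outcomes(plaintext, salt):
    """Simulate migrating a legacy md5 row and then logging in with the plaintext.
    Returns {'as_posted': bool, 'fixed': bool}: whether the login succeeds."""
    legacy_row = md5_hex(plaintext)            # what the old users table holds
    results = {}
    for name, hasher in (("as_posted", hash_password_as_posted),
                         ("fixed", hash_password_fixed)):
        stored = hasher(legacy_row, salt)      # value written by the migration
        at_login = hasher(plaintext, salt)     # value the forum computes at login
        results[name] = stored == at_login
    return results


if __name__ == "__main__":
    salt = fetch_user_salt()
    # "hunter2" is a constructed sample password, not a value from the thread
    print(salt, migration_outcomes("hunter2", salt))
```

Running it prints the salt and `{'as_posted': False, 'fixed': True}`: the posted version writes md5(md5(md5(pw)) + salt) during migration but computes md5(pw + salt) at login, while the corrected version reaches md5(md5(pw) + salt) from both directions.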

Norco
06-22-2007, 11:08 AM
Wow, thanks! I would have never thought to do that and would be sitting there for days attempting to make it work.

Sorry for double posting, but I have something to add to this post. I currently have the script grabbing users from my website testing database, and it works! But.. it only does some, then errors. The reason being is too much work for the server doing this in a while loop for 4000 members (re-encrypting plus producing a salt). Does anyone know how to limit how many it will do in a second/minute, or offer an idea for a different solution for doing this which will work?

Thanks.

Norco
06-25-2007, 07:10 PM

Anyone?

Dismounted
06-26-2007, 07:37 AM
Add a variable. Increase it every time a user goes by.

Norco
06-26-2007, 02:29 PM
Add a variable. Increase it every time a user goes by.

How so?

MarkPW
06-26-2007, 09:33 PM
What kind of errors do you get?

Norco
06-26-2007, 11:51 PM
What kind of errors do you get?

It just says you have an error with your sql syntax, but I think it's because a) it is loading all random characters, right? So it is interfering with the sql update query and/or b) it is trying to load all 4000 at the same time, causing it to stop.

It only does about 10-20 then errors.... the highest it's ever gotten was to 75, but then I have to drop the table and upload the backup to try again. The only thing I can think of doing is adding check boxes to the script with the usernames, check off 10, click submit, and it will update those, then in the while loop it will only grab rows where there is nothing in the salt field. But that would take a long time...

MarkPW
06-27-2007, 12:40 AM
What exactly is the error with your SQL syntax?

Norco
06-27-2007, 12:48 AM
What exactly is the error with your SQL syntax?

It varies with each run. For example:

First run:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$R' WHERE `id`='1819'' at line 1

Second run:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1472'' at line 1

Third run:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'E' WHERE `id`='3290'' at line 1

By run I mean refresh.

MarkPW
06-27-2007, 01:12 AM
It sounds as though you aren't escaping certain value(s) in your sql statement. Are you using mysql_escape_string() on your variables before you use them in your statement?

Norco
06-27-2007, 01:34 AM
No? The source to the script I am using is located in the first post in this thread, I quoted it below.


MarkPW
06-27-2007, 01:49 AM
AFAIK your problem is to do with your SQL statement. Your script above tells me nothing that will explain your SQL errors.

Norco
06-27-2007, 01:51 AM
You asked if I was using mysql_escape_string()... which would be in the source if I was, right?

MarkPW
06-27-2007, 01:59 AM
Where are your SQL errors generated from? You're giving me half the story - I haven't a clue what's happening in the "rest" of your script. The above script generated a password hash with salt. It does nothing to do with your database. Your SQL errors are coming from somewhere...

Norco
06-27-2007, 02:06 AM
Where are your SQL errors generated from? You're giving me half the story - I haven't a clue what's happening in the "rest" of your script. The above script generated a password hash with salt. It has does nothing to do with your database. Your SQL errors are coming from somewhere...

OH. Ok here:

<?php
include "pwfunction.php";

$dbh = mysql_connect("localhost", "user", "password") or die('I cannot connect to the database because: ' . mysql_error());
mysql_select_db("database");

// walk every user row, build a salt and re-hash the stored md5 with it
$get = mysql_query("SELECT * FROM users") or die('Error, query failed');
while ($row = mysql_fetch_array($get)) {

    $password = $row['password'];
    $id = $row['id'];

    $salt = fetch_user_salt();
    $hash = hash_password($password, $salt);

    $update = mysql_query("UPDATE users SET `password`='$hash', `salt`='$salt' WHERE `id`='$id'") or die(mysql_error());
}
?>

pwfunction.php is the same. Sorry my bad, I forgot to add the updated script for running it.

MarkPW
06-27-2007, 02:29 AM
Since you have a connection to your database, you can use mysql_real_escape_string() (which you should use anyway). This should solve your problem:

$salt = mysql_real_escape_string(fetch_user_salt());
$hash = mysql_real_escape_string(hash_password($password, $salt));

$update = mysql_query("UPDATE users SET `password`='$hash', `salt`='$salt' WHERE `id`='$id'") or die(mysql_error());
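An added example, not the thread's or MarkPW's code: the same migration in Python against an in-memory SQLite table of constructed sample rows. It shows why a salt drawn from characters 33..126 breaks a string-built UPDATE as soon as it contains a quote (the `near '$R' WHERE ...` errors above), and does the update with bound parameters instead, which removes the need for escaping at all. It also answers the earlier 4000-row question the way Norco proposed and Dismounted hinted at: each call processes a limited batch of rows whose salt is still NULL, so the script can simply be re-run until it reports 0 rows. Assumed from the posted script: the column names users.id, users.password and users.salt. md5, salted or not, is well below current password-hashing practice; it is kept here only because the migration target is a fixed md5-based scheme.

```python
import hashlib
import random
import re
import sqlite3


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def hash_password(password, salt):
    """vBulletin-style salted hash with the corrected condition from this thread."""
    if password != "" and not re.fullmatch(r"[a-f0-9]{32}", password):
        password = md5_hex(password)
    return md5_hex(password + salt)


def fetch_user_salt(length=3, rng=random):
    """Same range as the original, so ', \\ and similar characters can occur."""
    return "".join(chr(rng.randint(33, 126)) for _ in range(length))


def make_db(legacy_passwords):
    """Constructed sample table: legacy rows hold a bare md5 digest and no salt."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, salt TEXT)")
    conn.executemany("INSERT INTO users (password, salt) VALUES (?, NULL)",
                     [(md5_hex(p),) for p in legacy_passwords])
    conn.commit()
    return conn


def update_unescaped(conn, user_id, new_hash, salt):
    """The thread's original interpolated UPDATE. Returns True if the SQL broke."""
    sql = "UPDATE users SET password='%s', salt='%s' WHERE id='%s'" % (new_hash, salt, user_id)
    try:
        conn.execute(sql)
        return False
    except sqlite3.OperationalError:   # e.g. a quote in the salt ends the literal early
        return True


def migrate_batch(conn, batch_size=50, salt_fn=fetch_user_salt):
    """Re-hash up to batch_size rows that have no salt yet, using bound parameters.
    Already-migrated rows are skipped, so the call is safe to repeat. Returns rows done."""
    rows = conn.execute(
        "SELECT id, password FROM users WHERE salt IS NULL LIMIT ?", (batch_size,)
    ).fetchall()
    for user_id, legacy_hash in rows:
        salt = salt_fn()
        conn.execute("UPDATE users SET password=?, salt=? WHERE id=?",
                     (hash_password(legacy_hash, salt), salt, user_id))
    conn.commit()
    return len(rows)


def login_ok(conn, user_id, plaintext):
    """Login check after migration: recompute md5(md5(pw) + salt) and compare."""
    row = conn.execute("SELECT password, salt FROM users WHERE id=?", (user_id,)).fetchone()
    if row is None or row[1] is None:
        return False
    return hash_password(plaintext, row[1]) == row[0]


if __name__ == "__main__":
    conn = make_db(["hunter2", "correct horse", "pa55w0rd"])   # constructed samples
    print("quote in salt breaks interpolated SQL:", update_unescaped(conn, 1, "x", "a'b"))
    while (done := migrate_batch(conn, batch_size=2)) > 0:
        print("migrated", done, "rows")
    print("login 1:", login_ok(conn, 1, "hunter2"), "wrong pw:", login_ok(conn, 1, "hunter3"))
```

With bound parameters the salt never touches the SQL text, so `fetch_user_salt()` can keep its full character range; the batch loop replaces the "process everything in one request" pattern that was timing out.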

Norco
06-27-2007, 02:33 AM
Let me try this, just a second.

Ah! It worked! Thank you SO MUCH.