PDA

View Full Version : bbpassword Query

digitalstudio
02-23-2009, 01:02 PM
Hi.

I need to write a query that takes the value of the "bbpassword" cookie and checks it against the user table "password" field.

The query will look something like this:

$stmt = "SELECT user.`userid`
FROM `user`
WHERE `password` = '" . md5($_COOKIE['bbpassword']) . "' ";



My question is: Which functions do I need to run of the bbpassword cookie value to check it against the password field? As I'm pretty sure md5() isn't the only one!

Thanks.
TigerC10
02-23-2009, 01:41 PM
The cookie password is:


md5(md5(md5($password) . $salt) . $license)


The password hash in the user table is:

md5(md5($password) . $salt)


It is not possible to "undo" a hash. You cannot search for passwords in the database like this. In order to do what you want, you'll have to select password from the database - and then run a while loop that hashes the values out and then compares with the cookie data.


$passes = $db->query_read("SELECT password FROM ". TABLE_PREFIX ."user");
while( $user = $db->fetch_array($passes) )
{
if( md5( $user[password] . $license ) == $_COOKIE['bbpassword'] )
{
//Do something that you want to do when the password matches
break;
}
}




This is terribly inefficient, I wouldn't do it if I were you.
digitalstudio
02-23-2009, 02:11 PM
$passes = $db->query_read("SELECT password FROM ". TABLE_PREFIX ."user");
while( $user = $db->fetch_array($passes) )
{
if( md5( $user[password] . $license ) == $_COOKIE['bbpassword'] )
{
//Do something that you want to do when the password matches
break;
}
}




This is terribly inefficient, I wouldn't do it if I were you.

You're right. But you can do the same thing in a single query. I forgot to mention that i will also be doing a lookup on the user ID:

$stmt = "SELECT user.`userid`
FROM `user`
WHERE MD5(CONCAT(user.`password`, '" . $license . "')) = '" . $_COOKIE['bbpassword'] . "'
AND user.`userid` = '" . $userid . "'";

But thanks for the info, you've answered my question.
TigerC10
02-23-2009, 03:41 PM
I wasn't aware MySQL had an MD5 function, is that a new addition for MySQL 5? That makes things totally different.
Dismounted
02-24-2009, 04:41 AM
It's existed prior to that: http://dev.mysql.com/doc/refman/4.1/en/encryption-functions.html