Password help


iimp
09-17-2011, 10:28 PM
Hey,

I am using VB 3.8 and am trying to validate the password through an external app. Here is the PHP code I have


// Request parameters; the *Label variables hold the parameter names and are defined elsewhere.
$username = isset($_GET[$usernameLabel]) ? $_GET[$usernameLabel] : "";
$password = isset($_GET[$passwordLabel]) ? $_GET[$passwordLabel] : "";
$userid = isset($_GET[$useridLabel]) ? $_GET[$useridLabel] : "";
$script = isset($_GET[$scriptLabel]) ? $_GET[$scriptLabel] : "";

$action = isset($_GET[$actionLabel]) ? $_GET[$actionLabel] : "";

switch($action){
    case $actionLoginLabel:
        $userid = -1;
        // Walks every row of the user table and tests each one against the submitted credentials.
        $res = mysql_query("select `userid`,`username`,`password`,`salt` from `user` where 1",$sql_con);
        while($row = mysql_fetch_array($res,MYSQL_ASSOC)){
            // Stored form is md5(md5(password) . salt). Strict === avoids PHP's loose
            // comparison of numeric-looking strings.
            if($row["password"] === md5(md5($password).$row["salt"]) && strtolower($row["username"]) == strtolower($username)){
                $userid = $row["userid"];
                break;
            }
        }
        //echo(enc($userid));
        echo($userid);
        break;
}


and here is the java


private void loginButton_event(ActionEvent e) {
    // Copy the password characters out of the password field into a String.
    char[] p_raw = passwordTextBox.getPassword();
    String p = "";
    for(char c : p_raw){
        p = p + Character.toString(c);
    }

    try {
        // The user name and password are appended to the query string exactly as typed.
        userid = Integer.parseInt(getPage(DOMAIN+"?"+LABEL_ACTION+"="+LABEL_ACTION_LOGIN+"&"+LABEL_USERNAME+"="+usernameTextBox.getText()+"&"+LABEL_PASSWORD+"="+p));
    } catch(NumberFormatException err){
        // A response that is not a number is ignored; userid keeps its previous value.
    }

    if(userid > -1){
        username = usernameTextBox.getText();
        password = p;

        setVisible(false);
    } else {
        JOptionPane.showMessageDialog(this,"Incorrect login details!","Error!",JOptionPane.ERROR_MESSAGE);
    }
}


It always shows as Incorrect login but I am using the right login/pass, can anyone help fix this please?

kh99
09-18-2011, 12:59 AM
<span style="text-decoration: line-through">I think maybe it should be:</span> nvm, Eric is right.

Eric
09-18-2011, 01:21 AM
Here is what vB 3.8 has in functions login:

md5(md5($password) . $vbulletin->userinfo['salt'])

So:
md5(md5($password) . $row['salt'])

Should be fine. I'm not familiar with Java but are you sure you are getting the input values correctly?

iimp
09-18-2011, 09:38 AM
That's the same code I already have :/.

I think I need to encrypt it on the java side so it will read it from the database?

kh99
09-18-2011, 10:32 AM
> That's the same code I already have :/.

That's my fault - in the previous post I was suggesting that it needed to be changed and Eric was pointing out that what you have is correct. I deleted my code just to avoid someone seeing it in the future and thinking it might be correct.

> I think I need to encrypt it on the java side so it will read it from the database?

I don't think so - I think if you added an md5() on the java side you'd have to remove one on the server side. Have you tried anything like writing some debug info to a file to see what values you're working with?

One thing, you probably need to html encode the password to handle cases where it has special characters. Maybe doing an md5() on the java side would be a good idea. It might take care of that and any issue where someone might see the url (like server logs).
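
Added example (not part of the thread and not the posters' code): what the server receives when the query values are concatenated as typed, when they are percent-encoded, and when md5() is applied on the Java side, each checked against the stored form md5(md5($password) . $salt) quoted above. The parameter names action, login, username and password, the sample credentials and the salt are assumptions constructed for the example, and serverSees() is a hypothetical stand-in for how PHP fills $_GET.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class VbLoginQueryExample {
    // Lower-case hex MD5 of the UTF-8 bytes, the same format PHP's md5() returns.
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(32);
        for (byte b : d) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Roughly what PHP puts in $_GET[name]: drop the fragment, split on '&', URL-decode the value.
    static String serverSees(String query, String name) throws Exception {
        int frag = query.indexOf('#');
        if (frag >= 0) query = query.substring(0, frag);
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name))
                return URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
        }
        return "";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        String user = "Test User", password = "p&ss+w=rd #1", salt = "x9Q";
        String stored = md5Hex(md5Hex(password) + salt); // md5(md5($password) . $salt)

        // 1. Plain concatenation, as in the posted client (parameter names are assumed).
        String raw = "action=login&username=" + user + "&password=" + password;
        String got = serverSees(raw, "password");
        System.out.println("raw query, server sees: [" + got + "]");
        System.out.println("  hash matches: " + stored.equals(md5Hex(md5Hex(got) + salt)));

        // 2. Every value percent-encoded before it is appended.
        String encoded = "action=login&username=" + URLEncoder.encode(user, "UTF-8")
                       + "&password=" + URLEncoder.encode(password, "UTF-8");
        got = serverSees(encoded, "password");
        System.out.println("encoded query, server sees: [" + got + "]");
        System.out.println("  hash matches: " + stored.equals(md5Hex(md5Hex(got) + salt)));

        // 3. md5() applied on the Java side: only hex digits travel, and the server
        //    drops its inner md5(), comparing md5($password . $salt) with the column.
        String hashed = "action=login&username=" + URLEncoder.encode(user, "UTF-8")
                      + "&password=" + md5Hex(password);
        got = serverSees(hashed, "password");
        System.out.println("  hash matches: " + stored.equals(md5Hex(got + salt)));
    }
}
```

The digest sent in step 3 is accepted by the server in place of the password, so it remains a usable credential wherever the URL is recorded unless the request moves to a POST body over HTTPS.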

iimp
09-18-2011, 10:38 AM
It seems the password is more encrypted than I thought, can I PM you the whole code to see if you can work it out?

kh99
09-18-2011, 10:49 AM
You can do that if you'd like.