External PRG to access VB Database


Snapperhaed
10-04-2003, 09:25 PM
I have been working on a subscription module for VB3. It works fine for VB2. My problem is (like most) in the new dual hash/salt routines. I have figured out the dual md5 hash thanks to searching the forums, yet my troubles lie in the area of the salt routine.

My external php application has a database of its own, and when a customer registers through this application, it creates its database tables there, and moves over to create the information in the VB3 database.

I cannot figure out the salt to save my life. The password works, but if you write the info to the VB database, without the data on the salt table, there's some crazy things that happen when you try to log in. (An inverted forum!!).

Here's the basic shell of this function. Any help you can offer me on this would be much appreciated. I'm about to use the PC as a boat anchor, and most of my hair has been pulled out over the last 4 hrs of me picking at this. Save what little bit of hair I have!!

Code:

function vbulletin_added($member_id, $product_id, $member){
    global $db, $config, $plugin_config;

    $this_config = $plugin_config['protect']['vbulletin'];
    $vb_db = $this_config['db'];

    $max = vbulletin_get_max($member['data']['status']);
    if ($max < 0) return;

    foreach ($member as $k=>$v)
        $member[$k] = $db->escape($v);
    $q = $db->query("SELECT password, usergroupid
        FROM {$vb_db}user
        WHERE username='$member[login]'
    ");
    list($p,$ul) = mysql_fetch_row($q);
    $dat = date('M d, Y');
    $pass = md5(md5($member['pass']).$salt);
    if (!$ul){ //user not exists
        $db->query($s = "INSERT INTO {$vb_db}user
            (usergroupid, username, password, email, joindate,
            daysprune, pmpopup, salt
            )
            VALUES
            ($max, '$member[login]', '$pass', '$member[email]', unix_timestamp(),
            -1,1,'$salt'
            )
        ");
        $vb_user_id = mysql_insert_id();
        $db->query($s = "INSERT INTO {$vb_db}userfield
            (userid) VALUES ($vb_user_id)
        ");
    } else {
        $denied = join(',', $this_config['denied_levels']);
        $db->query($s = "UPDATE {$vb_db}user
            SET password='$pass', usergroupid=$max
            WHERE username='$member[login]'
            AND usergroupid NOT IN ($denied)
        ");
    }
}

In the searching that I have done here, I found the salting routine used in function.php which is:

// ###################### Start makesalt #######################
// generates a totally random string of $length chars
function fetch_user_salt($length = 3)
{
    $salt = '';
    for ($i = 0; $i < $length; $i++)
    {
        $salt .= chr(rand(32, 126));
    }
    return $salt;
}

But I haven't been able to successfully include it in my above script.

Any help you can administer to this rambler would make you THE supreme one in my eyes. Thanks!

websissy
10-05-2003, 12:03 AM
I'm having a similar problem here. The external module I'm trying to hook in supplies a Perl program to do this with almost any MySQL database. It works with vB3 all the way up to the password verification step; but fails there due to the new hashing.

I think I can offer some helpful information on the salt issue and perhaps in return you can give me the Perl Code to handle the password encryption? The deal with the salt value is that it's STORED as part of each vB3 user's member database record. If you do a describe on the vb3_user table, you'll find the salt value is the last field in each row. So you don't really NEED to create a salt value. All you need to do is grab the user's salt value from each member's record and append it to the original MD5 encrypted password before you do the second MD5 encryption.

Hopefully, that will help you out. My problem is I can't figure out how to code that double-MD5 encryption in Perl!

Good Luck! Please drop me a PM if you can help me on the Perl encryption bit!

Snapperhaed
10-05-2003, 12:17 AM
I think you and I are on different projects. Sounds like you're withdrawing from someone who already exists in the VB3 database. I'm the opposite. I'm creating the user's account outside of VB3, then it writes the data to the VB3 DB. So they never actually register in the forums at all, thus I need to create the salt value for it to be stored in the VB3 DB. I would be happy to assist you if I could, but my lack of experience would only hinder your efforts.

Snapperhaed
10-06-2003, 03:05 AM
No help here yet eh. Same on VBulletin.Com ... Still been pecking at it all weekend and I came to the conclusion that all info given here and Vbull.Com is wrong. It almost seems like it's some big secret since none of the 'big wigs' are willing to chime in and straighten out the many who have asked the same thing.

The theory of the new changed hashing is:

MD5 the Normal Password (1st MD5)
Add the Salt to the end of the MD5 above and MD5 it (2nd MD5)

Guess what. That simply does not work, even when using this to make the salt:

// ###################### Start makesalt #######################
// generates a totally random string of $length chars
function vbulletin_addedsalt($length = 3)
{
    $salt = '';
    for ($i = 0; $i < $length; $i++)
    {
        $salt .= chr(rand(32, 126));
    }
    return $salt;
}

(The above derived from /includes/functions.php)

Here's the excerpt from the code I've been working on:

$q = $db->query("SELECT password, usergroupid
    FROM {$vb_db}user
    WHERE username='$member[login]'
");
list($p,$ul) = mysql_fetch_row($q);
$dat = date('M d, Y');
// The following is a new variable to set the passworddate
$pde = date('Y d, M');

// Beginning of Salt Routine Ripped from VB3 /includes/functions.php

$saltlength = 3;
$salt = '';
for ($i = 0; $i < $saltlength; $i++)
    $salt .= chr(rand(32, 126));

// End of Salt Routine Random Generation

// First Normal Password Hash

$pass = md5($member['pass']);

// ReName the Variable Here for Next Hash

$pash = $pass;

// Add some Salt and Hash it again

$pass = md5($pash) . $salt;

// End of New MD5 Dual Hash Routine

if (!$ul){ //user not exists
    $db->query($s = "INSERT INTO {$vb_db}user
        (usergroupid, displaygroupid, username, password, passworddate, email, styleid, parentemail, showvbcode,
        customtitle, joindate, daysprune, lastvisit, lastactivity, lastpost, posts, reputation, reputationlevelid,
        timezoneoffset, pmpopup, avatarid, avatarrevision, options, maxposts, startofweek, referrerid, languageid,
        emailstamp, threadedmode, autosubscribe, pmtotal, pmunread, salt)

        VALUES

        ($max, $max, '$member[login]', '$pass', '$pde', '$member[email]', 0, '$member[email]', 1,
        0, unix_timestamp(), -1, unix_timestamp(), unix_timestamp(), 0, 0, 10, 5,
        -7, 1, 0, 0, 7255, -1, 1, 0, 1,
        0, 0, 0, 0, 0, '$salt')");

    $vb_user_id = mysql_insert_id();
    $db->query($s = "INSERT INTO {$vb_db}userfield
        (userid) VALUES ($vb_user_id)
    ");

Maybe it does work, and my code is bad. I can't seem to find it anywhere if it is. Would be nice for someone who actually knows what they're doing (and what they're talking about) to step up and offer some assistance. It'd sure be appreciated.

Just to clarify what it is I am doing:

The user comes to MY php application and creates himself an account. Upon doing so, my app sends the data to the SQL database of VBull and creates himself an account there. The user -never- registers directly via VBull. The above script that I have posted works, but the password is wrong. To obtain having the correct password, you don't do 2 separate pass hashes, you do one:

IE: $pass = md5(md5($member['pass']) . $salt);

That works just fine. However - When a user goes to VBull, and is asked for his username and password, he enters it, he's told it's been accepted and goes to redirect him to the main forums page, the screen scroll bar (normally located on the far right of all browsers), is moved to the left, and is asked to login again, with the text and formatting of the forums changed and frankly, bassackwards. Damnedest thing I've ever seen.

Lil help to resolve this driving-me-crazy-having-self-taught-myself-this-and-working-on-it-all-weekend-to-get-this-far-and-still-be-this-short problem?!

Thanks to any assistance you can provide me.
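
Added example, not part of any post in this thread and not vBulletin's own code: the md5(md5(password) . salt) formula from the last post together with the read-the-stored-salt check websissy describes, with the salt bound as a query parameter because the 32..126 range includes ' and \. The function names, the sample accounts and the in-memory SQLite table standing in for the vB3 user table are assumptions.

```php
<?php
// Salt of printable ASCII (32..126), the range used by the routine quoted in the
// thread; random_int() is substituted for rand() here (assumes PHP 7+).
function make_salt(int $length = 3): string
{
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(random_int(32, 126));
    }
    return $salt;
}

// Formula from the thread: one digest over md5(password) with the salt appended.
function vb3_hash(string $plain, string $salt): string
{
    return md5(md5($plain) . $salt);
}

// Hypothetical helper: store the hash and the raw salt used to compute it.
function register_user(PDO $pdo, string $username, string $plain, string $salt): void
{
    // Bound parameters keep a salt containing ' or \ from altering the statement.
    $stmt = $pdo->prepare('INSERT INTO user (username, password, salt) VALUES (?, ?, ?)');
    $stmt->execute([$username, vb3_hash($plain, $salt), $salt]);
}

// Hypothetical helper: recompute the hash with the salt stored in the user's row.
function check_login(PDO $pdo, string $username, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT password, salt FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['password'], vb3_hash($plain, $row['salt']));
}

// Constructed stand-in for the vB3 database: in-memory SQLite, three columns only.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT, password TEXT, salt TEXT)');

register_user($pdo, 'quoted', 'correct horse', "a'\\");      // constructed salt with ' and \
register_user($pdo, 'random', 'correct horse', make_salt()); // freshly generated salt

var_dump(check_login($pdo, 'quoted', 'correct horse'));
var_dump(check_login($pdo, 'random', 'correct horse'));
var_dump(check_login($pdo, 'random', 'wrong password'));
// Length of the hash-then-append variant, for comparison with a 32-character md5 digest.
var_dump(strlen(md5(md5('correct horse')) . 'abc'));
```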