Importing encrypted passwords
dave conz
01-02-2005, 12:33 AM
I need to import a database of usernames and passwords into a new vB installation. The passwords are encrypted using perl like so:
$encryptedpassword = crypt($password,"aa");
I would like to hack vB to recognize either the standard vB password or the imported (encrypted) passwords. I'm thinking that users with the old style password will be able to update their passwords as normal, and the old password will be replaced by a vB-format one.
Will this work? If so, could someone give me some pointers on where to start? Thanks.
Zachery
01-02-2005, 12:38 AM
Are you importing from another forum system?
dave conz
01-02-2005, 12:56 AM
Sort of - I'm migrating from WebBBS. I'm not going to import the existing messages but I do need to import the usernames and passwords. The complication is that I've been using my own custom MySQL database to manage my WebBBS users, since the WebBBS username/password system is useless.
So the passwords are encrypted using the same format as WebBBS but stored in a different way (MySQL as opposed to WebBBS profiles). I don't believe there's any way to directly import the passwords into the standard vB format. Actually I don't even know how vB formats passwords yet - I haven't got that far.
dave conz
01-04-2005, 08:24 AM
Please, can anyone help? All I want to know is where to find the code which says "If the password entered in the form equals the password in the database..." so I can add "...OR if it equals the old encrypted version".
If I can just get some guidance on where to start I'm happy to try and figure out the rest.
login.php is the file you need to look at. But if I were you, I'd have the users reset their passwords, or I'd make a script to autogenerate new passwords and mail them.
dave conz
01-04-2005, 06:40 PM
Thanks rake. Unfortunately a huge number of our users don't have email addies in the database, and can't add them. It's a long story - I never quite finished writing my user management script for WebBBS when I gave up on it altogether. Now I'm stuck in a horrible no-man's-land, with a password/email catch-22.
Anyway, if the only file I need to look at is login.php, I'll have a look and see what I can figure out. Thanks again.
Actually, you need to look at the includes/functions_login.php file, very last function in the file. Add your code there. :)
dave conz
01-04-2005, 09:17 PM
Ah, I see it. So I believe I need to do something like:
if (
$bbuserinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $bbuserinfo['salt']), '') AND
$bbuserinfo['password'] != md5($md5password . $bbuserinfo['salt']) AND
$bbuserinfo['password'] != iif($md5password_utf, md5($md5password_utf . $bbuserinfo['salt']), '')
// Add a line here:
// AND $bbuserinfo['password'] != (this bit I haven't figured out yet)
)
{
return false;
}
... where I have to figure out how to check for the old perl crypt($password,"aa") password. If anyone would like to tell me what I should put in that line, I promise to be your best friend. Otherwise I'm off to learn how PHP deals with encryption.
AND $bbuserinfo['password'] != crypt($password,"aa")
That would be it... :) Check the PHP manual for the crypt function. aa is your salt, right?
dave conz
01-04-2005, 10:29 PM
Dammit, that simple!? For some reason I thought PHP handled it differently. As you can see, I'm a PHP newbie. I've got to go away for a while now but I'll try this as soon as I get back. Thanks heaps for your help rake.
dave conz
01-05-2005, 11:04 PM
I'm so close but can't quite get it. I've created a user with the crypt'd password "test" (aaqPiZY5xR5l.). If I enter the following code it works fine:
AND $bbuserinfo['password'] != crypt("test","aa")
But if I use the password variable it no longer works:
AND $bbuserinfo['password'] != crypt($password,"aa")
I've even defined a test variable which works:
$oldpassword = "test";
.....
AND $bbuserinfo['password'] != crypt($oldpassword,"aa")
This seems to indicate that the variable $password isn't actually "test" at this point. Any ideas what's going on, or how I can see the actual value of $password?
Link14716
01-05-2005, 11:11 PM
There is a JavaScript on all the login forms that blanks the password variable and md5's it, then sends it as $md5password. Have you removed that JS?
dave conz
01-06-2005, 12:04 AM
Aha. I didn't know about that. I went to clientscript/vbulletin_md5.js and commented out the guts of the md5hash function and it all works now! Am I right in thinking this function is a non-critical extra security measure and I won't be leaving a huge security hole without it?
Once the new board is up and running I'll get everyone to update their passwords over the first couple of months, then remove this hack.
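The dual-format check discussed in this thread, written so that a successful legacy login immediately produces a vB-format hash to store; this is an added example, not vBulletin's code and not any poster's. The function name verify_and_upgrade, the row layout and the fresh-salt step are assumptions.

```php
<?php
// Added example, not vBulletin code; function and field names are hypothetical.
const LEGACY_SALT = 'aa'; // fixed salt from the thread's Perl crypt($password,"aa")

// vB-format hash as it appears in the thread: md5(md5(password) . salt).
function vb_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Returns [matched, upgrade]; upgrade is the new password/salt pair to store
// when the legacy hash matched, otherwise null.
function verify_and_upgrade(array $user, string $password, string $md5password): array
{
    $stored = $user['password'];

    // Standard vB checks: plaintext submitted, or md5 computed client-side.
    if ($password !== '' && hash_equals($stored, vb_hash($password, $user['salt']))) {
        return [true, null];
    }
    if ($md5password !== '' && hash_equals($stored, md5($md5password . $user['salt']))) {
        return [true, null];
    }

    // Legacy check: only possible when the plaintext reached the server, and
    // only for rows that look like a DES crypt hash (13 chars, salt first).
    $isLegacy = strlen($stored) === 13 && strncmp($stored, LEGACY_SALT, 2) === 0;
    if ($password !== '' && $isLegacy
        && hash_equals($stored, crypt($password, LEGACY_SALT))) {
        // Assumption: a fresh random salt is acceptable for the upgraded row.
        $salt = bin2hex(random_bytes(4));
        return [true, ['password' => vb_hash($password, $salt), 'salt' => $salt]];
    }
    return [false, null];
}

// Constructed sample row using the hash quoted in the thread for "test".
$user = ['password' => 'aaqPiZY5xR5l.', 'salt' => ''];

[$ok, $upgrade] = verify_and_upgrade($user, 'test', '');
var_dump($ok);
$user = array_merge($user, $upgrade);

// After the upgrade the row verifies through the md5password path alone,
// so the client-side md5 no longer has to stay disabled for this user.
[$ok2, $again] = verify_and_upgrade($user, '', md5('test'));
var_dump($ok2, $again === null);
```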