vb.org Archive

Norco 06-21-2007 05:48 PM

md5 password + salt
 
Alright, I have a website with a user system, all the user passwords are stored in a mysql database and md5 encrypted. I am attempting to re-encrypt all those passwords with a salt so the same password will be used on my website, as the forum. I have come up with this..

http://www.teenagezone.org

I'm using functions straight from vBulletin to do it, and when I get it working right, changing it so it will loop through all the users in my database and update their password to work with a salt. Now.. it doesn't seem to be working right. The script works, but when I update that in the database for vbulletin, and try logging in, it will not work.

Here are the scripts..

index.php
PHP Code:

<?php
include "pwfunction.php";

// Show the form until it has been submitted
if (!isset($_POST['submit'])) {
    echo "<form method='POST' style='margin: 0px;'>
<b>Hash: </b>
<input type='password' name='pass'><br><br>
<input type='submit' name='submit' value='sumbmit'>
</form>";
} else {
    $password = $_POST['pass'];

    // Generate a random salt and hash the submitted password with it
    $salt = fetch_user_salt();
    $hash = hash_password($password, $salt);

    echo "$hash - $salt";
}
?>

pwfunction.php
PHP Code:

<?php

// Hash a password together with its salt
function hash_password($password, $salt)
{
    if ($password == '')
    {
    }
    else if (verify_md5($password))
    {
        $password = md5($password);
    }
    return md5($password . $salt);
}

// Build a random salt of $length printable ASCII characters (codes 33-126)
function fetch_user_salt($length = 3)
{
    $salt = '';
    for ($i = 0; $i < $length; $i++)
    {
        $salt .= chr(rand(33, 126));
    }
    return $salt;
}

// True if the string looks like an MD5 hex digest
function verify_md5(&$md5)
{
    return (preg_match('#^[a-f0-9]{32}$#', $md5) ? true : false);
}

?>

Does anyone know the problem or can give me some advice on why it is not working?

Dismounted 06-22-2007 06:22 AM

pwfunction.php, function 'hash_password'.
PHP Code:

else if (verify_md5($password)) 

Should be:
PHP Code:

else if (!verify_md5($password)) 


Norco 06-22-2007 11:08 AM

Wow, thanks! I would have never thought to do that and would be sitting there for days attempting to make it work.

Sorry for double posting, but I have something to add to this post. I currently have the script grabbing users from my website testing database, and it works! But.. it only does some, then errors. The reason being is too much work for the server doing this in a while loop for 4000 members (re-encrypting plus producing a salt). Does anyone know how to limit how many it will do in a second/minute, or offer an idea for a different solution for doing this which will work?

Thanks.

Norco 06-25-2007 07:10 PM

Quote:

Originally Posted by Norco (Post 1273856)
Wow, thanks! I would have never thought to do that and would be sitting there for days attempting to make it work.

Sorry for double posting, but I have something to add to this post. I currently have the script grabbing users from my website testing database, and it works! But.. it only does some, then errors. The reason being is too much work for the server doing this in a while loop for 4000 members (re-encrypting plus producing a salt). Does anyone know how to limit how many it will do in a second/minute, or offer an idea for a different solution for doing this which will work?

Thanks.

Anyone?

Dismounted 06-26-2007 07:37 AM

Add a variable. Increase it every time a user goes by.

Norco 06-26-2007 02:29 PM

Quote:

Originally Posted by Dismounted (Post 1276761)
Add a variable. Increase it every time a user goes by.

How so?

MarkPW 06-26-2007 09:33 PM

What kind of errors do you get?

Norco 06-26-2007 11:51 PM

Quote:

Originally Posted by MarkPW (Post 1277267)
What kind of errors do you get?

It just says you have an error with your sql syntax, but I think it's because a) it is loading all random characters, right? So it is interfering with the sql update query and/or b) it is trying to load all 4000 at the same time, causing it to stop.

It only does about 10-20 then errors.... the highest it's ever gotten was to 75, but then I have to drop the table and upload the backup to try again. The only thing I can think of doing is adding check boxes to the script with the usernames, check off 10, click submit, and it will update those ones, then in the while loop it will only grab rows where there is nothing in the salt field. But that would take a long time...

MarkPW 06-27-2007 12:40 AM

What exactly is the error with your SQL syntax?

Norco 06-27-2007 12:48 AM

Quote:

Originally Posted by MarkPW (Post 1277362)
What exactly is the error with your SQL syntax?

It varies with each run. For example:

First run:
Quote:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$R' WHERE `id`='1819'' at line 1
Second run:
Quote:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1472'' at line 1
Third run:
Quote:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'E' WHERE `id`='3290'' at line 1
By run I mean refresh.

MarkPW 06-27-2007 01:12 AM

It sounds as though you aren't escaping certain value(s) in your sql statement. Are you using mysql_escape_string() on your variables before you use them in your statement?

Norco 06-27-2007 01:34 AM

No? The source to the script I am using is located in the first post in this thread, I quoted it below.

Quote:

Originally Posted by Norco (Post 1273369)
Alright, I have a website with a user system, all the user passwords are stored in a mysql database and md5 encrypted. I am attempting to re-encrypt all those passwords with a salt so the same password will be used on my website, as the forum. I have come up with this..

http://www.teenagezone.org

I'm using functions straight from vBulletin to do it, and when I get it working right, changing it so it will loop through all the users in my database and update their password to work with a salt. Now.. it doesn't seem to be working right. The script works, but when I update that in the database for vbulletin, and try logging in, it will not work.

Here are the scripts..

index.php
PHP Code:

<?php
include "pwfunction.php";

// Show the form until it has been submitted
if (!isset($_POST['submit'])) {
    echo "<form method='POST' style='margin: 0px;'>
<b>Hash: </b>
<input type='password' name='pass'><br><br>
<input type='submit' name='submit' value='sumbmit'>
</form>";
} else {
    $password = $_POST['pass'];

    // Generate a random salt and hash the submitted password with it
    $salt = fetch_user_salt();
    $hash = hash_password($password, $salt);

    echo "$hash - $salt";
}
?>

pwfunction.php
PHP Code:

<?php

// Hash a password together with its salt
function hash_password($password, $salt)
{
    if ($password == '')
    {
    }
    else if (verify_md5($password))
    {
        $password = md5($password);
    }
    return md5($password . $salt);
}

// Build a random salt of $length printable ASCII characters (codes 33-126)
function fetch_user_salt($length = 3)
{
    $salt = '';
    for ($i = 0; $i < $length; $i++)
    {
        $salt .= chr(rand(33, 126));
    }
    return $salt;
}

// True if the string looks like an MD5 hex digest
function verify_md5(&$md5)
{
    return (preg_match('#^[a-f0-9]{32}$#', $md5) ? true : false);
}

?>

Does anyone know the problem or can give me some advice on why it is not working?


MarkPW 06-27-2007 01:49 AM

AFAIK your problem is to do with your SQL statement. Your script above tells me nothing that will explain your SQL errors.

Norco 06-27-2007 01:51 AM

You asked if I was using mysql_escape_string()... which would be in the source if I was, right?

MarkPW 06-27-2007 01:59 AM

Where are your SQL errors generated from? You're giving me half the story - I haven't a clue what's happening in the "rest" of your script. The above script generated a password hash with salt. It has nothing to do with your database. Your SQL errors are coming from somewhere...

Norco 06-27-2007 02:06 AM

Quote:

Originally Posted by MarkPW (Post 1277402)
Where are your SQL errors generated from? You're giving me half the story - I haven't a clue what's happening in the "rest" of your script. The above script generated a password hash with salt. It has nothing to do with your database. Your SQL errors are coming from somewhere...

OH. Ok here:

PHP Code:

<?php
include "pwfunction.php";

$dbh = mysql_connect("localhost", "user", "password") or die('I cannot connect to the database because: ' . mysql_error());
mysql_select_db("database");

// Re-hash every user's stored password with a fresh salt
$get = mysql_query("SELECT * FROM users") or die('Error, query failed');
while ($row = mysql_fetch_array($get)) {

    $password = $row['password'];
    $id = $row['id'];

    $salt = fetch_user_salt();
    $hash = hash_password($password, $salt);

    $update = mysql_query("UPDATE users SET `password`='$hash', `salt`='$salt' WHERE `id`='$id'") or die(mysql_error());
}
?>

pwfunctions.php is the same. Sorry my bad, I forgot to add the updated script for running it.

MarkPW 06-27-2007 02:29 AM

Since you have a connection to your database, you can use mysql_real_escape_string() (which you should use anyway). This should solve your problem:

PHP Code:

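$salt = fetch_user_salt();
$hash = hash_password($password, $salt); // hash with the raw salt, before any escaping

// Escape only the copies that are placed into the SQL string
$hash_sql = mysql_real_escape_string($hash);
$salt_sql = mysql_real_escape_string($salt);

$update = mysql_query("UPDATE users SET `password`='$hash_sql', `salt`='$salt_sql' WHERE `id`='$id'") or die(mysql_error());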
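
The migration discussed in this thread, as an added example that is not part of any post and is not vBulletin's own code: it hashes with the raw salt, binds hash and salt through PDO prepared statements instead of escaping them into the query string, and only selects rows that have no salt yet, so a rerun after a failure cannot hash an already migrated row a second time. The in-memory SQLite database (requires the pdo_sqlite extension), the sample rows, and the names vb_hash and new_salt are assumptions for illustration.

```php
<?php
// Added example (names are assumptions). Scheme: md5(md5(plaintext) . salt).
function vb_hash(string $md5, string $salt): string
{
    return md5($md5 . $salt);
}

// Same alphabet as the thread's fetch_user_salt(): ASCII 33-126, which
// includes ' (39) and \ (92), the characters that broke the UPDATE string.
function new_salt(int $length = 3): string
{
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(random_int(33, 126));
    }
    return $salt;
}

$db = new PDO('sqlite::memory:'); // in-memory stand-in for the MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, salt TEXT)');

// Constructed sample rows: legacy md5(plaintext), no salt yet.
$plain = [1 => 'hunter2', 2 => 'correct horse', 3 => "o'brien"];
$ins = $db->prepare('INSERT INTO users (id, password, salt) VALUES (?, ?, NULL)');
foreach ($plain as $id => $pw) {
    $ins->execute([$id, md5($pw)]);
}

// Migrate: hash with the RAW salt, then bind hash and salt as parameters.
// Only rows without a salt are selected, so a rerun never double-hashes.
$rows = $db->query('SELECT id, password FROM users WHERE salt IS NULL')->fetchAll(PDO::FETCH_ASSOC);
$upd = $db->prepare('UPDATE users SET password = ?, salt = ? WHERE id = ?');
$db->beginTransaction();
foreach ($rows as $i => $row) {
    // Worst-case salts forced on the first two rows; random for the rest.
    $salt = [0 => "'\\\"", 1 => "\\'x"][$i] ?? new_salt();
    $upd->execute([vb_hash($row['password'], $salt), $salt, $row['id']]);
}
$db->commit();

// Login check: md5(md5(typed password) . stored salt) against the stored hash.
$sel = $db->prepare('SELECT password, salt FROM users WHERE id = ?');
foreach ($plain as $id => $pw) {
    $sel->execute([$id]);
    $u = $sel->fetch(PDO::FETCH_ASSOC);
    $ok = hash_equals($u['password'], vb_hash(md5($pw), $u['salt']));
    printf("id=%d salt=%s login=%s\n", $id, $u['salt'], $ok ? 'ok' : 'FAIL');
}
```

The MD5 construction is kept only because it is what the forum software in the thread verifies against; a system that does not have to match it would use password_hash() and password_verify() instead.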


Norco 06-27-2007 02:33 AM

Let me try this, just a second.

Ah! It worked! Thank you SO MUCH.

