The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Using md5hash function for logging in
I posted the following on vBulletin.com and they suggested to post it here:
Hi Everyone, I am somewhat new to vBulletin and Movable Type technologies, but I have been involved with the web since 1994. So, I'm pretty good with catching on, but I need your assistance. I hope someone can help me with my understanding of this function.

I am one of the administrators for forums.tvgasm.com and I also maintain tvgasm.com. As mentioned above, I am new to both types of web technologies. In trying to use one of the tables of the database, namely the table tvgvbuser within the database forumdb, which holds usernames and passwords, among other information, but the passwords are encrypted.

Since we were having issues with typekey authentication systems and we have over 100,000 readers, we grew tired of the issues associated with that login system. Naturally we thought, we already have a log in system and our readers have accounts within our forums section, why not use what we have and, at the same time, not lose this huge audience.

I understand that the "md5" system of encrypting a word is being used for the passwords, but I do not know how to compare the password that the user types in, from the password in the table. I have tried the following AJAX code:

Code:
var user = document.getElementById('navbar_username').value;
var pass = document.getElementById('navbar_password').value;
var vb_login_md5password = document.getElementById('vb_login_md5password').value;
var vb_login_md5password_utf = document.getElementById('vb_login_md5password_utf').value;
var s = document.getElementById('s').value;

// Open PHP script for requests -- phpscript2 is a pre-defined php file
http.open('post', phpscript2);
http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
http.onreadystatechange = handleResponsePost;
http.send('username='+ user +'&password='+ md5hash(pass,vb_login_md5password, vb_login_md5password_utf, 0));

Code:
$query = mysql_query("SELECT * FROM tvgvbuser WHERE username='". $username ."' AND password='". $password ."'");

But I receive an error from the JavaScript Console of my browser that "s" is not defined. I know that since I am not calling these functions from within the forums section and, instead from within tvgasm.com, that this would probably not work. I do realize that there has been a great deal of effort in creating an entire system and that I am only trying to use a small portion of that system, outside its natural environment.

So, my ultimate question is -- is there a simple way to query this table using the natural password that the user types in and thereby allowing us to continue to use the resource that we have available.

Here is a link to an example of what my code is attempting to do -- http://beta.tvgasm.com/shows/login3.htm

When you enter a registered username and click within the password text field, it automatically checks to see if this username is legit and responds accordingly. However, sending an SQL string for the password is another issue and that's what I need assistance with your expertise.

Thanks in advance, Tarik (Kronus)
#2
Passwords are encrypted in the database like so:
PHP Code:
#3
That worked perfectly. I had to modify my code to retrieve $salt first, so for anyone else who needs it.
Code:
// connect to mysql
$mysql = mysql_connect('localhost','adminusername','adminpassword');

// fail on database errors
if (!$mysql) {
    die('false|Could not connect to MySQL');
}

// connect to the database
mysql_select_db('forumdb', $mysql);

$username = $_POST['username'];
$password = $_POST['password'];

// fetch the per-user salt first
$query = mysql_query("SELECT salt FROM tvgvbuser WHERE username='". $username ."'");
$row = mysql_fetch_array($query);
$salt = $row["salt"];

// hash the typed password the same way the stored one was hashed
$password = md5(md5($password) . $salt);

$query = mysql_query("SELECT * FROM tvgvbuser WHERE username='". $username ."' AND password='". $password ."'");
$result = mysql_num_rows($query);
$row = mysql_fetch_array($query);

if ($result == 1) {
    $_SESSION["user"] = $row["username"];
    echo 'Welcome, '. $row["username"].' . Please fill out our spam verification and post your comments.
<p> <label for="comment-email">Email Address:</label> <input id="comment-email" name="email" size="30" /> </p>
</div>
<p> <label for="comment-url">URL:</label> <input id="comment-url" name="url" size="30" /> </p>
<p> <label for="comment-bake-cookie"><input type="checkbox" id="comment-bake-cookie" name="bakecookie" onClick="if (!this.checked) forgetMe(document.comments_form)" value="1" /> Remember personal info?</label> </p>
</div>
<p id="comments-open-text"> <label for="comment-text">Comments: </label> <textarea id="comment-text" name="text" rows="15" cols="50"></textarea> </p>
<div id="comments-open-footer" class="comments-open-footer">
<input type="submit" accesskey="v" name="preview" id="comment-preview" value="Preview" />
<input type="submit" accesskey="s" name="post" id="comment-post" value="Post" /> ';
} else {
    echo 'Wrong combination of User Name and Password. Did you forget your Password? <a href="http://forums.tvgasm.com/login.php?do=lostpw" target="_blank"> Click here to retrieve it.</a>';
}
?>
#4
Clean your variables:
PHP Code:
[sql]SELECT `username`,`password`, `salt` FROM tvgvbuser WHERE username='". $username ."' LIMIT 1[/sql]
Then you can remove this:
PHP Code:
PHP Code:
#5
Thanks for the feedback. Keep it coming :-)
Have a good one, Tarik (kronus)
#6
There's no need to do two queries. Just query once for the password and salt. Then hash the inputted password and match it up with the password fetched from the database.
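
The advice in the last two replies (clean the input, query once for password and salt, then hash and compare) combined into one routine, as an added example that is not part of the thread or of vBulletin's own code. It assumes PDO with the SQLite driver; the function names, the in-memory table and its row are constructed for illustration, and the salted double MD5 is reproduced only because that is the scheme the existing rows use.

```php
<?php
// Added example: one parameterized lookup, then a constant-time hash comparison.
// Table and column names follow the thread; the data below is constructed.

function vb_legacy_hash(string $password, string $salt): string
{
    // Scheme shown earlier in the thread: md5(md5(password) . salt)
    return md5(md5($password) . $salt);
}

function vb_verify_login(PDO $db, string $username, string $password): ?string
{
    // Single query for hash and salt; the username is bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT username, password, salt FROM tvgvbuser WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown user, hash against dummy values so both paths do similar work.
    $stored = $row ? $row['password'] : str_repeat('0', 32);
    $salt   = $row ? $row['salt'] : 'xxx';
    $candidate = vb_legacy_hash($password, $salt);

    // hash_equals() compares the two hex digests in constant time.
    $ok = hash_equals($stored, $candidate);
    return ($row && $ok) ? $row['username'] : null;
}

// --- constructed demo data (in production the DSN points at the forum database) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tvgvbuser (username TEXT, password TEXT, salt TEXT)');
$ins = $db->prepare('INSERT INTO tvgvbuser VALUES (?, ?, ?)');
$ins->execute(['demo_user', vb_legacy_hash('correct horse', 'a1B'), 'a1B']);

var_dump(vb_verify_login($db, 'demo_user', 'correct horse')); // matching password
var_dump(vb_verify_login($db, 'demo_user', 'wrong guess'));   // wrong password
var_dump(vb_verify_login($db, "o'neil", 'anything'));         // quote in input is plain data
```

Salted MD5 is fast to brute-force if the table leaks, so a site reusing these rows can rehash with `password_hash()` after each successful legacy login and store the new value alongside.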