Checking user and pass externally.

[engineerisaac]

Hello, i'm working on a system where a player in an online game (counterstrike) can link they're online game account to their forum account.

I can do everything else but the linking PHP code.

What I want to do is make an external PHP page that receives the queries from the game server. It receives the players input, their forum user name and password. In the external PHP page, I want to use the user name and password given and check it against the MySQL tables for vBulletin. I tried MD5 hashing the raw password from the query, but it is different from the MD5 in the database.

Is there some other type of hashing that vBulletin uses? A snippit of code would be great!

This is what I have now, And I always get 0 rows returned because the passwords are differet.... (I know I am entering the correct password )

PHP Code:

<?php
//Link.php - Grabs username+pass input from gameserver and checks it against the DB.
$mysql = mysql_connect(******);
mysql_select_db(***);
$user = $_GET['u'];
$pass = $_GET['p'];
$steamid = $_GET['s'];
$hashpass = md5($pass);

$check = mysql_query("SELECT * FROM user WHERE username='$user' AND password='$hashpass'");
if(mysql_num_rows($check) == 0){
    die("notfound");
}else{
    $row = mysql_fetch_array($check);
    mysql_query("UPDATE userfield SET steamid='$steamid' WHERE userid='$row[userid]'");
    echo "pass";
}

thank you for your help in advance!

[EnIgMa1234]

You might want to remove your database info from the code

As for your error check this line of code.

PHP Code:

WHERE username='$user' AND password='$hashhpass'"); 


$hashhpass should be $hashpass

[engineerisaac]

Quote:

Originally Posted by EnIgMa1234

You might want to remove your database info from the code

As for your error check this line of code.

PHP Code:

WHERE username='$user' AND password='$hashhpass'"); 


$hashhpass should be $hashpass

Oops, i saw that but that is not the problem (That probally happened when i was rewriting the variables for that example) i think it's the way the PHP MD5's the raw password, when I do it manually, the Hashes are not the same. Is there some sort of algorithm?

[EnIgMa1234]

Oh,

vBulletin uses a salt value on top of their password.

I think passwords are encrypted like this (Don't quote me on this though).

md5($password.$salt);

The salt value is stored in the user table.

[engineerisaac]

Quote:

Originally Posted by EnIgMa1234

Oh,

vBulletin uses a salt value on top of their password.

I think passwords are encrypted like this (Don't quote me on this though).

md5($password.$salt);

The salt value is stored in the user table.

That does not seem to be the case either... hmmm
Does anyone else happen to know?
It seems like vBulletin uses a Javascript code to hash it's passwords, but the code is very jumbled up and hard to read. I could be wrong though.

[jchamber2010]

that's how it's done...

Line 144 functions_login.php

Code:

md5($md5password . $vbulletin->userinfo['salt'])

are you sure that you are getting the salt from the database as well it's a field in the user table.

[Paul M]

Try this (untested) ;

PHP Code:

$userid = 0;
$user = mysql_real_escape_string($user);
$check = mysql_query("SELECT userid,password,salt FROM user WHERE username='$user'");
if(mysql_num_rows($check) > 0)
{
    $rec = mysql_fetch_array($check);
    if($rec['password'] == md5(md5($password).$rec['salt']))
    {
        $userid = $rec['userid'];
    }
}

// if $userid > 0 then login was ok. 


[engineerisaac]

Quote:

Originally Posted by Paul M

Try this (untested) ;

THANK YOU! This worked! Thank you for your help everyone!