  #11  
Old 07-25-2008, 06:46 AM
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Go to the vBulletin Members' Area and download a copy of vBulletin with uncompressed JS files.
  #12  
Old 07-25-2008, 01:34 PM
DarkScythe DarkScythe is offline
 
Join Date: Jun 2008
Posts: 21

Thanks - I didn't even know such a thing existed.. Took me a while to figure out where to download it from.

Anyway, I can read it now but I still can't really do anything since I don't know any Javascript.. Google finds a bunch of SHA1 JS scripts, but I wouldn't know where to begin importing that stuff as I can barely follow what's going on in the stock JS. I feel I've gone a bit over my head here..
  #13  
Old 07-25-2008, 04:13 PM
Carnage Carnage is offline
 
Join Date: Jan 2005
Location: uk
Posts: 760

I have integrated VB with a custom written site in the past; the way I did it was very simple.

When a user registered at the end of the registration process (once the original site had verified their email address etc) I invoked the vBulletin data manager for users, filled in the required information from the custom site's database and saved it to vb.

There are some clever tricks I pulled to get a shared login session as well, but it's been a while and I can't remember them off the top of my head. (something along the lines of sending an encrypted form of the login information to vbulletin as the get value on a transparent 1x1 php image and using a vb plugin to check the encrypted database against its user data and perform a user login.)
  #14  
Old 07-25-2008, 05:57 PM
DarkScythe DarkScythe is offline
 
Join Date: Jun 2008
Posts: 21

Thanks for the response - that's very similar to what I did with phpBB2, and what I'm trying to do with this. The problem is exporting user data FROM vB to the other program. From my work with phpBB2, I've already placed code in the proper places within EE to import the data into vB, I just need to change the database tables to reflect vB's system instead of phpBB's, although whether I can use the data manager for this or not, I've no idea yet.

If you can provide some tips with where I can locate some of the places within vB that I need to hook into for exporting username/password/email/birthday data, I'd definitely appreciate it though.

Thanks!
  #15  
Old 07-27-2008, 03:12 PM
DarkScythe DarkScythe is offline
 
Join Date: Jun 2008
Posts: 21

Anyone?
  #16  
Old 07-28-2008, 06:22 AM
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Quote:
Originally Posted by DarkScythe View Post
If you can provide some tips with where I can locate some of the places within vB that I need to hook into for exporting username/password/email/birthday data, I'd definitely appreciate it though.

Thanks!
All the information you need is in the "user" table. The easiest way to keep this updated (IMO) would be to hook into the user data manager - as this is where any changes to (default) user information should be performed.
  #17  
Old 07-28-2008, 01:05 PM
DarkScythe DarkScythe is offline
 
Join Date: Jun 2008
Posts: 21

Thanks once again for the reply, Dismounted.

Isn't the user data manager for putting data into vB?
Right now, I don't need to do that, I'm trying to export data from vB into EE's database.
For putting data into vB's database, I could just set a database call to write to it directly, no?
It seemed to work out well for phpBB, and having only 1 table to write to makes it even easier, I just need to insert into the table the required fields, which from what I can tell are basically every field without a default value of 0 in it.

My biggest problem right now is trying to import the data into EE from vB. Since I don't know any Javascript, I think it would be a pointless endeavor to try to modify the vbulletin_md5.js file to also do SHA1. Thus I'm left with trying to copy the MD5 hash instead, and just hope no one gains access to the databases, since EE does not have any functionality to support salting of the passwords.

However, in the registration page, it seems that the rule it uses to set the password in the DB is this:
PHP Code:
$userdata->set('password', ($vbulletin->GPC['password_md5'] ? $vbulletin->GPC['password_md5'] : $vbulletin->GPC['password'])); 
That seems to say to input what's in password_md5, or if it does not exist, copy what's in password, but either way they're both completely hashed with the salt, if I'm not mistaken.. so there's no way I can call the unsalted version here. (Correct me if I'm wrong here, please.) This password thing is really the biggest roadblock I have preventing me from moving ahead with this bridge.. Where can I pull up the unsalted password? Along those lines, where does the salt get added to the database?

Thanks in advance.
  #18  
Old 07-29-2008, 06:54 AM
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Quote:
Originally Posted by DarkScythe View Post
Isn't the user data manager for putting data into vB?
Right now, I don't need to do that, I'm trying to export data from vB into EE's database.
For putting data into vB's database, I could just set a database call to write to it directly, no?
It seemed to work out well for phpBB, and having only 1 table to write to makes it even easier, I just need to insert into the table the required fields, which from what I can tell are basically every field without a default value of 0 in it.
Exporting data is simple - just fetch it from the database. Adding and modifying should be done through the data manager - as there are sometimes other things to do other than just updating the field in the database.
Quote:
Originally Posted by DarkScythe View Post
However, in the registration page, it seems that the rule it uses to set the password in the DB is this:
PHP Code:
$userdata->set('password', ($vbulletin->GPC['password_md5'] ? $vbulletin->GPC['password_md5'] : $vbulletin->GPC['password'])); 
That seems to say to input what's in password_md5, or if it does not exist, copy what's in password, but either way they're both completely hashed with the salt, if I'm not mistaken.. so there's no way I can call the unsalted version here.
You can't call the unhashed version anywhere at all - if the user has JS enabled - it will not send any unhashed passwords. That condition checks if "password_md5" is populated - if it is populated, it means the user has JS enabled and the password was sent in hashed form.
Quote:
Originally Posted by DarkScythe View Post
This password thing is really the biggest roadblock I have preventing me from moving ahead with this bridge.. Where can I pull up the unsalted password? Along those lines, where does the salt get added to the database?
The unsalted password cannot be pulled from the database (it simply doesn't exist). Any stored form of a user's password is always hashed (and salted).
  #19  
Old 07-29-2008, 02:00 PM
DarkScythe DarkScythe is offline
 
Join Date: Jun 2008
Posts: 21

So, you're suggesting I fetch data from the database, rather than use the information present in variables during registration? For example, I was planning on hooking in around here:
PHP Code:
($hook = vBulletinHook::fetch_hook('register_addmember_process')) ? eval($hook) : false;
And making a database call out to EE's database to populate the username field with $vbulletin->GPC['username'].

You said if "password_md5" is populated, it means that the user has JS enabled and password was sent in hashed form - if that check fails (it's empty) that should mean JS was not enabled, but the regular "password" field it's setting into the database at that point is still hashed (with the salt already), just using php from elsewhere instead of JS - correct?

I know I can't pull the unsalted password from the database, I've taken a look at it. What I want to know is if I can either intercept the password before hashing so I can give it to EE (this requires editing that JS file, but I don't know how to do this) or copy the md5 hash of the password BEFORE it gets re-hashed with the salt. Does the JS hash only the password before returning it to the browser, or does it also add the salt?

My last alternative is to hack EE into supporting salts, but I've no idea how difficult that will be.. It doesn't look like there are any official hacks or mods out for that purpose.

Sorry for all the questions, I'm trying to understand how everything works here..
Thanks again.
  #20  
Old 07-30-2008, 06:58 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by DarkScythe View Post
So, you're suggesting I fetch data from the database, rather than use the information present in variables during registration? For example, I was planning on hooking in around here:
PHP Code:
($hook = vBulletinHook::fetch_hook('register_addmember_process')) ? eval($hook) : false;
And making a database call out to EE's database to populate the username field with $vbulletin->GPC['username'].
You have to take into account if people change email addresses, etc. So the best way (IMO) would be to hook into the user data manager.
Quote:
Originally Posted by DarkScythe View Post
You said if "password_md5" is populated, it means that the user has JS enabled and password was sent in hashed form - if that check fails (it's empty) that should mean JS was not enabled, but the regular "password" field it's setting into the database at that point is still hashed (with the salt already), just using php from elsewhere instead of JS - correct?
If "password_md5" is empty, it does mean JS was disabled and $vbulletin->GPC['password'] contains the unhashed password. It is still hashed and salted server-side.
Quote:
Originally Posted by DarkScythe View Post
What I want to know is if I can either intercept the password before hashing so I can give it to EE (this requires editing that JS file, but I don't know how to do this) or copy the md5 hash of the password BEFORE it gets re-hashed with the salt. Does the JS hash only the password before returning it to the browser, or does it also add the salt?
$vbulletin->GPC['password_md5'] during registration will be the single md5-hashed password.
Reply With Quote
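
Added example, not part of the thread and not vBulletin or ExpressionEngine code: one way a bridge could handle both branches described above (password_md5 populated, or plain password when JS is off) without copying a bare unsalted MD5 into the second database. It assumes vB3 stores md5(md5(password) . salt) with the per-user salt in user.salt; the bridge_* function names and the sample values are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not vB or EE APIs.
// Assumption: vB3 stores md5(md5($plain) . $salt) in user.password,
// with the per-user salt in user.salt.

/** Reduce whichever field the form sent to the single-MD5 value. */
function bridge_single_md5(array $gpc): string
{
    // JS enabled: password_md5 is already md5(plain); otherwise hash it here.
    return $gpc['password_md5'] !== ''
        ? strtolower($gpc['password_md5'])
        : md5($gpc['password']);
}

/** Check a login against the vB-style stored hash and salt. */
function bridge_verify_vb(array $gpc, string $storedHash, string $salt): bool
{
    $candidate = md5(bridge_single_md5($gpc) . $salt);
    return hash_equals($storedHash, $candidate); // constant-time compare
}

/** Value for the bridged side: bcrypt over the single MD5, never the bare MD5. */
function bridge_wrap_for_export(array $gpc): string
{
    return password_hash(bridge_single_md5($gpc), PASSWORD_BCRYPT);
}

/** Bridged-side login check against the wrapped value. */
function bridge_verify_wrapped(array $gpc, string $wrapped): bool
{
    return password_verify(bridge_single_md5($gpc), $wrapped);
}

// Constructed sample data (not from any real board).
$salt   = 'x7Q';
$stored = md5(md5('correct horse') . $salt);
$jsOn   = ['password_md5' => md5('correct horse'), 'password' => ''];
$jsOff  = ['password_md5' => '', 'password' => 'correct horse'];
$wrong  = ['password_md5' => '', 'password' => 'guess'];

var_dump(bridge_verify_vb($jsOn, $stored, $salt));   // JS-on login
var_dump(bridge_verify_vb($jsOff, $stored, $salt));  // JS-off login
var_dump(bridge_verify_vb($wrong, $stored, $salt));  // wrong password
$wrapped = bridge_wrap_for_export($jsOn);
var_dump(bridge_verify_wrapped($jsOff, $wrapped));   // same user, other branch
```

Because password_md5 is accepted in place of the password, the single MD5 is itself a login credential, so the form still needs TLS and the value should not be logged or stored unwrapped.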