[release vb2] Database Password Encryption

Updated 15th July 2001
Simplish hack that allows end users to chose if they want to store encrypted versions of their password.

Full details of how this is implemented are contained in the file.
Requirements:
vBulletin 2.0.0
This has not been tested on rc1/2/3 beta1-5. It might work or it might not.

From the june 3rd update onwards a installation script is included, full details in the instructions.

does the dbencrypt.php do all the table altering and replacing of the other php files for me

[dabean]

Updated: (15:05 BST)

Improvements:
- Database update script, delete it after using it. Thanks tubedogg but i'd already writen my own to go with this improved version.
- Encypted passwords option at registration

Bug fixes:
- Members can no longer follow a password regeneration link more than once.

i ran the encyption file but i dont see any make password encrypted field on registering

[dabean]

As the text file "password_encryption.txt" contained in the zip states all the installer does it make the database changes for you. You still have to modify the code and templates by following the instructions in the file.

ok something wrong is going on here when ever i edit my member.php file the way you say i get this error when i try to access my change password, edit options or any thing else that has to do with the user profile and this is the error

Fatal error: Call to undefined function: getuserinfo() in /home/photo/public_html/tmbps/member.php on line 101

and here is line 101 on member.php

PHP Code:

    $bbuserinfo=getuserinfo($userid); 


[dabean]

hmm, you've obviously made a mistake in altering the code.

the following lines should exist starting at line 47.

PHP Code:

if ($action=="login") {
  include("./global.php");
  if (isset($username)) { 


if these lines do exist then have another look at precise structure of the alterations you made.

If you'd made any changes to global.php or admin\functions.php as part of any other hacks you have added you may also want to double check them.

there at line 42 right after

// ############################### start login ###############################

here is what the code looks like for that section tell me if anything needs to be switched

PHP Code:

if ($action=="login") {
  include("./global.php");
  if (isset($username)) {
    // get userid for given username
    if ($user=$DB_site->query_first("SELECT userid,username,password,cookieuser,encryptedpass FROM user WHERE username='".addslashes(htmlspecialchars($username))."'")) {
      // secure passwords
      if ($user[encryptedpass]==1) {
        if ($user[password]!=md5($password)) {  // check secure password
          eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
          exit;
        }
      } else {
        if ($user[password]!=$password) {  // check standard password
          eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
          exit;
        }
      }
      $userid=$user[userid];
    } else { // invalid username entered
       eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
       exit;
    } // end secure passwords
      $userid=$user[userid];
    } else { // invalid username entered
       eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
       exit;
    }

    if ($user['cookieuser']==1) {
      vbsetcookie("bbuserid",$user['userid']);
      vbsetcookie("bbpassword",md5($user['password']));
    }

    $DB_site->query("DELETE FROM session WHERE sessionhash='".addslashes($session[dbsessionhash])."'");

    $session['sessionhash']=md5(uniqid(microtime()));
    $session['dbsessionhash']=$session['sessionhash'];
    $DB_site->query("INSERT INTO session (sessionhash,userid,host,useragent,lastactivity,styleid) VALUES ('".addslashes($session['sessionhash'])."','$userid','".addslashes($session['host'])."','".addslashes($session['useragent'])."','".time()."','$session[styleid]')");
    vbsetcookie("sessionhash",$session['sessionhash'],0);
    $username = $user['username'];
  }

  $url=ereg_replace("sessionhash=[a-z0-9]{32}&","",$url);
  $url=ereg_replace("\\?sessionhash=[a-z0-9]{32}","",$url);
  $url=ereg_replace("s=[a-z0-9]{32}&","",$url);
  $url=ereg_replace("\\?s=[a-z0-9]{32}","",$url);

  if ($url!="" and $url!="index.php" and $url!=$HTTP_REFERER) {

    if (strpos($url,"?")>0) {
      $url.="&s=$session[dbsessionhash]";
    } else {
      $url.="?s=$session[dbsessionhash]";
    }
    //header("Location: $url");

    $url = str_replace("\"", "", $url);
    eval("standardredirect(\"".gettemplate("redirect_login")."\",\"$url\");");
  } else {
    $bbuserinfo=getuserinfo($userid);
    eval("standardredirect(\"".gettemplate("redirect_login")."\",\"index.php?s=$session[dbsessionhash]\");");
} 


[dabean]

hmm you've repeated the same block of code twice.

PHP Code:

    } // end secure passwords
      $userid=$user[userid];
    } else { // invalid username entered
       eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
       exit;
    } 


should be changed to

PHP Code:

 } // end secure passwords 


now i am getting this erorr
Parse error: parse error in /home/photo/public_html/tmbps/member.php on line 1370

and here are lines 1366-1370

PHP Code:

eval("standarderror(\"".gettemplate("error_invalidsecureid")."\");");
  }
}

? > 


withput the space between the ? and the > of course

[dabean]

okay take a look at

PHP Code:

// ############################### start secure email password ###############################
if ($action=="securepw") { 


check that ?> doesn't appear above it.