[release vb2] Database Password Encryption

Updated 15th July 2001
Simplish hack that allows end users to chose if they want to store encrypted versions of their password.

Full details of how this is implemented are contained in the file.
Requirements:
vBulletin 2.0.0
This has not been tested on rc1/2/3 beta1-5. It might work or it might not.

From the june 3rd update onwards a installation script is included, full details in the instructions.

it wasnt even there let me see what happens when i add it

i put it in but it still comes up with the erorr and with the line number of with ? > in it also this ? > is not above the security e-mail

[dabean]

hmm not sure exactly where you have gone wrong then.

[rebby]

in your instructions you have:

Quote:

replace
$users=$DB_site->query("SELECT username,email,password FROM user

with
$users=$DB_site->query("SELECT username,email,password,encryptedpass,userid

with this the email password feature fails.

this change will fix it:

Quote:

replace
$users=$DB_site->query("SELECT username,email,password

with
$users=$DB_site->query("SELECT username,email,password,encryptedpass,userid

[rebby]

this works great with the exception of in the user cp... the Secure password storage is not selected to yes or no by default and even if you select yes, it does nothing to the db...

it is encrypting passwords for new users taht select to have encrypted passwords from the start though (they can't unencrypted them like you noted though).

[dabean]

Find

PHP Code:

if ($action=="editoptions") {
  $templatesused = "modifyoptions_maxposts,modifyoptions_styleset,modifyoptions_stylecell,usercpnav,modifyoptions";
  include("./global.php");
  // do modify profile form

  if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
    show_nopermission();
  } 


now after that block add

PHP Code:

  // secure passwords
  if ($bbuserinfo[encryptedpass]) {
    $securepasswordchecked="checked";
    $securepasswordnotchecked="";
  } else {
    $securepasswordchecked="";
    $securepasswordnotchecked="checked";
  }
  // end secure passwords 


find

PHP Code:

  if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
    show_nopermission();
  }

  $adminemail=iif($allowmail=="yes",1,0); 


change to

PHP Code:

  if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
    show_nopermission();
  }
  // secure passwords
  $cryptpassword=iif($securepassword=="yes",1,0);
  // end secure passwords
  $adminemail=iif($allowmail=="yes",1,0); 


now find

PHP Code:

  //delete cookies if cookie user is off
  if ($cookieuser==0) {
    vbsetcookie("bbuserid","");
    vbsetcookie("bbpassword","");
  } 


and after it add

PHP Code:

  // secure passwords
  if ($bbuserinfo[encryptedpass]==1) {
    // md5 hash password & store todo
    $cryptpassword=1;
  } else {
    // 
    if ($cryptpassword==1) {
      $DB_site->query("UPDATE user SET password='".addslashes(md5($bbuserinfo[password]))."' WHERE userid='$bbuserinfo[userid]'");
      // set new hashed cookie
      vbsetcookie("bbpassword",md5(md5($bbuserinfo[password])));
    }
  }
  // end secure passwords 


find

PHP Code:

  $DB_site->query("UPDATE user
                   SET ".$updatestyles."adminemail='$adminemail',
                      showemail='$showemail',invisible='$invisible',cookieuser='$cookieuser',
                      maxposts='".addslashes($umaxposts)."',daysprune='".addslashes($prunedays)."',
                      timezoneoffset='".addslashes($timezoneoffset)."',emailnotification='$emailnotification',
                      startofweek='".addslashes($startofweek)."',options='$options',receivepm='$receivepm',
                      emailonpm='$emailonpm',pmpopup='$pmpopup',usergroupid='$bbuserinfo[usergroupid]',
                      nosessionhash='$nosessionhash'
                   WHERE userid='$bbuserinfo[userid]'"); 


and change the line to

PHP Code:

  $DB_site->query("UPDATE user
                   SET ".$updatestyles."adminemail='$adminemail',
                      showemail='$showemail',invisible='$invisible',cookieuser='$cookieuser',
                      maxposts='".addslashes($umaxposts)."',daysprune='".addslashes($prunedays)."',
                      timezoneoffset='".addslashes($timezoneoffset)."',emailnotification='$emailnotification',
                      startofweek='".addslashes($startofweek)."',options='$options',receivepm='$receivepm',
                      emailonpm='$emailonpm',pmpopup='$pmpopup',usergroupid='$bbuserinfo[usergroupid]',
                      nosessionhash='$nosessionhash', encryptedpass='$cryptpassword'
                   WHERE userid='$bbuserinfo[userid]'"); 


now after

PHP Code:

  if ($newpassword!=$newpasswordconfirm) {
    eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
    exit;
  } 


add

PHP Code:

 // secure passwords
  if ($bbuserinfo[encryptedpass]==1) {
    $newpassword=md5($newpassword);
  }
  // end secure passwords 


Alternativly download the updated zip file that now contains these additions that i forgot to paste into the orginal file.

[rebby]

what file is that for??? member.php???

[dabean]

member.php

[rebby]

Quote:

Originally posted by dabean
member.php

thanx... i'll give that a go and let you know..

[rebby]

it now encrypts the password (like it should) however the bullet in the user cp does not reflect this...