Some Help/Information with vB Integration Please

[DarkScythe]

Hello,

A few weeks ago I decided to purchase a vB license for my forums. I plan to use it in conjunction with the ExpressionEngine CMS/Blog. This was after some careful consideration and lots of comparisons with competing software - I hope I made the right choice. My plan is to integrate the two programs just enough so that a user will only need to register once either on the forums, or at the CMS and have access to both. Previously, I had completed an integration that suited my needs between EE and phpBB2. However, as my luck would have it, the team decided to release phpBB3 release candidates soon after. Knowing that phpBB2 was then at the end of its line, I had to scrap that and move on. I tried to make sense of phpBB3's code, but had no luck.

Anyway, this leads me to vB. I'm looking at the code, but I'm a bit stumped at how to get access to the $password variable. One of my biggest considerations for purchasing vB was hoping its support was a little better than phpBB's support - it was pretty hit and miss for help with the code. Being that vB is closed source, I hope that everyone is a little more familiar with it.

What I did with phpBB2 was to insert an additional database call during user registration and a few other places to copy the most important user details (username/password/email) into the ExpressionEngine database and vice-versa. After all the bugs were worked out, this worked out very well, at least during my bit of testing.

I'm trying to essentially mirror this with vB, so the first step I took was to head into the registration file. part way down, I can see what I believe is the database call to update the database with the password, but I have no idea how to proceed from there - it doesn't look like that's the real password. I think it may have already been hashed somewhere, but I can't seem to locate when that happens to capture it and send it to EE's database.

If anyone can help em out with this, I'd be extremely grateful - thanks in advance.

Edit:
Now that I think about it, I may not actually need the original password. ExpressionEngine supports both MD5 and SHA1 encryption. With phpBB2, I changed its system to use SHA1 as well, to be compatible with EE since I set it to use SHA1 over MD5. However, I suppose there's little difference between using the two, and vB appears to use a salt which is better than phpBB2's implementation. Unfortunately, I don't think EE supports salts, so if I were to be able to grab the MD5 hash, it would have to be before the salt is added to it, and I can simply copy that into EE's database.. that still leaves the username/email fields though..

[MoT3rror]

When every a password is submitted by form, it is md5 once without salt. Then the salt is added to the end and md5 again so the final password looks something like this.

md5(md5($password) . $salt)

On the register page, the password from the user is $vbulletin->GPC['password'], I believe.

[Dismounted]

As MoT3rror has said, the password stored in the database is like so:

PHP Code:

md5(md5($password) . $salt); 


The salt is unique for every user and is stored in the database. Also, if the user has Javascript enabled when logging in, the password that is entered is md5 hashed once, and is sent through the POST variable "md5_password".

[DarkScythe]

Thank you for the replies.

I was able to tell about the double hashing, but I couldn't figure out exactly when I could pull the password. I had found this in the registration file, which I believe is when the database actually gets updated with the password information:

PHP Code:

    // set password
    $userdata->set('password', ($vbulletin->GPC['password_md5'] ? $vbulletin->GPC['password_md5'] : $vbulletin->GPC['password'])); 


But I have no idea which one to copy over. Are you saying that

PHP Code:

$vbulletin->GPC['password'] 


is what I need to copy over (after hashing, if that's the plaintext password?)

Along those lines, I read somewhere around here that the plaintext variable would turn up empty if javascript is enabled as there's a JS that hashes it before it hits the code or something - does this mean I need to copy the md5 hash instead before the salt is added?

Also.. I can't seem to find similar database calls for the other user information such as the username/email address. When/where does this information get added? I believe I may be simply overlooking it somewhere nearby..

Another thing.. apologies for all my questions.. Is it possible to turn birthdays into a required field when registering? I don't need to make it public, but I do plan on needing that information for some access restriction.

Thanks again!

[Dismounted]

If the user has Javascript enabled, vBulletin will hash the password field, then empty it, before being sent to the server. The first bit of code checks if the MD5 hashed password exists, if it doesn't, it uses the normal password field instead (which doesn't exist if the password is hashed).

[DarkScythe]

Yes, that's what I remember reading, and why the above userdata set line is checking. Where is the Javascript function though, I see no mention of it around that section of code..

I did find this in the global file

PHP Code:

 // you may define this if you don't want the password in the login box to be zapped onsubmit; good for integration
 $show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates 


Is this what I am looking for? I could also simply copied the hashed value directly over, but it would be plain MD5, which is a little iffy.. I don't think EE has any salting mechanism built in by default, so I normally hash passwords into SHA1, if I can, before putting it in there.

As for email and username, I was apparently blind - they're set a few lines down after the password. There is another field I'd like to mandate though.. is there a way to force users to have to set their birthday during registration? I do not need it to be publicly visible, or even editable afterwards by users.

Thanks again.

--------------- Added [DATE]1216767919[/DATE] at [TIME]1216767919[/TIME] ---------------

Actually, from doing some more research, it seems there might be several ways of doing what I'm trying to do.. but I'm not sure of the differences between them.

At its most basic level, I'm basically re-doing what I had to do with phpBB2, that is injecting my own code into the source files to get some integration with the user tables.

However, I have also seen something about vB's plugin system which may allow me to put the code into plugins and be less invasive to the source code. (I have no idea what the difference between a plugin and a product are at the moment.. It just seems like I put my code into one of them and insert a "hook" line into the source code and it would replace that hook with whatever the linked code is.)

Lastly, vB also seems to have "datamanagers." What are these? From the manual it says they are useful for 'rapid integration of vBulletin-specific data structures and data constraints into [...] third-party applications.' I'm not entirely sure how to access this, or if it coincides with what I want to do..

If anyone can shed some light on this, I'd appreciate it.
Thanks in advance.

[Dismounted]

Quote:

Originally Posted by DarkScythe

Yes, that's what I remember reading, and why the above userdata set line is checking. Where is the Javascript function though, I see no mention of it around that section of code..

See the "onsubmit" attribute on the login form.

Quote:

Originally Posted by DarkScythe

I did find this in the global file

PHP Code:

 // you may define this if you don't want the password in the login box to be zapped onsubmit; good for integration
 $show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates 


Is this what I am looking for? I could also simply copied the hashed value directly over, but it would be plain MD5, which is a little iffy.. I don't think EE has any salting mechanism built in by default, so I normally hash passwords into SHA1, if I can, before putting it in there.

Disabling the client-side hash would be a bad idea IMO, as then the password would be sent plain text across the "interwebz" . You could always SHA1 your MD5 hash.

Quote:

Originally Posted by DarkScythe

vB also seems to have "datamanagers." What are these? From the manual it says they are useful for 'rapid integration of vBulletin-specific data structures and data constraints into [...] third-party applications.' I'm not entirely sure how to access this, or if it coincides with what I want to do..

Data managers allow you to insert data into vBulletin's system, with simple PHP function calls. See the articles section for some examples.

[DarkScythe]

Thanks again for the informative reply.
I'm sorry, I must be a pain in the butt with all these questions, but I do appreciate the help.

I took a look at that function and I believe your talking about this one?

PHP Code:

        if (
            $vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND
            $vbulletin->userinfo['password'] != iif($md5password, md5($md5password . $vbulletin->userinfo['salt']), '') AND
            $vbulletin->userinfo['password'] != iif($md5password_utf, md5($md5password_utf . $vbulletin->userinfo['salt']), '')
        ) 


That seems to compare the password against several factors in order to fully hash it. I suppose disabling client-side hashing would be a bad idea, but I don't want to replace vB's MD5 system with SHA1. I did it with phpBB but it was in a couple places so it was annoying to track down, and that also would probably break update scripts. If you mean SHA1 the MD5 hash itself, I'm not sure what that would accomplish.. the user would then have to enter the MD5 hash in order to log in to EE then, would they not?

Could I simply add an extra line into that if statement to re-encode the base $password (I assume this is the plaintext one it discards) into SHA1 and place it in another variable, then simply call that variable when I need it?

As for the datamanagers, if they're only used for putting data *into* vB, then perhaps they may come in handy when I do the reverse from EE, although is this required? With phpBB, all I needed to do was plug in a few 'required' database fields manually and I had a fully active user.

As an aside, I figured out vB has an option to force birthdays as required.. vB certainly has an exhaustive options panel compared to phpBB, I'm still not fully through that thing yet. I'm glad vB also has options for minimum username length, but there doesn't appear to be a similar one for password lengths.. the mods I've found don't seem to support the latest version.

After this, I still need to track down places where the user/admin can change their password and email.. Forgot password form, profile options, and admin panel off the top of my head - am I missing any?

[Dismounted]

Quote:

Originally Posted by DarkScythe

I took a look at that function and I believe your talking about this one?

PHP Code:

        if (
            $vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND
            $vbulletin->userinfo['password'] != iif($md5password, md5($md5password . $vbulletin->userinfo['salt']), '') AND
            $vbulletin->userinfo['password'] != iif($md5password_utf, md5($md5password_utf . $vbulletin->userinfo['salt']), '')
        ) 


You're looking in the PHP files - the function that hashes client-side is a Javascript function - found in /clientscript/.

[DarkScythe]

Oops, sorry.

Wow, I can't understand these javascript files at all.. I at least have a PHP book to refer to lol.
I assume this means there's no way I can modify this to also hash it into SHA1 format..

In that case, I'll just have to copy over the MD5 hash.. Does the JS hash it with or without the salt?