
Checking username/password outside of Vanilla (varbinary issue possibly)

jross New
edited February 2010 in Vanilla 2.0 - 2.8
I wrote a private message script where I'm using the usernames/password from vanilla.

It worked great - I could do an md5 convert with the stored password - but it appears that now the password is stored as varbinary - it messed up my script.

Does anyone have a script to verify user/pass using the LUM_User?

Comments

  • Mark Vanilla Staff
    Vanilla 1 does it with the library/People/People.Class.PasswordHash.php file. The specific function you're looking for is here:

    http://code.google.com/p/lussumo-vanilla/source/browse/trunk/src/library/People/People.Class.PasswordHash.php#280

    The PasswordHash class is standalone. The PeoplePasswordHash class is tied to Vanilla a little bit, but you should be able to write your own implementation of it pretty easily that doesn't rely on Vanilla 1 at all.
  • I need to figure that one out - my old one was a bit simpler - if anyone knows an easier way to tweak the following - I'd really appreciate it:
    /**
     * Checks whether or not the given username is in the
     * database, if so it checks if the given password is
     * the same password in the database for that user.
     * If the user doesn't exist or if the passwords don't
     * match up, it returns an error code (1 or 2).
     * On success it returns 0.
     */
    function confirmUser($username, $password){
        global $conn;
        /* Add slashes if necessary (for query) */
        if(!get_magic_quotes_gpc()) {
            $username = addslashes($username);
        }

        /* Verify that user is in database */
        $q = "select Password, Email from LUM_User where Name = '$username'";
        $result = mysql_query($q, $conn);
        if(!$result || (mysql_numrows($result) < 1)){
            return 1; // Indicates username failure
        }

        /* Retrieve password from result, strip slashes */
        $dbarray = mysql_fetch_array($result);
        $dbarray['Password'] = stripslashes($dbarray['Password']);
        $password = stripslashes($password);

        $_SESSION['email'] = $dbarray['Email'];
        $db2 = $dbarray['Password'];
        $email2 = $dbarray['Email'];
        /* Validate that password is correct */
        if($password == $dbarray['Password']){
            return 0; // Success! Username and password confirmed
        }
        else{
            return 2; // Indicates password failure
        }
    }

    /**
     * checkLogin - Checks if the user has already previously
     * logged in, and a session with the user has already been
     * established. Also checks to see if user has been remembered.
     * If so, the database is queried to make sure of the user's
     * authenticity. Returns true if the user has logged in.
     */
    function checkLogin(){
        /* Check if user has been remembered */
        if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
            $_SESSION['username'] = $_COOKIE['cookname'];
            $_SESSION['password'] = $_COOKIE['cookpass'];
            $_SESSION['email'] = $_COOKIE['cookemail'];
        }

        /* Username and password have been set */
        if(isset($_SESSION['username']) && isset($_SESSION['password'])){
            /* Confirm that username and password are valid */
            if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
                /* Variables are incorrect, user not logged in */
                unset($_SESSION['username']);
                unset($_SESSION['password']);
                return false;
            }
            return true;
        }
        /* User not logged in */
        else{
            return false;
        }
    }

    /**
     * Checks to see if the user has submitted his
     * username and password through the login form,
     * if so, checks authenticity in database and
     * creates session.
     */
    if(isset($_POST['sublogin'])){
        /* Check that all fields were typed in */
        if(!$_POST['user'] || !$_POST['pass']){
            die('You didn\'t fill in a required field.');
        }
        /* Spruce up username, check length */
        $_POST['user'] = trim($_POST['user']);
        if(strlen($_POST['user']) > 30){
            die("Sorry, the username is longer than 30 characters, please shorten it.");
        }

        /* Checks that username is in database and password is correct */
        $md5pass = md5($_POST['pass']);
        /* The submitted username lives in $_POST['user']; $user was never assigned */
        $result = confirmUser($_POST['user'], $md5pass);
        echo "Sorry for the inconvenience - we're currently experiencing issues with this script.";
        /* Check error codes */
        if($result == 1){
            die('That username doesn\'t exist in our database.');
        }
        else if($result == 2){
            die('Incorrect password, please try again.');
        }

        /* Username and password correct, register session variables */
        $_POST['user'] = stripslashes($_POST['user']);
        $_SESSION['username'] = $_POST['user'];
        $_SESSION['password'] = $md5pass;

        /**
         * This is the cool part: the user has requested that we remember that
         * he's logged in, so we set two cookies. One to hold his username,
         * and one to hold his md5 encrypted password. We set them both to
         * expire in 100 days. Now, next time he comes to our site, we will
         * log him in automatically.
         */
        if(isset($_POST['remember'])){
            setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
            setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");
            setcookie("cookemail", $_SESSION['email'], time()+60*60*24*100, "/");
        }
    } /* end of the sublogin handler; this closing brace was missing */
  • edited February 2010
    Vanilla 1 and 2 are using phpass:
    http://www.openwall.com/phpass/

    Here is a function to check the password against the password hash saved in Vanilla DB:

    function CheckPassword($DbHash, $FormPassword) {
        if ($DbHash[0] === '_' || $DbHash[0] === '$') {
            // phpass's constructor takes (iteration_count_log2, portable_hashes);
            // both only matter when creating hashes, not when checking one.
            $PH = new PasswordHash(8, FALSE);
            return $PH->CheckPassword($FormPassword, $DbHash);
        } else if ($FormPassword && $DbHash !== '*'
            && ($FormPassword === $DbHash || md5($FormPassword) === $DbHash)
        ) {
            return true;
        }
        return false;
    }
    Edit: fixed typo.
  • When I place that function in my script - I get:
    Parse error: syntax error, unexpected '['
    in this line:
    if (DbHash[0] === '_' || DbHash[0] === '$') {
  • edited February 2010
    @jross Likely it's a typo (missing dollar signs), try:
    function CheckPassword($DbHash, $FormPassword) {
        if ($DbHash[0] === '_' || $DbHash[0] === '$') {
            // phpass's constructor takes (iteration_count_log2, portable_hashes);
            // both only matter when creating hashes, not when checking one.
            $PH = new PasswordHash(8, FALSE);
            return $PH->CheckPassword($FormPassword, $DbHash);
        } else if ($FormPassword && $DbHash !== '*'
            && ($FormPassword === $DbHash || md5($FormPassword) === $DbHash)
        ) {
            return true;
        }
        return false;
    }
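The check sketched in the last two replies, as an added example that is not Vanilla's or phpass's code: it re-implements phpass's published portable-hash algorithm so the `$P$...` value stored in the Password column can be verified offline, keeps the same `_`/`$` prefix test, and falls back to the legacy md5 form for old Vanilla 1 rows. Assumes PHP 5.6+ for hash_equals(); the phpass test vector and the md5 row are constructed inputs.

```php
<?php
// Added example (not Vanilla's or phpass's code): check a password against the string
// read from Vanilla's User.Password column. $P$/$H$ hashes are re-derived with the
// published phpass portable algorithm; other crypt()-style hashes go through crypt();
// anything else is treated as a legacy Vanilla 1 md5 hash. Comparisons are constant-time.
define('PHPASS_ITOA64', './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
// phpass's base64 variant: 3 input bytes -> 4 characters of the itoa64 alphabet.
function phpass_encode64($input, $count) {
    $itoa64 = PHPASS_ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Re-derive a portable hash from its own setting: "$P$" + cost char + 8-char salt.
function phpass_crypt_private($password, $setting) {
    $id = substr($setting, 0, 3);
    if ($id !== '$P$' && $id !== '$H$') { return '*0'; }           // never matches
    $count_log2 = strpos(PHPASS_ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) { return '*0'; }
    $salt = substr($setting, 4, 8);
    if (strlen($salt) !== 8) { return '*0'; }
    $count = 1 << $count_log2;                // iteration count travels inside the hash
    $hash = md5($salt . $password, true);
    do { $hash = md5($hash . $password, true); } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function vanilla_check_password($stored, $password) {
    if ($stored === '' || $stored[0] === '*') { return false; }    // '*' marks a disabled login
    if ($stored[0] === '$' || $stored[0] === '_') {               // same prefix test as phpass
        $id = substr($stored, 0, 3);
        $calc = ($id === '$P$' || $id === '$H$') ? phpass_crypt_private($password, $stored) : crypt($password, $stored);
        return hash_equals($stored, $calc);
    }
    return hash_equals($stored, md5($password));                   // legacy plain-md5 column
}

// Constructed inputs: the 'test12345' vector from phpass's test.php and a legacy md5 row.
var_dump(vanilla_check_password('$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0', 'test12345'));
var_dump(vanilla_check_password(md5('hunter2'), 'hunter3'));
```

In a real script the stored value should be fetched with a prepared statement bound to the username rather than by interpolating it into the query as confirmUser above does, and the session should hold only the user id or name, never the password hash or a password-bearing cookie.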