Question About The Php Forum

jimbo75 · October 5th, 2003, 11:30 PM

I have installed the PHP server that is given to everyone by surpass and I want to be able to use the passwords from the accounts on the Forum to be useable on my upload scripts.... But, the passwords are stored as hashes and I am not sure as to how I would go about decoding the hashes to verify that they entered a password correctly for the uploads. Any help will be greatly appretiated. TIA.

-David

**AlexH** · October 5th, 2003, 11:52 PM

The way most forums hash the passwords is to use the md5() method, and that is almost impossible to decrypt. So, to check it, you can use this:

Code:

if ( md5($_POST['password']) == $row['password'] ) { ...code here... }

$_POST['password'] being the password that the user has input to upload, and $row['password'] being the password stored in your forums database.

Hope that helps.

jimbo75 · October 6th, 2003, 12:01 AM

At that point the user has to input a hash as a password because the password I am comparing it to is a hash right? Do you think it would be possible to change the script in the php forum so that when the user submits his/her information, it sends the user name and password to a seperate database in plain text where it can be accessed from there as well?

**AlexH** · October 6th, 2003, 12:21 AM

You your users don't have to input the hash, that's what md5() does. It converts any string into an md5 hash.

Quote:

Originally posted by PHP Website

string md5 ( string str [, bool raw_output])

Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5 Message-Digest Algorithm, and returns that hash. The hash is a 32-character hexadecimal number. If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16.

**patrickb** · October 6th, 2003, 1:36 AM

It's like wbie said. You don't actually ever decrypt the password. There would be no point in doing the encryption in the first place if it were that easy.

You basically get the password from the user at upload time. Take that password, run it through the encryption, and compare the resulting hash to the hash of the database. If they match, the password is the same...

October 5th, 2003, 11:52 PM	#2 (permalink)
AlexH Peaches! Excelling Contributor Joined in Jul 2003 Lives in Ottawa, Ontario, Canada Hosted on Jose, Pass19 564 posts Gave thanks: 0 Thanked 0 times	The way most forums hash the passwords is to use the md5() method, and that is almost impossible to decrypt. So, to check it, you can use this: Code: if ( md5($_POST['password']) == $row['password'] ) { ...code here... } $_POST['password'] being the password that the user has input to upload, and $row['password'] being the password stored in your forums database. Hope that helps. __________________ alex.honeywell [ seigousei.net - pass19, binuweb.com - jose ]

October 6th, 2003, 1:36 AM	#5 (permalink)
patrickb the one who was Super #1 Joined in Jul 2003 Lives in Memphis 1,967 posts Gave thanks: 0 Thanked 3 times	It's like wbie said. You don't actually ever decrypt the password. There would be no point in doing the encryption in the first place if it were that easy. You basically get the password from the user at upload time. Take that password, run it through the encryption, and compare the resulting hash to the hash of the database. If they match, the password is the same... __________________ Patrick Warnings: The program(s) might crash unexpectedly or behave otherwise strangely. (But of course, so do many commercial programs on Windows.) --www.gimp.org

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Rate This Thread
Rate This Thread:

October 5th, 2003, 11:30 PM	#1 (permalink)
jimbo75 Registered User Seasoned Poster Joined in Jul 2003 36 posts Gave thanks: 0 Thanked 0 times	I have installed the PHP server that is given to everyone by surpass and I want to be able to use the passwords from the accounts on the Forum to be useable on my upload scripts.... But, the passwords are stored as hashes and I am not sure as to how I would go about decoding the hashes to verify that they entered a password correctly for the uploads. Any help will be greatly appretiated. TIA. -David

October 6th, 2003, 12:01 AM	#3 (permalink)
jimbo75 Registered User Seasoned Poster Joined in Jul 2003 36 posts Gave thanks: 0 Thanked 0 times	At that point the user has to input a hash as a password because the password I am comparing it to is a hash right? Do you think it would be possible to change the script in the php forum so that when the user submits his/her information, it sends the user name and password to a seperate database in plain text where it can be accessed from there as well?

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)