1 (edited by RNilsson 2003-09-09 05:02)

Topic: How to verify username/password against punBB

This is how you would verify in your own scripts against the punBB userbase, for shared userbase throughout your site for example.

This example is for PGSQL (I'm running 7.3.4)

    $DBString = "host=localhost port=5432 dbname=punbb user=pun password=pun";
    $DBConn = pg_connect($DBString);

    $username = trim($_POST['username']);
    $password = md5(trim($_POST['password']));

    $pun_users = "users";
    $pun_prefix = "";
    // Escape the user-supplied name before it goes into the query string
    $SQL = "SELECT * FROM " . $pun_prefix . $pun_users . " WHERE username = '" . pg_escape_string($username) . "' AND password = '" . $password . "'";
    $Q = pg_query($DBConn, $SQL);
    $NUM = pg_num_rows($Q);       // row count comes from the result, not from a fetched row
    $ROW = pg_fetch_object($Q);   // fetch as an object so $ROW->password works
    pg_close($DBConn);

    if ($NUM == "1")
    {
        print("Username & Password Verified");
    }
    else
    {
        print("Username/Password Combo not found.");
    }

This example is for MySQL (hasn't been tested live)

    $DBConn = mysql_connect("localhost", "pun", "pun");
    mysql_select_db("punbb", $DBConn);

    $username = trim($_POST['username']);
    $password = md5(trim($_POST['password']));

    $pun_users = "users";
    $pun_prefix = "";
    // Escape the user-supplied name before it goes into the query string
    $SQL = "SELECT * FROM " . $pun_prefix . $pun_users . " WHERE username = '" . mysql_real_escape_string($username, $DBConn) . "' AND password = '" . $password . "'";
    $Q = mysql_query($SQL, $DBConn);
    $NUM = mysql_num_rows($Q);       // row count comes from the result, not from a fetched row
    $ROW = mysql_fetch_object($Q);   // fetch as an object so $ROW->password works
    mysql_close($DBConn);

    if ($NUM == "1")
    {
        print("Username & Password Verified");
    }
    else
    {
        print("Username/Password Combo not found.");
    }

It assumes you get username and password from a form using post-method.
You all get the idea, and you could haxxor it up as you like...

Re: How to verify username/password against punBB

I'm going to try this for the MySQL version...

Re: How to verify username/password against punBB

One thing I notice right away is the fact that you only generate an MD5 checksum. Since 1.1, all new passwords are stored as SHA1 checksums instead (for increased security). You can find out which by checking the length of the password hash in the database. If it's 32 bytes, it's an MD5 hash and if it's 40, it's an SHA1 hash.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: How to verify username/password against punBB

Yes, when I wrote this the version was 1.something.

Try this:
Replace

    if ($NUM == "1")
    {
        print("Username & Password Verified");
    }
    else
    {
        print("Username/Password Combo not found.");
    }

with

    // Note: for this to work the SELECT above must match on username only
    // (drop the "AND password = ..." clause), since the hash is compared here.
    if ($NUM == "1")
    {    // Username found
        if (strlen($ROW->password) == 32)
        { // Check against md5
            if ($ROW->password == md5(trim($_POST['password'])))
            { // Password match md5-hash
                print("Password Verified md5");
            }
            else
            {
                print("Password does not match.");
            }
        }
        elseif (strlen($ROW->password) == 40)
        { // Check against sha1
            if (!function_exists('sha1'))
            { // sha1 does not exist on this PHP build. User needs to request a new password.
                print("Password algorithm is wrong. Please request a new password via [link].");
            }
            elseif ($ROW->password == sha1(trim($_POST['password'])))
            { // Password match sha1
                print("Password Verified sha1");
            }
            else
            { // sha1 function exists, but password does not match.
                print("Password does not match.");
            }
        }
        else
        {
            print("Something bad happened. Catch the error here.");
        }
    }
    else
    {
        print("Username not found.");
    }

I -think- that code block should check if the returned password is 32 or 40 long, and then compare it to the provided password in the correct manner (i.e. checking where to compare it).
It should also warn if the sha1 is not available if the stored password is 40 long.

Any inputs on this Rickard?
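The following is an added example, not code from the thread or from punBB itself. It pulls together the two points raised above (the PostgreSQL and MySQL lookups in the first post, and the md5-versus-sha1 length check in the last one) into one PDO-based function, so the same code works against either database. It assumes PHP 5.6 or later (for hash_equals), a PDO connection, and the column names used in the thread (users.username, users.password); the demo at the bottom uses an in-memory SQLite table with constructed rows so it runs offline.

```php
<?php
// Added example (not the thread's code): verify a login against a punBB-style
// users table. Assumes PHP 5.6+ (hash_equals), PDO, and the columns
// users.username / users.password as used in the thread above.

// Return the stored hash for a username, or null if the user does not exist.
// The username is a bound parameter, never concatenated into the SQL, so
// input like "' OR '1'='1" is just an unknown username.
function pun_stored_hash(PDO $db, $prefix, $username)
{
    $sql = 'SELECT password FROM ' . $prefix . 'users WHERE username = :u';
    $st = $db->prepare($sql);
    $st->execute(array(':u' => $username));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['password'] : null;
}

// Compare a supplied plaintext password against a stored punBB hash.
// Pre-1.1 accounts hold md5 (32 hex chars); 1.1+ accounts hold sha1 (40).
// Returns 'md5' or 'sha1' on success, false on mismatch, and null when the
// stored value has an unexpected length (treat that as "needs a reset").
function pun_check_hash($stored, $plain)
{
    switch (strlen($stored)) {
        case 32: $algo = 'md5';  $candidate = md5($plain);  break;
        case 40: $algo = 'sha1'; $candidate = sha1($plain); break;
        default: return null;
    }
    // Constant-time comparison; a plain == would also coerce two "0e..."
    // hex strings to numbers and call them equal.
    return hash_equals($stored, $candidate) ? $algo : false;
}

// Full check. Unknown user and wrong password both yield false, so the
// caller cannot tell the two apart (and neither can a remote user).
function pun_verify(PDO $db, $prefix, $username, $plain)
{
    $stored = pun_stored_hash($db, $prefix, trim($username));
    if ($stored === null) {
        return false;
    }
    return pun_check_hash($stored, trim($plain));
}

// --- Demo on an in-memory SQLite database with constructed rows ------------
// In production pass new PDO('pgsql:...') or new PDO('mysql:...') instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(array('oldtimer', md5('correct horse')));   // constructed pre-1.1 account
$ins->execute(array('newbie',   sha1('battery staple'))); // constructed 1.1+ account
$ins->execute(array('broken',   'not-a-hash'));           // constructed corrupt row

var_dump(pun_verify($db, '', 'oldtimer', 'correct horse'));  // md5 account, right password
var_dump(pun_verify($db, '', 'newbie',   'battery staple')); // sha1 account, right password
var_dump(pun_verify($db, '', 'newbie',   'wrong'));          // sha1 account, wrong password
var_dump(pun_verify($db, '', "' OR '1'='1", 'x'));           // injection attempt is just an unknown user
var_dump(pun_verify($db, '', 'broken',   'anything'));       // unrecognised hash length
```

The query selects by username only and the hash comparison happens in PHP, which is what the last post's length check needs; putting the md5 of the password into the WHERE clause, as the first post does, would never return a sha1 account. The return value distinguishes the algorithm so a caller can rehash md5 accounts to the newer format on a successful login.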