I have a forum that runs off a mysql database and I want to be able to use the forum login and p/w to access other areas of the site. The password encryption is custom, but looking through the php files, I can see how it is encrypted, I'm just not savy enough to get it to work. Hopefully someone here can help me.

Here is the section of the code where the passwords are compared...

if (my_crypt($in['current_password'],$row['password']) != $row['password']) {

Here are the my_crypt and get_salt functions:

function my_crypt($str,$salt) {

   return crypt($str,substr($salt,0,2));
}

function get_salt() {

   srand(time());
   $random = "abcdefghijklmnopqrstuvwxyz1234567890";
   $salt = substr($random,floor(rand(1,36)),1);
   $salt .= substr($random,floor(rand(1,36)),1);
   return $salt;

And here is the non functioning select satatement:

$password = my_crypt($password, $salt); //This is my problem...
$sql = "SELECT * FROM $table_name WHERE username = '$username' AND password = '$password'";

Sorry for the long post. I've been searching this site for months and have found TONS of helpful info already...Any help is appreciated...

Kale

    You need to fetch the row for the user then compare the passwords.
    The my_crypt() function requires the first 2 chars of the stored password to encrypt the entered password.

    $sql = "SELECT * FROM $table_name WHERE username = '$username' ";
$row = mysql_query( $sql );
$pass = my_crypt( $password , $row['password'] );

if( $pass == $password ) {
// good password
}

    HalfaBee

      Thanks for the input, but no luck on the authorization...

      If I take away the password checking and just input a valid username, everything works.

      Any other ideas???

      Kale

        Run the following code several times and see the outputs. You will know why your code is not working:

        $test = "test";
        echo my_crypt($test,get_salt());

        Your get_salt() function returns different salt every time. Crypt() function with different salt won't return same encrypted string. That's why it doesn't work.

          Okay, so if my_crypt uses $salt, and $salt is different everytime, how is it that the forum can recognize and compare passwords? Could it be something I overlooked?

          Here are a few more lines of the code from the section where users can change their password. On the form, it asks you to input your old password, enter the new one, then retype the new one for verification:

                // First check current password
      $q = "SELECT password
              FROM " . DB_USER . "
             WHERE id = '$u_id' ";

  $result = db_query($q);
  $row = db_fetch_array($result);
  db_free($result);

  if (my_crypt($in['current_password'],$row['password']) != $row['password']) {
     array_push($error,$in['lang']['current_password_incorrect']);
  }

  if ($in['new_password'] != $in['new_password_2']) {
     array_push($error,$in['lang']['two_passwords_different']);
  }


  if ($error) {

     print_error_mesg($in['lang']['password_errors'] . ":" , $error);
     password_form();

  }
  else {

     $salt = get_salt();

     $encrypted_password = my_crypt($in['new_password'],$salt);

     $q = "UPDATE " . DB_USER . "
              SET password = '$encrypted_password',
                  reg_date = reg_date,
                  last_date = last_date
            WHERE id = '$u_id' ";
     db_query($q);

     $mesg = $in['lang']['password_changed_1'] 
             . "<p class=\"dcemp\">$in[new_password]</p>" .
             $in['lang']['password_changed_2'];

     print_ok_mesg($mesg);

  }


   }
   else {

  print_inst_mesg($in['lang']['password_form']);
  password_form();

   }

}

          The $in keeps throwing me off as well as the $salt, which was nothing more than a table dressing to me a couple of days ago...🙂

          Kale

            Well, the only way to solve your question is to have a same salt string stored in the new column (maybe named "salt") in the user table.

            $query = "select password, salt from user_table where username = '$_POST[username]'";

            run the query above and get password and salt and then

            // password and salt are stored in $user array.
            my_crypt($_POST['password'],$user['salt']) == $user['password']) { echo "You have the right password"; }

            Remember, crypt() function has to have a same password string and the same salt string to get the same encrypted string. So you can use get_salt() to get the very first salt, but the salt has to be stored somewhere to be used later on.

            I don't think your get_salt() function returns the length of 2 string every time, so you may wanna rewrite it to do so.

              To me, a newbie, it looks like the salt is included in the crypt function. There is no "salt" field in the db. I'm lost as to why this doesn't work...

              $sql = "SELECT * FROM $table_name WHERE username = '$username' "; 
$row = mysql_query($sql); 
$pass = my_crypt($password, $row['password']); 
if($pass == $password) { 
   $msg = "Congratulations, you're authorized!";
   } else { 
   header("Location: error.html");
   exit;
}

              Hopefully I can get the author of the script to comment more on how to fix this, if not I will have to create a work around by linking to my external update page AFTER logging in to the forum.

              Kale

                For the record, here's what worked:

                if (my_crypt($password,$row['password']) == $row['password']) {
   $msg = "Congratulations, you're authorized!";
   } else { 
   header("Location: error.html");
   exit;
}

                🙂

                Kale

                  Write a Reply...