I'm writing a phpBB password authorization script, but am having 2 problems.
1) phpBB must use some modified form of MD5 encryption because the MD5 encryption of my password is different from that shown in the database.
2) No matter what, this script returns true. There is no way to make it return false.
Here is the code:
<?php
//Connect to and select database
$dbh=mysql_connect ("localhost", "<my username is naked so you can't see it>", "<no_password_viewing_for_you>") or die (mysql_error());
mysql_select_db ("pyro_forums");
//Grab the encrypted password from the database and store it so that we can close the database connection
$encrypted_pass=mysql_query ("SELECT user_password FROM phpbb_users WHERE username=/'".$HTTP_POST_VARS[user]."/'");
//Close the database connection
mysql_close();
//Check if the password is correct, and set the variable accordingly
if ($HTTP_POST_VARS[pass]==$encrypted_pass) {
    $pass_correct="True";
}
else{
    $pass_correct="False";
};
//Show the result of the verification
echo($pass_correct);
?>
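
An added example, not part of the original post: a verification routine that fetches the stored hash as a value, hashes the submitted password before comparing, and binds the username as a query parameter instead of concatenating it into the SQL. It assumes user_password holds an unsalted hex MD5 digest (the post does not confirm the scheme), stands in an in-memory SQLite table of constructed data for the poster's MySQL database, and the function names hash_candidate and verify_login are hypothetical.

```php
<?php
// Added example, not the poster's code.
// Assumption: user_password holds an unsalted hex MD5 digest of the password;
// change hash_candidate() if the installation stores something else.

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phpbb_users (username TEXT PRIMARY KEY, user_password TEXT)');
$ins = $db->prepare('INSERT INTO phpbb_users (username, user_password) VALUES (?, ?)');
$ins->execute(['alice', md5('correct horse')]);   // constructed account
$ins->execute(["o'brien", md5('battery staple')]); // constructed, name contains a quote

// Hypothetical helper: the hashing scheme assumed for the stored column.
function hash_candidate(string $password): string
{
    return md5($password);
}

// Hypothetical helper: true only when the user exists and the hashes match.
function verify_login(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT user_password FROM phpbb_users WHERE username = ?');
    $stmt->execute([$user]);

    // Fetch the column value; the statement/result handle itself is not the hash.
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }

    // Hash the submitted password first, then compare in constant time.
    return hash_equals((string) $stored, hash_candidate($pass));
}

// Constructed test inputs: correct password, wrong password, unknown user,
// and a username containing a quote character.
var_dump(verify_login($db, 'alice', 'correct horse'));
var_dump(verify_login($db, 'alice', 'wrong'));
var_dump(verify_login($db, 'nobody', 'correct horse'));
var_dump(verify_login($db, "o'brien", 'battery staple'));
```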