I am trying to integrate WSNLinks with phpBB3 using the Integration Generator and I am having a few issues in doing so. phpBB3 uses a new mechanism for password hashing and it seems a little complex. I'm wondering if you could help me figure out what to put in the "method for transforming an input of $userpassword into an encoded $password" box.
The new password hashing mechanism can be found in the attached functions.php file.
Not by default no. (ie: There is no option in the board's administration.) There might be some modifications someone has made, but it will likely be as complicated as integrating it. Is there any way to kind of just...copy/paste the formulas into a file to be read by WSN Links? I can mod and follow instructions pretty well, as well as fumble my way through PHP, but I do not actually -know- PHP, which is why I am looking for your more expert guidance. :-)
PHPBB users would know best if there's an easy way. Possibly you can include one of their files and them call a function. Ask them what the simplest way to turn the user's typed password into the database value is.
//Look up the hashed password $sql = 'SELECT user_password FROM ' . USERS_TABLE . " WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'"; $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result);
//If we found the user and its password, compare the passwords if($row) { if(phpbb_check_hash($password, $row['user_password'])) { echo "Password Match!"; } else { echo "Password Mis-match!"; } } else { echo "User not found!"; }
}
Not entirely sure how to utilize that code bit, while you probably do. Your thoughts?
Paul wrote: I'll have to install phpBB to play around with it when I have the chance.
Thanks Paul! That would be most helpful. I plan to upgrade my server to php5 and mysql5 soon and phpbb2 has some issues with php5. Due to this I'm going to upgrade portal.modemhelp.net to the latest version of WSNLinks and the database it is connected to (phpbb2) to phppb3. In preparation of this upgrade I am working on connecting my new website's phpbb3 database to the latest version of WSNLinks as a "trial run".
After a few hours of investigation, it seems they simply don't offer any way to compare the actual password to the user_password database value without incorporating practically the entirity of phpBB into the page. This makes it impossible to provide any distributable version. A one-person hack may be feasible if you have a huge enough memory limit to handle both scripts loaded at once, and if none of the functions happen to conflict.
Maybe you can try again to get them to tell you how to transform the typed value into the database's user_password value without using phpBB.
It discusses how to do user integration with the new password hashing mechanism, which they said was "PHP Portable Password" found at: http://www.openwall.com/phpass/
It says on the phpass website "A cut-down version of phpass (supporting the portable hashes only) has been integrated into phpBB3 (although they have changed the hash type identifier string from "$P$" to "$H$", the hashes are otherwise compatible with those of genuine phpass)."
and copy them into their own php file. That way you wouldn't have to include all of functions.php in your script
The problem with phpbb_check_hash is it requires the hash in advance, so using it requires some rewriting of WSN Links. I have it working for 4.2, but I don't want to introduce potential login bugs in 4.1.
The problem with phpbb_check_hash is it requires the hash in advance, so using it requires some rewriting of WSN Links. I have it working for 4.2, but I don't want to introduce potential login bugs in 4.1.
4.2 is a ways off yet though, isn't it? I desperately need to upgrade phpbb2 to phpbb3 due to a coming server upgrade to php5 and spam-related issues. Would it be possible for the login code to be released as a "Mod" for 4.1?
It can't be done as a plugin, it requires numerous little changes to classes/member.php. Since other things have changed, 4.2's version can't be used directly. I'd need to take an hour to backport it carefully enough to ensure it wouldn't open up any security holes, and test it again... I can do that for you for $50, or you can upgrade to 4.2.0 Alpha 4 which already includes it (integration/phpbb3.php) if you don't mind the likely instability of alphas. See www.webmastersite.net/forum...420-pre-releases-8112.html
0/5
1
2
3
4
5
Sorry, you don't have permission to post posts. Log in, or register if you haven't yet.
Comments on phpBB3 integration woes
Usergroup: Customer
Joined: Mar 22, 2006
Total Topics: 8
Total Comments: 50
Paul,
I am trying to integrate WSNLinks with phpBB3 using the Integration Generator and I am having a few issues in doing so. phpBB3 uses a new mechanism for password hashing and it seems a little complex. I'm wondering if you could help me figure out what to put in the "method for transforming an input of $userpassword into an encoded $password" box.
The new password hashing mechanism can be found in the attached functions.php file.
Attached Files:
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
Looks like they've made it nightmarishly complex. There's no option in phpBB3 to just use MD5?
Usergroup: Customer
Joined: Mar 22, 2006
Total Topics: 8
Total Comments: 50
Not by default no. (ie: There is no option in the board's administration.) There might be some modifications someone has made, but it will likely be as complicated as integrating it. Is there any way to kind of just...copy/paste the formulas into a file to be read by WSN Links? I can mod and follow instructions pretty well, as well as fumble my way through PHP, but I do not actually -know- PHP, which is why I am looking for your more expert guidance. :-)
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
PHPBB users would know best if there's an easy way. Possibly you can include one of their files and them call a function. Ask them what the simplest way to turn the user's typed password into the database value is.
Usergroup: Customer
Joined: Mar 22, 2006
Total Topics: 8
Total Comments: 50
www.phpbb.com/community/vie...opic.php?f=46&t=918455
Hopefully someone is able to help.
Usergroup: Customer
Joined: Mar 22, 2006
Total Topics: 8
Total Comments: 50
Ok, so this is what noxwizard gave me:
Here's an example of checking an entered password:
define('IN_PHPBB', true);
$phpbb_root_path = './'
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
//Look up the hashed password
$sql = 'SELECT user_password
FROM ' . USERS_TABLE . "
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
//If we found the user and its password, compare the passwords
if($row)
{
if(phpbb_check_hash($password, $row['user_password']))
{
echo "Password Match!";
}
else
{
echo "Password Mis-match!";
}
}
else
{
echo "User not found!";
}
}
Not entirely sure how to utilize that code bit, while you probably do. Your thoughts?
Thanks,
Brad
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
I'll have to install phpBB to play around with it when I have the chance.
Usergroup: Customer
Joined: Mar 22, 2006
Total Topics: 8
Total Comments: 50
I'll have to install phpBB to play around with it when I have the chance.
Thanks Paul! That would be most helpful. I plan to upgrade my server to php5 and mysql5 soon and phpbb2 has some issues with php5. Due to this I'm going to upgrade portal.modemhelp.net to the latest version of WSNLinks and the database it is connected to (phpbb2) to phppb3. In preparation of this upgrade I am working on connecting my new website's phpbb3 database to the latest version of WSNLinks as a "trial run".
Thank you a ton for your help,
Brad
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
After a few hours of investigation, it seems they simply don't offer any way to compare the actual password to the user_password database value without incorporating practically the entirity of phpBB into the page. This makes it impossible to provide any distributable version. A one-person hack may be feasible if you have a huge enough memory limit to handle both scripts loaded at once, and if none of the functions happen to conflict.
Maybe you can try again to get them to tell you how to transform the typed value into the database's user_password value without using phpBB.
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
Tested and there are many conflicts, so no chance of it ever working by including the whole phpBB source like that example.
Usergroup: Customer
Joined: Mar 22, 2006
Total Topics: 8
Total Comments: 50
What I got back:
You could take the functions
phpbb_check_hash()
_hash_crypt_private()
_hash_encode64()
and copy them into their own php file. That way you wouldn't have to include all of functions.php in your script
After seeing this, I decided to see how many other scripts are doing the user integration, and I found some, such as:
Gallery2: http://www.nukedgallery.net/postt2895.html
However, in doing so I found what may be a GREAT thread on how to perform an integration. It is found at:
www.subdreamer.com/forum/sh...10749&highlight=phpbb3
It discusses how to do user integration with the new password hashing mechanism, which they said was "PHP Portable Password" found at: http://www.openwall.com/phpass/
It says on the phpass website "A cut-down version of phpass (supporting the portable hashes only) has been integrated into phpBB3 (although they have changed the hash type identifier string from "$P$" to "$H$", the hashes are otherwise compatible with those of genuine phpass)."
Does this help?
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
You could take the functions
phpbb_check_hash()
_hash_crypt_private()
_hash_encode64()
and copy them into their own php file. That way you wouldn't have to include all of functions.php in your script
The problem with phpbb_check_hash is it requires the hash in advance, so using it requires some rewriting of WSN Links. I have it working for 4.2, but I don't want to introduce potential login bugs in 4.1.
Usergroup: Customer
Joined: Mar 22, 2006
Total Topics: 8
Total Comments: 50
The problem with phpbb_check_hash is it requires the hash in advance, so using it requires some rewriting of WSN Links. I have it working for 4.2, but I don't want to introduce potential login bugs in 4.1.
4.2 is a ways off yet though, isn't it? I desperately need to upgrade phpbb2 to phpbb3 due to a coming server upgrade to php5 and spam-related issues. Would it be possible for the login code to be released as a "Mod" for 4.1?
Thanks,
Brad
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
It can't be done as a plugin, it requires numerous little changes to classes/member.php. Since other things have changed, 4.2's version can't be used directly. I'd need to take an hour to backport it carefully enough to ensure it wouldn't open up any security holes, and test it again... I can do that for you for $50, or you can upgrade to 4.2.0 Alpha 4 which already includes it (integration/phpbb3.php) if you don't mind the likely instability of alphas. See www.webmastersite.net/forum...420-pre-releases-8112.html