Webmastersite.net
Register Log In

phpBB3 integration woes

Comments on phpBB3 integration woes

ModemGuru


Usergroup: Customer
Joined: Mar 22, 2006

Total Topics: 8
Total Comments: 50
Posted Apr 23, 2008 - 12:26 PM:

Paul,

I am trying to integrate WSNLinks with phpBB3 using the Integration Generator and I am having a few issues in doing so. phpBB3 uses a new mechanism for password hashing and it seems a little complex. I'm wondering if you could help me figure out what to put in the "method for transforming an input of $userpassword into an encoded $password" box.

The new password hashing mechanism can be found in the attached functions.php file.

Attached Files:
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7867
Paul
Posted Apr 23, 2008 - 4:13 PM:

Looks like they've made it nightmarishly complex. There's no option in phpBB3 to just use MD5?
ModemGuru


Usergroup: Customer
Joined: Mar 22, 2006

Total Topics: 8
Total Comments: 50
Posted Apr 23, 2008 - 4:21 PM:

Not by default no. (ie: There is no option in the board's administration.) There might be some modifications someone has made, but it will likely be as complicated as integrating it. Is there any way to kind of just...copy/paste the formulas into a file to be read by WSN Links? I can mod and follow instructions pretty well, as well as fumble my way through PHP, but I do not actually -know- PHP, which is why I am looking for your more expert guidance. :-)
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7867
Paul
Posted Apr 24, 2008 - 5:48 PM:

PHPBB users would know best if there's an easy way. Possibly you can include one of their files and them call a function. Ask them what the simplest way to turn the user's typed password into the database value is.
ModemGuru


Usergroup: Customer
Joined: Mar 22, 2006

Total Topics: 8
Total Comments: 50
Posted Apr 24, 2008 - 8:01 PM:

www.phpbb.com/community/vie...opic.php?f=46&t=918455



Hopefully someone is able to help. smiling face




ModemGuru


Usergroup: Customer
Joined: Mar 22, 2006

Total Topics: 8
Total Comments: 50
Posted Apr 25, 2008 - 1:41 PM:

Ok, so this is what noxwizard gave me:





Here's an example of checking an entered password:

define('IN_PHPBB', true);
$phpbb_root_path = './'
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

//Look up the hashed password
$sql = 'SELECT user_password
FROM ' . USERS_TABLE . "
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);

//If we found the user and its password, compare the passwords
if($row)
{
if(phpbb_check_hash($password, $row['user_password']))
{
echo "Password Match!";
}
else
{
echo "Password Mis-match!";
}
}
else
{
echo "User not found!";
}

}






Not entirely sure how to utilize that code bit, while you probably do. Your thoughts?

Thanks,

Brad
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7867
Paul
Posted Apr 27, 2008 - 1:19 AM:

I'll have to install phpBB to play around with it when I have the chance.
ModemGuru


Usergroup: Customer
Joined: Mar 22, 2006

Total Topics: 8
Total Comments: 50
Posted Apr 27, 2008 - 12:02 PM:

Paul wrote:
I'll have to install phpBB to play around with it when I have the chance.




Thanks Paul! That would be most helpful. I plan to upgrade my server to php5 and mysql5 soon and phpbb2 has some issues with php5. Due to this I'm going to upgrade portal.modemhelp.net to the latest version of WSNLinks and the database it is connected to (phpbb2) to phppb3. In preparation of this upgrade I am working on connecting my new website's phpbb3 database to the latest version of WSNLinks as a "trial run".



Thank you a ton for your help,

Brad
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7867
Paul
Posted Apr 27, 2008 - 6:07 PM:

After a few hours of investigation, it seems they simply don't offer any way to compare the actual password to the user_password database value without incorporating practically the entirity of phpBB into the page. This makes it impossible to provide any distributable version. A one-person hack may be feasible if you have a huge enough memory limit to handle both scripts loaded at once, and if none of the functions happen to conflict.

Maybe you can try again to get them to tell you how to transform the typed value into the database's user_password value without using phpBB.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7867
Paul
#10 - Quote - Permalink
Posted Apr 27, 2008 - 6:21 PM:

Tested and there are many conflicts, so no chance of it ever working by including the whole phpBB source like that example.
ModemGuru


Usergroup: Customer
Joined: Mar 22, 2006

Total Topics: 8
Total Comments: 50
#11 - Quote - Permalink
Posted Apr 28, 2008 - 12:46 PM:

What I got back:




You could take the functions

phpbb_check_hash()
_hash_crypt_private()
_hash_encode64()

and copy them into their own php file. That way you wouldn't have to include all of functions.php in your script






After seeing this, I decided to see how many other scripts are doing the user integration, and I found some, such as:

Gallery2: http://www.nukedgallery.net/postt2895.html





However, in doing so I found what may be a GREAT thread on how to perform an integration. It is found at:

www.subdreamer.com/forum/sh...10749&highlight=phpbb3

It discusses how to do user integration with the new password hashing mechanism, which they said was "PHP Portable Password" found at: http://www.openwall.com/phpass/



It says on the phpass website "A cut-down version of phpass (supporting the portable hashes only) has been integrated into phpBB3 (although they have changed the hash type identifier string from "$P$" to "$H$", the hashes are otherwise compatible with those of genuine phpass)."



Does this help?
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7867
Paul
#12 - Quote - Permalink
Posted Apr 29, 2008 - 8:29 PM:

ModemGuru wrote:

You could take the functions

phpbb_check_hash()
_hash_crypt_private()
_hash_encode64()

and copy them into their own php file. That way you wouldn't have to include all of functions.php in your script


The problem with phpbb_check_hash is it requires the hash in advance, so using it requires some rewriting of WSN Links. I have it working for 4.2, but I don't want to introduce potential login bugs in 4.1.
ModemGuru


Usergroup: Customer
Joined: Mar 22, 2006

Total Topics: 8
Total Comments: 50
#13 - Quote - Permalink
Posted Apr 30, 2008 - 11:56 AM:

Paul wrote:


The problem with phpbb_check_hash is it requires the hash in advance, so using it requires some rewriting of WSN Links. I have it working for 4.2, but I don't want to introduce potential login bugs in 4.1.




4.2 is a ways off yet though, isn't it? I desperately need to upgrade phpbb2 to phpbb3 due to a coming server upgrade to php5 and spam-related issues. Would it be possible for the login code to be released as a "Mod" for 4.1?



Thanks,

Brad
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7867
Paul
#14 - Quote - Permalink
Posted Apr 30, 2008 - 11:50 PM:

It can't be done as a plugin, it requires numerous little changes to classes/member.php. Since other things have changed, 4.2's version can't be used directly. I'd need to take an hour to backport it carefully enough to ensure it wouldn't open up any security holes, and test it again... I can do that for you for $50, or you can upgrade to 4.2.0 Alpha 4 which already includes it (integration/phpbb3.php) if you don't mind the likely instability of alphas. See www.webmastersite.net/forum...420-pre-releases-8112.html
Search thread for
Download thread as
  • 0/5
  • 1
  • 2
  • 3
  • 4
  • 5



Sorry, you don't have permission to post posts. Log in, or register if you haven't yet.