
Help accessing using password variable

Posted: Sun Jan 26, 2003 11:12 pm
by pushtheextreme
I'm all too new at this, and hardly know a thing. I'm learning as I go, but here's what I'm working on at the moment.

I'm trying to use the following login.php page to login to our Mantis bugtracker. We've gone to encrypted passwords, and as such the current password variables are not working. I should be able to replace the current password variables with MD5('password') function, but it seems like it's not working.

Attached below is the code, feel free to take a look at it if you're up for the challenge.


Matt


<?php
# Mantis - a php based bugtracking system
# Copyright (C) 2000, 2001 Kenzaburo Ito - kenito@300baud.org
# This program is distributed under the terms and conditions of the GPL
# See the README and LICENSE files for details
?>
<?php
# Check login then redirect to main_page.php3 or to login_page.php3
?>
<?php include( "core_API.php" ) ?>
<?php
    db_connect( $g_hostname, $g_db_username, $g_db_password, $g_database_name );

    if ( BASIC_AUTH == $g_login_method ) {
        $f_username = isset( $PHP_AUTH_USER ) ? $PHP_AUTH_USER : $REMOTE_USER;
        $f_password = $PHP_AUTH_PW;
    }

    # get user info
    $row = get_user_info_by_name_arr( $f_username );

    $login_result = 1;
    if ( $row ) {
        extract( $row, EXTR_PREFIX_ALL, "u" );
    } else {
        # invalid login
        $login_result = 0;
    }

    if (( $g_anonymous_account == $f_username ) && ( ON == $g_allow_anonymous_login )) {
        $f_password = "";
    }

    $t_project_id = 0;
    if (( 1 == $login_result )&&
        ( ON == $u_enabled )&&
        is_password_match( $f_username, $f_password, $u_password )) {

        # increment login count
        increment_login_count( $u_id );

        $t_project_id = get_default_project( $u_id );

        if ( ( isset( $f_perm_login ) )&&( "on" == $f_perm_login ) ) {
            # set permanent cookie (1 year)
            setcookie( $g_string_cookie, $u_cookie_string, time()+$g_cookie_time_length );
            if ( $t_project_id > -1 ) {
                setcookie( $g_project_cookie, $t_project_id, time()+$g_cookie_time_length );
            }
        } else {
            # set temp cookie, cookie dies after browser closes
            setcookie( $g_string_cookie, $u_cookie_string );
            if ( $t_project_id > -1 ) {
                setcookie( $g_project_cookie, $t_project_id, time()+$g_cookie_time_length+$g_cookie_time_length );
            }
        }

        # login good
        $login_result = 1;
    } else {
        # invalid login
        $login_result = 0;
    }

    # goto main_page or back to login_page
    if ( $t_project_id > -1 ) {
        $t_redirect_url = $g_main_page;
    } else if ( $login_result ) {
        if ( isset($f_project_id) ) {
            $t_redirect_url = $g_set_project."?f_project_id=".$f_project_id;
        } else {
            $t_redirect_url = $g_login_select_proj_page;
        }
    # Login failed, create user if basic authentication
    } else if ( BASIC_AUTH == $g_login_method ) { # @@@ ADDED fix the if assignment problem
        if ( $t_cookie_string = signup_user( $f_username ) ) {
            $t_redirect_url = $g_login_select_proj_page;
            $login_result = 1;
            setcookie( $g_string_cookie, $t_cookie_string );
        } else {
            $t_redirect_url = $g_login_page."?f_error=1";
        }
    } else {
        $t_redirect_url = $g_login_page."?f_error=1";
    }

    if ( ( ON == $g_quick_proceed )&&( $login_result ) ) {
        print_header_redirect( $t_redirect_url );
    }
?>
<?php print_page_top1() ?>
<?php
    # goto main_page or back to login_page
    if ( $t_project_id > 0 ) {
        print_meta_redirect( $g_main_page, 0 );
    } else if ( $login_result ) {
        if ( isset($f_project_id) ) {
            print_meta_redirect( $g_set_project."?f_project_id=".$f_project_id, 0 );
        } else {
            print_meta_redirect( $g_login_select_proj_page, 0 );
        }
    } else {
        print_meta_redirect( $g_login_page."?f_error=1", 0 );
    }
?>
<?php print_page_top2a() ?>

<p>
<div align="center">
<?php
    if ( $t_project_id > 0 ) { # SUCCESS
        print_bracket_link( $g_main_page, $s_proceed );
    } else if ( $login_result ) { # SUCCESS
        print_bracket_link( $g_login_select_proj_page, $s_proceed );
    } else { # FAILURE
        echo $MANTIS_ERROR[ERROR_LOGIN]."<p>";

        print_bracket_link( $g_login_page."?f_error=1", $s_proceed );
    }
?>
</div>

<?php print_page_bot1( __FILE__ ) ?>

Posted: Mon Jan 27, 2003 3:50 am
by volka
What do you want to crypt/hash where?
If you've hashed the passwords in your database you have to compare the hashed password provided by the user with the field's value of the database, probably done in is_password_match(x,y,z). $f_password is certainly plaintext, $u_password already hashed.

This only secures the stored passwords in the database from being stolen but does not provide a security layer for transmitting the login information.
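
The comparison described above, as an added example: this is not Mantis's own is_password_match(), whose body the thread never shows, and the function names, the sample users-table value and the upgrade helper are assumptions made for the demo. It hashes the plaintext the user submitted ($f_password) and compares that digest with the digest already in the users table ($u_password); hashing the stored column a second time can never produce a match.

```php
<?php
// Added example, not Mantis code. $f_password is what the user typed
// (plaintext); $u_password is the users-table column, already an MD5
// hex digest. All names and the sample row are constructed for this demo.

function verify_md5_password($f_password, $u_password)
{
    // Hash the submitted value; never re-hash the stored digest.
    $t_candidate = md5($f_password);               // 32 lowercase hex chars

    // hash_equals() (PHP >= 5.6) compares in constant time, so the
    // result does not leak how many leading characters agreed.
    return hash_equals(strtolower($u_password), $t_candidate);
}

// After a successful legacy check, re-hash with password_hash()
// (PHP >= 5.5) so the unsalted MD5 digest stops being the long-term
// secret. Returns the new hash the caller writes back to the users table.
function upgrade_legacy_hash($f_password)
{
    return password_hash($f_password, PASSWORD_DEFAULT);
}

// Constructed sample row, as a table populated with MD5('...') holds it.
$u_password = md5('correct horse battery staple');

var_dump(verify_md5_password('correct horse battery staple', $u_password));
var_dump(verify_md5_password('wrong password', $u_password));

// Logins against the upgraded row use password_verify() instead of md5().
$t_new_hash = upgrade_legacy_hash('correct horse battery staple');
var_dump(password_verify('correct horse battery staple', $t_new_hash));
```

The first var_dump is true and the second false; the third is true because password_verify() reads the algorithm and salt out of the stored hash itself. The upgrade step is the usual migration path for a table that was filled with plain MD5 digests: verify with the legacy scheme once, then write back a salted hash.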

Posted: Mon Jan 27, 2003 6:03 pm
by pushtheextreme
I'm trying to grab the crypted password from the database, and verify that with what is entered in.

The deal is I'm learning PHP (hardly know a thing about it), and this particular code is what I'm trying to see if I can fix.

I know you've got to be annoyed and think "eh, smurf newbie", but I was hoping to see how to fix it, and learn something through you guys' thoughts.

The code this corresponds to is the bugtracker at http://dev.rockclimbing.com/login_page.php

Hope this helps.

Thanks for the reply. ;)

-Matt

Posted: Mon Jan 27, 2003 8:26 pm
by volka
not very helpful ;)
but try


is_password_match( $f_username, $f_password, md5($u_password) ))
might be working.

Posted: Wed Jan 29, 2003 6:11 pm
by pushtheextreme
Volka,
Thanks for the reply. I tried that code, but it didn't work. Thanks for the suggestion, but the more I dig into this, it looks like the password field is actually querying the Mantis db, instead of the user tables for the main site.

Thanks again; looks like this could be a bigger mess than I thought.


Matt