
Outside User Authorization / Decrypt Password?

I need to check the user database and determine if the password entered is correct, then extract the user group permissions. This will allow me to interface the program with Imagefolio. Any help would be appreciated! I'll pay a reasonable fee for assistance in getting this working - anyone? This is over my head, any help would be appreciated.

Here is a rough script I'm starting from - I highlighted the areas I could use a bit of assistance with:

sub read_user_db {
    $dbh = DBI->connect("DBI:$sql_db:$db_name:$db_host:$db_port", $db_user_name, $db_password) or die $DBI::errstr;
    $form_password = $dbh->quote($FORM{'if_password'});
    $form_username = $dbh->quote($FORM{'if_username'});
    $db_query = "SELECT $db_field_username, $db_field_password, $db_field_email, MD5($form_password)"; # use PASSWORD($form_password) if you used mySQL to encrypt password

how do you check against the encrypted password?

    $db_query .= ", $db_field_firstname" if $db_field_firstname;
    $db_query .= ", $db_field_lastname" if $db_field_lastname;
    $db_query .= ", $db_field_group_permissions" if $db_field_group_permissions;

I'll have to do a SELECT to find the user group permissions?

gforum_UserGroup contains the grouping details in here:

user_id_fk group_id_fk

so you'd have to determine the user's number, then cross-reference it to determine what groups they belonged to, then go to Gforum_Grouping and extract the group name from the details here:

group_id group_name group_moderator_fk

    $db_query .= " FROM $db_table WHERE $db_field_username = $form_username";

    if ($dbh) {
        $sth = $dbh->prepare($db_query) or die $DBI::errstr;
        $sth->execute or die $DBI::errstr;
        @row = $sth->fetchrow_array;
        $found_this_user = 1 if @row;
        $sth->finish();
    }

    if ($found_this_user) {
        if (($row[1] eq $row[3])) {
            $found_this_pass = 1;
        }
        elsif (lc($row[1]) eq lc($FORM{'if_password'})) {
            $found_this_pass = 1;
        }

        $ifusername = $row[0]; # This is the username
        $ifemail = $row[2]; # This is the email
        $next_field = 4;

        if ($db_field_firstname) {
            $iffirstname = $row[$next_field]; # This is the first name
            $next_field++;
        }
        if ($db_field_lastname) {
            $iflastname = $row[$next_field]; # This is the last name
            $next_field++;
        }
        if ($db_field_group_permissions) {
            $ifgroup = $row[$next_field]; # This is the ImageFolio group
        }
    }
}

1;
Re: [DoubleJJ] Outside User Authorization / Decrypt Password? In reply to
Hi,

Are you trying to modify Imagefolio to authenticate off Gossamer Forum or modify Gossamer Forum to authenticate off Image Folio?

I'm assuming the first. Basic steps would be:

1. Select from the database the user_password where Username = 'Foo'
2. Compare the input with the database with:

require GT::MD5::Crypt;
$password_good = ($db_encrypted eq GT::MD5::Crypt::gt_md5_crypt($form_cleartext, $db_encrypted));

3. If password_good is true, then it's the right password, if not, then it's wrong.

Hope that helps,

Alex
--
Gossamer Threads Inc.

Last edited by: Jagerman: Mar 18, 2003, 5:13 PM
Re: [Alex] Outside User Authorization / Decrypt Password? In reply to
OK - maybe a different approach:

$form_password = $dbh->quote($FORM{'if_password'});
$form_username = $dbh->quote($FORM{'if_username'});

$db_query = "SELECT $db_field_username, $db_field_password, $db_field_email, MD5($form_password)"; #use PASSWORD($form_password) if you used mySQL to encrypt password

Sorry - I'm not sure what to do here? How do I get the password working properly in the above statement? You are not using standard MD5 encryption? How do I check password with Gossamer Threads encryption?


$db_query .= ", $db_field_firstname" if $db_field_firstname;
$db_query .= ", $db_field_lastname" if $db_field_lastname;
$db_query .= ", $db_field_group_permissions" if $db_field_group_permissions;
$db_query .= " FROM $db_table WHERE $db_field_username = $form_username";
Re: [Alex] Outside User Authorization / Decrypt Password? In reply to
help - I got it 90% working :) Jeez, there is no end to how much you can learn in programming.

using:

GT::MD5::Crypt::gt_md5_crypt($form_cleartext, $db_encrypted)

outputs a different value than the one stored in the database - any ideas?

-jj

Last edited by: DoubleJJ: Mar 19, 2003, 6:24 PM
Re: [DoubleJJ] Outside User Authorization / Decrypt Password? In reply to
perl -MGT::MD5::Crypt=gt_md5_crypt -e 'print gt_md5_crypt("foo", "a7v9q764")'
$GT$a7v9q764$WrMX4LPnoFMX55YPuzlTV1


perl -MGT::MD5::Crypt=gt_md5_crypt -e 'print gt_md5_crypt("foo", q|$GT$a7v9q764$WrMX4LPnoFMX55YPuzlTV1|)'
$GT$a7v9q764$WrMX4LPnoFMX55YPuzlTV1

Are you sure you have the plain text password correct?

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
Re: [Jagerman] Outside User Authorization / Decrypt Password? In reply to
In Reply To:
perl -MGT::MD5::Crypt=gt_md5_crypt -e 'print gt_md5_crypt("foo", q|$GT$a7v9q764$WrMX4LPnoFMX55YPuzlTV1|)'
$GT$a7v9q764$WrMX4LPnoFMX55YPuzlTV1


I don't understand what this is showing / doing?
Re: [DoubleJJ] Outside User Authorization / Decrypt Password? In reply to
In order to see if the plain text password you have is correct, you call:

if ($encrypted eq GT::MD5::Crypt::gt_md5_crypt($plaintext, $encrypted)) {
    # Password matches
}


The gt_md5_crypt() function will re-encrypt the plain text password using the "salt" of the encrypted password; if it works, the return value should be the same as the encrypted password you passed in.

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
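
The replies above combined into one login check, as an added example that is not code from the posters or from Gossamer Threads: it fetches the stored hash with a placeholder, verifies it with gt_md5_crypt() as described, and only then resolves group names through the two tables named in the first post. The $db_* variables mirror the original script; $db_field_userid, check_forum_login and the two table variables are assumptions introduced here.

```perl
use strict;
use warnings;
use DBI;
use GT::MD5::Crypt ();   # ships with Gossamer Forum; call as shown in the replies

# Assumed configuration, set elsewhere: the first three mirror the original
# script; $db_field_userid is a hypothetical name for the user id column.
our ($db_table, $db_field_username, $db_field_password, $db_field_userid);

# Table and column names as written in the thread; adjust to the install.
my $tbl_user_group = 'gforum_UserGroup';   # user_id_fk, group_id_fk
my $tbl_grouping   = 'Gforum_Grouping';    # group_id, group_name

# Returns (1, \@group_names) on a correct password, (0, []) otherwise.
sub check_forum_login {
    my ($dbh, $username, $password) = @_;
    return (0, []) unless defined $username && defined $password && length $password;

    # The placeholder keeps form input out of the SQL text, and the cleartext
    # password is never sent to the database (no MD5() or PASSWORD() in SQL).
    my ($user_id, $stored) = $dbh->selectrow_array(
        "SELECT $db_field_userid, $db_field_password
           FROM $db_table WHERE $db_field_username = ?",
        undef, $username);
    return (0, []) unless defined $stored && length $stored;

    # Re-hash the input with the salt embedded in the stored value and compare.
    # There is no cleartext fallback: any mismatch is a failed login.
    my $rehashed = GT::MD5::Crypt::gt_md5_crypt($password, $stored);
    return (0, []) unless defined $rehashed && $rehashed eq $stored;

    # Resolve group names only after the password has been verified.
    my $groups = $dbh->selectcol_arrayref(
        "SELECT g.group_name
           FROM $tbl_user_group ug
           JOIN $tbl_grouping g ON g.group_id = ug.group_id_fk
          WHERE ug.user_id_fk = ?",
        undef, $user_id);
    return (1, $groups || []);
}

1;
```

Because the salt travels inside the stored value, a plain MD5 of the form input (in SQL or in Perl) will not equal the stored value; the comparison has to go through gt_md5_crypt() with the stored value as its second argument.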