0

Hi.
I purchased some software recently but have been unable get any helpful product support with the following problem, because it's a coding matter, I guess. The purchased software is for a PayPal subscription management system, and it relies on user verification by way of a username (email address) and a hashed password.

I have developed my own login scripts which use a hashed md5 password and all that is fine.I want to integrate my scripts with the purchased software using the supplied mySql database tables.

My problem is that the supplied software goes a step further than a hashed md5 password by applying initializing vectors to the hashed password. I cannot figure out how to modify my login code to accommodate the encrypted password that appears in the database.

It is beyond my current abilities to figure this out on my own. I'd really appreciate it if anyone can help.

I've attached my own login script below, and Ive attached what I think is the decryption code that comes with the purchased software. There is also a database file.

Hope someone can help me.

<?php
session_start();
if ($_POST['password']) {
//Connect to the database 
    include_once "db_connect.php";    
$email = stripslashes($_POST['payer_email']);
$email = strip_tags($email);
$email = mysql_real_escape_string($email);
$password = preg_replace("/[^A-Za-z0-9]/", "", $_POST['password']); // filter everything but numbers and letters
$password = md5($password);
// Make query and then register all relevant database data into SESSION variables.
$sql = mysql_query("SELECT * FROM sec_tblusers WHERE payer_email='$email' AND password='$password' AND signedup='1'") or die("failed"); 
$login_check = mysql_num_rows($sql);
if($login_check > 0){ 
    while($row = mysql_fetch_array($sql)){ 
        // Get member data into a session variable
        $id = $row["recid"];   
        session_register('recid'); 
        $_SESSION['recid'] = $id;
   
        $payer_email = $row["payer_email"]; 
        session_register('payer_email'); 
        $_SESSION['payer_email'] = $payer_email;
        
        $password = $row["password"]; 
        session_register('password'); 
        $_SESSION['password'] = $password;        
           
        $iv = $row["iv"]; 
        session_register('iv'); 
        $_SESSION['iv'] = $iv;
         
        $signedup = $row["signedup"]; 
        session_register('signedup'); 
        $_SESSION['signedup'] = $signedup;
         
        $lastlogin = $row["lastlogin"]; 
        session_register('lastlogin'); 
        $_SESSION['lastlogin'] = $lastlogin;
    
        // Update last_log_date field for this member now
        mysql_query("UPDATE sec_tblusers SET lastlogin=now() WHERE recid='$id'");
        // Print success message here then exit the script
        //header("location: member_profile.php?id=$id"); 
        header("location: adduser.php?id=$id"); 
        exit();
    } // close while
} else {
// Print login failure message to the user and link them back to your login page
  print '<br /><br /><font color="#FF0000">You do not show in our records as a subscriber. Has the subscription expired?</font><br />
<br /><a href="../main.php">Click here</a> to go back.';
  exit();
}
}// close if post
?>

What I think is the decrypting code that comes with the purchased software goes like this.

<?php 
//---------------------------------------
//Given the payer_email address, return the decrypted password
function getpassword($payer_email, $dbhost, $dbusername, $dbpass, $dbname, $dbprefix, &$message) {

    $dl = new DataLayer();
    $dl->debug=false;
    $dl->connect( $dbhost, $dbusername, $dbpass, $dbname )  or die ( "Database connection error " . $dl->geterror() );
       
    //SELECT password, iv FROM sec_tblusers WHERE payer_email = '" . $payer_email . "'"
    $cols = array("password", "iv");
    $table = $dl->select( $dbprefix."sec_tblusers", "", $cols, "payer_email = '$payer_email'", "" );

    if ($dl->geterror()) {
        $message = "SQL error - user.php ref 58 " . $dl->geterror();
        exit;
    }

    $IV = $table[0]['iv'];
    $password = $table[0]['password'];

    $decryption = new password($IV, $password);
    $decryption->decode();
    $decode = $decryption->getdecodedtext();

    return $decode;

}


//------------------------------------
?>

The database table is here.

-- Table structure for table `sec_tblusers`
--

CREATE TABLE `sec_tblusers` (
  `recid` int(11) NOT NULL AUTO_INCREMENT,
  `payer_email` varchar(100) NOT NULL,
  `password` varchar(50) DEFAULT NULL,
  `iv` int(11) DEFAULT NULL,
  `signedup` int(11) NOT NULL DEFAULT '0',
  `signupdate` datetime NOT NULL,
  `lastlogin` datetime NOT NULL,
  PRIMARY KEY (`recid`),
  UNIQUE KEY `payer_email` (`payer_email`),
  KEY `password` (`password`),
  KEY `signedup` (`signedup`),
  KEY `lastlogin` (`lastlogin`),
  KEY `signupdate` (`signupdate`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ;

--
-- Dumping data for table `sec_tblusers`
--

INSERT INTO `sec_tblusers` (`recid`, `payer_email`, `password`, `iv`, `signedup`, `signupdate`, `lastlogin`) VALUES
(5, 'someone@gmail.com', 'cRbeAWgN3 ', 316, 1, '0000-00-00 00:00:00', '2010-11-10 22:29:06'),
(6, 'someoneelse@gmail.com', 'cRbeAWgN3 ', 269, 1, '0000-00-00 00:00:00', '0000-00-00 00:00:00');

I suspect that there may be some other relevant code in the purchased software, and I could hunt that up if someone could tell me what to look for.

Anyway, I'm really in need of some help, or some advice.

Cheers, everyone.

2
Contributors
4
Replies
5
Views
7 Years
Discussion Span
Last Post by facarroll
0

Dumping data for table `sec_tblusers`

Is the data shown on that dump already encrypted? If yes, what code did you use to encode it? It would help to see the definition of DataLayer and Password Classes to see what methods they have available and what they are actually doing.

0

I have solved the problem. The password was encrypted before it arrived at the database, so the posted password had to be treated the same way.

Is the data shown on that dump already encrypted? If yes, what code did you use to encode it? It would help to see the definition of DataLayer and Password Classes to see what methods they have available and what they are actually doing.

0

for purposes of authenticating only, I would have:

$pwd=getpassword($_POST['email'],....);

//then compare that against the posted password:
if( md5($_POST['email']) == $pwd )
{
 //successful
}

I purchased some software recently ...

What software did you buy?

Edited by hielo: n/a

0

phpsecurearea from www.withinweb.com. About $US 70.

for purposes of authenticating only, I would have:

$pwd=getpassword($_POST['email'],....);

//then compare that against the posted password:
if( md5($_POST['email']) == $pwd )
{
 //successful
}

What software did you buy?

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.