Comments
HELP: Moving MD5 encryption from 1 field to another
Written By Sebastiano on Oct. 13, 2007.
7 Comments
Report Note
+ Clip This
HI,
Okay here is what i want to do.
I'm running Joomla & Wordpress Multi on a server, now there is no script to let the joomla user create automatically an account with the WP installation, therefor I've written a little script, to match users from the joomla user_table to the wordpress usertable, if the user does not exist, then he will be added to the wordpress table...
Now everything is working ok, except for the password field.
I can extract the md5 hash correcty, but when i try to fill the wordpress password field the md5 is being altered... any idea how to fix this?
basically i can pull it out right , putting it back somewhere else isn't working.
Hope someone can help with this...
Ty,
Sebastiano ^-^
Oli
Written Oct. 13, 2007 / Report /
So you're using joomla to work off a WP user database?
I'm pretty sure this is a case of salting. Salt is added data thrown in with data before you hash it up. That way if people do get the hash, it's harder for tem to figure out what it might be.
You'll need to have a look at the login code for WP to see how things are salted.
Oli
Written Oct. 13, 2007 / Report /
Oh. No. No I'm confused. You're trying to sync up two user tables?
Hmm not sure that makes any difference actually... I think you've just got two different salting algorithms.
If you're allowing sign-ups from both places, you're going to need to alter the process to use just one salting schema and do the same with the login process.
If you don't have much data to migrate at the moment, I think the easiest route would be to just link the two sign-up process together... so when I sign up on the joomla install, that calls the WP sign-up code and when I sign up on WP, it calls the joomla's sign up code. Considerably less hacking around but that doesn't help existing users.
Sebastiano
Written Oct. 13, 2007 / Report /
hmm, actually I don't think that is the problem . the weird thing is, if I take a value from a field, and drop it into another field, why is the value being changed?
here is a piece of the code:
$stmt_j = "SELECT * FROM ".$table_joomla." ";
$ret_j = mysql_query($stmt_j)or die("Could not successfully run query ($stmt_j) from DB: " . mysql_error()) ;
while ($row = mysql_fetch_array($ret_j)) {
$username = $row["username"];
$password = $row["password"];
$email = $row["email"];
$registerDate = $row["registerDate"];
$stmt_w = "SELECT * FROM ".$table_wp." WHERE user_login = '".$row["username"]."' ";
$ret_w = mysql_query($stmt_w)or die("Could not successfully run query ($stmt_w) from DB: " . mysql_error()) ;
if (mysql_num_rows($ret_w) == 0) {
$stmt_insert = "INSERT INTO ".$table_wp."
SET user_login = '$username',
user_pass = '$password',
user_email = '$email',
user_registered = '$registerDate' ";
$ret_insert = mysql_query($stmt_insert)or die("Could not successfully run query ($stmt_insert) from DB: " . mysql_error()) ;
}
}
You would expect that both password fields would match now, but this is not the case...
Oli
Written Oct. 13, 2007 / Report /
Ok do a small experiment for me.
Insert a row into each database's user table with a password like "pie". Then pull back each row and see what the password is. There might be some trigger set up to encrypt input at database level.
If that's the case, it's trying to reencrypt a md5 hash. You should be able to break that (in a good way) so you can import the data across and then turn it back on and implement it so it creates an account on each system when a new user signs up (a much cleaner method than playing catch-up).
Sebastiano
Written Oct. 13, 2007 / Report /
hmm, oli thanks for the help , there was actually a problem with the script.
You where right about the salting, joomla is all over it... (I hate that)..
and WP seems to double md5 hash the passwords ? hmm well this is going to take all night, for me it is the first time to work with joomla & wordpress, I am used to homebrewed scripts, phpwebthings and phpnuke(eeww).... and I haven't coded anything at all last 2 months, so it is a little complex...
after 1 hour of searching in the wp files i finally found where the actual piece of code is where we validate user login.. now i'm going to try to implent the salting technique joomla is using...
oniTony
Written Oct. 13, 2007 / Report /
Salting is good because you can't trust the user to actually use a strong password. It's also good in terms that when someone is working on the database (helping you out, or otherwise) -- they don't have the passwords in plaintext, and it's so much more difficult to crack.
Though you are right - all of that does seriously get in the way if you try to merge two different encryption implementations.
Sebastiano
Written Oct. 13, 2007 / Report /
okay have it almoust working now, anyway here is the hash.salt work around...
$form_password = the value you send with the form.
$storedPassword = the value in the database
list( $pass, $salt ) = explode( ":", $storedPassword );
$form_password = md5( $form_password . $salt );
$form_password = $form_password .":".$salt;
now $form_password is equal to $storedPassword and all should work perfectly ! i hope