Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
How to compare passwords in TXP?
If I take out the password from the database it has the form * BLA12BLA53BLA, but nothing to do with my password. And if I need to compare it with the password in the form, then what can I do?
Thanks in advance for ideas.
Last edited by skrishi (2011-03-21 22:12:12)
Offline
Re: How to compare passwords in TXP?
skrishi wrote:
If I take out the password from the database it has the form * BLA12BLA53BLA, but nothing to do with my password.
That has everything to do with your password. It is your password — in encrypted format.
And if I need to compare it with the password in the form, then what can I do?
Encrypt the sent value and compare that with the value stored in the database. You can encrypt the value using MySQLs password() function. For example:
/**
Extract in-coming form data, ie. $_POST['password'] and $_POST['name']
and secure the input for queries with doSlash().
*/
extract(
doSlash(
gpsa(
array(
'password',
'name'
)
)
)
);
/**
Check if there is matching row in the database
*/
if(
safe_count(
'txp_users',
"(pass=password('$password') or pass=password(lower('$password'))) and name='$name'"
) == 1
)
return 'Found a match';
Last edited by Gocom (2011-03-21 22:41:47)
Offline
Re: How to compare passwords in TXP?
Feed the password supplied in the form to the same hashing function TXP uses and then compare the result with what’s in the database.
I see you mentioning comparing it with the password in the form. Which form? If this is anything other than the TXP login screen, then please consider asking someone else to write the code required to do what you want. You do not want to expose passwords to anonymous visitors.
Offline
Re: How to compare passwords in TXP?
Gocom,
Yes, it works. Thank you.
Do I need to do extra checks on single or double quotes if I’m using secure the input for queries with doSlash ()?
Where can I find a description of the functions safe_count (), etc?
Ruud, I am compelled to write a plugin to change the password on the external side of the site (not the administrator side), as the existing plugins will not allow me to check the old password. This feature is in mem_self_registr, but it’s not working as it should, namely, it shows for some reason the window with the user’s choice. I tried to write Manfre, but two weeks later, he was silent. ing_password_protect very good plugin that I use, but it allows you to change your password, simply ing_user, but txp_user it does not work.
Unfortunately.
Sorry for my english
Offline
Re: How to compare passwords in TXP?
skrishi wrote:
Do I need to do extra checks on single or double quotes if I’m using secure the input for queries with doSlash ()?
For that situation, nope. doSlash() runs the values through mysql_real_escape_string().
Where can I find a description of the functions safe_count (), etc?
Pretty much by reading the source code. The source code is close to completely undocumented, but nonetheless that’s the main place you should look at. Database related function can be found from /lib/txplib_dp.php. The files that you should mainly concentrate are txplib_db.php, txplib_forms.php, txplib_html.php and txplib_misc.php.
Last edited by Gocom (2011-03-22 04:38:51)
Offline
Re: How to compare passwords in TXP?
Gocom wrote:
For that situation, nope. doSlash() runs the values through mysql_real_escape_string().
Pretty much by reading the source code. The source code is close to completely undocumented, but nonetheless that’s the main place you should look at. Database related function can be found from /lib/txplib_dp.php. The files that you should mainly concentrate are txplib_db.php, txplib_forms.php, txplib_html.php and txplib_misc.php.
Thank you.
Last edited by skrishi (2011-03-22 04:57:19)
Offline
Re: How to compare passwords in TXP?
I’d strongly urge you to not rely on any particular implementation of password hashes in Textpattern. These are subject to change at any time.
Textpattern core provides txp_validate, a function which accepts a plain-text password and verifies it against the user’s credentials.
Offline
Re: How to compare passwords in TXP?
wet wrote:
Textpattern core provides txp_validate, a function which accepts a plain-text password and verifies it against the user’s credentials.
The cons in that are that it resides in txp_auth.php, updates the last log-in time, which keeps the cookie valid for extended periods, and expects that the user has privs that gives an access to the backend.
Offline
Re: How to compare passwords in TXP?
Incidentally, in TXP is still used by the function password () .. if the next version of mysql again change the way password encryption difficulties arise, all users will have their Restores … is not it better to use for MD5 () and sh1 ().
Offline
Re: How to compare passwords in TXP?
skrishi wrote:
Incidentally, in TXP is still used by the function password () .. if the next version of mysql again change the way password encryption difficulties arise, all users will have their Restores … is not it better to use for MD5 () and sh1 ().
Dev branch uses phpass as of today.
Offline
Re: How to compare passwords in TXP?
Gocom wrote:
The cons in that are that it resides in txp_auth.php, updates the last log-in time, which keeps the cookie valid for extended periods, and expects that the user has privs that gives an access to the backend.
Thanks for the input. Change sets 3489 and 3490 address your concerns.
Offline
Re: How to compare passwords in TXP?
Offline