Thanks Paul and Jesse,

I got it.. the php crypt() is the one to use.. in case anyone else is hacking 
in php, here's what I found to work:

$pwtype = the type as recorded in the encryption type field in the user table. 
$user_password = the password as recorded in the database.
$pw = the supplied pw.
$pwout = the resulting string to compare to the database value. 

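<?php
// Hash the supplied password the same way the stored one was hashed.
switch ($pwtype) {
        case "md5":
                // "$1$" + 8-character salt + "$" = first 12 characters of the stored hash
                $pwout = crypt($pw, substr($user_password, 0, 12));
                break;
        case "md5sum":
                $pwout = md5($pw);
                break;
        case "crypt":
                // traditional crypt(): the first 2 characters are the salt
                $pwout = crypt($pw, substr($user_password, 0, 2));
                break;
        default:
                // plaintext password
                $pwout = $pw;
}
// you can compare here to see if the supplied pw is correct:
if (hash_equals($user_password, $pwout)) {
        echo "Password is correct!";
} else {
        echo "Wrong password!";
}

?>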



On Wednesday 02 June 2004 02:40 pm, Jesse Norell wrote:
> Sorry, I didn't think that through much - you're using php, not
> hacking dbmail.  :)  Just use php's crypt() function.  It will
> support md5 hashes if the host OS does (and the CRYPT_MD5 constant
> is set if that's the case).
>
>
> ---- Original Message ----
> From: Jesse Norell <dbmail-dev@dbmail.org>
> To: dbmail-dev@dbmail.org
> Subject: Re: [Dbmail-dev] crypt pw comparison.
> Sent: Wed,  2 Jun 2004 15:36:01 -0600 (MDT)
>
> > php's (and perl's) md5() is just an md5 digest - in dbmail,
> > look for a makemd5() function and you're set.
> >
> >
> > ---- Original Message ----
> > From: Micah <dbmail-dev@dbmail.org>
> > To: Jesse Norell <[EMAIL PROTECTED]>, DBMAIL Developers Mailinglist
> > <dbmail-dev@dbmail.org>
> > Subject: Re: [Dbmail-dev] crypt pw comparison.
> > Sent: Wed, 2 Jun 2004 14:22:52 -0700
> >
> > > Okay. Thanks, now I have to figure out how to convert the hex string
> > > that the php md5() function returns into something that I can compare
> > > with. I have a funny feeling I'm going to end up writing my own md5
> > > routine.
> > >
> > > -Micah
> > >
> > > On Wednesday 02 June 2004 02:00 pm, Jesse Norell wrote:
> > > > > Yet, the auth function in mysqlauth.c uses the password as the
> > > > > salt:
> > > > >
> > > > > -- snip --
> > > > > > else if ( strcasecmp(__auth_row[2], "crypt") == 0)
> > > > > >     {
> > > > > >       trace (TRACE_DEBUG,"auth_validate(): validating using crypt() encryption");
> > > > > >       is_validated = (strcmp( (const char *) crypt(password, __auth_row[1]), __auth_row[1]) == 0) ? 1 : 0;
> > > > > >     }
> > > > > -- snip --
> > > > >
> > > > > or am I misreading this?
> > > >
> > > >   Nope, that's indeed how it works.  The same thing works with md5
> > > > hash passwords, as the first 8 chars are the salt (and the same
> > > > crypt() function handles them both).
> > > >
> > > >
> > > > --
> > > > Jesse Norell
> > > >
> > > > [EMAIL PROTECTED] is not my email address;
> > > > change "administrator" to my first name.
> > > > --
> > > >
> > > > _______________________________________________
> > > > Dbmail-dev mailing list
> > > > Dbmail-dev@dbmail.org
> > > > http://twister.fastxs.net/mailman/listinfo/dbmail-dev
> > >
> >
> > -- End Original Message --
> >
> >
> > --
> > Jesse Norell
> >
> > [EMAIL PROTECTED] is not my email address;
> > change "administrator" to my first name.
> > --
> >
>
> -- End Original Message --
>
>
> --
> Jesse Norell
>
> [EMAIL PROTECTED] is not my email address;
> change "administrator" to my first name.
> --
>
> _______________________________________________
> Dbmail-dev mailing list
> Dbmail-dev@dbmail.org
> http://twister.fastxs.net/mailman/listinfo/dbmail-dev
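
The check Jesse describes in the thread above (the stored hash doubles as the salt for crypt()), as an added PHP example that is not part of the original messages or dbmail's own code. The function name verify_dbmail_password() and the sample password are assumptions made for illustration; the type names come from the switch statement in the message.

```php
<?php
// Added example: verify_dbmail_password() is a hypothetical helper name.
function verify_dbmail_password(string $pwtype, string $stored, string $supplied): bool
{
    switch (strtolower($pwtype)) {
        case 'md5':    // "$1$<salt>$<hash>", needs CRYPT_MD5 support
        case 'crypt':  // traditional crypt(), 2-character salt
            // crypt() reads only the salt portion of its second argument,
            // so the stored hash itself can be passed as the salt.
            $computed = crypt($supplied, $stored);
            // On failure crypt() returns a marker shorter than 13 characters;
            // reject it so a malformed stored value can never match.
            if (strlen($computed) < 13) {
                return false;
            }
            break;
        case 'md5sum': // unsalted hex MD5 digest
            $computed = md5($supplied);
            break;
        default:       // password stored as plaintext
            $computed = $supplied;
    }
    // Constant-time comparison against the database value.
    return hash_equals($stored, $computed);
}

// Constructed sample rows: the hashes are generated here, not taken from a real database.
$rows = [
    ['md5',    crypt('s3cret', '$1$abcdefgh$')],
    ['crypt',  crypt('s3cret', 'ab')],
    ['md5sum', md5('s3cret')],
    ['',       's3cret'],
];
foreach ($rows as [$type, $stored]) {
    printf(
        "%-7s good=%s bad=%s\n",
        $type === '' ? '(plain)' : $type,
        var_export(verify_dbmail_password($type, $stored, 's3cret'), true),
        var_export(verify_dbmail_password($type, $stored, 'wrong'), true)
    );
}
```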
