I'm trying to integrate basic auth with a vBuletin site. The goal is limit my test site to beta-testers only; all of which would appear in a particular vB user group from the main site's database.
The problem is that vBulletin uses the following password has function in PHP:
$hash = md5 ( md5 ($password) + $salt )
The problem here is that two md5's are being done and the salt is dynamic (exists in the user.salt table);
My idea would be to give Auth_MySQL_Encryption_Types the name of a stored procedure (or just StoredProcedure and then have another param that takes the procedure name). This stored proc then takes the username and password (both properly escaped, of course) as it's inputs and returns the hash for comparison to the DB.
From what I've read of the docs, this isn't currently possible, nor is there anything that really does what I'm trying to achieve (but perhaps I'm missing some kind of trick).
Note: I'm trying to drive all of my auth from the main site's user DB rather than embed additional HTTP auth into the vB source files/templates on the test sites that I've got (as I routinely overwrite those based on the backups of the main site).
Anyone have any suggestions or is this more of an enhancement request?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi There,
I'm trying to integrate basic auth with a vBuletin site. The goal is limit my test site to beta-testers only; all of which would appear in a particular vB user group from the main site's database.
The problem is that vBulletin uses the following password has function in PHP:
$hash = md5 ( md5 ($password) + $salt )
The problem here is that two md5's are being done and the salt is dynamic (exists in the user.salt table);
My idea would be to give Auth_MySQL_Encryption_Types the name of a stored procedure (or just StoredProcedure and then have another param that takes the procedure name). This stored proc then takes the username and password (both properly escaped, of course) as it's inputs and returns the hash for comparison to the DB.
From what I've read of the docs, this isn't currently possible, nor is there anything that really does what I'm trying to achieve (but perhaps I'm missing some kind of trick).
Note: I'm trying to drive all of my auth from the main site's user DB rather than embed additional HTTP auth into the vB source files/templates on the test sites that I've got (as I routinely overwrite those based on the backups of the main site).
Anyone have any suggestions or is this more of an enhancement request?
If you don't have to maintain backwards compatibility with a bunch of hashed passwords then why not just change the PHP function that VB uses?
$hash = md5($password);
I'm using libapache2-mod-auth-mysql package on Debian Lenny which also has:
Auth_MySQL_Encryption_Types PHP_MD5
which will work with that.