Solved

Replacing Password Functions/Process In oscommerce, With phpFox's

Posted on 2010-09-23
Last Modified: 2013-11-13
Hello,

I am trying to replace the password and verification functions/process of open source oscommerce ms2.2 with what's used in open source phpFox 2.05.

Overall objective is to be able to eventually import (more readily) oscommerce customers, into phpFox.

-------------------------------------------

The oscommerce code uses one table field for both password and salt: customers_password
The phpfox code uses two fields: password & password_salt

In all of the oscommerce files, I have replaced all instances of "customers_password" with "password", and added "password_salt" to the oscommerce database's "customers" TABLE (below).

The database's "customers" TABLE (originally):
drop table if exists customers;
create table customers (
  customers_id int(11) not null auto_increment,
  customers_gender char(1) not null ,
  customers_firstname varchar(32) not null ,
  customers_lastname varchar(32) not null ,
  customers_dob datetime default '0000-00-00 00:00:00' not null ,
  customers_email_address varchar(96) not null ,
  customers_default_address_id int(11) ,
  customers_telephone varchar(32) not null ,
  customers_fax varchar(32) ,
  customers_password varchar(40) not null ,
  customers_newsletter char(1) ,
  PRIMARY KEY (customers_id)
);



The database's "customers" TABLE now (modified):
drop table if exists customers;
create table customers (
  customers_id int(11) not null auto_increment,
  customers_gender char(1) not null ,
  customers_firstname varchar(32) not null ,
  customers_lastname varchar(32) not null ,
  customers_dob datetime default '0000-00-00 00:00:00' not null ,
  customers_email_address varchar(96) not null ,
  customers_default_address_id int(11) ,
  customers_telephone varchar(32) not null ,
  customers_fax varchar(32) ,
  password char(32) not null ,
  password_salt char(3) not null ,
  customers_newsletter char(1) ,
  PRIMARY KEY (customers_id)
);



Using this information (below) on how to import users into phpFox, which I got from http://wiki.phpfox.com/guide/V2/Importing_Users, I have been unsuccessful so far, and am looking for advice on what I might be doing incorrectly.
 
Information on importing users into phpFox:
-------------------------------------------
 
The field: password
holds a 32 character salted MD5 hashed version of user's password.
 
In order to get this value the following PHP code is used:
md5(md5($PASSWORD) . md5($SALT))



The variable: $PASSWORD
holds the user's password.
 
The variable: $SALT
holds a random set of characters.
 
The PHP function used is:
function getSalt($iTotal = 3)
{
 $sSalt = '';
 for ($i = 0; $i < $iTotal; $i++)
 {
  $sSalt .= chr(rand(33, 91));
 }
 return $sSalt;
}



For the field: password_salt
input the value for the salt created earlier and used in the MD5 hash.
 
-------------------------------------------

Using the above information, I replaced the original oscommerce function "tep_encrypt_password" code (found in: includes/functions/password_funcs.php)

ORIGINAL CODE:
  function tep_encrypt_password($plain) {
    $password = '';

    for ($i=0; $i<10; $i++) {
      $password .= tep_rand();
    }

    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }



REPLACED WITH:
  function tep_get_salt($iTotal = 3) {
	$salt = '';
	for ($i = 0; $i < $iTotal; $i++) {
	  $salt .= chr(rand(33, 91));
	}
	return $salt;
  }

  function tep_encrypt_password() {
    $password = '';

    for ($i=0; $i<9; $i++) {
      $password .= tep_rand();
    }

    $salt = tep_get_salt();

    $password = md5(md5($password) . md5($salt));

    return $password;
  }



-------------------------------------------

In the oscommerce file "create_account.php" I modified the "$sql_data_array", which is used to insert the newly created customer information:
ORIGINAL CODE:
      $sql_data_array = array('customers_firstname' => $firstname,
                              'customers_lastname' => $lastname,
                              'email' => $email_address,
                              'customers_telephone' => $telephone,
                              'customers_fax' => $fax,
                              'customers_newsletter' => $newsletter,
                              'password' => tep_encrypt_password($password));


MODIFIED TO:
      $sql_data_array = array('customers_firstname' => $firstname,
                              'customers_lastname' => $lastname,
                              'email' => $email_address,
                              'customers_telephone' => $telephone,
                              'customers_fax' => $fax,
                              'customers_newsletter' => $newsletter,
                              'password' => tep_encrypt_password($password),
                              'password_salt' => tep_get_salt($password_salt));



-------------------------------------------

Focusing for now on just creating the customer "password" & "password_salt" (not focusing on the verification function/process part):

When creating a new customer the "password_salt" field of the database's "customers" TABLE does not get populated. I have no idea even, if the password tep_encrypt_password function is using the tep_get_salt function correctly.

I don't even know if I am doing any part of this whole thing correctly?!

Can I get some help... please   =)
 create-account.php password-funcs.php
0
Question by:CTru
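
The hashing scheme described in the question, as an added example that is not part of the original post and is not osCommerce or phpFox code: it builds the password and password_salt values from a single salt, verifies them, and goes beyond the question by checking a legacy osCommerce hash so that a row can be converted at login. All function names are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example; function names are hypothetical, not osCommerce or phpFox code.

// Salt as in the quoted getSalt(): characters from ASCII 33..91. That range
// includes ' and ", so the value must go through the DB layer's escaping.
function example_salt(int $len = 3): string {
    $salt = '';
    for ($i = 0; $i < $len; $i++) {
        $salt .= chr(random_int(33, 91)); // random_int() swapped in for rand()
    }
    return $salt;
}

// phpFox-format hash from the quoted guide: md5(md5($PASSWORD) . md5($SALT)).
function example_phpfox_hash(string $plain, string $salt): string {
    return md5(md5($plain) . md5($salt));
}

// Build both columns from ONE salt. Generating a second salt for the
// password_salt column would store a value that never matches the hash.
function example_new_credentials(string $plain): array {
    $salt = example_salt();
    return ['password' => example_phpfox_hash($plain, $salt),
            'password_salt' => $salt];
}

// Check a login against the two stored columns, comparing in constant time.
function example_phpfox_verify(string $plain, string $hash, string $salt): bool {
    return hash_equals($hash, example_phpfox_hash($plain, $salt));
}

// Check a legacy osCommerce value: md5($salt . $plain) . ':' . $salt.
function example_osc_verify(string $plain, string $stored): bool {
    $parts = explode(':', $stored);
    return count($parts) === 2
        && hash_equals($parts[0], md5($parts[1] . $plain));
}

// Constructed sample row. The legacy hash cannot be converted offline; the
// plaintext seen at login is needed to compute the phpFox-format value.
$legacy = md5('a1' . 'correct horse') . ':' . 'a1';
if (example_osc_verify('correct horse', $legacy)) {
    $row = example_new_credentials('correct horse');
    var_dump(example_phpfox_verify('correct horse', $row['password'], $row['password_salt']));
    var_dump(example_phpfox_verify('wrong guess', $row['password'], $row['password_salt']));
}
```

MD5 with a three-character salt is cheap to brute-force; the format is reproduced here only because the quoted phpFox import guide specifies it.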
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 33752934
What's the question here?  Have you considered hiring a developer - it looks like a rather large project.

One thing that  might be helpful -- use var_dump() to visualize the data.  For example, var_dump($sql_data_array) might tell you something interesting.  If you echo "<pre>"; beforehand, it makes the var_dump() output easier to read.
0
 

Author Comment

by:CTru
ID: 33755516
I wanna be a developer Ray, not hire one! My janitor job suks!

Thanks for the var_dump() info. I'll try it, and see what it tells!
0
 

Author Comment

by:CTru
ID: 33759502

Hello Again,

var_dump() was great to be introduced to, however, it pretty much gave me the same information that I was getting by looking at the insert through phpMyAdmin Browse.

Your first sentence (question), was helpful too as it made me wonder even more than I had (What is... the question here?)   =) So, another thanks to you Ray!

I guess, to begin with, I was looking for help in understanding what to do with the information I got (about importing users into phpFox).

My wanna-be project has several parts to it, some which I am having trouble with clearly defining, never mind describing.

So I will focus on one part, and come up with a question!

Regards,

CT
0

Accepted Solution

by:
CTru earned 0 total points
ID: 33765305
Well... to put a lid on this...

I have been able to figure out my questions clearly, concerning this post, and as well, answer them.

I didn't understand to begin with how to use the "Information on importing users into phpFox". There were several questions around this.

As I began to figure out how to make use of the info, there became more questions around implementing.

Basically by staring at it and googling some of it; I was able to begin modifying by trial and error until the changes worked.

The part of my project is finished, now making it a bit more than a wanna-be project, and I, a way tiny bit more than a wanna-be developer!

Some of what I know now that I didn't:
- var_dump() function
- md5() itself is a function
- to get the function's return value, call the function

Now I have to get figured out how to start a session, and set a cookie or two for each application, from the other... more fun!

I realize that nothing found here will be of any use to anyone else, so my putting a lid on (so to speak) this post, is just me being me.

You get the points by default Ray, and because I do appreciate that you took the moments to have a look, and at least tried to respond some.

I am off to the cookies and sessions zones, if there even are such animals!

=)
0
 

Author Comment

by:CTru
ID: 33765327
I went to give you the points Ray, and the accept button appears to have disappeared!
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33771686
You can ask a moderator to reopen the question if you need to, but the close request is OK with me.  If you want to change that, use the "request attention" link near the top of the page.

Here is a good book that I think you would enjoy:
http://www.sitepoint.com/books/phpmysql4/

That book will answer many of your questions about PHP.

Here is everything you need to know about sessions (for starters)

Use session_start() at the top of every page.
http://us2.php.net/manual/en/function.session-start.php

Then you can use the $_SESSION array to store data that will persist from page to page of your web site.  Easy!

0
 

Author Comment

by:CTru
ID: 33771887
Well Hey Again Ray!

I am pretty sure that when closing the question I WAS able to give you the points.

I way appreciate the links and will, of course, have a look.

I posted another question already, concerning the sessions and cookies. I am hoping I was clearer with it!

When you have some moments, perhaps we can continue conversing some, there - or rather here: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_26501309.html?cid=543

Thanks again for your moments already.

Carlos
0
