MD5 authentication

 

 


Lionel
User

Feb 28, 2003, 2:47 PM

Post #1 of 7 (3469 views)
MD5 authentication

I am using a Perl script that has various routines pointing to a file named sub logonsub. As I am consolidating all authentication on my site, I'd like to change that and replace it with Digest::MD5 and connect to a database.

The code for the sublogon using crypt is

sub logonsub {my($p)=$INPUT{p};if((!$p) && $PROCESS{p}){$p=$PROCESS{p}; }
$p=($p)?$p:'primary'; if($p eq 'smsub'){$p='sm';} if($p eq 'iconfigsub'){$p='iconfig';}
if(!$INPUT{password}){$ecode="$tranup59";pbox($p);exit;}
else{if(!$px){$px=crypt($INPUT{password},$kx);@tt=use_this_file('>>',"$my_base_loc$cfgfile",'',"px\|$px\n");}
else{if((crypt($INPUT{password},$kx) ne $px) && !($INPUT{password}=~/^[1-9]$kx/) && (crypt($INPUT{password},$kx) ne $ori_ha{'px'})){$ecode="$tranup60";pbox($p);exit;} }
$leg=$INPUT{leg}=crypt($ENV{REMOTE_ADDR},$kx);$t_msg="$tranup61";&$p;} }




All I want is something like:

#!/usr/local/bin/perl
use DBI();
use Digest::MD5 qw(md5 md5_hex md5_base64);
$db = DBI->connect("DBI:mysql:server=localhost", username, password);
$query = $db->prepare("SELECT username, password FROM users");
$query->execute;


and if authenticated do what it's supposed to do.

Can anyone help me on that? Help would be greatly appreciated.

and this is the current sub to create the login box:

sub pboxsub(;$) {my($p)=@_;if((!$p) && $PROCESS{p}){$p=$PROCESS{p}; }if((!$p) && $INPUT{p}){$p=$INPUT{p}; } $p=($p)?$p:'primary';
my $vtag="";if($tm){$vtag.=qq~&tm=$tm~;}if($si){$vtag.=qq~&si=$si~;}
if($PROCESS{domode}){$vtag.="&domode=$PROCESS{domode}";}
if($PROCESS{try}){$vtag.="&try=$PROCESS{try}";}
my $etag=($emode)?'&emode=y':'';
my $ltag=($pageID)?"&pa=$pageID":' ';$ltag.=($subID)?"&su=$subID":'';
my($ts,$tr)=tbits('',3);my($ts,$tr2)=tbits('',3,'','right');
my $td1=td(400,40);my $td2=td(400,25,'ffcc00');my $td3=td(400,18,'','','11px');
my $ipn1=ipn(password,password);my $ipb=ipb();
$ecode=($ecode)?qq~$tr$td3<span style="color:#ff0000;"><b>$tranup68</b><br>$ecode</td></tr>~:'';
print qq~<html>\n<head>\n<title>$tranup69</title>\n</head><body bgcolor="#000066">
<form name="ft" method="post" action="$my_http?logon=1$vtag$etag$ltag">\n<input type="hidden" name="p" value="$p">\n
<div align="center"><table width="400" border="1" cellspacing="5" cellpadding="5" bgcolor="#CCCCCC">
<tr>
<td bgcolor=#FFCC00>\n$ts$tr$td1
<a href="$my_http?pbox2=y$vtag$etag$ltag&p=$p">$tranup70</a><br><br>
</td></tr>\n$tr$td2<b>$tranup71</b></td></tr>\n
$tr$td3 $tranup72</td></tr>$ecode$tr$td2<b>$tranup73</b></td></tr>
$td3$ipn1</td></tr>
$tr2$td2$ipb</td></tr>
</table></td>
</tr>
</table></form></div></body></html>~;
if($newpub){apub(1);} if($PROCESS{up}){apub(3,$pageID,$subID);}
exit;
}



(This post was edited by Lionel on Feb 28, 2003, 3:08 PM)


dlo_itools
Staff


Feb 28, 2003, 5:26 PM

Post #2 of 7 (3455 views)
Re: [Lionel] MD5 authentication

Based on the well-packed and commentless original code, here is a guess at what integrating MD5 into logonsub might look like. It assumes that your input form contains username and password fields.


Code
sub logonsub {
    my($p)=$INPUT{p};
    if((!$p) && $PROCESS{p}){
        $p=$PROCESS{p};
    }
    $p=($p)?$p:'primary';
    if($p eq 'smsub') {$p='sm';}
    if($p eq 'iconfigsub') {$p='iconfig';}
    if(!$INPUT{password}){
        $ecode="$tranup59";
        pbox($p);
        exit;
    } else {
        use DBI();
        use Digest::MD5 qw(md5 md5_hex md5_base64);
        $db = DBI->connect("DBI:mysql:server=localhost", username, password);
        $query = $db->prepare("SELECT username, password FROM users WHERE username = $INPUT{username} AND password = $INPUT{password}");
        $query->execute;
        if (($name,$password) = $query->fetchrow_array) {
            $leg=$INPUT{leg}=crypt($ENV{REMOTE_ADDR},$kx);
            $t_msg="$tranup61";
            &$p;
        } else {
            $ecode="$tranup60";
            pbox($p);
            exit;
        }
    }
}

It's probably more involved than just that, but hopefully that can get things started (at least you'll know what doesn't work...)
/Dave Lo


Lionel
User

Feb 28, 2003, 5:36 PM

Post #3 of 7 (3452 views)
Re: [dlo] MD5 authentication

Thanks a million. Sorry about the 'lack of comments'. That's all there was. If this thing works, you'll have made my year!


Lionel
User

Feb 28, 2003, 6:16 PM

Post #4 of 7 (3448 views)
good and puzzling news

That actually opened a page, no error messages, but a white page. But I am puzzled. The correct routine opens up the page

/sitesel.pl?logon=1&tm=userselect&si=haitiwebs&pa=1&su=1

and your code...

/sitesel.pl?logon=1&tm=userselect&si=haitiwebs&pa=1&su=1

exactly the same link!!! But blank.


Lionel
User

Feb 28, 2003, 6:30 PM

Post #5 of 7 (3447 views)
Re: [Lionel] good and puzzling news

I think I know where the problem is. There is no input for username. If you look at the link in the above post, the username is represented by si (site id) and the normal input box that I am using displays only the password. Therefore, mysql got no parameters to query.

I tried replacing

SELECT username, password FROM user WHERE username = $INPUT{username} AND password = $INPUT{password}");

with

SELECT password FROM user WHERE username = $si AND password = $INPUT{password}");

Still the same result.


dlo_itools
Staff


Mar 5, 2003, 9:44 AM

Post #6 of 7 (3421 views)
Re: [Lionel] good and puzzling news

Hi Lionel,

Your changes to the SELECT statement look correct. So this points to several possible suspects:

* The select statement is failing. Try putting quotes around the values for username and password


Code
 $query = $db->prepare("SELECT username, password FROM users  
WHERE username = '$si' AND password = '$INPUT{password}'");

* Is the $si and $INPUT{password} combination found in the database? Try printing some status messages to see what happens after the name/password lookup.


Code
print "content-type: text/html\n\n";
if (($name,$password) = $query->fetchrow_array) {
    print "$name/$password found!<br>\n";
    $leg=$INPUT{leg}=crypt($ENV{REMOTE_ADDR},$kx);
    $t_msg="$tranup61";
    &$p;
} else {
    print "$name/$password not found!<br>\n";
    print "error is " . $query->errstr . "<br>\n";
    $ecode="$tranup60";
    pbox($p);
    exit;
}

* The original code contained the following which I thought only handled creating the encrypted password and logging the attempt. But perhaps the use_this_file routine also has other important side effects. Try adding those lines before the line &$p;


Code
### add this code 
$px=crypt($INPUT{password},$kx);
@tt=use_this_file('>>',"$my_base_loc$cfgfile",'',"px\|$px\n");
###
&$p;

I hope this helps.
/Dave Lo
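
An added example, not part of either poster's code or the original script: the lookup discussed in this thread written with DBI `?` placeholders and a Digest::MD5 comparison, so form values are never interpolated into the SQL text and the stored column holds a digest rather than the plaintext password. It assumes DBD::SQLite is installed and uses an in-memory table as a constructed stand-in for the MySQL `users` table; `check_login` is a hypothetical helper name and the sample account is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use Digest::MD5 qw(md5_hex);

# Constructed stand-in for the thread's MySQL "users" table (in-memory SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');

# Store the MD5 hex digest, never the plaintext (constructed sample account).
$dbh->do('INSERT INTO users (username, password) VALUES (?, ?)',
         undef, 'haitiwebs', md5_hex("it's-a-secret"));

# Hypothetical helper: returns 1 if the site id / password pair matches, else 0.
sub check_login {
    my ($dbh, $site_id, $password) = @_;
    return 0 unless defined $site_id && defined $password && length $password;

    # The ? placeholder binds the value as data, so a quote character in the
    # input cannot change the statement and no manual quoting is needed.
    my $sth = $dbh->prepare('SELECT password FROM users WHERE username = ?');
    $sth->execute($site_id);
    my ($stored) = $sth->fetchrow_array;
    $sth->finish;

    # Unknown user: fail the same way as a wrong password.
    return 0 unless defined $stored;

    # Compare the digest of the submitted password with the stored digest.
    return md5_hex($password) eq $stored ? 1 : 0;
}

# Constructed inputs, including values that contain an apostrophe.
for my $try (["haitiwebs", "it's-a-secret"],
             ["haitiwebs", "wrong"],
             ["no'such",   "it's-a-secret"]) {
    my ($user, $pass) = @$try;
    printf "%-10s %-15s %s\n", $user, $pass,
        check_login($dbh, $user, $pass) ? 'accepted' : 'rejected';
}
```

Unsalted MD5 appears here only because the thread asks for Digest::MD5; a salted, deliberately slow password hash is the stronger choice for stored passwords.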


Lionel
User

Mar 13, 2003, 9:30 PM

Post #7 of 7 (3383 views)
Re: [dlo] good and puzzling news

Thanks, Dave. It was easier to just bypass this function and read the info directly from my member database.

 
 
 

