About phpBB3 passwords..



DarkScythe
Member

Sun Aug 12, 2007 2:56 pm   Post subject: About phpBB3 passwords..
Hello again,

I apologize if this is the incorrect forum to ask this, however the other support forum was for phpBB2 only.. I received a wealth of help last time I was working with phpBB2, and I managed to get everything done, but now that phpBB3 is at RC4, I figured I might poke around and get familiarized with it so that it would be easier to upgrade when a stable version came out.

The first thing I noticed was that phpBB3's database table for passwords was varchar(40), and figured phpBB3 would support SHA1 hashes natively. Unfortunately, it did not appear to be the case and I could not find any option to switch between MD5 and SHA1, so I think it will have to be hacked again.. I also noticed there is no longer an equivalent file to phpbb2's login.php, so I'm having trouble tracking down how phpbb3 goes about its business there.

I think I tracked down an auth_db.php file in the /auth folder that seems to handle authenticating everything, but I can't be sure.. Are there any other places that authenticate the user/handle password hashing, or does a change here effectively change the hash method across the entire board?

Thanks in advance
 

Thoul
Administrator

Tue Aug 14, 2007 5:43 pm   Post subject: Re: About phpBB3 passwords..
To be honest, I haven't looked at this aspect of phpBB 3 very much. I know that the equivalent of phpBB 2's login.php is the login_box function in includes/functions.php. The actual act of logging in or out is handled by the includes/auth/ files. As far as I am aware, they handle all the authentication. includes/auth.php is used sometimes, but I think that is only for permissions.

To the best of my knowledge, phpBB still only uses md5() on the passwords, so you will need a hack again. There are md5() calls in includes/ucp/ucp_register.php, ucp_profile.php, and acp/acp_users.php for storing the password. You'd need to change those as well.
 

DarkScythe
Member

Tue Aug 14, 2007 8:45 pm   Post subject: Re: About phpBB3 passwords..
Yes, thank you for the reply. It seems to confirm what I found as well, I just thought login_box might've been something else and I was overlooking a login process similar to phpBB2.

I'll have to reconstruct everything I did in the post on these phpbb2 support forums a while back lol, so I can upgrade to phpbb3.

I haven't dug very deep yet, but as far as user registrations are concerned, are there any new key pieces of information phpBB3 requires that phpBB2 didn't? (I only know of username, password, email, joindate, IP address, user_id and group_id being required for registering a user 'manually' in phpbb2.)
 

Thoul
Administrator

Tue Aug 14, 2007 9:37 pm   Post subject: Re: About phpBB3 passwords..
There's also a user_type field that is required. phpBB 3 has an add_user() function in includes/functions_user.php that you may be able to use for creating the registration. Again, I haven't looked at this too closely, but using that may save you some time.

Quote:

I'll have to reconstruct everything I did in the post on these phpbb2 support forums a while back lol, so I can upgrade to phpbb3.


Yeah, that's the worst thing about phpBB 3. Everything has to be totally recreated. That's going to delay my upgrades for a long, long time.
 

DarkScythe
Member

Sun Aug 19, 2007 5:36 pm   Post subject: Re: About phpBB3 passwords..
Well, that sucked.

I'm not sure if I'm missing it or not, but the login_box() function doesn't have any indication of using MD5 anywhere in it, which means it's pulling its information from elsewhere.. This we already know, and I found some mentions of MD5 in the auth files which I changed to SHA1, but that didn't work. login_box() refers to another login() function which refers to a user_add() function but neither of those mentions MD5 either. There's also a request_var() that pulls up the required info but no mention of MD5 there either.

Maybe a post on their forums might help a bit.
 
