md5 issues

okay, I recently completed a CMS integration, and everything is aligned perfectly except one thing… The main platform is storing the password data using md5 hashing. Which is cool. However, when it stores the userdata for the second CMS the password is double hashing. Is there anything I can do here?!? Everything is so close to working correctly and I am learning a lot about PHP but I have not learned the security process.
In my code is there anything I can add to the MD5 ({$password}), for instance a -md5 ({$password}) or a (md5(md5({$password})) that would rectify the problem I am having. My php books, do not cover this very well and I have been googling madly!!! until I am out of ideas.
Also, I know that I could just change the way the script queries the database for that CMS, but I do not know how to make a call to another table in a query… Here’s the script…

if( ( isset($HTTP_POST_VARS[‘login’]) || isset($HTTP_GET_VARS[‘login’]) ) && (!$userdata[‘session_logged_in’] || isset($HTTP_POST_VARS[‘admin’])) )
$username = isset($HTTP_POST_VARS[‘username’]) ? phpbb_clean_username($HTTP_POST_VARS[‘username’]) : ‘’;
$password = isset($HTTP_POST_VARS[‘password’]) ? $HTTP_POST_VARS[‘password’] : ‘’;

	$sql = "SELECT user_id, username, user_password, user_active, user_level, user_login_tries, user_last_login_try
		WHERE username = '" . str_replace("\'", "''", $username) . "'";
	if ( !($result = $db->sql_query($sql)) )
		message_die(GENERAL_ERROR, 'Error in obtaining userdata', '', __LINE__, __FILE__, $sql);

What in this code would I need to change in order to have the password be read from the same database, only a table called,“Profiles” and the field is ,“Password”.

Thanks in advance!

MD5 is a hashing algorythm, meaning that information is lost. This implies that there is no such thing as ‘un-MD5-ing’ an MD5-ed value. What you can do is to carefully examine where passwords are being hashed, and take out the one that’s double-hashing them. Be careful with this, as you don’t want to take out the one that hashes them in the first place. Unhashed passwords in your database is not preferable.

Sponsor our Newsletter | Privacy Policy | Terms of Service