Password Format: FrontEndUsers

pgoneill

Password Format: FrontEndUsers

Post by pgoneill »

Just curious why the FEU passwords in the database are stored as plaintext - varchar(255) - instead of being hashed or otherwise encrypted?
tsw
Power Poster
Posts: 1408
Joined: Tue Dec 13, 2005 10:50 pm
Location: Finland

Re: Password Format: FrontEndUsers

Post by tsw »

    mysql> SELECT * FROM cms_module_feusers_users;
    +----+----------+----------------------------------+---------------------+---------------------+
    | id | username | password                         | createdate          | expires             |
    +----+----------+----------------------------------+---------------------+---------------------+
    |  1 | asdf     | 6a204bd89f3c8348afd5c77c717a097a | 2006-11-01 20:09:48 | 2016-11-01 00:00:00 |
    +----+----------+----------------------------------+---------------------+---------------------+

looks like an MD5 hash to me
pgoneill

Re: Password Format: FrontEndUsers

Post by pgoneill »

Mine isn't....what in the world?  ???

Image

Some characters Photoshopped out by me.

Note: I have not touched the database, modified any code or anything like that.  All I've done is database backup/restores.
Last edited by pgoneill on Wed Nov 01, 2006 7:52 pm, edited 1 time in total.
tsw

Re: Password Format: FrontEndUsers

Post by tsw »

very strange.

    $query="INSERT INTO ".cms_db_prefix()."module_feusers_users (id,username,password,email) VALUES (?,?,?,?)";
    $params=array($newid,$newusername,md5($newpassword),$newemail);

which version are you running?

test php md5 function with a small script like this

pgoneill

Re: Password Format: FrontEndUsers

Post by pgoneill »

Yeah, that worked: 098f6bcd4621d373cade4e832627b4f6.

I'm running the latest versions: CMSMS 1.0.2 and FEU 1.1.1

The code you posted is exactly as it appears in the script on our site.
tsw

Re: Password Format: FrontEndUsers

Post by tsw »

really strange, I would put some debug statements on user creation code to see what's happening (maybe print the sql out before it gets executed)
pgoneill

Re: Password Format: FrontEndUsers

Post by pgoneill »

Is that function - function CreateNewUser($id) - what is used for all password change transactions?
tsw

Re: Password Format: FrontEndUsers

Post by tsw »

and SetUserPassword, SetUser, AddUser, ChangeUser...

but a quick check shows that md5 is used correctly everywhere...

actually a user with a plaintext password in the db shouldn't even be able to log in...
pgoneill

Re: Password Format: FrontEndUsers

Post by pgoneill »

Well, they can.  We've been having all sorts of password problems, though.  I posted a thread about it recently.

EDIT: Nvm, I'll look at SVN.

"really strange, I would put some debug statements on user creation code to see what's happening (maybe print the sql out before it gets executed)"

You're assuming I know how to do that.  I'll have to go find a programmer...
Last edited by pgoneill on Wed Nov 01, 2006 8:34 pm, edited 1 time in total.
tsw

Re: Password Format: FrontEndUsers

Post by tsw »

heh sorry,

actually I think if you set debug mode on it should show you the queries.

hope this helps
pgoneill

Re: Password Format: FrontEndUsers

Post by pgoneill »

OK.  This is exceptionally strange.

I was looking in the wrong database for passwords - in feusers_properties instead of feusers_users.  However, somehow, passwords were being replicated in the properties database.  One of our programmers and I tried to figure it out, but could not.

Any idea why a script somewhere might have been writing passwords to feusers_properties in fields titled "password" and "repeatpassword"??  ???

And any idea why the feusers database tables are in latin1_swedish_ci??

'scuse my language but somehow my database got f*cked.
Last edited by pgoneill on Wed Nov 01, 2006 10:08 pm, edited 1 time in total.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Password Format: FrontEndUsers

Post by calguy1000 »

aha.

I bet you created properties called 'password' and 'repeatpassword' when creating properties, even though it says on the property definition screen not to.... if you do that, then FEU will treat them like any regular property (there are no reserved words), it's just that the user editing forms will look weird.
pgoneill

Re: Password Format: FrontEndUsers

Post by pgoneill »

I didn't do that.  I wonder if someone else who has access did...time to change some permissions, it looks like.

The first group of front end users (the ones I created after creating properties) had no entries for those properties, so it wasn't me.

Thanks for all your help guys. :)
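
An audit for the situation diagnosed in this thread, added here as an example; it is not code from FrontEndUsers or from any of the posters. It checks whether stored password values have the 32-hex-character shape that md5() produces, and flags property rows titled like the 'password' and 'repeatpassword' properties discussed above. The row layouts, the column names (userid, title, data) and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example, not FrontEndUsers code. Row layouts and column names
// (userid, title, data) are assumptions made for illustration.

// Shape check only: md5() returns 32 hex characters. A value that does not
// match was not written by the md5($newpassword) path quoted in the thread.
// (A plaintext value that happens to be 32 hex characters would still pass.)
function looks_like_md5(string $value): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/i', $value) === 1;
}

// Usernames whose stored password is not in MD5-hex form.
function users_with_unhashed_passwords(array $userRows): array
{
    $flagged = [];
    foreach ($userRows as $row) {
        if (!looks_like_md5($row['password'])) {
            $flagged[] = $row['username'];
        }
    }
    return $flagged;
}

// Non-empty property rows whose title suggests a credential ('password',
// 'repeatpassword', ...). The stored value is never copied into the report.
function password_like_properties(array $propertyRows): array
{
    $flagged = [];
    foreach ($propertyRows as $row) {
        if (preg_match('/pass|pwd/i', $row['title']) === 1 && $row['data'] !== '') {
            $flagged[] = ['userid' => $row['userid'], 'title' => $row['title'],
                          'hashed' => looks_like_md5($row['data'])];
        }
    }
    return $flagged;
}

// Constructed sample rows; the hash is the value quoted earlier in the thread.
$users = [
    ['username' => 'alice', 'password' => '098f6bcd4621d373cade4e832627b4f6'],
    ['username' => 'bob',   'password' => 'constructed-plaintext'],
];
$properties = [
    ['userid' => 1, 'title' => 'city',           'data' => 'Exampletown'],
    ['userid' => 2, 'title' => 'password',       'data' => 'constructed-plaintext'],
    ['userid' => 2, 'title' => 'repeatpassword', 'data' => 'constructed-plaintext'],
];
print_r(users_with_unhashed_passwords($users));
print_r(password_like_properties($properties));
```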