0

I'm using phpfox with userplane webchat, and this function is to grab the sessionGuid from the database. The original function is: Function 1:

function get_current_online_session_login() {
    $oSrvSec = &App::getModuleService('Account', 'Security');
    $login = $oSrvSec->getCurrentUserLogin();
    // $login is concatenated straight into the WHERE clause with no escaping or parameter binding
    $aReq = getRow(App::getT('online_session'), 'online_session_user = "' . $login . '"');
//  return $aReq['online_session_login'];
    // returns the raw row id, e.g. 203, 204, ... for successive users
    return $aReq['online_session_id'];
}

And I made changes in it so it returns the salted hash, but Chat is not working and shows an error that you are not authorized to enter the chat. Here is what I changed in this code:

function get_current_online_session_login() {
    $oSrvSec = &App::getModuleService('Account', 'Security');
    $login = $oSrvSec->getCurrentUserLogin();
    // same unescaped concatenation of $login into the query as in the original
    $aReq = getRow(App::getT('online_session'), 'online_session_user = "' . $login . '"');
    $salt = 'waka_waka_shaka_laka_8342394';
//  return $aReq['online_session_login'];
    $umSar = $aReq['online_session_id'];
    // one-way hash of the raw id: nothing else in the file knows how to map this back to the row
    $saltedHash = md5($umSar . $salt);
    return $saltedHash;
}

This file has 2 functions for session_id, so I am not sure how to resolve this issue. Here is the 2nd session_id function: Function 2

function get_user_with_session_id($session_id) {
    // $session_id comes from the client and is interpolated into the query unescaped;
    // the lookup is by the raw online_session_id, not by any hash of it
    $session = getRow(App::getT('online_session'), "online_session_id = '$session_id'");
//  $session = getRow(App::getT('online_session'), "online_session_login = '$session_id'");
    $oSecurityService = &App::getModuleService('Account', 'Security');
    $user = $oSecurityService->getUserByName($session['online_session_user']);
    return isset($user) ? $user->aData['id'] : null;
}

Please, I need help. You can see that function 1 and function 2 are the original functions in my common.php file; they return the normal figures for session_id, and I want to return session_id as an md5 salted hash or base64. Thanks

user1790627
  • 5
  • 1
  • 5
  • 4
    It's not very clear what this code is supposed to do and how salted hashes are actually being used. – Ja͢ck Nov 01 '12 at 07:34
  • You should explain what you indend to do with this hash-value. Whether and how hashing and salting is appropriate, depends heavily on the usage of the resulting hash-value. – martinstoeckli Nov 01 '12 at 08:20
  • Hello, I have no idea about PHP and functions. I am just trying to make $sessionGUID more complicated for hackers. Actually I'm using phpfox with userplane webchat and this function grabs the sessionGuid for each user, for example: 203, 204, 205, 206, etc. Hackers can get any user's session_id easily, so I want to make it an md5 salted hash so no one can hack the chat. – user1790627 Nov 01 '12 at 14:37
  • The original function is: `function get_current_online_session_login() { $oSrvSec = &App::getModuleService('Account', 'Security'); $login = $oSrvSec->getCurrentUserLogin(); $aReq = getRow(App::getT('online_session'), 'online_session_user = "' . $login . '"'); // return $aReq['online_session_login']; return $aReq['online_session_id']; }` – user1790627 Nov 01 '12 at 14:38

3 Answers

0

You first have to check if the crypt() method has MD5 support, and then pass the string to encrypt as well as the salt, beginning with $1$. See crypt() on PHP.net.

if (CRYPT_MD5 == 1) {
    // $umSar is the raw online_session_id from the question; the salt is
    // "$1$" followed by 8 characters and a closing "$", 12 characters in total
    $saltedHash = crypt($umSar, '$1$waka_wak$');
}

Note that the salt must be 12 characters long for MD5.

Lukas_Skywalker
  • 2,053
  • 1
  • 16
  • 28
  • Please check my question again, I updated it. I'm using userplane webchat with phpfox and this function is to grab the session Guid, and I want the sessionGuid to be an md5 salted hash so it will be complicated for any hacker to hack the chat. – user1790627 Nov 01 '12 at 14:56
0

If you're thinking of decrypting the online-session-id you encrypted in function get_current_online_session_login(), that's not the purpose of md5 hashing.

If you want to encrypt/decrypt, you can use functions like mcrypt_decrypt, mcrypt_encrypt and base64_encode, base64_decode.

example answer: encrypt/decrypt password

we.mamat
  • 687
  • 11
  • 21
  • I updated my question. I want to give you some example code I saw in the WordPress userplane plugin that returns the md5 hash as sessionGuid: `public function get_current_session() { wp_get_current_user(); global $user_ID; // $secret = get_option('secret'); // return upl_common_user::get_encrypted($secret, $user_ID); return md5($user_ID); }` – user1790627 Nov 01 '12 at 14:51
  • And the other function in the same file: `public function get_user_by_session_id($session_id) { global $wpdb; $sql = "SELECT ID FROM " . $wpdb->users; $users = $wpdb->get_results($sql); foreach ($users as $user) { $sid = md5($user->ID); if($sid == $session_id) { return $user->ID; } } return null; // $secret = get_option('secret'); // return upl_common_user::get_decrypted($secret, $session_id); }` – user1790627 Nov 01 '12 at 14:54
  • I have 2 different functions in the common.php file for session, and I want to return the session as an md5 salted hash. Right now Userplane Chat is working and it returns the sessionGuid as some figures like 203, 204, 205, 206, and so on, different figures for different users. – user1790627 Nov 01 '12 at 16:22
  • Well, like I said, you have to change your encryption method. md5 can't be changed back into normal text unless you have something like a rainbow table. Change your md5 encryption into something else; the answer in the link I gave you has a quite powerful encryption/decryption method. – we.mamat Nov 02 '12 at 04:39
0

First you should understand what a session-id is for. Normally the server will not recognize that a user has already done some actions on a website; each request is like a new visit. To remember a user and his actions, the server stores them together with a random number, the session-id.

This session-id will be passed to the browser, and if the user e.g. presses a button, this session-id is handed back to the server. Now the server can look for the stored actions with this number and therefore will "remember" the user.

In your example you took the session-id, destroyed it with a one-way hash function, and passed it to the browser. When the browser hands back this invalid session-id, the server has no chance to find the stored actions with this invalid number.

That said, the session-id is only a number used to find the already stored information on the server again. It in no way improves security when you alter this number, because the browser will just send back what it gets, and the server has to recognize it, whether it previously encrypted/obfuscated it or not.

If your session-ids are predictable, like 203, 204, ..., then you should find the piece of code which generates such inappropriate numbers and modify this code so it produces "truly" random numbers.

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
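The following is an added example and is not code from the question, the answers, phpfox or userplane. It shows the point of the answer above in working PHP: a counter-based generator that produces the 203, 204, ... ids from the question, a CSPRNG-based generator next to it, a lookup that compares the id the browser hands back with the id the server stored (with bound parameters instead of the string concatenation in the question's getRow() calls), and what happens to that lookup when the id is md5'd on the way out. The function names are hypothetical, the table only borrows the column names from the question, and an in-memory SQLite database via PDO is assumed so it runs offline; the salt string is the one from the question.

```php
<?php
// Added example (not from the question, the answers, phpfox or userplane).
// Hypothetical function names; PDO + SQLite in memory assumed so this runs
// stand-alone with `php example.php`.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Same column names as the question's online_session table.
$db->exec('CREATE TABLE online_session (
    online_session_id   TEXT PRIMARY KEY,
    online_session_user TEXT NOT NULL
)');

// Weak: the next id is the previous one plus one. Whoever holds 204 can try
// 203 and 205 and land in other users' sessions.
function predictable_session_id(int &$counter): string
{
    return (string) ++$counter;
}

// Strong: 16 bytes from the operating system CSPRNG, hex encoded. With 2^128
// possible values, enumerating them is not a practical attack.
function random_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Bound parameters instead of concatenating $login into the SQL string.
function start_session(PDO $db, string $login, string $sessionId): void
{
    $stmt = $db->prepare(
        'INSERT INTO online_session (online_session_id, online_session_user) VALUES (:id, :user)'
    );
    $stmt->execute([':id' => $sessionId, ':user' => $login]);
}

// The lookup compares the id the browser hands back with the id the server
// stored, with no transform in between: the server must recognise what it issued.
function user_with_session_id(PDO $db, string $sessionId): ?string
{
    $stmt = $db->prepare(
        'SELECT online_session_user FROM online_session WHERE online_session_id = :id'
    );
    $stmt->execute([':id' => $sessionId]);
    $user = $stmt->fetchColumn();
    return $user === false ? null : $user;
}

// An attacker's enumeration in miniature: how many ids in a small numeric
// range resolve to a live session?
function enumerate_hits(PDO $db, int $from, int $to): int
{
    $hits = 0;
    for ($i = $from; $i <= $to; $i++) {
        if (user_with_session_id($db, (string) $i) !== null) {
            $hits++;
        }
    }
    return $hits;
}

// 1. Predictable ids: guessing 200..210 finds every live session.
$counter = 202;
start_session($db, 'alice', predictable_session_id($counter)); // 203
start_session($db, 'bob', predictable_session_id($counter));   // 204
printf("sessions found by guessing 200..210: %d\n", enumerate_hits($db, 200, 210));

// 2. Random id: the same guess range cannot reach it, but the browser that was
//    issued the token still resolves to its user.
$carolToken = random_session_id();
start_session($db, 'carol', $carolToken);
printf("carol's token: %s\n", $carolToken);
printf("sessions found by guessing 200..210 after carol joined: %d (only the two predictable ones)\n",
    enumerate_hits($db, 200, 210));
printf("lookup with the issued token: %s\n", user_with_session_id($db, $carolToken) ?? 'none');

// 3. The question's change: hashing the id on the way out hands the browser a
//    value the server never stored, so the lookup fails and the chat reports
//    the user as not authorized.
$hashedOnTheWayOut = md5($carolToken . 'waka_waka_shaka_laka_8342394');
printf("lookup with the md5'd token: %s\n", user_with_session_id($db, $hashedOnTheWayOut) ?? 'none');
```

This needs PHP 7 or later (for random_bytes() and the nullable return type) with the pdo_sqlite extension, which ships with most PHP builds. The design point is that unpredictability has to come from how the id is generated and stored; transforming it after the fact, as in step 3, only breaks the server's own lookup.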