1

I am trying to combine my chat application login with my MediaWiki login. The chat application has an odd way of authenticating and I have modded it to work with a DB.

I am trying to match the password that the user inputs in the chat login with the one stored in the MediaWiki user table, but I cannot figure out how MediaWiki hashes its passwords. I do know that I am using the default salted hashing. Does anyone have a function that can recreate this?

I have tried:

```php
hash('md5', $password);
```

but there is more to it that I cannot figure out.

Nemo
arrowill12

2 Answers

1

If this wiki page is to be believed, to verify a password against the stored database value, you could do this:

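```php
// Stored value is ":A:<hash>" or ":B:<salt>:<hash>"; pad to four parts so
// the three-part type A value does not leave $hash undefined.
list($dummy, $type, $salt, $hash) = array_pad(explode(':', $db_password), 4, null);

$pwd_hash = md5($user_password);
if ($type == 'B' && md5("$salt-$pwd_hash") === $hash) {
    // yay success, type B
} elseif ($type == 'A' && $salt === $pwd_hash) {
    // yay success, type A (for type A the third field is the hash itself)
} else {
    // password is wrong or stored password is in an unknown format
}
```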

Assuming $db_password is the database value and $user_password is the supplied password to verify against.

Ja͢ck
1

This is all straight off the top of my head, but:

```php
<?php
//let's pretend these were entered by the user trying to authenticate
$username = 'ted';
$password = 'password';

//PDO-like syntax. I wrote my own class around it and I don't remember how to do it raw.
$query = "SELECT pw_hash FROM user_table WHERE username = ?";
$rs = $dbh->doQuery($query, array($username));
if( count($rs) == 0 ) { throw new Exception('no user'); }

//will be either
//:A:5f4dcc3b5aa765d61d8327deb882cf99
//:B:838c83e1:e4ab7024509eef084cdabd03d8b2972c

$parts = explode(':', $rs[0]['pw_hash']);
print_r($parts); //$parts[0] will be blank because of leading ':'

switch($parts[1]) {
    case 'A':
        $given_hash = md5($password);
        $stored_hash = $parts[2];
        break;
    case 'B':
        //type B is md5(salt . '-' . md5(password)); the '-' separator is required
        $given_hash = md5($parts[2] . '-' . md5($password));
        $stored_hash = $parts[3];
        break;
    default:
        throw new Exception('Unknown hash type');
        break;
}

if( $given_hash === $stored_hash) {
    echo "login was successful.";
} else {
    echo "login failed.";
}
```

Props to Jack's comment on the question with this link to mediawiki docs.

Sammitch
  • This is very helpful; I am attempting to implement it now. The password is stored as a 'tiny blob' in the DB. When I query for it, will it get the hash or some binary? – arrowill12 Nov 16 '12 at 20:12
  • Beats me. Try a `var_dump()` on the result set and [try this](http://stackoverflow.com/questions/948174/how-do-i-convert-from-blob-to-text-in-mysql) to convert, if necessary. – Sammitch Nov 16 '12 at 21:10
  • I just `echo` the results and they are normal. Thanks for your help. – arrowill12 Nov 16 '12 at 22:10
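
A compact verifier for the two stored formats discussed in both answers, as an added example that is not part of either answer: it parses the stored value strictly, compares digests with `hash_equals()` so the check runs in constant time, and returns `null` for any other format so the caller can fail closed. The function name `mw_verify_legacy` and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example (not from the answers above). mw_verify_legacy() is a
// hypothetical helper name; it covers only the ":A:" and ":B:" formats
// described on this page.

/**
 * Check a password against a MediaWiki ":A:" or ":B:" stored value.
 *
 * @return bool|null true/false for a recognised format, null when the
 *                   stored value is malformed or uses another scheme.
 */
function mw_verify_legacy(string $stored, string $password): ?bool
{
    $pwdHash = md5($password);

    // Type A: ":A:" followed by md5(password)
    if (preg_match('/^:A:([0-9a-f]{32})$/D', $stored, $m)) {
        return hash_equals($m[1], $pwdHash);
    }

    // Type B: ":B:<salt>:" followed by md5(salt . '-' . md5(password))
    if (preg_match('/^:B:([^:]+):([0-9a-f]{32})$/D', $stored, $m)) {
        return hash_equals($m[2], md5($m[1] . '-' . $pwdHash));
    }

    return null; // not a value this function knows how to check
}

// Constructed sample rows: the stored values are computed here rather than
// copied from a real user table.
$salt = '838c83e1';
$rows = [
    'type A'    => ':A:' . md5('password'),
    'type B'    => ':B:' . $salt . ':' . md5($salt . '-' . md5('password')),
    'truncated' => ':B:' . $salt,
    'other'     => ':X:not-a-known-format',
];

foreach ($rows as $label => $stored) {
    foreach (['password', 'wrong guess'] as $attempt) {
        $result = mw_verify_legacy($stored, $attempt);
        // Treat null exactly like false when deciding whether to log the user in.
        printf("%-10s %-12s %s\n", $label, $attempt, var_export($result, true));
    }
}
```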