1

I am using SMF. In SMF, passwords are saved in MySQL like:

```php
sha1($username . $password);
```

Some of the hashes work fine, but other hashes which include special chars like "öüşığ", spaces, etc. do not match.

For example "aksak temüraga" should be converted to sha1 as "4b4eb0eed79356eb56eb9058e6dea20d71e48e3c" but it is converted to sha1 as "c4aa8328bf5ec76cfc0416fd7ec40f8dea7f3d62"

Sezer Toker
  • 1
    most likely an encoding problem. – Funk Forty Niner Aug 12 '16 at 12:31
  • To be clear, I am trying to make an external login for my forum, but I guess I failed with special chars. – Sezer Toker Aug 12 '16 at 12:32
  • Consult [How to support UTF-8 completely in a web application](http://stackoverflow.com/questions/279170/how-to-support-utf-8-completely-in-a-web-application) - Formerly known as *"UTF-8 all the way through…"* – Funk Forty Niner Aug 12 '16 at 12:32
  • Do not store *un*-salted hashes in your database. Please read a basic introduction on how to securely store salted hashed passwords in a database. – code_dredd Aug 12 '16 at 12:33
  • Thanks, are you sure this would not corrupt special chars saved in database? – Sezer Toker Aug 12 '16 at 12:34
  • You would need to use a test table and see. Once you have it working, apply it to your working code/table. It could also be a collation problem. – Funk Forty Niner Aug 12 '16 at 12:35
  • 1
    Btw, don't use sha1; it's old and cannot be trusted anymore. I suggest you use something of this century like `password_hash()`, set up a new column with a boolean flag of `0|1` and have your users update their password with a new safer one. Once that's done, you can query the database to check to see if it was changed, and use the new safer hash. If not, advise them to change their password. – Funk Forty Niner Aug 12 '16 at 12:37
  • @Fred-ii- I am afraid I don't have the experience to do it properly. But it sounds like a great idea and a safer solution to my problem. I will try to do it in my free time. Thanks again. – Sezer Toker Aug 12 '16 at 12:40
  • It is, believe me. Yet for now, you can visit that link I gave you, read through it, test out a few examples, pass utf8 to the connection before querying and check file/db/table encoding/collation. Oh, and you're welcome ;-) – Funk Forty Niner Aug 12 '16 at 12:41

1 Answer

1

Since you are trying to create an external login to an SMF forum, you have to stay with the hashing provided by SMF.

About your problem: you should take a look at the Sources\LogInOut.php file of the SMF installation to check how SMF creates the login.

Then you can use the same technique for your external login.

Whiteulver
  • 1
    They should change services then ;-) Anyone using sha1 in this day and age should be shut down, or rewritten in order to accommodate security issues of "this century". – Funk Forty Niner Aug 12 '16 at 12:44
  • 1
    Not only change services, but do migration too. You know, nobody loves things that break Backward Compatibility. I think that the migration is the pain, not changing the hashing :) – Whiteulver Aug 12 '16 at 12:47
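
Added example, not part of the original thread and not SMF code: it shows why the same text yields different SHA-1 digests under different charsets, and one way to combine the legacy check with the `password_hash()` flag-column idea from the comments by upgrading on a successful login. Assumptions: the legacy value is `sha1(username . password)` as written in the question, old rows may have been hashed from ISO-8859-9 bytes, and the row with its `hash` and `upgraded` columns is hypothetical and lives in the external application's own table, not in SMF's.

```php
<?php
// Added example, not SMF code. This file must be saved as UTF-8.
// Assumption: legacy value is sha1(username . password), possibly computed
// from ISO-8859-9 bytes instead of UTF-8 bytes.

// sha1() digests bytes, so the charset of the input decides the result.
function legacy_sha1(string $user, string $pass, string $charset): string
{
    return sha1(mb_convert_encoding($user . $pass, $charset, 'UTF-8'));
}

// Returns the charset under which the stored hash matches, or null.
function match_legacy(string $stored, string $user, string $pass): ?string
{
    foreach (['UTF-8', 'ISO-8859-9'] as $charset) {
        if (hash_equals($stored, legacy_sha1($user, $pass, $charset))) {
            return $charset;
        }
    }
    return null;
}

// $row has hypothetical columns: hash, upgraded (the 0|1 flag).
// Returns the row to store after a successful login, or null on failure.
function login(array $row, string $user, string $pass): ?array
{
    if ($row['upgraded'] === 1) {
        return password_verify($pass, $row['hash']) ? $row : null;
    }
    if (match_legacy($row['hash'], $user, $pass) === null) {
        return null;
    }
    // Legacy hash matched: replace it with a salted password_hash() value.
    return ['hash' => password_hash($pass, PASSWORD_DEFAULT), 'upgraded' => 1];
}

// Constructed sample row, hashed the way a Latin-5 page would have sent it.
$user = 'aksak';
$pass = 'temüraga öüşığ';
$old  = ['hash' => legacy_sha1($user, $pass, 'ISO-8859-9'), 'upgraded' => 0];

var_dump(legacy_sha1($user, $pass, 'UTF-8') === $old['hash']); // plain UTF-8 comparison
var_dump(match_legacy($old['hash'], $user, $pass));            // charset that matches
$new = login($old, $user, $pass);                              // upgrades the row
var_dump($new['upgraded'], login($new, $user, $pass) !== null);
var_dump(login($new, $user, 'wrong'));                         // rejected login
```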