Surprising that a commercial script like this does not hash passwords -- the admin and moderator passwords are stored and compared in plaintext.
Below is the code to hash your admin and moderator passwords with PHP's crypt().
The algorithm is traditional DES crypt() with a hard-coded salt (`'secret_string'`, of which DES uses only the first two characters), so it is not great but better than nothing: only the first 8 characters of a password are significant, every account shares the same salt (identical passwords produce identical hashes), and DES crypt is cheap to brute-force. Note that this is one-way hashing, not encryption -- the stored value cannot be turned back into the password. Two further caveats: existing plaintext rows are only converted the next time that password is changed, and as long as the login queries keep the fallback that compares the submitted value against the raw stored column, a stored hash pasted into the password field also logs in -- remove that fallback once every account has been re-saved. The script's queries also interpolate `$_POST` values straight into SQL, and this mod does not change that.
AS USUAL USE THIS AT YOUR OWN RISK. ALWAYS BACK UP ALL DATA AND IF YOU GET LOCKED OUT OF YOUR ADMIN AREA I CANNOT HELP YOU.
# === SQL Queries ===
-- Widen the credential columns to hold a crypt() hash instead of the plaintext
-- they held before (standard DES crypt() output is 13 characters).
-- NOTE(review): 32 characters fits DES crypt() only. If a different crypt()
-- scheme is adopted later (MD5 `$1$` = 34 chars, bcrypt `$2y$` = 60 chars),
-- non-strict MySQL would silently truncate the hash and every login would fail.
ALTER TABLE `admins` MODIFY `Password` VARCHAR(32) NOT NULL;
ALTER TABLE `moderators` MODIFY `Password` VARCHAR(32) NOT NULL;
# === File Editing ===
OPEN: inc/admin.inc.php
# Accept both hashed and raw passwords (legacy plaintext rows are only re-hashed when that password is next changed)
FIND: if ( strcmp( $real_pwd, $passwd ) != 0 )
REPLACE WITH: if ( strcmp( $real_pwd, $passwd ) != 0 AND strcmp( $p_arr[Password], $passwd ) != 0 )
OPEN: admin/index.php
# Accept both hashed and raw passwords for admin login.
# CAVEAT: while the raw `Password = '$_POST[Password]'` branch remains, the stored hash itself is a valid password for that account (a dump of the table logs in without any cracking) -- drop the raw branch once every admin has been re-saved.
# $_POST[ID] and $_POST[Password] are still interpolated into the query unescaped, exactly as in the original line; this mod does not fix that SQL injection.
FIND: $result = db_res( "SELECT * FROM Admins WHERE Name = '$_POST[ID]' AND Password = '$_POST[Password]'" );
REPLACE WITH: $result = db_res( "SELECT * FROM Admins WHERE Name = '$_POST[ID]' AND ( Password = '$_POST[Password]' OR Password = '" . crypt( $_POST[Password], 'secret_string' ) . "' ) " );
OPEN: admin/global_settings.php
# Accept the old password either as the legacy stored plaintext or as its crypt() hash
FIND: if ($row['Password'] != $pwd_old) // Check old password
REPLACE WITH: if ($row['Password'] != $pwd_old AND $row['Password'] != crypt( $pwd_old, 'secret_string' )) // Check old password
# Hash the admin password when it is changed (DES crypt(): only the first 8 characters of the new password are significant)
FIND: $q_str = "UPDATE Admins SET Password = '$pwd_new' WHERE Name = '$admin_name'";
ADD BEFORE: $pwd_new = crypt( $pwd_new, 'secret_string' );
OPEN: admin/moderators.php
# Hash a new moderator's password before inserting it into the DB (DES crypt() keeps only the first 8 characters)
FIND:
// Add new moderator to database.
// Set query string -- get moderator prop values via $_POST variable.
ADD AFTER: $_POST[password] = crypt( $_POST[password], 'secret_string' );
# When a new password is submitted, hash it; an empty password field leaves the stored hash unchanged
FIND:
// Update moderator.
// Set query string -- get moderator prop values via $_POST variable.
$q_str = <<<EOD
UPDATE `moderators` SET
`name` = '$_POST[name]',
`email` = '$_POST[email]',
`Password` = '$_POST[password]',
`status` = '$_POST[status]'
WHERE `id` = $_POST[id];
EOD;
REPLACE WITH:
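// Only overwrite the stored password when a new one was submitted; an empty
// field leaves the existing (hashed) value untouched. Compare against '' rather
// than relying on truthiness so a password of "0" is not treated as "unchanged".
$update_pass = '';
if (isset($_POST['password']) && $_POST['password'] !== '') {
    // Standard DES crypt() with a fixed salt: only the first 8 characters of the
    // password are significant. crypt() output is limited to [A-Za-z0-9./], so
    // it is safe to splice into the query string.
    $update_pass = "`Password` = '" . crypt($_POST['password'], 'secret_string') . "',";
}
// `id` is numeric in the original query (it was interpolated unquoted), so cast it
// instead of pasting raw request input into the WHERE clause.
$mod_id = (int) $_POST['id'];
// NOTE(review): name, email and status are still interpolated unescaped, as in the
// original script -- this mod does not address that SQL injection. Escape them with
// the script's DB layer (not visible here) or switch to prepared statements.
$q_str = <<<EOD
UPDATE `moderators` SET
`name` = '$_POST[name]',
`email` = '$_POST[email]',
$update_pass
`status` = '$_POST[status]'
WHERE `id` = $mod_id;
EOD;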
# In the update form, leave the password field empty: the stored value is a one-way hash, not an encrypted password, so there is nothing meaningful to display -- and the hash must not be sent to the browser, since while the raw-password fallback exists it is itself a working credential.
# NOTE: leaving the password field blank when updating keeps the existing password.
FIND: <td align="center" width="10%"><input class="no" size="8" name="password" value="<?=$editdis_arr[Password]?>"></td>
REPLACE WITH: <td align="center" width="10%"><input class="no" size="8" name="password" value=""></td>
OPEN: moderators/index.php
# Accept both hashed and raw passwords for moderator login. CAVEAT: while the raw `Password` comparison remains, the stored hash itself logs in -- remove it once every moderator has been re-saved.
FIND:
$q_str = <<<EOD
SELECT * FROM `moderators`
WHERE `name` = '$_POST[ID]' AND
`Password` = '$_POST[Password]';
EOD;
REPLACE WITH:
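// Hash the submitted password with the same fixed DES salt used when storing it.
// Quote the array key and default a missing field to '' so crypt() never sees
// an undefined index / undefined constant.
$submitted = isset($_POST['Password']) ? $_POST['Password'] : '';
$encrypted = crypt($submitted, 'secret_string');
// NOTE(review): the plaintext comparison below is kept so moderators whose rows
// were never re-saved can still log in, but it also means anyone holding a dump
// of the table can log in by submitting the stored hash itself as the password.
// Drop the raw `Password` = '$_POST[Password]' branch once every moderator has
// been re-saved.
// NOTE(review): $_POST[ID] and $_POST[Password] are still interpolated unescaped,
// exactly as in the original script -- this mod does not fix that SQL injection.
$q_str = <<<EOD
SELECT * FROM `moderators`
WHERE `name` = '$_POST[ID]' AND
(`Password` = '$_POST[Password]' OR
`Password` = '$encrypted');
EOD;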

