md5 hash and c#


bleak_winter


Does anybody out there know how to port the hash encryption code from PHP to C#? I've been trawling the internet for 10+ hours and I feel as though I'm going around in circles. I need another website that is programmed in C# to enter and validate the password in the customer database. So far I am banging my head against a brick wall. I just cannot replicate the encryption/salt or validation code in C#.

So far the only information I've found is a snippet of code from a website saying that the code has to be converted to ASCII as C# uses UTF-16... and that totally confused me!?! I'm useless at PHP and I'm fumbling along trying to understand the code - I need help from a code guru.

ANY help, pointers, website leads or advice would be MUCH appreciated. It's mission critical that the C# site links to osCommerce and I can't sleep until the code is completed.

Why do you need to port it? Use the MD5CryptoServiceProvider class. Use the ComputeHash member, just pass the string to it to generate the hash. In order to test it, trim it from "-" and compare it with the result of the PHP md5 function.


The problem seems to be the way C# encodes in UTF instead of ASCII. Also I don't fully follow how OSC salts the password before encrypting. :'(

 

    // This function validates a plain text password with an
    // encrypted password
    function tep_validate_password($plain, $encrypted) {
      if (tep_not_null($plain) && tep_not_null($encrypted)) {
        // split apart the hash / salt
        $stack = explode(':', $encrypted);

        if (sizeof($stack) != 2) return false;

        if (md5($stack[1] . $plain) == $stack[0]) {
          return true;
        }
      }

      return false;
    }

    ////
    // This function makes a new password from a plaintext password.
    function tep_encrypt_password($plain) {
      $password = '';

      for ($i=0; $i<10; $i++) {
        $password .= tep_rand();
      }

      $salt = substr(md5($password), 0, 2);

      $password = md5($salt . $plain) . ':' . $salt;

      return $password;
    }


  • 4 months later...

I know this is a bit late for you, but may be of help to others.

 

The way the salt's stored is really simple - the "salt" is the last 2 characters after the ":", so to validate a password all you need do is take "salt + plaintextpassword", then run md5 on it, and you get the hash. To compare with what's stored in the PHP db, then you add ":"+salt and store it. Here's the function I use for validating users against the osCommerce db with C#:

 

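    // required at the top of the file
    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Validates a plain-text password against an osCommerce "hash:salt" value.
    private bool ValidatePassword(string dbPassword, string plain)
    {
        bool valid = false;
        if (dbPassword != null)
        {
            string[] parts = dbPassword.Split(new char[] { ':' });
            if (parts.Length != 2)
                throw new Exception("Stored password is corrupted: " + dbPassword);
            string salt = parts[1];
            string pwd = parts[0];

            // use the same salt to encrypt the plain password
            using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
            {
                // Encoding.Default depends on the machine and runtime; it has to
                // produce the same bytes that PHP hashed
                byte[] data = Encoding.Default.GetBytes(salt + plain);
                byte[] hashed = md5.ComputeHash(data);

                // lowercase hex, the same format PHP's md5() returns
                string verifypwd = "";
                foreach (byte b in hashed)
                    verifypwd += b.ToString("x2");
                if (verifypwd == pwd)
                    valid = true;
            }
        }
        return valid;
    }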

 

 

Regards

Russell


  • 2 years later...

Archived

This topic is now archived and is closed to further replies.
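
The encoding question raised in the thread, as an added example that is not part of any post or of osCommerce's code: both PHP functions ported to C# with the byte encoding passed in explicitly, so the same stored value can be checked under Latin-1, UTF-8 and UTF-16. The names `OscPassword`, `Md5Hex`, `Encrypt` and `Validate` are hypothetical, `RandomNumberGenerator` stands in for `tep_rand()`, the sample passwords are constructed, and the stored values are built on the assumption that the PHP site hashed Latin-1 bytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class OscPassword   // hypothetical helper, not osCommerce code
{
    // Lowercase hex MD5 of raw bytes, the same form PHP's md5() returns.
    static string Md5Hex(byte[] data)
    {
        using (MD5 md5 = MD5.Create())
        {
            var sb = new StringBuilder(32);
            foreach (byte b in md5.ComputeHash(data)) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Port of tep_encrypt_password: "md5(salt + plain):salt" with a 2-character salt.
    // Assumption: RandomNumberGenerator replaces tep_rand() as the source of the salt.
    public static string Encrypt(string plain, Encoding enc)
    {
        byte[] seed = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(seed);
        string salt = Md5Hex(seed).Substring(0, 2);
        return Md5Hex(enc.GetBytes(salt + plain)) + ":" + salt;
    }

    // Port of tep_validate_password; enc must yield the bytes the PHP side hashed.
    public static bool Validate(string plain, string stored, Encoding enc)
    {
        if (string.IsNullOrEmpty(plain) || string.IsNullOrEmpty(stored)) return false;
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        string computed = Md5Hex(enc.GetBytes(parts[1] + plain));
        return string.Equals(computed, parts[0], StringComparison.Ordinal);
    }

    static void Main()
    {
        Encoding latin1 = Encoding.GetEncoding("ISO-8859-1");
        // Constructed sample passwords: one ASCII-only, one containing U+00E4.
        foreach (string pw in new[] { "secret123", "p\u00e4ssword" })
        {
            string stored = Encrypt(pw, latin1);   // as a Latin-1 PHP site would store it
            Console.WriteLine("{0}: latin1={1} utf8={2} utf16={3}", pw,
                Validate(pw, stored, latin1), Validate(pw, stored, Encoding.UTF8),
                Validate(pw, stored, Encoding.Unicode));
        }
    }
}
```

An ASCII-only password produces the same bytes under ASCII, Latin-1 and UTF-8, so any of those validates it, while UTF-16 never does; a password with non-ASCII characters validates only under the encoding the PHP site actually used.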
