icx Posted May 7, 2003

I have about 600 customer records sitting in a .tab text file. I have gone to the effort to make sure that all the data is accurate and complete. I can import the data directly into MySQL using the mysqlimport function, and have done so successfully - customers, addresses, the whole deal 100% perfectly imported.

BUT, I CANNOT LOGIN WITH ANY OF THEIR PASSWORDS! The passwords that I imported into MySQL from the .tab text file are in plain text and I think that this is the problem.

Two questions (3 I guess):

1. How are those passwords being encrypted (what algorithm)?
2. Is there any way to encrypt them properly while importing from the .tab text file?
3. Is this even the problem?????
Guest Posted May 7, 2003

Yes, the passwords in OSCommerce are encrypted. You should be able to correct this with the following query on your database (backup beforehand though).

    update customers set customers_password=md5(customers_password);

The algorithm used is actually a hashing algorithm instead of an encryption algorithm. Once this is done, you won't be able to retrieve the original password. Oscommerce handles this by assigning a new temporary password if a customer loses theirs.

I hope this helps.
icx (Author) Posted May 7, 2003

First off, thanks - I appreciate your reply. When I look at working passwords though, the format is slightly different.

working password --> fd6fa87f997e06125ac56d611b8f8919:ff

new password created with update customers set customers_password=md5(customers_password) --> 626682c5b20a0a24201a4735770f33ee

Notice there is no colon? I am not sure what this means, but I know that I still cannot log in with any of the customers' passwords. Any more suggestions?
icx (Author) Posted May 7, 2003

inside /catalog/includes/function there is a password_funcs.php page....

    ////
    // This function makes a new password from a plaintext password.
      function tep_encrypt_password($plain) {
        $password = '';

        for ($i=0; $i<10; $i++) {
          $password .= tep_rand();
        }

        $salt = substr(md5($password), 0, 2);

        $password = md5($salt . $plain) . ':' . $salt;

        return $password;
      }
    ?>

Unfortunately I do not understand this - $Salt?????
icx (Author) Posted May 7, 2003

Is there a way to generate new passwords for users in the admin? How about generating new passwords for ALL users???
Guest Posted May 7, 2003

Okay... they salt the passwords before storing them. I should have looked first. In MySQL terms this would be similar to:

    update customers set customers_password = concat_ws(":", md5(concat('ip', customers_password)), 'ip');

Not as good as a random salt but it will work for your needs. I have also tested this on a dummy database with plaintext passwords and was able to login through the catalog.

For added security, you can change the ip in the above query to any 2 character string.
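
Added example (not part of the thread and not osCommerce code): a Python sketch that rewrites the password column of a tab-separated export into the md5(salt . plain):salt layout shown in tep_encrypt_password() above, with a random two-character salt per customer instead of the fixed 'ip'. The function names, the column order of the sample rows, UTF-8 encoding of the password, and the login check in matches() (assumed to be the inverse of tep_encrypt_password()) are assumptions.

```python
import hashlib
import hmac
import secrets


def oscommerce_hash(plain, salt=None):
    """Return md5(salt + plain) + ':' + salt, the layout tep_encrypt_password() builds."""
    if salt is None:
        salt = secrets.token_hex(1)  # random 2 hex characters, one salt per customer
    digest = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def matches(plain, stored):
    """Assumed login check: split on ':', re-hash with the stored salt, compare."""
    parts = stored.split(":")
    if len(parts) != 2:
        return False  # bare md5() output or plaintext has no salt field
    digest, salt = parts
    candidate = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode("utf-8"), digest.encode("utf-8"))


def hash_password_column(tab_text, column):
    """Replace the plaintext in `column` of tab-separated text with a salted hash."""
    lines = []
    for line in tab_text.splitlines():
        fields = line.split("\t")
        fields[column] = oscommerce_hash(fields[column])
        lines.append("\t".join(fields))
    return "\n".join(lines) + "\n"


# Constructed sample rows (hypothetical column order: id, e-mail, password).
SAMPLE_TAB = "1\talice@example.com\tcorrect horse\n2\tbob@example.com\thunter2\n"

if __name__ == "__main__":
    print(hash_password_column(SAMPLE_TAB, column=2), end="")
    # The fixed-salt SQL from the reply produces the same layout with salt 'ip'.
    print(matches("hunter2", oscommerce_hash("hunter2", "ip")))
    # The value from the first UPDATE has no ':' field, so the check rejects it.
    print(matches("hunter2", "626682c5b20a0a24201a4735770f33ee"))
```

Run it on the .tab file before mysqlimport so that plaintext passwords never reach the customers table.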