Home/ Questions/Q 6813613
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T20:35:26+00:00

UPDATE: RESPONSE FOUND AT: http://community.invisionpower.com/tracker/issue-21634-md5-once-password-does-not-decode-html-entities/ I want to make a separated page using my

  • 0

UPDATE:

RESPONSE FOUND AT:

http://community.invisionpower.com/tracker/issue-21634-md5-once-password-does-not-decode-html-entities/

I want to make a separated page using my forum credentials (I am using Invision Power Board), so I started looking into how to the password works.

Mainly on the members table you have members_pass_hash and members_pass_salt tables and the encryption is done as follow:

/**
 * Generates a compiled passhash.
 * Returns a new MD5 hash of the supplied salt and MD5 hash of the password
 *
 * @param   string      User's salt (5 random chars)
 * @param   string      User's MD5 hash of their password
 * @return  string      MD5 hash of compiled salted password
 */
static public function generateCompiledPasshash( $salt, $md5_once_password )
{
    return md5( md5( $salt ) . $md5_once_password );
}

After that I start doing my page but no matter what I do the password never matches the one in the database.

Even using MD5(CONCAT(MD5(members_pass_salt),MD5('mypass')) direct on the mysql doesn’t give me the correct value…

I have also searched on communities and at ipb’s forum but can’t narrow what could be the problem here.

My code piece that produces the password is as follow:

$password = $this->input->post('password');
$md5_once_password = md5($password);
$password_hash = md5( md5( $salt ) . $md5_once_password );

$salt comes from the database and I have echo it to my page to make sure it was the correct salt as well.

Continuing at IPB code there is also:

if ( $member['members_pass_hash'] == self::generateCompiledPasshash( $member['members_pass_salt'], $md5_once_password ) )
{
    return true;
}
else
{
    return false;
}

And going back to the initial piece of code I posted from IPB it means the password is matched against the field members_pass_hash from the members table with md5( md5( $salt ) . $md5_once_password )

Any ideas of what I could be doing wrong to get the password to mismatch ?

Encoding somewhere or anything ?

UPDATE with hashs for testing:

This one works fine:

salt: Do.|O
password: fsk23478cf
hash: f3f3c75110ea9a27a1c01e580676997f

This one does not work, dont know why yet:

salt: ppxps
password: fsk23478cf!*
hash saved by the forum: d060c2fb78c5b8a9e9d303c7b4fab456
hash created by my aap: 0df0c7f24f7f79bd7ad8e501f5447986

UPDATE2:

Nailed down the problem being the exclamation mark on the password but still don’t know what is causing it and how to solve.

Passwords with ! will not match properly and right now I am trying to find out if the forum does anything special to the ! which I haven’t found, all I have found is that it does trimming to the password field and then md5 it as said above.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should be aware that if you give any value to md5(), it will output always the same value.

    That being said and assuming you check the same password using both algorithms, it seems like your salt is not identical in these two cases. It may be one char, it may be some invisible char or it may be a different source of the salt, but it seems the salt from first case is not the salt from the second one.

    Just make sure you have account on your discussion board and check what password is being checked (maybe save it into a file when the function / method is invoked?) and compare with what you pass to your newly created function.

    md5() is not magic and should not behave differently if you pass same values to it – this is the basic foundation of hashing functions. The problem lies within the values you pass to md5().

    • 0