homepage Welcome to WebmasterWorld Guest from 54.237.71.86
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / Databases
Forum Library, Charter, Moderators: physics

Databases Forum

    
Password like a code !
how can i remove it?
HitDelisi




msg:4077181
 8:13 pm on Feb 9, 2010 (gmt 0)

in wordpress theme , i add a user and a password from its admin panel but in the phpmyadmin screen, this is somehow user_pass is like a code ; for example :

$P$B7IwcRzXuNkR5XuOyfqQF7bOiLXbk7.

but actually user's password is webzegs.

what should i do to make that user_pass area normal. i am editing it and writing myself webzegs then i want to login to the site. and it doesn't accept it and says that it is an invalid password.

i mean username and password written in the users table are not available to log in to site. how can i remove this code ?

 

rocknbil




msg:4077206
 8:59 pm on Feb 9, 2010 (gmt 0)

Most likely, when WP creates the pass, it executes an md5 or other algorithm on the string to encrypt it. This is what gets stored in the database.

When you view it in phpMyAdmin, you are seeing the raw encrypted string.

When the user logs in, they will enter "webzegs" and the same algo will be executed on the user input to compare it with the stored string. If it matches, they will be authenticated.

No "retrieve password" or plain text version ("webzegs") will be available anywhere. This is a good thing.

If "webzegs" is not working for a login, there is something in the encrypting algo that is is being done differently - I would guess its wherever the actual login is attempted, but don't know.

The way to tell would be to put a couple echo's on the failed login screen:

echo "FROM DATABASE: $password <br>";
echo "USER INPUT: $usr_pwd_from_input <br>";

If the two strings don't match, something is hosed up in your user input encryption - OR - sometimes, the database and table collation can have an effect on this.

HitDelisi




msg:4077229
 9:48 pm on Feb 9, 2010 (gmt 0)

thank you very much. now i have another question. i want my wordpress not to execute an md5 or other algorithm on this string to encrypt it. what should i do, is there anyone who knows the structure of wordpress well. i don't want it to encrypt my password. is there anyway to solve this problem ?

HitDelisi




msg:4077230
 9:52 pm on Feb 9, 2010 (gmt 0)

/**
* Handles registering a new user.
*
* @param string $user_login User's username for logging in
* @param string $user_email User's email address to send password and add
* @return int|WP_Error Either user's ID or error on failure.
*/
function register_new_user($user_login, $user_email) {
$errors = new WP_Error();

$user_login = sanitize_user( $user_login );
$user_email = apply_filters( 'user_registration_email', $user_email );

// Check the username
if ( $user_login == '' )
$errors->add('empty_username', __('<strong>ERROR</strong>: Please enter a username.'));
elseif ( !validate_username( $user_login ) ) {
$errors->add('invalid_username', __('<strong>ERROR</strong>: This username is invalid. Please enter a valid username.'));
$user_login = '';
} elseif ( username_exists( $user_login ) )
$errors->add('username_exists', __('<strong>ERROR</strong>: This username is already registered, please choose another one.'));

// Check the e-mail address
if ($user_email == '') {
$errors->add('empty_email', __('<strong>ERROR</strong>: Please type your e-mail address.'));
} elseif ( !is_email( $user_email ) ) {
$errors->add('invalid_email', __('<strong>ERROR</strong>: The email address isn&#8217;t correct.'));
$user_email = '';
} elseif ( email_exists( $user_email ) )
$errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'));

do_action('register_post', $user_login, $user_email, $errors);

$errors = apply_filters( 'registration_errors', $errors, $user_login, $user_email );

if ( $errors->get_error_code() )
return $errors;

$user_pass = wp_generate_password();
$user_id = wp_create_user( $user_login, $user_pass, $user_email );
if ( !$user_id ) {
$errors->add('registerfail', sprintf(__('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:%s">webmaster</a> !'), get_option('admin_email')));
return $errors;
}

wp_new_user_notification($user_id, $user_pass);

return $user_id;
}


this is the registration form

HitDelisi




msg:4077248
 10:16 pm on Feb 9, 2010 (gmt 0)

hey bro, this is the code standing for webzegs. here the code is

$P$B7IwcRzXuNkR5XuOyfqQF7bOiLXbk7.

can anyone tell me what encrytpt is it. md5 is usually longer ones and not containing $ or some unknown characters

so what encryption is it ? anyone have an idea ?

rocknbil




msg:4077350
 1:06 am on Feb 10, 2010 (gmt 0)

i don't want it to encrypt my password.


Wordpress is insecure enough as it is, I advise you don't make it worse by following through on this thought . . . .

Your answer is right there in the code you posted,

$user_pass = wp_generate_password();

There is a function, wp_generate_password(), that's likely where you'd find out how it's doing what it's doing.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Databases
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved