PHP Account Registration / User Control Panel

[twistedvengeance]

So, I'm looking to make a user control panel for a website, so people can edit their characters and what not.
However, I can't figure out the encryption method used by either the login server source, or MXI.

This is what I have found

Code: Select all

case LOGIN_CREATE:
    //looking for same login
    if( Sql_Query(SqlHandle,"SELECT accounts.id FROM accounts WHERE accounts.login = '%s'",login) == SQL_ERROR )
    { //If this account is already made 
        WBUFB(session[fd]->wdata,0) = LOGIN_ERROR_CREATE;
        WFIFOSET(fd,1);
        do_close_login(sd,fd);
        return -1;
    }
                
    if( Sql_NumRows(SqlHandle) == 0 )
    { // If not
        //creating new account_id 
        char *fmtQuery = "SELECT max(accounts.id) FROM accounts;";

        uint32 accid = 0;

        if( Sql_Query(SqlHandle,fmtQuery) != SQL_ERROR  && Sql_NumRows(SqlHandle) != 0)
        {
            Sql_NextRow(SqlHandle);
            
            accid = Sql_GetUIntData(SqlHandle,0)+1;
        }else{
            WBUFB(session[fd]->wdata,0) = LOGIN_ERROR_CREATE;
            WFIFOSET(fd,1);
            do_close_login(sd,fd);
            return -1;
        }

        accid = (accid < 1000 ? 1000 : accid);
    
        //creating new account
        time_t timecreate;
        tm*	   timecreateinfo;

        time(&timecreate);
        timecreateinfo = localtime(&timecreate);

        // Start the query to insert an account
        
        char strtimecreate[128];
        strftime(strtimecreate,sizeof(strtimecreate),"%Y:%m:%d %H:%M:%S",timecreateinfo);
        fmtQuery = "INSERT INTO accounts(id,login,password,timecreate,timelastmodify,status,priv)\
                               VALUES(%d,'%s',PASSWORD('%s'),'%s',NULL,%d,%d);";

        // End the query                       
                               
        if( Sql_Query(SqlHandle,fmtQuery,accid,login,password,
                      strtimecreate,ACCST_NORMAL,ACCPRIV_USER) == SQL_ERROR )
        {
            WBUFB(session[fd]->wdata,0) = LOGIN_ERROR_CREATE;
            WFIFOSET(fd,1);
            do_close_login(sd,fd);
            return -1;
        }

        ShowStatus(CL_WHITE"login_parse" CL_RESET": account<" CL_WHITE"%s" CL_RESET"> was created\n",login);
        WBUFB(session[fd]->wdata,0) = LOGIN_SUCCESS_CREATE;
        WFIFOSET(fd,1);
        do_close_login(sd,fd);
    }else{
        ShowWarning(CL_WHITE"login_parse" CL_RESET": account<" CL_WHITE"%s" CL_RESET"> already exists\n",login);
        WBUFB(session[fd]->wdata,0) = LOGIN_ERROR_CREATE;
        WFIFOSET(fd,1);
        do_close_login(sd,fd);
    }
    break;

Now, I'm no whiz at C++, not by a long shot, but I do not see an encryption method being used for the password. I see PASSWORD('yourpassword') being used, which would encrypt your password with md5. md5 is not the encryption method being used. It is SHA1, from what I can see.

I've written some PHP to try and find the encoding hash, but I just can't seem to find it.

Code: Select all

<?php
	mysql_connect("****","****","****");
	mysql_select_db("dspdb");
	$account = "myaccount";
	$account_vars = mysql_query("SELECT * FROM accounts WHERE login='$account'");
	
	$password = "mypassword";
	$fetch_vars = mysql_fetch_array($account_vars);
	$internal_hash = $fetch_vars['timecreate'];
	$encryptions = array("ffxi","finalfantasyeleven","finalfantasy11","squareenix","se");
	foreach($encryptions as $print){
		$send = "*" . sha1($print);
		echo $send . " " .// Echo the encoded string
		strlen($send) . // Show length of encode
		"<br />\n"; // Break line
	}
?>

If anyone knows anything that I don't, or you see something stupid I missed, PLEASE post, letting me know.
Thanks!

[bluekirby0]

Actually it is using mysql's password function. Just use mysql's password function again in the comparison and you are good to go.

[twistedvengeance]

Oh my god. Thank you. I've been trying to figure this out for nearly a month now. Works perfect.

[bluekirby0]

No problem