1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XenForo Password Encryption

Discussion in 'XenForo Questions and Support' started by ZoomZaa, Oct 13, 2012.

  1. ZoomZaa

    ZoomZaa Member

    How does XenForo Password Encryption work?
    I'm trying to code a PHP script to check whether or not the input password matches with the password stored in the database.
    I've tried [' sha1(sha1($password) . salt) '] but didn't work.
    What exactly the formula is?
  2. Chris D

    Chris D XenForo Developer Staff Member

    Jake Bunce likes this.
  3. ZoomZaa

    ZoomZaa Member

  4. Chris D

    Chris D XenForo Developer Staff Member

    You've tried both and they didn't work?

    They are the only methods used by XenForo to hash passwords. The method used depends on whether you have the relevant PHP extension installed.
    James likes this.
  5. James

    James Well-Known Member

    Have a look in XenForo_Authentication_Core for the algorithm. Your hashing algorithm will either be sha1 or sha256, depending on whether you have the ability to do it.
    sha1(sha1($password) . $salt);
    sha256(sha256($password) . $salt);
  6. ZoomZaa

    ZoomZaa Member

    No. They didn't work.
    When I used SHA1, the result was not the same as the one in the database.
    When I used SHA256, it resulted in error.
  7. James

    James Well-Known Member

    Are you using the salt also? Are you making sure you hash the password then re-hash it with the salt?
    Chris D likes this.
  8. Chris D

    Chris D XenForo Developer Staff Member

    What was the error?

    Is the PHP script and XenForo install running on the same server? If not, it's possible that your server running the PHP script doesn't have the correct PHP extension installed whereas your XenForo install does.
  9. ZoomZaa

    ZoomZaa Member

    I used:
    sha1(sha1($password) . salt)
    Was this correct?
    They're running on the same server.
    The error was an Internal error. Seemed like the server could not define SHA256. So, the stored passwords should be SHA1-encrypted, shouldn't they?
  10. James

    James Well-Known Member

    Yep, that's correct. I'm not sure why it wouldn't return the same string unless something is wrong in the password and/or salt.

    You should create a test account, grab the hash from the database, grab the salt and create a script to see if the hash is correct.
    Chris D likes this.
  11. ZoomZaa

    ZoomZaa Member

    Still doesn't work. :(
  12. Chris D

    Chris D XenForo Developer Staff Member

    We'd probably need to see your code to be able to debug it effectively.

    At the moment we can only see one half of the equation, e.g. the actual formula XenForo uses. The part we can't see, e.g. your script might be the part that leads us to the solution.
  13. ZoomZaa

    ZoomZaa Member

    Thanks for your support.

    Here is my script:

    $username = $_POST['username'];
    $password = $_POST['password'];
    $password = sha1(sha1($password) . salt);
    $con = mysql_connect("localhost","*****","*****");
    if (!$con)
    die('Could not connect: ' . mysql_error());
    $idsearch = mysql_query("SELECT user_id FROM xf_user WHERE username = '$username'");
    while ($row = mysql_fetch_assoc($idsearch)) {
    $user_id = $row['user_id'];
    $authenticate = mysql_query("SELECT remember_key FROM xf_user_authenticate WHERE user_id = '$user_id'");
    while ($row = mysql_fetch_assoc($authenticate)) {
    $forumpassword = $row['remember_key'];
    if($password == $forumpassword){
    echo "Password Correct";
    echo "Password Incorrect<br>";
    I'm still new in PHP, I'd love to hear your advice too. :)
    Chris D likes this.
  14. Chris D

    Chris D XenForo Developer Staff Member

    I'm relatively new to PHP also, and the only PHP experience I have is ALL XenForo.

    I've just figured out this little script that may help...

    Because I always think in XenForo, I literally do nothing unless it involves XenForo. So the following does what you want, but entirely using XenForo functions and classes. You should be able to call these from your script.


    $fileDir dirname(__FILE__);

    $fileDir '/library/XenForo/Autoloader.php');
    XenForo_Autoloader::getInstance()->setupAutoloader($fileDir '/library');

    XenForo_Application::initialize($fileDir '/library'$fileDir);

    $username 'Kier';
    $password 'KiersPassword';

    $db XenForo_Application::getDb();

    $data $db->fetchOne('
        FROM xf_user_authenticate AS auth
        INNER JOIN xf_user AS user ON
            (user.user_id = auth.user_id)
        WHERE user.username = ?

    $auth XenForo_Authentication_Abstract::createDefault();


    $check $auth->authenticate($username$password);

    So, talking through it.

    The first 10 lines (before $username) basically load XenForo's classes.

    You need to specify the full server path to Autoloader.php, in my case my PasswordCheck.php is in the XenForo root so the __FILE__ parameter is sufficient.

    I then set the username and password (obviously this can be retrieved from $_POST parameters instead).

    I then get the database. This handles all of the database authentication and everything.

    Big difference between my code and your code is I'm selecting 'data' from xf_user_authenticate NOT the remember_key. I'm not sure what the remember_key is, but it's something different. I believe data essentially contains your password hash and salt amongst other things in a serialised array.

    Now I've got that, I create the default XenForo authentication object and set the data I retrieved from the database.

    I can then make a call to the authenticate function and pass in my username and password.

    The response will either be true or false. I have dumped the response using Zend_Debug::dump($check)

    Attached Files:

    intradox and Jake Bunce like this.
  15. ZoomZaa

    ZoomZaa Member

    Many Thanks!
    Does $auth stand for the result (true or false), right?
  16. Chris D

    Chris D XenForo Developer Staff Member

    $auth creates the authentication handler.

    In my code it's:

    $check = $auth->authenticate($username, $password);

    That contains the result of the check. Will either be true or false.
    Jake Bunce likes this.
  17. ZoomZaa

    ZoomZaa Member

    For Zend_Debug, you need Zend Framework to use this, right?
  18. Chris D

    Chris D XenForo Developer Staff Member

    It's built into XenForo and loaded along with the XenForo Autoloader.

    For testing purposes you could equally just use something like:
    if ($check)
  19. ZoomZaa

    ZoomZaa Member

    Thank you very much. :)
    I'll try it now and will keep you posted.
    Chris D likes this.
  20. ZoomZaa

    ZoomZaa Member

    I got an error: HTTP500 Internal Error.

Share This Page