On Wed, 17 Mar 2004 09:44:25 +0100, "Christian Meisinger"
<c.*********@li vingliquid.com> wrote:
has anyone tryed to check .htpasswd passwords with php?
everythink works fine as long as they are encrypted with
the default CRYPT mode of apaches htpasswd.
crypt($pass, $htpass) === $htpass
but how to check MD5?
if you use ./htpasswd -m .htpasswd user
the password will be md5 encrypted.
php manual says that crypt supports md5 if the "salt" starts with $1$.
CRYPT_MD5 - MD5 encryption with a twelve character
salt starting with $1$
then i read the htpasswd manual:
-m Use Apache's modified MD5 algorithm for passwords.
The MD5 algorithm used by htpasswd is specific to the Apache
software; passwords encrypted using it will not be usable
with other Web servers.
great.
does anyone know if a apache md5 algorithm exists for php?
Well - Apache is open source, so you can have a look at the code they use.
In the Apache source, have a look at apr_md5_encode in
srclib/apr-util/crypto/apr_md5.c .
It contains such gems of comments as:
/*
* Then something really weird...
*/
I don't know how much experience you have with C; you may be able to work
through the source and link against APR to get a small executable that does the
same as htpasswd. Or if you're particularly competent with C you could
translate the relevant parts to PHP; C and PHP share a fair amount of syntax.
Perhaps you could run htpasswd using exec(), getting it to write to a
temporary file of your choice, then read that file? I haven't traced it far
enough into what it actually writes to the file to say whether this will be a
workable approach, though.
--
Andy Hassall <an**@andyh.co. uk> / Space: disk usage analysis tool
<http://www.andyh.co.uk > / <http://www.andyhsoftwa re.co.uk/space>