
I'm working on a site where, when a user registers, they will have an FTP user created using proftpd and MySQL. What I want to know is how to authenticate a user, as I've never seen a password stored this way before.

```sql
INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`)
VALUES ('', 'newuser', ENCRYPT('password'), 2001, 2001, '/var/www/accounts/newuser', '/sbin/nologin', 0, '', '');
```

From here on out I'll have PHP create the directory and then create a new corresponding table that gives the user all their account details (i.e. userprofile with email options, etc.). The way I've always stored passwords has been sha1("username:password"), so the statement has been:

```php
$hashpass = sha1(strtoupper($_POST['username']));
$query = <<<SQL
SELECT id
FROM accounts
WHERE password = :hashpass
SQL;
$resource = $this->db->db->prepare($query);
$resource->execute(array(
    ":hashpass" => $hashpass,
));
if ($resource->rowCount() == 0) {
    return "Error";
} else {
    // Set the Session
}
```

What I have no clue how to do is query the password that proftpd stores. Any input would be appreciated.

Morgan Green
  • Are you looking to retrieve/query the plaintext password, or the hashed password, from the database? The SQL statement you provided shows `..., ENCRYPT('password'), ...`, which is using MySQL's builtin [`ENCRYPT`](https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_encrypt) function to automatically store the hashed password. When ProFTPD uses this row, it asks MySQL to use that `ENCRYPT` function on the password provided by the client, and see if there is a row in the database where both username and hash password match. Does this help? – Castaglia Feb 01 '16 at 02:47
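
Added example (not part of the original question or comment, and not ProFTPD's own code): one way to check a login from PHP against the `passwd` column, assuming it holds MySQL `ENCRYPT()` output, which is a crypt(3) hash that carries its salt as a prefix. The helper name `verifyFtpUser` is hypothetical, and the in-memory SQLite table with a constructed row stands in for the MySQL `ftpuser` table so the snippet runs offline.

```php
<?php
// Assumption: ftpuser.passwd holds MySQL ENCRYPT() output, i.e. a crypt(3)
// hash with its salt stored as the leading characters of the hash.

// Hypothetical helper: returns the row id on success, null on failure.
function verifyFtpUser(PDO $db, string $userid, string $password): ?int
{
    // Look the row up by username only; the hash is compared in PHP.
    $stmt = $db->prepare('SELECT id, passwd FROM ftpuser WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: hash against a dummy value so both paths call crypt().
    $stored = $row ? (string) $row['passwd'] : crypt('dummy', 'zz');

    // Passing the stored hash as the salt makes crypt() reuse its salt.
    $computed = crypt($password, $stored);

    // hash_equals() compares in constant time; crypt() failure strings
    // ("*0"/"*1") never equal a valid stored hash.
    return ($row && hash_equals($stored, $computed)) ? (int) $row['id'] : null;
}

// Constructed sample data in an in-memory SQLite table (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ftpuser (id INTEGER PRIMARY KEY, userid TEXT, passwd TEXT)');
// crypt() with a two-character salt stands in for ENCRYPT('password').
$db->prepare('INSERT INTO ftpuser (userid, passwd) VALUES (?, ?)')
   ->execute(['newuser', crypt('password', 'ab')]);

var_dump(verifyFtpUser($db, 'newuser', 'password')); // correct password
var_dump(verifyFtpUser($db, 'newuser', 'wrong'));    // wrong password
var_dump(verifyFtpUser($db, 'nobody', 'password'));  // unknown user
// Traditional DES crypt reads only the first 8 characters of the password,
// so this longer string is accepted as well when the hash is DES-based.
var_dump(verifyFtpUser($db, 'newuser', 'passwordEXTRA'));
```

The last call shows why a DES-based `passwd` column is a weak store for web logins: anything past the eighth character of the password is ignored.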

0 Answers