Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What function returns a Drupal-6-valid password hash?

I want to make a script to insert some 100 users into a Drupal 6 database - their username, mail and password hash.

After reading about the PHP class that Drupal 6 uses, I'm not sure I can pull this off. My method was to send every user a mail like "Hello, x! Your new password is y", then insert the hashed "y" into Drupal's user table.

I know Drupal returns an md5. But it doesn't just md5's the original password, but a very mixed-up password (using salt and other methods).

I've looked into the Portable PHP password hashing framework Drupal's using, but I don't think it works just with a copy+paste method.

So, my question is: can I make a PHP function that returns a valid Drupal 6 password hash to insert it into its user table?

like image 488
nevvermind Avatar asked Oct 08 '10 16:10

nevvermind


3 Answers

Actually, Drupal 6 does not use any salt to calculate the hash of the password. Its just a simply md5 of the password

You can try this for your self. Set your password to something.

Calculate the md5 of your password (you can use this link http://www.miraclesalad.com/webtools/md5.php for convenience).

You will find that the hash stored in the database in the users table in the pass column will be exactly the same

This behavior for the default installation of Drupal 6 (the behavior may have changed for Drupal 7). Only if you have some special module installed will the behavior be any different for Drupal 6.

like image 157
Sid Kshatriya Avatar answered Oct 21 '22 09:10

Sid Kshatriya


If you're creating users programmatically, you should create the plaintext password yourself, and then use the user_save() function to insert the user into the database. That function will hash and save everything for you.

like image 4
Dave DeLong Avatar answered Oct 21 '22 10:10

Dave DeLong


The existing user import module looks like it would work for bulk user importing. This does not answer your "how do I hash the password" question, but it would remove the need for a custom (probably more error prone) script.

like image 2
brian_d Avatar answered Oct 21 '22 09:10

brian_d