Zen Cart - Merging an existing user database with the Zen Cart database

Tags: php, hash, md5

I've just installed Zen Cart on my system and tried merging the user database of the site I already had with the Zen Cart database.

I've managed to port everything correctly; only the passwords don't seem to work. My own system MD5-hashes the passwords when they enter the DB. I don't know how Zen Cart hashes its passwords, but as far as I can see it is nearly the same algorithm as I currently use, only with 3 characters attached to it.

e.g. current password: sad97213sd123js123
e.g. Zen Cart pass: sad97213sd123js123:c1

How can I re-salt my passwords to match Zen Cart's criteria, or how can I edit Zen Cart to accept salted passwords generated by other means than Zen Cart's?

Thank you in advance.

GRX asked Sep 16 '15 10:09


1 Answer

Inside class.zcPassword.php (/includes/classes), you will find this:

  /**
   * Determine the password type
   *
   * Legacy passwords were hash:salt with a salt of length 2
   * php < 5.3.7 updated passwords are hash:salt with salt of length > 2
   * php >= 5.3.7 passwords are BMCF format
   */

It describes the legacy comparison it does before deciding what to do with the passwords (using the ircmaxell/password-compat library), right here:

  function detectPasswordType($encryptedPassword)
  {
    $type = 'unknown';
    // try to break the stored value into an array of 2 elements at ':',
    // the first being the hash, the second a suffix (the salt)
    $tmp = explode(':', $encryptedPassword);
    if (count($tmp) == 2) {               // if it splits into exactly two parts...
      if (strlen($tmp[1]) > 2) {          // ...check whether the 2nd part is longer than 2...
        $type = 'compatSha256';           // ...if it is, it's SHA2
      } elseif (strlen($tmp[1]) == 2) {   // ...if not, make sure it's exactly 2...
        $type = 'oldMd5';                 // ...to confirm it's MD5
      }
    }
    return $type;                         // anything else stays 'unknown'
  }

EDIT: commented the code.

As you can see, :c1 is just the salt suffix (the code explodes on it when it finds it), which it reads to decide which algorithm it should run to maintain backward compatibility (in your case, MD5) according to the PHP version; that's why the hashes are the same.

I'd suggest you just remove the suffix at the end of all your passwords at the ':' point, or work on that function and its dependencies so as to ignore this check.

al'ein answered Oct 29 '22 22:10
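The detection and legacy comparison discussed in the answer, worked through as an added example (my own code, not Zen Cart's class.zcPassword.php and not the answerer's), and extended to the migration the question asks about. Two things in it are assumptions, marked in the comments: that a legacy oldMd5 entry is md5(salt . plain) followed by ':' and the two-character salt (the doc comment above says only "hash:salt with a salt of length 2", so check the validate method in your own class.zcPassword.php), and that the migrated site stores a bare 32-hex-character md5 of the password with no salt. Apart from detectPasswordType, the function names (validateOldMd5, validateForeignMd5, verifyAndUpgrade) and the extra 'foreignMd5' and 'bcrypt' type labels are mine. Because a stored hash cannot be re-salted without the plaintext, the example instead accepts the foreign format on login and writes back a bcrypt hash from password_hash(), so each migrated account is upgraded on its first successful login.

```php
<?php
declare(strict_types=1);

// Added example, not Zen Cart's own code.
// Assumption A: a legacy Zen Cart "oldMd5" row is md5($salt . $plain) . ':' . $salt
//               with a two-character salt (hash:salt, salt length 2).
// Assumption B: the foreign (questioner's) site stores bare md5($plain): 32 hex chars, no salt.

const FOREIGN_MD5_RE = '/^[0-9a-f]{32}$/';

function detectPasswordType(string $stored): string
{
    $parts = explode(':', $stored);
    if (count($parts) === 2) {
        if (strlen($parts[1]) > 2) {
            return 'compatSha256';  // hash:salt with a salt longer than 2 chars
        }
        if (strlen($parts[1]) === 2) {
            return 'oldMd5';        // hash:salt with a 2-char salt
        }
    }
    if (count($parts) === 1 && preg_match(FOREIGN_MD5_RE, $stored) === 1) {
        return 'foreignMd5';        // added label: unsalted md5 from the migrated site (assumption B)
    }
    if (strncmp($stored, '$2y$', 4) === 0) {
        return 'bcrypt';            // added label: output of password_hash()
    }
    return 'unknown';
}

function validateOldMd5(string $plain, string $stored): bool
{
    [$hash, $salt] = explode(':', $stored, 2);
    // assumption A: salt is prepended to the input of md5, not appended to its output
    return hash_equals($hash, md5($salt . $plain));
}

function validateForeignMd5(string $plain, string $stored): bool
{
    return hash_equals($stored, md5($plain));   // assumption B
}

/**
 * Verify $plain against $stored. On success with a legacy or foreign format,
 * also return a fresh bcrypt hash to write back to the row.
 * Returns [bool $ok, ?string $newHash].
 */
function verifyAndUpgrade(string $plain, string $stored): array
{
    switch (detectPasswordType($stored)) {
        case 'oldMd5':
            $ok = validateOldMd5($plain, $stored);
            break;
        case 'foreignMd5':
            $ok = validateForeignMd5($plain, $stored);
            break;
        case 'bcrypt':
            return [password_verify($plain, $stored), null];  // already modern, nothing to upgrade
        default:
            // compatSha256 is deliberately not implemented here (its salt handling is not on the page);
            // unknown formats never validate
            return [false, null];
    }
    return [$ok, $ok ? password_hash($plain, PASSWORD_BCRYPT) : null];
}

// Demo with constructed values (not real hashes from anyone's database).
$plain   = 'correct horse battery staple';
$legacy  = md5('c1' . $plain) . ':c1';   // what a legacy Zen Cart row would look like under assumption A
$foreign = md5($plain);                  // what the questioner's site stores under assumption B

// Does the legacy hash with its ":c1" suffix removed equal the bare md5 of the same password?
var_dump(explode(':', $legacy)[0] === $foreign);

var_dump(detectPasswordType($legacy), detectPasswordType($foreign));

[$ok, $newHash] = verifyAndUpgrade($plain, $foreign);
var_dump($ok, $newHash !== null && password_verify($plain, $newHash));
var_dump(verifyAndUpgrade('wrong password', $legacy)[0]);
```

Run it with php from the command line. The first var_dump is the check worth doing before touching the table: under assumption A the salt is mixed into the input of md5 rather than merely appended to the output, so stripping the suffix does not turn a legacy value into a bare md5 of the password, and whether the suffix-stripping route works in practice depends entirely on what your own validator computes. The remaining calls show the two formats being told apart, a foreign entry being accepted and replaced by a bcrypt hash, and a wrong password being rejected.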