A client shot me an email asking for help w/a PlainCart installation he’s trying to setup. The symptom was that the supposed login credentials of admin, admin weren’t working. Reproducing the problem was simple enough, going to the login page and trying to login as admin, admin failed, sure enough. This was a little odd given that it was a fresh install.
I’m completely unfamiliar w/PlainCart, so the first place I looked was in the tbl_users table to make sure it had users – it did. Next was to examine the application’s login function. Nothing out of the ordinary there, the login query was simple enough:
$sql = "SELECT user_id FROM tbl_user
WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
I decided to revisit the tbl_users table and look at the hashed passwords. At first glance nothing seemed out of the ordinary, but after running the following sql statement to verify the hash:
select PASSWORD('admin');
… I saw that the hash returned was *4ACFE3202A5FF5CF467898FC58AAB1D615029441, whereas the stock installation had already written a hash of 43e9a4ab75570f5b in tbl_users.user_password. Why the difference in password hashes?
According to the MySQL documentaion, it turns out that versions < MySQL 4.1 produced 16 byte hashes whereas newer versions produce 41 byte hashes. The fix was simple enough, I:
- altered the user_password column to varchar(41) so that it could hold 41 bytes; it was previously typed as varchar(32)
- updated the passwords via a call to MySQL’s PASSWORD() function
Overall this was a pretty easy fix, but since MySQL 4.1 was released in early 2005, it does beg the question: Why is PlainCart stuck on versions of MySQL older than 4.1??
