November 25th, 2012, 12:22 PM
-
Crypt function support
Hi guys, just been working on a crypt function for the last few days on my login page for my site. When a user registers on the registration page, their password gets encrypted with the crypt function. I didn't define a salt, just left it as crypt($password);
Now I'm having difficulties with checking that password with what the user enters in the login page.
PHP Code:
if( $page_mode == 'Login' )
{
    require "globe.php";
    //simple post from below
    $username = htmlentities(trim($_POST['username']));
    $username = mysqli_real_escape_string($mysqli, $username);
    $password = trim($_POST['password']);
    $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
    $row = mysqli_fetch_assoc($query);
    $numrows = mysqli_num_rows($query);
    $dbuser = $row['Username'];
    $dbpass = $row['Password'];
    $hashed_password = crypt($dbpass);
    if( ($username == '') || ($password == '') ) {
        $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
    }
    else if ($numrows == 0)
    {
        $error_string .= '<font color=red>No username can be found!</font>';
    }
    else if ($numrows == 1)
    {
        if (crypt($password, $hashed_password) == $hashed_password)
        {
            $error_string .= '<font color=red>Details checked out</font>';
        }
        else
        {
            $error_string .= '<font color=red>No username can be found!</font>';
        }
    }
    else {
        $error_string .= '<font color=red>There was an error. Please contact an Admin</font>';
    }
}
The problem lies within crypt. I don't believe it's done correctly.
November 25th, 2012, 12:35 PM
-
Is there a reason you placed $hashed_password as the crypt() function's salt?
PHP Code:
if (crypt($password, $hashed_password) == $hashed_password)
EDIT: And if you didn't define a salt upon registration, but are now, the same password is not going to match... Simply said, you are encrypting with 2 totally different salts, for different answers.
Last edited by Triple_Nothing; November 25th, 2012 at 12:42 PM.
November 25th, 2012, 12:37 PM
-
Hi,
Use PHPass instead of fumbling with crypt(). It's basically a wrapper for crypt() that will take care of correctly generating hashes (with a salt!) and checking them.
November 25th, 2012, 12:38 PM
-
I followed the example on php.net crypt
PHP Code:
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $hashed_password) == $hashed_password) {
    echo "Password verified!";
}
I may have done something wrong when I tried to get it to work with my code? Didn't fully understand that example
November 25th, 2012, 12:51 PM
-
Originally Posted by mrdevil123
I may have done something wrong when I tried to get it to work with my code? Didn't fully understand that example
And that's why you shouldn't use crypt().
I'm pretty sure that
PHP Code:
$hashed_password = crypt($dbpass);
is not what you want, because this would mean you have stored your passwords as plaintext (which would render the whole hashing stuff useless).
But like I already said in my previous post: Unless you really know what you're doing, use a library that will take care of the technical details.
Last edited by Jacques1; November 25th, 2012 at 12:59 PM.
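The check that the php.net example describes, next to the double-hashing login from the first post, as an added example that is not code from any poster in this thread. The function names are hypothetical, the passwords are constructed, and an explicit bcrypt salt is built because current PHP versions no longer accept crypt() without a salt argument.

```php
<?php
// Added example, not from the thread. Function names are hypothetical and
// the sample passwords are constructed. Requires PHP 7+ for random_bytes().

// Build a bcrypt salt string: "$2y$", a two-digit cost, "$", then 22
// characters from the alphabet ./A-Za-z0-9.
function new_bcrypt_salt(int $cost = 10): string
{
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return '$2y$' . str_pad((string) $cost, 2, '0', STR_PAD_LEFT) . '$' . $chars;
}

// Registration: hash once and store the complete crypt() output.
function hash_for_storage(string $password): string
{
    return crypt($password, new_bcrypt_salt());
}

// Login: pass the stored hash as the salt argument. crypt() reads the
// algorithm, cost and salt from its prefix and recomputes the hash, which
// is then compared in constant time.
function verify_login(string $input, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($input, $storedHash));
}

// The login logic from the first post: the stored value is hashed a second
// time with a fresh salt, so the input is compared against a hash of the
// hash, as if the database column held the plaintext.
function verify_login_rehashed(string $input, string $storedHash): bool
{
    $hashedAgain = crypt($storedHash, new_bcrypt_salt());
    return hash_equals($hashedAgain, crypt($input, $hashedAgain));
}

$stored = hash_for_storage('correct horse'); // value kept in the Password column

var_dump(verify_login('correct horse', $stored));          // right password
var_dump(verify_login('wrong guess', $stored));            // wrong password
var_dump(verify_login_rehashed('correct horse', $stored)); // right password, re-hashed check
var_dump(password_verify('correct horse', $stored));       // built-in check on the same hash
```

password_verify() accepts hashes produced by crypt(), so a table filled by the registration step above can be checked with the built-in function as well.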
November 25th, 2012, 01:14 PM
-
So what other methods are there that will encrypt as secure as the function I'm using now?
November 25th, 2012, 01:33 PM
-
Originally Posted by mrdevil123
So what other methods are there that will encrypt as secure as the function I'm using now?
I explained that and gave you a link in reply #3.
November 25th, 2012, 01:34 PM
-
Originally Posted by mrdevil123
So what other methods are there that will encrypt as secure as the function I'm using now?
Can you not read, or did you just blow off reply #3, the one from Jacques1?
I ♥ ManiacDan & requinix
This is a sig, and not
necessarily a comment on the OP:
Please don't be a
help vampire!