[mrdevil123]

Hi guys, Just been working on a crpyt function for the last few days on my login page for my site. When a user registers on the registration page there password gets encrypted with the crypt function. I didn't define a salt, just left it as crypt($password);

now im having difficulties with checking that password with what the user enters in the login page.

PHP Code:

if( $page_mode == 'Login' )
{
require "globe.php";
    //simple post from below
    $username = htmlentities(trim($_POST['username']));
    $username = mysqli_real_escape_string($mysqli, $username);
    $password = trim($_POST['password']);
    $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
    $row = mysqli_fetch_assoc($query);
    $numrows = mysqli_num_rows($query);
    $dbuser = $row['Username'];
    $dbpass = $row['Password'];
    $hashed_password = crypt($dbpass);
   
  

    
    if( ($username == '') || ($password == '') ) {
        $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
        }
    else if ($numrows == 0)
    {
        $error_string .= '<font color=red>No username can be found!</font>';
        }
    else if ($numrows == 1)
    {
       
       if (crypt($password, $hashed_password) == $hashed_password)
       {
       $error_string .= '<font color=red>Details checked out</font>';
       }
       else
       {
       $error_string .= '<font color=red>No username can be found!</font>';
       }

    }
    else {
            $error_string .= '<font color=red>There was an error. Please contact an Admin</font>';

    }
} 


problem lies within crypt. I don't believe its done correctly.

[Triple_Nothing]

Is there reason you placed $hashed_password as the crypt() function's salt?

PHP Code:

if (crypt($password, $hashed_password) == $hashed_password) 


EDIT: And if you didn't define a salt upon registration, but are now, the same password is not going to match... Simply said, you are encrypting with 2 totally different salts, for different answers.

[Jacques1]

Hi,

use PHPass instead of fumbiling with crypt(). It's basically a wrapper for crypt() that will take care of correctly generating hashes (with a salt!) and checking them.

[mrdevil123]

i followed the example on php.net crypt

PHP Code:

$hashed_password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
} 


i may have done something wrong when i tried to get it to work with my code? Didnt fully understand that example

[Jacques1]

Originally Posted by mrdevil123

i may have done something wrong when i tried to get it to work with my code? Didnt fully understand that example

And that's why you shouldn't use crypt().

I'm pretty sure that

PHP Code:

$hashed_password = crypt($dbpass); 


is not what you want, because this would mean you have stored your passwords as plaintext (which would render the whole hashing stuff useless).

But like I already said in my previous post: Unless you really know what you're doing, use a library that will take care of the technical details.

[mrdevil123]

So what other methods are there that will encrypt as secure as the function I'm using now

[Jacques1]

Originally Posted by mrdevil123

So what other methods are there that will encrypt as secure as the function I'm using now

I explained that and gave you a link in reply #3.

[ptr2void]

Originally Posted by mrdevil123

So what other methods are there that will encrypt as secure as the function I'm using now

Can you not read, or did you just blow off reply #3, the one from Jacques1?