#1

    Crypt function support


    Hi guys, just been working on a crypt function for the last few days on my login page for my site. When a user registers on the registration page their password gets encrypted with the crypt function. I didn't define a salt, just left it as crypt($password);

    Now I'm having difficulties with checking that password with what the user enters in the login page.

    PHP Code:
    if( $page_mode == 'Login' )
    {
        require "globe.php";

        //simple post from below
        $username = htmlentities(trim($_POST['username']));
        $username = mysqli_real_escape_string($mysqli, $username);
        $password = trim($_POST['password']);

        $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
        $row = mysqli_fetch_assoc($query);
        $numrows = mysqli_num_rows($query);

        $dbuser = $row['Username'];
        $dbpass = $row['Password'];
        $hashed_password = crypt($dbpass);

        if( ($username == '') || ($password == '') ) {
            $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
        }
        else if ($numrows == 0)
        {
            $error_string .= '<font color=red>No username can be found!</font>';
        }
        else if ($numrows == 1)
        {
            if (crypt($password, $hashed_password) == $hashed_password)
            {
                $error_string .= '<font color=red>Details checked out</font>';
            }
            else
            {
                $error_string .= '<font color=red>No username can be found!</font>';
            }
        }
        else {
            $error_string .= '<font color=red>There was an error. Please contact an Admin</font>';
        }
    }

    The problem lies within crypt. I don't believe it's done correctly.
  2. #2
    Is there a reason you placed $hashed_password as the crypt() function's salt?

    PHP Code:
    if (crypt($password, $hashed_password) == $hashed_password)

    EDIT: And if you didn't define a salt upon registration, but are now, the same password is not going to match... Simply said, you are encrypting with 2 totally different salts, for different answers.
    Last edited by Triple_Nothing; November 25th, 2012 at 01:42 PM.
  4. #3
    Hi,

    Use PHPass instead of fumbling with crypt(). It's basically a wrapper for crypt() that will take care of correctly generating hashes (with a salt!) and checking them.
  6. #4
    I followed the example on php.net crypt


    PHP Code:
    $hashed_password = crypt('mypassword'); // let the salt be automatically generated

    /* You should pass the entire results of crypt() as the salt for comparing a
       password, to avoid problems when different hashing algorithms are used. (As
       it says above, standard DES-based password hashing uses a 2-character salt,
       but MD5-based hashing uses 12.) */
    if (crypt($user_input, $hashed_password) == $hashed_password) {
       echo "Password verified!";
    }

    I may have done something wrong when I tried to get it to work with my code? Didn't fully understand that example.
  8. #5
    Originally Posted by mrdevil123
    I may have done something wrong when I tried to get it to work with my code? Didn't fully understand that example.
    And that's why you shouldn't use crypt().

    I'm pretty sure that
    PHP Code:
    $hashed_password = crypt($dbpass);
    is not what you want, because this would mean you have stored your passwords as plaintext (which would render the whole hashing stuff useless).

    But like I already said in my previous post: Unless you really know what you're doing, use a library that will take care of the technical details.
    Last edited by Jacques1; November 25th, 2012 at 01:59 PM.
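
The register/verify flow discussed in the replies above, as an added example that is not code from any poster: the stored hash is passed unchanged as the salt argument, and `check_password_as_posted` reproduces the `crypt($dbpass)` step from post #1 for comparison. Function names and the sample password are assumptions; an explicit bcrypt salt is used because crypt() requires a salt argument from PHP 8.0.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// Registration: hash once with a fresh random bcrypt salt and store the result.
function make_hash(string $password): string
{
    // 16 random bytes -> 22 characters of bcrypt's salt alphabet (./A-Za-z0-9).
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, '$2y$10$' . $salt);
    if (strlen($hash) !== 60) {   // crypt() returns a short "*0"/"*1" on failure
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Login: the stored hash carries algorithm, cost and salt, so it is passed
// unchanged as the salt argument and the result is compared against it.
function check_password(string $input, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($input, $storedHash));
}

// The login logic as posted in #1: the stored value is hashed again, and the
// new hash becomes both the salt and the comparison target.
function check_password_as_posted(string $input, string $dbpass): bool
{
    $rehash = make_hash($dbpass);   // stands in for crypt($dbpass)
    return hash_equals($rehash, crypt($input, $rehash));
}

$stored = make_hash('correct horse');   // constructed sample password

$ok = check_password('correct horse', $stored)              // right password accepted
    && !check_password('wrong guess', $stored)              // wrong password rejected
    && !check_password_as_posted('correct horse', $stored)  // posted logic rejects the right one
    && check_password_as_posted($stored, $stored);          // it matches only the stored string itself

echo $ok ? "all checks behaved as described\n" : "unexpected result\n";
```

The last check shows why the extra `crypt($dbpass)` call treats the database column as if it held plaintext: the comparison only succeeds for input equal to the stored string.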
  10. #6
    So what other methods are there that will encrypt as secure as the function I'm using now?
  12. #7
    Originally Posted by mrdevil123
    So what other methods are there that will encrypt as secure as the function I'm using now?
    I explained that and gave you a link in reply #3.
  14. #8
    Originally Posted by mrdevil123
    So what other methods are there that will encrypt as secure as the function I'm using now?
    Can you not read, or did you just blow off reply #3, the one from Jacques1?
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
