New Free Tools on Dev Shed!
We're Excited to announce that Dev Shed now has 70 free tools on the site. To learn more, click here!
|
 |
|
Dev Shed Forums
> Programming Languages
> PHP Development
|
Crypt function support
Discuss Crypt function support in the PHP Development forum on Dev Shed.
Crypt function support PHP Development forum discussing coding practices, tips on PHP, and other PHP-related topics. PHP is an open source scripting language that has taken the web development industry by storm.
|
|
 |
|
|
|
|
Dev Shed Forums Sponsor:
|
|
|
November 25th, 2012, 01:22 PM
|
|
Registered User
|
|
Join Date: Nov 2012
Posts: 3
Time spent in forums: 34 m 4 sec
Reputation Power: 0
|
|
|
Crypt function support
Hi guys, Just been working on a crpyt function for the last few days on my login page for my site. When a user registers on the registration page there password gets encrypted with the crypt function. I didn't define a salt, just left it as crypt($password);
now im having difficulties with checking that password with what the user enters in the login page.
PHP Code:
if( $page_mode == 'Login' )
{
require "globe.php";
//simple post from below
$username = htmlentities(trim($_POST['username']));
$username = mysqli_real_escape_string($mysqli, $username);
$password = trim($_POST['password']);
$query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
$row = mysqli_fetch_assoc($query);
$numrows = mysqli_num_rows($query);
$dbuser = $row['Username'];
$dbpass = $row['Password'];
$hashed_password = crypt($dbpass);
if( ($username == '') || ($password == '') ) {
$error_string .= '<font color=red>You have left either the username or password field blank!</font>';
}
else if ($numrows == 0)
{
$error_string .= '<font color=red>No username can be found!</font>';
}
else if ($numrows == 1)
{
if (crypt($password, $hashed_password) == $hashed_password)
{
$error_string .= '<font color=red>Details checked out</font>';
}
else
{
$error_string .= '<font color=red>No username can be found!</font>';
}
}
else {
$error_string .= '<font color=red>There was an error. Please contact an Admin</font>';
}
}
problem lies within crypt. I don't believe its done correctly.
|
November 25th, 2012, 01:35 PM
|
|
Contributing User
|
|
Join Date: Jun 2009
Posts: 512
Time spent in forums: 5 Days 19 h 44 m 31 sec
Reputation Power: 7
|
|
Is there reason you placed $hashed_password as the crypt() function's salt?
PHP Code:
if (crypt($password, $hashed_password) == $hashed_password)
EDIT: And if you didn't define a salt upon registration, but are now, the same password is not going to match... Simply said, you are encrypting with 2 totally different salts, for different answers.
Last edited by Triple_Nothing : November 25th, 2012 at 01:42 PM.
|
November 25th, 2012, 01:37 PM
|
 |
You have been warned
|
|
|
|
Hi,
use PHPass instead of fumbiling with crypt(). It's basically a wrapper for crypt() that will take care of correctly generating hashes (with a salt!) and checking them.
|
November 25th, 2012, 01:38 PM
|
|
Registered User
|
|
Join Date: Nov 2012
Posts: 3
Time spent in forums: 34 m 4 sec
Reputation Power: 0
|
|
i followed the example on php.net crypt
PHP Code:
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
i may have done something wrong when i tried to get it to work with my code? Didnt fully understand that example
|
November 25th, 2012, 01:51 PM
|
|
You have been warned
|
|
|
|
Quote: | Originally Posted by mrdevil123 i may have done something wrong when i tried to get it to work with my code? Didnt fully understand that example |
And that's why you shouldn't use crypt().
I'm pretty sure that
PHP Code:
$hashed_password = crypt($dbpass);
is not what you want, because this would mean you have stored your passwords as plaintext (which would render the whole hashing stuff useless).
But like I already said in my previous post: Unless you really know what you're doing, use a library that will take care of the technical details.
Last edited by Jacques1 : November 25th, 2012 at 01:59 PM.
|
November 25th, 2012, 02:14 PM
|
|
Registered User
|
|
Join Date: Nov 2012
Posts: 3
Time spent in forums: 34 m 4 sec
Reputation Power: 0
|
|
|
So what other methods are there that will encrypt as secure as the function I'm using now
|
November 25th, 2012, 02:33 PM
|
|
You have been warned
|
|
|
|
Quote: | Originally Posted by mrdevil123 So what other methods are there that will encrypt as secure as the function I'm using now |
I explained that and gave you a link in reply #3.
|
November 25th, 2012, 02:34 PM
|
|
|
Quote: | Originally Posted by mrdevil123 So what other methods are there that will encrypt as secure as the function I'm using now |
Can you not read, or did you just blow off reply #3, the one from Jacques1?
__________________
I ♥ ManiacDan & requinix
This is a sig, and not necessarily a comment on the OP:
Please don't be a help vampire!
|
Developer Shed Advertisers and Affiliates
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
Rate This Thread |
 Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
