
[SOLVED] Trying to understand crypt() function


scanreg


I have the following function using crypt():

 

function validate_form() {
    global $db;

    $errors = array();

    // Fetch the stored crypt() output for the submitted username.
    $encrypted_password = $db->getOne('SELECT password FROM users WHERE username = ?',
                                      array($_POST['username']));

    // Re-run crypt() with the stored value as the salt argument and compare
    // the result against what is in the database.
    if ($encrypted_password != crypt($_POST['password'], $encrypted_password)) {
        $errors[] = 'Please enter a valid username and password.';
    }

    return $errors;
}

 

I don't understand why the $encrypted_password is in the crypt() arguments

 

I know that crypt() can take a second argument for salt.

 

However, shouldn't the comparison be more like:

 

if ($encrypted_password != crypt($_POST['password']))

 

It's just testing whether the stored encrypted password equals an encrypted password sent through a form.

 

Why is $encrypted_password in the crypt() function as well?

 

Many thanks :)

The first two, 9, 12, or 16 characters, depending on the encryption type, of the "encrypted" output are the random salt that was generated when the original value was processed. The crypt() function needs that random salt when it processes the value you are trying to compare with the original.
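To make the mechanism in that reply concrete, here is an added example (it is not code from the thread or from the poster's application). It generates a bcrypt hash with crypt(), pulls out the settings prefix that crypt() reads back as its "salt", and verifies a login the same way the posted validate_form() does, but with hash_equals() instead of a loose != comparison. It assumes PHP 7.0 or later (for random_bytes() and hash_equals()) with the CRYPT_BLOWFISH backend available; the function names hash_password(), settings_prefix() and verify_password() are invented for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. It shows why the stored
// hash is passed as crypt()'s second argument: the algorithm id, cost and
// salt live in the front of that string, and crypt() only reads that part.
// Assumed: PHP 7.0+ with bcrypt (CRYPT_BLOWFISH) available.

// Registration: build a "$2y$<cost>$<22-char salt>" settings string and let
// crypt() return the full hash. The returned string starts with those same
// 29 characters, so the salt is stored together with the hash.
function hash_password(string $password, int $cost = 10): string
{
    // bcrypt wants 22 chars from the alphabet [./A-Za-z0-9]; base64 of 16
    // random bytes yields 22 usable chars once '+' is mapped to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {
        // crypt() returns a short string such as "*0" when the settings
        // string is invalid or the algorithm is not compiled in.
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// The part of a stored crypt() string that crypt() reads back as "salt".
// Lengths follow the PHP manual: traditional DES 2, extended DES 9,
// MD5 "$1$" + up to 8 + "$", SHA-256/512 "$5$"/"$6$" + up to 16 + "$",
// bcrypt 29 ("$2y$" + 2-digit cost + "$" + 22).
function settings_prefix(string $stored): string
{
    if (preg_match('/^\$2[abxy]\$\d{2}\$.{22}/', $stored, $m)) {
        return $m[0];
    }
    if (preg_match('/^\$[156]\$(?:rounds=\d+\$)?[^$]{1,16}\$/', $stored, $m)) {
        return $m[0];
    }
    if ($stored !== '' && $stored[0] === '_') {
        return substr($stored, 0, 9);
    }
    return substr($stored, 0, 2);
}

// Login: re-run crypt() with the stored string as the settings argument.
// crypt() parses the prefix, ignores the rest, and produces a value that is
// byte-for-byte equal to $stored only if $password is the original one.
function verify_password(string $password, string $stored): bool
{
    $recomputed = crypt($password, $stored);
    // hash_equals() compares in constant time and never falls into PHP's
    // loose numeric-string comparison, unlike "!=" in the posted snippet.
    return hash_equals($stored, $recomputed);
}

// Demonstration with a constructed password (not a real credential).
$password = 'correct horse battery staple';
$stored   = hash_password($password);
printf("stored:                    %s\n", $stored);
printf("settings prefix:           %s\n", settings_prefix($stored));
printf("crypt() with full stored:  %s\n", crypt($password, $stored));
printf("crypt() with prefix only:  %s\n", crypt($password, settings_prefix($stored)));
var_dump(verify_password($password, $stored));
var_dump(verify_password($password . 'r', $stored));
```

The two crypt() calls at the end produce the same string because crypt() stops reading its second argument once it has the algorithm, cost and salt; everything after that is ignored, which is why passing the whole stored hash works. Since PHP 5.5 the same pattern is packaged as password_hash() and password_verify(), which default to bcrypt and do the constant-time comparison for you, so new code should use those rather than calling crypt() directly.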

I "think" I'm getting you :)

 

The crypt() "skims off" the front end (the salt) of the second argument value and then uses that skimmed-off part (salt) as the salt for the submitted password... and then the statement does the comparison:

 

if ($encrypted_password != crypt($_POST['password'], $encrypted_password))

 

Am I on target?

 

Thanks :)
