Using uppercase PW check.

[IamSuchANoob]

Problem - application produces MD5 PWs which are uppercase, code checks lowercase.

Question- How to use uppercase check?

 

function checkPwd($x,$y)
{
    //Checks if strings are empty

    if(empty($x) || empty($y) )
    {
        //Strings were empty
        return false;
    }
    else if(strlen($x) < 4 || strlen($y) < 4)
    {
        //String length too short
        return false;
    }
    else if(strcmp($x,$y) != 0)
    {
        //Strings do not match
        return false;
    }
    else
    {
        //Password Determined valid
        return true;

    }
}

 

Question 2: Do I have to change it anywhere else, like PW generation?

function GenPwd($length = 7)
{
  $password = "";
  $possible = "0123456789bcdfghjkmnpqrstvwxyz"; //no vowels
  
  $i = 0; 
    
  while ($i < $length) { 

    
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
       
    
    if (!strstr($password, $char)) { 
      $password .= $char;
      $i++;
    }

  }

  return $password;

}

function GenKey($length = 7)
{
  $password = "";
  $possible = "0123456789abcdefghijkmnopqrstuvwxyz"; 
  
  $i = 0; 
    
  while ($i < $length) { 

    
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
       
    
    if (!strstr($password, $char)) { 
      $password .= $char;
      $i++;
    }

  }

  return $password;

}

 

Thank you for reading

[mikesta707]

i dont really see anywhere in that code that passwords have to be uppercase. In your first function, everything depends on your two input arguments, and regardless of if they are uppercase, or lowercase, they have to be  the same for the function to return true.

 

if you need to convert something to uppercase though, use the toupper function. Similarly, to convert to lowercase, there is a tolower function

[IamSuchANoob]

i dont really see anywhere in that code that passwords have to be uppercase. In your first function, everything depends on your two input arguments, and regardless of if they are uppercase, or lowercase, they have to be  the same for the function to return true.

 

if you need to convert something to uppercase though, use the toupper function. Similarly, to convert to lowercase, there is a tolower function

awkward. the code simply doesnt recognize the uppercase PWs. I checked in DB, if I convert the PW lowercase, everything is ok.

[.josh]

in any case, the case-insensitive version of strcmp is strcasecmp

[mikesta707]

Oh i see,  so you are using the lowercased PW's from the DB and the uppercased PW's from some form of input. You could always use the strtolower() function to convert all your password strings to lower case.

[.josh]

one thing to note though is that case-sensitive passwords are stronger, so ideally you should be matching up how you generate/store them, and making the check case-sensitive. 

 

For example, treating all of these as the same thing makes for less work in trying to crack a password:

 

aaa

aaA

aAa

aAA

Aaa

AaA

AAa

AAA

 

 

[IamSuchANoob]

Okay, I didnt explain myself good enough.

The password encryption from application is uppercase. I suppose the problem is within application, not the code.

 

Example.

 

md5 Encryption for 'hi' is:

 

49f68a5c8493ec2c0bf489821c21fc3b

 

and from our application it comes as:

 

49F68A5C849EC2C0BF489821C21FC3B

 

So there comes the problem, php does not think its the same PW.

 

P.S Sorry for saying it was PW not the encryption itself

[mikesta707]

oh. why don't you just use strtolower on the hashed string then? does that not work? you could also use strcasecmp().

[plznty]

Yeah, strtolower or strtoupper your inputs, that way it will be the same md5 since it will lowercase/capitalise the characters

[Andy-H]

md5 doesn't capitalize strings and I can't see anywhere in your code that takes a user inputted password, only your password generator, which granted, only contains lower case characters. However md5 is case sensitive so will hash A differently to a, therefor comparing two md5 hashed strings will return true if they match case. Are you storing your hash in a database field that is integer type or varchar less than  32 bit?

 

 

Otherwise, I must be missing something obvious in your question because everyone else seems to know what you're talking about...

 

 

 

 

[Andy-H]

Okay, I didnt explain myself good enough.

The password encryption from application is uppercase. I suppose the problem is within application, not the code.

 

Example.

 

md5 Encryption for 'hi' is:

 

49f68a5c8493ec2c0bf489821c21fc3b

 

and from our application it comes as:

 

49F68A5C849EC2C0BF489821C21FC3B

 

So there comes the problem, php does not think its the same PW.

 

P.S Sorry for saying it was PW not the encryption itself

 

 

Sorry my bad, have you checked if your code is calling strtoupper on the variable between md5 hashing it and storing it?

[IamSuchANoob]

How could I implement strcasecmp?

 

function checkPwd($x,$y)
{
    //Checks if strings are empty

    if(empty($x) || empty($y) )
    {
        //Strings were empty
        return false;
    }
    else if(strlen($x) < 4 || strlen($y) < 4)
    {
        //String length too short
        return false;
    }
    else if(strcasecmp($x,$y) != 0)
    {
        //Strings do not match
        return false;
    }
    else
    {
        //Password Determined valid
        return true;

    }
}

This does not work, if the MD5 is uppercase, it says incorrect PW.

[.josh]

well it has since been determined that you're performing a check on the md5 hash, and md5 hashes are case-sensitive.  So you will need to do a strtolower on your md5 hash since it is uppercased in your db for some reason, but ideally, you should be changing your script that uppercases it to begin with, before it goes into the db.