Using uppercase PW check.


IamSuchANoob

Problem - application produces MD5 PWs which are uppercase, code checks lowercase.

Question- How to use uppercase check?

 

function checkPwd($x,$y)
{
    //Checks if strings are empty

    if(empty($x) || empty($y) )
    {
        //Strings were empty
        return false;
    }
    else if(strlen($x) < 4 || strlen($y) < 4)
    {
        //String length too short
        return false;
    }
    else if(strcmp($x,$y) != 0)
    {
        //Strings do not match
        return false;
    }
    else
    {
        //Password Determined valid
        return true;

    }
}

 

Question 2: Do I have to change it anywhere else, like PW generation?

function GenPwd($length = 7)
{
  $password = "";
  $possible = "0123456789bcdfghjkmnpqrstvwxyz"; //no vowels
  
  $i = 0; 
    
  while ($i < $length) { 

    
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
       
    
    if (!strstr($password, $char)) { 
      $password .= $char;
      $i++;
    }

  }

  return $password;

}

function GenKey($length = 7)
{
  $password = "";
  $possible = "0123456789abcdefghijkmnopqrstuvwxyz"; 
  
  $i = 0; 
    
  while ($i < $length) { 

    
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
       
    
    if (!strstr($password, $char)) { 
      $password .= $char;
      $i++;
    }

  }

  return $password;

}

 

Thank you for reading :)

I don't really see anywhere in that code that passwords have to be uppercase. In your first function, everything depends on your two input arguments, and regardless of whether they are uppercase or lowercase, they have to be the same for the function to return true.

If you need to convert something to uppercase though, use the toupper function. Similarly, to convert to lowercase, there is a tolower function.

Awkward. The code simply doesn't recognize the uppercase PWs. I checked in the DB; if I convert the PW to lowercase, everything is OK.

One thing to note though is that case-sensitive passwords are stronger, so ideally you should be matching up how you generate/store them, and making the check case-sensitive.

For example, treating all of these as the same thing makes for less work in trying to crack a password:

aaa
aaA
aAa
aAA
Aaa
AaA
AAa
AAA

Okay, I didn't explain myself well enough.

The password encryption from the application is uppercase. I suppose the problem is within the application, not the code.

Example.

md5 Encryption for 'hi' is:

49f68a5c8493ec2c0bf489821c21fc3b

and from our application it comes as:

49F68A5C849EC2C0BF489821C21FC3B

So there comes the problem, PHP does not think it's the same PW.

P.S. Sorry for saying it was PW not the encryption itself :P

md5 doesn't capitalize strings and I can't see anywhere in your code that takes a user-inputted password, only your password generator, which, granted, only contains lowercase characters. However, md5 is case sensitive so will hash A differently to a, therefore comparing two md5 hashed strings will return true if they match case. Are you storing your hash in a database field that is integer type or varchar less than 32 bit?

Otherwise, I must be missing something obvious in your question because everyone else seems to know what you're talking about...

Sorry my bad, have you checked if your code is calling strtoupper on the variable between md5 hashing it and storing it?

How could I implement strcasecmp?

 

function checkPwd($x,$y)
{
    //Checks if strings are empty

    if(empty($x) || empty($y) )
    {
        //Strings were empty
        return false;
    }
    else if(strlen($x) < 4 || strlen($y) < 4)
    {
        //String length too short
        return false;
    }
    else if(strcasecmp($x,$y) != 0)
    {
        //Strings do not match
        return false;
    }
    else
    {
        //Password Determined valid
        return true;

    }
}

This does not work, if the MD5 is uppercase, it says incorrect PW.

Well, it has since been determined that you're performing a check on the md5 hash, and md5 hashes are case-sensitive. So you will need to do a strtolower on your md5 hash since it is uppercased in your db for some reason, but ideally, you should be changing your script that uppercases it to begin with, before it goes into the db.
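
An added example, not code from the thread: one way to compare hex digests that differ only in letter case, following the strtolower advice above, with a format check and a constant-time comparison. The function names normalizeMd5Hex and checkMd5Hash are hypothetical, and the uppercase digest is constructed with strtoupper to stand in for the application's output.

```php
<?php
// Added example; normalizeMd5Hex() and checkMd5Hash() are hypothetical names.

/**
 * Return the digest in canonical lowercase form, or null when it is not
 * exactly 32 hexadecimal characters (for instance, cut short by a DB column).
 */
function normalizeMd5Hex(string $digest): ?string
{
    $digest = trim($digest);
    if (strlen($digest) !== 32 || !ctype_xdigit($digest)) {
        return null;
    }
    return strtolower($digest);
}

/**
 * Compare a stored digest with a freshly computed one, ignoring hex case.
 * Only the hex spelling is normalised; the password itself stays case-sensitive.
 */
function checkMd5Hash(string $stored, string $computed): bool
{
    $a = normalizeMd5Hex($stored);
    $b = normalizeMd5Hex($computed);
    if ($a === null || $b === null) {
        return false; // malformed digest: refuse rather than guess
    }
    return hash_equals($a, $b); // comparison time does not depend on content
}

// Constructed sample data: the digest of 'hi' as PHP's md5() returns it, and
// the same digest as an application that uppercases its hex output stores it.
$phpDigest = md5('hi');
$appDigest = strtoupper($phpDigest);

// Plain strcmp() sees two different strings for the same 16 bytes.
var_dump(strcmp($appDigest, $phpDigest) === 0);
// The normalising check accepts them as equal.
var_dump(checkMd5Hash($appDigest, $phpDigest));
// A digest with a character missing is rejected by the format check.
var_dump(checkMd5Hash(substr($appDigest, 0, 31), $phpDigest));
// A different password ('Hi' instead of 'hi') still fails.
var_dump(checkMd5Hash($appDigest, md5('Hi')));
```

Storing passwords with password_hash() and checking them with password_verify() avoids hex-case mismatches altogether, since the stored string is never compared by hand.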
