fresher_06, posted November 3, 2012:

I have written the quick PHP script below to show the basic usage of the CRYPT function:

<?php
function cryptpassword($input) {
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
    //$hash = crypt($input, "\$5\$rounds=50000\${$salt}\$"); // <<<--- AM I SUPPOSED TO USE THIS
    $hash = crypt($input, '$5$rounds=50000${$salt}$'); // <<<--- OR AM I SUPPOSED TO USE THIS
    return $hash;
}
$cryptedpassword = cryptpassword('test123'); // pass the password which you want to encrypt
echo $cryptedpassword;
?>

It returns as below:

$5$rounds=50000${$wnklXJLpO.n6UXPwNPcZmLjSRZP0vOgbqTn3.rIplM4

What is "$5$rounds=50000" doing in the output? If it is needed, do we need to store the whole generated string above in the db, or just the part without "$5$rounds=50000"? Am I doing something wrong here?

Link to comment: https://forums.phpfreaks.com/topic/270233-crypt-function-usage/
requinix, posted November 3, 2012:

I think you may have confused PHP with the ${$salt}$ part but otherwise yes, that's supposed to be there and yes, you do need to store it too. Knowing the number of rounds is not about stronger cryptography but about making it harder for someone to brute-force hashes.
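The generation step the two posts above discuss, written out as an added example (it is not code from the thread). It builds the SHA-256 crypt setting string with single quotes so that no backslash escaping is needed, uses a 16-character salt because that is all SHA-crypt keeps, and then splits the result to show that the algorithm id, the rounds and the salt are part of the value you store. The function names are my own; it assumes PHP 7 or later for random_bytes(), since the mcrypt_create_iv() used in the thread was removed in PHP 7.2.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0 (random_bytes()).

function make_sha256_crypt_hash(string $password, int $rounds = 50000): string
{
    // SHA-256 crypt reads at most 16 salt characters from [./0-9A-Za-z];
    // bin2hex() of 8 random bytes gives exactly 16 hex characters.
    $salt = bin2hex(random_bytes(8));

    // Single quotes keep every "$" literal. This builds the same string as the
    // double-quoted "\$5\$rounds={$rounds}\${$salt}\$" form from the first post.
    $setting = '$5$rounds=' . $rounds . '$' . $salt . '$';

    $hash = crypt($password, $setting);

    // On failure crypt() returns a short marker such as "*0", never a real hash.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() did not produce a SHA-256 crypt hash');
    }
    return $hash;
}

function explain_crypt_string(string $hash): array
{
    // "$5$rounds=50000$<salt>$<digest>" or, with default rounds, "$5$<salt>$<digest>".
    // The digest alphabet contains no "$", so explode() is safe here.
    $parts = explode('$', $hash);          // $parts[0] is '' because the string starts with '$'
    $hasRounds = strpos($parts[2], 'rounds=') === 0;
    return [
        'algorithm' => $parts[1],                          // "5" means SHA-256 crypt
        'rounds'    => $hasRounds ? substr($parts[2], 7) : '5000 (default)',
        'salt'      => $hasRounds ? $parts[3] : $parts[2],
        'digest'    => $hasRounds ? $parts[4] : $parts[3],
    ];
}

// Every part printed here, prefix included, is what goes into the database;
// crypt() needs the prefix back later to recompute the same hash.
$stored = make_sha256_crypt_hash('test123');
echo $stored, "\n";
print_r(explain_crypt_string($stored));
```

The whole returned string is the stored value: on verification crypt() re-reads the algorithm, rounds and salt from that prefix, so stripping "$5$rounds=50000" would leave you unable to recompute the hash.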
fresher_06, posted November 3, 2012 (edited):

Now I am successfully able to generate the crypted string. Now I want that generated string to be compared with user-given input:

<?php
/* This script is used to verify whether the crypt string generated from the
   generatecryptpassword.php script matches the new crypt string of the user
   input password. Ideally the $hash value will come from the db, but we have
   taken it directly from the generatecryptpassword.php script. Also note that
   we need to escape the $ as \$ before comparing */
$user_input = 'test123';
$hash = '$6$rounds=50000$86f50a6ac3d0839a$6oapcEjXqL5FsAS6Uj6LUeUxHhW3dH1/krfFwQYCOzg8qAHlPSu/Cvtq4p5XSzmi8yQ1g9F3/syAEhlVXKbQS1';
$newhash = str_replace('$', '\$', $hash);
echo $newhash . "\n";

/* To verify the hash: */
//$newhash = "\$6\$rounds=50000\$86f50a6ac3d0839a\$6oapcEjXqL5FsAS6Uj6LUeUxHhW3dH1/krfFwQYCOzg8qAHlPSu/Cvtq4p5XSzmi8yQ1g9F3/syAEhlVXKbQS1";
echo crypt($user_input, $newhash) . "\n"; // optional
if (crypt($user_input, $newhash) == $newhash) {
    echo "Password is correct!";
} else {
    echo "Password is invalid";
}
?>

The problem over here is that when I am manually changing '$' to '\$' then things are working perfectly, but when I do it through the str_replace function it doesn't work and the final hash that gets generated is a new one, as below:

##php ./comparecryptedpassword.php
\$6\$rounds=50000\$86f50a6ac3d0839a\$6oapcEjXqL5FsAS6Uj6LUeUxHhW3dH1/krfFwQYCOzg8qAHlPSu/Cvtq4p5XSzmi8yQ1g9F3/syAEhlVXKbQS1
\$0lXFe./5bns   <<-- this should be the original crypted string, but it's some other value
Password is invalid

Any pointers?

Edited November 3, 2012 by fresher_06
requinix, posted November 3, 2012:

You don't have to do anything to the string. If you "need" to escape the $s then there's something wrong. The code should be as simple as

$user_input = 'test123';
$hash = '$6$rounds=50000$86f50a6ac3d0839a$6oapcEjXqL5FsAS6Uj6LUeUxHhW3dH1/krfFwQYCOzg8qAHlPSu/Cvtq4p5XSzmi8yQ1g9F3/syAEhlVXKbQS1';
if (crypt($user_input, $hash) == $hash) {
    // match
} else {
    // no match
}
kicken, posted November 3, 2012:

You don't need to escape the $'s with a slash like you're trying to do. The only time you would need to is if you're writing a string literal using double-quotes (to prevent PHP from thinking they are variables). If you use single-quotes or pull the value from somewhere (database, cookie, variable, file, etc) then you do not need to do anything to it.
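The verification step from the last three posts, as an added example that is not part of the thread. It passes the stored hash to crypt() unchanged, compares with hash_equals() so the comparison runs in constant time, and adds a small helper that reports which algorithm crypt() will pick for a given setting string. That helper is what makes the earlier failure visible: after str_replace() turns "$6$rounds=..." into "\$6\$rounds=...", the prefix no longer matches any of the "$n$" schemes, so crypt() falls back to traditional DES with the first two characters ("\$") as the salt, which is exactly the 13-character "\$0lXFe./5bns" the thread shows. The hash literal is the one posted in the thread; the function names are my own, and the code assumes PHP 7 or later (hash_equals() and the ?? operator).

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0.

// Stored value taken from the thread: SHA-512 crypt ("$6$"), 50000 rounds, 16-char salt.
$stored = '$6$rounds=50000$86f50a6ac3d0839a$6oapcEjXqL5FsAS6Uj6LUeUxHhW3dH1/krfFwQYCOzg8qAHlPSu/Cvtq4p5XSzmi8yQ1g9F3/syAEhlVXKbQS1';

function verify_crypt_password(string $input, string $stored): bool
{
    // The stored hash is handed to crypt() as the "salt" argument exactly as it
    // was stored: crypt() parses algorithm, rounds and salt from its prefix and
    // ignores the trailing digest.
    $recomputed = crypt($input, $stored);

    // Constant-time comparison, so a mismatch takes the same time wherever it occurs.
    return hash_equals($stored, $recomputed);
}

function crypt_algorithm(string $setting): string
{
    // Which scheme crypt() selects is decided purely by the prefix of the setting string.
    if (preg_match('/^\$(1|2[axy]|5|6)\$/', $setting, $m)) {
        $named = ['1' => 'MD5 crypt', '5' => 'SHA-256 crypt', '6' => 'SHA-512 crypt'];
        return $named[$m[1]] ?? 'Blowfish (bcrypt)';
    }
    if ($setting !== '' && $setting[0] === '_') {
        return 'extended DES';
    }
    // Anything unrecognised is treated as traditional DES: the first two
    // characters become the salt and the output is 13 characters long.
    return 'traditional DES with salt "' . substr($setting, 0, 2) . '"';
}

// Correct usage: the stored string is used as-is.
var_dump(verify_crypt_password('test123', $stored));
var_dump(verify_crypt_password('wrong-password', $stored));

// The failure mode from the thread: escaping the "$" changes the prefix crypt() sees.
$escaped = str_replace('$', '\$', $stored);
echo crypt_algorithm($stored), "\n";
echo crypt_algorithm($escaped), "\n";
echo strlen(crypt('test123', $escaped)), " characters from the escaped setting\n";
```

hash_equals() is used instead of == because the comparison of a recomputed hash against the stored one is the one place a timing difference would tell an observer something; otherwise the logic is the one requinix posted.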