Jump to content

Crypt() Function Usage


Recommended Posts

i have written the below quick php script to show the quick usage of CRYPT Function --



function cryptpassword($input)
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); 
//$hash = crypt($input, "\$5\$rounds=50000\${$salt}\$");   // <<<--- AM I SUPPOSE TO USE THIS
$hash = crypt($input, '$5$rounds=50000${$salt}$');             // <<<---  OR AM I SUPPOSE TO USE THIS
return $hash;

$cryptedpassword = cryptpassword('test123');//pass the password which you want to encrypt

echo $cryptedpassword;



It returns s below --


what "$5$rounds=50000" is doing in the output , if yes then do we need to store the whole above generated string in db or just without the "$5$rounds=50000" part.

Am i doing something wrong here ?

Link to comment
Share on other sites

I think you may have confused PHP with the ${$salt}$ part but otherwise yes, that's supposed to be there and yes, you do need to store it too. Knowing the number of rounds is not about stronger cryptography but about making it harder for someone to brute-force hashes.

Link to comment
Share on other sites

Now I am successfully able to generate the crypted string .. now I want that generated string to be compared with user given input --



/*This script is used to verify whether the  crypt string generated from generatecryptpassword.php script matches with the new crypt string  of the user input password
Ideally $hash value will come from db , but we have  taken it directly from the generatecryptpassword.php script .
Also note that we need to escape the $ as \$ before comparing*/

$user_input= 'test123';
$hash = '$6$rounds=50000$86f50a6ac3d0839a$6oapcEjXqL5FsAS6Uj6LUeUxHhW3dH1/krfFwQYCOzg8qAHlPSu/Cvtq4p5XSzmi8yQ1g9F3/syAEhlVXKbQS1';
$newhash= str_replace('$','\$',$hash);
echo $newhash . "\n"; 
/* To verify the hash: */

echo crypt($user_input, $newhash) . "\n"; //optional

if(crypt($user_input, $newhash) == $newhash)
   echo "Password is correct!";
   echo "Password is invalid";



The problem over here is that when I am manually changing '$' to '\$' then things are working perfectly , but when I doing it through str_replace fn , it doesnt works and the final hash het generated a new one as below ---

##php ./comparecryptedpassword.php
\$0lXFe./5bns <<-- this should be the original crypted string . but its some other value
Password is invalid

any pointers ..

Edited by fresher_06
Link to comment
Share on other sites

You don't have to do anything to the string. If you "need" to escape the $s then there's something wrong.


The code should be as simple as

$user_input = 'test123';
$hash = '$6$rounds=50000$86f50a6ac3d0839a$6oapcEjXqL5FsAS6Uj6LUeUxHhW3dH1/krfFwQYCOzg8qAHlPSu/Cvtq4p5XSzmi8yQ1g9F3/syAEhlVXKbQS1';

if (crypt($user_input, $hash) == $hash) {
    // match
} else {
    // no match

Link to comment
Share on other sites

You don't need to escape the $'s with a slash like you're trying to do.  The only time you would need to is if you're writing a string literal using double-quotes (to prevent PHP from thinking they are varaibles).  If you use single-quotes or pull the value from somewhere (database, cookie, variable, file, etc) then you do not need to do anything to it.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.