RobertP, posted November 20, 2012

Catchy title? Well, that is exactly my problem. I have 2 methods inside my 'Member' class (code below). As you can see, I am not getting the expected results from 'crypt'. What started this problem was that I switched my development PC's operating system from Win7 to Ubuntu 14, and there were a few small case-sensitivity issues I had to fix while moving my site. However, this is a security issue that was allowing anyone to log in using the wrong password, that is, before I added the 'if(strlen($newPassword)!=60)' check. If anyone else has seen this issue, please let me know how you solved it.

```php
public function setPassword($password)
{
    // Salt length as originally posted (8 characters); see the follow-up posts.
    $salt = Util::generateRndStr(8);
    $newPassword = self::encrypt($password, $salt);

    // Debug output used while tracking the problem down.
    echo 'pass=' . $password . '<br />';
    echo 'salt=' . $salt . '<br />';
    echo 'ePas=' . $newPassword . '<br />';

    // A bcrypt hash from crypt() is always 60 characters; anything else is a failure.
    if (strlen($newPassword) != 60) {
        trigger_error('Internal issue with Member::encrypt.', E_USER_WARNING);
        return false;
    }

    $statement = $this->connection->prepare(
        'UPDATE members SET passwrd = ?, sal_t = ? WHERE id = ? LIMIT 1;'
    );
    $id = $this->get('id');
    $statement->bindParam(1, $newPassword, PDO::PARAM_STR);
    $statement->bindParam(2, $salt, PDO::PARAM_STR);
    $statement->bindParam(3, $id, PDO::PARAM_INT);
    $statement->execute();
    return $statement->rowCount() == 1;
}

public static function encrypt($string, $salt)
{
    // Setting string passed to crypt(): bcrypt identifier, cost 10, then the salt.
    return crypt($string, '$2y$10$' . $salt . '$');
}
```

Thread: https://forums.phpfreaks.com/topic/270929-linux-cryptography-problem/
Christian F., posted November 20, 2012

There are two possible causes:

"Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 digits from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string." (My emphasis.)

"...developers targeting only PHP 5.3.7 and later should use "$2y$"..."

Well... The PHP manual outlines a couple more, but the two above are the most likely ones from the little info you've provided us with so far. Without knowing exactly what Util::generateRndStr() does, all we can do is speculate. So if the two quotes above aren't of any help, please post the contents of that function as well.
RobertP (author), posted November 20, 2012 (edited)

Terribly sorry, here is the requested method.

```php
public static function generateRndStr($length, $type = 0)
{
    if ($length < 1) {
        return null;
    }

    // Pick the character set for the requested string type.
    switch ($type) {
        case 1: // captcha.
            $possible = '23456789bcdfghjkmnpqrstvwxyz';
            break;
        case 2: // sessions.
            $possible = 'abcdefghijklmnopqrstuvwxyz0123456789';
            break;
        default: // all.
            $possible = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    }

    // Build the string one random character at a time.
    $str = '';
    for ($i = 0; $i < $length; $i++) {
        $str .= substr($possible, mt_rand(0, strlen($possible) - 1), 1);
    }
    return $str;
}
```

These are my results during testing, just so everyone can see the problem outright:

    pass=1234
    salt=tvFvbjGG
    ePas=$2y$10$tvFvbjGG$

Edited November 20, 2012 by RobertP
Christian F., posted November 20, 2012

I refer to the added emphasis in my first quote.
RobertP (author), posted November 20, 2012 (edited)

Quoting Christian F.: "I refer to the added emphasis in my first quote."

Thank you, I have noticed that my salt was a little too small. Not sure how it changed from 21 to 8.. but that fixed my problem.

Fix:

```php
public function setPassword($password)
{
    // Salt length raised from 8 to 21 characters.
    $salt = Util::generateRndStr(21);
    $newPassword = self::encrypt($password, $salt);

    // A bcrypt hash from crypt() is always 60 characters; anything else is a failure.
    if (strlen($newPassword) != 60) {
        trigger_error('Internal issue with Member::encrypt.', E_USER_WARNING);
        return false;
    }

    $statement = $this->connection->prepare(
        'UPDATE members SET passwrd = ?, sal_t = ? WHERE id = ? LIMIT 1;'
    );
    $id = $this->get('id');
    $statement->bindParam(1, $newPassword, PDO::PARAM_STR);
    $statement->bindParam(2, $salt, PDO::PARAM_STR);
    $statement->bindParam(3, $id, PDO::PARAM_INT);
    $statement->execute();
    return $statement->rowCount() == 1;
}
```

Edited November 20, 2012 by RobertP
Christian F., posted November 20, 2012

21..? You should still be missing one digit. Glad to hear that it works though.
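The thread's root cause is that crypt() is handed a setting string it cannot parse (an 8-character salt plus a trailing "$"), and the caller then stores whatever comes back. The example below is added here and is not code from the thread or from RobertP's site; it illustrates the salt format Christian F. quoted from the PHP manual (a $2y$ prefix, a two-digit cost, "$", then exactly 22 characters from "./0-9A-Za-z") and the checks a caller should make before trusting the output. The function names bcryptSalt, bcryptHash and bcryptVerify are my own, the salt is drawn from random_int() (PHP 7 or later, assumed) rather than mt_rand(), and verification uses hash_equals() (PHP 5.6 or later). On PHP 5.5 or later, password_hash() and password_verify() do all of this for you and are the better choice.

```php
<?php
// Added example (not the thread's code). Assumes PHP 7+ for random_int().

// Generate a salt of exactly $length characters from bcrypt's 64-character
// "./0-9A-Za-z" alphabet, using a cryptographically secure random source.
function bcryptSalt($length = 22)
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return $salt;
}

// Hash $password with a $2y$ setting string. Returns false rather than a
// malformed value if the salt is unusable or crypt() did not produce a full
// 60-character bcrypt hash.
function bcryptHash($password, $salt, $cost = 10)
{
    if (!preg_match('#^[./0-9A-Za-z]{22}$#', $salt)) {
        return false;                 // crypt() would reject this salt
    }
    $prefix  = sprintf('$2y$%02d$', $cost);   // e.g. "$2y$10$", no trailing '$' after the salt
    $hash    = crypt($password, $prefix . $salt);
    // On failure crypt() returns a short string such as '*0'; a good hash is
    // 60 characters and starts with the prefix we supplied. (The 22nd salt
    // character is canonicalised by bcrypt, so only the prefix is compared.)
    if (strlen($hash) !== 60 || strpos($hash, $prefix) !== 0) {
        return false;
    }
    return $hash;
}

// Verify by re-running crypt() with the stored hash as the setting string and
// comparing the result in constant time.
function bcryptVerify($password, $storedHash)
{
    $rehash = crypt($password, $storedHash);
    return strlen($rehash) === 60 && hash_equals($storedHash, $rehash);
}

// Demonstration: the setting string from the thread versus a well-formed one.
$bad = crypt('1234', '$2y$10$tvFvbjGG$');
echo 'short salt  -> ', var_export($bad, true), PHP_EOL;   // not a usable hash

$salt = bcryptSalt();
$hash = bcryptHash('1234', $salt);
echo 'valid salt  -> ', $hash, PHP_EOL;                    // 60 chars, begins with $2y$10$
var_dump(bcryptVerify('1234', $hash));    // bool(true)
var_dump(bcryptVerify('wrong', $hash));   // bool(false)
```

Two details matter for the login bug described in the first post. First, the salt check happens before crypt() is called, so a short or out-of-alphabet salt can never reach the database. Second, the 60-character length check alone is not enough: the hash must also begin with the $2y$ prefix that was requested, otherwise a value that merely happens to be 60 characters long would be accepted. Storing the full hash (which already contains the salt) removes the need for a separate salt column.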