timothyarden Posted December 28, 2012 Share Posted December 28, 2012 Hi Everyone, I just had a few questions about the encryption function crypt(). If I was to do crypt($_POST['password'],CRYPT_BLOWFISH) , assuming I had just sent through a password from the form on the previous page it would return an Blowfish encrypted string. If I then used mysql to write it to my database, how, when the user logs in, would I compare the password that they have entered in the login form to the password in the database. If I compared password to the query result from the database I assume it would return that the strings do not match. My question is how would I go about comparing these two values? Is there a decrypt function that I could use to unencrypt the information from the database so that I could compare the given password with the password in the database? Thanks in advance for any help, advice or ideas! Timothy Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/ Share on other sites More sharing options...
kicken Posted December 28, 2012 Share Posted December 28, 2012 Using crypt() Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401711 Share on other sites More sharing options...
timothyarden Posted December 28, 2012 Author Share Posted December 28, 2012 Thanks for the link kicken. I think I have figured it out. Please correct me if I am wrong. When on signup a user enters a password and my script encrypts it and stores it in the database using crypt($signuppassword,CRYPT_BLOWFISH) to then compare the two I would compare crypt($loginattemptpassword,CRYPT_BLOWFISH) with the $databasepasswordresult for that user and if true log in else fail. Please advise me of whether this is correct. Thanks heaps! Timothy Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401713 Share on other sites More sharing options...
Muddy_Funster Posted December 28, 2012 Share Posted December 28, 2012 the script in my sig uses a combination of blowfish and whirlpool - whirlpool to generate the salt and blowfish to generate the final encryption. using it as an example, you would run the form input through it and store the returned value in the database at signup, and then run the form value through it and compare the returned value against the value in the database on login. Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401766 Share on other sites More sharing options...
kicken Posted December 28, 2012 Share Posted December 28, 2012 ... stores it in the database using crypt($signuppassword,CRYPT_BLOWFISH) CRYPT_BLOWFISH is a constant that will indicate if the blowfish algorithm is available for use or not. It is not something you pass into the crypt() function. You have to generate a specific salt string for the second parameter, and the format of that string indicates which algorithm you want to use. For blowfish that salt string needs to be in the format of: ..."$2a$", "$2x$" or "$2y$", [followed by] a two digit cost parameter, [followed by] "$", [followed by] 22 digits from the alphabet "./0-9A-Za-z". EG: $2y$19$abcdefghij1234567890ab Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401771 Share on other sites More sharing options...
cpd Posted December 28, 2012 Share Posted December 28, 2012 the script in my sig uses a combination of blowfish and whirlpool - whirlpool to generate the salt and blowfish to generate the final encryption. using it as an example, you would run the form input through it and store the returned value in the database at signup, and then run the form value through it and compare the returned value against the value in the database on login. Your signature password hash seems pretty solid but I don't know why you haven't forced the parameter; that seems like a flaw to me. Out of curiosity why do you lop of the first 12 characters from the final string? Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401794 Share on other sites More sharing options...
Muddy_Funster Posted December 28, 2012 Share Posted December 28, 2012 Your signature password hash seems pretty solid but I don't know why you haven't forced the parameter; that seems like a flaw to me. Out of curiosity why do you lop of the first 12 characters from the final string? I take a substing out of habbit, as I don't like to have the salt anywhere in the final stored hash (I don't think it's a concern with blowfish, but other algorithms I have used in the past did attach the raw salt to the hash). The param is not forced because I had to bulk set a generic password when I wrote this the first time and had a string set in there for it, I elected to remove the string but leave the empty set option so that if anyone wants to lift the code and try it out they can just echo the result with minimum effort. I only put it up to try to encourage people to use something a bit stronger than md5() and show how easy it can be. I would like to think that anyone taking it would change the cost and substring returned to something a bit more personal. Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401817 Share on other sites More sharing options...
timothyarden Posted December 28, 2012 Author Share Posted December 28, 2012 (edited) CRYPT_BLOWFISH is a constant that will indicate if the blowfish algorithm is available for use or not. It is not something you pass into the crypt() function. You have to generate a specific salt string for the second parameter, and the format of that string indicates which algorithm you want to use. For blowfish that salt string needs to be in the format of: EG: $2y$19$abcdefghij1234567890ab Okay, but I think that you can do it either way: either crypt($password,CRYPT_BLOWFISH); //or crypt($password,'$2a$'.$twodigitcostparameter.'$'.$22lettersalt); When I did the first I ran crypt('hello world',CRYPT_BLOWFISH); it returned: 1$uOkE54mmKc Thats why I think you can do it either way. Thanks for your help Muddy Funster, Ill look at your code using whirpool and crypt and try to do something similar. Thanks for everyone's help! Timothy Edited December 28, 2012 by timothyarden Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401894 Share on other sites More sharing options...
kicken Posted December 28, 2012 Share Posted December 28, 2012 Okay, but I think that you can do it either way: either No, you can't do it either way. Using CRYPT_BLOWFISH as the salt parameter results in an invalid salt value since it doesn't match any of the specified algorithm salts. What happens in the case of an invalid salt is crypt() uses some default settings which is dependent on the platform PHP is running on (ie, not portable and will likely break if you move from one system to another). If you want to use a specific algorithm such as blowfish, you have to give it the proper salt value in the correct format for it to work. Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401920 Share on other sites More sharing options...
timothyarden Posted December 29, 2012 Author Share Posted December 29, 2012 Okay, thanks for explaining. Timothy Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401921 Share on other sites More sharing options...
cpd Posted December 29, 2012 Share Posted December 29, 2012 No you can't. Read the php.net website where I think you'll find your use of blow_fish is causing crypt to fail and return a salt. Quote Link to comment https://forums.phpfreaks.com/topic/272437-crypt-understanding-encrypting-using-this-function/#findComment-1401923 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.