thilakan Posted July 15, 2014 Share Posted July 15, 2014 <?php function cryptPass($input, $rounds = 9){ $salt = ""; $saltChars = array_merge(range('A','Z'), range('a','z'), range(0,9)); for($i = 0; $i < 22; $i++){ $salt .= $saltChars[array_rand($saltChars)]; } return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt); } echo $inputPass = "password2"; echo $pass = "password"; $hashedPass = cryptPass($pass); echo $hashedPass; if(crypt($inputPass, $hashedPass) == $hashedPass){ echo "<br /><h1>Password is a match = log user in</h1>"; }else{ echo "<br />Password does not match = do not log in"; } ?> My PHP version 5.2 When I run above code I am getting the password match answer. I should have get error message. Can anyone advise me . Thank you. Quote Link to comment Share on other sites More sharing options...
thilakan Posted July 15, 2014 Author Share Posted July 15, 2014 any one ? Quote Link to comment Share on other sites More sharing options...
jazzman1 Posted July 15, 2014 Share Posted July 15, 2014 What result do you get using the next if/else block? if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){ echo "true"; } else { echo "false"; } Quote Link to comment Share on other sites More sharing options...
thilakan Posted July 15, 2014 Author Share Posted July 15, 2014 The result is false Quote Link to comment Share on other sites More sharing options...
Solution Jacques1 Posted July 15, 2014 Solution Share Posted July 15, 2014 There's a lot wrong with this. First of all, PHP 5.2 is hopelessly outdated. It was abandoned back in 2011 and is full of unfixed bugs. Even worse: The bcrypt implementation of all PHP versions before 5.3.7 is broken. So you cannot use PHP 5.2. If that's all you get from your webhoster, then there's something very wrong with their update policy. Get away from them and get a proper hoster. Secondly, never just copy and paste some code you found somewhere on the Internet. Whoever wrote this implementation clearly doesn't know what she's doing. The salt alphabet is wrong, the salt is not random, and there's no error checking whatsoever. This is badly screwed up. Last but not least, never fumble with cryptography on such a low level. When you call crypt() directly, you're doing it wrong. This function is highly complex and shouldn't be used by anybody but library authors. So: Get a proper webhoster with an up-to-date PHP version. You need at least 5.3.7 to use bcrypt. The current version is in fact 5.5. If you can get PHP 5.5, use the new Password Hashing extension. It offers a nice high-level interface for password hashing and takes care of all the ugly details. If you cannot get PHP 5.5, you need a proper library. Use the password_compat library by Anthony Ferrara. You need to get familiar with error checking, especially when you deal with security code. You can't just call a function and assume that it always runs successfully. What if it fails? You need to check that by looking at the return value. 1 Quote Link to comment Share on other sites More sharing options...
jazzman1 Posted July 15, 2014 Share Posted July 15, 2014 I've done some research on the web and found that the crypt_blowfish function using this hashing algorithm is used in php 5.3.0+. If you insist to use it probably you would need to create a patch for this older php version, which isn't a good idea. Why do you want/need to use this version of php? Quote Link to comment Share on other sites More sharing options...
thilakan Posted July 16, 2014 Author Share Posted July 16, 2014 Thank you jazzman1 & Jacques1 I am godaddy hosting plan and when I check phpinfo, I think I may need a different plan. I am trying to find a way to secure a password. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.