smallc28 Posted August 2, 2016

Hello PHP Freaks members, I learned how to encrypt my password using the Blowfish method but I'm having trouble decrypting the password. Is there anyone that can oversee the problem that I'm having?

Sample encrypted password > $2y$09$Q5klufp7bj6iuBA3dHpz5.fLN1sLzeGKE7nuXKunLMKKvE.rZtSTW

Original password > 1234

```php
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();

if (isset($_SESSION['id'])) {
    header('location: profile.php');
} else {
    if ($_POST['submit']) {
        include "connect_prompt/connect_query.php";
        $email = mysqli_real_escape_string($db_conx, $_POST['email']);
        $password_one = $_POST['password_one'];

        ///////////////// Blow Fish ///////////////////////////////////
        function cryptPass($input, $rounds = 9) {
            $salt = "";
            // array_rand() is not a cryptographically secure source of randomness
            $saltChars = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));
            for ($i = 0; $i < 22; $i++) {
                $salt .= $saltChars[array_rand($saltChars)];
            }
            return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
        }

        $password_one = $_POST['password_one'];
        $password = $_POST['password']; // the form below has no field named "password"
        $hashedPass = cryptPass($password);
        // compares the submitted password against a hash that was just created, not against the stored one
        if (crypt($password_one, $hashedPass) == $hashedPass) {
            ///////////////// Blow Fish ///////////////////////////////////
            // $password_one goes into the query unescaped and is matched against the column as plain text
            $sql = "SELECT id, email, password FROM customer WHERE email='$email' AND password='$password_one' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
            if ($query) {
                $row = mysqli_fetch_row($query);
                $userID = $row[0];
                $db_email = $row[1];
                $db_password = $row[2];
            }
            if ($email == $db_email && $password_one == $db_password) {
                $_SESSION['email'] = $email;
                $_SESSION['id'] = $userID;
                header("location: profile.php");
            } else {
                echo "Sorry, Username or Password was incorrect";
            }
        }
    }
}
?>
<form action="login.php" method="POST">
    <input type="email" name="email" id="email" placeholder=" your@email.com" />
    <br/><br/>
    <input type="password" name="password_one" id="password_one" placeholder=" ********" />
    <br/><br/>
    <input type="submit" name="submit" value="SIGN IN" />
</form>
```
Jacques1 Posted August 2, 2016

Your terminology is way off. crypt() hashes a password, it has nothing to do with “encryption”. A hash cannot be “decrypted”. And the algorithm you're using is bcrypt, not “Blowfish”. So when you're asking us to “decrypt the password”, this makes absolutely no sense.

Besides that, the crypt() code you've apparently copied and pasted from the Internet is insecure and garbage. I suggest you simply throw away the script and start over, this time with the proper password hash API.

You should also learn how to use mysqli correctly, particularly how to use prepared statements.
Jacques1 Posted August 2, 2016

```php
<?php

const PASSWORD_MIN_LENGTH = 8;
const PASSWORD_MAX_LENGTH = 56; // bcrypt is limited to 56 bytes of input
const PASSWORD_HASH_ALGORITHM = PASSWORD_BCRYPT;
const PASSWORD_HASH_COST = 10; // the cost factor which determines the hash strength; should be as high as possible

/* test: create a new password hash */
$password = 'g3xoc2YJ';

if (strlen($password) < PASSWORD_MIN_LENGTH) {
    die('Password too short, length must be at least ' . PASSWORD_MIN_LENGTH);
}
if (strlen($password) > PASSWORD_MAX_LENGTH) {
    die('Password too long, length can be at most ' . PASSWORD_MAX_LENGTH);
}

$passwordHash = password_hash($password, PASSWORD_HASH_ALGORITHM, ['cost' => PASSWORD_HASH_COST]);
echo 'Password hash: ' . $passwordHash . '<br>';

/* test: verify password */
if (password_verify($password, $passwordHash)) {
    echo 'The password matches the hash.<br>';
} else {
    echo 'The password does not match the hash.<br>';
}
```
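As an added illustration (not code from this thread), here is what the 60-character string returned by password_hash() is made of, and why checking a password means re-hashing rather than decrypting. The example takes the hash and the password the original poster quoted, splits the string into identifier, cost, salt and digest, and rebuilds the hash with crypt() the way password_verify() does internally. The helper names bcryptParts() and verifyByRehash() are my own.

```php
<?php
// Added example: anatomy of a bcrypt string and verification by re-hashing.
// SAMPLE_HASH and SAMPLE_PASSWORD are the values quoted in the first post.
declare(strict_types=1);

const SAMPLE_HASH = '$2y$09$Q5klufp7bj6iuBA3dHpz5.fLN1sLzeGKE7nuXKunLMKKvE.rZtSTW';
const SAMPLE_PASSWORD = '1234';

/**
 * Split a bcrypt ("$2y$") string into its parts. The layout is fixed:
 *   "$2y$" | 2-digit cost | "$" | 22-char salt | 31-char digest  (60 chars in total)
 */
function bcryptParts(string $hash): array
{
    if (strlen($hash) !== 60 || !preg_match('/^\$2[aby]\$(\d{2})\$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'identifier' => substr($hash, 0, 4),    // "$2y$"
        'cost'       => (int) $m[1],           // work factor: 2^cost key-setup rounds
        'salt'       => substr($hash, 7, 22),  // random per-hash salt, stored in the clear
        'digest'     => substr($hash, 29, 31), // the actual hash output
    ];
}

/**
 * What password_verify() does: feed the stored string back into crypt(),
 * which reads identifier, cost and salt from its first 29 characters,
 * then compare the result in constant time (never with == or ===).
 */
function verifyByRehash(string $password, string $storedHash): bool
{
    $recomputed = crypt($password, $storedHash);
    return hash_equals($storedHash, $recomputed);
}

$parts = bcryptParts(SAMPLE_HASH);
printf("cost=%d salt=%s digest=%s\n", $parts['cost'], $parts['salt'], $parts['digest']);

// password_get_info() reports the same parameters without any parsing on our side.
$info = password_get_info(SAMPLE_HASH);
printf("algorithm=%s cost=%d\n", $info['algoName'], $info['options']['cost']);

// Re-hashing with the stored parameters reproduces the stored string when the
// password is right (true here if the quoted hash really was made from "1234").
var_dump(verifyByRehash(SAMPLE_PASSWORD, SAMPLE_HASH));
var_dump(password_verify(SAMPLE_PASSWORD, SAMPLE_HASH)); // same check through the API
var_dump(verifyByRehash('12345', SAMPLE_HASH));          // a different password

// Hashing the same password again yields a different string, because
// password_hash() draws a fresh random salt every time; both still verify.
$fresh = password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT, ['cost' => 9]);
var_dump($fresh === SAMPLE_HASH);
var_dump(password_verify(SAMPLE_PASSWORD, $fresh));
```

The last two calls are the point: two hashes of the same password never compare equal as strings, so the only workable check is to load the stored hash, let crypt() or password_verify() re-derive the cost and salt from it, and compare the recomputed value. Nothing in the string is reversible; the 31-character digest is the output of the key-setup loop, not the password in any encoded form.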
smallc28 Posted August 4, 2016

Where can I learn more about this? I'm good at programming things but not so great at security. This is just practice for me, that's why it lacks security, but thanks.
Jacques1 Posted August 4, 2016

The PHP manual is usually a good start, because it has plenty of examples and will warn you when a function is not recommended. There's also the online security book by Padraic Brady, but it only covers some topics (not password hashing) and isn't really meant for beginners.

What's important to understand about modern password hash algorithms is that you cannot do a simple string comparison like you would with, say, MD5. The hashes are parameterized with a cost factor and a random “salt”, so to verify a password, you have to load the existing hash into the application, hash the password with the same parameters and then compare the hashes. If you use the above mentioned password hash API, the last two steps are automatically done by the password_verify() function:

```php
// create and execute prepared statement to get the user data
$userStmt = $databaseConnection->prepare('
    SELECT
        id,
        password
    FROM
        customer
    WHERE
        email = :email
');
$userStmt->execute(['email' => $_POST['email']]);
$user = $userStmt->fetch();

if ($user) {
    if (password_verify($_POST['password'], $user['password'])) {
        // Everything OK
    } else {
        // Wrong password
    }
} else {
    // Wrong username
}
```

(The above code uses PDO rather than mysqli; with mysqli, it will be more complex.)
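Since the original poster is on mysqli, here is the same login written for mysqli prepared statements, together with the registration step that produces the stored hash in the first place. This is an added example, not code from the thread or from the poster's project. It assumes the `customer` table from the poster's query (columns `id`, `email`, `password`), a `password` column wide enough for a 60-character bcrypt string (VARCHAR(255) is the usual choice), the mysqlnd driver (for `get_result()`), and placeholder connection details in connect(). The function names registerCustomer() and authenticate() are my own.

```php
<?php
// Added example: registration and login with mysqli prepared statements and the
// password hash API. Connection parameters below are placeholders, not real values.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of returning false

const HASH_ALGORITHM = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 10];

function connect(): mysqli
{
    $db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    $db->set_charset('utf8mb4');
    return $db;
}

/** Store a new customer. Only the hash is ever written to the database. */
function registerCustomer(mysqli $db, string $email, string $password): int
{
    if (strlen($password) < 8 || strlen($password) > 72) { // bcrypt ignores bytes beyond 72
        throw new InvalidArgumentException('password must be 8 to 72 bytes');
    }
    $hash = password_hash($password, HASH_ALGORITHM, HASH_OPTIONS);

    $stmt = $db->prepare('INSERT INTO customer (email, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash); // values are bound, never interpolated into the SQL
    $stmt->execute();
    return (int) $db->insert_id;
}

/**
 * Check a login attempt. Returns the customer id on success, null otherwise.
 * The stored hash is loaded first; password_verify() then re-hashes the submitted
 * password with that hash's own cost and salt and compares in constant time.
 */
function authenticate(mysqli $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM customer WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null) {
        // Unknown email: still do one hash computation so the response time does
        // not reveal whether the address exists. The dummy hash is built once per process.
        static $dummyHash = null;
        $dummyHash ??= password_hash('placeholder-not-a-real-password', HASH_ALGORITHM, HASH_OPTIONS);
        password_verify($password, $dummyHash);
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Transparently upgrade the stored hash when the cost or algorithm is raised later.
    if (password_needs_rehash($row['password'], HASH_ALGORITHM, HASH_OPTIONS)) {
        $newHash = password_hash($password, HASH_ALGORITHM, HASH_OPTIONS);
        $upd = $db->prepare('UPDATE customer SET password = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $row['id']);
        $upd->execute();
    }
    return (int) $row['id'];
}

// Request handling, kept close to the shape of the poster's login.php
session_start();
if (isset($_POST['email'], $_POST['password_one'])) {
    $db = connect();
    $userId = authenticate($db, (string) $_POST['email'], (string) $_POST['password_one']);
    if ($userId !== null) {
        session_regenerate_id(true); // fresh session id after login
        $_SESSION['id'] = $userId;
        header('Location: profile.php');
        exit;
    }
    echo 'Sorry, Username or Password was incorrect';
}
```

Two differences from the poster's script are worth noting: the query never contains user input (the email is a bound parameter, and the password is not part of the query at all, since the comparison happens in password_verify() after the row is loaded), and the error message is the same for an unknown email and a wrong password. Without mysqlnd, replace `get_result()->fetch_assoc()` with `$stmt->bind_result($id, $storedHash); $stmt->fetch();` and use those variables instead of `$row`.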