Jump to content

Decryption Help


smallc28

Recommended Posts

Hello PHP freak members I learn how to ecrypt my password using the blow fish method but I'm having trouble decypting the password. Is there anyone that can over see the problem that I'm having? 

 

Sample ecrypted password > $2y$09$Q5klufp7bj6iuBA3dHpz5.fLN1sLzeGKE7nuXKunLMKKvE.rZtSTW

Original password > 1234 

 



<?php 
error_reporting(E_ALL & ~E_NOTICE);
session_start();
if(isset ($_SESSION['id'])){
header('location: profile.php');
} else {
if($_POST['submit']){
include "connect_prompt/connect_query.php";
 $email = mysqli_real_escape_string($db_conx,$_POST['email']); 
 $password_one =  $_POST['password_one']; 


///////////////// Blow Fish ///////////////////////////////////


 function cryptPass($input, $rounds = 9){
$salt = "";
$saltChars = array_merge(range('A','Z'),range('a','z'),range(0,9));
for($i = 0; $i < 22; $i++){
$salt .= $saltChars[array_rand($saltChars)];
}
return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
}
$password_one = $_POST['password_one'];
$password = $_POST['password'];
$hashedPass = cryptPass($password);


if(crypt($password_one, $hashedPass) == $hashedPass){




///////////////// Blow Fish ///////////////////////////////////


$sql = "SELECT id, email, password FROM customer WHERE email='$email' AND password='$password_one' LIMIT 1";
$query = mysqli_query ($db_conx, $sql);
if($query){
$row = mysqli_fetch_row($query);
$userID = $row[0];
$db_email = $row[1];
$db_password = $row[2];
}
if($email == $db_email && $password_one == $db_password){
$_SESSION['email'] = $email;
$_SESSION['id'] = $userID;
header("location: profile.php");
} else {
echo "Sorry, Username or Password was incorrect";
}
}
  }
}
?>




<form 
action="login.php" method="POST">
    <input type="email" name="email" id="email" placeholder="  your@email.com" />
    <br/><br/>
    <input type="password" name="password_one" id="password_one" placeholder="  ********" />
    <br/><br/>
    <input type="submit" name="submit" value="SIGN IN" />
</form>

Edited by Zane
Link to comment
Share on other sites

Your terminology is way off. crypt() hashes a password, it has nothing to do with “encryption”. A hash cannot be “decrypted”. And the algorithm you're using is bcrypt, not “Blowfish”.

 

So when you're asking us to “decrypt the password”, this makes absolutely no sense. Besides that, the crypt() code you've appearently copied and pasted from the Internet is insecure and garbage.

 

I suggest you simply throw away the script and start over, this time with the proper password hash API. You should also learn how to use mysqli correctly, particularly how to use prepared statements.

Edited by Jacques1
Link to comment
Share on other sites


<?php

const PASSWORD_MIN_LENGTH = 8;
const PASSWORD_MAX_LENGTH = 56; // bcrypt is limited to 56 bytes of input
const PASSWORD_HASH_ALGORITHM = PASSWORD_BCRYPT;
const PASSWORD_HASH_COST = 10; // the cost factor which determines the hash strength; should be as high as possible



/* test: create a new password hash */

$password = 'g3xoc2YJ';

if (strlen($password) < PASSWORD_MIN_LENGTH)
{
die('Password too short, length must be at least '.PASSWORD_MIN_LENGTH);
}

if (strlen($password) > PASSWORD_MAX_LENGTH)
{
die('Password too long, length can be at most '.PASSWORD_MAX_LENGTH);
}

$passwordHash = password_hash($password, PASSWORD_HASH_ALGORITHM, ['cost' => PASSWORD_HASH_COST]);

echo 'Password hash: '.$passwordHash.'<br>';



/* test: verify password */

if (password_verify($password, $passwordHash))
{
echo 'The password matches the hash.<br>';
}
else
{
echo 'The password does not match the hash.<br>';
}
Link to comment
Share on other sites

The PHP manual is usually a good start, because it has plenty of examples and will warn you when a function is not recommended. There's also the online security book by Padraic Brady, but it only covers some topics (not password hashing) and isn't really meant for beginners.

 

What's important to understand about modern password hash algorithms is that you cannot do a simple string comparison like you would with, say, MD5. The hashes are parameterized with a cost factor and a random “salt”, so to verify a password, you have to load the existing hash into the application, hash the password with the same parameters and then compare the hashes. If you use the above mentioned password hash API, the last two steps are automatically done by the password_verify() function:

// create and execute prepared statement to get the user data
$userStmt = $databaseConnection->prepare('
    SELECT
        id,
        password
    FROM
        customer
    WHERE
        email = :email
');
$userStmt->execute(['email' => $_POST['email']]);
$user = $userStmt->fetch();

if ($user)
{
    if (password_verify($_POST['password'], $user['password']))
    {
        // Everything OK
    }
    else
    {
        // Wrong password
    }
}
else
{
    // Wrong username
}

(The above code uses PDO rather than mysqli; with mysqli, it will be a more complex)

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.