
crypt var


alin19


I'm reading a book on PHP, and when I got to the part about encrypting passwords I tried this:

<html>

<?php
$x=$_POST['nume'];
$x2=$_POST['prenume'];
$x3=$_POST['parola'];
$x4=$_POST['confparola'];

echo $x;
echo " ";
echo $x2;
echo " ";
echo $x3;
echo " ";
echo $x4;
echo " ";

// crypt() called without a salt argument picks a new random salt on every call
$c=crypt($x3);
echo $c;
echo " ";
$d=crypt($x4);
echo $d;

if ($c==$d)
echo "bun";
?>

</html>

 

 

$1$pi5.87..$Gioj06xz2YWzM0/fgqLkW0            $1$vK1.Mf..$3zp/OoUq51QsbcTEwTjsU1

 

My crypt passwords are not the same. How can I verify a password if they are not the same?

 

And one more thing:

They say that ceil() and floor() are the same as round(), except one rounds the number up and the other rounds it down.

But round(4.239,2) //4.24

But ceil and floor can only be used as ceil(3,59) //4

Can you help me?


You need to add the salt argument and use the same salt for each crypt() call.

<?php
$x=$_POST['nume'];
$x2=$_POST['prenume'];
$x3=$_POST['parola'];
$x4=$_POST['confparola'];
$cyrpt_salt = 'blah';
echo $x;
echo " ";
echo $x2;
echo " ";
echo $x3;
echo " ";
echo $x4;
echo " ";

$c=crypt($x3, $cyrpt_salt);
echo $c;
echo " ";
$d=crypt($x3, $cyrpt_salt);
echo $d;

if ($c==$d)
echo "bun";
?>


$cyrpt_salt = 'blah';

 

What does this mean? The encoding pattern (key)?

The salt is basically what the final result is generated from.

 

$c=crypt($x3, $cyrpt_salt);
echo $c;
echo " ";
$d=crypt($x3, $cyrpt_salt);

As you can see, these both use the same salt to generate your 'passwords'.

 

Otherwise, the salt, and thus the values you return would change every time you used it.


It's a secret encryption key that makes it harder to crack. You can change it to whatever you want to. But knowing what default encryption your operating system uses can help you decide how long a salt to use. See crypt().

 

If you don't use a salt it will generate a random key every time it's called, making a totally different hash.
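The two replies above (use the same salt for both crypt() calls; without a salt argument each call picks a fresh random one) are the whole answer to the verification question. The following is an added example, not code from the thread: it stores a password once with a freshly generated salt in the MD5-crypt format that the original poster's output shows ($1$...$), and verifies a login attempt by passing the stored hash back into crypt() as the salt argument. The function names are my own choices; it assumes PHP 7.0 or later for random_int() and hash_equals().

```php
<?php
// Added example (not code from the thread): password storage and verification
// with crypt(). Function names are my own. Assumes PHP 7.0 or later.
declare(strict_types=1);

// Build a salt in the MD5-crypt format "$1$xxxxxxxx$" from a CSPRNG.
// crypt() salts are conventionally drawn from the 64-character set [./0-9A-Za-z].
function makeMd5CryptSalt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

// Registration: hash the password once with a fresh salt and keep the result.
// The scheme id and the salt are embedded in the stored string itself
// (the "$1$xxxxxxxx$" prefix); only the password stays secret.
function storePassword(string $password): string
{
    return crypt($password, makeMd5CryptSalt());
}

// Login: run crypt() again with the *stored hash* as the salt argument.
// crypt() reads the scheme prefix and salt from it, so the candidate is
// hashed under exactly the same parameters and the strings match only if
// the password matches. hash_equals() compares in constant time.
function verifyPassword(string $candidate, string $stored): bool
{
    $recomputed = crypt($candidate, $stored);
    return hash_equals($stored, $recomputed);
}

// Constructed sample run. Compare the two plaintext form fields ("parola" and
// "confparola") before hashing; hashing each of them with its own random salt,
// as in the original post, can never produce equal strings.
$registered = storePassword('parola-de-test');
echo $registered, "\n";
var_dump(verifyPassword('parola-de-test', $registered));
var_dump(verifyPassword('alta-parola', $registered));
```

The MD5-crypt format is used here only because it is the one the thread's output shows; it is a single fast hash with no work factor. On PHP 5.5 or later, password_hash() and password_verify() do the same store-once, re-hash-with-stored-salt dance with bcrypt and a configurable cost, and are what a new application should use.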


And how should I protect this var so it can't be found out? Change the $var name into something like $aoiajdsa215545_;+ ?

 

Make it something loooooooooooooong. Long, with lots of different characters.

E.g.:

~(@$&%TTNB)&#TNWQ%^T*()YN_QTY*Q)NTYQ@#*)(TNT_&Y)^T^#QWTQ#T^UQ*#N(TYT^ BNQ^WT*)QT^BYQ&(%^T#Y%BN#)(TY&#QT&(WNTYG(WN$TY$(W_TNy(q@*_&yn*(_NY89-y*$_wmnwt*n t$w_*(tny*$w)(t$tyw_$(*$wt&w_t*&124U54107FN

 

As you can see, I've made it extremely long, using:

- Letters

- Integers

- Symbols

 

In case of remote inclusion, also make your variable name inconspicuous.

 

Such as $_xkey or something.


You really need to read the manual on crypt(). Standard DES only uses the first 8 characters of text. If you are using this for passwords it is not good unless you get the salt in the correct format so it uses md5.

 

You might just want to use PHP's md5() function; it's a lot simpler.

 

Quoted from a reply found in the PHP manual for the crypt() function:

Since many of you are wondering why when providing salt the characters over the 8th are ignored in the password, I'll clarify it a bit.

 

By default, PHP will try to use the best encryption method available on your system : MD5 or Simple DES.

Usually this is the MD5 method ($1$).

In this case, the salt must look like "$1$xxxxxxxx$", where x are random ASCII characters. When you use MD5 passwords, all characters of the password are encrypted in this 34-character hash.

 

However, if your salt starts with an ASCII character, the system will assume it's a standard DES encrypted password. The main weakness of this system: only the first 8 characters of the password are used.

 

A correct version of the code:

<?php
function makesalt($type=CRYPT_SALT_LENGTH) {
  switch($type) {
    case 8:
      $saltlen=9; $saltprefix='$1$'; $saltsuffix='$'; break;
    case 2:
    default: // by default, fall back on Standard DES (should work everywhere)
      $saltlen=2; $saltprefix=''; $saltsuffix=''; break;
  }
  $salt='';
  while(strlen($salt)<$saltlen) $salt.=chr(rand(64,126));
  return $saltprefix.$salt.$saltsuffix;
}

$salt=makesalt();
$longpassword='fez1c89ez1c98ez4c89z4eqf98ez';

$encrypted = crypt($longpassword, $salt);

// re-hash only the first 8 characters, using the first hash as the salt
$encrypted2 = crypt(substr($longpassword, 0, 8), $encrypted);

if ($encrypted == $encrypted2) {
  echo 'Match: Weak encryption method (Standard DES)';
} else {
  echo 'NoMatch: Strong encryption method (MD5)';
}
?>

 

If you use makesalt(2) you will force usage of the Standard DES method, and the passwords will match. If you just use makesalt() there's a great chance you'll have an MD5 password (I don't know any system used nowadays which does not support MD5 passwords).

 

Finally, do not look at the md5() PHP function if you want an MD5 password; that's not related. UNIX MD5 passwords use a salt, are 34 characters long and start with $1$. The reply from md5() is 32 characters long, and is more suited to file integrity checks (call that a checksum).

 

Some people use sha1() passwords but without salt. Here's my simple sha1crypt function which will work with standard crypt passwords (by calling crypt()) AND a home-made "sha1" encryption method.

 

<?php
// NOTE: This function requires PHP 5.0.0 as we use the "raw output" option of sha1()
function sha1crypt($password, $salt=null) {
  if ( (is_null($salt)) || (strlen($salt)<1) ) {
    $salt='';
    while(strlen($salt)<10) $salt.=chr(rand(64,126));
    $salt='$sha1$'.$salt.'$';
  }
  // string offsets use [] here; the original $salt{0} syntax was removed in PHP 8
  if ($salt[0]!='$') return crypt($password, $salt);
  $tmp=explode('$',$salt);
  if ($tmp[1]!='sha1') return crypt($password, $salt);
  $saltstr=$tmp[2];
  if (strlen($saltstr) != 10) return crypt($password, $salt);
  $encrypt=base64_encode(sha1($saltstr.$password,true));
  return '$sha1$'.$saltstr.'$'.$encrypt;
}

// without salt, sha1crypt() will generate on
$pass=sha1crypt('foobar');
echo $pass."\n";

// pass directly password as salt - different output as password is not the same
echo sha1crypt('foobarbaz',$pass)."\n";

// same password - same output
echo sha1crypt('foobar',$pass)."\n";

// Encrypt using MD5 passwords
echo sha1crypt('foobar','$1$blahblahg$')."\n";
?>

 

will output:

$sha1$oFkYeI|vuu$d3n7D30OnecZSbS6KIbxCch608A=

$sha1$oFkYeI|vuu$iA8KmbCZun1G1gEw2qVr42ELVH4=

$sha1$oFkYeI|vuu$d3n7D30OnecZSbS6KIbxCch608A=

$1$blahblah$/8Hme91aEkHzLaVk0g9EQ0

 

My sha1-encrypted passwords are 45 characters long.

 

Remember to read this too before using SHA1 passwords:

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
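The quoted manual reply explains how the prefix of the salt selects the scheme: no "$" means traditional DES with its 8-character truncation, "$1$" means MD5-crypt, and the "$sha1$" form is the reply's own invention. As an added example (not code from the thread or from the PHP manual reply), here is a small audit helper that classifies stored crypt()-style strings by that prefix so the weak formats can be found in a password table. It goes slightly beyond the thread by also recognising the SHA-256/SHA-512-crypt ("$5$", "$6$") and bcrypt ("$2y$") prefixes that crypt() has supported since PHP 5.3. Function and key names are my own; it assumes PHP 7.0 or later.

```php
<?php
// Added example, not code from the thread or from the PHP manual reply quoted
// above. Function and key names are my own. Assumes PHP 7.0 or later.
declare(strict_types=1);

function classifyHash(string $hash): array
{
    if ($hash === '') {
        return ['scheme' => 'empty', 'salt' => '', 'weak' => true, 'note' => 'no hash stored'];
    }
    // Traditional DES: no '$' prefix, 2-character salt, 13 characters in total,
    // and only the first 8 characters of the password take part.
    if ($hash[0] !== '$') {
        return ['scheme' => 'DES', 'salt' => substr($hash, 0, 2), 'weak' => true,
                'note' => 'password truncated to 8 characters'];
    }
    $parts = explode('$', $hash);          // ['', id, ...]
    $id = $parts[1] ?? '';
    switch ($id) {
        case '1':
            return ['scheme' => 'MD5-crypt', 'salt' => $parts[2] ?? '', 'weak' => true,
                    'note' => 'single fast hash, no work factor'];
        case 'sha1':
            return ['scheme' => 'home-made sha1crypt', 'salt' => $parts[2] ?? '', 'weak' => true,
                    'note' => 'one SHA-1 round; not a scheme crypt() understands'];
        case '5':
        case '6':
            // SHA-256-crypt / SHA-512-crypt: "$5$[rounds=N$]salt$digest", iterated.
            $salt = $parts[2] ?? '';
            if (strpos($salt, 'rounds=') === 0) {
                $salt = $parts[3] ?? '';
            }
            return ['scheme' => $id === '5' ? 'SHA-256-crypt' : 'SHA-512-crypt',
                    'salt' => $salt, 'weak' => false, 'note' => 'iterated'];
        case '2a':
        case '2b':
        case '2y':
            // bcrypt: "$2y$<cost>$<22-char salt><31-char digest>".
            return ['scheme' => 'bcrypt', 'salt' => substr($parts[3] ?? '', 0, 22),
                    'weak' => false, 'note' => 'cost ' . ($parts[2] ?? '?')];
        default:
            return ['scheme' => 'unknown', 'salt' => '', 'weak' => true,
                    'note' => 'unrecognised prefix $' . $id . '$'];
    }
}

// Return only the entries that should be re-hashed, keyed by user name.
function auditHashes(array $rows): array
{
    $findings = [];
    foreach ($rows as $user => $hash) {
        $info = classifyHash($hash);
        if ($info['weak']) {
            $findings[$user] = $info['scheme'] . ': ' . $info['note'];
        }
    }
    return $findings;
}

// Constructed sample table. The first two strings are outputs shown earlier in
// this thread; the other two are generated here so the sample runs anywhere.
$table = [
    'alin'   => '$1$pi5.87..$Gioj06xz2YWzM0/fgqLkW0',
    'foobar' => '$sha1$oFkYeI|vuu$d3n7D30OnecZSbS6KIbxCch608A=',
    'des'    => crypt('parola', 'ab'),
    'modern' => password_hash('parola', PASSWORD_BCRYPT),
];
print_r(auditHashes($table));
```

Running it lists the first three users as candidates for re-hashing on their next successful login (the only moment the plaintext is available), and leaves the bcrypt entry alone. The salt is returned alongside the scheme to make the point the thread circles around: it is stored in the clear as part of the hash and is there to stop identical passwords producing identical hashes, not to act as a secret key.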

 

 
