alin19 Posted January 11, 2008

I'm reading a book on PHP, and when I got to the part about encrypting passwords I tried this:

<html>
<?php
$x=$_POST['nume'];
$x2=$_POST['prenume'];
$x3=$_POST['parola'];
$x4=$_POST['confparola'];
echo $x; echo " ";
echo $x2; echo " ";
echo $x3; echo " ";
echo $x4; echo " ";
$c=crypt($x3);
echo $c; echo " ";
$d=crypt($x4);
echo $d;
if ($c==$d) echo "bun";
?>
</html>

$1$pi5.87..$Gioj06xz2YWzM0/fgqLkW0
$1$vK1.Mf..$3zp/OoUq51QsbcTEwTjsU1

My crypt() passwords are not the same; how can I verify a password if they are not the same?

And one more thing: they say that ceil() and floor() are the same as round(), except that one rounds the number up and the other rounds it down, but round(4.239, 2) // 4.24 works while ceil() and floor() can only be used as ceil(3.59) // 4. Can you help me?
Daukan Posted January 11, 2008

You need to add the salt argument and use the same salt for each crypt() call.

<?php
$x=$_POST['nume'];
$x2=$_POST['prenume'];
$x3=$_POST['parola'];
$x4=$_POST['confparola'];
$cyrpt_salt = 'blah';
echo $x; echo " ";
echo $x2; echo " ";
echo $x3; echo " ";
echo $x4; echo " ";
$c=crypt($x3, $cyrpt_salt);
echo $c; echo " ";
// compare the confirmation field, hashed with the same salt
$d=crypt($x4, $cyrpt_salt);
echo $d;
if ($c==$d) echo "bun";
?>
alin19 Posted January 11, 2008 (Author)

$cyrpt_salt = 'blah';

What does this mean? The codification pattern (key)?
twostars Posted January 11, 2008

> $cyrpt_salt = 'blah';
> What does this mean? The codification pattern (key)?

The salt is basically what the final result is generated from.

$c=crypt($x3, $cyrpt_salt);
echo $c; echo " ";
$d=crypt($x4, $cyrpt_salt);

As you can see, these both use the same salt to generate your 'passwords'. Otherwise the salt, and thus the values you get back, would change every time you used it.
alin19 Posted January 11, 2008 (Author)

Aha, I get it now.
Daukan Posted January 11, 2008

It's a secret encryption key that makes it harder to crack. You can change it to whatever you want. But knowing what default encryption your operating system uses can help you decide how long a salt to use. See crypt(). If you don't use a salt it will generate a random key every time it's called, making a totally different hash.
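The verification step the thread is circling around, as an added example that is not code from the thread: crypt() writes the salt it used into the front of its output (the $1$pi5.87..$ prefix in the first post), so the stored hash can be handed back to crypt() as the salt argument and the password re-derived for comparison. No shared, hard-coded salt is needed, and each user gets a random one. The function names (makeHash, checkPassword, register) are this example's own; it assumes PHP 7.1 or newer for random_bytes(), hash_equals() and the type declarations.

```php
<?php
// Added example: per-user random salt and crypt()-based verification.
// Not from the thread; assumes PHP >= 7.1. Function names are this example's own.

// Build an MD5-crypt hash ("$1$" + 8 salt chars + "$" + digest), the format the
// first post's output already uses, with a fresh random salt on every call.
function makeHash(string $password): string
{
    // crypt() salts traditionally use the 64-character set [./0-9A-Za-z];
    // 256 % 64 == 0, so taking each random byte modulo 64 introduces no bias.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(random_bytes(8)) as $byte) {
        $salt .= $alphabet[ord($byte) % 64];
    }
    return crypt($password, '$1$' . $salt . '$');
}

// Re-derive the hash from a login attempt. Passing the stored hash as the
// "salt" argument makes crypt() pick up the original salt and scheme, so the
// same password yields the same string. hash_equals() compares in constant time.
function checkPassword(string $candidate, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($candidate, $storedHash));
}

// Registration, mirroring the form fields of the first post. The two plaintext
// fields are compared directly: hashing each with its own random salt, as the
// original code did, can never produce equal strings.
function register(string $parola, string $confparola): ?string
{
    if ($parola !== $confparola) {
        return null;            // "parola" and "confparola" differ
    }
    return makeHash($parola);   // persist this string only, never the password
}

// Constructed demo input (not real credentials).
$stored = register('secret123', 'secret123');
echo $stored, "\n";

echo checkPassword('secret123', $stored) ? "login ok\n" : "login failed\n";
echo checkPassword('secret124', $stored) ? "login ok\n" : "login failed\n";

// The same password registered twice gets two different salts and therefore
// two different hashes, which is exactly what the first post observed.
echo makeHash('secret123') === makeHash('secret123') ? "same\n" : "different\n";

// A mismatched confirmation is caught before anything is hashed.
echo register('secret123', 'secret124') === null ? "confirmation mismatch\n" : "registered\n";
```

Because the salt travels inside the stored hash, it does not have to be kept secret or hidden in an oddly named variable; what matters is that it is random and different for every user. On PHP 5.5 and later the same pattern is packaged as password_hash() and password_verify(), which should be preferred for new code.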
alin19 Posted January 11, 2008 (Author)

And how should I protect this var so it can't be found out? Change the $var name into something like this: $aoiajdsa215545_;+ ?
twostars Posted January 11, 2008

> And how should I protect this var so it can't be found out? Change the $var name into something like this: $aoiajdsa215545_;+ ?

Make it something loooooooooooooong. Long, with lots of different characters. E.g.:

~(@$&%TTNB)&#TNWQ%^T*()YN_QTY*Q)NTYQ@#*)(TNT_&Y)^T^#QWTQ#T^UQ*#N(TYT^ BNQ^WT*)QT^BYQ&(%^T#Y%BN#)(TY&#QT&(WNTYG(WN$TY$(W_TNy(q@*_&yn*(_NY89-y*$_wmnwt*n t$w_*(tny*$w)(t$tyw_$(*$wt&w_t*&124U54107FN

As you can see, I've made it extremely long, using:
- Letters
- Integers
- Symbols

In case of remote inclusion, also make your variable name inconspicuous, such as $_xkey or something.
alin19 Posted January 11, 2008 (Author)

I see that if I use gfe3wq2egadf4wqsad32q or gfe3wq2egadf4wqsad32qd21ewejhsdh2iu3jdi32w8e21jjw I get the same crypted value; how many of these letters are used in the encryption? Only the first 4-5, as far as I saw.
Daukan Posted January 11, 2008

You really need to read the manual on crypt(). Standard DES only uses the first 8 characters of text. If you are using this for passwords it is not good unless you get the salt in the correct format so it uses MD5. You might just want to use PHP's md5() function, it's a lot simpler.

Quoted from a reply found in the PHP manual for the crypt() function:

Since many of you are wondering why, when providing a salt, the characters over the 8th are ignored in the password, I'll clarify it a bit.

By default, PHP will try to use the best encryption method available on your system: MD5 or Simple DES. Usually this is the MD5 method ($1$). In this case, the salt must look like "$1$xxxxxxxx$" where x are random ASCII characters. When you use MD5 passwords, all characters of the password are encrypted in this 34-character hash.

However, if your salt starts with an ASCII character, the system will assume it's a standard DES encrypted password. The main weakness of this system: only the first 8 characters of the password are used.

A correct version of the code:

<?php
function makesalt($type=CRYPT_SALT_LENGTH) {
    switch($type) {
        case 8:
            $saltlen=9;
            $saltprefix='$1$';
            $saltsuffix='$';
            break;
        case 2:
        default:
            // by default, fall back on Standard DES (should work everywhere)
            $saltlen=2;
            $saltprefix='';
            $saltsuffix='';
            break;
    }
    $salt='';
    while(strlen($salt)<$saltlen) $salt.=chr(rand(64,126));
    return $saltprefix.$salt.$saltsuffix;
}

$salt=makesalt();
$longpassword='fez1c89ez1c98ez4c89z4eqf98ez';
$encrypted = crypt($longpassword, $salt);
// hash only the first 8 characters, reusing the salt embedded in $encrypted
$encrypted2 = crypt(substr($longpassword, 0, 8), $encrypted);
if ($encrypted == $encrypted2) {
    echo 'Match: Weak encryption method (Standard DES)';
} else {
    echo 'NoMatch: Strong encryption method (MD5)';
}
?>

If you use makesalt(2) you will force usage of the Standard DES method, and the passwords will match.

If you just use makesalt() there's a great chance you'll have an MD5 password (I don't know any system used nowadays which does not support MD5 passwords).

Finally, do not look at the md5() PHP function if you want an MD5 password, that's not related. UNIX MD5 passwords use a salt, are 34 characters long and start with $1$. The reply from md5() is 32 characters long, and is more adapted for file integrity checks (call that a checksum).

Some people use sha1() passwords but without salt. Here's my simple sha1crypt function which will work with standard crypt passwords (by calling crypt()) AND a home-made "sha1" encryption method.

<?php
// NOTE: This function requires PHP 5.0.0 as we use the "raw output" option of sha1()
function sha1crypt($password, $salt=null) {
    if ( (is_null($salt)) || (strlen($salt)<1) ) {
        $salt='';
        while(strlen($salt)<10) $salt.=chr(rand(64,126));
        $salt='$sha1$'.$salt.'$';
    }
    if ($salt[0]!='$') return crypt($password, $salt);
    $tmp=explode('$',$salt);
    if ($tmp[1]!='sha1') return crypt($password, $salt);
    $saltstr=$tmp[2];
    if (strlen($saltstr) != 10) return crypt($password, $salt);
    $encrypt=base64_encode(sha1($saltstr.$password,true));
    return '$sha1$'.$saltstr.'$'.$encrypt;
}

// without salt, sha1crypt() will generate one
$pass=sha1crypt('foobar');
echo $pass."\n";
// pass the hash directly as salt - different output as the password is not the same
echo sha1crypt('foobarbaz',$pass)."\n";
// same password - same output
echo sha1crypt('foobar',$pass)."\n";
// Encrypt using MD5 passwords
echo sha1crypt('foobar','$1$blahblahg$')."\n";
?>

will output:

$sha1$oFkYeI|vuu$d3n7D30OnecZSbS6KIbxCch608A=
$sha1$oFkYeI|vuu$iA8KmbCZun1G1gEw2qVr42ELVH4=
$sha1$oFkYeI|vuu$d3n7D30OnecZSbS6KIbxCch608A=
$1$blahblah$/8Hme91aEkHzLaVk0g9EQ0

My sha1-encrypted passwords are 45 characters long. Remember to read that too before using SHA1 passwords: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
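As an added example (not code from the thread or from the quoted manual comment): a login check that recognises the hash formats discussed above by their prefix, verifies legacy crypt() hashes by passing the stored hash back as the salt, and hands back a password_hash() replacement whenever a weak scheme is seen, so a password store can be migrated as users log in. It also makes the DES truncation described above visible: an 8-character prefix of the password is accepted against a DES hash but rejected against an MD5-crypt hash. hashScheme, isWeakScheme and loginAndUpgrade are this example's own names; it assumes PHP 7.1 or newer for array destructuring and the password_* functions.

```php
<?php
// Added example: classify stored hash formats and upgrade weak ones at login.
// Not from the thread; assumes PHP >= 7.1. All function names are this example's own.

// Recognise the scheme of a stored hash by its prefix. crypt()-style hashes
// carry the scheme and salt in front of the digest, so no extra column is needed.
function hashScheme(string $hash): string
{
    if (strncmp($hash, '$2y$', 4) === 0 || strncmp($hash, '$2a$', 4) === 0) {
        return 'bcrypt';
    }
    if (strncmp($hash, '$argon2', 7) === 0) {
        return 'argon2';
    }
    if (strncmp($hash, '$1$', 3) === 0) {
        return 'md5crypt';      // 34 characters, the format seen in the first post
    }
    if (strncmp($hash, '$sha1$', 6) === 0) {
        return 'sha1crypt';     // the home-made format from the manual comment
    }
    // Standard DES: 2 salt characters + 11 digest characters, no '$' prefix.
    // Only the first 8 characters of the password take part in the digest.
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash) === 1) {
        return 'des';
    }
    return 'unknown';
}

// Everything that is not a modern password_hash() output is due for replacement.
function isWeakScheme(string $scheme): bool
{
    return $scheme !== 'bcrypt' && $scheme !== 'argon2';
}

// Verify a login. Returns [bool $ok, ?string $newHash]; when $newHash is not
// null the caller should store it in place of the old one. The plaintext is
// only available at login time, which is why the upgrade happens here.
function loginAndUpgrade(string $password, string $storedHash): array
{
    $scheme = hashScheme($storedHash);

    if (!isWeakScheme($scheme)) {
        $ok  = password_verify($password, $storedHash);
        $new = ($ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT))
            ? password_hash($password, PASSWORD_DEFAULT)
            : null;
        return [$ok, $new];
    }

    if ($scheme !== 'des' && $scheme !== 'md5crypt') {
        // Formats crypt() cannot reproduce (such as the $sha1$ one) need their own check.
        return [false, null];
    }

    // Legacy crypt() formats: recompute with the stored hash as salt, compare in constant time.
    $ok  = hash_equals($storedHash, crypt($password, $storedHash));
    $new = $ok ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [$ok, $new];
}

// Constructed demo values (not real credentials). The long password follows the
// manual comment quoted above; 'ab' is a two-character salt, so crypt() uses DES.
$longPassword = 'fez1c89ez1c98ez4c89z4eqf98ez';
$legacyDes    = crypt($longPassword, 'ab');
$legacyMd5    = crypt($longPassword, '$1$Xy7pQ2aB$');

// Under DES only the first 8 characters count, so a truncated password is accepted.
[$ok, $new] = loginAndUpgrade(substr($longPassword, 0, 8), $legacyDes);
echo hashScheme($legacyDes), ' with truncated password: ', $ok ? 'accepted' : 'rejected', "\n";

// MD5-crypt digests the whole password, so the same truncated input is rejected.
[$ok, $new] = loginAndUpgrade(substr($longPassword, 0, 8), $legacyMd5);
echo hashScheme($legacyMd5), ' with truncated password: ', $ok ? 'accepted' : 'rejected', "\n";

// A correct login against a weak scheme yields a replacement hash to persist.
[$ok, $new] = loginAndUpgrade($longPassword, $legacyMd5);
echo 'full password: ', $ok ? 'accepted' : 'rejected';
echo $new !== null ? ', upgrade to ' . hashScheme($new) : '', "\n";
```

The detection is prefix-based on purpose: the weak formats are exactly the ones whose prefix (or lack of one) crypt() itself uses to pick the algorithm, so a query over the stored hashes gives an inventory of how many accounts are still on DES or MD5-crypt before any migration starts.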