westminster86 Posted March 16, 2008

Can someone explain to me why it keeps throwing out this exception in my script. I've checked that the two form variables I'm posting have values. If I don't use crypt it works fine.

    $username = 'smith01';
    $password = crypt('black');
    try {
        if ($username != $_POST['username'] || $password != $_POST['password']) {
            throw new Exception('The administrator username and password is not valid.');
        }
    } catch (Exception $e) {
        echo $e->getMessage();
        exit;
    }

trq Posted March 16, 2008

    if($username != $_POST['username'] || $password != crypt($_POST['password']))

westminster86 Posted March 16, 2008

Still doesn't work.

Orio Posted March 16, 2008

You sure that with the version thrope provided you are inputting "smith01","black"? If that's what you're inputting, show the code of the form.

Orio.

westminster86 Posted March 16, 2008

It's working now. I've just added salt as the second argument to the crypt function. I thought you don't need to specify it, doesn't the function create one if you don't? Isn't the salt just a string on which to base the encryption on? Why doesn't it work without it? Can someone explain to me?

    $adminpassword = crypt('secret', salt);
    if($adminusername != $_POST['ausername'] || $adminpassword != crypt($_POST['apassword'], salt))

BlueSkyIS Posted March 16, 2008

the second variable is not required. this works fine for me:

    <?
    $adminpassword = crypt('secret');
    echo "adminpassword: $adminpassword";
    ?>

your logic may be off. by the way, why are we comparing the posted password to the crypt()'ed password? they will never match that way and you'll always get the exception. crypt() isn't helping anything. i'd leave it out.

westminster86 Posted March 16, 2008

Why wouldn't they match? If I've encrypted, for example, $password = crypt('hello'); then if I was to post a form variable over and encrypt it, and compare it with the stored encrypted password, wouldn't that be fine? Of course they would match, as long as the user has entered the word hello into the form.

BlueSkyIS Posted March 16, 2008

i guess i'm a little confused. will you be storing the correct password in the script (bad idea) or retrieving it from a database or file? my method would be to compare the crypt() of the password stored in a database with the crypt() of the user-entered password. maybe that's what we're doing with $password = crypt('hello'); at the top of the file; assuming that 'hello' will actually be pulled from a data source.

anywho, i found this example that might help. note the comment.

    <?php
    $password = crypt('mypassword'); // let the salt be automatically generated

    /* You should pass the entire results of crypt() as the salt for comparing a
       password, to avoid problems when different hashing algorithms are used.
       (As it says above, standard DES-based password hashing uses a 2-character
       salt, but MD5-based hashing uses 12.) */
    if (crypt($user_input, $password) == $password) {
        echo "Password verified!";
    }
    ?>

westminster86 Posted March 16, 2008

Yeah, what I'm doing is storing the password in the script itself. I'm not getting it from a data source. I'll try it through a database. Thanks for your help.

westminster86 Posted March 16, 2008

How would I go about comparing a crypted password to a crypted password stored in a database? How would I write it in a query?

    $password = crypt('avalue');
    "SELECT * FROM admin WHERE username='$adminusername' AND password='$password'");

The above doesn't work.

peranha Posted March 16, 2008

    "SELECT * FROM admin WHERE username='$adminusername' AND password='$password'");

Should be

    "SELECT * FROM admin WHERE username='$adminusername' AND password='$password'";

I took out the )

westminster86 Posted March 16, 2008

It's not that, I just cut and pasted wrong.

westminster86 Posted March 16, 2008

It's not comparing the encrypted password in the database to the one I've encrypted on the script. What am I doing wrong?

trq Posted March 16, 2008

Can you post your actual code?

westminster86 Posted March 16, 2008

    $username = 'admin';
    $password = crypt('password123');

    $dbhandle = sqlite_popen("adatabase", 0666, $err_msg);
    if(!$dbhandle) die("Error: Could not connect to database");

    $query = "CREATE TABLE admin(username VARCHAR(50), password VARCHAR(30))";
    if(@!sqlite_query($dbhandle, $query)) {
        echo "Table users already exists<br />";
    }

    $query = sqlite_query($dbhandle, "SELECT * FROM admin WHERE username='$username' AND password='$password'");
    echo $query;
    if (sqlite_num_rows($query)==0) {
        $query = "INSERT INTO admin VALUES('$username', '$password')";
        //echo $query;
        if(@!sqlite_query($dbhandle, $query)) {
            echo "Could not insert table row";
        }
    }

trq Posted March 16, 2008

And what exactly makes you believe it's not working?

westminster86 Posted March 16, 2008

In the admin table it's got 5 rows with the same username and password. I wrote the if statement so that if a row was already in the table it shouldn't add. AND it is. So there's something wrong with the query, something to do with the password bit.

BlueSkyIS Posted March 16, 2008

are the user names or passwords in the database encrypted? if so, you'll need to compare the user-entered password by encrypting it using the same salt that was used to encrypt the password in the database. if the password in the database is not encrypted, don't encrypt or decrypt either one before comparing them.

westminster86 Posted March 16, 2008

Well yes. At the top of the script I've encrypted the password, which I then store in the database. So the second time round it should compare the encrypted password in the database to the encrypted one I'm trying to enter. I know the logic behind it, I just don't know how to implement it. I know it's something to do with the crypt function because when I don't use it, it doesn't allow me to enter values that are already in the table.

BlueSkyIS Posted March 16, 2008

okay, then are you following the information from a previous post, using the same salt for each crypt? here, $user_input would be the password entered by the user.

    <?php
    $password = crypt('mypassword'); // let the salt be automatically generated

    /* You should pass the entire results of crypt() as the salt for comparing a
       password, to avoid problems when different hashing algorithms are used.
       (As it says above, standard DES-based password hashing uses a 2-character
       salt, but MD5-based hashing uses 12.) */
    if (crypt($user_input, $password) == $password) {
        echo "Password verified!";
    }
    ?>

westminster86 Posted March 16, 2008

Where do I use the salt in the query? I'm setting predefined values for username and password. I've encrypted the password and then I insert both the username and encrypted password in the database. I've checked the table and the password is encrypted. My problem is when I run this script again, it shouldn't insert another row into the table, which it does. If I don't use the crypt function it works fine. It's not comparing the encrypted password in the table to the one encrypted at the top of the script.

    $username = 'smith';
    $password = crypt('hello123');

    $dbhandle = sqlite_popen("adatabase", 0666, $err_msg);
    if(!$dbhandle) die("Error: Could not connect to database");

    $query = "CREATE TABLE admin(username VARCHAR(50), password VARCHAR(30))";
    if(@!sqlite_query($dbhandle, $query)) {
        echo "Table users already exists<br />";
    }

    $query = sqlite_query($dbhandle, "SELECT * FROM admin WHERE username='$username' AND password='$password'");
    echo $query;
    if (sqlite_num_rows($query)==0) {
        $query = "INSERT INTO admin VALUES('$username', '$password')";
        //echo $query;
        if(@!sqlite_query($dbhandle, $query)) {
            echo "Could not insert table row";
        }
    }

BlueSkyIS Posted March 16, 2008

if you're going to crypt() something and store it, you'll have to use the same salt to compare anything else crypt'd:

    <?
    $password = crypt('hello123', 'somesalt');
    echo "password: $password<BR>";
    $user_input = crypt('hello123', 'somesalt');
    echo "user_input: $user_input<BR>";
    echo "password == user_input ? ";
    echo ($password == $user_input)?"TRUE":"FALSE";
    ?>

output:

    password: solmAr0OP9sJ.
    user_input: solmAr0OP9sJ.
    password == user_input ? TRUE

westminster86 Posted March 16, 2008

You're telling me stuff I already know. Yet no one is answering my question that I'm asking. I know that I have to compare the one in the database to the one on the script. So $password = crypt('hello') and to compare if($userpassword, $password) ==$password, but in this example, password isn't coming from the database, is it? I want to know how to implement it into my query.

BlueSkyIS Posted March 16, 2008

in my previous post, the password wasn't coming from a database. the point was that if you're going to compare one crypt()'d value from anywhere with another crypt()'d value from anywhere, they have to share the same salt. so i would change this:

    $password = crypt('hello123');

to this:

    $password = crypt('hello123', 'somesalt');

westminster86 Posted March 16, 2008

What salt do you suggest using?

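Added example, not part of the original thread and not any poster's code: the duplicate-row check and the login check both look the account up by username only, then verify the password with crypt() using the stored hash as the salt, as the manual comment quoted in the thread recommends. It uses PDO with an in-memory SQLite database rather than the sqlite_* calls from the posts; the table layout, credentials and function names are constructed for illustration, and the bcrypt prefix assumes that algorithm is available to crypt().

```php
<?php
// Added example; schema, credentials and helper names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Fresh random salt for every stored password. bcrypt expects 22 characters
// from the alphabet ./A-Za-z0-9 after the "$2y$<cost>$" prefix.
function new_hash(string $plain): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($plain, '$2y$10$' . $salt);
}

function add_admin(PDO $db, string $user, string $plain): bool
{
    // Existence is decided by username alone. A fresh hash of the same
    // password never equals the stored one, so it cannot be part of the test.
    $stmt = $db->prepare('INSERT OR IGNORE INTO admin (username, password) VALUES (?, ?)');
    $stmt->execute([$user, new_hash($plain)]);
    return $stmt->rowCount() === 1;
}

function check_login(PDO $db, string $user, string $input): bool
{
    // Bound parameter instead of interpolating the username into the SQL.
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // The stored hash carries its own algorithm prefix and salt, so passing
    // it as the salt re-hashes the input the same way it was first hashed.
    return hash_equals($stored, crypt($input, $stored));
}

var_dump(add_admin($db, 'smith', 'hello123'));   // first run inserts the row
var_dump(add_admin($db, 'smith', 'hello123'));   // second run is ignored
var_dump(new_hash('hello123') === new_hash('hello123')); // two hashes of one password
var_dump(check_login($db, 'smith', 'hello123')); // correct password
var_dump(check_login($db, 'smith', 'wrong'));    // wrong password
```

In current PHP, password_hash() and password_verify() wrap the same crypt() mechanism and pick the salt for you.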