Encryption of a string

~J~R~R
Forum Newbie
Posts: 20
Joined: Wed Sep 18, 2002 12:19 pm
Location: Amsterdam, the Netherlands

Post by ~J~R~R »

Strange, this doesn't seem to work for me :? CRYPT_MD5 is 0 for me (WinXP Home, Apache 2.0.35, PHP 4.2.2, MySQL something like 3.4). I'm using the following code to register / edit profile:

Code:

extract($_POST);
	if($password1 != $password2)
	{
		die('The passwords must be the same!');
	}
	$salt = '$1$' . substr(MD5(microtime() . getmypid()),0,12);
	$password1 = md5crypt($password1, $salt);
	$query = ($action == 'new') ? 'INSERT ' : 'UPDATE ';
	mysql_query("
		$query {$prefix}users
		SET user_name = '$username',
		user_pass = '$password1',
		user_mail = '$email'
		WHERE user_name = '$username'
	")
		or die(mysql_error());
And the following code to login:

Code:

$result = mysql_query('
		SELECT user_pass
		FROM users
		WHERE user_name = \'' . $_POST['username'] . '\'
	');
	
	extract(mysql_fetch_array($result));
	
	if(md5crypt($_POST['password'], $user_pass) == $user_pass)
	{
		echo('login correct!');
	}
	else
	{
		echo('whaa!');
	}
I always get 'whaa!' as result, it doesn't matter if I use a correct or wrong password. Everything is inserted and retrieved well from the database. I would be very pleased with your help.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Is your md5crypt the same as the my_md5crypt I presented in this thread?
~J~R~R
Forum Newbie
Posts: 20
Joined: Wed Sep 18, 2002 12:19 pm
Location: Amsterdam, the Netherlands

Post by ~J~R~R »

Yes, and it's the corrected form. Thus from the post with your examples.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

OK, I found an error in my function; it's been corrected in the earlier post, but the relevant part is that the '2' in the substr should be a '3',
i.e.
the line
$salt = substr($salt,2,12);
should be
$salt = substr($salt,3,12);

I apologize for the problem. It works on my machine now. I posted when I was without a php interpreter nearby....
~J~R~R
Forum Newbie
Posts: 20
Joined: Wed Sep 18, 2002 12:19 pm
Location: Amsterdam, the Netherlands

Post by ~J~R~R »

Hmm, strangely enough it still doesn't work. What I get from the database ($user_pass) is: $1$b233223d58d9. And the new hash (md5crypt($_POST['password'], $user_pass)) is $1$b233223d58d9 and some other stuff, which differs when you type another password. I think there is an error in the line if(md5crypt($_POST['password'], $user_pass) == $user_pass), but I do not see the difference with your script :?

[edit]The other stuff, after $1$b233223d58d9 in md5crypt($_POST['password'], $user_pass) is 32 characters long, the length of an MD5 hash[/edit]
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I think your problem is that your database field for password is too short and it's chopping off parts of the stored password.

Try this script and see what happens, if it works then your computer is doing all the crypto as expected and the problem is in the database schema.

Code:

<?php
function getMD5Salt()
{
    return '$1$'.substr(MD5(microtime().getmypid()),0,12);
}

function my_md5crypt($pass,$salt="")
{
  if ($salt=="") $salt=getMD5Salt();
  if (strpos($salt,'$1$')===FALSE)
     die('Trying to use a non-MD5 Salt with my_md5crypt');
  $salt = substr($salt,3,12);
  $cryptedPass = MD5($salt.$pass);
  return '$1$'.$salt.$cryptedPass;
}

$password = "Foobar";
$cryptedPassword = my_md5crypt($password);
echo "$cryptedPassword<br />";
$recrypted=my_md5crypt($password,$cryptedPassword);
echo "$recrypted<br />";
if ($recrypted==$cryptedPassword)
    echo "Happiness";
else
    echo "Sadness";
?>
~J~R~R
Forum Newbie
Posts: 20
Joined: Wed Sep 18, 2002 12:19 pm
Location: Amsterdam, the Netherlands

Post by ~J~R~R »

Yes, that works. I will update my table and come back here if it still isn't fixed.
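
The diagnosis reached above (a password column too short for the 47-character hash), as an added example that is not part of any post in this thread: it reproduces the thread's hash format, simulates a column cutting the value short, and shows a length check that reports the truncation as a storage problem rather than a failed login. The helper names store_in_column and verify and the column widths are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. It reproduces the thread's
// '$1$' + 12-char salt + 32-char MD5 format to show the truncation failure.

const PREFIX     = '$1$';
const SALT_LEN   = 12;
const DIGEST_LEN = 32;                        // hex-encoded MD5
const FULL_LEN   = 3 + SALT_LEN + DIGEST_LEN; // 47 characters in total

// Same construction as my_md5crypt() in the thread.
function thread_md5crypt(string $pass, string $salt): string
{
    $salt = substr($salt, strlen(PREFIX), SALT_LEN);
    return PREFIX . $salt . md5($salt . $pass);
}

// Hypothetical helper: mimics a CHAR/VARCHAR column of $width characters
// cutting off a longer value on INSERT (MySQL with strict mode off).
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Hypothetical helper: refuse to compare against a stored value that cannot
// be a complete hash, so truncation surfaces as a schema error instead of
// looking like a wrong password.
function verify(string $pass, string $stored): string
{
    if (strlen($stored) !== FULL_LEN || strpos($stored, PREFIX) !== 0) {
        return 'stored hash malformed (' . strlen($stored) . ' of ' . FULL_LEN . ' chars)';
    }
    return thread_md5crypt($pass, $stored) === $stored ? 'match' : 'mismatch';
}

$salt = PREFIX . 'b233223d58d9';              // salt value quoted in the thread
$hash = thread_md5crypt('Foobar', $salt);

foreach ([15, 32, 47] as $width) {            // constructed column widths
    $stored = store_in_column($hash, $width);
    // Naive check as in the login code: recompute and compare with ==
    $naive = thread_md5crypt('Foobar', $stored) == $stored ? 'ok' : 'whaa!';
    printf("width %2d: naive=%s, checked=%s\n", $width, $naive, verify('Foobar', $stored));
}
```
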
gite_ashish
Forum Contributor
Posts: 118
Joined: Sat Aug 31, 2002 11:38 am
Location: India

Post by gite_ashish »

Takuma wrote: And hot_goblin is "RTFM" a type of encryption?
RTFM:

http://info.astrian.net/jargon/terms/r/RTFM.html


FYI :lol:
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

nielsene -> Thanks a million, you've been very helpful :D
hob_goblin -> ok... but I did read the manual.