Posted: Wed Sep 18, 2002 12:19 pm
by ~J~R~R
Strange, this doesn't seem to work for me :? CRYPT_MD5 is 0 for me (WinXP Home, Apache 2.0.35, PHP 4.2.2, MySQL something like 3.4). I'm using the following code to register / edit profile:

Code:

extract($_POST);
	if($password1 != $password2)
	{
		die('The passwords must be the same!');
	}
	$salt = '$1$' . substr(MD5(microtime() . getmypid()),0,12);
	$password1 = md5crypt($password1, $salt);
	$query = ($action == 'new') ? 'INSERT ' : 'UPDATE ';
	mysql_query("
		$query {$prefix}users
		SET user_name = '$username',
		user_pass = '$password1',
		user_mail = '$email'
		WHERE user_name = '$username'
	")
		or die(mysql_error());
And the following code to login:

Code:

$result = mysql_query('
		SELECT user_pass
		FROM users
		WHERE user_name = \'' . $_POST['username'] . '\'
	');
	
	extract(mysql_fetch_array($result));
	
	if(md5crypt($_POST['password'], $user_pass) == $user_pass)
	{
		echo('login correct!');
	}
	else
	{
		echo('whaa!');
	}
I always get 'whaa!' as result, it doesn't matter if I use a correct or wrong password. Everything is inserted and retrieved well from the database. I would be very pleased with your help.

Posted: Wed Sep 18, 2002 12:31 pm
by nielsene
Is your md5crypt the same as the my_md5crypt I presented in this thread?

Posted: Wed Sep 18, 2002 12:38 pm
by ~J~R~R
Yes, and it's the corrected form. Thus from the post with your examples.

Posted: Wed Sep 18, 2002 12:42 pm
by nielsene
OK, I found an error in my function; it's been corrected in the earlier post, but the relevant part is that the '2' in the substr should be a '3',
i.e.
the line
$salt = substr($salt,2,12);
should be
$salt = substr($salt,3,12);

I apologize for the problem. It works on my machine now. I posted when I was without a php interpreter nearby....

Posted: Wed Sep 18, 2002 12:52 pm
by ~J~R~R
Hmm, strange enough it still doesn't work. What I get from the database ($user_pass) is: $1$b233223d58d9. And the new hash (md5crypt($_POST['password'], $user_pass)) is $1$b233223d58d9 and some other stuff, which differs when you type another password. I think there is an error in the line if(md5crypt($_POST['password'], $user_pass) == $user_pass), but I do not see the difference with your script :?

[edit]The other stuff, after $1$b233223d58d9 in md5crypt($_POST['password'], $user_pass) is 32 characters long, the length of an MD5 hash[/edit]

Posted: Wed Sep 18, 2002 1:02 pm
by nielsene
I think your problem is that your database field for password is too short and it's chopping off parts of the stored password.

Try this script and see what happens. If it works, then your computer is doing all the crypto as expected and the problem is in the database schema.

Code:

<?php
function getMD5Salt()
{
    return '$1$'.substr(MD5(microtime().getmypid()),0,12);
}

function my_md5crypt($pass,$salt="")
{
  if ($salt=="") $salt=getMD5Salt();
  if (strpos($salt,'$1$')===FALSE)
     die('Trying to use a non-MD5 Salt with my_md5crypt');
  $salt = substr($salt,3,12);
  $cryptedPass = MD5($salt.$pass);
  return '$1$'.$salt.$cryptedPass;
}

$password = "Foobar";
$cryptedPassword = my_md5crypt($password);
echo "$cryptedPassword<br />";
$recrypted=my_md5crypt($password,$cryptedPassword);
echo "$recrypted<br />";
if ($recrypted==$cryptedPassword)
    echo "Happiness";
else
    echo "Sadness";
?>

Posted: Wed Sep 18, 2002 1:06 pm
by ~J~R~R
Yes, that works. I will update my table and come back here if it still isn't fixed.
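
The failure diagnosed above, reproduced as an added example (not code from the thread): a password column narrower than the 47-character hash makes every login fail, and a length check on the stored value tells that case apart from a wrong password. The helpers store_in_column() and check_login() and the column widths are hypothetical; my_md5crypt() follows the format of the function posted above.

```php
<?php
// Added example, not code from the thread. Hash format as in the posted
// my_md5crypt(): '$1$' + 12-char salt + 32-char MD5 hex digest = 47 chars.
const HASH_LEN = 47;

function my_md5crypt($pass, $salt = "")
{
    if ($salt == "") {
        $salt = '$1$' . substr(md5(microtime() . getmypid()), 0, 12);
    }
    if (strpos($salt, '$1$') !== 0) {
        die('Trying to use a non-MD5 salt with my_md5crypt');
    }
    $salt = substr($salt, 3, 12);          // strip the '$1$' prefix
    return '$1$' . $salt . md5($salt . $pass);
}

// Hypothetical helper: mimics a too-narrow CHAR/VARCHAR($width) column
// that keeps only the first $width characters of the inserted value.
function store_in_column($value, $width)
{
    return substr($value, 0, $width);
}

// Hypothetical helper: check a login, reporting a damaged stored hash
// separately from a wrong password.
function check_login($password, $stored)
{
    if (strlen($stored) !== HASH_LEN || strpos($stored, '$1$') !== 0) {
        return 'stored hash malformed (length ' . strlen($stored) . ')';
    }
    // hash_equals() compares in constant time (PHP 5.6+)
    return hash_equals($stored, my_md5crypt($password, $stored))
        ? 'login correct'
        : 'wrong password';
}

// Constructed column widths: 15 matches the truncated value quoted in the
// thread ('$1$' + 12-char salt), 32 is a bare MD5 width, 47 fits the hash.
foreach ([15, 32, 47] as $width) {
    $stored = store_in_column(my_md5crypt('Foobar'), $width);
    echo "width $width: ", check_login('Foobar', $stored), "\n";
}
echo "width 47, other password: ",
    check_login('foobar', store_in_column(my_md5crypt('Foobar'), 47)), "\n";
```
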

Posted: Wed Sep 18, 2002 2:13 pm
by gite_ashish
Takuma wrote: And hot_goblin is "RTFM" a type of encryption?
RTFM:

http://info.astrian.net/jargon/terms/r/RTFM.html


FYI :lol:

Posted: Wed Sep 18, 2002 3:07 pm
by Takuma
nielsene -> Thanks a million, you've been very helpful :D
hob_goblin -> ok... but I did read the manual.