Encryption of a string


JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

I might give that a try hobber

I tried niel's suggestions but if I use the same password it gives the same hash value in my database

Code: Select all

<?php
function getMD5Salt() 
{ 
    return '$1$' . substr(MD5(microtime() . getmypid()),0,12); 
} 

    $newpass = crypt($_POST['f_pass1'], getMD5Salt());

?>
I have 4 test entries with the same password and they all have the same value :(
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

What platform are you on?
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

I've tested it on my local windows 2000 with personal web server/php4/mysql

and I tested it on my hosts site which is unix/apache/php4/mysql

both with the same exact result for the password "jim"

hashed version says "$1TImo4BQjcDU"
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

If your newpass doesn't begin with $1$, then the computer you are on has not enabled MD5 salts for crypt, which is very bizarre. As only the first two characters are being accepted, that indicates that it's using 3DES instead of MD5.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

well that's some crazy stuff

is the md5 a separate install that has to be made on the server?

do you have any solutions for bypassing the md5 function? :(
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Try echo'ing out the PHP constant CRYPT_MD5. It should be 1; if it's 0 then that's the problem.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

she's a zero alright :(

any work arounds for it?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

You should be able to make your own crypt as follows

Code: Select all

function my_md5crypt($pass,$salt)
{
    $salt = substr($salt,0,15);
    $cryptedPass = MD5($salt.$pass);
    return $salt.$cryptedPass;
}
You can pass in either a regular MD5 salt ($1$ + a 12-char substr of MD5 output), or a stored salted password as the salt and it should behave properly.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

so how would you code calling that function?

Code: Select all

<?php

my_md5crypt('$1$', $_POST['f_pass1'])

?>
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK
Contact:

Post by Takuma »

Thanks guys!
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

I could do an MD5 string, does that matter? :o

md5($password)

5e027396789a18c37aeda616e3d7991b
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

here is what I came up with so far

Code: Select all

<?php


function crypt_it($pwd)
{
    $salt = substr($_POST['f_email'], 0, 2);
    $encrypted_pswd = crypt($pwd, $salt);

    return $encrypted_pswd;
}

$newpass = crypt_it($_POST['f_pass1']);

?>
I use the first 2 characters of their email address to salt it; seems to work jolly
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

OK, plain crypt is much, much worse than plain MD5. Either use MD5 by itself, use crypt in MD5 mode if your machine supports it, or use the my_md5crypt given above.

To call my_md5crypt as given above:

Code: Select all

$password = $_POST["enteredPassword"];
$salt = '$1$' . substr(MD5(microtime() . getmypid()),0,12);
$hashedPassword = my_md5crypt($password,$salt);
// store $hashedPassword in your database
To validate a user password

Code: Select all

$username = $_POST["username"];
$password = $_POST["password"];
$storedPassword = getStoredPasswordForUser($username);
if (my_md5crypt($password, $storedPassword) == $storedPassword) {
    // success
} else {
    // failure
}
A slight correction to my_md5crypt:

Code: Select all

function my_md5crypt($pass,$salt) 
{ 
    $salt = substr($salt,3,12); // the '$1$' should not be hashed
    $cryptedPass = MD5($salt.$pass); 
    return '$1$'.$salt.$cryptedPass; // but the '$1$' needs to be passed back
}
Last edited by nielsene on Wed Sep 18, 2002 12:39 pm, edited 1 time in total.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK
Contact:

Post by Takuma »

How can I compare a POSTed password with the one in the db using MD5crypt?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Takuma, the second code snippet in my post before yours shows how to compare a user-entered password with the stored hashed password. Basically the steps are:
1) Use the username to look up the stored password
2) Hash the entered password, using the stored password as the salt
3) Compare the resulting hash with the stored password
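
Added example, not part of the thread or any poster's code: on a current PHP (7.1 or later is assumed), the three steps above are what password_hash() and password_verify() perform with a random per-password salt, and values stored in the corrected my_md5crypt() format can be replaced at the next successful login. The names legacy_md5crypt, is_legacy_hash and verify_and_upgrade and the sample data are hypothetical.

```php
<?php
// Legacy format = the thread's corrected my_md5crypt():
// '$1$' . 12 hex salt chars . md5(salt . password)
function legacy_md5crypt(string $pass, string $stored): string
{
    $salt = substr($stored, 3, 12);
    return '$1$' . $salt . md5($salt . $pass);
}

function is_legacy_hash(string $stored): bool
{
    // 12 hex salt chars + 32 hex digest chars follow the '$1$' prefix
    return preg_match('/^\$1\$[0-9a-f]{44}\z/', $stored) === 1;
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the
// caller should overwrite the stored value with a stronger hash.
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_hash($stored)) {
        // hash_equals() compares in constant time, unlike ==
        $ok = hash_equals($stored, legacy_md5crypt($password, $stored));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    $new = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [$ok, $new];
}

// Constructed sample data: a legacy record for the password "jim"
$salt   = substr(md5('constructed-salt'), 0, 12);
$legacy = '$1$' . $salt . md5($salt . 'jim');

[$ok, $upgraded] = verify_and_upgrade('jim', $legacy);
var_dump($ok);                                 // legacy hash accepted
var_dump(password_verify('jim', $upgraded));   // replacement hash verifies
// Same password hashed twice gives different strings (random salt)
var_dump($upgraded !== password_hash('jim', PASSWORD_DEFAULT));

[$bad, $none] = verify_and_upgrade('wrong', $legacy);
var_dump($bad, $none);                         // rejected, nothing to store
```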