Author Topic: PHP Help: Attn Sprig or Tage  (Read 3098 times)

The Holy Saint, Grand High Poobah, Master of Monkeys, Ehlers

  • Administrator
  • Level 96
  • *****
  • Posts: 19211
  • Fell Points: 17
  • monkeys? yes.
PHP Help: Attn Sprig or Tage
« on: September 20, 2006, 12:52:49 PM »
I'm trying to make sure I understand crypt() and I think I've got my head around it, so here's a little sample code and I want to know if it'll work.

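Code:
session_start();
// mysqli replaces the mysql_* extension, which was removed in PHP 7
$link = mysqli_connect('server', 'user', 'pass', 'database')
       or die('Could not connect: ' . mysqli_connect_error());

$uname = $_POST['user'];
// Prepared statement: the user name is bound as data, never pasted into the SQL text
$stmt = mysqli_prepare($link, 'SELECT pass FROM user_table WHERE name = ? LIMIT 1');
mysqli_stmt_bind_param($stmt, 's', $uname);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $saved_pass);

if (!mysqli_stmt_fetch($stmt)) {
       // No row for this user name: stop here instead of falling through to the check
       print 'use/pass does not exist';
} else {
       // crypt() reads the algorithm and salt back out of the stored hash
       $pass = crypt($_POST['pass'], $saved_pass);
       // hash_equals() compares in constant time
       if (hash_equals($saved_pass, $pass)) {
              print 'password accepted';
              $_SESSION['user'] = $uname;
       } else {
              print 'use/pass does not exist';
       }
}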

(color coded version at http://pastebin.com/790608 if you want to wait for them, they're very slow sometimes).

This assumes there is saved user data with an already encrypted password in the database, of course. Is that code written properly?

Eric James Stone

  • Level 12
  • *****
  • Posts: 519
  • Fell Points: 0
Re: PHP Help: Attn Sprig or Tage
« Reply #1 on: September 20, 2006, 01:03:51 PM »
No, that will not work.

The crypt function takes two arguments.  The first is the text you want to encrypt, and the second is a "salt" for the encryption.

Now, the password stored in the database was encrypted using a specific salt.  In order to compare the submitted password with the stored password, you need to encrypt the submitted password using the exact same salt that was used for encrypting the stored password, or else they will not match.

In this code, you're using the encrypted version of the stored password as the salt, rather than whatever salt was originally used to encrypt the stored password.
Eric James Stone
Nebula Award Nominated Author
Read my serialized novel Unforgettable for free online.

The Holy Saint, Grand High Poobah, Master of Monkeys, Ehlers

Re: PHP Help: Attn Sprig or Tage
« Reply #2 on: September 20, 2006, 01:10:35 PM »
So how do I get that salt if it uses a randomly generated salt to create the entry in the db in the first place?

I guess I can specify a salt, but what's the point of using a randomly generated one if you can't re-use it?

edit: O'REILLY's Learning PHP 5 doesn't have much to say about crypt(), but it does say "The crypt() function needs to have the stored encrypted password passed to it as a second argument to make sure that the $_POST['password'] is encrypted properly."
This would seem to say that an encrypted password would work as the salt.
« Last Edit: September 20, 2006, 01:17:02 PM by SaintEhlers »

Eric James Stone

Re: PHP Help: Attn Sprig or Tage
« Reply #3 on: September 20, 2006, 01:37:53 PM »
Hmm.  Interesting.  I just tested it, and using the stored password as the salt does work, because whatever algorithm is used on the salt produces the salt when used on anything encrypted using the salt.

So I withdraw my objection.
Eric James Stone
Nebula Award Nominated Author
Read my serialized novel Unforgettable for free online.
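
Added example, not part of the original thread and not code from any poster: it shows why passing the stored hash as the second argument to crypt() works, namely that the stored string begins with the algorithm settings and the salt in the clear. It assumes bcrypt (`$2y$`) hashes, which the thread does not specify; the function names and the sample passwords are constructed for the illustration.

```php
<?php
// Added example: why crypt($input, $stored_hash) verifies a password.
// All names and values here are constructed for the demonstration.

// Hash a password with bcrypt (cost 10) and a fresh random 22-character salt.
function make_hash(string $password): string {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($password, '$2y$10$' . $salt);
}

// The first 29 characters of a bcrypt string are everything crypt() needs
// to repeat the computation: "$2y$" (algorithm), "10$" (cost), 22-char salt.
function settings_prefix(string $stored): string {
    return substr($stored, 0, 29);
}

// Re-hash the submitted password with the stored hash as the "salt" argument.
// crypt() returns a short "*0"/"*1" marker on failure, so reject short results,
// and compare with hash_equals() so the comparison runs in constant time.
function check_password(string $submitted, string $stored): bool {
    $candidate = crypt($submitted, $stored);
    return strlen($candidate) >= 13 && hash_equals($stored, $candidate);
}

$stored = make_hash('correct horse');
$prefix = settings_prefix($stored);

$checks = array(
    // Hashing with only the extracted prefix vs. with the whole stored hash
    'prefix as salt reproduces stored hash' => crypt('correct horse', $prefix) === $stored,
    'stored hash as salt reproduces itself' => crypt('correct horse', $stored) === $stored,
    // Verification of a matching and a non-matching password
    'matching password accepted'            => check_password('correct horse', $stored),
    'other password accepted'               => check_password('wrong guess', $stored),
    // Same password hashed again under a new random salt
    'second hash identical to first'        => make_hash('correct horse') === $stored,
);

echo $stored, "\n";
foreach ($checks as $label => $result) {
    echo $label, ': ', var_export($result, true), "\n";
}
```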

The Holy Saint, Grand High Poobah, Master of Monkeys, Ehlers

Re: PHP Help: Attn Sprig or Tage
« Reply #4 on: September 20, 2006, 04:50:10 PM »
Thanks, Eric. I was able to successfully implement that into the site I'm working on.

Spriggan

  • Administrator
  • Level 78
  • *****
  • Posts: 10582
  • Fell Points: 31
  • Yes, I am this awesome
Re: PHP Help: Attn Sprig or Tage
« Reply #5 on: September 20, 2006, 07:18:48 PM »
I'll be online tomorrow at work if you need more help, SE.
Screw it, I'm buying crayons and paper. I can imagineer my own adventures! Wheeee!

Chuck Norris is the reason Waldo is hiding.