TechQA.

comparing crypt passwords doesn't seem to work

56 views Asked by At

I am having issues comparing passwords using crypt, one password from post the other pulled from my database...

Here is my login code with an example salt:

$username   = $_POST['username'];
$password   = $_POST['password'];
$cryptSalt  = '$2y$06$PizWslhw9Z9oM9QSPt9zY.g9faOSoUdNLO7RemQrWTMY.NOpr3oTG';
$password   = crypt($password, $cryptSalt);

if($login = $con->prepare("SELECT userID,userName,userPassword FROM users WHERE userName=?")) {
    $login->bind_param("s", $username);
    if($login->execute()) {
        $login->bind_result($userID,$username,$currentPassword);
        while($login->fetch()) {
            if(crypt($password, $currentPassword) == $currentPassword) {
                echo "<p class='alert'>Password Correct</p>";
            } else {
                echo "<p class='alert'>Password Incorrect</p>";
            };
        };
    } else {
        echo "<p class='alert'>User Not Found</p>";
    };
};
$login->close();

Whenever I type in the correct password it still outputs that the password is incorrect, is there a reason for this?

$username       = $_POST['username'];
$firstName      = $_POST['firstName'];
$lastName       = $_POST['lastName'];
$emailAddress   = $_POST['emailAddress'];
$cryptSalt      = '$2y$06$PizWslhw9Z9oM9QSPt9zY.g9faOSoUdNLO7RemQrWTMY.NOpr3oTG';
$password       = $_POST['password'];
$password       = crypt($password, $cryptSalt);

if($register = $con->prepare("INSERT INTO users(userName,userFirstName,userLastName,userEmailAddress,userPassword) VALUES(?,?,?,?,?)")) {
    $register->bind_param("sssss", $username,$firstName,$lastName,$emailAddress,$password);
    if($register->execute()) {
        echo "<p class='alert'>Account Created</p>";
    } else {
        echo "<p class='alert'>Execution Error: Account Creation</p>";
    };
};
$register->close();

Note: this is an internal website, sql injection isn't an issue.

php crypt
Original Q&A
1

There are 1 answers

0
marijnz0r On BEST ANSWER

It looks like you're hashing one time too many (on line 4 and line 10), but what you want to do is compare the hash of the entered password with the hash in de database.

$username   = $_POST['username'];
$password   = $_POST['password'];
$cryptSalt  = '$2y$06$PizWslhw9Z9oM9QSPt9zY.g9faOSoUdNLO7RemQrWTMY.NOpr3oTG';
$password   = crypt($password, $cryptSalt);

if($login = $con->prepare("SELECT userID,userName,userPassword FROM users WHERE userName=?")) {
    $login->bind_param("s", $username);
    if($login->execute()) {
        $login->bind_result($userID,$username,$currentPassword);
        while($login->fetch()) {
            if($password == $currentPassword) {
                echo "<p class='alert'>Password Correct</p>";
            } else {
                echo "<p class='alert'>Password Incorrect</p>";
            };
        };
    } else {
        echo "<p class='alert'>User Not Found</p>";
    };
};
$login->close();

OR

$username   = $_POST['username'];
$password   = $_POST['password'];
$cryptSalt  = '$2y$06$PizWslhw9Z9oM9QSPt9zY.g9faOSoUdNLO7RemQrWTMY.NOpr3oTG';

if($login = $con->prepare("SELECT userID,userName,userPassword FROM users WHERE userName=?")) {
    $login->bind_param("s", $username);
    if($login->execute()) {
        $login->bind_result($userID,$username,$currentPassword);
        while($login->fetch()) {
            if(crypt($password, $cryptSalt) == $currentPassword) {
                echo "<p class='alert'>Password Correct</p>";
            } else {
                echo "<p class='alert'>Password Incorrect</p>";
            };
        };
    } else {
        echo "<p class='alert'>User Not Found</p>";
    };
};
$login->close();

Related Questions in PHP

Related Questions in CRYPT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions