-2

Now, this isn't a "debug my codez for me plz" question. I've spent... I don't even want to think how long on trying to fix this issue.

My problem is that I am executing this PHP page that is, ideally, examining a string and converting it to a more secure format since this page is to store passwords for accounts.

What I'm aiming at with this code below is to slice the string repeatedly at each character and then evaluate it to my key. It does this for the whole string length. What's been being returned to me is '0'. I don't know how the system is even getting this value.

Maybe I'm using the substr() function wrong? Also, I'm open to a completely different method of parsing the string, such as using a RegExp. Thank you for your help, guys!

Code:

<?php
error_reporting(0);
#region Initial
$accstr = "apple";
$accn = "scourge";
//Key
$a[0] = "#"; //These variables are for conversion; indexes of this array correspond to those
$a[1] = "!"; //of the other array ($ind)
$a[2] = "@";
$a[3] = "%$";
$a[4] = "%";
$a[5] = "!@";
$a[6] = "&*";
$a[7] = "^";
$a[8] = "##";
$a[9] = "&^";
$a[10] = "&";
$a[11] = "%~";
$a[12] = "!%";
$a[13] = "!$";
$a[14] = "*#";
$a[15] = "#*";
$a[16] = "~";
$a[17] = "~&";
$a[18] = "``";
$a[19] = "/^";
$a[20] = "%`";
$a[21] = "~~";
$a[22] = "`~";
$a[23] = "%%";
$a[24] = "~!";
$a[25] = "~#";
$a[26] = "``#";
$a[27] = "``!";
$a[28] = "``@";
$a[29] = "``%$";
$a[30] = "``%";
$a[31] = "``!@";
$a[32] = "``&*";
$a[33] = "``^";
$a[34] = "``##";
$a[35] = "``&^";
$a[36] = "&&^#";
$a[37] = "~@!";
$a[38] = "!@&@";
$a[39] = "%~~$";
$a[40] = "%`%";
$a[41] = "!^~@";
$a[42] = "&#$*";
$a[43] = "^**&";
$a[44] = "#%#`";
$a[45] = "&``!@^";
$a[46] = "&**~&";
$a[47] = "%|~";
$a[48] = "!-|~%";
$a[49] = "!$~";
$a[50] = "*/#";
$a[51] = "#%*";
$a[52] = "|~";

$ind[0] = "a";//These are used to tell what's being looked at in the string
$ind[1] = "b";
$ind[2] = "c";
$ind[3] = "d";
$ind[4] = "e";
$ind[5] = "f";
$ind[6] = "g";
$ind[7] = "h";
$ind[8] = "i";
$ind[9] = "j";
$ind[10] = "k";
$ind[11] = "l";
$ind[12] = "m";
$ind[13] = "n";
$ind[14] = "o";
$ind[15] = "p";
$ind[16] = "q";
$ind[17] = "r";
$ind[18] = "s";
$ind[19] = "t";
$ind[20] = "u";
$ind[21] = "v";
$ind[22] = "w";
$ind[23] = "x";
$ind[24] = "y";
$ind[25] = "z";
$ind[26] = "0";
$ind[27] = "1";
$ind[28] = "2";
$ind[29] = "3";
$ind[30] = "4";
$ind[31] = "5";
$ind[32] = "6";
$ind[33] = "7";
$ind[34] = "8";
$ind[35] = "9";
$ind[36] = "~";
$ind[37] = "!";
$ind[38] = "@";
$ind[39] = "#";
$ind[40] = "$";
$ind[41] = "%";
$ind[42] = "^";
$ind[43] = "&";
$ind[44] = "*";
$ind[45] = "(";
$ind[46] = ")";
$ind[47] = "_";
$ind[48] = "+";
$ind[49] = "`";
$ind[50] = "-";
$ind[51] = "=";
$ind[52] = "?";

$xml = new DOMDocument('1.0', 'utf-8');
$xml->formatOutput = true;
$xml->preserveWhiteSpace = false;
$xml->load('pwDB.xml');
$finln = "";
#endregion

#region Create coded password
$pwlen = strlen($accstr);
for($cnter=1;$cnter<=$pwlen;$cnter++)
    {
        $a1 = substr($accstr,$cnter,1);
        for($cnter2=1;$cnter2<=52;$cnter2++)
            {
                if($a1==$ind[$cnter2])
                    {
                        $finln += $a[$cnter2];
                    }
            }
    }
#endregion

#region Send finln
$newpw = $xml->createElement($accn);
$newpw->appendChild($xml->createElement('password', $finln));
$xml->getElementsByTagName('cache')->item(0)->appendChild($newpw);
file_put_contents("pwDB.xml",$xml->saveXML());
print $finln;
#endregion
?>
F21
Aaron
  • 1
    What is the ultimate goal with this? What does "converting to more secure format" mean? What is the use case for this "secure format"? – deceze Jun 26 '12 at 11:12
  • For one thing: `substr` is `0` based; second: PHP arrays are also 0 based. – Salman A Jun 26 '12 at 11:14
  • Why are you not using a salt with a standard hash type like SHA256, md5, etc.? – prodigitalson Jun 26 '12 at 11:14
  • 2
    are you trying to come up with your own hashing "algorithm"? – Adi Jun 26 '12 at 11:16
  • @Adnan, in short, yes. The whole goal of this is to take a password and convert it to a different string into an XML document to be pulled up later, using the same key. I am new to PHP, which is also why I am having issues. – Aaron Jun 26 '12 at 18:57
  • @prodigitalson, I've never heard of that before nor came across it. I'll look into it – Aaron Jun 26 '12 at 19:00
  • @Aaron, why not use `mcrypt` for that matter. Here, this can help you http://stackoverflow.com/a/1289114/1105514 And what you said you're trying to do isn't hashing, it's encoding/decoding – Adi Jun 26 '12 at 19:38

1 Answer

1

So typical password hashing is one way - if you need two way then you're talking about encryption, which is different.

Normally for hashing you'd do something like the following, though I'd urge you not to take this verbatim but to research some on your own so you understand what you're doing and the concepts involved:

    $xml = new DOMDocument('1.0', 'utf-8');
    $xml->formatOutput = true;
    $xml->preserveWhiteSpace = false;
    $xml->load('pwDB.xml');

    $account = 'someuser';
    $password = 'passw0rd';

    // your salt can be a constant that you never change, or can be user specific
    // if you make it user specific then you need to store it as well as the password
    // (single quotes, so PHP does not try to interpolate $t as a variable)
    $salt = '1j0i90@$t%';

    $hash = hash('sha256', $password . $salt);

    // store the hash, not the salt or the plain password
    $acct = $xml->createElement($account);
    $pw = $xml->createElement('password', $hash);
    $acct->appendChild($pw);

    // append under the existing root element; a document can only have one root
    $xml->documentElement->appendChild($acct);

    file_put_contents("pwDB.xml", $xml->saveXML());

And then to compare credentials like for a login you would do:

    $xml = new DOMDocument('1.0', 'utf-8');
    $xml->formatOutput = true;
    $xml->preserveWhiteSpace = false;
    $xml->load('pwDB.xml');

    $account = 'someuser';
    $password = 'passw0rd';
    // single quotes, so PHP does not try to interpolate $t as a variable
    $salt = '1j0i90@$t%';

    $hash = hash('sha256', $password . $salt);
    $xpath = new DOMXPath($xml);

    // look up by account name - assuming these are unique
    $accountNodes = $xpath->query('//'.$account);
    if($accountNodes->length) {
        $accountNode = $accountNodes->item(0);
        // relative path, so only the password element under this account matches
        $pwNodes = $xpath->query('./password', $accountNode);
        if($pwNodes->length) {
            $pwNode = $pwNodes->item(0);
            // compare against the stored text; a DOMElement cannot be cast to string
            if($hash === $pwNode->textContent) {
                // authentication OK!
            }
        }
    }
prodigitalson
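
A variant of the store-and-compare flow above, added here as an example and not part of the original answer: it swaps the single salted SHA-256 for PHP's built-in `password_hash()` and `password_verify()` (PHP 5.5+), which take care of the user-specific salt the answer mentions. The `<cache>`/`<account name="...">` layout and the function names are assumptions.

```php
<?php
// Added example; element/attribute names (cache, account, name, password) are assumptions.

function findAccount(DOMDocument $xml, string $name): ?DOMElement
{
    // Compare the attribute in PHP rather than concatenating user input into XPath.
    foreach ($xml->getElementsByTagName('account') as $node) {
        if ($node->getAttribute('name') === $name) {
            return $node;
        }
    }
    return null;
}

function storePassword(DOMDocument $xml, string $name, string $password): void
{
    // password_hash() picks a random salt per call and embeds it, with the
    // algorithm and cost, in the string it returns.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $acct = findAccount($xml, $name);
    if ($acct === null) {
        $acct = $xml->createElement('account');
        $acct->setAttribute('name', $name);
        $acct->appendChild($xml->createElement('password'));
        $xml->documentElement->appendChild($acct);
    }
    $acct->getElementsByTagName('password')->item(0)->textContent = $hash;
}

function checkPassword(DOMDocument $xml, string $name, string $password): bool
{
    $acct = findAccount($xml, $name);
    $pw = $acct ? $acct->getElementsByTagName('password')->item(0) : null;
    // password_verify() reads the salt back out of the stored string and
    // compares in constant time.
    return $pw !== null && password_verify($password, $pw->textContent);
}

// Constructed sample data, kept in memory so the example runs without pwDB.xml.
$xml = new DOMDocument('1.0', 'utf-8');
$xml->formatOutput = true;
$xml->loadXML('<cache/>');
storePassword($xml, 'scourge', 'apple');
storePassword($xml, 'someuser', 'apple');
echo $xml->saveXML();   // the two accounts share a password but not a salt
var_dump(checkPassword($xml, 'scourge', 'apple'));
var_dump(checkPassword($xml, 'scourge', 'Apple'));
var_dump(checkPassword($xml, 'nobody', 'apple'));
```

Keeping the account name in an attribute also avoids creating XML elements from arbitrary user input, which fails for names that are not valid element names.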