1

I have implemented functions in my login model for decrypting/encrypting a user's password (which in an encrypted version gets stored in a cookie). All works fine except when I restart the browser and try to login with the password through the cookies.

The parser tells me it's the wrong password even though I can see that it's the correct one when I echo it out. Therefore I tried a "strlen" to see how many characters the password has, and it says 32 (!). The only thing I can think of is that (in this case) 28 white spaces have been added, which cannot be seen with an echo.

I would really appreciate it if someone can tell me what's going on and how to fix it?

function decrypt($encryptedText) {
    $key = "The secret key is";
    // mcrypt_decrypt returns the whole final block: the plaintext was padded with
    // "\0" bytes up to the 32-byte Rijndael-256 block size before it was encrypted
    $decryptedText = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($encryptedText), MCRYPT_MODE_ECB);

    echo $decryptedText;            //  "abcd" <- what I put in (trailing NUL bytes are invisible)
    echo strlen($decryptedText);    //  32 (?)

    return $decryptedText;
}
holyredbeard
  • 19,619
  • 32
  • 105
  • 171
  • 3
    Where are you defining `$decryptedText`? It's not assigned in the function, and it's neither a parameter or a global. – andrewsi Sep 25 '12 at 13:41
  • 3
    [Everything](http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html) you [are](http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database) trying [to](http://stackoverflow.com/questions/947618/how-to-best-store-user-information-and-user-login-and-password) do is [wrong.](http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database) Please stop what you are doing and learn about proper password storage and handling. – DampeS8N Sep 25 '12 at 13:43
  • @DampeS8N: This is only an experiment now when I'm learning about cookies. – holyredbeard Sep 25 '12 at 13:46
  • 1
    *"which in a decrypted version gets stored in a cookie"* - I dearly hope that's a typo. – deceze Sep 25 '12 at 13:46
  • @andrewsi: I put in the wrong function! Now it's correct. – holyredbeard Sep 25 '12 at 13:47
  • 1
    @holyredbeard Learn about them differently. This is like learning about guns by shooting yourself in the face. – DampeS8N Sep 25 '12 at 13:47
  • @deceze: Words you know. Should of course be "encrypted". – holyredbeard Sep 25 '12 at 13:48
  • @DampeS8N: Nah, not really. I think you understand that being kind of a bad comparison yourself when you think twice. – holyredbeard Sep 25 '12 at 13:49
  • 1
    @holyredbeard yeaaah, you're right. Shooting yourself in the face only hurts you, this could hurt anyone using the code you posted, and if you put it into production, all your users. So it is more like playing with a bomb in a mall. :) – DampeS8N Sep 25 '12 at 13:51
  • 3
    A suggestion: Download this library for your PHP password handling: https://github.com/ircmaxell/password_compat -- this library will be embedded into the next version of PHP (5.5) as the standard recommended way to handle password encryption. In the meanwhile, use the downloadable version rather than trying to write your password encryption handling. (see also http://www.h-online.com/open/news/item/PHP-5-5-should-reduce-password-sloppiness-1707835.html for ref) – SDC Sep 25 '12 at 13:53
  • 1
    Oh, and never *ever* store anything password-related (whether encrypted or not) in a cookie. See also http://www.sk89q.com/content/2010/04/phpsec_cheatsheet.pdf for ref – SDC Sep 25 '12 at 13:58

2 Answers

3

That's because 32 bytes is the block size of Rijndael 256 (i.e. 32 = 256 / 8) and the decrypted data is padded with '\0' to match that length.

To correct this you can remove those characters like so:

return rtrim($decryptedText, "\0");   // double quotes: "\0" is a NUL byte, '\0' would be a backslash and a zero
Ja͢ck
  • 170,779
  • 38
  • 263
  • 309
1

To remove the white spaces use the PHP trim() function:

$password = trim($_COOKIE["value"]);   // $_COOKIE is an array, so square brackets, not parentheses

It will remove white spaces from the beginning and end.

StaticVariable
  • 5,253
  • 4
  • 23
  • 45
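The following is an added example written for this page; it is not code from the question or from either answer. It reproduces what the first answer describes (the decrypted string comes back padded to the block size with NUL bytes) and then compares the two stripping approaches the answers propose: rtrim() with a NUL character list, and plain trim(). Because the mcrypt extension has been removed from current PHP, the example uses OpenSSL and applies mcrypt's zero padding by hand; it assumes AES-256-CBC (16-byte blocks) in place of MCRYPT_RIJNDAEL_256 (32-byte blocks), so the padded length is 16 rather than the 32 seen in the question. The key and IV are generated for the demo only. The comments on the question already point at password_hash()/password_compat for real password storage; this example is only about the padding question.

```php
<?php
// Added example, not code from the question or either answer.
// mcrypt zero-padded the plaintext to the block size. OpenSSL stands in for it
// here: the padding is applied manually and OPENSSL_ZERO_PADDING (which, despite
// its name, switches OpenSSL's own padding OFF) keeps OpenSSL from adding more.
// Assumption: AES-256-CBC with a 16-byte block replaces MCRYPT_RIJNDAEL_256
// (32-byte block); the lengths differ but the padding behaviour is the same.

const BLOCK_SIZE = 16;

// Encrypt the way mcrypt did: pad with "\0" to a block multiple, no PKCS#7
function mcryptStyleEncrypt(string $plain, string $key, string $iv): string
{
    $padLen = (BLOCK_SIZE - strlen($plain) % BLOCK_SIZE) % BLOCK_SIZE;
    $padded = $plain . str_repeat("\0", $padLen);
    return openssl_encrypt($padded, 'aes-256-cbc', $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
}

// Decrypt the way mcrypt_decrypt did: the result still carries the "\0" padding
function mcryptStyleDecrypt(string $cipher, string $key, string $iv): string
{
    return openssl_decrypt($cipher, 'aes-256-cbc', $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
}

$key = random_bytes(32);   // constructed for the demo; a real key is kept outside the code
$iv  = random_bytes(16);

$raw = mcryptStyleDecrypt(mcryptStyleEncrypt("abcd", $key, $iv), $key, $iv);
var_dump(strlen($raw));                       // int(16): "abcd" followed by 12 NUL bytes

// Single-quoted '\0' is the two characters backslash and zero, so nothing is stripped
var_dump(strlen(rtrim($raw, '\0')));          // int(16)
// Double-quoted "\0" is a real NUL byte, so only the padding goes
var_dump(rtrim($raw, "\0") === "abcd");       // bool(true)

// trim() strips NUL as well, but also real whitespace: a password that ends in a
// space no longer matches, whereas rtrim($raw, "\0") removes only the padding
$raw2 = mcryptStyleDecrypt(mcryptStyleEncrypt("abcd ", $key, $iv), $key, $iv);
var_dump(trim($raw2) === "abcd ");            // bool(false)
var_dump(rtrim($raw2, "\0") === "abcd ");     // bool(true)

// With OpenSSL's default PKCS#7 padding the padding is removed on decryption, so
// no trimming is needed and a trailing space (or NUL) in the plaintext survives
$c = openssl_encrypt("abcd ", 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
var_dump(openssl_decrypt($c, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv) === "abcd "); // bool(true)
```

Run it with `php example.php`. The point of the last two checks is that a generic trim() changes the value being compared whenever the real password ends in whitespace, while a padding scheme that records its own length (PKCS#7, the OpenSSL default) makes the stripping step unnecessary.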