
I've got my login page, and on it I am also authenticating both username and password.

I'm stuck on checking the password against the one stored in the database. This is because I've done this code in my registration for more security.

$hashed_password = crypt('pass1'); 

Would anyone be able to assist me in creating an if statement to check the encrypted password in the database against the one the user provided? I really appreciate it.

In the login page, this is my password post:

$password = htmlentities(trim($_POST['password']));
lecardo
  • No need to trim the password. What if the user wants whitespace to be part of his password? – E_p Nov 23 '12 at 22:40
  • @E_p: Interesting point; I kinda feel that in almost every case an extra space would be a mistake by the user. – Evert Nov 23 '12 at 22:44
  • Using htmlentities is mad though! – Evert Nov 23 '12 at 22:44
  • No need to screen the password! You never store it "as is" anyway, so why limit the user? – E_p Nov 23 '12 at 22:45
  • I only allow numbers, letters, underscores and a dash. No white spaces. Isn't htmlentities suitable here? – lecardo Nov 23 '12 at 22:45
  • You should allow any symbol for a password. – E_p Nov 23 '12 at 22:46
  • PHP 5.5 will introduce [a new password hashing API with secure defaults](http://www.php.net/archive/2012.php#id2012-11-15-1). There is also [a PHP 5.3.7+ compat library](https://github.com/ircmaxell/password_compat) which does exactly the same thing. – PeeHaa Nov 23 '12 at 23:03

1 Answer

// let the salt be automatically generated
$hashed_password = crypt('mypassword'); 

// You should pass the entire results of crypt() as the salt for comparing
if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}

EDIT

crypt() takes two parameters, and the second is the so-called salt (see wiki). If not provided, the salt will be autogenerated (hence can be considered random). The salt is used in the whole algorithm, therefore to compare you want to crypt() the user-provided password with the same salt you did before, otherwise the result will be different. To make this possible the salt is added to the crypt() result (at the beginning), so providing the previous result for comparison purposes simply feeds crypt() with the old salt (it is either 2 or 12 chars depending on the algorithm used).

Marcin Orlowski
  • Thanks for the response! I was wondering, what does the user input variable actually do there? – lecardo Nov 23 '12 at 22:43
  • Isn't crypt more secure? My goal here is to reduce brute force as much as possible. – lecardo Nov 23 '12 at 22:56
  • Why do that? He's only trying to help, and when you're learning a new language you take all information on board from more experienced people. – lecardo Nov 23 '12 at 23:00
  • @PeeHaa What's wrong with `sha1`? http://stackoverflow.com/q/2772014/1741542 says it's still good enough for password storage. – Olaf Dietsche Nov 23 '12 at 23:02
  • Had another read up on php.net; apparently sha1 shouldn't be used, as crypt is normally slower to break down. – lecardo Nov 23 '12 at 23:03
  • @OlafDietsche 1. `sha1` is meant to be fast (which is bad for hashing passwords). 2. sha1 [has known weaknesses](http://www.schneier.com/blog/archives/2005/02/sha1_broken.html). 3. There are way better tools for the job (see my comment under the OP). – PeeHaa Nov 23 '12 at 23:08
  • Ah, forgot sha1 has been broken. – Marcin Orlowski Nov 23 '12 at 23:21
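The register/login pair described in the answer, written out as an added example (this is not code from the question or the answer above). It assumes PHP 7+ for `random_bytes()` and PHP 5.6+ for `hash_equals()`, both newer than this 2012 thread, and picks the bcrypt (`$2y$`) algorithm explicitly rather than relying on `crypt()`'s platform-dependent default. The point it illustrates is the one in the EDIT: the stored hash begins with the algorithm identifier and the salt, so passing the whole stored string back as the second argument makes `crypt()` reproduce the same hash for a correct password.

```php
<?php
// Added example: registration-side hashing and login-side verification
// with crypt(), choosing the algorithm and salt ourselves.

// Registration: build a bcrypt salt ("$2y$" + cost + 22 salt chars) from a
// CSPRNG and hash the password with it. random_bytes() assumes PHP 7+.
function hash_password(string $password): string
{
    // bcrypt's salt alphabet is ./A-Za-z0-9, so swap base64's '+' for '.'.
    $salt_chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $salt = '$2y$12$' . $salt_chars;          // cost 12 (2^12 rounds)

    $hash = crypt($password, $salt);
    // crypt() signals failure with a short string such as "*0"; a real
    // bcrypt result is 60 chars. Never store a failure marker as a hash.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a hash');
    }
    return $hash;
}

// Login: the stored hash already carries "$2y$12$" and the 22 salt chars in
// its first 29 characters, so crypt() re-reads algorithm, cost and salt
// from it and recomputes. Compare in constant time (hash_equals, PHP 5.6+)
// rather than with ==, so the comparison does not leak where it mismatched.
function verify_password(string $candidate, string $stored_hash): bool
{
    $recomputed = crypt($candidate, $stored_hash);
    return hash_equals($stored_hash, $recomputed);
}

// Constructed demonstration values (not from the original thread).
$stored = hash_password('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('correct horse battery stapl', $stored));
// Everything a verifier needs is in the prefix: algorithm, cost and salt.
echo substr($stored, 0, 29), "\n";
```

The first `verify_password()` call returns true and the second false; the echoed prefix is what the answer means by "salt is added to the crypt result (at the beginning)". On PHP 5.5+ `password_hash()` and `password_verify()`, mentioned in the comments under the question, do exactly this (bcrypt, random salt, constant-time compare) without hand-building the salt string, and are the better choice when available.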