
I have recently learned from the internet about Blowfish encryption, and I am able to encrypt the user's password when the user registers with the database. However, when I want to validate the value the user inputs when they log in, the value they key in does not match the one in the database.

<?php session_start(); ?>
<?php
include("database.php");
include("cryptpassword.php");

$idno     = $_POST['ID_Number'];
$password = $_POST['Password']; // inputPass

$conn = dbConnect();
if (!$conn)
    die("Couldn't connect to MySQL");

// $idno is interpolated straight into the SQL string (see the comments below)
$query = "select * from user where idno='$idno'";
//$queryadmin = "select * from user where idno='$idno' and usertype='admin'";

$result = mysql_query($query, $conn);
//$resultadmin = mysql_query($queryadmin, $conn);

$set_password = '';
if ($row = mysql_fetch_assoc($result)) {
    $set_password = $row['employeepassword'];
    echo $set_password; // the hash as stored in the database (debug output)
}

//$row = mysql_fetch_assoc($resultadmin);
//$set_password = $row['employeepassword'];

// re-hash the submitted password, using the stored hash as the salt/setting string
$input_password = crypt($password, $set_password);
echo "<br /> $input_password"; // the recomputed hash (debug output)

if ($input_password == $set_password) {
    echo "<br />welcome";
} else {
    echo "<br />idiot";
}
dbDisconnect($conn);

?>

The two outputs I get are as follows:

$2y$10$dkGpWiujoaiegVABKvFXruQ

$2y$10$dkGpWiujoaiegVABKvFXruQzkyCZIbFCtxq2N/5LmfLbi5dBHW0bS

The first one is from the database, while the second value is from the user input; I have no idea why the user input has extra values that cause the validation to fail.

    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jan 06 '14 at 11:09
  • I use [this hashing library](http://openwall.com/phpass/) it's pretty handy – Dale Jan 06 '14 at 11:34

1 Answer

  1. Is your DB field size big enough (64?)
  2. They will never match; you have to use a special function for checking the password.

More info on how to use them: http://lt1.php.net/crypt

Valdas
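The following is an added example illustrating both points of the answer; it is not the asker's script nor Valdas's code. It assumes PHP 7.0 or later with the pdo_sqlite extension, so the demo runs offline against an in-memory SQLite database instead of the asker's MySQL server; the table and column names (user, idno, employeepassword) follow the question, and the column width of 30 is an assumption drawn from the 30-character value the asker sees coming back from the database. Part 1 reproduces the mismatch in the question: a bcrypt string is 60 characters, a narrower column keeps only a prefix, and crypt() regenerates the full 60-character hash from that prefix. Part 2 shows the replacement: a column wide enough for the whole hash, a bound parameter instead of string interpolation for the idno, and password_verify() for the comparison.

```php
<?php
declare(strict_types=1);

// Part 1: why the two printed values differ. A bcrypt hash is always 60
// characters: "$2y$10$" (7) + 22-character salt + 31-character digest. If the
// column cannot hold 60 characters, MySQL stores only a prefix (with a warning
// in non-strict SQL mode, an error in strict mode). crypt() then reads the
// first 29 characters of that prefix as its setting string and regenerates
// the full 60-character hash, which can never equal the stored prefix.
function explainTruncation(string $password, int $columnWidth): array
{
    $full   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $stored = substr($full, 0, $columnWidth);   // what a VARCHAR($columnWidth) column kept
    $login  = crypt($password, $stored);        // the asker's login-side computation

    return [
        'full_length'           => strlen($full),
        'stored_length'         => strlen($stored),
        'login_equals_full'     => $login === $full,   // same salt, same password
        'login_equals_stored'   => $login === $stored, // 60 characters vs. the prefix
        'verify_against_stored' => password_verify($password, $stored),
    ];
}

// Part 2: the fix. Store the whole hash (VARCHAR(255) leaves room for future
// algorithms), bind the user-supplied idno instead of interpolating it into
// the SQL, and compare with password_verify(), which recomputes the hash from
// the stored setting string and compares it in constant time.
function registerUser(PDO $db, string $idno, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $db->prepare('INSERT INTO user (idno, employeepassword) VALUES (:idno, :hash)');
    $stmt->execute([':idno' => $idno, ':hash' => $hash]);
}

function loginUser(PDO $db, string $idno, string $password): bool
{
    // Hash to verify against when the idno is unknown, so a missing account
    // costs the same time as a wrong password (computed once per process).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('unused', PASSWORD_BCRYPT, ['cost' => 10]);
    }

    $stmt = $db->prepare('SELECT employeepassword FROM user WHERE idno = :idno');
    $stmt->execute([':idno' => $idno]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['employeepassword']);
}

// Demo against an in-memory database with constructed data (not the asker's).
function demo(): array
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE user (idno TEXT PRIMARY KEY, employeepassword VARCHAR(255) NOT NULL)');
    registerUser($db, 'E1001', 'correct horse battery staple');

    return [
        'truncation'     => explainTruncation('correct horse battery staple', 30),
        'right_password' => loginUser($db, 'E1001', 'correct horse battery staple'),
        'wrong_password' => loginUser($db, 'E1001', 'wrong'),
        'unknown_user'   => loginUser($db, 'E9999', 'correct horse battery staple'),
        // The quote is bound as data, so it cannot break out of the WHERE clause.
        'injection_try'  => loginUser($db, "E1001' OR '1'='1", 'anything'),
    ];
}

var_dump(demo());
```

Run it with `php example.php`. In the `truncation` entry, `login_equals_full` is the reason the asker's second value is the full 60-character hash (the prefix still carries the complete salt, so crypt() reproduces the original hash) while `login_equals_stored` and `verify_against_stored` fail against the prefix. On the real MySQL table the equivalent of the fix is widening the column, for example `ALTER TABLE user MODIFY employeepassword VARCHAR(255)`, and then re-registering the affected users, since the truncated hashes already stored cannot be recovered.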