0

Today I had trouble with PHP:

                $first = sha1($_POST['first']);
                $second = sha1($_POST['second']);
                $third = $first.$second;
                $sol = implode(file('./third/solution.txt'));

                if($third == $sol){
                    echo "Correct";
                }else{
                    echo "Not Correct";
                }

I used echo to print $third and $sol and I see that they have the same value, but $third == $sol always returns false. I checked for " " or \n but there is nothing like that. Does anyone have an answer for that? Thanks

LucaLumetti
  • I think there's an argument missing in implode. – William J. Feb 11 '15 at 15:20
  • 3
    why implode/file? That's a massive waste of cpu cycles. why not just `file_get_contents()`? – Marc B Feb 11 '15 at 15:21
  • @WilliamJanoti implode can work with just one argument. Luca, can you please post an example of the code that's not working? What's your input and what's the content of the txt file? – ItalyPaleAle Feb 11 '15 at 15:21
  • 1
    @WilliamJanoti: not really. implode can be called with just an array. it'll default to an empty glue char though. `implode(array('a', 'b'))` will just give you `ab`. – Marc B Feb 11 '15 at 15:21
  • if you `trim($sol)` does that help? – CᴴᵁᴮᴮʸNᴵᴺᴶᴬ Feb 11 '15 at 15:21
  • @WilliamJanoti - The "glue" argument is optional for implode() – Mark Baker Feb 11 '15 at 15:22
  • 2
    However, [file()](http://www.php.net/manual/en/function.file.php) leaves newline characters (`"\n"`) at the end of each line by default, try calling file() with the `FILE_IGNORE_NEW_LINES` flag – Mark Baker Feb 11 '15 at 15:22
  • @CᴴᵁᴮᴮʸNᴵᴺᴶᴬ thanks! With trim() it works :D. I didn't know that function, I used to do a lot of str_replace("\n","",$string) – LucaLumetti Feb 11 '15 at 15:29
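
The mismatch from the question and the fixes suggested in the comments above, as an added example that is not part of the original thread. The temporary file and the sample inputs standing in for the POST fields are constructed, and the loose-comparison check and `hash_equals()` call go beyond what was posted.

```php
<?php
// Added example. Sample inputs and the temp file are constructed for illustration.
$first  = sha1('alpha');   // stands in for sha1($_POST['first'])
$second = sha1('beta');    // stands in for sha1($_POST['second'])
$third  = $first . $second;

// A solution file the way most editors save it: the value plus a trailing newline.
$path = tempnam(sys_get_temp_dir(), 'sol');
file_put_contents($path, $third . "\n");

// 1. The read used in the question: file() keeps each line ending by default,
//    so the string read back is one byte longer than the computed one.
$raw = implode(file($path));
var_dump(strlen($third), strlen($raw));
var_dump($third == $raw);

// echo hides the difference; dumping the last byte as hex exposes it.
var_dump(bin2hex(substr($raw, -1)));

// 2. Fixes from the comments: strip line endings while reading,
//    or read the whole file at once and trim it.
$solA = implode(file($path, FILE_IGNORE_NEW_LINES));
$solB = trim(file_get_contents($path));

// 3. Compare strictly. With ==, two numeric-looking strings are compared
//    as numbers, so different strings can compare equal (constructed values):
var_dump('0e12345' == '0e67890');
var_dump('0e12345' === '0e67890');

// === compares the strings byte for byte.
var_dump($third === $solA, $third === $solB);

// When the stored value must stay secret, hash_equals() (PHP 5.6+) performs
// the same check without leaking timing information about the match position.
var_dump(hash_equals($solA, $third));

unlink($path);
```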

2 Answers

0

You may want to use === in your if condition instead of ==. See this link String comparison using == vs. strcmp

ArrowHead
-2

You need to use a binary safe comparison when comparing strings that have been handled by encryption or decryption:

    if (strcmp($third, $sol) == 0) {
        // do stuff here
    }

http://php.net/strcmp

DavidRothbauer
  • 2
    Where is OP encrypting something? – PeeHaa Feb 11 '15 at 15:24
  • 1
    @PeeHaa sha1($_POST['first']); Isn't sha1 a hashing/encryption function? – DavidRothbauer Feb 11 '15 at 15:26
  • 3
    Encrypting does not mean what you think it does – PeeHaa Feb 11 '15 at 15:27
  • SHA = Secure Hash Algorithm. In other words it uses a mathematical function to change clear text to a hash...a string not easily deciphered. Hash is simply another word for "encrypt". – DavidRothbauer Feb 11 '15 at 15:32
  • Not only is the terminology you used wrong (which is pretty important imo), the answer also makes no sense (because it is based on the wrong things i.e. encryption) – PeeHaa Feb 11 '15 at 15:55
  • Okay pal...whatever you say. I'm sorry that I called into question your understanding of the English language and the proper definition of the word "encryption" I guess all my years working with military crypto systems wasn't enough for me to realize that hash wasn't the same as encryption. – DavidRothbauer Feb 11 '15 at 16:05
  • 1
    Hey Pal, You probably shouldn't be working in the security field. Hashing is by intent a one way process, a many to one relationship that has collisions. Encryption is a reversible process. http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms – Dave S Feb 11 '15 at 18:30
  • I wasn't going to continue this conversation, but hey.... There is nothing that says that a one way cipher is not encryption. The definition of encryption is to convert data into an unrecognizable form. "Hash" on the other hand started out as a slang term (from the British slang "mix things up"). But all that is beside the point. If PeeHaa wanted to be helpful, he could've merely pointed out that my answer could also be applied to "hashing". You offered some career advice...so I'll return the favour...don't become an English teacher.. – DavidRothbauer Feb 11 '15 at 19:24
  • 1
    No the definition for encryption in computer science, the field this site is meant for is as follows "Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties." A hashing algorithm makes the data unreadable by anyone because it is a one way process, you cannot decrypt hashed data. It's a good thing I don't aspire to become an English teacher but you should really learn what you are talking about if you want to be successful in computer science. – Dave S Feb 11 '15 at 20:00
  • While you're playing semantics, and not being all that helpful I might add, I've been productive, writing code (and being paid for it), answering questions, feeding the homeless (seriously), and watching TV. But hey....congratulations...you found a definition that suits your purpose!!! But...just to annoy you, I will, from this day forward only use the word "HASH" to describe a dish consisting mainly of protein and starches, that is prepared in skillet. – DavidRothbauer Feb 12 '15 at 02:22
  • 1
    It's not a matter of semantics, man. They are two distinct concepts that have very different uses. It's like saying Java is just another word for Javascript because they both do stuff. It's just flat out wrong. – Dave S Feb 12 '15 at 18:39
  • 3
    No one cares about your accomplishments here, they care about useful and correct information. Don't throw around unsubstantiated claims like you are some sort of big shot when you are clearly misleading people by trying to equate hashing and encryption. – Dave S Feb 12 '15 at 20:00
  • I talk to clients, who understand "encryption", not "hash". I have yet to encounter a programmer who doesn't understand one-way encryption vs hash. In fact, most programmers that I discuss encryption with, know by context, if we're discussing uni-directional or bi-directional encryption. You mention "useful and correct" information....let me point something out to you... Experience in cryptology will tell you that there is no such thing as a one way cipher. Any cipher, one way or not, can, and will be eventually cracked...making your one way encryption, decryptable. – DavidRothbauer Feb 12 '15 at 22:21
  • 1
    When multiple inputs can produce the same output, mathematically speaking there is no way to determine the input based solely on the output. That's basic logic. Yes there are rainbow tables and other techniques to break a hash. That doesn't mean you can determine conclusively what the original input was, only possible inputs that produce the output. That is not the same as decryption. – Dave S Feb 12 '15 at 22:35
  • 1
    Your experience should have told you that. The difference is pretty clear. You're just arguing because you're on some ego trip where you can't admit you were mistaken. input mod 2, is a one way hash, not a cipher. It's not a very useful one but your argument is invalid. Yes there is no such thing as a one way cipher, hashes aren't ciphers. – Dave S Feb 12 '15 at 22:37
  • You're the one who keeps responding. This isn't an "ego trip", I'm trying to give you a differing point of view....I understand where you're coming from... I don't agree with you...and here's why.... My job entails not only writing code, but reviewing requirements, writing specification documents, and negotiating contracts. Your dogged determination to prove me wrong is one of the things that IMO is why so much bad code gets written... Programmers get so wrapped up in their own world and terminology, they lose the ability to connect with and understand client requirements [more] – DavidRothbauer Feb 13 '15 at 17:43
  • This is a good example of that. I was completely unaware that this was even a thing, but I'm glad I found out, because I can add this to my interview questions. If I have a programmer who says to a client, or produces a document that uses the word "hash", where the specifications state "encryption", or a minimum cipher requirement, at best we have to do damage control, at worst we lose out on a contract, or have one cancelled due to breach of contract. Some might say that we have some sort of duty to instruct our users [more] – DavidRothbauer Feb 13 '15 at 17:47
  • I've seen that...where a programmer thought it was the client's duty to learn to understand him. He was fired shortly after that. It's that attitude that makes for bad products....developers failing to take the time to really understand user requirements, and communicate in their language. You accused me of doing ppl a disservice for using encryption instead of hash. I would say it's ppl who propagate terminology with such fervor who are doing the disservice. Because when someone comes to work for an organization like mine, you need to communicate with clients...or get fired. – DavidRothbauer Feb 13 '15 at 17:48
  • 1
    I work with clients all the time, properly explaining to them what you are doing is part of the job. If a client asks for encryption and you give them a hash you are failing to fulfill your requirements. If you ask your developer to give you a hash and they implement encryption they are doing the wrong thing. Yes sometimes you need to simplify things for a client. That doesn't mean you shouldn't be clear and deliberate in your explanations rather than making false equivalencies. Your argument seems to claim saying the wrong thing produces better code. That just doesn't make any sense. – Dave S Feb 13 '15 at 19:44
  • 1
    Nice blog post you have there. And welcome to our little programming Q&A. Or was it a "how to communicate with clients Q&A". Not sure anymore... – PeeHaa Feb 13 '15 at 22:52