1

I have a checklogin.php:

```php
<?php

$host="localhost"; // Host name
$username="user"; // Mysql username
$password="pass"; // Mysql password
$db_name="database1"; // Database name
$tbl_name="users"; // Table name
$lastLogDate=date("l, m/d/y, h:i:sa");
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT password FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$realpassword=mysql_result($result, 0);

define("ENCRYPTION_KEY", "!@#$%^&*");
function decrypt($encrypted_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
    return $decrypted_string;
}
$realpassword=decrypt($realpassword, ENCRYPTION_KEY);

if ($mypassword == $realpassword) {
    session_register("myusername");
    session_register("mypassword");
    session_register("userid");
    session_register("finalemail");
    $sqldate="UPDATE userdata SET lastLog = '$lastLogDate' WHERE username = '$myusername'";
    $resultdate=mysql_query($sqldate);
    header("location:/home");
}
else {
    echo "Wrong Username or Password<br>";
}
?>
```

When someone logs in with login.php, and the password they entered is the same as the password in the database after the decryption, it still says "wrong username or password". I added an echo to see if the decryption was working, but it returned correctly. I made a new account and tried to log in with that, and it worked. This only doesn't work with accounts before I added encryption, and I just encrypted the passwords myself. Maybe that's the problem?

kzhao14
  • Don't store passwords in a database in a reversible form. That's what [hashing](http://en.wikipedia.org/wiki/Cryptographic_hash_function) is for. – Phylogenesis May 11 '15 at 02:18
  • I don't think that's the issue. I created a new account after that, and that worked perfectly. It might be because I manually encrypted the passwords of the accounts created before? – kzhao14 May 11 '15 at 02:23
  • Best option is to query your data from backend then compare the results to your frontend. I can assume that the previous data/passwords are hashed whereas the new passwords you compared are not. – Mark May 11 '15 at 02:27
  • It's not what is causing your issue, it is a general security concern. Passwords should be hashed, not encrypted. Hash means irreversible (one way), encryption is reversible (two way). You hash the given password with a unique user salt and that hash should equal what is stored in the database. – Devon Bessemer May 11 '15 at 02:27
  • Where did you get that code? `mysql_*()` is deprecated and __will be removed__ in an upcoming release of PHP. `session_register()` has been deprecated and has __already been removed__ in PHP 5.4. –  May 11 '15 at 02:30
  • You're preprocessing the user password, including escaping it with `mysql_real_escape_string()`. You're then comparing the escaped version of the password with the decrypted version which is not at this stage escaped, so it's not surprising they don't match. If PHP says variables don't match then it's a fair bet that they don't. Try using `var_dump()` on both variables just before you compare them and see what values you actually have. –  May 11 '15 at 02:34
  • OK, so I tried what you said. I `var_dump`-ed it, and it said that they were both the same, as far as I could tell, that "password" and "password" are the same... I tried `mysql_real_escape_string` on the `$realpassword`, but that just messed that up. – kzhao14 May 11 '15 at 02:38

2 Answers

3

Your problem is two-fold.

First, mcrypt pads your data with trailing null bytes before encoding (if you don't apply padding yourself, e.g. PKCS7); after decoding you need to strip those null bytes:

```php
$realpassword = rtrim($realpassword, "\0");
```

Second, you shouldn't use encryption for passwords; instead, use the password hashing API; see this answer for an example.

Ja͢ck
  • @k97513 You're welcome; do check out [my earlier answer](http://stackoverflow.com/questions/10916284/how-to-encrypt-decrypt-data-in-php/10945097#10945097) on this subject for an example of how to use password hashing. – Ja͢ck May 11 '15 at 02:59
  • @k97513 Also, as islq mentioned, you shouldn't escape `$mypassword` because you should always compare against the given value. – Ja͢ck May 11 '15 at 03:02
0

Maybe the old password is affected by these transforms:

```php
$mypassword = stripslashes($mypassword);
$mypassword = mysql_real_escape_string($mypassword);
```
islq
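
The points raised in the answers and comments (compare the raw submitted password, strip the null padding from legacy values, store a hash instead of a reversible value), combined in an added example that is not code from the original posts. The `users`/`username`/`password` names follow the question; `verifyLogin()`, the `$legacyDecrypt` callable (a stand-in for the question's `decrypt()`), and the in-memory SQLite row are assumptions made so the block runs without mcrypt or MySQL.

```php
<?php
// Added example; verifyLogin() and $legacyDecrypt are hypothetical names.
function verifyLogin(PDO $db, string $user, string $password, callable $legacyDecrypt): bool
{
    // Bound parameter instead of hand escaping; the password itself is never escaped.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }
    // Accounts that were already migrated hold a password_hash() string.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        return password_verify($password, $stored);
    }
    // Legacy row: decrypt, strip the trailing null padding, compare with the raw input.
    $plain = rtrim($legacyDecrypt($stored), "\0");
    if (!hash_equals($plain, $password)) {
        return false;
    }
    // Replace the reversible value with a one-way hash on first successful login.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    return true;
}

// Constructed demo data: one legacy row whose "decrypted" value carries a trailing NUL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['old', 'ciphertext-placeholder']);
$legacyDecrypt = function (string $blob): string {
    return "it's-me\0"; // stand-in for decrypt(): plaintext plus zero padding
};

// The padded and unpadded strings print alike but are different values.
var_dump("it's-me\0" == "it's-me");
// First login takes the legacy path and upgrades the row.
var_dump(verifyLogin($db, 'old', "it's-me", $legacyDecrypt));
// Second login is checked with password_verify() against the stored hash.
var_dump(verifyLogin($db, 'old', "it's-me", $legacyDecrypt));
// A wrong password is rejected on the hashed row.
var_dump(verifyLogin($db, 'old', 'wrong', $legacyDecrypt));
```

The sample password contains an apostrophe on purpose: an escaped copy of it would no longer equal the stored value, which is the mismatch the comments describe.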