php crypt generates different values

Question

I'm have a problem with php crypt() function, it generates a different passwords

here is the code for adding a test user to the database:

    $hash = crypt('roms','rc');
    $data = array('username' => 'roms', 'password' => $hash, 'email' => 'roms@r.c');
    $this->db->insert('users',$data);

And here is the login function:

// user login function
public function userLogin($username, $password){
    $results = $this->db->select('select * from users where username = :username',
    array(':username'=>$username));

    //  print_r($results);
      $pass = $results[0]->password;
    //  echo '<br>';
    //  echo  crypt('roms','rc');
    //  echo '<br>';
    //  echo $password;
    //  echo '<br>';
    //  echo $pass;

    if( (count($results) > 0) ){
        //echo ">0";
        if($pass == $password){
            return true;
        }
    }
    return false;
}

The result of the function: it works but never passes the if($pass == $password) condition because the passed hash is different than the one stored in the database

// print_r($results);
Array ( [0] => stdClass Object ( [id] => 7 [username] => roms [password] => rc7y3Ie22wNUQ [email] => roms@r.c ) ) 

// echo crypt('roms','rc'); (crypt the original password)
rc7y3Ie22wNUQ

// echo $password; (passed to the function)
rcKGHUlyQfgrU

// echo $results[0]->password; (from the database)
rc7y3Ie22wNUQ

And here is the login function call

if(isset($_POST['user-login'])){

    $db = new DbHelpers();

    $username = $_POST['username'];
    $password = crypt($_POST['passowrd'],'rc');

    $bool = $db->userLogin($username, $password);
    if($bool){
        //echo "<script>alert('1');</script>";
        $_SESSION["username"] = $username;
        \Helpers\Url::redirect('admin');
    }else{
        //echo "<script>alert('0');</script>";
        $data['login-error'] = '1';
    }
}

Note that I'm using simple mvc framework, it has a Password class for hashing passwords but I had the same problem when I used it. I also tried the md5 function.

[using error reporting would/should throw you an undefined index **passowrd** notice](http://php.net/manual/en/function.error-reporting.php) — Funk Forty Niner, Sep 02 '15 at 19:48
It's neither of those issues, the `crypt` function is generating a hash for an empty string possibly because the $_POST variable is incorrectly spelled. See my answer for evidence. — Jamie Bicknell, Sep 02 '15 at 19:50
The input name was password, I changed it to pass and it worked. $password = crypt($_POST['pass'],'rc'); — Momen Sh, Sep 02 '15 at 19:54

Jamie Bicknell · Answer 1 · 2015-09-02T19:49:37.520

0

This is because the variable is spelled incorrectly, and the hash you're generating is for an empty string

$password = crypt($_POST['passowrd'], 'rc');

Should probably be:

$password = crypt($_POST['password'], 'rc');

When I run:

echo crypt('', 'rc')

It outputs: rcKGHUlyQfgrU

edited Sep 02 '15 at 19:49

answered Sep 02 '15 at 19:43

Jamie Bicknell

2,306
17
35

php crypt generates different values

1 Answers1