
The password encrypts just fine. But decryption is weird. It doesn't give me the deciphered password.

Here's the decryption result/output: http://prntscr.com/91q0rv

Table structure: http://prntscr.com/91qgcs

Now I'm going to post all of the related code. But to save some time, keep your eyes on login_db.php; that's where the problem is coming from.

db.php

$mysql_hostname = "localhost";
$mysql_user = "root";
$mysql_password = "";
$mysql_database = "db_bank";

$db = mysql_connect($mysql_hostname, $mysql_user, $mysql_password) or die ("couldn't connect to the database server");
mysql_select_db($mysql_database, $db) or die ("couldn't select any database");

mysql_query("set character_set_server='utf8'");
mysql_query("set names 'utf8'");

$key = 'Dr. Imran';
// A fresh random IV is generated every time this file is included, and it is
// never stored anywhere, so each request works with a different IV.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);



register_db.php

include('db.php');

$fname=$_POST['fname'];
$username=$_POST['username'];
// Encrypt with the key and the (per-request) IV that db.php just created.
$password = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['password'], MCRYPT_MODE_CBC, $iv);
$password = base64_encode($password);
echo $password.'<br>';
$email=$_POST['email'];
$phone=$_POST['phone'];
$country=$_POST['country'];
$age=$_POST['age'];
$gender=$_POST['gender'];

// Note: all form values are interpolated into SQL unescaped.
$check="SELECT * FROM customers WHERE Username='$username'";
$results=mysql_query($check);

$check2="SELECT * FROM customers WHERE Email='$email'";
$results2=mysql_query($check2);

if(mysql_num_rows($results) == 0)
{ $check='true'; }

else
{ header("location: register.php?username=false"); exit; }


if(mysql_num_rows($results2) == 0)
{ $check2='true'; }

else
{
    if($check!='true')
    { header("location: register.php?username=false&email=false"); exit; }

    else
    { header("location: register.php?email=false"); exit; }
}


// '==' on $check2: the original had '=' (an assignment), which is always truthy.
if($check=='true' && $check2=='true')
{
    // Pick a random ID and retry until one is found that is not already taken.
    for($i=0; $i<1; $i++)
    {
        $id=rand(2000,3000);

        $check3="SELECT * FROM customers WHERE ID='$id'";
        $results3=mysql_query($check3);


        if(mysql_num_rows($results3) > 0)
        { $i=-1;  }

        else
        {
            mysql_query("INSERT INTO customers (Fname, Username, Password, Email, Phone, Country, Age, Gender, ID) VALUES ('$fname', '$username', '$password','$email', '$phone', '$country', '$age', '$gender', '$id')");
            header("location: login.php?register=success");
            exit;
        }
    }
}


mysql_close($db);



login_db.php

session_start();
include('db.php');


$username = $_POST['UserOrEmail'];
$email = $_POST['UserOrEmail'];
$password = $_POST['password'];

$qry="SELECT * FROM customers WHERE (username='$username' OR email='$email')";

$results=mysql_query($qry);


if(mysql_num_rows($results) > 0)
{
    $rows = mysql_fetch_assoc($results);

    // Here is where the problem comes from: $iv was freshly generated by
    // db.php on this request, so it is not the IV the row was encrypted with.
    $check = base64_decode($rows['Password']);
    $check = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $check, MCRYPT_MODE_CBC, $iv);
    // mcrypt pads the plaintext with NUL bytes up to the block size; strip them.
    $check = rtrim($check, "\0");

    if($password == $check)
    {
        $_SESSION['username'] = $rows['Username'];
        header("location: index.php");
        exit;
    }
}
else { die("Login failed"); }



I hope that helps you identify the problem.

  • You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Nov 11 '15 at 22:02
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Nov 11 '15 at 22:02
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 11 '15 at 22:02
  • Firstly, get rid of the brackets in `WHERE (username='$username' OR email='$email')";` it's for subqueries. https://dev.mysql.com/doc/refman/5.7/en/subqueries.html – Funk Forty Niner Nov 11 '15 at 22:03
  • Don't use encryption (reversible) to store passwords, use a hash (one way) instead. – Steve Nov 11 '15 at 22:03
  • @JayBlanchard Thanks. But I'm forced to encrypt the password. It's a requirement of a project. It's not a real website. – Nov 11 '15 at 22:03
  • @Fred-ii- Thanks for the note. What else? – Nov 11 '15 at 22:05
  • PHP built-in functions *hash* (one-way encryption). – Jay Blanchard Nov 11 '15 at 22:05
  • @Steve I know, I'm aware of that. But my instructor forced me to encrypt the password. It's not a real website, don't worry. – Nov 11 '15 at 22:06
  • Make sure that you're not faced with null values or additional white space. Use `rtrim()` - see the manual http://php.net/manual/en/function.mcrypt-decrypt.php – Funk Forty Niner Nov 11 '15 at 22:06
  • What type and length is the password column in the database? – Steve Nov 11 '15 at 22:09
  • @steve Table structure: http://prntscr.com/91qgcs – Nov 11 '15 at 22:11
  • OK, are you sure the encrypted password will always be less than 300 characters? Because if it's not, it will get truncated. – Steve Nov 11 '15 at 22:13
  • @Steve I think so. But I can change it to 1000 characters. I don't mind. – Nov 11 '15 at 22:14
  • So, did you remove the brackets as previously stated? Did you check for null values/white space? What results are you now getting? Did you run error reporting? http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Nov 11 '15 at 22:15
  • I removed the brackets. I used `rtrim()`. Same result. I just noticed that every time I refresh the page, the decrypted password keeps on changing; is that normal? – Nov 11 '15 at 22:19
  • Instead of using [mcrypt](https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong), why not just use [defuse/php-encryption](https://github.com/defuse/php-encryption)? – Scott Arciszewski Nov 12 '15 at 13:21
  • @ScottArciszewski Well, every time I search for PHP encryption on Google, I get disappointed. I mean I see huge amounts of code and understand nothing. Until I found a simple piece of code (which is the one I'm using) that worked perfectly for me. I'm a beginner, you know. – Nov 12 '15 at 18:04
  • The problem is that the code you're using [is not secure](https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly), and if you want security, just use the Defuse library. – Scott Arciszewski Nov 12 '15 at 18:14

1 Answer

You are generating a new $iv each time db.php loads. You should store this too so you use the same one for encrypting and decrypting.

Ali Hamze
  • Yes, that could be true, because the decrypted password changes every time I refresh the page. Solution? – Nov 11 '15 at 22:18
  • You have to store the `$iv` value you use to encrypt the password in a separate column in your database. You will then have to retrieve this value when decrypting. – Ali Hamze Nov 11 '15 at 22:19
  • You were right. (I'm sorry if I sound stupid), but can't I use the username as `$iv`? – Nov 11 '15 at 22:37
  • What I meant is, for each password its username as `$iv`, but storing `$iv` right in the database is like asking to get hacked. (Thank god this isn't a real project) – Nov 11 '15 at 23:04
  • The `$iv` can even be publicly available although it is recommended to keep it private. So having it in the database along with the encrypted string is fine. Ref: [mcrypt_create_iv](http://php.net/manual/en/function.mcrypt-create-iv.php) – Ali Hamze Nov 11 '15 at 23:08
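The fix the answer describes (generate one random IV per record and keep it next to the ciphertext so the same IV is available at decryption time), as an added example that is not the asker's or answerer's code. It assumes PHP 7.1+ with the openssl extension and uses AES-256-CBC, which is not compatible with mcrypt's `MCRYPT_RIJNDAEL_256` (a 256-bit-block Rijndael), so rows written by the original code would have to be re-encrypted; `$key` is assumed to come from configuration rather than source.

```php
<?php
// Added example: per-record random IV stored with the ciphertext.
// Assumes PHP 7.1+ with openssl; AES-256-CBC is NOT wire-compatible with
// mcrypt's MCRYPT_RIJNDAEL_256, so this cannot read the original rows.
const CIPHER = 'aes-256-cbc';

// Encrypt and return one self-describing value: base64(iv . ciphertext).
// A fresh random IV per record is correct; it only has to travel with the data,
// which is why storing it in the database (even in the same column) is fine.
function encrypt_with_iv(string $plaintext, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $iv = random_bytes($ivLen);
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

// Split the stored value back into IV and ciphertext, then decrypt.
// Returns null (rather than a garbled string) when the blob is malformed.
function decrypt_with_iv(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        return null;
    }
    $iv = substr($raw, 0, $ivLen);
    $ct = substr($raw, $ivLen);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Demo with a constructed key; a real key is 32 random bytes kept out of the repo.
$key = hash('sha256', 'constructed-demo-key-not-for-production', true);
$stored = encrypt_with_iv('s3cret', $key);      // this is what goes into the Password column
$recovered = decrypt_with_iv($stored, $key);    // same result on every page load
// Compare in constant time instead of "==", which also avoids PHP's loose-comparison surprises.
$ok = $recovered !== null && hash_equals($recovered, 's3cret');
var_dump($ok);
```

If the project requirement to encrypt were lifted, `password_hash()` and `password_verify()` as recommended in the comments would remove the key and IV handling entirely.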