troubleshooting Question

PHP 5.3.3. Crypt function

Avatar of Ashraf Hassanein
Ashraf Hassanein asked on
Web Languages and StandardsPHPSecurity
10 Comments2 Solutions1734 ViewsLast Modified:
I am trying to create an authentication mechanism using the crypt funtion.
In the php.net it says the following example:

<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}
?>

My assumption that you will generate the hashed password in the first command, and later you retrieve it from a db and use the second command to verify it, but that doesn't work, but furthermore even the script as above did not work with me as every time the crypt is running it generates a different hash because it is using a randomly generated salt.

So instead I found this script is working with me:

<?php
$hashed_password = crypt('mypassword',$salt); // Use the same salt always
if (crypt($user_input, $salt) == $hashed_password) {
   echo "Password verified!";
}
?>

My question is me understanding is correct? or I am misusing the function which might cause a security hole in my mechanism?
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 2 Answers and 10 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 10 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros