0

I would like to encrypt some passwords and put it in database. How do I keep this stuff in a database so I can retrieve the data if the owner matches.

Example

<?php
// some validations and other staff
$data = $_POST['input'];
$hash = crypt($data);
//then database insert code
?>

If I echo the $hash, it's giving me some encrypted data but when I refresh the page, the numbers are changing from time to time. How do I keep the data static? How will I tell the encrypted password that this was the owner when username and password entered.

Example

<?php
//time of encryption 
$name = "someone";
$pass = "p1x6Fui0p>j";
$hash = "$pass"; //outcome of $hash e.g. $1$aD2.bo0.$S93XNfgOFLskhis0qjE.Q/

// $hash and $name inserted in database
?>

When the user tries to login with collect details, how will I refer $hash "$1$aD2.bo0.$S93XNfgOFLskhis0qjE.Q/" was equal to $pass "p1x6Fui0p>j" ?

Daniel
  • 2,435
  • 5
  • 26
  • 40
madcoder
  • 35
  • 2
  • 7
  • Also that's covered in pretty much any "how do I make a login page" tutorial for PHP. Passwords, encrypted or not, are associated to a username; which allows to query for the hash by username, and compare to the likewise recrypted input password. – mario Jun 10 '13 at 21:12

3 Answers3

4

crypt() has an unfortunate name. It's not an encryption function, but a one-way hashing function.

If you're using PHP 5.5+, just use password_hash and password_verify:

$hash = password_hash($data, PASSWORD_BCRYPT);  // Bcrypt is slow, which is good

And to verify the entered password:

if (password_verify($pass, $hash)) {
    // The password is correct
}

Now to answer your actual question: the purpose of password hashing is to authenticate users without actually storing their plaintext passwords. If hash(a) == hash(b), then you can be pretty sure that a == b. In your case, you already have hash(a) ($hash), so you just need to hash the inputted password and compare the resulting hashes.

crypt() does this for you:

if (crypt($pass, $hash) === $hash) {
    // The password is correct
}
Blender
  • 289,723
  • 53
  • 439
  • 496
  • +1 for the shoutout to password_hash/verify preview. – Orangepill Jun 10 '13 at 21:14
  • thanks this seems to explain what am looking for but am just one step back what comes first? Query Database where there is username given and compare the $hashed password to the user input password if $hash match? – madcoder Jun 10 '13 at 21:31
  • @madcoder: You should find the user with that username, get that user's hashed password, and finally compare the hashes. – Blender Jun 10 '13 at 22:46
2

From the php crypt page

if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}
Orangepill
  • 24,500
  • 3
  • 42
  • 63
0

You are not using your own salt, so for every call salt is automatically generated, and salted password is hashed. To get the same hash from this password, you need to run crypt with exact salt that was generated during first run.

Generated salt varies depending on algorithm used for hashing, but from your example it's MD5, and salt is delimited by first and third dollar sign inclusively:

$hash = '$1$aD2.bo0.$S93XNfgOFLskhis0qjE.Q/';
//       \   salt   /

So to get Exact same hash you need to call crypt($pass, '$1$aD2.bo0.$');

Remember that if you want to use your own salt, it needs to be in proper format for given algorithm. For best results use php 5.5+ password_hash mentioned by @Blender, and for older php versions there is password_compat library, with this you don't have to worry about proper salt format.

Community
  • 1
  • 1
dev-null-dweller
  • 29,274
  • 3
  • 65
  • 85