#14 crypt() no good

Status: closed-fixed
Owner: chris
Labels: None
Priority: 8
Updated: 2000-04-28
Created: 2000-04-27
Private: No

See http://thatware.sourceforge.net/crypt.php3 for the full details. The script is just simply this:

<?php

$pwd = crypt('Password');
echo $pwd;

?>

If you reload the script, the crypted variable is always different. If the user always had the cookie for their username stored on their computer and didn't ever have to worry about logging in on another machine, this would be fine, but it's highly unlikely.

I think we need to remove all instances of crypt() (it was a good idea though) because mcrypt is really the only good way to do it, but not a good solution in terms of the most commonly compiled elements in php binaries. This also explains why people can't log in as a user or admin.

Discussion

  • David Norman

    David Norman - 2000-04-27
    • priority: 5 --> 8
    • assigned_to: nobody --> yvain
     
  • chris

    chris - 2000-04-28

    I'm not seeing an error...

    But that script performs correctly ... If you dig in and look at login() in user.php3, say, you will notice that there is a line like

    $pass=crypt($pass,substr($dbpass,0,2));

    Now, if the unencrypted $pass is the same password as was originally generated or originally set, then encrypted $pass == $dbpass .

    The problem that some people reported at atthat.com was due to me forgetting to fix something in setup.php3 - namely that the pwd field in the authors table needed to be 13 chars long (and it was only 12) to store the whole encrypted password. If anyone used the older setup.php3 then they would find that they couldn't log in. (They will need to remake that table, if they don't feel like installing from scratch.)

    It's been fixed.

    I've downloaded the most recent cvs snap and it is running quite happily.
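The point made in the report and in chris's reply (a fresh crypt() call gives a different string each time, yet login still works because the salt is re-read from the stored hash) is easier to see in code. The following is an added example, not thatware's own code; the function names make_des_hash and check_des_hash are assumptions, and only the substr($stored, 0, 2) step mirrors the line quoted from user.php3. It also shows the 12-character truncation failure described in the ticket and the 8-character limit of traditional DES crypt, which the ticket does not discuss.

```php
<?php
// Added example (not from thatware): how salted crypt() output is verified.
//
// crypt() with no salt picks a random 2-character salt, so each call returns
// a different 13-character string. Verification does not compare fresh
// output against stored output; it re-runs crypt() with the salt taken from
// the first two characters of the stored hash, as login() in user.php3 does.

const SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Hash a password for storage (account creation or password change).
// Hypothetical helper name; the explicit salt makes the 2-character
// prefix visible but is equivalent to letting crypt() choose one.
function make_des_hash(string $password): string
{
    $salt = SALT_CHARS[random_int(0, 63)] . SALT_CHARS[random_int(0, 63)];
    return crypt($password, $salt);
}

// Check a login attempt against the stored hash. Hypothetical helper name.
function check_des_hash(string $password, string $stored): bool
{
    // Traditional DES crypt always yields 13 characters. A column that was
    // created 12 characters wide (the setup.php3 problem in this ticket)
    // stores a truncated hash that can never match, so reject it outright.
    if (strlen($stored) !== 13) {
        return false;
    }
    // Same salt as the stored value, so equal passwords give equal output.
    $candidate = crypt($password, substr($stored, 0, 2));
    // Constant-time comparison so timing does not reveal how far the
    // candidate matched.
    return hash_equals($stored, $candidate);
}

$h1 = make_des_hash('Password');
$h2 = make_des_hash('Password');
echo "hash 1: $h1\n";
echo "hash 2: $h2\n";
// The two hashes differ because the salts differ, yet both verify.
var_dump(check_des_hash('Password', $h1));
var_dump(check_des_hash('Password', $h2));
// Wrong case in the password fails.
var_dump(check_des_hash('password', $h1));
// A hash truncated to 12 characters (the old authors table) fails.
var_dump(check_des_hash('Password', substr($h1, 0, 12)));

// Caveat: traditional DES crypt uses only the first 8 characters of the
// password, so these two "different" passwords verify against each other.
var_dump(check_des_hash('Password1', make_des_hash('Password2')));

// Current PHP provides password_hash()/password_verify(), which choose and
// embed the salt and a modern algorithm, removing the need for substr().
$modern = password_hash('Password', PASSWORD_DEFAULT);
var_dump(password_verify('Password', $modern));
```

Run with php 7 or later (random_int, hash_equals and scalar type hints). The first two hashes print as different strings, the next two var_dump calls print true, the wrong-case and truncated checks print false, the 8-character collision prints true, and the password_verify call prints true. The 13-character length check is the code form of chris's diagnosis: a login failure after a crypt() change is more often a storage width problem than a crypt() problem.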

     
  • chris

    chris - 2000-04-28
    • status: open --> closed-fixed