Password Encrypting

liunx

Guest
Please forgive what may seem like blatant stupidity; I am very new to php!

I'm trying to encrypt a password and store it in a database. I'm not using encrypt() as I don't want to be able to decrypt() (also, I don't have the required module installed, or something, I think, never mind).

So, I go: $password=crypt($password); and write $password to the database. Fine.

Now, I read that, since you can't decrypt these passwords again, when you're doing verification you have to crypt() the password the user just entered, and compare that to the one stored in your database.

I've entered some test data, populating my database with users' details, and I entered the same password for each one.

However, when I browse the database in phpMyAdmin, each encrypted password looks different!

What did I do wrong? :stupid:

use md5() it is easier, for me anyway.

or just use mysql password function...

So... you don't know why either, then? ;)

that is why we suggested other means.

your crypt() is doing a random encryption since you didn't tell it what salt to use
If the salt argument is not provided, one will be randomly generated by PHP.

crypt ( string str [, string salt] )


you failed to give it one. hence your passwords will be different.

Ah.

Well, all my php knowledge comes from what I've read (up to p263) of the PHP for the World Wide Web, Second Edition Visual Quickstart Guide. As such, I don't know what 'salt' is...

From checking later chapters in the book, it seems that password comparison can be achieved using something like

if ($password_stored==crypt($password_entered, $password_stored)) {
...
}

although I have yet to test this.

BTW, my previous remark was supposed to be tongue-in-cheek, hope I didn't cause any offense :)

no problem. I got what you meant.

this will not work

if ($password_stored==crypt($password_entered, $password_stored)) {
...
}

if you want to compare using salt (which it is just as easy to use md5 or the one illogique talked about) it goes like this

if ($password_stored==crypt($password_entered, salt_used_here)) {
...
}

or with md5
if ($password_stored == md5($password_entered)){
...
}
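
Added example (not part of the original thread, and not any poster's code): a PHP example of the salt behaviour discussed above, showing why the same password yields different stored hashes and how a check can reuse the salt that crypt() embeds in its output. It assumes PHP 7 or later and bcrypt as the algorithm; the function names make_bcrypt_salt, hash_for_storage and verify_password are hypothetical, and the sample passwords are constructed.

```php
<?php
// Added example, not from the thread. Helper names are hypothetical.

// Build a bcrypt salt string: "$2y$" + two-digit cost + "$" + 22 salt characters.
function make_bcrypt_salt(int $cost = 10): string
{
    $raw = base64_encode(random_bytes(16));          // 24 chars from [A-Za-z0-9+/=]
    $salt22 = substr(strtr($raw, '+', '.'), 0, 22);  // bcrypt's alphabet has '.' instead of '+'
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

// Hash a password for storage with a fresh random salt per call.
function hash_for_storage(string $password): string
{
    return crypt($password, make_bcrypt_salt());
}

// Verify a login attempt. The stored hash begins with the algorithm, cost and
// salt, so passing it as crypt()'s second argument reuses the original salt.
function verify_password(string $entered, string $stored): bool
{
    $candidate = crypt($entered, $stored);
    // hash_equals() compares in constant time, unlike ==.
    return hash_equals($stored, $candidate);
}

// Constructed sample data: two users who chose the same password.
$user_a = hash_for_storage('correct horse');
$user_b = hash_for_storage('correct horse');

echo "user a: $user_a\n";
echo "user b: $user_b\n";

// The two stored values differ because each got its own random salt.
var_dump($user_a === $user_b);

// Each stored hash still verifies against the password it was made from.
var_dump(verify_password('correct horse', $user_a));
var_dump(verify_password('correct horse', $user_b));
var_dump(verify_password('wrong guess', $user_a));

// PHP's built-in password_verify() accepts the same crypt()-format hashes.
var_dump(password_verify('correct horse', $user_a));
```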
 