Crypt() verification problem

Anon

Hi all. I am trying to redesign a webpage to verify a user through his/her stored crypt() password stored in a file.

Datafile: (daemon.o)

title "the explorer"
password "jaNWPkIN9WIPg"
al_title "Lawful Good"

PHP Code: (character.php)

$new_character = strtolower($character);
$new_password = $password;
$filename = "/rpg/mud/lib/people/".$new_character[0]."/".$new_character.".o";

$f = fopen($filename, "r");

echo $reOut[1];

$line = fgets($f, 1000);

if (ereg("^password (.*)", $line, $reOut)) {
$stored_password = $reOut[1];
$encrypted_password = crypt($new_password, $stored_password);
}

fclose($f);

if($encrypted_password != $stored_password) ... reject, etc.
The problem I am having is that when the user enters his/her password in the form ($password), the above php code isn't looking at the $password entered but just comparing $encrypted_password to itself, thus always returning 'true'.... even when I put in the wrong password, it still accepts it as the correct one.

What am I doing wrong here?

-- M

Anon

At least re-read that :

http://www.php.net/manual/en/function.crypt.php

Anon

I read the site/page, but its a bit greek to me (too technical). The file/data password is in crypt() and all I want to do is compare it to what the user enters via the form.

Is what I am doing above possible or not?

-- M

Anon

Come on ... you don't like greek :*) ?

Well this idea is to compare 2 things :

1) the stored password
2) the "new" password, input by the user

but the stored password is crypted for
security reasons, so you need to crypt
the password input by the user, that way

$crypted_password = crypt ($html_password);

($html_password is what the user had type
in the <INPUT> field)

Now you can compare that $crypted_password with the $stored_password you get from
the file.

Beware of the " I have see in the file
I think your regular expression will
get them too in the $stored_password var.

You need to check to be sure (by printing
both $stored_password and $crypted_password)
in case the == test failed again.

Good luck !

Anon

Okay, I tried that and its showing the $stored_password and the $html_password as the same thing when in fact they are different!

Could something be overwriting the html_password entry w/ the stored one?

-- M

Anon

What you have in $new_password is OK ? (mean : corresponding to what the user input ?)

try that :

print "$new_password<BR>\n";

if (ereg("^password (.)", $line, $reOut))
{
$stored_password = $reOut[1];
print "$stored_password*<BR>\n;

$encrypted_password = crypt($new_password);
print "$encrypted_password<BR>\n";
}

silverthorn

Okay, did as you stated and got the results below:

test
"aoc.dkvYRNGxc"
0$sAWxKGal/lA

It seems to be extracting the entire '"'s rather than just looking whats inside of them.

Did some additional research and the crypt function we are using to create the character's .o file is: crypt(password, 0);

I added into the PHP code to do crypt($new_password, 0); rather than the crypt($new_password); as it kept making new versions of the string/output each time.

-- M

fandelem

use md5()

it will save you headaches 🙂

for inserting for the first time:

// $password should be PLAIN TEXT starting out
$new_password = md5($password);

// this section should insert the $new_password INTO the file.
....
....

// okay, now we have them logging in again.
// they send $password as PLAIN_TEXT (ie. just type it in
// from a form and hit submit)
$new_password = md5($password);
$f = fopen($filename, "r");
$line = fgets($f, 1000);

if (ereg("^password (.*)", $line, $reOut)) {
$stored_password = $reOut[1];
// if you need to get rid of quotes
// use this next line, otherwise yank it.
// (wasn't sure if you wrote to file with quotes)
$stored_password = str_replace("\"","",$stored_password);
if ( $stored_password == $new_password)
{
echo "passed check.";
}
else
{
echo "failed check.";
}

***NOTE: this is assuming your ereg of pulling the information from the file is WORKING PROPERLY.

md5() is so easy. you md5() the user's password at the very beginning, and then everytime after that you just md5() the users input (for password) and compare the value in the file.

cheers,

kyle

Anon

In your regexp, stick a ? immediately after the * - this will stop it gobbling " characters when it finds them and instead gobble just enough to make the match succeed.

Anon

The problem isn't putting in the encrypted password, its the extraction of already a saved encrypted from a datafile (player.o) and comparing it to a form-based password entry changed into crypt.

-- M