When does 1 != 1 ??

The_Chancer

How can 1 not be equal to 1 ??

Using the MCRYPT extension, I create a logon as follows:

User - Jo
Pass - 1

Encrypt it using MCRYPT_CAST_256 and a randomly created key, and store the key, encrypted password and username in a database in VARCHAR fields.

All OK so far..

Tested the decrypt function, and it gives me a password of 1 - no trailing spaces or anything like that.. - jet when I compare it to the 1 taken from the database, 1 != 1....

Very odd.

Any suggestions ??

Code: Index.php

<?php
if ($_POST['login'])
{
	include("db.php"); // database connection script
	include("decrypt.php"); // decrypt script
	$query=do_query("SELECT * FROM users WHERE user='".$_POST['user']."'"); // select from databse (do_query function does it all)
	if (mysql_num_rows($query)) // make sure there is a user called $_POST['user']
	{
		$result=mysql_fetch_array($query);
		$ans=decrypt($result['ukey'],$result['pass']); //decrypt the password in database
		echo "ukey ".$result['ukey']; // correct key out
		echo "<br>pass ".$result[pass]; // correct password out
		echo "<br>ans =".$ans."="; // correct result from database
		echo "<br>post pass =".$_POST['pass']."="; // correct result from post form
		if ($ans!=$_POST['pass']) // means 1 should equal 1 - BUT IT DOESN'T !!
		{
			echo "<br>But why ?"; // oh why oh why
			$error="Logon details incorrect, please check and try again - password"; // take password out when OK
		}
		else
		{
			$error="Worked ?"; //doesn't do this... but take out and redirect when success using header... etc
		}
	}
	else
	{
		$error="Logon details incorrect, please check and try again - Username"; //take username out when OK
	}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Webmail Login</title>
<body>
<div align="center"><p><span class="title" align="center">Webmail Login</span></p></div>
<div align="center">
<span class="text">
Welcome to Xplore Online Webmail Service.<br /><br />
Simply login and access your E-Mail from wherever you are.
</span>
<?if ($error) {
	echo "<br /><br /><span class=\"error\">$error</span>";
	unset($error);
}
?>
</div>
<form name="login" method="post" action="<?=$PHP_SELF;?>">
<table class="table" width="20%" align="center">
<tr><td width="50%" class="field"><span class="textBold">User Name:</span></td><td><input type="text" name="user" maxlength="10" size="8" title="User Name" /></td></tr>
<tr><td width="50%" class="field"><span class="textBold">Password:</span></td><td><input type="password" name="pass" maxlength="10" size="8" title="User Password" /></td></tr>
<tr><td colspan="2" align="center" height="30" valign="bottom"><input type="submit" name="login" value="Log me in !" /></td></tr>
</table>
</form>
</body>
</html>

Code: decrypt.php

<?php
//decrypt
ini_set("display_errors",0); //stop warning about IV not being set and key being too long (sometimes)
function decrypt($keys,$pass)
{
	$decrypted= mcrypt_ecb( MCRYPT_CAST_256, $keys, base64_decode($pass), MCRYPT_DECRYPT, 64 );
	return $decrypted;
}
?>

laserlight

maybe try

if (strcmp($ans, $_POST['pass']) == 0)
{
//ans and pass are the same string
}

The_Chancer

Still doesn't work.... like the idea though...

Could it be anything to do with the base64 encoding do you think ?

The_Chancer

Think I may have found it...

I base64_encoded the answers as they came back, and the original had loads of AAAA after it - ie spaces....

Have to look at the encoding part first....

WIll edit and let you know...

All I had to do was change the decrypt function as follows:

<?php
//decrypt
ini_set("display_errors",0); //stop warning about IV not being set and key being too long (sometimes)
function decrypt($keys,$pass)
{
	$decrypted= trim(mcrypt_ecb( MCRYPT_CAST_256, $keys, trim(base64_decode(trim($pass))), MCRYPT_DECRYPT, 64 ));
	return $decrypted;
}
?>

and add the TRIM....