First, let me say that yes, I know a flat-file db is not the way to go, but I don't have a choice.
So here is the situation.
Rolling my own password function.
On page1.php the user name and password are set with:
function crp($usr,$pass,$db,$pass2) {
    $usr = trim($usr);
    $pass = trim($pass);
    $c = trim($pass2);
    $d = strlen($pass);
    if ($d >= 4 and $d <= 8 ) {
        $s = md5(uniqid(rand(), 1)); //does the encryption
        $s = substr($s, 0, 8);
        $pass = crypt($pass,$s);
        $c = crypt($c,$s);
        $fArray = file($db); //reads the db to do some basic checking of username etc.
        while(list($key,$item) = each($fArray)) { //this loop checks that the user is unique, or it exits
            $us = strtok($item,"|");
            $e = strcasecmp($usr,$us);
            if ($e==0) {
                echo "<script language=javascript>alert ('Error!! The username you entered is already in use! Please select another username')</script>";
                echo "<script language=javascript> pop1('add|');</script>";
                rfile($db);
                exit;
            }
        }
        if ($pass == $c) { // this checks that the password entered twice is the same
            strinf($usr,$pass,$db,$s); // write it back to the file, which works just fine; notice I have to write the salt to the db as well
        } else {
            echo "<script language=javascript>alert ('Error!! The passwords you entered did not match! Please try again')</script>";
            echo "<script language=javascript> pop1('add|');</script>";
            rfile($db);
            exit;
        }
    } else {
        echo "<script language=javascript>alert ('Error!! The length of the password must be between 4 and 8 characters')</script>";
        echo "<script language=javascript> pop1('add|');</script>";
        rfile($db);
        exit;
    }
}
Then when someone logs in to page2.php it does this:
function logIn($f,$u,$p) {
    $p = trim($p);
    if (is_readable($f)) {
        $fArray = file($f); //read in the db
        while(list($k,$i) = each($fArray)) { //loop through to check the user and pass
            $hu = strtok($i,"|");
            $hp = strtok("|");
            $hs = strtok("|");
            $hs = str_replace("\n","",$hs); //trim the newline off the end of the salt
            $p = crypt($p,$hs); //encrypt the entered pass with the same salt as the orig
            if ($hu == $u && $hp == $p) {
                //go to the right page
            } else {
                echo "<script language=javascript>alert ('Acces Denied!!!')</script>";
            }
        }
    } else {
        echo "<script language=javascript>alert ('The file ($f) is unreadable')</script>";
    }
}
My problem is that the entered password and the password stored in the db never match. Am I doing something wrong with the salt?
Thanks in advance
Tj
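
An added example, not part of the original post: in the posted logIn(), `$p = crypt($p,$hs)` overwrites the entered password inside the loop, so from the second record onward the value being hashed is already a hash. The sketch below leaves the entered password untouched for every record and swaps the post's crypt() with a hand-made salt for PHP's password_hash()/password_verify(), which keep the salt inside the stored hash. The `user|hash` record layout, the function names and PHP 7.1+ are assumptions.

```php
<?php
// Added example. Record layout "user|hash\n" is assumed, not the poster's format.

// Build one flat-file record. password_hash() generates its own random salt
// and embeds it (with algorithm and cost) in the returned string, so no
// separate salt column is needed.
function make_record(string $user, string $pass): string
{
    if (strpbrk($user, "|\r\n") !== false) {
        throw new InvalidArgumentException('user name contains a delimiter');
    }
    return $user . '|' . password_hash($pass, PASSWORD_DEFAULT) . "\n";
}

// Return true only if $user exists and $pass matches that user's stored hash.
function check_login(array $lines, string $user, string $pass): bool
{
    foreach ($lines as $line) {
        $parts = explode('|', rtrim($line, "\r\n"), 2);
        if (count($parts) !== 2) {
            continue; // skip malformed lines instead of comparing garbage
        }
        [$storedUser, $storedHash] = $parts;
        if (strcasecmp($storedUser, $user) !== 0) {
            continue; // not this user's record (case-insensitive, as at sign-up)
        }
        // $pass is passed through unchanged: it is never reassigned in the
        // loop, so every record is checked against what the user typed.
        // password_verify() re-hashes with the salt read from $storedHash
        // and compares in constant time.
        return password_verify($pass, $storedHash);
    }
    return false; // decide once, after the scan, not once per record
}

// Constructed sample data: the user being checked sits on the second line.
$db = [
    make_record('alice', 'first-pass'),
    make_record('bob', 'second-pass'),
];

var_dump(check_login($db, 'bob', 'second-pass'));
var_dump(check_login($db, 'bob', 'first-pass'));
var_dump(check_login($db, 'carol', 'second-pass'));
```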