I'm using random (extended) ASCII characters to salt my passwords. When users log in, I combine the stored random salt with the submitted password, hash the whole thing, and compare to the hash stored in the database. This currently works fine on both my production and backup server.
However, I just built a new server to take the place of my production server (separating Apache from MySQL) and PHP doesn't appear to support extended ASCII on the new server.
Here's how I reached this conclusion:
1. I echoed the salted password to the screen - it was correct.
2. I echoed the two non-matching password hashes to my browser. They looked something like: "8abc91823496laadsoinb / 7812340asdofijqkwre8714".
3. I tried comparing the passwords using MySQL: "SELECT MD5(CONCAT('original_password',salt)) AS pw1, stored_hash AS pw2" - THEY MATCH!
4. I echoed just the salted password to a text box in my browser, copied it, and pasted it into the query above: "SELECT MD5('copiedpassword12498utwrjsag') AS pw1, stored_hash AS pw2" - NO MATCH...however, it now matches the two hashes from step 2.
I then noticed that a few of my extended ASCII characters had been altered by the cut/paste (thank you, Windows clipboard). The fact that it gives me the same incorrect hash from step #2 confirms to me that my new server is also screwing up the extended characters.
I don't know if this is a PHP problem, an Apache problem or what. Maybe it has something to do with the fact that the MySQL server is now connected remotely(?). However, I have a suspicion that I forgot to install something. 😕
Any clues?
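
The symptom described in the post, reproduced as an added example that is not part of the original post: the same four extended characters are hashed once as single bytes and once after re-encoding to UTF-8, and the two digests differ. The sample salt, the choice of ISO-8859-1 and UTF-8 as the two encodings, and the helper names `salted_md5` and `describe` are assumptions; the last part shows a hex-encoded salt passing through the same conversion unchanged.

```php
<?php
// Added example, not code from the post. Requires the mbstring extension.
// The password and salt are constructed sample values. The salt is written
// with byte escapes so this file's own encoding cannot alter it.
$password   = 'original_password';
$saltLatin1 = "\xE9\xF1\xFC\xA7"; // four extended characters, one byte each

// The same four characters after some layer (connection charset, clipboard,
// output filter) re-encodes them as UTF-8: each becomes two bytes.
$saltUtf8 = mb_convert_encoding($saltLatin1, 'UTF-8', 'ISO-8859-1');

// Same operand order as the query in the post: MD5(CONCAT(password, salt)).
// MD5 is kept only to mirror that query.
function salted_md5(string $password, string $salt): string
{
    return md5($password . $salt);
}

// Report the raw bytes next to the digest. Characters can look identical on
// screen while the bytes differ; MD5 only ever sees the bytes.
function describe(string $label, string $password, string $salt): string
{
    return sprintf(
        "%-7s bytes=%s len=%d md5=%s\n",
        $label, bin2hex($salt), strlen($salt), salted_md5($password, $salt)
    );
}

echo describe('latin1', $password, $saltLatin1);
echo describe('utf8', $password, $saltUtf8);

// Diagnostic: print bin2hex($salt) in PHP on each server and compare it with
// SELECT HEX(salt) in MySQL. The first place the hex differs is where the
// bytes are being changed.

// Encoding-independent alternative: keep the salt as hex text (0-9, a-f).
// Those characters have the same bytes in ASCII, ISO-8859-1 and UTF-8, so the
// conversion that changed the salt above leaves this one untouched.
$hexSalt   = bin2hex(random_bytes(16));
$roundTrip = mb_convert_encoding($hexSalt, 'UTF-8', 'ISO-8859-1');

echo describe('hex', $password, $hexSalt);
var_dump(hash_equals(
    salted_md5($password, $hexSalt),
    salted_md5($password, $roundTrip)
));
```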