crypt

Anon

I need to crypt the password with php on the same way as perl it does.
In perl is goes like this:

$password = crypt("password",$pwseed);

But I cannot use the same functions in php because then you get an other result. And it must be identical.
Is there an other possibility to crypt the password with php, and the result is the same as you do it with perl?
Maby can I call a perlscript with php, cgi crypts the password and returns it to the php-page?

cordex

$pass = "thisismypassword";
$crypt1 = crypt($pass, 'salty');
$crypt2 = crypt($pass, 'salty');

echo "1: $crypt1<BR>2: $crypt2<BR>";

Ummm .... this works .... so where's your problem?

Anon

Whoops...sorry, it's the same. I didn't do my test good...
tnx anyway 🙂

[deleted]

his problem was that he thought that PHP's cryot() was not compatible with PERL's crypt. But it seems that they are.

Anon

Yes...but they are the same... 🙂

[deleted]

which is what I just said.

Anon

I know... 🙂

Anon

I'm new to PHP and I'm trying to grasp all of its functions..

One quick question... Could you give me an example where this crypt() function would be useful? (No code, just a scenario)

Thanks

Anon

You want to store a password but are concerned with the DB being hacked.
So, you crypt() (with a seed) the password.
Then, when a person enters a password you crypt() with the same seed and compare the result with the data in the DB.
If they match, the password was the same. if not, deny access.

Anon

And how would you generate a seed that would be equal at two separate times (assuming you're using the srand function)? I would think that the seed chosen would need to be the same when it is originally written into the database and then again when its checked against the databse at a later time.

How would you generate the seed for this?

[deleted]

You wouldn't.

The seed must be the same, so it must be hardcoded somewhere in a config file or whatever. And that makes it available to hackers.

This is why crypt() is not used to cypher passwords in a database. Instead, MD5() is used, which does a one-way calculation, it is not reversable. So even if a hacker gets a complete copy of your database, he still does not have the passwords.

Crypt() is only usefull if the seed ('password') can be kept a secret, for exampole when the user has to type the encryption password into an HTML form on an SSL page.

Anon

jeez, now I'm getting them mixed up.

thanks vincent.