Hi fellow developers,

RE: mcrypt functionality failure since PHP 4.0.5 upgrade.

This is a snippet taken from the class that handles the addition of
new users into the users table. It shows the way we *were
successfully* using mcrypt to encrypt users' passwords:

//--- Begin code paste.

   $password_key = md5($username);

   // Actual passwords are randomly generated.
   // User may change later.

   srand((double)microtime()*1000000);
   $password = substr(md5(rand(0,9999999)),0,8);

   // Encrypt password using md5 string above.
                        
   $td = mcrypt_module_open (MCRYPT_TripleDES, "", MCRYPT_MODE_ECB, "");
   $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
   mcrypt_generic_init ($td, $password_key, $iv);
   $encrypted_password = mcrypt_generic ($td,$password);
   mcrypt_generic_end ($td);

   // Do database insert using $encrypted_password value.

//--- End code paste.

The rest is irrelevant. Up until the upgrade to PHP 4.0.5, the above
method worked without any issue, each time returning properly
encrypted passwords which were then stored in the database.

At the moment passwords are now being stored unencrypted, but since it's
currently on an internal development server the security implications
are negligible, BUT I would appreciate any feedback, similar
encounters, etc. from the development community since this clearly
needs fixing.

Many thanks,

Chris.
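
For comparison, an added example (not part of the original post, and not PHP project code) of the same new-user step on a current PHP version, where mcrypt is no longer bundled (it was removed from core in PHP 7.2). The initial password comes from the OS CSPRNG and is stored as a one-way hash, and the function refuses to return anything that is not a verifiable hash, so a failing crypto call cannot silently let plaintext reach the database as described above. The function names generate_initial_password() and hash_for_storage() are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example; function names are assumptions, not from the original post.

/** Random initial password from the OS CSPRNG (replaces srand()/rand()/md5()). */
function generate_initial_password(int $length = 12): string
{
    // Alphabet omits look-alike characters (0/O, 1/l/I); the user types this once.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is unbiased and throws if no entropy source is available.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** One-way hash for the users table; throws rather than return anything unhashed. */
function hash_for_storage(string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Fail closed: the value bound for the database must be a recognised hash
    // that verifies against the input, and must never be the plaintext itself.
    if (!is_string($hash)
        || $hash === $password
        || password_get_info($hash)['algoName'] === 'unknown'
        || !password_verify($password, $hash)) {
        throw new RuntimeException('Password hashing failed; refusing to store value.');
    }
    return $hash;
}

$password = generate_initial_password();  // shown to the user once
$stored   = hash_for_storage($password);  // this value goes into the INSERT

// Login check later: compare the submitted password against the stored hash.
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong-guess', $stored));
```

Because the hash is one-way and salted per call, nothing derived from the username is needed as a key, and the stored value cannot be decrypted back to the password.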



-- 
PHP Development Mailing List <http://www.php.net/>